Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#544

Merged
kehoecj merged 2 commits into
mainfrom
dependabot/npm_and_yarn/website/npm_and_yarn-6be0d8d498
Jul 16, 2026
Merged

chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates#544
kehoecj merged 2 commits into
mainfrom
dependabot/npm_and_yarn/website/npm_and_yarn-6be0d8d498

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 2 updates in the /website directory: js-yaml and websocket-driver.

Updates js-yaml from 3.14.2 to 3.15.0

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits

Updates websocket-driver from 0.7.4 to 0.7.5

Changelog

Sourced from websocket-driver's changelog.

0.7.5 / 2026-06-04

  • Close a draft-75/76 connection if a length header grows to exceed the configured max length
  • Fail the connection if a message is larger than the configured max length after extension processing
Commits
  • 5d6a9aa Bump version to 0.7.5
  • c55679a Fail the connection if a message is larger than the configured max length aft...
  • 5b197ca Close a draft-75/76 connection if a length header grows to exceed the configu...
  • fc93a48 Test on Node v22, v24, and v26
  • 2e82d34 Test on recent versions of Node
  • e4962db Switch from Travis CI to GitHub Actions
  • 3f2f9b7 Travis update: cache npm modules, remove sudo, run on Node 15
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates

Bumps the npm_and_yarn group with 2 updates in the /website directory: [js-yaml](https://github.com/nodeca/js-yaml) and [websocket-driver](https://github.com/faye/websocket-driver-node).


Updates `js-yaml` from 3.14.2 to 3.15.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.2...3.15.0)

Updates `websocket-driver` from 0.7.4 to 0.7.5
- [Changelog](https://github.com/faye/websocket-driver-node/blob/main/CHANGELOG.md)
- [Commits](faye/websocket-driver-node@0.7.4...0.7.5)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: websocket-driver
  dependency-version: 0.7.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 16, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 16, 2026 02:26
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 16, 2026
@kehoecj kehoecj added the no changelog Do not require a CHANGELOG update for MR's. Mostly used for dependably label Jul 16, 2026
@kehoecj kehoecj force-pushed the dependabot/npm_and_yarn/website/npm_and_yarn-6be0d8d498 branch 6 times, most recently from 5977b85 to 2314ee8 Compare July 16, 2026 14:23
- golang.org/x/text: v0.38.0 → v0.39.0 (fixes Trivy CVE-2026-56852)
- go directive: remains 1.26.3 (must match MegaLinter container's Go version
  to prevent govulncheck load failure which causes exit 127)
- CI workflows: go-version '1.26' → '~1.26' for automatic patch pickup
- osv-scanner.toml: ignore 5 Go stdlib CVEs (GO-2026-4970, 5037, 5038,
  5039, 5856) that osv-scanner 2.3.8 reports for go 1.26.3 but cannot be
  fixed without upgrading MegaLinter's container

Verified locally with osv-scanner 2.3.8: exit 0, all 5 CVEs filtered.
@kehoecj kehoecj force-pushed the dependabot/npm_and_yarn/website/npm_and_yarn-6be0d8d498 branch from 2314ee8 to d659622 Compare July 16, 2026 15:04
@kehoecj kehoecj merged commit 78aa6e0 into main Jul 16, 2026
18 checks passed
@kehoecj kehoecj deleted the dependabot/npm_and_yarn/website/npm_and_yarn-6be0d8d498 branch July 16, 2026 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code no changelog Do not require a CHANGELOG update for MR's. Mostly used for dependably

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant