chore(deps): bump the npm_and_yarn group across 1 directory with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
nuxt	4.4.4	4.4.8
markdown-it	14.1.1	14.2.0
ws	8.20.0	8.21.0
form-data	4.0.5	4.0.6
ip-address	10.0.1	10.2.0
qs	6.14.2	6.15.2
shell-quote	1.8.3	1.8.4
tmp	0.2.5	0.2.7

Updates nuxt from 4.4.4 to 4.4.8

Release notes

Sourced from nuxt's releases.

v4.4.8

4.4.8 is a hotfix release to address an issue running the dev server on MacOS.

👉 Changelog

compare changes

🩹 Fixes

• vite: Shorter socket name for macOs with tmp fallback (#35265)
• kit: Respect type option in findPath (#35272)
• deps: Update nuxt/scripts presets (905621594)
• nuxt: Revert unhead dependency back to v2 (e6d578fea)

📖 Documentation

• Fix many typos (#35266)
• Explain static fallback pages (#35277)
• Change null to undefined in data-fetching docs to match actual types (#35301)
• Fix broken internal links, useAsyncData watch type, and NuxtError type (#35303)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Ali Mahmmoud (@​AliMahmoudDev)
• Quentin Macq (@​quentinmcq)
• Pranav Rajeshirke (@​Pranav188)
• Eduardo San Martin Morote (@​posva)

v4.4.7

4.4.7 is a security hotfix release.

👉 make sure to check https://github.com/nuxt/nuxt/security/advisories to view open advisories resolved by this release.

👉 Changelog

compare changes

🩹 Fixes

• nitro: Assign noSSR before deciding payload extraction (#35108)
• vite: Avoid filtering out dirs with shared prefix from allowDirs (#35112)
• nuxt: Use resolve from pathe for buildCache path boundary check (#35111)
• nuxt: Prevent sibling-directory traversal in test component wrapper (#35110)
• nitro: Pass event data to isValid in dev clipboard-copy listener (#35109)
• nuxt: Validate protocols in reloadNuxtApp path before reload (#35115)
• vite: Prefix public asset virtuals with null byte (9e303b438)
• nuxt: Re-run getCachedData after initial fetch (#35122)
• nuxt: Propagate useFetch/useAsyncData factory types (#35133)
• vite: Close vite dev server on nuxt close (a10a68abc)
• kit,nuxt: Handle cancelling prompts to install packages (e84813229)
• kit: Avoid excluding node-context files in legacy tsconfig (#35152)
• nuxt: Handle missing payload in chunkError listener (#35155)
• nuxt: Await in-lifght template generation when closing nuxt (#35181)
• nuxt: Clarify page and layout usage warnings (#35184)
• webpack: Surface compilation errors when stats.toString is empty (073b07851)
• nuxt: Reject prototype-chain keys in the island registry (#35205)

... (truncated)

Commits

• 2bfc2c8 v4.4.8
• e6d578f fix(nuxt): revert unhead dependency back to v2
• 9056215 fix(deps): update nuxt/scripts presets
• b7d5790 v4.4.7
• dbc5896 chore: lint
• e447a79 fix(nuxt): reject cross-origin paths in reloadNuxtApp
• d72a89e refactor(nuxt): replace runInNewContext with AST walker
• 2cce6fb fix(nuxt): block path-normalization open redirect in navigateTo
• 0103ce0 fix(nuxt): reject script-capable protocols in \<NuxtLink> href
• 07e39cd fix(nuxt): match route rules case-insensitively to mirror vue-router
• Additional commits viewable in compare view

Updates markdown-it from 14.1.1 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

• isPunctCharCode to utilities.

Fixed

• Don't end HTML comment blocks on a blank line, #1155.
• Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
• Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
• More strict entities decode to avoid false positives ;, #1096.
• Restore block parser state on fail in lheading rule, #1131.

Security

• Fixed poor smartquotes perfomance on > 70k quotes in single block
• Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.

Commits

• 829797a 14.2.0 released
• 9ce2087 Fix smartquotes perfomance
• 02e73b8 linkify-it bump
• 68cfb8c fix: don't end HTML comment blocks on a blank line (#1155)
• 1083137 Readme cleanup
• 97c7ca2 Update funding info
• c471b55 Changelog update
• 7769621 isPunctChar => isPunctCharCode
• aa2aa70 fix: always reset parentType in lheading rule (#1131)
• 59955f2 Polish PRs #1072, #1074
• Additional commits viewable in compare view

Updates devalue from 5.8.0 to 5.8.1

Release notes

Sourced from devalue's releases.

v5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

Changelog

Sourced from devalue's changelog.

5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

Commits

• 796ea83 Version Packages (#152)
• 206ca67 Merge commit from fork
• See full diff in compare view

Updates ws from 8.20.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames 8dff42c
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
• [Deps] update hasown, mime-types 92ae0eb
• [Dev Deps] update js-randomness-predictor 67b0f65

Commits

• 64190db v4.0.6
• 92ae0eb [Deps] update hasown, mime-types
• f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
• 8dff42c [Fix] escape CR, LF, and " in field names and filenames
• 67b0f65 [Dev Deps] update js-randomness-predictor
• See full diff in compare view

Updates ip-address from 10.0.1 to 10.2.0

Commits

• 80fccaa 10.2.0
• abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
• 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
• 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
• 80bc76e Validate static factories instead of silently overflowing (#201)
• 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
• a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
• ec52105 Add networkForm() for CIDR network-address strings (#199)
• a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
• f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
• Additional commits viewable in compare view

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates shell-quote from 1.8.3 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

• [Fix] quote: validate object-token shapes 4378a6e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
• [Tests] increase coverage 9f3caa3
• [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
• [Dev Deps] update @ljharb/eslint-config 699c511

Commits

• ff166e2 v1.8.4
• 4378a6e [Fix] quote: validate object-token shapes
• 22ebec0 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, `npmig...
• 9f3caa3 [Tests] increase coverage
• 3344a04 [readme] replace runkit CI badge with shields.io check-runs badge
• 699c511 [Dev Deps] update @ljharb/eslint-config
• See full diff in compare view

Updates tmp from 0.2.5 to 0.2.7

Commits

• 8ea1f37 Bump up the version
• 8f24f78 Merge commit from fork
• ce787f3 Reject non-string prefix, postfix, template
• 41f7159 Bump up the version
• efa4a06 Merge commit from fork
• 7ef2728 Check for relative values
• See full diff in compare view

Updates vite from 7.3.2 to 7.3.5

Release notes

Sourced from vite's releases.

v7.3.5

Please refer to CHANGELOG.md for details.

v7.3.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.5 (2026-06-01)

Bug Fixes

• backport #22572, reject windows alternate paths (#22574) (8c18556)
• deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

Miscellaneous Chores

• skip v7.3.4 release (8a6a0c9)

7.3.4 (2026-06-01)

Bug Fixes

• backport #22572, reject windows alternate paths (#22574) (8c18556)
• deps: backport #22571, reject UNC paths for launch-editor-middleware (#22573) (f20d64b)

7.3.3 (2026-05-07)

Bug Fixes

• avoid destructure lowering for newer safari (#22346) (5ab51c0)

Commits

• 077945c release: v7.3.5
• 8a6a0c9 chore: skip v7.3.4 release
• 8c18556 fix: backport #22572, reject windows alternate paths (#22574)
• f20d64b fix(deps): backport #22571, reject UNC paths for launch-editor-middleware (#2...
• ca31424 release: v7.3.3
• 5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #455.