Skip to content

chore (deps): bump the patch-updates group with 6 updates#14

Closed
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/patch-updates-82f14583f1
Closed

chore (deps): bump the patch-updates group with 6 updates#14
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/patch-updates-82f14583f1

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 17, 2026
edited
Loading

Bumps the patch-updates group with 6 updates:

Package From To
jimp 1.6.0 1.6.1
jsrsasign 11.1.1 11.1.2
protobufjs 7.5.4 7.5.5
grunt 1.6.1 1.6.2
postcss 8.5.8 8.5.10
webpack 5.106.0 5.106.2

Updates jimp from 1.6.0 to 1.6.1

Release notes

Sourced from jimp's releases.

v1.6.1

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

⚠️ Pushed to main

📝 Documentation

Authors: 3

Changelog

Sourced from jimp's changelog.

v1.6.1 (Tue Apr 07 2026)

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

⚠️ Pushed to main

📝 Documentation

Authors: 3

v1.5.0 (Mon Sep 09 2024)

Release Notes

Add support for image decoder options (#1336)

Can now have options for the underlying image codecs

CleanShot 2024-09-07 at 15 26 41

🚀 Enhancement

  • @jimp/core, @jimp/types, @jimp/js-bmp, @jimp/js-jpeg, @jimp/js-png

... (truncated)

Commits

Updates jsrsasign from 11.1.1 to 11.1.2

Release notes

Sourced from jsrsasign's releases.

Security Fix

  • Changes from 11.1.1 to 11.1.2 (2026-Apr-12)
    • Security fixes:
      • HIGH: wrong random for for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom) reported by Bronson Yen of Calif.io and @​Kr0emer #655.
      • HIGH: ASN.1 Parser Infinite Loop (asn1hex.js) getChildIdx fix to avoid infinite loop reported by Koda Reef.
      • HIGH: DSA Universal Signature Forgery (dsa.js) FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash reported by Koda Reef, Nicholas Carlini and @​Kr0emer.
      • ASN1HEX.getChildIdx DoS (asn1hex.js) getChildIdx may raise DoS because of lacking value length check reported by Yt(yutengsun) and Franciny S Roj.
      • missing JWS crit header parameter validation (jws.js) as reported by Franciny S Roj. Thank you indeed for those vulnerability reports and/or patches.
Changelog

Sourced from jsrsasign's changelog.

ChangeLog for jsrsasign

  • Changes from 11.1.1 to 11.1.2 (2026-Apr-12)

    • Security fixes:
      • HIGH: wrong random for for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom) reported by Bronson Yen of Calif.io and @​Kr0emer #655.
      • HIGH: ASN.1 Parser Infinite Loop (asn1hex.js) getChildIdx fix to avoid infinite loop reported by Koda Reef.
      • HIGH: DSA Universal Signature Forgery (dsa.js) FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash reported by Koda Reef, Nicholas Carlini and @​Kr0emer.
      • ASN1HEX.getChildIdx DoS (asn1hex.js) getChildIdx may raise DoS because of lacking value length check reported by Yt(yutengsun) and Franciny S Roj.
      • missing JWS crit header parameter validation (jws.js) as reported by Franciny S Roj. Thank you indeed for those vulnerability reports and/or patches.

  • Changes from 11.1.0 to 11.1.1 (2026-Feb-20)

restore KJUR.crypto.Cipher class without RSA/RSAOAEP support

  • Changes from 11.0.0 to 11.1.0 (2024-Feb-01)
    • src/crypto.js
      • restore KJUR.crypto.Cipher class without RSA and RSAOAEP encryption/decryption support

remove RSA and RSAOAEP encryption for Marvin attack

  • Changes from 10.9.0 to 11.0.0 (2024-Jan-16)
    • Major Changes:
      • Stop to support Internet Explorer.
      • Stop to support bower.
      • Modern ECMA functions will be introduced such as Promise, let, Array methods or class.
      • API document generator will be changed from Jsdoc Toolkit to JSDoc3.
      • Module bandler will be used such as browserify or webpack.
      • Not to use YUI compressor.
      • Unit test framework will be changed from QUnit and mocha to jest.
      • W3C Web Crypto API support.
      • split into some modules besides jsrsasign have been all in package before 11.0.0.
    • remove RSA PKCS#1.5 end OAEP encryption/decryption for Marvin attack (#598)
    • src/crypto.js
      • remove KJUR.crypto.Cipher class for RSA and RSAOAEP encryption/decryption
    • ext/{rsa,rsa2}.js remove encrypt/decrypt/encryptOAEP/decryptOAEP for RSAKey class

enhanced support for encrypted PKCS8

  • Changes from 10.8.6 to 10.9.0 (2023-Nov-27)

... (truncated)

Commits

Updates protobufjs from 7.5.4 to 7.5.5

Changelog

Sourced from protobufjs's changelog.

Changelog

8.0.1 (2026-03-11)

Bug Fixes

  • bump protobufjs dependency version for cli package (#2128) (549b05e)
  • correct json syntax in tsconfig.json (#2120) (8065625)
  • descriptor: guard oneof index for non-Type parents (#2122) (1cac5cf)
  • do not allow setting proto in Message constructor (#2126) (f05e3c3)
  • filter invalid characters from the type name (#2127) (535df44)

8.0.0 (2025-12-16)

⚠ BREAKING CHANGES

  • add Edition 2024 Support (#2060)

Features

Commits
Maintainer changes

This version was pushed to npm by fenster, a new releaser for protobufjs since your current version.


Updates grunt from 1.6.1 to 1.6.2

Changelog

Sourced from grunt's changelog.

v1.6.2 date: 2026-04-14 changes: - Update minimatch to 3.1.5. (PR: gruntjs/grunt#1796) - Update nopt to 5.0.0. (PR: gruntjs/grunt#1778)

Commits
Maintainer changes

This version was pushed to npm by krinkle, a new releaser for grunt since your current version.


Updates postcss from 8.5.8 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Changelog

Sourced from postcss's changelog.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Commits

Updates webpack from 5.106.0 to 5.106.2

Release notes

Sourced from webpack's releases.

v5.106.2

Patch Changes

  • CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

  • Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

  • Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

  • Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

  • Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

  • Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

  • Marked all experimental options in types. (by @​alexander-akait in #20814)

v5.106.1

Patch Changes

  • Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

  • Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

  • Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

Changelog

Sourced from webpack's changelog.

5.106.2

Patch Changes

  • CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

  • Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

  • Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

  • Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

  • Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

  • Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

  • Marked all experimental options in types. (by @​alexander-akait in #20814)

5.106.1

Patch Changes

  • Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

  • Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

  • Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore (deps): bump the patch-updates group with 6 updates
dd5cfd8 
Bumps the patch-updates group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [jimp](https://github.com/jimp-dev/jimp) | `1.6.0` | `1.6.1` |
| [jsrsasign](https://github.com/kjur/jsrsasign) | `11.1.1` | `11.1.2` |
| [protobufjs](https://github.com/protobufjs/protobuf.js) | `7.5.4` | `7.5.5` |
| [grunt](https://github.com/gruntjs/grunt) | `1.6.1` | `1.6.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.8` | `8.5.10` |
| [webpack](https://github.com/webpack/webpack) | `5.106.0` | `5.106.2` |


Updates `jimp` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/jimp-dev/jimp/releases)
- [Changelog](https://github.com/jimp-dev/jimp/blob/v1.6.1/CHANGELOG.md)
- [Commits](jimp-dev/jimp@v1.6.0...v1.6.1)

Updates `jsrsasign` from 11.1.1 to 11.1.2
- [Release notes](https://github.com/kjur/jsrsasign/releases)
- [Changelog](https://github.com/kjur/jsrsasign/blob/master/ChangeLog.txt)
- [Commits](kjur/jsrsasign@11.1.1...11.1.2)

Updates `protobufjs` from 7.5.4 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5)

Updates `grunt` from 1.6.1 to 1.6.2
- [Release notes](https://github.com/gruntjs/grunt/releases)
- [Changelog](https://github.com/gruntjs/grunt/blob/main/CHANGELOG)
- [Commits](gruntjs/grunt@v1.6.1...v1.6.2)

Updates `postcss` from 8.5.8 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.10)

Updates `webpack` from 5.106.0 to 5.106.2
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.106.0...v5.106.2)

---
updated-dependencies:
- dependency-name: jimp
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: jsrsasign
  dependency-version: 11.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: protobufjs
  dependency-version: 7.5.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: grunt
  dependency-version: 1.6.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: webpack
  dependency-version: 5.106.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 17, 2026
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Apr 24, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 24, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/patch-updates-82f14583f1 branch April 24, 2026 02:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants