chore (deps): bump the patch-updates group across 1 directory with 11 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Bumps the patch-updates group with 11 updates in the / directory:

Package	From	To
@xmldom/xmldom	0.8.12	0.8.13
dompurify	3.4.0	3.4.1
jimp	1.6.0	1.6.1
jsrsasign	11.1.1	11.1.3
protobufjs	7.5.4	7.5.5
@codemirror/view	6.41.0	6.41.1
grunt	1.6.1	1.6.2
html-webpack-plugin	5.6.6	5.6.7
postcss	8.5.8	8.5.10
terser	5.46.1	5.46.2
webpack	5.106.0	5.106.2

Updates @xmldom/xmldom from 0.8.12 to 0.8.13

Release notes

Sourced from @​xmldom/xmldom's releases.

0.8.13

Commits

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.8.13

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

Added

• implement ParentNode.children getter [#960](https://github.com/xmldom/xmldom/issues/960) / [#410](https://github.com/xmldom/xmldom/issues/410)

Fixed

• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
• correctly traverse ancestor chain in Node.contains [#931](https://github.com/xmldom/xmldom/issues/931)

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

• updated dependencies

Thank you, @​stevenobiajulu, @​yoshi389111, @​thesmartshadow, for your contributions

Commits

• e5c1480 0.8.13
• 9611e20 style: drop unused import in test file
• dc4dff3 docs: add 0.8.13 changelog entry
• 842fa38 fix: prevent stack overflow in normalize (GHSA-2v35-w6hq-6mfw)
• aeff69f test: add normalize behavioral coverage to node.test.js
• cbdb0d7 fix: make walkDOM iterative to prevent stack overflow (GHSA-2v35-w6hq-6mfw)
• 0b543d3 test: assert namespace declarations are isolated between siblings in serializ...
• c007c51 refactor: migrate serializeToString to walkDOM
• 2bb3899 test: add serializeToString coverage for uncovered branches
• e69f38d refactor: migrate importNode to walkDOM
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Updates dompurify from 3.4.0 to 3.4.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

Commits

• 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
• 09f5911 test: added three more browsers to test setup (OSX, mobile)
• See full diff in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates jimp from 1.6.0 to 1.6.1

Release notes

Sourced from jimp's releases.

v1.6.1

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

• fix docs imports (@​hipstersmoothie)
• @jimp/core, @jimp/plugin-quantize, @jimp/wasm-avif, @jimp/wasm-jpeg, @jimp/wasm-png, @jimp/wasm-webp
  • Update file-type from ^16 to ^21.3.3 in @​jimp/core #1400 (@​Kashkovsky @​hipstersmoothie)

⚠️ Pushed to main

• @jimp/core
  • Doc updates (closes #1342) (@​hipstersmoothie)

📝 Documentation

• docs: correct GitHub repo link #1340 (@​vikiboss)

Authors: 3

• Andrew Lisowski (@​hipstersmoothie)
• Denys Kashkovskyi (@​Kashkovsky)
• Viki (@​vikiboss)

Changelog

Sourced from jimp's changelog.

v1.6.1 (Tue Apr 07 2026)

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

• fix docs imports (@​hipstersmoothie)
• @jimp/core, @jimp/plugin-quantize, @jimp/wasm-avif, @jimp/wasm-jpeg, @jimp/wasm-png, @jimp/wasm-webp
  • Update file-type from ^16 to ^21.3.3 in @​jimp/core #1400 (@​Kashkovsky @​hipstersmoothie)

⚠️ Pushed to main

• @jimp/core
  • Doc updates (closes #1342) (@​hipstersmoothie)

📝 Documentation

• docs: correct GitHub repo link #1340 (@​vikiboss)

Authors: 3

• Andrew Lisowski (@​hipstersmoothie)
• Denys Kashkovskyi (@​Kashkovsky)
• Viki (@​vikiboss)

---

v1.5.0 (Mon Sep 09 2024)

Release Notes

Add support for image decoder options (#1336)

Can now have options for the underlying image codecs

---

🚀 Enhancement

• @jimp/core, @jimp/types, @jimp/js-bmp, @jimp/js-jpeg, @jimp/js-png
  • Add support for image decoder options #1336 (@​hipstersmoothie)

... (truncated)

Commits

• 7e6a956 Bump version to: v1.6.1 [skip ci]
• cf9ed93 Update contributors [skip ci]
• 7851672 Update CHANGELOG.md [skip ci]
• e1bfa93 Update file-type from ^16 to ^21.3.3 in @​jimp/core (#1400)
• b6b0e41 fix docs imports
• c943994 docs: correct GitHub repo link (#1340)
• f3e6b9e Doc updates (closes #1342)
• See full diff in compare view

Updates jsrsasign from 11.1.1 to 11.1.3

Release notes

Sourced from jsrsasign's releases.

Security Fix

• Changes from 11.1.2 to 11.1.3 (2026-Apr-18)
  • base64x.js
    • timingSafeEqual and timingSafeEqualImpl added
  • jws.js
    • modified to use timingSafeEqual for HS* signature verification
  • Security fixes:
    • JWS hmac signature validation timing attack fix #654 by @​Kr0emer
  • bugfix
    • jws.js
      • wrong thumbprint calculation for symmetric key (KJUR.jws.JWS.getJWKthumbprint) reported in issue #656 by @​e3stpavel

Security Fix

• Changes from 11.1.1 to 11.1.2 (2026-Apr-12)
  • Security fixes:
    • HIGH: wrong random for for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom) reported by Bronson Yen of Calif.io and @​Kr0emer #655.
    • HIGH: ASN.1 Parser Infinite Loop (asn1hex.js) getChildIdx fix to avoid infinite loop reported by Koda Reef.
    • HIGH: DSA Universal Signature Forgery (dsa.js) FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash reported by Koda Reef, Nicholas Carlini and @​Kr0emer.
    • ASN1HEX.getChildIdx DoS (asn1hex.js) getChildIdx may raise DoS because of lacking value length check reported by Yt(yutengsun) and Franciny S Roj.
    • missing JWS crit header parameter validation (jws.js) as reported by Franciny S Roj. Thank you indeed for those vulnerability reports and/or patches.

Changelog

Sourced from jsrsasign's changelog.

ChangeLog for jsrsasign

• Changes from 11.1.2 to 11.1.3 (2026-Apr-18)

  • base64x.js
    • timingSafeEqual and timingSafeEqualImpl added
  • jws.js
    • modified to use timingSafeEqual for HS* signature verification
  • Security fixes:
    • JWS hmac signature validation timing attack fix #654 by @​Kr0emer
  • bugfix
    • jws.js
      • wrong thumbprint calculation for symmetric key (KJUR.jws.JWS.getJWKthumbprint) reported in issue #656 by @​e3stpavel.

• Changes from 11.1.1 to 11.1.2 (2026-Apr-12)

  • Security fixes:
    • HIGH: wrong random for for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom) reported by Bronson Yen of Calif.io and @​Kr0emer #655.
    • HIGH: ASN.1 Parser Infinite Loop (asn1hex.js) getChildIdx fix to avoid infinite loop reported by Koda Reef.
    • HIGH: DSA Universal Signature Forgery (dsa.js) FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash reported by Koda Reef, Nicholas Carlini and @​Kr0emer.
    • ASN1HEX.getChildIdx DoS (asn1hex.js) getChildIdx may raise DoS because of lacking value length check reported by Yt(yutengsun) and Franciny S Roj.
    • missing JWS crit header parameter validation (jws.js) as reported by Franciny S Roj. Thank you indeed for those vulnerability reports and/or patches.

• Changes from 11.1.0 to 11.1.1 (2026-Feb-20)

  • security fix for DSA and BigInteger
    • PR #651, #650, #649, #648, #647, #646, #645. Thank you @​Kr0remer
    • After assigned CVE number reports will be added.
  • SECURITY.md added. Thank you @​njg7194

restore KJUR.crypto.Cipher class without RSA/RSAOAEP support

• Changes from 11.0.0 to 11.1.0 (2024-Feb-01)
  • src/crypto.js
    • restore KJUR.crypto.Cipher class without RSA and RSAOAEP encryption/decryption support

remove RSA and RSAOAEP encryption for Marvin attack

• Changes from 10.9.0 to 11.0.0 (2024-Jan-16)
  • Major Changes:
    • Stop to support Internet Explorer.
    • Stop to support bower.
    • Modern ECMA functions will be introduced such as Promise, let, Array methods or class.
    • API document generator will be changed from Jsdoc Toolkit to JSDoc3.
    • Module bandler will be used such as browserify or webpack.

... (truncated)

Commits

• 5d67719 11.1.3 release
• 53c0afd README update
• 7933fcb README update
• dfbc4ba README update
• d568de3 11.1.2 release
• 08f659d delete sponsorship
• 66ff9ba text update
• d3370bf text update
• See full diff in compare view

Updates protobufjs from 7.5.4 to 7.5.5

Release notes

Sourced from protobufjs's releases.

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#2126)
• fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

Changelog

Sourced from protobufjs's changelog.

Changelog

8.0.1 (2026-03-11)

Bug Fixes

• bump protobufjs dependency version for cli package (#2128) (549b05e)
• correct json syntax in tsconfig.json (#2120) (8065625)
• descriptor: guard oneof index for non-Type parents (#2122) (1cac5cf)
• do not allow setting proto in Message constructor (#2126) (f05e3c3)
• filter invalid characters from the type name (#2127) (535df44)

8.0.0 (2025-12-16)

⚠ BREAKING CHANGES

• add Edition 2024 Support (#2060)

Features

• add Edition 2024 Support (#2060) (53e8492)

Commits

• b7bdfaf chore: release 7.5.5
• ff7b2af fix: filter invalid characters from the type name (#2127)
• 086b19d fix: do not allow setting proto in Message constructor (#2126)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by fenster, a new releaser for protobufjs since your current version.

Updates @codemirror/view from 6.41.0 to 6.41.1

Commits

• See full diff in compare view

Updates grunt from 1.6.1 to 1.6.2

Changelog

Sourced from grunt's changelog.

v1.6.2 date: 2026-04-14 changes: - Update minimatch to 3.1.5. (PR: gruntjs/grunt#1796) - Update nopt to 5.0.0. (PR: gruntjs/grunt#1778)

Commits

• f49016e 1.6.2
• 662e097 Update minimatch to 3.1.5 to fix CVEs
• a29fd18 CI: add Node.js 24 to version matrix
• f757c4f Update links
• b5aa834 Merge pull request #1792 from UlisesGascon/security-md
• 8d2dea2 docs: refresh security policy
• aa15bdc Merge pull request #1786 from stscoundrel/ci-node-22
• ee5b2a3 Merge pull request #1787 from gruntjs/add-commercial-support
• c0e2b42 Readme updates re: support
• c4f037d CI: update GH actions V3 -> V4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by krinkle, a new releaser for grunt since your current version.

Updates html-webpack-plugin from 5.6.6 to 5.6.7

Changelog

Sourced from html-webpack-plugin's changelog.

5.6.7 (2026-04-17)

Bug Fixes

• provide module/exports in VM sandbox for Node.js 25+ compatibility (#1889) (c862830), closes #1880 facebook/docusaurus#11545

Commits

• fdef1b4 chore(release): 5.6.7
• c862830 fix: provide module/exports in VM sandbox for Node.js 25+ compatibility (#1889)
• 0d1ff98 refactor: remove lodash usage where possible (#1888)
• See full diff in compare view

Updates postcss from 8.5.8 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates terser from 5.46.1 to 5.46.2

Changelog

Sourced from terser's changelog.

v5.46.2

• unused option: delete computed keys of concise methods and getters/setters.
• Error.cause added to DOM properties list
• Don't consider foo.bar and foo["bar"] to be equivalent when property mangler is enabled with keep_quoted=strict option.

Commits

• b929080 5.46.2
• 5a3dc6a update changelog
• 8a5b478 drop_unused: delete computed keys of concise methods and getters/setters. Clo...
• 45c49c0 add Error.cause to domprops. Closes #1673
• b5bb95e do not consider foo.bar and foo["bar"] to be equivalent. Closes #1674
• See full diff in compare view

Updates webpack from 5.106.0 to 5.106.2

Release notes

Sourced from webpack's releases.

v5.106.2

Patch Changes

• CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

• Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

• Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

• Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

• Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

• Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

• Marked all experimental options in types. (by @​alexander-akait in #20814)

v5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

Changelog

Sourced from webpack's changelog.

5.106.2

Patch Changes

• CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

• Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

• Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

• Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

• Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

• Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

• Marked all experimental options in types. (by @​alexander-akait in #20814)

5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

Commits

• 0d7e3e0 chore(release): new release (#20815)
• d5df118 chore(deps): bump actions/cache in the dependencies group (#20839)
• 5f0874b fix: make asset modules available in JS when referenced from CSS and lazy JS ...
• b63ab37 chore(deps): bump test/test262-cases in the dependencies group (#20792)
• 313dfc5 ci: improve time for windows (#20840)
• a553f61 test: update test262 (#20841)
• 1ef747c fix: CSS @​import should inherit parent's exportType over parser config (#20838)
• 485d4ce chore(deps): update open-cli (#20834)
• 46042b9 chore(deps): no outdated strip-ansi (#20835)
• 8c7700b fix: handle @charset at-rules in CSS modules
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are no longer being updated by Dependabot, so this is no longer needed.