chore(deps): update several dependencies to solve CVEs (#40403)

dionisio-bot[bot] · julio-rocketchat · web-flow · commit 0d1c56532ef2 · 2026-05-05T15:56:21.000+02:00
Co-authored-by: Julio Araujo &lt;julio.araujo@rocket.chat&gt;
diff --git a/apps/meteor/ee/server/services/package.json b/apps/meteor/ee/server/services/package.json
@@ -28,7 +28,7 @@
 		"@rocket.chat/string-helpers": "~0.32.0",
 		"@rocket.chat/ui-kit": "workspace:~",
 		"ajv": "^8.17.1",
-		"bcrypt": "^5.1.1",
+		"bcrypt": "^6.0.0",
 		"body-parser": "^1.20.4",
 		"colorette": "^2.0.20",
 		"cookie": "^0.7.2",
diff --git a/apps/meteor/package.json b/apps/meteor/package.json
@@ -85,7 +85,7 @@
 		"@opentelemetry/api": "^1.9.1",
 		"@opentelemetry/exporter-trace-otlp-grpc": "^0.54.2",
 		"@opentelemetry/sdk-node": "^0.54.2",
-		"@parse/node-apn": "^7.0.1",
+		"@parse/node-apn": "^8.1.0",
 		"@react-aria/toolbar": "^3.0.0-nightly.5042",
 		"@react-pdf/renderer": "^4.3.2",
 		"@rocket.chat/abac": "workspace:^",
@@ -169,7 +169,7 @@
 		"asterisk-manager": "^0.2.0",
 		"atlassian-crowd-patched": "^0.5.1",
 		"bad-words": "^3.0.4",
-		"bcrypt": "^5.1.1",
+		"bcrypt": "^6.0.0",
 		"body-parser": "1.20.4",
 		"bson": "^6.7.1",
 		"busboy": "^1.6.0",
@@ -316,7 +316,7 @@
 		"@babel/preset-react": "~7.27.1",
 		"@babel/register": "~7.28.6",
 		"@faker-js/faker": "~8.0.2",
-		"@playwright/test": "^1.52.0",
+		"@playwright/test": "~1.52.0",
 		"@rocket.chat/desktop-api": "workspace:~",
 		"@rocket.chat/jest-presets": "workspace:~",
 		"@rocket.chat/livechat": "workspace:^",
@@ -335,7 +335,7 @@
 		"@types/adm-zip": "^0.5.8",
 		"@types/archiver": "~6.0.4",
 		"@types/bad-words": "^3.0.3",
-		"@types/bcrypt": "^5.0.2",
+		"@types/bcrypt": "^6.0.0",
 		"@types/body-parser": "^1.19.6",
 		"@types/busboy": "^1.5.4",
 		"@types/chai": "~4.3.20",
@@ -423,7 +423,7 @@
 		"outdent": "~0.8.0",
 		"pino-pretty": "13.1.3",
 		"playwright-core": "~1.52.0",
-		"playwright-qase-reporter": "~2.1.7",
+		"playwright-qase-reporter": "~2.5.0",
 		"postcss": "~8.4.49",
 		"postcss-custom-properties": "^14.0.6",
 		"postcss-easy-import": "^4.0.0",
diff --git a/ee/apps/account-service/package.json b/ee/apps/account-service/package.json
@@ -31,7 +31,7 @@
 		"@rocket.chat/tools": "workspace:^",
 		"@rocket.chat/tracing": "workspace:^",
 		"@types/node": "~22.16.5",
-		"bcrypt": "^5.1.1",
+		"bcrypt": "^6.0.0",
 		"ejson": "^2.2.3",
 		"eventemitter3": "^5.0.4",
 		"mem": "^8.1.1",
@@ -45,7 +45,7 @@
 	},
 	"devDependencies": {
 		"@rocket.chat/tsconfig": "workspace:*",
-		"@types/bcrypt": "^5.0.2",
+		"@types/bcrypt": "^6.0.0",
 		"@types/polka": "^0.5.8",
 		"@types/prometheus-gc-stats": "^0.6.4",
 		"eslint": "~9.39.4",
diff --git a/ee/packages/federation-matrix/package.json b/ee/packages/federation-matrix/package.json
@@ -47,7 +47,7 @@
 		"@types/sanitize-html": "~2.16.1",
 		"eslint": "~9.39.4",
 		"jest": "~30.2.0",
-		"jest-qase-reporter": "^2.1.4",
+		"jest-qase-reporter": "^2.4.0",
 		"matrix-js-sdk": "^38.4.0",
 		"pino-pretty": "13.1.3",
 		"typescript": "~5.9.3"
diff --git a/ee/packages/license/package.json b/ee/packages/license/package.json
@@ -20,12 +20,12 @@
 		"@rocket.chat/core-typings": "workspace:^",
 		"@rocket.chat/jwt": "workspace:^",
 		"@rocket.chat/logger": "workspace:^",
-		"bcrypt": "^5.1.1"
+		"bcrypt": "^6.0.0"
 	},
 	"devDependencies": {
 		"@rocket.chat/jest-presets": "workspace:~",
 		"@rocket.chat/tsconfig": "workspace:*",
-		"@types/bcrypt": "^5.0.2",
+		"@types/bcrypt": "^6.0.0",
 		"@types/jest": "~30.0.0",
 		"@types/ws": "^8.5.14",
 		"eslint": "~9.39.4",
diff --git a/package.json b/package.json
@@ -37,6 +37,16 @@
 	"resolutions": {
 		"@sematext/gc-stats@npm:^1.5.9": "patch:@sematext/gc-stats@npm%3A1.5.9#~/.yarn/patches/@sematext-gc-stats-npm-1.5.9-01e77be4d0.patch",
 		"adm-zip": "0.5.9",
+		"axios@npm:^1.6.1": "1.15.2",
+		"axios@npm:^1.7.4": "1.15.2",
+		"axios@npm:^1.7.8": "1.15.2",
+		"axios@npm:^1.11.0": "1.15.2",
+		"axios@npm:^1.13.2": "1.15.2",
+		"sass/immutable": "5.1.5",
+		"jws@npm:^3.2.2": "3.2.3",
+		"jws@npm:^4.0.0": "4.0.1",
+		"tar-fs@npm:^2.0.0": "2.1.4",
+		"tar-fs@npm:^3.0.6": "3.0.10",
 		"brace-expansion@npm:^2.0.1": "^2.0.3",
 		"brace-expansion@npm:^5.0.2": "^5.0.5",
 		"@meteorjs/crypto-browserify/pbkdf2": "3.1.3",
@@ -56,6 +66,14 @@
 		"mongodb": "6.10.0",
 		"protobufjs": "7.5.5",
 		"webdav/axios": "0.31.1",
+		"flatted@npm:^3.1.0": "3.4.2",
+		"flatted@npm:^3.2.9": "3.4.2",
+		"flatted@npm:^3.3.1": "3.4.2",
+		"glob@npm:^10.0.0": "10.5.0",
+		"glob@npm:^10.2.2": "10.5.0",
+		"glob@npm:^10.3.7": "10.5.0",
+		"glob@npm:^10.3.10": "10.5.0",
+		"glob@npm:^11.0.0": "11.1.0",
 		"picomatch@npm:^2.0.4": "^2.3.2",
 		"picomatch@npm:^2.2.1": "^2.3.2",
 		"picomatch@npm:^2.2.3": "^2.3.2",
@@ -91,11 +109,50 @@
 		"create-hash/cipher-base": "1.0.7",
 		"create-hmac/cipher-base": "1.0.7",
 		"create-hash/sha.js": "2.4.12",
-		"create-hmac/sha.js": "2.4.12"
+		"create-hmac/sha.js": "2.4.12",
+		"@typescript-eslint/typescript-estree/minimatch": "10.2.5",
+		"depcheck/minimatch": "7.4.9",
+		"eslint-plugin-import/minimatch": "3.1.5",
+		"eslint-plugin-jsx-a11y/minimatch": "3.1.5",
+		"eslint-plugin-react/minimatch": "3.1.5",
+		"fork-ts-checker-webpack-plugin/minimatch": "3.1.5",
+		"mocha/minimatch": "4.2.6",
+		"multimatch/minimatch": "3.1.5",
+		"npm-run-all/minimatch": "3.1.5",
+		"postcss-bem-linter/minimatch": "3.1.5",
+		"postcss-url/minimatch": "3.1.5",
+		"readdir-glob/minimatch": "5.1.9",
+		"test-exclude/minimatch": "3.1.5",
+		"webdav/minimatch": "5.1.9",
+		"glob@npm:7.2.0/minimatch": "3.1.5",
+		"minimatch@npm:^3.1.1": "3.1.5",
+		"minimatch@npm:^9.0.4": "9.0.9",
+		"minimatch@npm:^10.0.0": "10.2.5",
+		"nodemailer@npm:^8.0.5": "8.0.7",
+		"mailparser/nodemailer": "7.0.13",
+		"normalize-package-data@npm:2.5.0/semver": "5.7.2",
+		"make-dir@npm:2.1.0/semver": "5.7.2",
+		"utf7/semver": "5.7.2",
+		"semver@npm:^7.3.2": "7.7.4",
+		"semver@npm:^7.3.4": "7.7.4",
+		"semver@npm:^7.3.5": "7.7.4",
+		"semver@npm:^7.3.7": "7.7.4",
+		"semver@npm:^7.5.2": "7.7.4",
+		"semver@npm:^7.5.3": "7.7.4",
+		"semver@npm:^7.5.4": "7.7.4",
+		"semver@npm:^7.6.2": "7.7.4",
+		"semver@npm:^7.6.3": "7.7.4",
+		"semver@npm:^7.7.1": "7.7.4",
+		"semver@npm:^7.7.2": "7.7.4",
+		"semver@npm:^7.7.3": "7.7.4",
+		"@peggyjs/from-mem/semver": "7.7.4",
+		"node-gyp/tar": "7.5.13",
+		"cacache/tar": "7.5.13",
+		"@mapbox/node-pre-gyp/tar": "7.5.13"
 	},
 	"dependencies": {
 		"@types/stream-buffers": "^3.0.8",
-		"node-gyp": "^10.2.0"
+		"node-gyp": "^11.0.0"
 	},
 	"devDependencies": {
 		"@changesets/cli": "^2.27.12",
diff --git a/packages/livechat/package.json b/packages/livechat/package.json
@@ -77,7 +77,7 @@
 		"babel-loader": "~10.0.0",
 		"cross-env": "^7.0.3",
 		"css-loader": "^4.3.0",
-		"cssnano": "^7.0.7",
+		"cssnano": "^7.1.7",
 		"desvg-loader": "^0.1.0",
 		"eslint": "~9.39.4",
 		"file-loader": "^6.2.0",
diff --git a/packages/ui-voip/package.json b/packages/ui-voip/package.json
@@ -26,7 +26,7 @@
 		"react-i18next": "~13.2.2"
 	},
 	"devDependencies": {
-		"@playwright/test": "^1.52.0",
+		"@playwright/test": "~1.52.0",
 		"@react-spectrum/test-utils": "~1.0.0-alpha.8",
 		"@rocket.chat/core-typings": "workspace:^",
 		"@rocket.chat/css-in-js": "~0.31.25",
diff --git a/yarn.lock b/yarn.lock
