Bump the npm_and_yarn group across 5 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
kysely	0.25.0	0.28.14
zx	7.2.3	8.8.5
@hono/node-server	1.14.3	1.19.13
hono	4.7.10	4.12.14
minimatch	7.4.6	7.4.8
rollup	3.29.5	3.30.0
valibot	1.0.0-beta.7	1.2.0

Bumps the npm_and_yarn group with 1 update in the /drizzle-arktype directory: zx.
Bumps the npm_and_yarn group with 2 updates in the /drizzle-orm directory: kysely and zx.
Bumps the npm_and_yarn group with 1 update in the /drizzle-typebox directory: zx.
Bumps the npm_and_yarn group with 2 updates in the /drizzle-valibot directory: zx and valibot.

Updates kysely from 0.25.0 to 0.28.14

Release notes

Sourced from kysely's releases.

0.28.14

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

🚀 Features

🐞 Bugfixes

MySQL 🐬

• fix: string literals are injectable on MySQL when backslash escapes (\\') are used. by @​igalklebanov in kysely-org/kysely#1754 & kysely-org/kysely@054e801

📖 Documentation

• Add Node SQLite link to dialects documentation by @​wolfie in kysely-org/kysely#1709 & kysely-org/kysely#1755
• docs: document immediate value behavior in case() then/else by @​alexchenai in kysely-org/kysely#1753

📦 CICD & Tooling

• bump deno kysely dependency. by @​igalklebanov in kysely-org/kysely@9e02f3b

⚠️ Breaking Changes

🐤 New Contributors

• @​wolfie made their first contribution in kysely-org/kysely#1709
• @​alexchenai made their first contribution in kysely-org/kysely#1753

Full Changelog: kysely-org/kysely@v0.28.13...v0.28.14

0.28.13

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

🚀 Features

🐞 Bugfixes

• fix: missing sideEffects: false in root package.json resulting in bigger bundles in various bundlers. by @​igalklebanov in kysely-org/kysely#1746
• fix: Insertable allows non-objects when a table has no required columns. by @​igalklebanov in kysely-org/kysely#1747

PostgreSQL 🐘

• fix: ON COMMIT clause not being output when using .as(query) in CREATE TABLE queries. by @​igalklebanov in kysely-org/kysely#1748

📖 Documentation

📦 CICD & Tooling

... (truncated)

Commits

• 91cf373 0.28.14
• 9e02f3b bump deno kysely dependency.
• 6ef6f63 docs: document immediate value behavior in case() then/else (#1753)
• 2fb071b Remove unnecessary ")" in Node SQLite link (#1755)
• 29032ea Add Node SQLite link to dialects documentation (#1709)
• 054e801 test: add sql.lit(string) test case following #1754.
• e63ceb9 fix: string literals are injectable on MySQL when backslash escapes (\\') a...
• b15c041 0.28.13
• 6a3c898 chore: bump GitHub actions. (#1751)
• 88e6cca chore: bump dependencies. (#1750)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for kysely since your current version.

Updates zx from 7.2.3 to 8.8.5

Release notes

Sourced from zx's releases.

8.8.5 — Temporary Reservoir

This release fixes the issue, when zx flushes external node_modules on linking #1348 #1349 #1355

Also globby@15.0.0 arrives here.

8.8.4 — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic. #1344 webpod/ps#15

1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

8.8.3 — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

8.8.2 — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

8.8.1 — Turbo Flush

We keep improving the projects internal infra to bring more stability, safety and performance for artifacts.

Featfixes

• Applied flags filtration for CLI-driven deps install #1308
• Added kill() event logging #1312
• Set SIGTERM as kill() fallback signal #1313
• Allowed stdio() arg be an array #1311

const p = $({halt: true})`cmd`
p.stdio([stream, 'ignore', 'pipe'])

Enhancements

• Added check for zx@lite pkg contents #1317 #1316
• Simplified ProcessPromise[asyncIterator] inners #1307
• Updated deps: chalk 5.6.0, fs-extra 11.3.1, yaml 2.8.1 #1309 #1323 #1326
• Added TS@next to the test matrix #1310
• Optimized internal shell setters #1314
• Refactored build-publish pipelines and scripts #1319 #1320 #1321 #1322 #1324 #1325 #1327

8.8.0 — Pressure Tested

This release enhances the coherence between the ProcessPromise and the Streams API, eliminating the need for certain script-level workarounds.

✨ New Features

unpipe() — Selectively stop piping

You can now call .unpipe() to stop data transfer from a source to a destination without closing any of the pair. #1302

</tr></table> 

... (truncated)

Commits

• 1ca9270 chore: pr template formatting (#1359)
• 52b01a1 chore: update pr template (#1358)
• 70ecf23 chore: update issue templates (#1357)
• 8b08fc0 chore: bump version to 8.8.5 (#1356)
• 6045c34 chore: update globby to v15 (#1354)
• a4d1bc2 fix: checks node_modules ref on linking (#1355)
• 9ef6d3c fix(cli): prevent external node_modules deletion with --prefer-local (#1349)
• cc2a4f7 ci: update zizmor to v1.15.1 (#1353)
• b47a5f0 ci: refactor smoke tests naming (#1352)
• 1fb8c9f ci: update gh actions (#1351)
• Additional commits viewable in compare view

Updates @hono/node-server from 1.14.3 to 1.19.13

Release notes

Sourced from @​hono/node-server's releases.

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in honojs/node-server#292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in honojs/node-server#293

New Contributors

• @​TransparentLC made their first contribution in honojs/node-server#292
• @​otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290

... (truncated)

Commits

• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• Additional commits viewable in compare view

Updates hono from 4.7.10 to 4.12.14

Release notes

Sourced from hono's releases.

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

---

... (truncated)

Commits

• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• faa6c46 feat(cache): add onCacheNotAvailable option (#4876)
• f23e97b feat(trailing-slash): add skip option (#4862)
• 1aa32fb fix(types): infer response type from last handler in app.on 9- and 10-handler...
• c37ba26 4.12.12
• cc067c8 Merge commit from fork
• a586cd7 Merge commit from fork
• Additional commits viewable in compare view

Updates minimatch from 7.4.6 to 7.4.8

Commits

• 6fcf01a 7.4.8
• b03313c limit recursion for **, improve perf considerably
• 64dee8c remove dist
• d1e5e57 lockfile update
• d38768c lock node version to 14
• 926c312 7.4.7
• 5f029ed update CI matrix and actions
• fed9ab0 update test expectations for coalesced consecutive stars
• 71b4867 coalesce consecutive non-globstar * characters
• See full diff in compare view

Updates rollup from 3.29.5 to 3.30.0

Release notes

Sourced from rollup's releases.

v3.30.0

3.30.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6276: Validate bundle stays within output dir (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

3.30.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6276: Validate bundle stays within output dir (@​lukastaegert)

Commits

• d91d5e1 3.30.0
• 9677409 Update release script for backports
• c8cf1f9 Validate bundle stays within output dir (#6276)
• See full diff in compare view

Updates valibot from 1.0.0-beta.7 to 1.2.0

Release notes

Sourced from valibot's releases.

v1.2.0

Many thanks to @​EskiMojo14, @​makenowjust, @​ysknsid25 and @​jacekwilczynski for contributing to this release.

Read the release notes on our website for a quick overview of the most exciting new features in this release.

• Add toBigint, toBoolean, toDate, toNumber and toString transformation actions (pull request #1212)
• Add examples action to add example values to a schema (pull request #1199)
• Add getExamples method to extract example values from a schema (pull request #1199)
• Add isbn validation action to validate ISBN-10 and ISBN-13 strings (pull request #1097)
• Add exports for RawCheckAddIssue, RawCheckContext, RawCheckIssueInfo, RawTransformAddIssue, RawTransformContext and RawTransformIssueInfo types for better developer experience with rawCheck and rawTransform actions (pull request #1359)
• Change build step to tsdown
• Fix ReDoS vulnerability in EMOJI_REGEX used by emoji action

v1.2.0 (to-json-schema)

Many thanks to @​cruzdanilo and @​Xiot for contributing to this release.

• Add support for title, description and examples in metadata action (pull request #1189)
• Add new override configurations to override default behaviour of JSON Schema conversion (pull request #1197)
• Add storage for global definitions with addGlobalDefs and getGlobalDefs (pull request #1197)
• Add new toJsonSchemaDefs function to convert Valibot schema definitions to JSON Schema definitions (pull request #1197)

v1.1.0

Many thanks to @​EltonLobo07, @​sacrosanctic, @​muningis, @​EskiMojo14, @​MOZGIII, @​vktrl and @​jasperteo for contributing to this release.

Read the release notes on our website for a quick overview of the most exciting new features in this release.

• Add message method to overwrite local error message configuration of a schema (pull request #1103)
• Add summarize method to summarize issues into a pretty-printable multi-line string (pull request #1158)
• Add getTitle, getDescription and getMetadata methods to extract metadata of a schema (pull request #1154)
• Add minEntries and maxEntries validation action to validate number of object entries (pull request #1100)
• Add entries and notEntries validation action to validate number of object entries (pull request #1156)
• Add parseJson and stringifyJson transformation action to parse and stringify JSON (pull request #1137)
• Add flavor transformation action to flavor the output type of a schema (pull request #950)
• Add support for bigints to multipleOf validation action (pull request #1164)
• Change implementation of variant and variantAsync schema to improve performance by aborting validation of discriminators early (pull request #1110)
• Change name of NanoIDAction and NanoIDIssue interface to NanoIdAction and NanoIdIssue (pull request #1171)
• Fix internal MarkOptional type to fix input and output type of objects in edge cases (issue #1176)

v1.1.0 (to-json-schema)

Many thanks to @​sruenwg, @​muningis and @​EltonLobo07 for contributing to this release.

• Add support for minEntries and maxEntries action (pull request #1100)
• Add support for entries action (pull request #1156)
• Change Valibot peer dependency to v1.1.0
• Fix toJsonSchema to be independent of definition order (pull request #1133)
• Fix additionalItems for tuple schemas and add minItems (pull request #1126)

v1.1.0 (i18n)

Many thanks to @​mreleftheros, @​adamvx, @​illispi, @​Abilovv599, @​mtergel, @​yslpn, @​martinzilak, @​jhirvioja, @​komu, @​ganaena and @​tats-u for contributing to this release.

... (truncated)

Commits

• 053ae97 Bump version to 1.2.0 and update changelog
• de76d7c Merge pull request #1361 from open-circle/v1.2-blog-post
• c14f092 Add security fix for ReDoS vulnerability in emoji action and update release n...
• cfb799d Merge commit from fork
• 36fafd0 Add release notes blog post for Valibot v1.2 to website
• 83c07ca Merge pull request #1097 from ysknsid25/feat/add-isbn-validation
• 6957e0d Add beta annotation to JSDoc comment of isbn action
• 6c7f9c0 Add docs for new isbn action to website
• ca902e6 Refactor ISBN regex constants and update validation logic
• e7a4f17 Refactor and improve new isbn action and update changelog
• Additional commits viewable in compare view

Updates @xmldom/xmldom from 0.8.10 to 0.8.12

Release notes

Sourced from @​xmldom/xmldom's releases.

0.8.12

Commits

Fixed

• preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)
• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @​thesmartshadow, @​stevenobiajulu, for your contributions

xmldom/xmldom#357

0.8.11

0.8.11

Fixed

• update ownerDocument when moving nodes between documents [#933](https://github.com/xmldom/xmldom/issues/933) / [#932](https://github.com/xmldom/xmldom/issues/932)

Thank you, @​shunkica, for your contributions

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.8.12

Fixed

• preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)
• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @​thesmartshadow, @​stevenobiajulu, for your contributions

0.8.11

Fixed

• update ownerDocument when moving nodes between documents [#933](https://github.com/xmldom/xmldom/issues/933) / [#932](https://github.com/xmldom/xmldom/issues/932)

Thank you, @​shunkica, for your contributions

0.9.8

Fixed

• fix: replace \u2029 as part of normalizeLineEndings [#839](https://github.com/xmldom/xmldom/issues/839) / [#838](https://github.com/xmldom/xmldom/issues/838)
• perf: speed up line detection [#847](https://github.com/xmldom/xmldom/issues/847) / [#838](https://github.com/xmldom/xmldom/issues/838)

Chore

• updated dependencies
• drop jazzer and rxjs devDependencies [#845](https://github.com/xmldom/xmldom/issues/845)

Thank you, @​kboshold, @​Ponynjaa, for your contributions.

0.9.7

Added

• Implementation of hasAttributes [#804](https://github.com/xmldom/xmldom/issues/804)

Fixed

• locator is now true even when other options are being used for the DOMParser [#802](https://github.com/xmldom/xmldom/issues/802) / [#803](https://github.com/xmldom/xmldom/issues/803)

... (truncated)

Commits

• 189cb78 0.8.12
• ed08df7 fix: XML injection via unsafe CDATA serialization (GHSA-wh4c-j3r5-mjhp) (#968)
• a5b929b chore: clean up generated test artefacts before running ci-local
• 4e37a20 ci: run format:check in lint job
• ac0ac77 chore: ignore generated files when checking formatting
• 968c893 chore: add local CI script and format:check script
• ac40424 fix: preserve trailing whitespace in ProcessingInstruction data (#962)
• cece752 chore: add .nvmrc pointing to node version 18
• cbf44d9 docs: improve links to changes in most recent release
• c0f1401 0.8.11
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Updates brace-expansion from 1.1.11 to 1.1.14

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates node-forge from 1.3.1 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
  • CVE ID: CVE-2026-33896
  • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

• fa385f9 Release 1.4.0.
• 07d4e16 Update changelog.
• cb90fd9 Update changelog.
• 963e7c5 Add unit test for "pseudonym"
• f0b6f5b Add pseudonym OID
• 3df48a3 Fix missing CVE ID.
• 2e49283 Add x509 basicConstraints check.
• bdecf11 Add canonical signature scaler check for S < L.
• af094e6 Add RSA padding and DigestInfo length checks.
• 796eeb1 Improve jsbn fix.
• Additional commits viewable in compare view

Updates zx from 7.2.3 to 8.8.5

Release notes

Sourced from zx's releases.

8.8.5 — Temporary Reservoir

This release fixes the issue, when zx flushes external node_modules on linking #1348 #1349 #1355

Also globby@15.0.0 arrives here.

8.8.4 — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic. #1344 webpod/ps#15

1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

8.8.3 — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

8.8.2 — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

8.8.1 — Turbo Flush

We keep improving the projects internal infra to bring more stability, safety and performance for artifacts.

Featfixes

• Applied flags filtration for CLI-driven deps install #1308
• Added kill() event logging #1312
• Set SIGTERM as kill() fallback signal #1313
• Allowed stdio() arg be an array #1311

const p = $({halt: true})`cmd`
p.stdio([stream, 'ignore', 'pipe'])

Enhancements

• Added check for zx@lite pkg contents #1317 #1316
• Simplified ProcessPromise[asyncIterator] inners #1307
• Updated deps: chalk 5.6.0, fs-extra 11.3.1, yaml 2.8.1 #1309 #1323 #1326
• Added TS@next to the test matrix #1310
• Optimized internal shell setters #1314
• Refactored build-publish pipelines and scripts #1319 #1320 #1321 #1322 #1324 #1325 #1327

8.8.0 — Pressure Tested

This release enhances the coherence between the ProcessPromise and the Streams API, eliminating the need for certain script-level workarounds.

✨ New Features

unpipe() — Selectively stop piping

You can now call .unpipe() to stop data transfer from a source to a destination without closing any of the pair. #1302

</tr></table> 

... (truncated)

Commits

• 1ca9270 chore: pr template formatting (#1359)
• 52b01a1 chore: update pr template (#1358)
• 70ecf23 chore: update issue templates (#1357)
• 8b08fc0 chore: bump version to 8.8.5 (#1...

  Description has been truncated

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.