Skip to content

chore(deps): bump the security-updates group across 1 directory with 5 updates#2902

Open
dependabot[bot] wants to merge 1 commit into
nextfrom
dependabot/npm_and_yarn/security-updates-681233166a
Open

chore(deps): bump the security-updates group across 1 directory with 5 updates#2902
dependabot[bot] wants to merge 1 commit into
nextfrom
dependabot/npm_and_yarn/security-updates-681233166a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps the security-updates group with 5 updates in the / directory:

Package From To
js-yaml 3.14.2 3.15.0
form-data 2.5.5 2.5.6
qs 6.14.2 6.15.3
shell-quote 1.8.1 1.9.0
tmp 0.0.33 0.2.7

Updates js-yaml from 3.14.2 to 3.15.0

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits

Updates form-data from 2.5.5 to 2.5.6

Changelog

Sourced from form-data's changelog.

v2.5.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames b620316
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, tape 12be578
  • [Dev Deps] update js-randomness-predictor 46cfd23
  • [Tests] use safe-buffer so the header-injection test runs on node < 4 633044a
  • [Deps] update hasown e3b96ee
Commits
  • c713349 v2.5.6
  • 46cfd23 [Dev Deps] update js-randomness-predictor
  • 633044a [Tests] use safe-buffer so the header-injection test runs on node < 4
  • e3b96ee [Deps] update hasown
  • 12be578 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, tape
  • b620316 [Fix] escape CR, LF, and " in field names and filenames
  • See full diff in compare view

Updates qs from 6.14.2 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)
Commits
  • 18d085e v6.15.3
  • c38af42 [Deps] update side-channel
  • adce539 [Dev Deps] update eslint, mock-property, tape
  • 74a0f6a [Robustness] utils: enforce arrayLimit consistently across merge's arra...
  • f4938f5 [Tests] parse: characterize current lenient handling of unbalanced bracket ...
  • 5d5f723 [Perf] utils: make compact O(n) via a side-channel visited-set instead of...
  • 52afe00 [Robustness] parse: throw the arrayLimit error before splitting oversized...
  • 963e538 [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via...
  • 59da434 [Fix] utils: respect encoding of surrogate pairs across chunks
  • 9532969 [Robustness] utils.merge / utils.assign: avoid invoking __proto__ sette...
  • Additional commits viewable in compare view

Updates shell-quote from 1.8.1 to 1.9.0

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511

v1.8.3 - 2025-06-01

Fixed

v1.8.2 - 2024-11-27

Fixed

Commits

  • [meta] fix changelog tags 0fb9fd8
  • [actions] split out node 10-20, and 20+ 819bd84
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408
  • [actions] update npm for windows tests fdeb0fd
  • [Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b
  • [actions] prevent node 14 on ARM mac from failing 9eecafc
  • [meta] exclude more files from the package 4044e7f
  • [Tests] replace aud with npm audit 8cfdbd8
  • [meta] add missing engines.node 843820e
  • [Dev Deps] add missing peer dep 4c3b88d
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed
Commits
  • db09fc7 v1.9.0
  • 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
  • b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
  • 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
  • abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
  • 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
  • 75e8497 [actions] update workflows
  • dca6e21 [New] add types
  • 9aa9e8f [Dev Deps] update eslint
  • 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
  • Additional commits viewable in compare view

Updates tmp from 0.0.33 to 0.2.7

Changelog

Sourced from tmp's changelog.

v0.2.2 (2024-02-28)

🐛 Bug Fix

📝 Documentation

Committers: 5

v0.2.1 (2020-04-28)

🚀 Enhancement

🏠 Internal

Committers: 1

v0.2.0 (2020-04-25)

🚀 Enhancement

🐛 Bug Fix

📝 Documentation

🏠 Internal

... (truncated)

Commits

@dependabot dependabot Bot added the automated label Jun 30, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 30, 2026 13:41
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file automated labels Jun 30, 2026
…5 updates

Bumps the security-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.2` | `3.15.0` |
| [form-data](https://github.com/form-data/form-data) | `2.5.5` | `2.5.6` |
| [qs](https://github.com/ljharb/qs) | `6.14.2` | `6.15.3` |
| [shell-quote](https://github.com/ljharb/shell-quote) | `1.8.1` | `1.9.0` |
| [tmp](https://github.com/raszi/node-tmp) | `0.0.33` | `0.2.7` |



Updates `js-yaml` from 3.14.2 to 3.15.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.2...3.15.0)

Updates `form-data` from 2.5.5 to 2.5.6
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v2.5.5...v2.5.6)

Updates `qs` from 6.14.2 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.2...v6.15.3)

Updates `shell-quote` from 1.8.1 to 1.9.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.1...v1.9.0)

Updates `tmp` from 0.0.33 to 0.2.7
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.0.33...v0.2.7)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 2.5.6
  dependency-type: indirect
  dependency-group: security-updates
- dependency-name: js-yaml
  dependency-version: 3.15.0
  dependency-type: direct:development
  dependency-group: security-updates
- dependency-name: qs
  dependency-version: 6.15.3
  dependency-type: indirect
  dependency-group: security-updates
- dependency-name: shell-quote
  dependency-version: 1.9.0
  dependency-type: indirect
  dependency-group: security-updates
- dependency-name: tmp
  dependency-version: 0.2.7
  dependency-type: indirect
  dependency-group: security-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/security-updates-681233166a branch from 88e6b53 to 8b6c51b Compare July 2, 2026 08:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant