Bump the npm_and_yarn group across 10 directories with 15 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the /x402-proxy-template directory:

Package	From	To
hono	4.11.1	4.12.7
wrangler	4.56.0	4.59.1
axios	1.13.2	1.13.6
bn.js	5.2.2	5.2.3
h3	1.15.4	1.15.6
lodash	4.17.21	4.17.23
minimatch	3.1.2	3.1.5
minimatch	9.0.5	9.0.9
undici	5.29.0	7.18.2

Bumps the npm_and_yarn group with 3 updates in the /workflows-starter-template directory: wrangler, minimatch and rollup.
Bumps the npm_and_yarn group with 3 updates in the /workers-for-platforms-template directory: hono, wrangler and esbuild.
Bumps the npm_and_yarn group with 2 updates in the /workers-builds-notifications-template directory: wrangler and rollup.
Bumps the npm_and_yarn group with 2 updates in the /worker-publisher-template directory: wrangler and undici.
Bumps the npm_and_yarn group with 5 updates in the /vite-react-template directory:

Package	From	To
hono	4.11.1	4.12.4
wrangler	4.56.0	4.59.1
minimatch	3.1.2	3.1.5
minimatch	9.0.5	9.0.9
rollup	4.53.5	4.59.0
undici	5.29.0	7.18.2

Bumps the npm_and_yarn group with 7 updates in the /to-do-list-kv-template directory:

Package	From	To
wrangler	3.114.15	3.114.17
vite	5.4.14	5.4.21
diff	5.2.0	5.2.2
lodash	4.17.21	4.17.23
minimatch	9.0.5	9.0.9
minimatch	3.1.2	3.1.5
qs	6.14.0	6.14.2
rollup	4.53.5	4.59.0

Bumps the npm_and_yarn group with 2 updates in the /text-to-image-template directory: wrangler and undici.
Bumps the npm_and_yarn group with 5 updates in the /saas-admin-template directory:

Package	From	To
wrangler	4.56.0	4.59.1
devalue	5.6.2	5.6.3
diff	5.2.0	5.2.2
rollup	4.55.1	4.59.0
svgo	4.0.0	4.0.1

Bumps the npm_and_yarn group with 7 updates in the /remix-starter-template directory:

Package	From	To
wrangler	3.114.15	3.114.17
vite	5.4.14	5.4.21
diff	5.2.0	5.2.2
lodash	4.17.21	4.17.23
minimatch	9.0.5	9.0.9
minimatch	3.1.2	3.1.5
qs	6.14.0	6.14.2
rollup	4.53.5	4.59.0

Updates hono from 4.11.1 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in honojs/hono#4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in honojs/hono#4792
• chore(builld): tsconfig project references by @​BarryThePenguin in honojs/hono#4797
• chore: add tsconfig.spec.json by @​yusukebe in honojs/hono#4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in honojs/hono#4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in honojs/hono#4782

New Contributors

• @​t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in honojs/hono#4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in honojs/hono#4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in honojs/hono#4781

New Contributors

• @​andrewdamelio made their first contribution in honojs/hono#4723
• @​otoneko1102 made their first contribution in honojs/hono#4752
• @​gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

• b0aba5b 4.12.7
• 1be3a53 ci: apply automated fixes
• ef90225 Merge commit from fork
• 3f88636 4.12.6
• 53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
• 58825a7 feat(jsx-renderer): support function-based options (#4780)
• 0e80acb chore: add tsconfig.spec.json (#4798)
• d69deb8 chore(builld): tsconfig project references (#4797)
• 8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
• 5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
• Additional commits viewable in compare view

Updates wrangler from 4.56.0 to 4.59.1

Commits

• 37a8607 Version Packages (#11890)
• 99b1f32 fix: execute git commands in pages deploy safely (#11889)
• e98c95a Version Packages (#11836)
• ad65efa Add --check flag to wrangler types (#11852)
• beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
• b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
• 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
• b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
• 0eb973d Do not warn user when using a redirected config that came from a config with ...
• 0f8d69d containers: users can set multiple tiers for constraints (#11755)
• Additional commits viewable in compare view

Updates axios from 1.13.2 to 1.13.6

Release notes

Sourced from axios's releases.

v1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#7424)
• Documentation: Added missing JSDoc comments to utilities. (#7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#7386)
• @​ybbus (#7392)
• @​Shiwaangee (#7324)
• @​skrtheboss (#7403)
• @​Janaka66 (#7427)
• @​moh3n9595 (#5764)
• @​digital-wizard48 (#7424)

Full Changelog: v1.13.5...v1.13.6

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 7108c88 chore(release): prepare release 1.13.6 (#7446)
• 20a0ba3 refactor(deps): migrate @​rollup/plugin-babel from v5.3.1 to v6.1.0 (#7424)
• 885b4af feat: support react native blob objects (#5764)
• 00d97b9 docs(utils): add missing JSDoc comments (#7427)
• 9712548 chore(deps-dev): bump the development_dependencies group across 1 directory w...
• d51accb fix(core): copy status from source error in AxiosError.from (#7403)
• 3e30bbf chore: fix publish to only run on v1 tags
• 672491d fix: safe FormData detection for WeChat Mini Program (#7306) (#7324)
• 822e3e4 fix: make AxiosError.message property enumerable (#7392)
• ef3711d feat: implement prettier and fix all issues (#7385)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates bn.js from 5.2.2 to 5.2.3

Changelog

Sourced from bn.js's changelog.

5.2.3 / 2026-02-19

• fix: imaskn state (#317)

Commits

• ea6c072 5.2.3
• 33df26b fix imaskn state (#317)
• See full diff in compare view

Updates h3 from 1.15.4 to 1.15.6

Release notes

Sourced from h3's releases.

v1.15.6

compare changes

🩹 Fixes

• sse: Sanitize newlines in event stream fields to prevent SSE injection (840ac5c)
• static: Prevent path traversal via percent-encoded dot segments (6465e1b)

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.6

compare changes

🩹 Fixes

• sse: Sanitize newlines in event stream fields to prevent SSE injection (840ac5c)
• static: Prevent path traversal via percent-encoded dot segments (6465e1b)

🏡 Chore

• Update deps (65da0e4)

❤️ Contributors

• Pooya Parsa (@​pi0)

v1.15.5

compare changes

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

• Update deps (e2462ec)
• Update ci (c934599)
• Add test:types script (0a4a115)
• Update ci (b4dce71)
• Update publish tag to 1.x (589625c)
• Fix ts issue (c9ebf80)
• Update deps (d18c074)
• Fix more ts/lint issues (bd92b74)

🤖 CI

• Fix publish tag (401c9b8)

❤️ Contributors

• Pooya Parsa (@​pi0)

Commits

• 829daf1 chore(release): v1.15.6
• 65da0e4 chore: update deps
• 6465e1b fix(static): prevent path traversal via percent-encoded dot segments
• 840ac5c fix(sse): sanitize newlines in event stream fields to prevent SSE injection
• 24231b9 chore(release): v1.15.5
• bd92b74 chore: fix more ts/lint issues
• d18c074 chore: update deps
• c9ebf80 chore: fix ts issue
• 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
• 401c9b8 ci: fix publish tag
• Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 9.0.9

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates undici from 5.29.0 to 7.18.2

Release notes

Sourced from undici's releases.

v7.18.2

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

What's Changed

• fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @​mcollina in nodejs/undici#4729

Full Changelog: nodejs/undici@v7.18.1...v7.18.2

v7.18.1

What's Changed

• Test and Fix running without SSL by @​mcollina in nodejs/undici#4727
• docs: add security warning for strictContentLength option by @​mcollina in nodejs/undici#4726
• build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 by @​dependabot[bot] in nodejs/undici#4718
• build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in nodejs/undici#4719

Full Changelog: nodejs/undici@v7.18.0...v7.18.1

v7.18.0

What's Changed

Full Changelog: nodejs/undici@v7.17.0...v7.18.0

v7.17.0

What's Changed

• chore: extract infra and encoding methods by @​Uzlopak in nodejs/undici#4523
• ci: remove h2 by @​Uzlopak in nodejs/undici#4534
• ci: make nodejs-shared wf reusable, install binaryen for wasm-opt, test on node-nightly by @​Uzlopak in nodejs/undici#4535
• ci: fix nightly shared library case by @​Uzlopak in nodejs/undici#4543
• test: consume bodies of fetch responses to fix failing macos 20 ci by @​Uzlopak in nodejs/undici#4528
• docs: add Cache Interceptor example to README by @​tawseefnabi in nodejs/undici#4393
• test: remove node20 version check by @​Uzlopak in nodejs/undici#4544
• types: use MessagePort instance type in MessageEvent by @​Renegade334 in nodejs/undici#4546
• ci: set write permissions on job level by @​Uzlopak in nodejs/undici#4537
• lint: activate n/no-process-exit by @​Uzlopak in nodejs/undici#4548
• ci: run benchmarks on pull_requests and by pushing on specific branches only by @​Uzlopak in nodejs/undici#4536
• chore: activate n/prefer-node-protocol to enforce 'node:' prefix for requiring node built-ins by @​Uzlopak in nodejs/undici#4547
• feat(H2): correct CONNECT behaviour by @​metcoder95 in nodejs/undici#4541
• test: fix plans by @​Uzlopak in nodejs/undici#4550
• feat: add runtime feature "detection" by @​Uzlopak in nodejs/undici#4545
• perf: use less promises in extractBody by @​Uzlopak in nodejs/undici#4458
• fix(proxy-agent): add missing return after callback-call by @​Uzlopak in nodejs/undici#4553
• fix: remove redundant line in retry-handler by @​Uzlopak in nodejs/undici#4554
• ci: add no-wasm-simd option by @​Uzlopak in nodejs/undici#4533
• fix: use lazyloaders for runtime feature detection by @​Uzlopak in nodejs/undici#4557
• fix: minor changes in dispatcher-base.js and types for Dispatcher by @​Uzlopak in nodejs/undici#4556

... (truncated)

Commits

• 7e5cb2d Bumped v7.18.2 (#4730)
• b04e3cb fix(decompress): limit Content-Encoding chain to 5 to prevent resource exhaus...
• 2bcb77b Bumped v7.18.1 (#4728)
• 58a12b7 build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#4719)
• 5fa2930 build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 (#4718)
• fbbe283 docs: add security warning for strictContentLength option (#4726)
• ce12d9e fix: do not crash if Node.js is compiled without SSL (#4727)
• ebe3e33 Bumped v7.18.0 (#4725)
• 4e9b88b fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• d560767 Bumped v7.17.0 (#4724)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates wrangler from 4.56.0 to 4.71.0

Commits

• 37a8607 Version Packages (#11890)
• 99b1f32 fix: execute git commands in pages deploy safely (#11889)
• e98c95a Version Packages (#11836)
• ad65efa Add --check flag to wrangler types (#11852)
• beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
• b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
• 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
• b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
• 0eb973d Do not warn user when using a redirected config that came from a config with ...
• 0f8d69d containers: users can set multiple tiers for constraints (#11755)
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 9.0.9

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates rollup from 4.53.5 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert<...

  Description has been truncated