Bump the npm_and_yarn group across 22 directories with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: next.
Bumps the npm_and_yarn group with 3 updates in the /astro-blog-starter-template directory: h3, picomatch and smol-toml.
Bumps the npm_and_yarn group with 1 update in the /chanfana-openapi-template directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /d1-starter-sessions-api-template directory: picomatch.
Bumps the npm_and_yarn group with 1 update in the /llm-chat-app-template directory: picomatch.
Bumps the npm_and_yarn group with 2 updates in the /microfrontend-template directory: picomatch and undici.
Bumps the npm_and_yarn group with 1 update in the /mysql-hyperdrive-template directory: picomatch.
Bumps the npm_and_yarn group with 5 updates in the /next-starter-template directory:

Package	From	To
next	16.0.7	16.1.7
fast-xml-parser	4.2.5	5.5.8
flatted	3.3.3	3.4.2
picomatch	4.0.3	4.0.4
picomatch	2.3.1	2.3.2
undici	5.29.0	7.24.4

Bumps the npm_and_yarn group with 2 updates in the /nlweb-template directory: picomatch and undici.
Bumps the npm_and_yarn group with 1 update in the /postgres-hyperdrive-template directory: picomatch.
Bumps the npm_and_yarn group with 3 updates in the /react-postgres-fullstack-template directory: flatted, picomatch and undici.
Bumps the npm_and_yarn group with 2 updates in the /react-router-hono-fullstack-template directory: picomatch and undici.
Bumps the npm_and_yarn group with 2 updates in the /react-router-postgres-ssr-template directory: picomatch and undici.
Bumps the npm_and_yarn group with 2 updates in the /react-router-starter-template directory: picomatch and undici.
Bumps the npm_and_yarn group with 2 updates in the /remix-starter-template directory: flatted and picomatch.
Bumps the npm_and_yarn group with 3 updates in the /saas-admin-template directory: h3, picomatch and smol-toml.
Bumps the npm_and_yarn group with 2 updates in the /to-do-list-kv-template directory: flatted and picomatch.
Bumps the npm_and_yarn group with 3 updates in the /vite-react-template directory: flatted, picomatch and undici.
Bumps the npm_and_yarn group with 2 updates in the /workers-builds-notifications-template directory: picomatch and undici.
Bumps the npm_and_yarn group with 1 update in the /workers-for-platforms-template directory: undici.
Bumps the npm_and_yarn group with 3 updates in the /workflows-starter-template directory: flatted, picomatch and undici.
Bumps the npm_and_yarn group with 5 updates in the /x402-proxy-template directory:

Package	From	To
flatted	3.3.3	3.4.2
h3	1.15.4	1.15.10
picomatch	2.3.1	2.3.2
picomatch	4.0.3	4.0.4
socket.io-parser	4.2.4	4.2.6
undici	5.29.0	7.24.4

Updates next from 16.0.7 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates h3 from 1.15.5 to 1.15.10

Release notes

Sourced from h3's releases.

v1.15.10

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

• Sergio Azócar (@​sergioazoc)

v1.15.9

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)
• static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
• sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

• static: Narrow path traversal check to match .. as a path segment only (c049dc0)
• app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

• Remove implicit event handler conversion warning (#1340)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Wind (@​productdevbook)

v1.15.6

compare changes

🩹 Fixes

• sse: Sanitize newlines in event stream fields to prevent SSE injection (840ac5c)

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.10

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#1355)

🏡 Chore

• Update deps (26fec6f)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Sergio Azócar (@​sergioazoc)

v1.15.9

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)
• static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
• sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

🏡 Chore

• release: V1.15.8 (e3b9c9e)
• Update deps (23045df)

❤️ Contributors

• Pooya Parsa (@​pi0)

v1.15.8

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)

❤️ Contributors

• Pooya Parsa (@​pi0)

v1.15.7

... (truncated)

Commits

• b72bb57 chore(release): v1.15.10
• d8ef318 remove resolutions for h3
• 26fec6f chore: update deps
• 51ca9b3 fix: preserve percent-encoded req.url in app event handler (#1355)
• 4e8d43a chore(release): v1.15.9
• 23045df chore: update deps
• ba3c3fe fix(sse): sanitize carriage returns in event stream data and comments
• c56683d fix(static): prevent path traversal via double-encoded dot segments (`%252e%2...
• e3b9c9e chore(release): v1.15.8
• 1103df6 fix: preserve %25 in pathname
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates smol-toml from 1.6.0 to 1.6.1

Release notes

Sourced from smol-toml's releases.

v1.6.1

This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recustion and cause a stack overflow error with a document that contains thousands of sucessive commented lines. Security advisory: GHSA-v3rj-xjv7-4jmq

Commits

• 072b64f chore: version bump
• 19a5dc7 chore: upgrade dependencies and actions
• f286f87 fix: don't use recursion in skipVoid
• See full diff in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates undici from 7.18.2 to 7.24.6

Release notes

Sourced from undici's releases.

v7.24.6

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in nodejs/undici#4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in nodejs/undici#4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in nodejs/undici#4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in nodejs/undici#4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in nodejs/undici#4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in nodejs/undici#4834
• docs: clarify fetch and FormData pairing by @​mcollina in nodejs/undici#4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in nodejs/undici#4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in nodejs/undici#4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in nodejs/undici#4926
• test: auto-init WPT submodule by @​mcollina in nodejs/undici#4930

New Contributors

• @​rozzilla made their first contribution in nodejs/undici#4909
• @​veeceey made their first contribution in nodejs/undici#4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

What's Changed

• Formdata tests by @​KhafraDev in nodejs/undici#4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in nodejs/undici#4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in nodejs/undici#4913

New Contributors

• @​metalix2 made their first contribution in nodejs/undici#4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in nodejs/undici#4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

... (truncated)

Commits

• 38eab36 Bumped v7.24.6 (#4931)
• 993609d test: auto-init WPT submodule (#4930)
• 1eacc49 build(deps-dev): bump typescript from 5.9.3 to 6.0.2 (#4926)
• b64e7e4 fix: avoid prototype collisions in parseHeaders (#4923)
• deba679 Revert "fix: assume http/https scheme for scheme-less proxy env vars (#4914)"
• feef62b fix: support Connection header with connection-specific header names per RFC ...
• a613d9a docs: clarify fetch and FormData pairing (#4922)
• 2ba99a3 fix: wrap kConnector call in try/catch to prevent client hang (#4834)
• a7398c0 fix(cache): check Authorization on request headers per RFC 9111 §3.5 (#4911)
• 2b2afbc fix: assume http/https scheme for scheme-less proxy env vars (#4914)
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates next from 16.0.7 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates fast-xml-parser from 4.2.5 to 5.5.8

Release notes

Sourced from fast-xml-parser's releases.

fix bugs of entity parsing and value parsing

fix: entity expansion limits update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.9 / 2026-03-23

• combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

• support maxEntityCount
• support onDangerousProperty
• support maxNestedTags
• handle prototype pollution
• fix incorrect entity name replacement
• fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

• pass read only matcher in callback

5.5.7 / 2026-03-19

• fix: entity expansion limits
• update strnum package to 2.2.0

5.5.6 / 2026-03-16

• update builder dependency
• fix incorrect regex to replace . in entity name
• fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

• sanitize dangerous tag or attribute name
• error on critical property name
• support onDangerousProperty option

5.5.4 / 2026-03-13

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

• upgrade builder

5.5.2 / 2026-03-11

• update dependency to fix typings

5.5.1 / 2026-03-10

• fix dependency

... (truncated)

Commits

• a92a665 pass read only matcher in call back
• a21c441 update package detail
• 239b64a check for min value for entity exapantion options
• 61cb666 restrict more properties to be unsafe
• 41abd66 performance improvement of reading DOCTYPE
• 3dfcd20 refactor: performance improvement
• 870043e update release info
• 6df401e update builder dependency
• bd26122 check for entitiy expansion for lastEntities and html entities too
• 7e70dd8 fix incorrect regex to replace . in entity name
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release ...

Description has been truncated