Skip to content

Bump the npm_and_yarn group across 1 directory with 6 updates#21

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-c903a71cde
Open

Bump the npm_and_yarn group across 1 directory with 6 updates#21
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm_and_yarn-c903a71cde

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
next 16.2.1 16.2.6
postcss 8.5.8 8.5.10
brace-expansion 5.0.5 5.0.6
fast-uri 3.1.0 3.1.2
fast-xml-builder 1.1.4 1.2.0
fast-xml-parser 5.5.9 5.8.0

Updates next from 16.2.1 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes

  • fix: preserve HTTP access fallbacks during prerender recovery (#92231)
  • Fix fallback route params case in app-page handler (#91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
  • Patch setHeader for direct route handlers (#93101)
  • Include deployment id in cacheHandlers keys (#93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

... (truncated)

Commits
  • ee6e79b v16.2.6
  • afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
  • 97a154e Turbopack: Fix middleware matcher suffix (#93590)
  • 83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
  • 7b222b9 [backport][test] Pin package manager to patch versions (#93595)
  • a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
  • 766148f v16.2.5
  • 0dd9483 fix: add explicit checks for RSC header (#83) (#98)
  • d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
  • 9d50c0b Strip next-resume header from incoming requests (#92)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.


Updates postcss from 8.5.8 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Changelog

Sourced from postcss's changelog.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.
Commits

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Updates fast-xml-builder from 1.1.4 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

  • Add support for sanitizeName option
  • Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

  • fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

  • fix: skip text property for PI tags
  • improve typings

1.1.7 (2026--05-04)

  • fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

  • fix security issues related to comment
  • skip comment with null value

1.1.5 (2026-04-17)

  • fix security issues related to comment and cdata

1.1.4 (2026-03-16)

  • support maxNestedTags option

1.1.3 (2026-03-13)

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

  • fix typings

1.1.1 (2026-03-11)

  • upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

Commits

Updates fast-xml-parser from 5.5.9 to 5.8.0

Release notes

Sourced from fast-xml-parser's releases.

update strnum, FXB. Use xml-naming for DOCTYPE

  • integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
    • This will consider xml-version as well. '1.0' is default
  • update strnum to 2.3.0
    • You can set octal and binary parsing which is by deault off
  • update fast-xml-builder to 1.2.0
    • can sanitize tag names if found invalid
    • fix format output

fix minor old bugs and update builder

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to use entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

  • No API change
  • No change in performance for basic usage
  • No typing change
  • No config change
  • new dependency
  • breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

  • increase default entity explansion limit as many projects demand for that
</tr></table> 

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0 / 2026-05-12

  • integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
    • This will consider xml-version as well. '1.0' is default
  • update strnum to 2.3.0
    • You can set octal and binary parsing which is bydeault off
  • update fast-xml-builder to 1.2.0
    • can sanitize tag names if found invalid
    • fix format output

5.7.3 / 2006-05-05

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

5.7.2 / 2026-04-25

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

  • fix typo in CJS typing file

5.7.0 / 2026-04-17

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to user entity value to form another entity name.
      • you cant add numeric external entity
      • entity error message when expantion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

  • fix: entity replacement for numeric entities
  • use @​nodable/entities to replace entities
    • this may change some error messages related to entities expansion limit or inavlid use
    • post check would be exposed in future version

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [next](https://github.com/vercel/next.js) | `16.2.1` | `16.2.6` |
| [postcss](https://github.com/postcss/postcss) | `8.5.8` | `8.5.10` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `5.0.5` | `5.0.6` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` |
| [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.1.4` | `1.2.0` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `5.5.9` | `5.8.0` |



Updates `next` from 16.2.1 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.2.1...v16.2.6)

Updates `postcss` from 8.5.8 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.10)

Updates `brace-expansion` from 5.0.5 to 5.0.6
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `fast-xml-builder` from 1.1.4 to 1.2.0
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.2.0)

Updates `fast-xml-parser` from 5.5.9 to 5.8.0
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.5.9...v5.8.0)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 16.2.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-builder
  dependency-version: 1.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.8.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants