Bump the npm_and_yarn group across 11 directories with 11 updates by dependabot[bot] · Pull Request #1 · OwenGrumbles/vscode

dependabot · 2026-02-14T12:23:47Z

Bumps the npm_and_yarn group with 4 updates in the /build directory: jws, @isaacs/brace-expansion, lodash and qs.
Bumps the npm_and_yarn group with 3 updates in the /test/mcp directory: qs, @modelcontextprotocol/sdk and @playwright/mcp.
Bumps the npm_and_yarn group with 1 update in the /test/monaco directory: lodash.
Bumps the npm_and_yarn group with 1 update in the /remote directory: undici.
Bumps the npm_and_yarn group with 4 updates in the / directory: braces, lodash, undici and webpack.
Bumps the npm_and_yarn group with 1 update in the /extensions/vscode-api-tests directory: node-forge.
Bumps the npm_and_yarn group with 1 update in the /extensions/microsoft-authentication directory: jws.
Bumps the npm_and_yarn group with 1 update in the /extensions/json-language-features directory: @isaacs/brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /extensions/html-language-features directory: @isaacs/brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /extensions/css-language-features directory: @isaacs/brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /build/npm/gyp directory: tar.

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

Code reorganization, thanks @fearphage! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)

Commits

4f6e73f Merge commit from fork
bd0fea5 version 3.2.3
7c3b4b4 Enhance tests for HMAC streaming sign and verify
a9b8ed9 Improve secretOrKey initialization in VerifyStream
6707fde Improve secret handling in SignStream
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates jws from 4.0.0 to 4.0.1

Release notes

Sourced from jws's releases.

v3.2.3

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

Code reorganization, thanks @fearphage! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)

Commits

4f6e73f Merge commit from fork
bd0fea5 version 3.2.3
7c3b4b4 Enhance tests for HMAC streaming sign and verify
a9b8ed9 Improve secretOrKey initialization in VerifyStream
6707fde Improve secret handling in SignStream
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

bdcf0c7 v6.14.2
294db90 [readme] document that addQueryPrefix does not add ? to empty output
5c308e5 [readme] clarify parseArrays and arrayLimit documentation
6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
1b9a8b4 [actions] fix rebase workflow permissions
2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

bdcf0c7 v6.14.2
294db90 [readme] document that addQueryPrefix does not add ? to empty output
5c308e5 [readme] clarify parseArrays and arrayLimit documentation
6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
1b9a8b4 [actions] fix rebase workflow permissions
2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
Additional commits viewable in compare view

Updates @modelcontextprotocol/sdk from 1.24.0 to 1.26.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

chore: bump v1.25.3 for backport fixes by @pcarleton in modelcontextprotocol/typescript-sdk#1412

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in modelcontextprotocol/typescript-sdk#1382

Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in modelcontextprotocol/typescript-sdk#1442

chore: bump version to 1.26.0 by @pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

@samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382

@NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

[v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in modelcontextprotocol/typescript-sdk#1407

fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

ci: trigger workflow on v1.x branch by @felixweinberger in modelcontextprotocol/typescript-sdk#1319

fix: README badges links destinations by @antonpk1 in modelcontextprotocol/typescript-sdk#907

fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in modelcontextprotocol/typescript-sdk#1365

New Contributors

@antonpk1 made their first contribution in modelcontextprotocol/typescript-sdk#907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

spec types - backwards compatibility changes by @KKonstantinov in modelcontextprotocol/typescript-sdk#1306

chore: bump version for patch fix by @felixweinberger in modelcontextprotocol/typescript-sdk#1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

list changed handlers on client constructor by @mattzcarey in modelcontextprotocol/typescript-sdk#1206

Role - moved from inline to reusable type by @KKonstantinov in modelcontextprotocol/typescript-sdk#1221

fix: use versioned npm tag for non-main branch releases by @pcarleton in modelcontextprotocol/typescript-sdk#1236

No automatic completion support unless needed - Revisited yet again by @cliffhall in modelcontextprotocol/typescript-sdk#1237

fix: Support updating output schema by @vincent0426 in modelcontextprotocol/typescript-sdk#1048

... (truncated)

Commits

fe9c07b chore: bump version to 1.26.0 (#1479)
4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
a05be17 Merge commit from fork
50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
6aba065 chore: bump v1.25.3 for backport fixes (#1412)
6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
a0c9b13 fix: README badges links destinations (#907)
Additional commits viewable in compare view

Updates @playwright/mcp from 0.0.37 to 0.0.40

Release notes

Sourced from @playwright/mcp's releases.

v0.0.40

Features
microsoft/playwright@c813e9cf5 feat(mcp): allow saving videos for sessions microsoft/playwright#37531
# video is saved from the creation of the page to the closure of the context (browser_close call).
npx @playwright/mcp --save-video=800x600
microsoft/playwright@fff065816 feat(mcp): add --init-script option microsoft/playwright#37507
# the code in web-mocks.js will run on page initialization
npx @playwright/mcp --init-script=./web-mocks.js
microsoft/playwright@1313fbd47 chore(mcp): introduce allowed-hosts microsoft/playwright#37541
# Runs MCP server only accessible on 192.168.1.10, defense from DNS rebind
npx @playwright/mcp --allowed-hosts=192.168.1.10:8080 --port=8080
Bugfixes

microsoft/playwright@da333232e fix(mcp): snapshot for ai fixes microsoft/playwright#37527

microsoft/playwright@499d084a5 fix(session): an extra check for session log microsoft/playwright#37508

microsoft/playwright@2f820cb20 fix(mcp): lax file path sanitization microsoft/playwright#37502

v0.0.39

microsoft/playwright@afb59a0ec fix(mcp): tolerate malformed roots microsoft/playwright#37492 microsoft/playwright@0574514a0 feat(mcp): support shared browser context microsoft/playwright#37463

v0.0.38

microsoft/playwright@29fb93479 fix(mcp): use single output dir microsoft/playwright#37436 microsoft/playwright@f07c8c0ac chore(mcp): --grant-permissions cli option microsoft/playwright#37431 microsoft/playwright@eb39131eb fix(mcp): --allowed/blocked-origins accept origins not hosts microsoft/playwright#37408 microsoft/playwright@b3d666428 chore: fetch roots lazily microsoft/playwright#37399 microsoft/playwright@4968bc611 chore(mcp): allow to pass extension token via env variable microsoft/playwright#37371

Commits

a86b580 chore: mark v0.0.40 (#1079)
927e570 chore: roll Playwright to latest (#1078)
24e68fa devops: do not use npm token (#1076)
e503227 devops: merge canary publishing workflow into publish.yml (#1075)
711089d chore: add auth token example (#1070)
4a7be8d devops: migrate to OIDC NPM publishing (#1068)
1523338 feat(config): add sharedBrowserContext option to reuse browser context across...
08bd91d chore: mark v0.0.39 (#1059)
ef83729 chore: roll Playwright to latest (#1060)
a70854c chore: roll Playwright to latest (#1056)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @playwright/mcp since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates undici from 7.9.0 to 7.22.0

Release notes

Sourced from undici's releases.

v7.22.0

What's Changed

docs: fix syntax highlighting in WebSocket.md by @styfle in nodejs/undici#4814

fix: use OR operator in includesCredentials per WHATWG URL Standard by @jackhax in nodejs/undici#4816

feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @SuperOleg39 in nodejs/undici#4676

fix: route WebSocket upgrades through onRequestUpgrade by @mcollina in nodejs/undici#4787

build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @dependabot[bot] in nodejs/undici#4821

fix(deduplicate): do not deduplicate non-safe methods by default by @mcollina in nodejs/undici#4818

feat: Support async cache stores in revalidation by @marcopiraccini in nodejs/undici#4826

New Contributors

@jackhax made their first contribution in nodejs/undici#4816

@marcopiraccini made their first contribution in nodejs/undici#4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

What's Changed

build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @dependabot[bot] in nodejs/undici#4796

test: restore global dispatcher after fetch tests by @mcollina in nodejs/undici#4790

Add missing close method to WebSocketStream interface by @piotr-cz in nodejs/undici#4802

fix: error stream instead of canceling by @KhafraDev in nodejs/undici#4804

Fix clientTtl cleanup race in Agent by @mcollina in nodejs/undici#4807

feat(#4230): Implement pingInterval for dispatching PING frames by @metcoder95 in nodejs/undici#4296

fix: handle undefined __filename in bundled environments by @mcollina in nodejs/undici#4812

fix: set finalizer only for fetch responses by @tsctx in nodejs/undici#4803

New Contributors

@piotr-cz made their first contribution in nodejs/undici#4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

What's Changed

fix: preserve fetch stack traces by @mcollina in nodejs/undici#4778

Fix error handling in MockPool example by @dave-kennedy in nodejs/undici#4781

feat: expose statusText in request() ResponseData by @domenic in nodejs/undici#4784

test: reduce retry-after invalid date flake by @mcollina in nodejs/undici#4788

extractBody fixes by @KhafraDev in nodejs/undici#4791

fix: MockAgent delayed response with AbortSignal (#4693) by @mcollina in nodejs/undici#4772

fix: onParserTimeout potentially accessing undefined by @vbfox in nodejs/undici#4758

New Contributors

@dave-kennedy made their first contribution in nodejs/undici#4781

@vbfox made their first contribution in nodejs/undici#4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

What's Changed

... (truncated)

Commits

0a23610 Bumped v7.22.0 (#4829)
f3c5c61 feat: Support async cache stores in revalidation (#4826)
9b78a44 fix(deduplicate): avoid deduping methods not in methods option (#4818)
0ce57ba build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 (#4821)
2453caf fix: route websocket upgrades through new handler API (#4787)
4658cdf feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk (#4676)
a821c56 fix: use OR operator in includesCredentials per WHATWG URL Standard (#4816)
b3326b5 docs: fix syntax highlighting in WebSocket.md (#4814)
393c0da Bumped v7.21.0 (#4813)
47f9b96 fix: set finalizer only for fetch responses (#4803)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Updates braces from 2.3.2 to 3.0.3

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

The undocumented .makeRe method was removed

Require Node.js >= 8.3

Non-breaking changes

Caching was removed

Commits

See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates undici from 7.9.0 to 7.22.0

Release notes

Sourced from undici's releases.

v7.22.0

What's Changed

docs: fix syntax highlighting in WebSocket.md by @styfle in nodejs/undici#4814

fix: use OR operator in includesCredentials per WHATWG URL Standard by @jackhax in nodejs/undici#4816

feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @SuperOleg39 in nodejs/undici#4676

fix: route WebSocket upgrades through onRequestUpgrade by @mcollina in nodejs/undici#4787

build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @dependabot[bot] in nodejs/undici#4821

fix(deduplicate): do not deduplicate non-safe methods by default by @mcollina in nodejs/undici#4818

feat: Support async cache stores in revalidation by @marcopiraccini in nodejs/undici#4826

New Contributors

@jackhax made their first contribution in nodejs/undici#4816

@marcopiraccini made their first contribution in nodejs/undici#4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

What's Changed

build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @dependabot[bot] in nodejs/undici#4796

test: restore global dispatcher after fetch tests by @mcollina in nodejs/undici#4790

Add missing close method to WebSocketStream interface by @piotr-cz in nodejs/undici#4802

fix: error stream instead of canceling by @KhafraDev in nodejs/undici#4804

Fix clientTtl cleanup race in Agent by @mcollina in nodejs/undici#4807

feat(#4230): Implement pingInterval for dispatching PING frames by @metcoder95 in nodejs/undici#4296

fix: handle undefined __filename in bundled environments by @mcollina in nodejs/undici#4812

fix: set finalizer only for fetch responses by @tsctx in nodejs/undici#4803

New Contributors

@piotr-cz made their first contribution in nodejs/undici#4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

What's Changed

fix: preserve fetch stack traces by @mcollina in nodejs/undici#4778

Fix error handling in MockPool example by @dave-kennedy in nodejs/undici#4781

feat: expose statusText in request() ResponseData by @domenic in nodejs/undici#4784

test: reduce retry-after invalid date flake by @mcollina in nodejs/undici#4788

extractBody fixes by @KhafraDev in nodejs/undici#4791

fix: MockAgent delayed response with AbortSignal (#4693) by @mcollina in nodejs/undici#4772

fix: onParserTimeout potentially accessing undefined by @vbfox in nodejs/undici#4758

New Contributors

@dave-kennedy made their first contribution in nodejs/undici#4781

@vbfox made their first contribution in nodejs/undici#4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

What's Changed

... (truncated)

Commits

0a23610 Bumped v7.22.0 (#4829)
f3c5c61 feat: Support async cache stores in revalidation (#4826)
9b78a44 fix(deduplicate): avoid deduping methods not in methods option (#4818)
0ce57ba build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 (#4821)
2453caf fix: route websocket upgrades through new handler API (#4787)
4658cdf feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk (#4676)
a821c56 fix: use OR operator in includesCredentials per WHATWG URL Standard (#4816)
b3326b5 docs: fix syntax highlighting in WebSocket.md (#4814)

Bumps the npm_and_yarn group with 4 updates in the /build directory: [jws](https://github.com/brianloveswords/node-jws), @isaacs/brace-expansion, [lodash](https://github.com/lodash/lodash) and [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 3 updates in the /test/mcp directory: [qs](https://github.com/ljharb/qs), [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) and [@playwright/mcp](https://github.com/microsoft/playwright-mcp). Bumps the npm_and_yarn group with 1 update in the /test/monaco directory: [lodash](https://github.com/lodash/lodash). Bumps the npm_and_yarn group with 1 update in the /remote directory: [undici](https://github.com/nodejs/undici). Bumps the npm_and_yarn group with 4 updates in the / directory: [braces](https://github.com/micromatch/braces), [lodash](https://github.com/lodash/lodash), [undici](https://github.com/nodejs/undici) and [webpack](https://github.com/webpack/webpack). Bumps the npm_and_yarn group with 1 update in the /extensions/vscode-api-tests directory: [node-forge](https://github.com/digitalbazaar/forge). Bumps the npm_and_yarn group with 1 update in the /extensions/microsoft-authentication directory: [jws](https://github.com/brianloveswords/node-jws). Bumps the npm_and_yarn group with 1 update in the /extensions/json-language-features directory: @isaacs/brace-expansion. Bumps the npm_and_yarn group with 1 update in the /extensions/html-language-features directory: @isaacs/brace-expansion. Bumps the npm_and_yarn group with 1 update in the /extensions/css-language-features directory: @isaacs/brace-expansion. Bumps the npm_and_yarn group with 1 update in the /build/npm/gyp directory: [tar](https://github.com/isaacs/node-tar). Updates `jws` from 3.2.2 to 3.2.3 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v3.2.2...v3.2.3) Updates `jws` from 4.0.0 to 4.0.1 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v3.2.2...v3.2.3) Updates `@isaacs/brace-expansion` from 5.0.0 to 5.0.1 Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `qs` from 6.14.0 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.14.2) Updates `qs` from 6.14.0 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.14.2) Updates `@modelcontextprotocol/sdk` from 1.24.0 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.24.0...v1.26.0) Updates `@playwright/mcp` from 0.0.37 to 0.0.40 - [Release notes](https://github.com/microsoft/playwright-mcp/releases) - [Commits](microsoft/playwright-mcp@v0.0.37...v0.0.40) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `undici` from 7.9.0 to 7.22.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.9.0...v7.22.0) Updates `braces` from 2.3.2 to 3.0.3 - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/braces/commits/3.0.3) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `undici` from 7.9.0 to 7.22.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.9.0...v7.22.0) Updates `webpack` from 5.100.0 to 5.105.2 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.100.0...v5.105.2) Updates `node-forge` from 1.3.1 to 1.3.2 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.3.2) Updates `jws` from 3.2.2 to 3.2.3 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v3.2.2...v3.2.3) Updates `@isaacs/brace-expansion` from 5.0.0 to 5.0.1 Updates `@isaacs/brace-expansion` from 5.0.0 to 5.0.1 Updates `@isaacs/brace-expansion` from 5.0.0 to 5.0.1 Updates `tar` from 7.4.3 to 7.5.7 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.4.3...v7.5.7) --- updated-dependencies: - dependency-name: jws dependency-version: 3.2.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: jws dependency-version: 4.0.1 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@isaacs/brace-expansion" dependency-version: 5.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@playwright/mcp" dependency-version: 0.0.40 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.22.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: braces dependency-version: 3.0.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.22.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.105.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.3.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: jws dependency-version: 3.2.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@isaacs/brace-expansion" dependency-version: 5.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@isaacs/brace-expansion" dependency-version: 5.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@isaacs/brace-expansion" dependency-version: 5.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.7 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-02-19T17:07:42Z

Superseded by #2.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 14, 2026

dependabot bot closed this Feb 19, 2026

dependabot bot deleted the dependabot/npm_and_yarn/build/npm_and_yarn-f0c17652bc branch February 19, 2026 17:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 11 directories with 11 updates#1

Bump the npm_and_yarn group across 11 directories with 11 updates#1
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/build/npm_and_yarn-f0c17652bc

dependabot bot commented on behalf of github Feb 14, 2026

Uh oh!

dependabot bot commented on behalf of github Feb 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Feb 14, 2026

v3.2.3

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

v3.2.3

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

6.14.2

6.14.1

6.14.2

6.14.1

v1.26.0

What's Changed

New Contributors

v1.25.3

What's Changed

v1.25.2

What's Changed

New Contributors

1.25.1

What's Changed

1.25.0

What's Changed

v0.0.40

Features

Bugfixes

v0.0.39

v0.0.38

v7.22.0

What's Changed

New Contributors

v7.21.0

What's Changed

New Contributors

v7.20.0

What's Changed

New Contributors

v7.19.2

What's Changed

Release history

[3.0.0] - 2018-04-08

v7.22.0

What's Changed

New Contributors

v7.21.0

What's Changed

New Contributors

v7.20.0

What's Changed

New Contributors

v7.19.2

What's Changed

Uh oh!

dependabot bot commented on behalf of github Feb 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants