Bump the npm_and_yarn group across 2 directories with 14 updates by dependabot[bot] · Pull Request #20 · ithxforyou/billing

dependabot · 2026-02-20T13:38:44Z

Bumps the npm_and_yarn group with 4 updates in the / directory: axios, webpack, brace-expansion and js-yaml.
Bumps the npm_and_yarn group with 3 updates in the /src directory: brace-expansion, body-parser and express.

Updates axios from 1.8.2 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

Fix/5657. (PR #7313)

Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

Add input validation to isAbsoluteURL. (PR #7326)

Refactor: bump minor package versions. (PR #7356)

Documentation

Clarify object-check comment. (PR #7323)

Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

Chore: fix issues with YAML. (PR #7355)

CI: update workflow YAMLs. (PR #7372)

CI: fix run condition. (PR #7373)

Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)

Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

@sachin11063 (first contribution — PR #7323)

@asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

fix: issues with version 1.13.3 (#7352) (ee90dfc)

Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)

interceptor: handle the error in the same interceptor (#6269) (5945e40)

main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)

package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)

silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)

turn AxiosError into a native error (#5394) (#5558) (1c6a86d)

types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)

types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)

unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

add undefined as a value in AxiosRequestConfig (#5560) (095033c)

add automatic minor and patch upgrades to dependabot (#6053) (65a7584)

add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)

added copilot instructions (3f83143)

compatibility with frozen prototypes (#6265) (860e033)

enhance pipeFileToResponse with error handling (#7169) (88d7884)

types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298

deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

Ashvin Tiwari

Nikunj Mochi

Anchal Singh

jasonsaayman

Julian Dax

Akash Dhar Dubey

Madhumita

Tackoil

Justin Dhillon

Rudransh

WuMingDao

codenomnom

Nandan Acharya

Eric Dubé

Tibor Pilz

Gabriel Quaresma

Turadg Aleahmad

... (truncated)

Commits

29f7542 chore(release): prepare release 1.13.5 (#7379)
431c3a3 ci: fix run condition (#7373)
9ff3a78 ci: update ymls (#7372)
265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
475e75a feat: add input validation to isAbsoluteURL (#7326)
28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
04cf019 docs: clarify object check comment (#7323)
696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
569f028 fix: added a option to choose between legacy and the new request/response int...
44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates webpack from 5.94.0 to 5.105.2

Release notes

Sourced from webpack's releases.

v5.105.2

Patch Changes

Fixed WebpackPluginInstance type regression. (by @alexander-akait in #20440)

v5.105.1

Patch Changes

Fix VirtualUrlPlugin Windows compatibility by sanitizing cache keys and filenames. Cache keys now use toSafePath to replace colons (:) with double underscores (__) and sanitize other invalid characters, ensuring compatibility with Windows filesystem restrictions. (by @xiaoxiaojx in #20424)

Revert part of the createRequire generation behavior for require("node:...") to keep compatibility with those modules exports, e.g. const EventEmitter = require("node:events");. (by @hai-x in #20433)

Skip guard collection when exports-presence mode is disabled to improve parsing performance. (by @hai-x in #20433)

v5.105.0

Minor Changes

Allow resolving worker module by export condition name when using new Worker() (by @hai-x in #20353)

Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @hai-x in #20320)

Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @alexander-akait in #20400)

Support import.defer() for context modules. (by @ahabhgk in #20399)

Added support for array values to the devtool option. (by @hai-x in #20191)

Improve rendering node built-in modules for ECMA module output. (by @hai-x in #20255)

Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @xiaoxiaojx in #20312)

Patch Changes

Fixed ESM default export handling for .mjs files in Module Federation (by @y-okt in #20189)

Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @xiaoxiaojx in #20313)

Respect the stats.errorStack option in stats output. (by @samarthsinh2660 in #20258)

Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @xiaoxiaojx in #20265)

Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @xiaoxiaojx in #20390)

Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @xiaoxiaojx in #20381)

Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @xiaoxiaojx in #20345)

Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @samarthsinh2660 in #20251)

Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @hai-x in #20346)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.2

Patch Changes

Fixed WebpackPluginInstance type regression. (by @alexander-akait in #20440)

5.105.1

Patch Changes

Fix VirtualUrlPlugin Windows compatibility by sanitizing cache keys and filenames. Cache keys now use toSafePath to replace colons (:) with double underscores (__) and sanitize other invalid characters, ensuring compatibility with Windows filesystem restrictions. (by @xiaoxiaojx in #20424)

Revert part of the createRequire generation behavior for require("node:...") to keep compatibility with those modules exports, e.g. const EventEmitter = require("node:events");. (by @hai-x in #20433)

Skip guard collection when exports-presence mode is disabled to improve parsing performance. (by @hai-x in #20433)

5.105.0

Minor Changes

Allow resolving worker module by export condition name when using new Worker() (by @hai-x in #20353)

Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @hai-x in #20320)

Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @alexander-akait in #20400)

Support import.defer() for context modules. (by @ahabhgk in #20399)

Added support for array values to the devtool option. (by @hai-x in #20191)

Improve rendering node built-in modules for ECMA module output. (by @hai-x in #20255)

Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @xiaoxiaojx in #20312)

Patch Changes

Fixed ESM default export handling for .mjs files in Module Federation (by @y-okt in #20189)

Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @xiaoxiaojx in #20313)

Respect the stats.errorStack option in stats output. (by @samarthsinh2660 in #20258)

Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @xiaoxiaojx in #20265)

Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @xiaoxiaojx in #20390)

Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @xiaoxiaojx in #20381)

Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @xiaoxiaojx in #20345)

... (truncated)

Commits

0756c7e chore(release): new release (#20441)
ff28476 chore(deps): bump CodSpeedHQ/action in the dependencies group (#20442)
4d3ed66 ci: discord using curl
004550a ci: discord fix
44bf97b ci: emulate release for discord using other approach
9c71a09 ci: emulate release for discord
02d3bc9 ci: allow to run release announcement
6c62c28 ci: fix discord
900219d fix: type regression (#20440)
8e50ef2 chore(release): new release (#20429)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v2.0.2

pkg: publish on tag 2.x 14f1d91

fmt ed7780a

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

a3efcee 2.0.2
14f1d91 pkg: publish on tag 2.x
ed7780a fmt
36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v2.0.2

pkg: publish on tag 2.x 14f1d91

fmt ed7780a

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

a3efcee 2.0.2
14f1d91 pkg: publish on tag 2.x
ed7780a fmt
36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates form-data from 4.0.0 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

[meta] add auto-changelog 811f682

[Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76

[Fix] Switch to using crypto random for boundary values 3d17230

[Tests] fix linting errors 5e34080

[meta] actually ensure the readme backup isn’t published 316c82b

[Dev Deps] update @ljharb/eslint-config 58c25d7

[meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

[Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

[eslint] use a shared config 426ba9a

[eslint] fix some spacing issues 2094191

[Refactor] use hasown 81ab41b

[Fix] validate boundary type in setBoundary() method 8d8e469

[Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1

[Dev Deps] remove unused deps 870e4e6

[meta] remove local commit hooks e6e83cc

[Dev Deps] update eslint 4066fd6

[meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

[Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

[Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

[Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

[Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076

[Dev Deps] update @ljharb/eslint-config, eslint 5822467

[Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

[meta] add auto-changelog 811f682

[Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76

[Fix] Switch to using crypto random for boundary values 3d17230

[Tests] fix linting errors 5e34080

[meta] actually ensure the readme backup isn’t published 316c82b

[Dev Deps] update @ljharb/eslint-config 58c25d7

[meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

[Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

[eslint] use a shared config 426ba9a

[eslint] fix some spacing issues 2094191

[Refactor] use hasown 81ab41b

[Fix] validate boundary type in setBoundary() method 8d8e469

[Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1

[Dev Deps] remove unused deps 870e4e6

[meta] remove local commit hooks e6e83cc

[Dev Deps] update eslint 4066fd6

[meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

[Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

... (truncated)

Commits

68ff7dd v4.0.5
5822467 [Dev Deps] update @ljharb/eslint-config, eslint
76d0dee [Fix] set Symbol.toStringTag in the proper place
16e0076 [Tests] Switch to newer v8 prediction library; enable node 24 testing
41996f5 v4.0.4
316c82b [meta] actually ensure the readme backup isn’t published
2300ca1 [meta] fix readme capitalization
811f682 [meta] add auto-changelog
5e34080 [Tests] fix linting errors
1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

Types are now exported as yaml.types.XXX.

Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

Check migration guide to see details for all breaking changes.

Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.

Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.

yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.

yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.

!!binary now always mapped to Uint8Array on load.

Reduced nesting of /lib folder.

Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).

dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.

Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.

Code snippet created in exceptions now contains multiple lines with line numbers.

dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.

dump() with skipInvalid=true now serializes invalid items in collections as null.

Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.

Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

Added .mjs (es modules) support.

Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.

Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

9963d36 3.14.2 released
10d3c8e dist rebuild
5278870 fix prototype pollution in merge (<<) (#731)
See full diff in compare view

Updates serialize-javascript from 6.0.0 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

fix: serialize URL string contents to prevent XSS (#173) f27d65d

Bump @babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0

docs: update readme with URL support (#146) 0d88527

chore: update node version and lock file e2a3a91

fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

v6.0.1

What's Changed

Bump mocha from 9.0.1 to 9.0.2 by @dependabot in yahoo/serialize-javascript#126

Bump mocha from 9.0.2 to 9.0.3 by @dependabot in yahoo/serialize-javascript#127

Bump path-parse from 1.0.6 to 1.0.7 by @dependabot in yahoo/serialize-javascript#129

Bump mocha from 9.0.3 to 9.1.0 by @dependabot in yahoo/serialize-javascript#130

Bump mocha from 9.1.0 to 9.1.1 by @dependabot in yahoo/serialize-javascript#131

Bump mocha from 9.1.1 to 9.1.2 by @dependabot in yahoo/serialize-javascript#132

Bump mocha from 9.1.2 to 9.1.3 by @dependabot in yahoo/serialize-javascript#133

Bump mocha from 9.1.3 to 9.1.4 by @dependabot in yahoo/serialize-javascript#137

Bump mocha from 9.1.4 to 9.2.0 by @dependabot in yahoo/serialize-javascript#138

Bump chai from 4.3.4 to 4.3.6 by @dependabot in yahoo/serialize-javascript#140

Bump ansi-regex from 5.0.0 to 5.0.1 by @dependabot in yahoo/serialize-javascript#141

Bump mocha from 9.2.0 to 9.2.2 by @dependabot in yahoo/serialize-javascript#143

Bump minimist from 1.2.5 to 1.2.6 by @dependabot in yahoo/serialize-javascript#144

Bump mocha from 9.2.2 to 10.0.0 by @dependabot in yahoo/serialize-javascript#145

Bump mocha from 10.0.0 to 10.1.0 by @dependabot in yahoo/serialize-javascript#149

Bump chai from 4.3.6 to 4.3.7 by @dependabot in yahoo/serialize-javascript#150

ci: test.yml - actions bump by @piwysocki in yahoo/serialize-javascript#151

Bump minimatch from 3.0.4 to 3.1.2 by @dependabot in yahoo/serialize-javascript#152

Bump mocha from 10.1.0 to 10.2.0 by @dependabot in yahoo/serialize-javascript#153

Bump json5 from 2.1.3 to 2.2.3 by @dependabot in yahoo/serialize-javascript#155

Fix serialization issue for 0n. by @momocow in yahoo/serialize-javascript#156

Release v6.0.1 by @okuryu in yahoo/serialize-javascript#157

New Contributors

@piwysocki made their first contribution in yahoo/serialize-javascript#151

@momocow made their first contribution in yahoo/serialize-javascript#156

Full Changelog: yahoo/serialize-javascript@v6.0.0...v6.0.1

Commits

b71ec23 6.0.2
f27d65d fix: serialize URL string contents to prevent XSS (#173)
02499c0 Bump @babel/traverse from 7.10.1 to 7.23.7 (#171)
0d88527 docs: update readme with URL support (#146)
e2a3a91 chore: update node version and lock file
5a1fa64 fix typo (#164)
7139f92 Release v6.0.1 (#157)
7e23ae8 Fix serialization issue for 0n. (#156)
343abd9 Bump json5 from 2.1.3 to 2.2.3 (#155)
38d0e70 Bump mocha from 10.1.0 to 10.2.0 (#153)
Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v2.0.2

pkg: publish on tag 2.x 14f1d91

fmt ed7780a

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

a3efcee 2.0.2
14f1d91 pkg: publish on tag 2.x
ed7780a fmt
36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates micromatch from 4.0.7 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

Commits

8bd704e 4.0.8
a0e6841 run verb to generate README documentation
4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8

Bumps the npm_and_yarn group with 4 updates in the / directory: [axios](https://github.com/axios/axios), [webpack](https://github.com/webpack/webpack), [brace-expansion](https://github.com/juliangruber/brace-expansion) and [js-yaml](https://github.com/nodeca/js-yaml). Bumps the npm_and_yarn group with 3 updates in the /src directory: [brace-expansion](https://github.com/juliangruber/brace-expansion), [body-parser](https://github.com/expressjs/body-parser) and [express](https://github.com/expressjs/express). Updates `axios` from 1.8.2 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.8.2...v1.13.5) Updates `webpack` from 5.94.0 to 5.105.2 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.94.0...v5.105.2) Updates `brace-expansion` from 2.0.1 to 2.0.2 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.2) Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.2) Updates `form-data` from 4.0.0 to 4.0.5 - [Release notes](https://github.com/form-data/form-data/releases) - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v4.0.0...v4.0.5) Updates `js-yaml` from 3.14.1 to 3.14.2 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@3.14.1...3.14.2) Updates `serialize-javascript` from 6.0.0 to 6.0.2 - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](yahoo/serialize-javascript@v6.0.0...v6.0.2) Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.2) Updates `micromatch` from 4.0.7 to 4.0.8 - [Release notes](https://github.com/micromatch/micromatch/releases) - [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md) - [Commits](micromatch/micromatch@4.0.7...4.0.8) Updates `body-parser` from 1.20.2 to 1.20.3 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.2...1.20.3) Updates `express` from 4.19.2 to 4.22.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md) - [Commits](expressjs/express@4.19.2...4.22.0) Updates `cookie` from 0.4.2 to 0.7.2 - [Release notes](https://github.com/jshttp/cookie/releases) - [Commits](jshttp/cookie@v0.4.2...v0.7.2) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `qs` from 6.11.0 to 6.13.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.11.0...v6.13.0) Updates `send` from 0.16.2 to 0.19.2 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.16.2...0.19.2) Updates `serve-static` from 1.13.2 to 1.16.3 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.13.2...v1.16.3) --- updated-dependencies: - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.105.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 2.0.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: form-data dependency-version: 4.0.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 3.14.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serialize-javascript dependency-version: 6.0.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: micromatch dependency-version: 4.0.8 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 1.20.3 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: express dependency-version: 4.22.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: cookie dependency-version: 0.7.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.13.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 20, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 2 directories with 14 updates#20

Bump the npm_and_yarn group across 2 directories with 14 updates#20
dependabot[bot] wants to merge 1 commit intoQfrom
dependabot/npm_and_yarn/npm_and_yarn-f2b69115c4

dependabot bot commented on behalf of github Feb 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Feb 20, 2026

v1.13.5

Release 1.13.5

Highlights

Changes

Security

Fixes

Features / Improvements

Documentation

CI / Maintenance

New Contributors

v1.13.4

Overview

What's New in v1.13.4

Bug Fixes

Changelog

1.13.3 (2026-01-20)

Bug Fixes

Features

Reverts

Contributors to this release

v5.105.2

Patch Changes

v5.105.1

Patch Changes

v5.105.0

Minor Changes

Patch Changes

5.105.2

Patch Changes

5.105.1

Patch Changes

5.105.0

Minor Changes

Patch Changes

v2.0.2

v2.0.2

v4.0.4

v4.0.4 - 2025-07-16

Commits

v4.0.3

v4.0.3 - 2025-06-05

Fixed

Commits

v4.0.2

v4.0.2 - 2025-02-14

Merged

Fixed

Commits

v4.0.5 - 2025-11-17

Commits

v4.0.4 - 2025-07-16

Commits

v4.0.3 - 2025-06-05

Fixed

Commits

v4.0.2 - 2025-02-14

Merged

Fixed

[3.14.2] - 2025-11-15

Security

[4.1.1] - 2025-11-12

Security

[4.1.0] - 2021-04-15

Added

Changed

[4.0.0] - 2021-01-03

Changed

Added

v6.0.2

v6.0.1

What's Changed

New Contributors

v2.0.2

4.0.8

[4.0.8] - 2024-08-22

Uh oh!

Reviewers

Assignees