Skip to content

chore(deps): bump the npm_and_yarn group across 3 directories with 6 updates#54

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-04254814fb
Open

chore(deps): bump the npm_and_yarn group across 3 directories with 6 updates#54
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-04254814fb

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Mar 21, 2026
edited
Loading

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
file-type 21.3.0 21.3.2
hono 4.11.9 4.12.7
multer 2.0.2 2.1.1
mailparser 3.9.1 3.9.3
next 15.5.10 15.5.14
fast-xml-parser 5.3.5 5.5.7

Bumps the npm_and_yarn group with 1 update in the /desktop directory: fast-xml-parser.
Bumps the npm_and_yarn group with 1 update in the /website directory: next.

Updates file-type from 21.3.0 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

  • Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7
  • Fix bound recursive BOM and ID3 detection 370ed91

sindresorhus/file-type@v21.3.1...v21.3.2

v21.3.1

sindresorhus/file-type@v21.3.0...v21.3.1

Commits

Updates hono from 4.11.9 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

2.1.0

Commits
  • 368c8a1 2.1.1 (#1380)
  • 7e66481 🐛 fix recursion issue
  • 643571e ✅ add explicit test for client able to send body without abrupt disconnect
  • e86fa52 fix error/abort handling
  • ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
  • 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
  • bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
  • c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
  • fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
  • 17d7f51 chore: add node version to 25.x in CI
  • Additional commits viewable in compare view

Updates mailparser from 3.9.1 to 3.9.3

Changelog

Sourced from mailparser's changelog.

3.9.3 (2026-01-28)

Bug Fixes

  • escape URLs and link text in textToHtml to prevent XSS (921a67d), closes #412

3.9.2 (2026-01-28)

Bug Fixes

Commits
  • 05db224 chore(master): release 3.9.3 [skip-ci]
  • 921a67d fix: escape URLs and link text in textToHtml to prevent XSS
  • bb325f1 chore(master): release 3.9.2 [skip-ci]
  • 508bcf7 fix: Bumpe deps
  • 0e71fed docs: add maintenance mode notice to README
  • See full diff in compare view

Updates next from 15.5.10 to 15.5.14

Release notes

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
  • Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

  • fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

Commits
  • d7b012d v15.5.14
  • 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
  • f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
  • cfd5f53 v15.5.13
  • 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
  • d23f41c v15.5.12
  • 8e75765 fix unlock in publish-native
  • 6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
  • 7a94645 Apply needs for publishRelease
  • bbfd4e3 v15.5.11
  • Additional commits viewable in compare view

Updates fast-xml-parser from 5.3.5 to 5.5.7

Release notes

Sourced from fast-xml-parser's releases.

fix bugs of entity parsing and value parsing

fix: entity expansion limits update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

CJS typing fix

What's Changed

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.9 / 2026-03-23

  • combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

  • support maxEntityCount
  • support onDangerousProperty
  • support maxNestedTags
  • handle prototype pollution
  • fix incorrect entity name replacement
  • fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

  • pass read only matcher in callback

5.5.7 / 2026-03-19

  • fix: entity expansion limits
  • update strnum package to 2.2.0

5.5.6 / 2026-03-16

  • update builder dependency
  • fix incorrect regex to replace . in entity name
  • fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

  • sanitize dangerous tag or attribute name
  • error on critical property name
  • support onDangerousProperty option

5.5.4 / 2026-03-13

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

  • upgrade builder

5.5.2 / 2026-03-11

  • update dependency to fix typings

5.5.1 / 2026-03-10

  • fix dependency

... (truncated)

Commits
  • a21c441 update package detail
  • 239b64a check for min value for entity exapantion options
  • 61cb666 restrict more properties to be unsafe
  • 41abd66 performance improvement of reading DOCTYPE
  • 3dfcd20 refactor: performance improvement
  • 870043e update release info
  • 6df401e update builder dependency
  • bd26122 check for entitiy expansion for lastEntities and html entities too
  • 7e70dd8 fix incorrect regex to replace . in entity name
  • e54155f update package info
  • Additional commits viewable in compare view

Updates fast-xml-parser from 5.3.5 to 5.5.7

Release notes

Sourced from fast-xml-parser's releases.

fix bugs of entity parsing and value parsing

fix: entity expansion limits update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

CJS typing fix

What's Changed

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.9 / 2026-03-23

  • combine typing files

4.5.5 / 2026-03-22

apply fixes from v5 (legacy maintenance branch v4-maintenance)

  • support maxEntityCount
  • support onDangerousProperty
  • support maxNestedTags
  • handle prototype pollution
  • fix incorrect entity name replacement
  • fix incorrect condition for entity expansion

5.5.8 / 2026-03-20

  • pass read only matcher in callback

5.5.7 / 2026-03-19

  • fix: entity expansion limits
  • update strnum package to 2.2.0

5.5.6 / 2026-03-16

  • update builder dependency
  • fix incorrect regex to replace . in entity name
  • fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

  • sanitize dangerous tag or attribute name
  • error on critical property name
  • support onDangerousProperty option

5.5.4 / 2026-03-13

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

  • upgrade builder

5.5.2 / 2026-03-11

  • update dependency to fix typings

5.5.1 / 2026-03-10

  • fix dependency

... (truncated)

Commits
  • a21c441 update package detail
  • 239b64a check for min value for entity exapantion options
  • 61cb666 restrict more properties to be unsafe
  • 41abd66 performance improvement of reading DOCTYPE
  • 3dfcd20 refactor: performance improvement
  • 870043e update release info
  • 6df401e update builder dependency
  • bd26122 check for entitiy expansion for lastEntities and html entities too
  • 7e70dd8 fix incorrect regex to replace . in entity name
  • e54155f update package info
  • Additional commits viewable in compare view

Updates file-type from 21.3.0 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

  • Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7
  • Fix bound recursive BOM and ID3 detection 370ed91

sindresorhus/file-type@v21.3.1...v21.3.2

v21.3.1

sindresorhus/file-type@v21.3.0...v21.3.1

Commits

Updates hono from 4.11.9 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

Updates mailparser from 3.9.1 to 3.9.3

Changelog

Sourced from mailparser's changelog.

3.9.3 (2026-01-28)

Bug Fixes

  • escape URLs and link text in textToHtml to prevent XSS (921a67d), closes #412

3.9.2 (2026-01-28)

Bug Fixes

Commits
  • 05db224 chore(master): release 3.9.3 [skip-ci]
  • 921a67d fix: escape URLs and link text in textToHtml to prevent XSS
  • bb325f1 chore(master): release 3.9.2 [skip-ci]
  • 508bcf7 fix: Bumpe deps
  • 0e71fed docs: add maintenance mode notice to README
  • See full diff in compare view

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

What's Changed

New Contributors

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

2.1.0

Commits
  • 368c8a1 2.1.1 (#1380)
  • 7e66481 🐛 fix recursion issue
  • 643571e ✅ add explicit test for client able to send body without abrupt disconnect
  • e86fa52 fix error/abort handling
  • ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
  • 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
  • bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
  • c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
  • fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
  • 17d7f51 chore: add node version to 25.x in CI
  • Additional commits viewable in compare view

Updates next from 15.5.10 to 15.5.14

Release notes

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
  • Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending fea...

Description has been truncated

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 21, 2026
@vercel
Copy link
Copy Markdown

vercel Bot commented Mar 21, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
dashboard Ready Ready Preview, Comment Apr 2, 2026 2:13am
textrawl Ready Ready Preview, Comment Apr 2, 2026 2:13am

Request Review

@dependabot dependabot Bot mentioned this pull request Mar 21, 2026
Closed
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-04254814fb branch from 4037c6a to faf1da4 Compare March 26, 2026 18:43
@dependabot
chore(deps): bump the npm_and_yarn group across 3 directories with 6 …
8c6f8ef 
…updates

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [file-type](https://github.com/sindresorhus/file-type) | `21.3.0` | `21.3.2` |
| [hono](https://github.com/honojs/hono) | `4.11.9` | `4.12.7` |
| [multer](https://github.com/expressjs/multer) | `2.0.2` | `2.1.1` |
| [mailparser](https://github.com/nodemailer/mailparser) | `3.9.1` | `3.9.3` |
| [next](https://github.com/vercel/next.js) | `15.5.10` | `15.5.14` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `5.3.5` | `5.5.7` |

Bumps the npm_and_yarn group with 1 update in the /desktop directory: [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser).
Bumps the npm_and_yarn group with 1 update in the /website directory: [next](https://github.com/vercel/next.js).


Updates `file-type` from 21.3.0 to 21.3.2
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v21.3.0...v21.3.2)

Updates `hono` from 4.11.9 to 4.12.7
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.11.9...v4.12.7)

Updates `multer` from 2.0.2 to 2.1.1
- [Release notes](https://github.com/expressjs/multer/releases)
- [Changelog](https://github.com/expressjs/multer/blob/main/CHANGELOG.md)
- [Commits](expressjs/multer@v2.0.2...v2.1.1)

Updates `mailparser` from 3.9.1 to 3.9.3
- [Release notes](https://github.com/nodemailer/mailparser/releases)
- [Changelog](https://github.com/nodemailer/mailparser/blob/master/CHANGELOG.md)
- [Commits](nodemailer/mailparser@v3.9.1...v3.9.3)

Updates `next` from 15.5.10 to 15.5.14
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.10...v15.5.14)

Updates `fast-xml-parser` from 5.3.5 to 5.5.7
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.5...v5.5.7)

Updates `fast-xml-parser` from 5.3.5 to 5.5.7
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.3.5...v5.5.7)

Updates `next` from 15.5.10 to 15.5.14
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.10...v15.5.14)

---
updated-dependencies:
- dependency-name: file-type
  dependency-version: 21.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: multer
  dependency-version: 2.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mailparser
  dependency-version: 3.9.3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.14
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.5.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.5.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.14
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-04254814fb branch from faf1da4 to 8c6f8ef Compare April 2, 2026 02:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants