chore(deps): bump the dependencies group across 1 directory with 6 updates by dependabot[bot] · Pull Request #730 · NodeSecure/scanner

dependabot · 2026-05-25T14:54:29Z

Bumps the dependencies group with 6 updates in the / directory:

Package	From	To
hyperid	`3.3.0`	`4.0.0`
ipaddr.js	`2.3.0`	`2.4.0`
ssri	`13.0.1`	`14.0.0`
@npmcli/arborist	`9.4.2`	`9.7.0`
npm-pick-manifest	`11.0.3`	`12.0.0`
cacache	`20.0.4`	`21.0.0`

Updates hyperid from 3.3.0 to 4.0.0

Release notes

Sourced from hyperid's releases.

v4.0.0

What's Changed

modernize: neostandard, drop uuid, refresh CI matrix by @mcollina in mcollina/hyperid#40

chore: bump buffer to ^6.0.3 and bloomfilter to ^1.1.0 by @mcollina in mcollina/hyperid#41

Full Changelog: mcollina/hyperid@v3.3.0...v4.0.0

Commits

4298362 Bumped v4.0.0
5040f5a chore: bump nanoid to ^5.1.9 and refresh benchmarks
b7e4cd8 test
0ccfd26 chore: bump buffer to ^6.0.3 and bloomfilter to ^1.1.0 (#41)
aa7414e fix: update CI badge to use GitHub Actions endpoint
a5a341d modernize: neostandard, drop uuid, refresh CI matrix (#40)
See full diff in compare view

Updates ipaddr.js from 2.3.0 to 2.4.0

Changelog

Sourced from ipaddr.js's changelog.

2.4.0 - 2026-05-03

remove Bower support

add RFC9637, RFC9602, RFC8215, RFC3879 reserved address ranges

Commits

61bd6df Bump version.
f563e5c Add RFC9637, RFC9602, RFC8215, RFC3879 reserved address ranges.
9992db9 Rename 2001:10::/28 from deprecated to deprecatedOrchid.
5686480 Indicate which RFCs reserved some IPv6 ranges.
9199d3f Remove bower.json
1915d22 spelling: string
85eb23c spelling: javascript
4222342 spelling: ip v6
1c76a35 spelling: hexadecimal
82e4b6d spelling: addresses
Additional commits viewable in compare view

Updates ssri from 13.0.1 to 14.0.0

Release notes

Sourced from ssri's releases.

v14.0.0

14.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

ssri now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

template-oss-apply

Features

7087885 #167 bump to new node engine range (@owlstronaut)

ae8172c #167 template-oss-apply (@owlstronaut)

Chores

bda78e5 #167 template-oss-apply (@owlstronaut)

12c6581 #166 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#166) (@dependabot[bot], @npm-cli-bot)

Changelog

Sourced from ssri's changelog.

14.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

ssri now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

template-oss-apply

Features

7087885 #167 bump to new node engine range (@owlstronaut)

ae8172c #167 template-oss-apply (@owlstronaut)

Chores

bda78e5 #167 template-oss-apply (@owlstronaut)

12c6581 #166 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#166) (@dependabot[bot], @npm-cli-bot)

Commits

b70a4da chore: release 14.0.0 (#169)
bda78e5 chore: template-oss-apply
7087885 feat!: bump to new node engine range
ae8172c feat!: template-oss-apply
0f68d16 deps & engine update
12c6581 chore: bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#166)
592af94 chore: bump @npmcli/template-oss from 4.28.1 to 4.29.0 (#165)
See full diff in compare view

Updates @npmcli/arborist from 9.4.2 to 9.7.0

Release notes

Sourced from @npmcli/arborist's releases.

arborist: v9.7.0

9.7.0 (2026-05-27)

Features

a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy (#9360) (#9415) (@owlstronaut, @JamieMagee)

Bug Fixes

d8a7803 #9418 arborist: drop self-link materialization for undeclared workspaces (#9418) (@github-actions[bot], @manzoorwanijk)

4d141a0 #9417 skip hidden lockfile save on dry run (#9417) (@github-actions[bot], @puneetdixit200, @puneetdixit200)

arborist: v9.6.0

9.6.0 (2026-05-20)

Features

8df10f5 #9339 add allow-git/allow-file/allow-directory/allow-remote configs (@owlstronaut)

Bug Fixes

d7e195a #9362 arborist: skip lockfile entries for optional deps with incomplete manifests (#9362) (@github-actions[bot], @ecanturk, @owlstronaut)

9c78f2a #9361 arborist: only forward Link overrides when a rule names a target dep (@manzoorwanijk)

468550f #9339 refactor #failureNode, adjust tests and safety (@owlstronaut)

cabe249 #9339 allow-remote=none does not block registry tarballs (@owlstronaut)

2169018 #9340 arborist: skip extraneous fsChildren in linked-strategy reify (@manzoorwanijk)

1d0395e #9338 arborist: prune removed-workspace entries from package-lock.json (@manzoorwanijk)

Chores

6a2bdbc #9350 change test wording to not collide with tap (#9350) (@github-actions[bot], @owlstronaut)

arborist: v9.5.0

9.5.0 (2026-05-06)

Features

20fb6a0 #9312 arborist: add lockfileString() for in-memory lockfile generation (@ljharb)

Bug Fixes

c3ea2cf #9315 arborist: clean up orphan top-level symlinks in linked strategy (#9315) (@github-actions[bot], @manzoorwanijk)

3298369 #9303 arborist: ignore hidden entries in global update (#9299) (@Grynn)

e19b349 #9301 prefer existing tree nodes for peerOptional deps (#9249) (#9283) (@everett1992)

e7805c3 #9254 arborist: propagate overrides through Link nodes to targets (#9198) (@manzoorwanijk)

arborist: v9.4.3

9.4.3 (2026-04-22)

Bug Fixes

7cd45c6 #9253 arborist: handle npm link with install-strategy=linked (@manzoorwanijk)

7e3a66e #9238 arborist: do not install inert optional extraneous shared dependencies (#9238) (@github-actions[bot], @lovell)

cff9ce9 #9237 pass _isRoot context where missing (#9237) (@github-actions[bot])

Changelog

Sourced from @npmcli/arborist's changelog.

9.7.0 (2023-05-31)

Features

a63a6d8 #6490 add provenanceFile option for libnpmpublish (@bdehamer)

2a8f4f2 #6490 add new exclusive config item publish-file (@wraithgar)

361e194 #6483 implement flag --prefer-dedupe for npm install (#6483) (@m4rch3n1ng)

Bug Fixes

38eb39b #6514 strip ansi characters from search results (#6514) (@wraithgar)

4b5ccfc #6477 make usage and completion static functions (#6477) (@lukekarrys)

4f39e8c #6479 refactor engines validation to lint syntax (#6479) (@lukekarrys)

f3cfe12 #6482 remove unused lib/npm relics (#6482) (@lukekarrys)

87de0c7 #6472 move explore command to @npmcli/package-json (@wraithgar)

636e29e #6472 move to @npmcli/package-json where possible (@wraithgar)

37cc797 #6418 retrieve registry keys via TUF (#6418) (@bdehamer)

Documentation

83cd5bd #6480 add global option for uninstall (#6480) (@m4rch3n1ng)

0400ce3 #6481 add cli params to npm set, npm get (#6481) (@m4rch3n1ng)

c3638ce #6468 remove package-lock option for npm ci (#6468) (@m4rch3n1ng)

Dependencies

060d587 chalk@5.2.0, npm-audit-report@5.0.0

fc52ca8 #6472 remove read-package-json-fast

3238aa7 #6472 remove read-package-json

Workspace: @npmcli/config@6.2.0

Workspace: libnpmexec@6.0.0

Workspace: libnpmpublish@7.3.0

9.6.7 (2023-05-17)

Bug Fixes

9202c7d #6464 npm cache completion (#6464) (@m4rch3n1ng)

6ce99a8 #6461 exit codes in node v20 (#6461) (@MichaelBitard)

23c865f #6434 deprecate ci-name config (#6434) (@wraithgar)

Documentation

7751dd4 #6413 add a comma (#6413) (@darryltec)

Dependencies

afc38a5 #6458 cacache@17.1.2

afb936c #6458 tuf-js@1.1.6

f6a0884 #6458 readable-stream@4.4.0

... (truncated)

Commits

5dbbe60 chore: remove arborist chalk dev dependency
3d5bbcc chore: release 9.6.6
e498f82 deps: minimatch@9.0.0
1c8d17a chore: @npmcli/template-oss@4.14.1
a558bbd fix: code cleanup (#6393)
c7f4b35 chore: release 9.6.5
82879f6 fix: lazy loading of arborist and pacote (#6225)
357cc29 deps: walk-up-path@3.0.1
b8006ad chore: release 9.6.4
deca335 deps: promise-call-limit@1.0.2
Additional commits viewable in compare view

Updates npm-pick-manifest from 11.0.3 to 12.0.0

Release notes

Sourced from npm-pick-manifest's releases.

v12.0.0

12.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

npm-pick-manifest now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

template-oss-apply

Features

1b71e65 #177 bump to new node engine range (@owlstronaut)

60cde68 #177 template-oss-apply (@owlstronaut)

Dependencies

60b6749 #177 npm-package-arg@14.0.0

da16b63 #177 npm-normalize-package-bin@6.0.0

20c56b2 #177 npm-install-checks@9.0.0

Chores

46c4246 #177 template-oss-apply (@owlstronaut)

756de4f #177 bumping @npmcli/template-oss from 4.30.0 to 5.1.0 (@owlstronaut)

dfae65d #168 remove tap (@owlstronaut)

547a6f7 #168 swap from tap to built-in node:test (@owlstronaut)

e343270 #171 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#171) (@dependabot[bot], @npm-cli-bot)

Changelog

Sourced from npm-pick-manifest's changelog.

12.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

npm-pick-manifest now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

template-oss-apply

Features

1b71e65 #177 bump to new node engine range (@owlstronaut)

60cde68 #177 template-oss-apply (@owlstronaut)

Dependencies

60b6749 #177 npm-package-arg@14.0.0

da16b63 #177 npm-normalize-package-bin@6.0.0

20c56b2 #177 npm-install-checks@9.0.0

Chores

46c4246 #177 template-oss-apply (@owlstronaut)

756de4f #177 bumping @npmcli/template-oss from 4.30.0 to 5.1.0 (@owlstronaut)

dfae65d #168 remove tap (@owlstronaut)

547a6f7 #168 swap from tap to built-in node:test (@owlstronaut)

e343270 #171 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#171) (@dependabot[bot], @npm-cli-bot)

Commits

bc160ab chore: release 12.0.0 (#178)
60b6749 deps: npm-package-arg@14.0.0
da16b63 deps: npm-normalize-package-bin@6.0.0
20c56b2 deps: npm-install-checks@9.0.0
46c4246 chore: template-oss-apply
1b71e65 feat!: bump to new node engine range
60cde68 feat!: template-oss-apply
756de4f chore: bumping @npmcli/template-oss from 4.30.0 to 5.1.0
e343270 chore: bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#171)
7003a5d chore: bump @npmcli/template-oss from 4.28.1 to 4.29.0 (#170)
Additional commits viewable in compare view

Updates cacache from 20.0.4 to 21.0.0

Release notes

Sourced from cacache's releases.

v21.0.0

21.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

cacache now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

template-oss-apply

Features

224c45a #339 bump to new node engine range (@owlstronaut)

2929aa5 #339 template-oss-apply (@owlstronaut)

Dependencies

4a9b643 #339 ssri@14.0.0

23f4ca7 #339 @npmcli/fs@6.0.0

Chores

8f85b88 #339 template-oss-apply (@owlstronaut)

af6256e #339 bumping @npmcli/template-oss from 4.30.0 to 5.1.0 (@owlstronaut)

c1a85be #330 template-oss-apply (#330) (@owlstronaut)

5929444 #331 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#331) (@dependabot[bot], @npm-cli-bot)

Changelog

Sourced from cacache's changelog.

21.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

cacache now supports node ^22.22.2 || ^24.15.0 || >=26.0.0

template-oss-apply

Features

224c45a #339 bump to new node engine range (@owlstronaut)

2929aa5 #339 template-oss-apply (@owlstronaut)

Dependencies

4a9b643 #339 ssri@14.0.0

23f4ca7 #339 @npmcli/fs@6.0.0

Chores

8f85b88 #339 template-oss-apply (@owlstronaut)

af6256e #339 bumping @npmcli/template-oss from 4.30.0 to 5.1.0 (@owlstronaut)

c1a85be #330 template-oss-apply (#330) (@owlstronaut)

5929444 #331 bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#331) (@dependabot[bot], @npm-cli-bot)

Commits

1e665fb chore: release 21.0.0 (#340)
4a9b643 deps: ssri@14.0.0
23f4ca7 deps: @npmcli/fs@6.0.0
8f85b88 chore: template-oss-apply
224c45a feat!: bump to new node engine range
2929aa5 feat!: template-oss-apply
af6256e chore: bumping @npmcli/template-oss from 4.30.0 to 5.1.0
5929444 chore: bump @npmcli/template-oss from 4.29.0 to 4.30.0 (#331)
c1a85be chore: template-oss-apply (#330)
See full diff in compare view

changeset-bot · 2026-05-25T14:54:37Z

⚠️ No Changeset found

Latest commit: 43af1bc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

socket-security · 2026-05-25T14:55:04Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	ipaddr.js@2.4.0
	hyperid@4.0.0
	ssri@14.0.0
	npm-pick-manifest@12.0.0
	cacache@21.0.0

View full report

socket-security · 2026-05-25T14:55:06Z

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

…dates Bumps the dependencies group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [hyperid](https://github.com/mcollina/hyperid) | `3.3.0` | `4.0.0` | | [ipaddr.js](https://github.com/whitequark/ipaddr.js) | `2.3.0` | `2.4.0` | | [ssri](https://github.com/npm/ssri) | `13.0.1` | `14.0.0` | | [@npmcli/arborist](https://github.com/npm/cli/tree/HEAD/workspaces/arborist) | `9.4.2` | `9.7.0` | | [npm-pick-manifest](https://github.com/npm/npm-pick-manifest) | `11.0.3` | `12.0.0` | | [cacache](https://github.com/npm/cacache) | `20.0.4` | `21.0.0` | Updates `hyperid` from 3.3.0 to 4.0.0 - [Release notes](https://github.com/mcollina/hyperid/releases) - [Commits](mcollina/hyperid@v3.3.0...v4.0.0) Updates `ipaddr.js` from 2.3.0 to 2.4.0 - [Changelog](https://github.com/whitequark/ipaddr.js/blob/main/Changes.md) - [Commits](whitequark/ipaddr.js@v2.3.0...v2.4.0) Updates `ssri` from 13.0.1 to 14.0.0 - [Release notes](https://github.com/npm/ssri/releases) - [Changelog](https://github.com/npm/ssri/blob/main/CHANGELOG.md) - [Commits](npm/ssri@v13.0.1...v14.0.0) Updates `@npmcli/arborist` from 9.4.2 to 9.7.0 - [Release notes](https://github.com/npm/cli/releases) - [Changelog](https://github.com/npm/cli/blob/v9.7.0/CHANGELOG.md) - [Commits](https://github.com/npm/cli/commits/v9.7.0/workspaces/arborist) Updates `npm-pick-manifest` from 11.0.3 to 12.0.0 - [Release notes](https://github.com/npm/npm-pick-manifest/releases) - [Changelog](https://github.com/npm/npm-pick-manifest/blob/main/CHANGELOG.md) - [Commits](npm/npm-pick-manifest@v11.0.3...v12.0.0) Updates `cacache` from 20.0.4 to 21.0.0 - [Release notes](https://github.com/npm/cacache/releases) - [Changelog](https://github.com/npm/cacache/blob/main/CHANGELOG.md) - [Commits](npm/cacache@v20.0.4...v21.0.0) --- updated-dependencies: - dependency-name: "@npmcli/arborist" dependency-version: 9.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: cacache dependency-version: 21.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: hyperid dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: ipaddr.js dependency-version: 2.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: npm-pick-manifest dependency-version: 12.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: ssri dependency-version: 14.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 25, 2026

dependabot Bot requested a review from a team as a code owner May 25, 2026 14:54

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 25, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/dependencies-eea1e73d49 branch from 22a98a4 to 43af1bc Compare June 8, 2026 09:46

fraxken approved these changes Jun 8, 2026

View reviewed changes

fraxken merged commit d9e51cf into master Jun 8, 2026
6 checks passed

fraxken deleted the dependabot/npm_and_yarn/dependencies-eea1e73d49 branch June 8, 2026 13:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the dependencies group across 1 directory with 6 updates#730

chore(deps): bump the dependencies group across 1 directory with 6 updates#730
fraxken merged 1 commit into
masterfrom
dependabot/npm_and_yarn/dependencies-eea1e73d49

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading

Uh oh!

changeset-bot Bot commented May 25, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented May 25, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented May 25, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.0.0

What's Changed

2.4.0 - 2026-05-03

v14.0.0

14.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

Features

Chores

14.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

Features

Chores

arborist: v9.7.0

9.7.0 (2026-05-27)

Features

Bug Fixes

arborist: v9.6.0

9.6.0 (2026-05-20)

Features

Bug Fixes

Chores

arborist: v9.5.0

9.5.0 (2026-05-06)

Features

Bug Fixes

arborist: v9.4.3

9.4.3 (2026-04-22)

Bug Fixes

9.7.0 (2023-05-31)

Features

Bug Fixes

Documentation

Dependencies

9.6.7 (2023-05-17)

Bug Fixes

Documentation

Dependencies

v12.0.0

12.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

Features

Dependencies

Chores

12.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

Features

Dependencies

Chores

v21.0.0

21.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

Features

Dependencies

Chores

21.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

Features

Dependencies

Chores

Uh oh!

changeset-bot Bot commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ No Changeset found

Uh oh!

socket-security Bot commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading

changeset-bot Bot commented May 25, 2026 •

edited

Loading

socket-security Bot commented May 25, 2026 •

edited

Loading

socket-security Bot commented May 25, 2026 •

edited

Loading