chore(deps): bump the npm_and_yarn group across 2 directories with 19 updates by dependabot[bot] · Pull Request #939 · thirdweb-dev/engine

dependabot · 2026-04-07T00:05:03Z

Bumps the npm_and_yarn group with 17 updates in the / directory:

Package	From	To
fastify	`4.29.0`	`5.8.3`
undici	`6.20.1`	`6.24.0`
ajv	`8.17.1`	`8.18.0`
defu	`6.1.4`	`6.1.6`
h3	`1.13.0`	`1.15.11`
handlebars	`4.7.8`	`4.7.9`
js-yaml	`4.1.0`	`4.1.1`
lodash	`4.17.21`	`4.18.1`
markdown-it	`14.1.0`	`14.1.1`
node-forge	`1.3.1`	`1.4.0`
path-to-regexp	`0.1.12`	`0.1.13`
pbkdf2	`3.1.2`	`3.1.5`
picomatch	`2.3.1`	`2.3.2`
rollup	`4.28.1`	`4.60.1`
sha.js	`2.4.11`	`2.4.12`
tmp	`0.2.3`	`0.2.5`
underscore	`1.13.7`	`1.13.8`

Bumps the npm_and_yarn group with 4 updates in the /sdk directory: brace-expansion, minimatch, picomatch and rollup.

Updates fastify from 4.29.0 to 5.8.3

Release notes

Sourced from fastify's releases.

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

docs(readme): add @Tony133 to plugin team by @Tony133 in fastify/fastify#6565

Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in fastify/fastify#6566

test: use fastify.test in test case by @climba03003 in fastify/fastify#6568

docs: use fastify.example in documentation by @climba03003 in fastify/fastify#6567

docs: add common performance degradation guidance by @maxpetrusenko in fastify/fastify#6520

docs(server): fix camelCase anchor links in TOC by @Deepvamja in fastify/fastify#6530

ci(link-checker): fix root-relative links resolution by @barba-rossa in fastify/fastify#6535

docs: update syntax markdown, absolute paths and links by @Tony133 in fastify/fastify#6569

docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in fastify/fastify#6537

docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in fastify/fastify#6582

docs: replace redirected npm.im http-errors link by @mcollina in fastify/fastify#6588

types: Allow port to be null in request type definition by @TristanBarlow in fastify/fastify#6589

docs: update links by @Tony133 in fastify/fastify#6593

ci(lock-threads): use shared lock-threads workflow by @Fdawgs in fastify/fastify#6592

New Contributors

@kyrylchenko made their first contribution in fastify/fastify#6566

@maxpetrusenko made their first contribution in fastify/fastify#6520

@Deepvamja made their first contribution in fastify/fastify#6530

@barba-rossa made their first contribution in fastify/fastify#6535

@mahmoodhamdi made their first contribution in fastify/fastify#6582

@TristanBarlow made their first contribution in fastify/fastify#6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

What's Changed

docs(ecosystem): add @yeliex/fastify-problem-details by @yeliex in fastify/fastify#6546

Revert "chore: upgrade borp to v1.0.0" by @climba03003 in fastify/fastify#6564

docs: document body validation with custom content type parsers by @mcollina in fastify/fastify#6556

docs(ecosystem): add fastify-file-router by @bhouston in fastify/fastify#6441

docs: add fastify-svelte-view to Ecosystem list by @matths in fastify/fastify#6453

fix: anchor keyValuePairsReg to prevent quadratic backtracking by @mcollina in fastify/fastify#6558

docs: added note on handling of invalid URLs in setNotFoundHandler by @leftieFriele in fastify/fastify#5661

docs(guides): update codemod links by @OluchiEzeifedikwa in fastify/fastify#6479

docs: add @glidemq/fastify to community plugins by @avifenesh in fastify/fastify#6560

New Contributors

@yeliex made their first contribution in fastify/fastify#6546

@matths made their first contribution in fastify/fastify#6453

@leftieFriele made their first contribution in fastify/fastify#5661

@OluchiEzeifedikwa made their first contribution in fastify/fastify#6479

@avifenesh made their first contribution in fastify/fastify#6560

... (truncated)

Commits

a3e77ce Bumped v5.8.3
4e1db5b fix: gate host and protocol getters on proxy trust function
a22217f ci(lock-threads): use shared lock-threads workflow (#6592)
1851f20 docs: update links (#6593)
9cc5187 types: Allow port to be null in request type definition (#6589)
722d83b docs: replace redirected npm.im http-errors link (#6588)
a1413de docs: fix incorrect code examples in Reply and Request reference (#6582)
d7f01b6 docs: clarify content-type parser/schema mismatch is outside threat model (#6...
a0649e9 docs: update syntax markdown, absolute paths and links (#6569)
d477915 ci(link-checker): fix root-relative links resolution (#6535)
Additional commits viewable in compare view

Updates undici from 6.20.1 to 6.24.0

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

CVE-2026-1525: affected < 6.24.0, patched 6.24.0

CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0

CVE-2026-1527: affected < 6.24.0, patched 6.24.0

CVE-2026-2229: affected < 6.24.0, patched 6.24.0

CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527

NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229

NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v6.23.0

⚠️ Security Release

... (truncated)

Commits

8873c94 Bumped v6.24.0
411bd01 test(websocket): use node:assert for Node 18 compatibility
844bf59 test: fix http2 lint regressions in backport
a444e4f test: stabilize h2 and tls-cert-leak under current test runner
dc032a1 fix: h2 CI (#4395)
4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
7df6442 fix: adapt websocket frame-limit handling for v6 parser
4e0179a fix: reject duplicate content-length and host headers
5a97f08 Fix websocket 64-bit length overflow
e43e898 fix: validate upgrade header to prevent CRLF injection
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in ajv-validator/ajv#2480

fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in ajv-validator/ajv#2487

fix: small grammatical error in managing-schemas.md by @monteiro-renato in ajv-validator/ajv#2508

fix: typos in schema-language.md by @monteiro-renato in ajv-validator/ajv#2507

fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in ajv-validator/ajv#2586

New Contributors

@josdejong made their first contribution in ajv-validator/ajv#2480

@monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

142ce84 8.18.0
720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
82735a1 fix: typos in schema-language.md (#2507)
b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
See full diff in compare view

Updates defu from 6.1.4 to 6.1.6

Release notes

Sourced from defu's releases.

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

✅ Tests

Add more tests for plain objects (b65f603)

❤️ Contributors

Pooya Parsa (@pi0)

Kricsleo (@kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.6

compare changes

📦 Build

Fix mixed types (407b516)

❤️ Contributors

Pooya Parsa (@pi0)

v6.1.5

compare changes

🩹 Fixes

Prevent prototype pollution via __proto__ in defaults (#156)

Ignore inherited enumerable properties (11ba022)

🏡 Chore

Add tea.yaml (70cffe5)

Update repo (23cc432)

Fix typecheck (89df6bb)

✅ Tests

Add more tests for plain objects (b65f603)

🤖 CI

Bump node (9237d9c)

❤️ Contributors

Pooya Parsa (@pi0)

Kricsleo (@kricsleo)

Commits

001c290 chore(release): v6.1.6
407b516 build: fix mixed types
23e59e6 chore(release): v6.1.5
11ba022 fix: ignore inherited enumerable properties
3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
d3ef16d chore(deps): update actions/checkout action to v6 (#151)
869a053 chore(deps): update actions/setup-node action to v6 (#149)
a97310c chore(deps): update codecov/codecov-action action to v6 (#154)
89df6bb chore: fix typecheck
9237d9c ci: bump node
Additional commits viewable in compare view

Updates h3 from 1.13.0 to 1.15.11

Release notes

Sourced from h3's releases.

v1.15.11

compare changes

🏡 Chore

Update defu to 6.1.6 (6125485)

Update deps (4998dd8)

Update cookie-es (d166186)

v1.15.10

compare changes

🩹 Fixes

Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

Sergio Azócar (@sergioazoc)

v1.15.9

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)

sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

static: Narrow path traversal check to match .. as a path segment only (c049dc0)

app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

Remove implicit event handler conversion warning (#1340)

❤️ Contributors

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.11

compare changes

🏡 Chore

Update defu to 6.1.6 (6125485)

Update deps (4998dd8)

Update cookie-es (d166186)

❤️ Contributors

Pooya Parsa (@pi0)

v1.15.10

compare changes

🩹 Fixes

Preserve percent-encoded req.url in app event handler (#1355)

🏡 Chore

Update deps (26fec6f)

❤️ Contributors

Pooya Parsa (@pi0)

Sergio Azócar (@sergioazoc)

v1.15.9

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)

sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

🏡 Chore

release: V1.15.8 (e3b9c9e)

Update deps (23045df)

❤️ Contributors

Pooya Parsa (@pi0)

... (truncated)

Commits

7b9f41f chore(release): v1.15.11
d166186 chore: update cookie-es
4998dd8 chore: update deps
6125485 chore: update defu to 6.1.6
b72bb57 chore(release): v1.15.10
d8ef318 remove resolutions for h3
26fec6f chore: update deps
51ca9b3 fix: preserve percent-encoded req.url in app event handler (#1355)
4e8d43a chore(release): v1.15.9
23045df chore: update deps
Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2

fix type "RuntimeOptions" also accepting string partials - eab1d14

feat(types): set hash to be a Record<string, any> - de4414d

fix non-contiguous program indices - 4512766

refactor: rename i to startPartIndex - e497a35

security: fix security issues - 68d8df5

GHSA-2w6w-674q-4c4q

GHSA-3mfm-83xf-c92r

GHSA-xhpv-hc6g-r9c6

GHSA-xjpj-3mr7-gcpf

GHSA-9cx6-37pm-9jff

GHSA-2qvq-rjwj-gvw9

GHSA-7rx3-28cr-v5wh

GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2

fix type "RuntimeOptions" also accepting string partials - eab1d14

feat(types): set hash to be a Record<string, any> - de4414d

fix non-contiguous program indices - 4512766

refactor: rename i to startPartIndex - e497a35

security: fix security issues - 68d8df5

Commits

Commits

dce542c v4.7.9
8a41389 Update release notes
68d8df5 Fix security issues
b2a0831 Fix browser tests
9f98c16 Fix release script
45443b4 Revert "Improve partial indenting performance"
8841a5f Fix CI errors with linting
e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
e914d60 Improve rendering performance
7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @ltduc147 for report.

Commits

b4a9b65 14.1.1 released
4b4bbca Fixed perf regression in linkify-it wrapper
d2782d8 Add supplementary example-driven documentation (#1092)
See full diff in compare view

Updates node-forge from 1.3.1 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

HIGH: Denial of Service in BigInteger.modInverse()

A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.

Reported by Kr0emer.

CVE ID: CVE-2026-33891

GHSA ID: GHSA-5gfm-wpxj-wjgq

HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.

RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.

Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.

Reported as part of a U.C. Berkeley security research project by:

Austin Chu, Sohee Kim, and Corban Villa.

CVE ID: CVE-2026-33894

GHSA ID: GHSA-ppp5-5v6c-4jwp

HIGH: Signature forgery in Ed25519 due to missing S < L check.

Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.

Reported as part of a U.C. Berkeley security research project by:

Austin Chu, Sohee Kim, and Corban Villa.

CVE ID: CVE-2026-33895

GHSA ID: GHSA-q67f-28xg-22rw

HIGH: basicConstraints bypass in certificate chain verification.

pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.

Reported by Doruk Tan Ozturk (@peaktwilight) - doruk.ch

CVE ID: CVE-2026-33896

GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

fa385f9 Release 1.4.0.
07d4e16 Update changelog.
cb90fd9 Update changelog.
963e7c5 Add unit test for "pseudonym"
f0b6f5b Add pseudonym OID
3df48a3 Fix missing CVE ID.
2e49283 Add x509 basicConstraints check.
bdecf11 Add canonical signature scaler check for S < L.
af094e6 Add RSA padding and DigestInfo length checks.
796eeb1 Improve jsbn fix.
Additional commits viewable in compare view

Updates path-to-regexp from 0.1.12 to 0.1.13

Release notes

Sourced from path-to-regexp's releases.

0.1.13

Important

Fix CVE-2026-4867 (GHSA-37ch-88jc-xwx2)

Full Changelog: pillarjs/path-to-regexp@v0.1.12...v.0.1.13

Changelog

Sourced from path-to-regexp's changelog.

0.1.13 / 2026-03-26

Fix CVE-2026-4867 (GHSA-37ch-88jc-xwx2)

0.1.7 / 2015-07-28

Fixed regression with escaped round brackets and matching groups.

0.1.6 / 2015-06-19

Replace index feature by outputting all parameters, unnamed and named.

0.1.5 / 2015-05-08

Add an index property for position in match result.

0.1.4 / 2015-03-05

Add license information

0.1.3 / 2014-07-06

Better array support

Improved support for trailing slash in non-ending mode

0.1.0 / 2014-03-06

add options.end

0.0.2 / 2013-02-10

Update to match current express

add .license property to component.json

Commits

9fd0c87 0.1.13 (#425)
7ccf02c fix: CVE-2026-4867
See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for path-to-regexp since your current version.

Updates pbkdf2 from 3.1.2 to 3.1.5

Changelog

Sourced from pbkdf2's changelog.

v3.1.5 - 2025-09-23

Commits

[Fix] only allow finite iterations 67bd94d

[Fix] restore node 0.10 support 8f59d96

[Fix] check parameters before the "no Promise" bailout d2dc5f0

v3.1.4 - 2025-09-22

Commits

[Deps] update create-hash, ripemd160, sha.js, to-buffer 8dbf49b

[meta] update repo URLs d15bc35

[Dev Deps] update @ljharb/eslint-config aaf870b

v3.1.3 - 2025-06-20

Commits

Only apps should have lockfiles 8b06730

[lint] fix whitespace 9a76e2f

[lint] fix parens/curlies/semis/etc 6fd84bf

[meta] add auto-changelog 796c38d

[Tests] fix tests in node 17 3661fb0

Revert "[Tests] fix tests in node < 3" 7431b57

[Tests] fix tests in node < 3 eb9f97a

[Fix] ensure unknown algorithms throw + known ones match node 26d4fd3

[Tests] add GHA, always run nyc 513906a

[lint] fix a few more rules ab04da8

[lint] switch to eslint 89694cf

[Tests] add coverage d0d534b

[Refactor] use to-buffer e3102a8

[readme] improve badges fca0c9d

[Tests] remove unused travis file a2c7d93

[meta] switch from files to npmignore 7f31fbc

[Tests] use .nycrc 8d628e8

[Refactor] minor tweaks fc61005

[Deps] update create-hmac, safe-buffer, sha.js ae2a7d0

[Fix] pin create-hash, ripemd160 due to breaking changes e079968

[Tests] fix tests in node 3 45fbcf3

[meta] skip publishing benchmarks 19ea57b

[Dev Deps] add missing peer dep 645e252

Commits

3687905 v3.1.5
67bd94d [Fix] only allow finite iterations
8f59d96 [Fix] restore node 0.10 support
d2dc5f0 [Fix] check parameters before the "no Promise" bailout
b2ad615 v3.1.4
8dbf49b [Deps] update create-hash, ripemd160, sha.js, to-buffer
aaf870b [Dev Deps] update @ljharb/eslint-config
d15bc35 [meta] update repo URLs
3e40827 v3.1.3

… updates Bumps the npm_and_yarn group with 17 updates in the / directory: | Package | From | To | | --- | --- | --- | | [fastify](https://github.com/fastify/fastify) | `4.29.0` | `5.8.3` | | [undici](https://github.com/nodejs/undici) | `6.20.1` | `6.24.0` | | [ajv](https://github.com/ajv-validator/ajv) | `8.17.1` | `8.18.0` | | [defu](https://github.com/unjs/defu) | `6.1.4` | `6.1.6` | | [h3](https://github.com/h3js/h3) | `1.13.0` | `1.15.11` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.8` | `4.7.9` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` | | [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.1.1` | | [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.4.0` | | [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `0.1.12` | `0.1.13` | | [pbkdf2](https://github.com/browserify/pbkdf2) | `3.1.2` | `3.1.5` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [rollup](https://github.com/rollup/rollup) | `4.28.1` | `4.60.1` | | [sha.js](https://github.com/crypto-browserify/sha.js) | `2.4.11` | `2.4.12` | | [tmp](https://github.com/raszi/node-tmp) | `0.2.3` | `0.2.5` | | [underscore](https://github.com/jashkenas/underscore) | `1.13.7` | `1.13.8` | Bumps the npm_and_yarn group with 4 updates in the /sdk directory: [brace-expansion](https://github.com/juliangruber/brace-expansion), [minimatch](https://github.com/isaacs/minimatch), [picomatch](https://github.com/micromatch/picomatch) and [rollup](https://github.com/rollup/rollup). Updates `fastify` from 4.29.0 to 5.8.3 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v4.29.0...v5.8.3) Updates `undici` from 6.20.1 to 6.24.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v6.20.1...v6.24.0) Updates `ajv` from 8.17.1 to 8.18.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.18.0) Updates `defu` from 6.1.4 to 6.1.6 - [Release notes](https://github.com/unjs/defu/releases) - [Changelog](https://github.com/unjs/defu/blob/main/CHANGELOG.md) - [Commits](unjs/defu@v6.1.4...v6.1.6) Updates `h3` from 1.13.0 to 1.15.11 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.11/CHANGELOG.md) - [Commits](h3js/h3@v1.13.0...v1.15.11) Updates `handlebars` from 4.7.8 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `markdown-it` from 14.1.0 to 14.1.1 - [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md) - [Commits](markdown-it/markdown-it@14.1.0...14.1.1) Updates `node-forge` from 1.3.1 to 1.4.0 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.4.0) Updates `path-to-regexp` from 0.1.12 to 0.1.13 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md) - [Commits](pillarjs/path-to-regexp@v0.1.12...v.0.1.13) Updates `pbkdf2` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md) - [Commits](browserify/pbkdf2@v3.1.2...v3.1.5) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `rollup` from 4.28.1 to 4.60.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.28.1...v4.60.1) Updates `sha.js` from 2.4.11 to 2.4.12 - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md) - [Commits](browserify/sha.js@v2.4.11...v2.4.12) Updates `tmp` from 0.2.3 to 0.2.5 - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md) - [Commits](raszi/node-tmp@v0.2.3...v0.2.5) Updates `underscore` from 1.13.7 to 1.13.8 - [Commits](jashkenas/underscore@1.13.7...1.13.8) Updates `brace-expansion` from 1.1.11 to 1.1.13 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.13) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `rollup` from 2.79.2 to 2.80.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.28.1...v4.60.1) --- updated-dependencies: - dependency-name: fastify dependency-version: 5.8.3 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 6.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 8.18.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: defu dependency-version: 6.1.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: markdown-it dependency-version: 14.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.4.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-version: 0.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: pbkdf2 dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: sha.js dependency-version: 2.4.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tmp dependency-version: 0.2.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: underscore dependency-version: 1.13.8 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 2.80.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-04-07T00:06:43Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	undici@6.20.1 ⏵ 6.24.0	^-24	⁺³¹	⁺¹	⁺¹
	fastify@4.29.0 ⏵ 5.8.3	⁺¹	⁺²⁴

View full report

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 7, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 19 updates#939

chore(deps): bump the npm_and_yarn group across 2 directories with 19 updates#939
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-5ed32946c4

dependabot bot commented on behalf of github Apr 7, 2026

Uh oh!

socket-security bot commented Apr 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 7, 2026

v5.8.3

⚠️ Security Release

What's Changed

New Contributors

v5.8.2

What's Changed

New Contributors

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

Upgrade guidance

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

v6.23.0

⚠️ Security Release

v8.18.0

What's Changed

New Contributors

v6.1.6

📦 Build

v6.1.5

🩹 Fixes

✅ Tests

❤️ Contributors

v6.1.6

📦 Build

❤️ Contributors

v6.1.5

🩹 Fixes

🏡 Chore

✅ Tests

🤖 CI

❤️ Contributors

v1.15.11

🏡 Chore

v1.15.10

🩹 Fixes

❤️ Contributors

v1.15.9

🩹 Fixes

v1.15.8

🩹 Fixes

v1.15.7

🩹 Fixes

💅 Refactors

❤️ Contributors

v1.15.11

🏡 Chore

❤️ Contributors

v1.15.10

🩹 Fixes

🏡 Chore

❤️ Contributors

v1.15.9

🩹 Fixes

🏡 Chore

❤️ Contributors

v4.7.9

v4.7.9 - March 26th, 2026

[4.1.1] - 2025-11-12

Security

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

[14.1.1] - 2026-01-11

Security

1.4.0 - 2026-03-24

Security

0.1.13

Important

0.1.13 / 2026-03-26

0.1.7 / 2015-07-28

0.1.6 / 2015-06-19

`lodash.*` modular packages