From 09600b57c623e1f43abfc90d82b43be4173dcf6e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 7 May 2026 13:45:23 +0000
Subject: [PATCH 1/2] build(deps): bump brace-expansion from 1.1.11 to 1.1.14
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.14.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.14)
---
updated-dependencies:
- dependency-name: brace-expansion dependency-version: 1.1.14 dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
yarn.lock | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index 0f276306..91ffbaa3 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1815,12 +1815,12 @@ __metadata: linkType: hard "brace-expansion@npm:^1.1.7": - version: 1.1.11 - resolution: "brace-expansion@npm:1.1.11" + version: 1.1.14 + resolution: "brace-expansion@npm:1.1.14" dependencies: balanced-match: "npm:^1.0.0" concat-map: "npm:0.0.1" - checksum: 10c0/695a56cd058096a7cb71fb09d9d6a7070113c7be516699ed361317aca2ec169f618e28b8af352e02ab4233fb54eb0168460a40dc320bab0034b36ab59aaad668 + checksum: 10c0/b6fdac832bc4e36a753658c9ed052c2e1a2be221763b002df25d1efbf7d21724334e726a6cd5eadc72a4b19ec3efb632d629cc003bc9c62f7af7a7915ffa4385 languageName: node linkType: hard
From 19bc87fa7f61e8f00cb052f6ce1f7a45ccbf0dcf Mon Sep 17 00:00:00 2001
From: Kevin van Zonneveld
Date: Thu, 7 May 2026 17:07:40 +0200
Subject: [PATCH 2/2] Add release changeset for security maintenance
---
.changeset/soft-candles-cover.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 .changeset/soft-candles-cover.md
diff --git a/.changeset/soft-candles-cover.md b/.changeset/soft-candles-cover.md
new file mode 100644
index 00000000..80f313ea
--- /dev/null
+++ b/.changeset/soft-candles-cover.md
@@ -0,0 +1,12 @@
+---
+"@transloadit/node": patch
+"@transloadit/mcp-server": patch
+"transloadit": patch
+---
+
+Release the Node SDK, the legacy `transloadit` wrapper, and the validated MCP server together after
+the latest security-maintenance batch.
+
+This release includes lockfile updates for the `ip-address`, `minimatch`, and `brace-expansion`
+advisories, and the CI coverage-publishing guard that lets Dependabot E2E checks pass when the
+private coverage repository key is unavailable.