Skip to content
This repository was archived by the owner on Feb 18, 2026. It is now read-only.

chore(deps): bump the npm_and_yarn group across 2 directories with 7 updates#368

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-7b321ddc73
Closed

chore(deps): bump the npm_and_yarn group across 2 directories with 7 updates#368
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-7b321ddc73

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Jan 9, 2026
edited
Loading

Bumps the npm_and_yarn group with 4 updates in the /packages/linea-ens-app directory: min-document, node-forge, tar-fs and vite.
Bumps the npm_and_yarn group with 3 updates in the /packages/linea-ens-contracts directory: cipher-base, min-document and axios.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

Updates min-document from 2.19.0 to 2.19.2

Commits
  • 0d14150 2.19.2
  • 49c2e06 Merge pull request #56 from wasabina67/fix/prototype-pollution-removeAttribut...
  • 9666461 Fix prototype pollution vulnerability in removeAttributeNS
  • 4490b40 2.19.1
  • 2cd5871 update ignore
  • fe32e8d Merge pull request #55 from jameswassink/fix/prototype-pollution-removeAttrib...
  • 6c5f31a Better prototype pollution fix
  • 0d4e819 Fix prototype pollution in removeAttributeNS
  • bf7b691 Update package.json
  • 1b5402d Merge pull request #49 from PixnBits/patch-1
  • Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

  • [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

  • HIGH: ASN.1 Validator Desynchronization
    • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-12816
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: ASN.1 Unbounded Recursion
    • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66031
    • GHSA ID: GHSA-554w-wpv2-vw27
  • MODERATE: ASN.1 OID Integer Truncation
    • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66030
    • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

  • [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
  • [asn1] Add fromDer() max recursion depth check.
    • Add a asn1.maxDepth global configurable maximum depth of 256.
    • Add a asn1.fromDer() per-call maxDepth option.
    • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
    • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

Updates tar-fs from 2.1.3 to 2.1.4

Commits

Updates vite from 5.4.19 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

5.4.20 (2025-09-08)

Commits

Updates cipher-base from 1.0.4 to 1.0.6

Changelog

Sourced from cipher-base's changelog.

v1.0.6 - 2024-11-26

Commits

  • [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

  • [Tests] standard -> eslint, make test dir, etc ae02fd6
  • [Tests] migrate from travis to GHA 66387d7
  • [meta] fix package.json indentation 5c02918
  • [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
  • [meta] add auto-changelog 88dc806
  • [meta] add npmignore and safe-publish-latest 7a137d7
  • Only apps should have lockfiles 42528f2
  • [Deps] update inherits, safe-buffer 0e7a2d9
  • [meta] add missing engines.node f2dc13e
Commits
  • f5249f9 v1.0.6
  • b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
  • f03cebf v1.0.5
  • 88dc806 [meta] add auto-changelog
  • 7a137d7 [meta] add npmignore and safe-publish-latest
  • 5c02918 [meta] fix package.json indentation
  • 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
  • 66387d7 [Tests] migrate from travis to GHA
  • f2dc13e [meta] add missing engines.node
  • 0e7a2d9 [Deps] update inherits, safe-buffer
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.


Updates min-document from 2.19.0 to 2.19.2

Commits
  • 0d14150 2.19.2
  • 49c2e06 Merge pull request #56 from wasabina67/fix/prototype-pollution-removeAttribut...
  • 9666461 Fix prototype pollution vulnerability in removeAttributeNS
  • 4490b40 2.19.1
  • 2cd5871 update ignore
  • fe32e8d Merge pull request #55 from jameswassink/fix/prototype-pollution-removeAttrib...
  • 6c5f31a Better prototype pollution fix
  • 0d4e819 Fix prototype pollution in removeAttributeNS
  • bf7b691 Update package.json
  • 1b5402d Merge pull request #49 from PixnBits/patch-1
  • Additional commits viewable in compare view

Updates axios from 1.8.4 to 1.12.0

Release notes

Sourced from axios's releases.

Release v1.12.0

Release notes:

Bug Fixes

Features

  • adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
  • fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
  • support reviver on JSON.parse (#5926) (2a97634), closes #5924
  • types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

Release v1.11.0

Release notes:

Bug Fixes

  • form-data npm pakcage (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

... (truncated)

Changelog

Sourced from axios's changelog.

1.12.0 (2025-09-11)

Bug Fixes

Features

  • adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
  • fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
  • support reviver on JSON.parse (#5926) (2a97634), closes #5924
  • types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

1.11.0 (2025-07-22)

Bug Fixes

  • form-data npm pakcage (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

... (truncated)

Commits
  • 0d8ad6e chore(release): v1.12.0 (#7013)
  • fd7f404 fix: release pr run
  • a2edc36 fix: dont add dist on release
  • 9ec86de fix: adding build artifacts
  • 945435f fix(node): enforce maxContentLength for data: URLs (#7011)
  • 28e5e30 chore(sponsor): update sponsor block (#7005)
  • d03f245 chore(CI): fixed release info script to use npm registry instead of git as fi...
  • a0bc911 chore: removing dist files from src (#7002)
  • c959ff2 feat(fetch): add fetch, Request, Response env config variables for the adapte...
  • a9f47af fix(fetch-adapter): set correct Content-Type for Node FormData (#6998)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Routine dependency updates across the monorepo driven by Dependabot.

  • In packages/linea-ens-app: upgrade min-document, node-forge, tar-fs, and vite
  • In packages/linea-ens-contracts: upgrade cipher-base, min-document, and axios
  • Patch js-yaml to 3.14.2

Written by Cursor Bugbot for commit eef3f84. This will update automatically on new commits. Configure here.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 9, 2026
@dependabot dependabot bot requested a review from a team as a code owner January 9, 2026 14:25
@cla-assistant
Copy link
Copy Markdown

cla-assistant bot commented Jan 9, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

1 similar comment
@cla-assistant
Copy link
Copy Markdown

cla-assistant bot commented Jan 9, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@socket-security
Copy link
Copy Markdown

socket-security bot commented Jan 9, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​axios@​1.8.4 ⏵ 1.12.098100 +1610096100

View full report

@dependabot
chore(deps): bump the npm_and_yarn group across 2 directories with 7 …
eef3f84 
…updates

Bumps the npm_and_yarn group with 4 updates in the /packages/linea-ens-app directory: [min-document](https://github.com/Raynos/min-document), [node-forge](https://github.com/digitalbazaar/forge), [tar-fs](https://github.com/mafintosh/tar-fs) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
Bumps the npm_and_yarn group with 3 updates in the /packages/linea-ens-contracts directory: [cipher-base](https://github.com/crypto-browserify/cipher-base), [min-document](https://github.com/Raynos/min-document) and [axios](https://github.com/axios/axios).


Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `min-document` from 2.19.0 to 2.19.2
- [Commits](Raynos/min-document@v2.19.0...v2.19.2)

Updates `node-forge` from 1.3.1 to 1.3.3
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.3)

Updates `tar-fs` from 2.1.3 to 2.1.4
- [Commits](mafintosh/tar-fs@v2.1.3...v2.1.4)

Updates `vite` from 5.4.19 to 5.4.21
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.21/packages/vite)

Updates `cipher-base` from 1.0.4 to 1.0.6
- [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md)
- [Commits](browserify/cipher-base@v1.0.4...v1.0.6)

Updates `min-document` from 2.19.0 to 2.19.2
- [Commits](Raynos/min-document@v2.19.0...v2.19.2)

Updates `axios` from 1.8.4 to 1.12.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.8.4...v1.12.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: min-document
  dependency-version: 2.19.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar-fs
  dependency-version: 2.1.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 5.4.21
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cipher-base
  dependency-version: 1.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: min-document
  dependency-version: 2.19.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.12.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-7b321ddc73 branch from 594712d to eef3f84 Compare January 28, 2026 10:38
@alainncls alainncls closed this Feb 18, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Feb 18, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-7b321ddc73 branch February 18, 2026 16:50
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alainncls