build(deps): bump the npm_and_yarn group across 2 directories with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 15 updates in the / directory:

Package	From	To
file-type	21.3.1	21.3.2
hono	4.12.7	4.12.18
undici	7.22.0	7.24.0
yaml	2.8.2	2.8.3
dompurify	3.3.3	3.4.0
vite	8.0.3	8.0.5
axios	1.13.5	1.16.1
basic-ftp	5.2.0	5.3.1
brace-expansion	5.0.4	5.0.6
defu	6.1.4	6.1.7
fast-uri	3.1.0	3.1.2
follow-redirects	1.15.11	1.16.0
ip-address	10.1.0	10.2.0
path-to-regexp	8.3.0	8.4.2
uuid	8.3.2	13.0.2

Bumps the npm_and_yarn group with 2 updates in the /ui directory: dompurify and vite.

Updates file-type from 21.3.1 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

• Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7
• Fix bound recursive BOM and ID3 detection 370ed91

---

sindresorhus/file-type@v21.3.1...v21.3.2

Commits

• e18028c 21.3.2
• a155cd7 Fix ZIP bomb in known-size ZIP probing
• 6954817 Harden parser more
• 370ed91 Fix bound recursive BOM and ID3 detection
• d2ecea1 Add a few more safeguards
• 41fcff5 Update readme
• a8f6934 Fix CI
• See full diff in compare view

Updates hono from 4.12.7 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

... (truncated)

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Updates undici from 7.22.0 to 7.24.0

Release notes

Sourced from undici's releases.

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

• CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0
• CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

What's Changed

... (truncated)

Commits

• 07a3906 Bumped v7.24.0 (#4887)
• 74495c6 fix: reject duplicate content-length and host headers
• 84235c6 Fix websocket 64-bit length overflow
• 77594f9 fix: validate upgrade header to prevent CRLF injection
• cb79c57 fix: validate server_max_window_bits range in permessage-deflate
• 4147ce2 Merge commit '2ee00cb3'
• 2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
• 5890c7b fix(deduplicate): stream response chunks to waiting handlers
• fbda3c1 Bumped v7.23.0 (#4884)
• 07276c9 fix: remove unused kSocketPath symbol
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• See full diff in compare view

Updates dompurify from 3.3.3 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• See full diff in compare view

Updates vite from 8.0.3 to 8.0.5

Release notes

Sourced from vite's releases.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.5 (2026-04-06)

Bug Fixes

• apply server.fs check to env transport (#22159) (f02d9fd)
• avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
• check server.fs after stripping query as well (#22160) (a9a3df2)
• disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

• allow esbuild 0.28 as peer deps (#22155) (b0da973)
• hmr: truncate list of files on hmr update (#21535) (d00e806)
• optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

• hasBothRollupOptionsAndRolldownOptions should return false for proxy case (#22043) (99897d2)
• add types for vite/modulepreload-polyfill (#22126) (17330d2)
• deps: update all non-major dependencies (#22073) (6daa10f)
• deps: update all non-major dependencies (#22143) (22b0166)
• resolve: resolve tsconfig paths starting with # (#22038) (3460fc5)
• ssr: use browser platform for webworker SSR builds (fix #21969) (#21963) (364c227)

Documentation

• add environment.fetchModule documentation (#22035) (54229e7)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#21989) (0ded627)

Code Refactoring

• upgrade to typescript 6 (#22110) (cc41398)

Commits

• 1a12d4c release: v8.0.5
• 79f002f fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• a9a3df2 fix: check server.fs after stripping query as well (#22160)
• f02d9fd fix: apply server.fs check to env transport (#22159)
• f05f501 fix: disallow referencing files outside the package from sourcemap (#22158)
• 7339bdc release: v8.0.4
• 54229e7 docs: add environment.fetchModule documentation (#22035)
• b0da973 feat: allow esbuild 0.28 as peer deps (#22155)
• 22b0166 fix(deps): update all non-major dependencies (#22143)
• 17330d2 fix: add types for vite/modulepreload-polyfill (#22126)
• Additional commits viewable in compare view

Updates @opentelemetry/exporter-prometheus from 0.214.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/exporter-prometheus's releases.

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
• refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

• feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
• feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
  • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
  • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
  • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

• fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
• fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
• fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
• fix(configuration): improve handling of enums in generated types #6659 @​trentm
• fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
• fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
• fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

• feat(sdk-node): wire attribute_keys from declarative configuration to ViewOptions.attributesProcessors #6427 @​ravitheja4531-cell
• feat(sdk-node): set TracerProvider in startNodeSDK() #6607 @​maryliag

🐛 Bug Fixes

• fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
• fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits

• 06ad0ea chore: prepare next release (#6703)
• 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
• 013c600 chore: prepare next release (#6699)
• b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
• 774143b chore(renovate): add minimumReleaseAge to config (#6697)
• e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
• f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
• 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
• 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
• 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
• Additional commits viewable in compare view

Updates axios from 1.13.5 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
• composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
• AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
• Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
• Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
• Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​hpinmetaverse (#10836)
• @​tommyhgunz14 (#7413)
• @​abhu85 (#10829)
• @​divyanshuraj1095 (#10853)
• @​sagodi97 (#10856)
• @​rkdfx (#10868)
• @​Liuwei1125 (#10866)

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)

... (truncated)

Commits

• 1337d6b chore(release): prepare release 1.16.1 (#10877)
• 858a790 fix: remove all caches (#10882)
• 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
• 847d89b fix: support URL object as config.url input (#10866)
• 4094886 fix(progress): guard malformed XHR upload events (#10868)
• 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
• 64e1095 chore: update PR and issue template to use h2 (#10865)
• 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
• c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
• caa00a9 fix: https data in cleartext to proxy (#10858)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates basic-ftp from 5.2.0 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

• Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

Changelog

Sourced from basic-ftp's changelog.

5.3.1

• Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

Commits

• 980371b Guard against unbounded control response
• 50827c7 Adjust changelog to match release notes
• c9378a8 Fix test
• 22abe43 Update Github Actions
• 0feaaec Fix test
• 6629d7d Improve error message
• 9c3bf4f Set higher default value for max size of directory listing
• acd3942 Bump version
• 1304429 Offer maxListingBytes as an option
• 5cb5367 Add bounded StringWriter
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates brace-expansion from 5.0.4 to 5.0.6

Commits

• 46317b5 5.0.6
• c0b095b Merge commit from fork
• ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
• 8793901 5.0.5
• 9a02af5 Merge commit from fork
• daa71bc Bump tar from 7.5.10 to 7.5.11 (

[llamapreview]

AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Request Changes

This PR aims to update 19 npm dependencies, but a critical security regression was introduced by downgrading undici from 7.24.6 to 7.24.0 in extensions/zalo/package.json, re-exposing the project to multiple high-severity CVEs.

Priority	File	Category	Impact Summary	Anchors
P1	extensions/zalo/package.json	Security	Downgrade reintroduces high-severity CVEs
P2	package.json	Security	Major uuid version jump may have breaking changes
P2	diagnostics-otel/package.json	Maintainability	0.x OTel bump may include breaking API changes

🔍 Notable Themes

• No cross-cutting patterns identified.

📈 Risk Diagram

This diagram illustrates the security risk introduced by downgrading undici to a version with known high-severity vulnerabilities.

sequenceDiagram
    participant Dev as Developer
    participant PR as PR #35;3
    participant Dep as undici@7.24.0
    participant Vuln as Vulnerabilities

    Dev->>PR: Bump undici to 7.24.0
    PR->>Dep: Downgrades to 7.24.0
    note over Dep: Reintroduces CVE-2026-1528,<br/>CVE-2026-2229, CVE-2026-1526
    Dep->>Vuln: Exposed to malicious WebSocket frames
    note over Vuln: R1(P1): Unbounded memory consumption<br/>or crash via permessage-deflate

Loading

⚠️ **Unanchored Suggestions (Manual Review Recommended)**

The following suggestions could not be precisely anchored to a specific line in the diff. This can happen if the code is outside the changed lines, has been significantly refactored, or if the suggestion is a general observation. Please review them carefully in the context of the full file.

---

📁 File: extensions/zalo/package.json

This change downgrades undici from 7.24.6 to 7.24.0. According to the release notes provided in the PR description, version 7.24.0 includes fixes for multiple high‑severity CVEs (e.g., CVE‑2026‑1528, CVE‑2026‑2229, CVE‑2026‑1526), and versions after 7.24.0 contain additional security patches. Downgrading to 7.24.0 reintroduces these vulnerabilities (e.g., unbounded memory consumption in WebSocket decompression, unhandled exceptions from invalid server_max_window_bits). This is a direct security regression. The change is not a bump but a downgrade, contradicting the PR’s stated purpose.

Suggestion:

"undici": "7.24.6"

Related Code:

"dependencies": {
-    "undici": "7.24.6"
+    "undici": "7.24.0"
   },

---

📁 File: package.json

Speculative: The PR description lists a major version bump for uuid from 8.3.2 to 13.0.2. No changed file in pr_details directly reflects this bump (it is likely a transitive dependency or only present in pnpm-lock.yaml). A jump from v8 to v13 indicates breaking changes (e.g., removed UUID methods, altered exports). Without evidence of how uuid is consumed in the codebase, the severity cannot be confirmed. This is a high‑visibility risk that warrants manual verification.

Related Code:

---

📁 File: diagnostics-otel/package.json

Speculative: The @opentelemetry/sdk-node dependency is bumped from ^0.214.0 to ^0.218.0. Because this is a 0.x semver range, even a minor bump may include breaking API changes. The related‑context search found no usage of this package in the project code, so the practical impact is unknown. However, any OTel init code (e.g., in the extension’s index) could silently break at runtime. The bump should be verified against the extension’s OTel configuration and the upstream changelog.

Related Code:

"@opentelemetry/sdk-node": "^0.214.0",
+    "@opentelemetry/sdk-node": "^0.218.0",

---

---

💡 Have feedback? We'd love to hear it in our GitHub Discussions.
✨ This review was generated by LlamaPReview Advanced, which is free for all open-source projects. Learn more.