chore(deps): bump the npm_and_yarn group across 1 directory with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
express-rate-limit	8.2.1	8.2.2
uuid	13.0.0	14.0.0
minimatch	3.1.2	3.1.5
flatted	3.3.3	3.4.2
handlebars	4.7.8	4.7.9
jws	3.2.2	3.2.3
path-to-regexp	8.3.0	8.4.2
picomatch	2.3.1	2.3.2
qs	6.14.0	6.15.1
undici	7.16.0	7.25.0

Updates express-rate-limit from 8.2.1 to 8.2.2

Commits

• a009ad6 8.2.2
• 72cd30e chore: update dependencies
• 1ddb1cc fix: handle ipv4 mapped to ipv6 (GHSA-46wh-pxpv-q5gq)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by gamemaker1, a new releaser for express-rate-limit since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (8.2.1) was attested. Review the package versions before updating.

Updates uuid from 13.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@20+) (#935)
• drop node@18 support (#934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

Commits

• 7c1ea08 chore(main): release 14.0.0 (#926)
• 3d2c5b0 Merge commit from fork
• f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
• 529ef08 chore: upgrade TypeScript and fixup types (#927)
• 086fd79 chore: update dependencies (#933)
• dc4ddb8 feat!: drop node@18 support (#934)
• 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
• e2879e6 chore: use maintained version of npm-run-all (#930)
• ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
• 0423d49 docs: remove obsolete v1 option notes (#915)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

• Code reorganization, thanks @​fearphage! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)

Commits

• 4f6e73f Merge commit from fork
• bd0fea5 version 3.2.3
• 7c3b4b4 Enhance tests for HMAC streaming sign and verify
• a9b8ed9 Improve secretOrKey initialization in VerifyStream
• 6707fde Improve secret handling in SignStream
• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates path-to-regexp from 8.3.0 to 8.4.2

Release notes

Sourced from path-to-regexp's releases.

v8.4.2

Fixed

• Error on trailing backslash (#434) 9a78879

Performance

• Minimize array allocations (#437) 937c02d
• Improve compile performance (#436) 57247e6
  • Should improve compilation performance by ~25%
• Remove internal tokenization during parse (#435) 5844988
  • Should improve parse performance by ~20%

Bundle size to 1.93 kB, from 1.97 kB.

---

pillarjs/path-to-regexp@v8.4.1...v8.4.2

v8.4.1

Fixed

• Remove trie deduplication (#431) 6bc8e84
  • Using a trie required non-greedy matching, which regressed wildcards in non-ending mode by matching them up until the first match. For example:
    • /*foo with /a/b = /a
    • /*foo.htmlwith /a/b.html/c.html = /a/b.html
• Allow backtrack handling to match itself (#427) 5bcd30b
  • When backtracking was introduced, it rejected matching things like /:"a"_:"b" against /foo__. This makes intuitive sense because the second parameter is not going to backtrack on _ anymore, but it's somewhat unexpected since there's no reason it shouldn't match the second _.

---

pillarjs/path-to-regexp@v8.4.0...v8.4.1

v8.4.0

Important

• Fix CVE-2026-4926 (GHSA-j3q9-mxjg-w52f)
• Fix CVE-2026-4923 (GHSA-27v5-c462-wpq7)

Fixed

• Restricts wildcard backtracking when using more than 1 in a path (pillarjs/path-to-regexp#421)

Changed

• Dedupes regex prefixes (pillarjs/path-to-regexp#422)
  • This will result in shorter regular expressions for some cases using optional groups
• Rejects large optional route combinations (pillarjs/path-to-regexp#424)
  • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes

Commits

• cbf3025 8.4.2
• 937c02d Minimize array allocations (#437)
• 57247e6 Improve compile performance (#436)
• 5844988 Remove internal tokenization during parse (#435)
• 9a78879 Error on trailing backslash (#434)
• 7f05876 8.4.1
• 6bc8e84 Remove trie deduplication (#431)
• 5bcd30b Allow backtrack handling to match itself (#427)
• 9f9c6c5 Add parsing to benchmarks (#418)
• 9fd31e0 Add trailing: false tests (#428)
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates qs from 6.14.0 to 6.15.1

Changelog

Sourced from qs's changelog.

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

• 3f5e1c5 v6.15.1
• c85b67f [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true s...
• 4dfa0f0 [Deps] update @ljharb/eslint-config
• dbb05d7 [Dev Deps] update @ljharb/eslint-config, iconv-lite
• b0cfe7c [Tests] increase coverage
• d9b4c66 v6.15.0
• cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
• 88e1563 [Fix] duplicates option should not apply to bracket notation keys
• 9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
• 85cc8ca v6.12.5
• Additional commits viewable in compare view

Updates undici from 7.16.0 to 7.25.0

Release notes

Sourced from undici's releases.

v7.25.0

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in nodejs/undici#5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in nodejs/undici#4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in nodejs/undici#4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in nodejs/undici#4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in nodejs/undici#4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in nodejs/undici#4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in nodejs/undici#4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in nodejs/undici#4938
• ignore AGENTS.md by @​mcollina in nodejs/undici#4942

New Contributors

• @​samuel871211 made their first contribution in nodejs/undici#4924
• @​mistval made their first contribution in nodejs/undici#4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in nodejs/undici#4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in nodejs/undici#4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in nodejs/undici#4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in nodejs/undici#4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in nodejs/undici#4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in nodejs/undici#4834
• docs: clarify fetch and FormData pairing by @​mcollina in nodejs/undici#4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in nodejs/undici#4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in nodejs/undici#4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in nodejs/undici#4926
• test: auto-init WPT submodule by @​mcollina in nodejs/undici#4930

New Contributors

• @​rozzilla made their first contribution in nodejs/undici#4909
• @​veeceey made their first contribution in nodejs/undici#4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

... (truncated)

Commits

• 12d9045 Bumped v7.25.0 (#5025)
• 7a6f7fe Bumped v7.24.8 (#5020)
• 1f85ae4 fix: avoid 401 failures for stream-backed request bodies (#4941) (#5006)
• c661067 chore: update v7.x maintenance release flow
• 84f23e2 Bumped v7.24.7 (#4947)
• a770b10 ignore AGENTS.md (#4942)
• 6acd19b fix: correctly handle multi-value rawHeaders in fetch (#4938)
• 1da1c74 test: skip IPv6 tests when IPv6 is not available (#4939)
• 04cb773 fix(types): Fix clone method type declaration to be an instance method rather...
• 5145a7c fix(types): align Response with DOM fetch types (#4867)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.