Bump the npm_and_yarn group across 1 directory with 34 updates

[dependabot]

Bumps the npm_and_yarn group with 26 updates in the /js directory:

Package	From	To
axios	1.4.0	1.15.2
firebase	7.24.0	12.13.0
@babel/helpers	7.21.5	7.29.2
@babel/plugin-transform-modules-systemjs	7.20.11	7.29.4
js-yaml	3.14.1	3.14.2
ajv	6.12.6	6.15.0
ajv	8.12.0	8.20.0
body-parser	1.20.1	1.20.5
express	4.18.2	4.22.2
brace-expansion	1.1.11	1.1.14
brace-expansion	2.0.1	2.1.0
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
ejs	3.1.9	3.1.10
minimatch	3.1.2	3.1.5
minimatch	5.1.6	5.1.9
flatted	3.2.7	3.4.2
form-data	3.0.1	3.0.4
http-proxy-middleware	2.0.6	2.0.9
lodash	4.17.21	4.18.1
micromatch	4.0.5	4.0.8
nanoid	3.3.6	3.3.12
node-forge	1.3.1	1.4.0
on-headers	1.0.2	1.1.0
picomatch	2.3.1	2.3.2
yaml	1.10.2	1.10.3
yaml	2.2.2	2.9.0
rollup	2.79.1	2.80.0
webpack	5.83.1	5.106.2
ws	8.13.0	8.20.1
ws	7.5.9	7.5.10

Updates axios from 1.4.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates firebase from 7.24.0 to 12.13.0

Release notes

Sourced from firebase's releases.

firebase@12.13.0

For more detailed release notes, see Firebase JavaScript SDK Release Notes.

What's Changed

@​firebase/ai@​2.12.0

Minor Changes

• ffa39f6 #9795 - Added LiveSession.resumeSession() to allow resuming a previous LiveSession. Also added contextWindowCompression feature.

• 86dc0db #9819 - Added support for ImageConfig (aspect ratio and size). Expanded FinishReason values to include all currently available values provided by the models.

• 345c5f6 #9458 - AI Logic : Feature : Added support for Grounding with Google Maps.

Patch Changes

• 8e384c9 #9883 - Updated dependencies.

• Updated dependencies [8e384c9]:

• @​firebase/app-check-interop-types@​0.3.4

• @​firebase/component@​0.7.3

• @​firebase/logger@​0.5.1

• @​firebase/util@​1.15.1

@​firebase/data-connect@​0.7.0

Minor Changes

• 714b41d #9905 - Hardened the Firebase SQL Connect streaming transport with intelligent reconnection, query de-duplication, and resume optimizations.

Patch Changes

• 8e384c9 #9883 - Updated dependencies.

• Updated dependencies [8e384c9]:

• @​firebase/auth-interop-types@​0.2.5

• @​firebase/component@​0.7.3

• @​firebase/logger@​0.5.1

• @​firebase/util@​1.15.1

firebase@12.13.0

Minor Changes

• ffa39f6 #9795 - Added LiveSession.resumeSession() to allow resuming a previous LiveSession. Also added contextWindowCompression feature.

• 714b41d #9905 - Hardened the Firebase SQL Connect streaming transport with intelligent reconnection, query de-duplication, and resume optimizations.

... (truncated)

Commits

• 1adfd64 Version Packages (#9923)
• 50d5b6a Merge main into release
• 714b41d feat(data-connect): add de-duplication, resume, and intelligent reconnection ...
• f80895f Merge main into release
• 330a387 chore: migrate test functions to v2 (#9910)
• 3b87134 build(deps): bump axios from 1.13.5 to 1.15.2 (#9860)
• 402b1f0 fix(firestore): Assertion ID: ca9 (pendingResponses less than 0) caused by ta...
• 86dc0db feat(ai): ImageConfig and FinishReasons (#9819)
• 62ae2e2 chore: Update picomatch and rollup-plugin-typescript2 (#9892)
• 96e81ff feat(firestore): Added search stage support for languageCode, offset, limit, ...
• Additional commits viewable in compare view

Updates @babel/helpers from 7.21.5 to 7.29.2

Release notes

Sourced from @​babel/helpers's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature

• babel-types
  • #17750 [7.x backport] Add attributes import declaration builder (@​JLHwung)
• babel-standalone
  • #17663 [7.x backport] feat(standalone): export async transform (@​JLHwung)
  • #17725 [7.x backport] feat: read standalone targets from data-targets (@​JLHwung)

🐛 Bug Fix

• babel-parser
  • #17765 fix(parser): correctly parse type assertions in extends clause (@​nicolo-ribaudo)
  • #17723 [7.x backport] fix(parser): improve super type argument parsing (@​JLHwung)
• babel-traverse
  • #17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
• babel-plugin-transform-block-scoping, babel-traverse
  • #17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)

... (truncated)

Commits

• 37d5595 v7.29.2
• 1c0a08d [7.x backport] fix: Properly handle await in finally (#17805)
• d7f4008 v7.28.6
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• c1b55f6 Use eslint.config.mts (#17573)
• 35055e3 v7.28.4
• 18d88b8 Improve @​babel/core typings (#17471)
• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• cac0ff4 v7.28.2
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/helpers since your current version.

Updates @babel/plugin-transform-modules-systemjs from 7.20.11 to 7.29.4

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser
  • #17782 Improve trailing comma comment handling (@​JLHwung)

📝 Documentation

• #17847 Replace npmjs.com links with npmx.dev (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules
  • #17818 Load async Wasm and JSON imports in parallel (@​nicolo-ribaudo)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env

... (truncated)

Commits

• a458f66 v7.29.4
• 32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
• aa8394e v7.29.0
• 0053db6 Update polyfill packages (#17727)
• 61647ae v7.28.5
• a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
• eebd3a0 v7.27.1
• 317e332 Enforce node protocol import (#17207)
• fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
• cd24cc0 chore: Update TS 5.7 (#17053)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/plugin-transform-modules-systemjs since your current version.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates @grpc/grpc-js from 1.8.14 to 1.9.15

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.9.15

• Avoid buffering significantly more than grpc.max_receive_message_size per received message.

@​grpc/grpc-js 1.9.14

• Fix a bug that could rarely cause connection leaks (#2644)
• Fix a bug that could cause clients to go IDLE incorrectly some time after calling waitForReady (#2643)

@​grpc/grpc-js 1.9.13

• Fix a bug that could cause the Node process to close early when establishing a connection while a request is pending (#2626)

@​grpc/grpc-js 1.9.12

• Fix a bug that could cause connectivity state information to become stale in some circumstances (#2623)

@​grpc/grpc-js 1.9.11

• Fix a busy loop when recovering from a failure to establish a connection to a unix domain socket address target (#2618)
• Fix a bug that caused clients to stop trying to connect to a fixed IP address target after a working connection drops (#2619)

@​grpc/grpc-js 1.9.10

• Provide the correct port to the proxy when connecting to a target without an explicitly specified port (#2608 contributed by @​segevfiner)
• Properly handle goaway events with no additional data attached (#2611)

@​grpc/grpc-js 1.9.9

• Fix a busy loop when recovering from a failure to establish a connection to a fixed IP address target (#2609)

@​grpc/grpc-js 1.9.8

• Fix a memory leak caused by creating and closing multiple clients (#2606)

@​grpc/grpc-js 1.9.7

• Fix a bug that could cause a client to not update name resolution after multiple failed connection attempts (#2602)

@​grpc/grpc-js 1.9.6

• Include more information in most "No connection established" errors (#2598)
• Remove the index tracer, and add more information to other trace logs (#2599)

@​grpc/grpc-js 1.9.5

• Fix a type inconsistency in server-call.ts (#2589 contributed by @​rsnullptr)
• Close ports if the server is shut down while the bind operation is ongoing (#2590)

@​grpc/grpc-js 1.9.4

• Fix a bug that could cause a client to sometimes incorrectly hold the process open when no longer in use (#2586)

@​grpc/grpc-js 1.9.3

• Make a few improvements to DNS resolving timing (#2571)

Experimental changes:

• Added grpc.experimental.BackoffTimeout#getEndTime

@​grpc/grpc-js 1.9.2

• Handle error when sending keepalive pings (#2563)

... (truncated)

Commits

• 08b0422 Merge pull request from GHSA-7v5v-9h63-cj86
• c75e048 grpc-js: Bump to 1.9.15
• d5d62b4 grpc-js: Avoid buffering significantly more than max_receive_message_size per...
• 02d0344 Merge pull request #2741 from sergiitk/backport-1.9-psm-interop-common-prod-t...
• cf14020 Merge pull request #2729 from sergiitk/psm-interop-common-prod-tests
• da44229 Merge pull request #2738 from murgatroid99/backport-1.9-grpc-js_linkify-it_fix
• 5ae7c8c Merge pull request #2735 from murgatroid99/grpc-js_linkify-it_fix
• eed21ba Merge pull request #2714 from sergiitk/backport-1.9-psm-interop-pkg-dev
• 63763a4 Merge pull request #2712 from sergiitk/psm-interop-pkg-dev
• 5be83dd Merge pull request #2643 from murgatroid99/grpc-js_idle_timer_fix
• Additional commits viewable in compare view

Updates protobufjs from 6.11.3 to 7.5.8

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.5.8

7.5.8 (2026-05-12)

Bug Fixes

• Backport parser hardening to 7.x (#2245) (54b593f)

protobufjs: v7.5.7

7.5.7 (2026-05-09)

Bug Fixes

• Restore first-match namespace lookup (#2236) (cc7d595)

protobufjs: v7.5.6

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#2126)
• fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

protobufjs: v7.5.4

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

protobufjs: v7.5.3

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

protobufjs: v7.5.2

7.5.2 (2025-05-14)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

7.5.8 (2026-05-12)

Bug Fixes

• Backport parser hardening to 7.x (#2245) (54b593f)

7.5.7 (2026-05-09)

Bug Fixes

• Restore first-match namespace lookup (#2236) (cc7d595)

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

7.5.1 (2025-05-08)

Bug Fixes

• optimize regressions from editions implementations (#2066) (6406d4c)
• reserved field inside group blocks fail parsing (#2058) (56782bf)

... (truncated)

Commits

• d7035f9 chore: release protobufjs-v7.x (#2248)
• 54b593f fix: Backport parser hardening to 7.x (#2245)
• e88fcea chore: release protobufjs-v7.x (#2239)
• cc7d595 fix: Restore first-match namespace lookup (#2236)
• 3abc9b5 chore: release protobufjs-v7.x (#2190)
• a0bf2df fix: Update CLI peer dependency (7.x) (#2189)
• 2189e5b chore: release protobufjs-v7.x (#2174)
• 75392ea fix: Backport input hardening and CLI fixes to 7.x (#2173)
• 8af8d7c chore(ci): Fix 7.x release please configuration (#2169)
• e92ca42 chore(ci): Enable release-please for 7.x (#2166)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates ajv from 6.12.6 to 6.15.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates ajv from 8.12.0 to 8.20.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0

[jpcottin]

Superseded by #398, which regenerates js/package-lock.json to pick up the compatible transitive bumps from this PR (without crossing a top-level major-version boundary).

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml