chore(deps): bump the npm_and_yarn group across 5 directories with 6 updates by dependabot[bot] · Pull Request #2500 · Web3Auth/web3auth-web

dependabot · 2026-05-25T14:57:01Z

Bumps the npm_and_yarn group with 1 update in the /demo/nextjs-ssr-app directory: next.
Bumps the npm_and_yarn group with 3 updates in the /demo/react-app-no-modal directory: @babel/plugin-transform-modules-systemjs, fast-uri and qs.
Bumps the npm_and_yarn group with 1 update in the /demo/vue-app-new directory: ws.
Bumps the npm_and_yarn group with 3 updates in the /demo/wagmi-react-app directory: picomatch, ws and fast-uri.
Bumps the npm_and_yarn group with 2 updates in the /demo/x402-test-server directory: fast-uri and qs.

Updates next from 16.2.3 to 16.2.6

Release notes

Sourced from next's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces

GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input

GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API

GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting

GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

fix: preserve HTTP access fallbacks during prerender recovery (#92231)

Fix fallback route params case in app-page handler (#91737)

Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)

Patch setHeader for direct route handlers (#93101)

Include deployment id in cacheHandlers keys (#93453)

Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

GHSA-8h8q-6873-q5fj: Denial of Service with Server Components

GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes

GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components

GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection

GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades

... (truncated)

Commits

ee6e79b v16.2.6
afa053d Turbopack: Match proxy matchers with webpack implementation (#93594)
97a154e Turbopack: Fix middleware matcher suffix (#93590)
83899bc [backport] Disable build caches for production/staging/force-preview deploys ...
7b222b9 [backport][test] Pin package manager to patch versions (#93595)
a8dc24f [backport] Turbopack: more strict vergen setup (#93587)
766148f v16.2.5
0dd9483 fix: add explicit checks for RSC header (#83) (#98)
d166096 fix proxy matching for segment prefetch URLs (#89) (#96)
9d50c0b Strip next-resume header from incoming requests (#92)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for next since your current version.

Updates @babel/plugin-transform-modules-systemjs from 7.25.9 to 7.29.7

Release notes

Sourced from @babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

babel-generator

#18014 Catchup source map position in preserveFormat (@nicolo-ribaudo)

babel-core

#18001 [7.x packport]Improve input source map handling (@JLHwung)

babel-core, babel-generator

#17998 Preserve original identifier names from input sourcemaps (#17992) (@Andarist)

Committers: 3

Huáng Jùnliàng (@JLHwung)

Mateusz Burzyński (@Andarist)

Nicolò Ribaudo (@nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

babel-preset-env

Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

babel-plugin-transform-modules-systemjs

#17974 [7.x backport]fix(systemjs): improve module string name support (@JLHwung)

Committers: 1

Huáng Jùnliàng (@JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

babel-parser

#17923 Support flow extends bound (@JLHwung)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#17931 fix(decorators): replace super within all removed static elements (@JLHwung)

babel-register

#17915 Fix thread synchronization issues in @babel/register (@liuxingbaoyu)

babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

#17788 Add bugfix plugin for Safari array rest destructuring bug (@JLHwung)

💅 Polish

babel-parser

... (truncated)

Commits

4fba754 v7.29.7
a458f66 v7.29.4
32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
aa8394e v7.29.0
0053db6 Update polyfill packages (#17727)
61647ae v7.28.5
a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
eebd3a0 v7.27.1
317e332 Enforce node protocol import (#17207)
fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @babel/plugin-transform-modules-systemjs since your current version.

Updates fast-uri from 3.0.6 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

ci: remove master branch support by @Fdawgs in fastify/fast-uri#126

chore(test) remove .gitkeep by @Fdawgs in fastify/fast-uri#128

ci(ci): set job permissions by @Fdawgs in fastify/fast-uri#129

ci: set permissions at workflow level by @Fdawgs in fastify/fast-uri#131

ci: set workflow permissions to read-only by default by @Fdawgs in fastify/fast-uri#132

ci(ci): restore job level permissions by @Fdawgs in fastify/fast-uri#133

build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot[bot] in fastify/fast-uri#134

ci(ci): pin actions to commit-hash by @Fdawgs in fastify/fast-uri#135

ci: add node 24 to test matrix by @Fdawgs in fastify/fast-uri#136

... (truncated)

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder

[Fix] stringify: use configured delimiter after charsetSentinel (#555)

[Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)

[Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)

[Fix] parse: handle nested bracket groups and add regression tests (#530)

[readme] fix grammar (#550)

[Dev Deps] update @ljharb/eslint-config

[Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters

[Deps] update @ljharb/eslint-config

[Dev Deps] update @ljharb/eslint-config, iconv-lite

[Tests] increase coverage

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

9aca407 v6.15.2
5e33d33 [Dev Deps] update @ljharb/eslint-config
21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
96755ab [readme] fix grammar
a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
3f5e1c5 v6.15.1
Additional commits viewable in compare view

Updates fast-uri from 3.0.6 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

ci: remove master branch support by @Fdawgs in fastify/fast-uri#126

chore(test) remove .gitkeep by @Fdawgs in fastify/fast-uri#128

ci(ci): set job permissions by @Fdawgs in fastify/fast-uri#129

ci: set permissions at workflow level by @Fdawgs in fastify/fast-uri#131

ci: set workflow permissions to read-only by default by @Fdawgs in fastify/fast-uri#132

ci(ci): restore job level permissions by @Fdawgs in fastify/fast-uri#133

build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot[bot] in fastify/fast-uri#134

ci(ci): pin actions to commit-hash by @Fdawgs in fastify/fast-uri#135

ci: add node 24 to test matrix by @Fdawgs in fastify/fast-uri#136

... (truncated)

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates fast-uri from 3.0.6 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

ci: remove master branch support by @Fdawgs in fastify/fast-uri#126

chore(test) remove .gitkeep by @Fdawgs in fastify/fast-uri#128

ci(ci): set job permissions by @Fdawgs in fastify/fast-uri#129

ci: set permissions at workflow level by @Fdawgs in fastify/fast-uri#131

ci: set workflow permissions to read-only by default by @Fdawgs in fastify/fast-uri#132

ci(ci): restore job level permissions by @Fdawgs in fastify/fast-uri#133

build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot[bot] in fastify/fast-uri#134

ci(ci): pin actions to commit-hash by @Fdawgs in fastify/fast-uri#135

ci: add node 24 to test matrix by @Fdawgs in fastify/fast-uri#136

... (truncated)

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates fast-uri from 3.0.6 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

Fix for GHSA-v39h-62p7-jpjc

What's Changed

Handle malformed fragment decoding as a parse error by @mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

Fix for GHSA-q3j6-qgpj-74h6

What's Changed

build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in fastify/fast-uri#148

build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in fastify/fast-uri#149

chore(.npmrc): ignore scripts by @Fdawgs in fastify/fast-uri#150

build(deps-dev): remove @fastify/pre-commit by @Fdawgs in fastify/fast-uri#151

build(deps): bump actions/setup-node from 4 to 5 by @dependabot[bot] in fastify/fast-uri#152

ci(ci): add concurrency config by @Fdawgs in fastify/fast-uri#153

build(deps): bump actions/setup-node from 5 to 6 by @dependabot[bot] in fastify/fast-uri#154

build(deps): bump actions/checkout from 5 to 6 by @dependabot[bot] in fastify/fast-uri#156

chore(license): standardise license notice by @Fdawgs in fastify/fast-uri#159

style: remove trailing whitespace by @Fdawgs in fastify/fast-uri#161

ci: remove unused github files by @Tony133 in fastify/fast-uri#162

chore: update readme by @Tony133 in fastify/fast-uri#164

build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#165

build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @dependabot[bot] in fastify/fast-uri#166

build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @dependabot[bot] in fastify/fast-uri#167

ci: add lock-threads workflow by @Fdawgs in fastify/fast-uri#169

New Contributors

@Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

ci: remove master branch support by @Fdawgs in fastify/fast-uri#126

chore(test) remove .gitkeep by @Fdawgs in fastify/fast-uri#128

ci(ci): set job permissions by @Fdawgs in fastify/fast-uri#129

ci: set permissions at workflow level by @Fdawgs in fastify/fast-uri#131

ci: set workflow permissions to read-only by default by @Fdawgs in fastify/fast-uri#132

ci(ci): restore job level permissions by @Fdawgs in fastify/fast-uri#133

build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot[bot] in fastify/fast-uri#134

ci(ci): pin actions to commit-hash by @Fdawgs in fastify/fast-uri#135

ci: add node 24 to test matrix by @Fdawgs in fastify/fast-uri#136

... (truncated)

Commits

919dd8e Bumped v3.1.2
c65ba57 fixup: linting
6c86c17 Merge commit from fork
a95158a Handle malformed fragment decoding without throwing (#171)
cea547c Bumped v3.1.1
876ce79 Merge commit from fork
dcdf690 ci: add lock-threads workflow (#169)
c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
Additional commits viewable in compare view

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder

[Fix] stringify: use configured delimiter after charsetSentinel (#555)

[Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)

[Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)

[Fix] parse: handle nested bracket groups and add regression tests (#530)

[readme] fix grammar (#550)

[Dev Deps] update @ljharb/eslint-config

[Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters

[Deps] update @ljharb/eslint-config

[Dev Deps] update @ljharb/eslint-config, iconv-lite

[Tests] increase coverage

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

9aca407 v6.15.2
5e33d33 [Dev Deps] update @ljharb/eslint-config
21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
96755ab [readme] fix grammar
a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
3f5e1c5 v6.15.1
Additional commits viewable in compare view

Updates ws from 8.18.3 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});
The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

Added the closeTimeout option (#2308).

Bug fixes

Handled a forthcoming breaking change in Node.js core (19984854).

Commits

5d9b316 [dist] 8.20.1
c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
ce2a3d6 [ci] Test on node 26
58e45b8 [ci] Do not test on node 25
5f26c24 [ci] Run the lint step on node 24
8439255 [dist] 8.20.0
d3503c1 [minor] Export the PerMessageDeflate class and header utils
3ee5349 [api] Convert the isServer and maxPayload parameters to options
91707b4 [doc] Add missing space
8b55319 [pkg] Update eslint to version 10.0.1
Additional commits viewable in compare view

Updates ws from 8.18.3 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, rea...
Description has been truncated

vercel · 2026-05-25T14:57:04Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Ready	Preview, Comment	Jun 2, 2026 3:54pm

dependabot · 2026-06-02T10:12:03Z

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

…updates Bumps the npm_and_yarn group with 1 update in the /demo/nextjs-ssr-app directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 3 updates in the /demo/react-app-no-modal directory: [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs), [fast-uri](https://github.com/fastify/fast-uri) and [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 1 update in the /demo/vue-app-new directory: [ws](https://github.com/websockets/ws). Bumps the npm_and_yarn group with 3 updates in the /demo/wagmi-react-app directory: [picomatch](https://github.com/micromatch/picomatch), [ws](https://github.com/websockets/ws) and [fast-uri](https://github.com/fastify/fast-uri). Bumps the npm_and_yarn group with 2 updates in the /demo/x402-test-server directory: [fast-uri](https://github.com/fastify/fast-uri) and [qs](https://github.com/ljharb/qs). Updates `next` from 16.2.3 to 16.2.6 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v16.2.3...v16.2.6) Updates `@babel/plugin-transform-modules-systemjs` from 7.25.9 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs) Updates `fast-uri` from 3.0.6 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `fast-uri` from 3.0.6 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `fast-uri` from 3.0.6 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `fast-uri` from 3.0.6 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `ws` from 8.20.0 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `ws` from 8.18.3 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.18.3...8.20.1) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.0.6...v3.1.2) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) --- updated-dependencies: - dependency-name: "@babel/plugin-transform-modules-systemjs" dependency-version: 7.29.7 dependency-type: indirect - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect - dependency-name: next dependency-version: 16.2.6 dependency-type: direct:production - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect - dependency-name: ws dependency-version: 8.20.1 dependency-type: indirect - dependency-name: ws dependency-version: 8.20.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies Pull requests that update a dependency file label May 25, 2026

dependabot Bot requested a review from a team as a code owner May 25, 2026 14:57

dependabot Bot added javascript Pull requests that update javascript code dependencies Pull requests that update a dependency file labels May 25, 2026

This was referenced May 25, 2026

build(deps): bump the npm_and_yarn group across 5 directories with 6 updates #2496

Closed

build(deps): bump the npm_and_yarn group across 5 directories with 5 updates #2498

Closed

vercel Bot deployed to Preview May 25, 2026 14:58 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/demo/nextjs-ssr-app/npm_and_yarn-24de45029e branch from 9f561ef to 3dfe041 Compare May 26, 2026 01:35

vercel Bot deployed to Preview May 26, 2026 01:37 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/demo/nextjs-ssr-app/npm_and_yarn-24de45029e branch from 3dfe041 to bfd47dd Compare May 28, 2026 07:09

vercel Bot deployed to Preview May 28, 2026 07:10 View deployment

dependabot Bot changed the title ~~build(deps): bump the npm_and_yarn group across 5 directories with 6 updates~~ chore(deps): bump the npm_and_yarn group across 5 directories with 6 updates Jun 2, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/demo/nextjs-ssr-app/npm_and_yarn-24de45029e branch from bfd47dd to 14c463f Compare June 2, 2026 07:50

vercel Bot deployed to Preview June 2, 2026 07:51 View deployment

dependabot Bot force-pushed the dependabot/npm_and_yarn/demo/nextjs-ssr-app/npm_and_yarn-24de45029e branch from 14c463f to 9e6000f Compare June 2, 2026 15:53

vercel Bot deployed to Preview June 2, 2026 15:54 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 5 directories with 6 updates#2500

chore(deps): bump the npm_and_yarn group across 5 directories with 6 updates#2500
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/demo/nextjs-ssr-app/npm_and_yarn-24de45029e

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading

Uh oh!

vercel Bot commented May 25, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Jun 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v16.2.6

Security Fixes

Core Changes

v16.2.5

Security Fixes

v7.29.7 (2026-05-25)

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

v7.29.4 (2026-05-05)

🐛 Bug Fix

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v3.1.0

What's Changed

6.15.2

6.15.1

6.15.0

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v3.1.0

What's Changed

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v3.1.0

What's Changed

v3.1.2

⚠️ Security Release

What's Changed

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

v3.1.0

What's Changed

6.15.2

6.15.1

6.15.0

8.20.1

Bug fixes

8.20.0

Features

8.19.0

Features

Bug fixes

8.20.1

Bug fixes

Uh oh!

vercel Bot commented May 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dependabot Bot commented on behalf of github Jun 2, 2026

Uh oh!

Reviewers

Assignees

dependabot Bot commented on behalf of github May 25, 2026 •

edited

Loading

vercel Bot commented May 25, 2026 •

edited

Loading