Skip to content

Bump the npm_and_yarn group across 1 directory with 9 updates#949

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-c6919dba38
Open

Bump the npm_and_yarn group across 1 directory with 9 updates#949
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-c6919dba38

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package From To
@opentelemetry/core 2.7.0 2.9.0
http-proxy-middleware 4.0.0 4.1.1
js-yaml 4.1.1 4.3.0
form-data 4.0.5 4.0.6
form-data 2.5.5 2.5.6
undici 6.24.0 6.27.0
undici 7.24.1 7.28.0
flatted 3.3.3 3.4.2
markdown-it 14.1.0 removed
tmp 0.2.5 0.2.7

Updates @opentelemetry/core from 2.7.0 to 2.9.0

Release notes

Sourced from @​opentelemetry/core's releases.

v2.9.0

2.9.0

💥 Breaking Changes

  • docs(shim-opentracing): Notice: The @opentelemetry/shim-opentracing package will be removed in SDK 3.x, planned for approximately September 2026.
    • The OpenCensus and OpenTracing compatibility requirements in the OpenTelemetry specification have been deprecated.

🚀 Features

  • feat(sdk-metrics): add maxExportBatchSize option to PeriodicExportingMetricReader #6655 @​psx95
    • Optimized PeriodicExportingMetricReader.forceFlush to prevent redundant concurrent export cycles. Concurrent calls to forceFlush will now await any ongoing export and reuse a fresh export cycle if one is started concurrently by another caller. This ensures the latest metrics are always exported efficiently without triggering duplicate collection and export cycles.
  • feat(sdk-trace): implement span processor metrics #6504 @​anuraaga
  • feat(sdk-trace): add a new "sdk-trace" package to hold the Trace SDK, without environment variable configuration handling that belongs elsewhere #6775 @​trentm
    • "sdk-trace" will eventually replace all of "sdk-trace-base", "sdk-trace-node", and "sdk-trace-web".
    • The BatchSpanProcessor constructor call signature has changed in "sdk-trace". For example, before new BatchSpanProcessor(exporter, { maxQueueSize: 1000 }), after new BatchSpanProcessor({ exporter, maxQueueSize: 1000 }). #6817
    • The SimpleSpanProcessor constructor call signature has changed in "sdk-trace". For example, before new SimpleSpanProcessor(exporter), after new SimpleSpanProcessor({ exporter, selfObsMeterProvider: ... }). #6504
  • feat(sdk-trace): add AlwaysRecordSampler #6188 @​majanjua-amzn

🐛 Bug Fixes

  • fix(propagator-jaeger): do not throw on malformed percent-encoded uber-trace-id / uberctx-* headers during extract @​pichlermarc

🏠 Internal

  • perf(sdk-metrics): defer allocation of HrTime to accumulation creation #6839 @​legendecas
  • chore(*): migrate use of sdk-trace-base and sdk-trace-node to sdk-trace #6851 @​trentm
  • perf(sdk-metrics): optionally capture active context for sync instruments #6848 @​legendecas

v2.8.0

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

v2.7.1

2.7.1

🐛 Bug Fixes

  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna

... (truncated)

Changelog

Sourced from @​opentelemetry/core's changelog.

2.9.0

💥 Breaking Changes

  • docs(shim-opentracing): Notice: The @opentelemetry/shim-opentracing package will be removed in SDK 3.x, planned for approximately September 2026.
    • The OpenCensus and OpenTracing compatibility requirements in the OpenTelemetry specification have been deprecated.

🚀 Features

  • feat(sdk-metrics): add maxExportBatchSize option to PeriodicExportingMetricReader #6655 @​psx95
    • Optimized PeriodicExportingMetricReader.forceFlush to prevent redundant concurrent export cycles. Concurrent calls to forceFlush will now await any ongoing export and reuse a fresh export cycle if one is started concurrently by another caller. This ensures the latest metrics are always exported efficiently without triggering duplicate collection and export cycles.
  • feat(sdk-trace): implement span processor metrics #6504 @​anuraaga
  • feat(sdk-trace): add a new "sdk-trace" package to hold the Trace SDK, without environment variable configuration handling that belongs elsewhere #6775 @​trentm
    • "sdk-trace" will eventually replace all of "sdk-trace-base", "sdk-trace-node", and "sdk-trace-web".
    • The BatchSpanProcessor constructor call signature has changed in "sdk-trace". For example, before new BatchSpanProcessor(exporter, { maxQueueSize: 1000 }), after new BatchSpanProcessor({ exporter, maxQueueSize: 1000 }). #6817
    • The SimpleSpanProcessor constructor call signature has changed in "sdk-trace". For example, before new SimpleSpanProcessor(exporter), after new SimpleSpanProcessor({ exporter, selfObsMeterProvider: ... }). #6504
  • feat(sdk-trace): add AlwaysRecordSampler #6188 @​majanjua-amzn

🐛 Bug Fixes

  • fix(propagator-jaeger): do not throw on malformed percent-encoded uber-trace-id / uberctx-* headers during extract @​pichlermarc

🏠 Internal

  • perf(sdk-metrics): defer allocation of HrTime to accumulation creation #6839 @​legendecas
  • chore(*): migrate use of sdk-trace-base and sdk-trace-node to sdk-trace #6851 @​trentm
  • perf(sdk-metrics): optionally capture active context for sync instruments #6848 @​legendecas

2.8.0

🚀 Features

  • feat(sdk-trace-base): pretty-print SpanImpl, Tracer, and BasicTracerProvider via util.inspect so they render through diag and console.log #6690 @​mcollina
  • feat(sdk-metrics): implement metric reader self-observability metrics #6449 @​anuraaga
  • feat(core): add hrTimeToSeconds #6449 @​anuraaga

🐛 Bug Fixes

  • fix(core): limit processing of incoming "baggage" header to 8192 bytes @​pichlermarc

2.7.1

🐛 Bug Fixes

  • fix(core, api): defer trace state validation. Deprecate trace state implementation in api #6459 @​david-luna
    • important: this bug fix may be breaking for certain uses of TraceState
      • set now returns the same TraceState instance if key/value are invalid or makes the while trace state invalid.
      • unset now returns the same TraceState instance if key is not present.
      • best-effort parsing of invalid TraceStates has changed: when multiple keys with the same name are present, the most recent one will win.

... (truncated)

Commits
  • 40d67b7 chore: prepare next release (#6869)
  • b1c196d Merge commit from fork
  • d375c08 fix(instrumentation,instrumentation-http): fix codecov under-reporting (#6867)
  • d61ab5f perf(sdk-metrics): optionally capture active context for sync instruments (#6...
  • 9e6475e fix(core): guard timeInputToHrTime against clock-skew misclassification (#677...
  • c989308 feat(sdk-node): wire up tracer_provider.sampler from declarative config (#6847)
  • dddbc0e feat(sdk-trace): add AlwaysRecordSampler (#6168)
  • 991434c chore(deps): update dependency @​bufbuild/buf to v1.71.0 (#6863)
  • 69303d0 chore(deps): update all patch versions (#6862)
  • 6690b03 chore(sdk-node)!: Drop support for deprecated OpenCensusMetricProducer from d...
  • Additional commits viewable in compare view

Updates http-proxy-middleware from 4.0.0 to 4.1.1

Release notes

Sourced from http-proxy-middleware's releases.

v4.1.1

What's Changed

Full Changelog: chimurai/http-proxy-middleware@v4.1.0...v4.1.1

v4.1.0

What's Changed

New Contributors

Full Changelog: chimurai/http-proxy-middleware@v4.0.0...v4.1.0

v4.1.0-beta.2

What's Changed

... (truncated)

Changelog

Sourced from http-proxy-middleware's changelog.

v4.1.1

  • fix(fixRequestBody): harden form-data stringification

v4.1.0

  • feat(definePlugin): helper function to create plugins
  • chore(package.json): update to httpxy@0.5.3
  • fix(ipv6): preserve credentials when normalizing bracketed IPv6 target string
  • fix(ipv6): unspecified IPv6 target hostname (::)
  • fix(response-interceptor): reduce responseInterceptor buffer churn
  • fix(ws): handle multi-server upgrade subscription and safe proxy shutdown
  • feat(router): add 'res' and 'options' to router function
  • feat(pathRewrite): add 'res' and 'options' to custom pathRewrite function
  • fix(responseInterceptor): prevent trailer/content-length conflict
  • feat(zstd): support zstd compression in responseInterceptor and fixRequestBody
  • fix(responseInterceptor): handle bodyless responses (HEAD/1xx/204/304) with content-encoding
  • fix(router): harden proxy-table matching
Commits
  • b3b98d2 chore(package.json): v4.1.1 (#1262)
  • a1ac315 fix(fixRequestBody): harden form-data stringification (#1260)
  • 013dd9b chore(package.json): v4.1.0 (#1257)
  • 1f15982 fix(router): harden proxy-table matching (#1255)
  • 6e52f72 chore(package.json): bump dev deps (#1253)
  • f26184a chore(package.json): v4.1.0-beta.2 (#1252)
  • c65741c fix(responseInterceptor): handle bodyless responses (HEAD/1xx/204/304) with c...
  • fec8e1d feat(zstd): support zstd compression in responseInterceptor and fixRequestBod...
  • 6c41eae fix(responseInterceptor): prevent trailer/content-length conflict (#1249)
  • 5a78782 docs: fix documentation drift (#1248)
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.1 to 4.3.0

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view

Updates protobufjs from 7.6.0 to 7.6.5

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.6.5

7.6.5 (2026-07-04)

Bug Fixes

protobufjs: v7.6.4

7.6.4 (2026-06-12)

Bug Fixes

protobufjs: v7.6.3

7.6.3 (2026-06-09)

Bug Fixes

  • Avoid name collisions in generated code (#2311) (78a9576)
  • Preserve null conversion behavior for fieldless messages (#2312) (df91652)

protobufjs: v7.6.2

7.6.2 (2026-05-30)

Bug Fixes

  • Backport consistency and correctness fixes (#2294) (a92f72e)

protobufjs: v7.6.1

7.6.1 (2026-05-22)

Bug Fixes

Changelog

Sourced from protobufjs's changelog.

7.6.5 (2026-07-04)

Bug Fixes

7.6.4 (2026-06-12)

Bug Fixes

7.6.3 (2026-06-09)

Bug Fixes

  • Avoid name collisions in generated code (#2311) (78a9576)
  • Preserve null conversion behavior for fieldless messages (#2312) (df91652)

7.6.2 (2026-05-30)

Bug Fixes

  • Backport consistency and correctness fixes (#2294) (a92f72e)

7.6.1 (2026-05-22)

Bug Fixes

Commits

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65
Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Updates form-data from 2.5.5 to 2.5.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65
Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Updates undici from 6.24.0 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates undici from 7.24.1 to 7.28.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates flatted from 3.3.3 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Removes markdown-it

Updates tmp from 0.2.5 to 0.2.7

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@opentelemetry/core](https://github.com/open-telemetry/opentelemetry-js) | `2.7.0` | `2.9.0` |
| [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) | `4.0.0` | `4.1.1` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.1` | `4.3.0` |
| [form-data](https://github.com/form-data/form-data) | `4.0.5` | `4.0.6` |
| [form-data](https://github.com/form-data/form-data) | `2.5.5` | `2.5.6` |
| [undici](https://github.com/nodejs/undici) | `6.24.0` | `6.27.0` |
| [undici](https://github.com/nodejs/undici) | `7.24.1` | `7.28.0` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `removed` |
| [tmp](https://github.com/raszi/node-tmp) | `0.2.5` | `0.2.7` |



Updates `@opentelemetry/core` from 2.7.0 to 2.9.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@v2.7.0...v2.9.0)

Updates `http-proxy-middleware` from 4.0.0 to 4.1.1
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/master/CHANGELOG.md)
- [Commits](chimurai/http-proxy-middleware@v4.0.0...v4.1.1)

Updates `js-yaml` from 4.1.1 to 4.3.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

Updates `protobufjs` from 7.6.0 to 7.6.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.5/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.6.0...protobufjs-v7.6.5)

Updates `form-data` from 4.0.5 to 4.0.6
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

Updates `form-data` from 2.5.5 to 2.5.6
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

Updates `undici` from 6.24.0 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.0...v6.27.0)

Updates `undici` from 7.24.1 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.0...v6.27.0)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Removes `markdown-it`

Updates `tmp` from 0.2.5 to 0.2.7
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.2.5...v0.2.7)

---
updated-dependencies:
- dependency-name: "@opentelemetry/core"
  dependency-version: 2.9.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: http-proxy-middleware
  dependency-version: 4.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.6.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 2.5.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: markdown-it
  dependency-version:
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tmp
  dependency-version: 0.2.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants