Bump the npm_and_yarn group across 1 directory with 32 updates

[dependabot]

Bumps the npm_and_yarn group with 19 updates in the / directory:

Package	From	To
hoek	5.0.3	6.1.3
npm	4.6.1	11.9.0
angular	1.6.8	1.8.3
angular-sanitize	1.6.8	1.8.3
kind-of	6.0.2	6.0.3
async	2.6.0	2.6.4
bl	1.2.1	1.2.3
browserify-sign	4.0.4	4.2.5
cached-path-relative	1.0.1	1.1.0
cipher-base	1.0.4	1.0.7
decode-uri-component	0.2.0	0.2.2
flatnest	1.0.0	1.0.1
minimatch	3.0.4	3.1.2
json-schema	0.2.3	0.4.0
json5	0.5.1	2.2.3
lodash.merge	4.6.0	4.6.2
node-notifier	5.2.1	10.0.1
stringstream	0.0.5	0.0.6
secp256k1	3.5.0	3.8.1

Updates hoek from 5.0.3 to 6.1.3

Commits

• 47d6306 6.1.3
• eef9740 cleanup
• fc934af Cleanup
• f2eb7fd Clone without prototype. Closes #290
• 5bfe5b6 6.1.2
• 17fe9a1 Revert all symbol handlings to false by default. Closes #283
• 542939b 6.1.1
• 947a326 Ignore symbols in deepEqual() by default. Closes #281
• 27ac630 6.1.0
• b3b5134 Merge pull request #281 from kanongil/symbol-support
• Additional commits viewable in compare view

Updates npm from 4.6.1 to 11.9.0

Release notes

Sourced from npm's releases.

v11.9.0

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

v11.8.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

... (truncated)

Changelog

Sourced from npm's changelog.

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

• 8f599df #8919 pin jsdom to 27.0.0 (@​wraithgar)
• f4f1161 #8919 dev dependency updates (@​wraithgar)

... (truncated)

Commits

• 417daa7 chore: release 11.9.0
• 332c9f3 deps: glob@13.0.1
• eca02c7 deps: minimatch@10.1.2 @​isaacs/brace-expansion@​5.0.1
• 2242f25 fix(webauth): improve error messages around webauth in non-TTY (#8952)
• b3f8475 deps: minipass-fetch@5.0.1
• 4a82a8f chore: dev dependency updates
• 924171b deps: is-cidr@6.0.2
• 4404002 deps: ci-info@4.4.0
• b65af73 deps: lru-cache@11.2.5
• 164c355 deps: tar@7.5.7
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by gar, a new releaser for npm since your current version.

Updates angular from 1.6.8 to 1.8.3

Changelog

Sourced from angular's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

• $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

• $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

• SanitizeUriProvider: remove usages of whitelist (76738102)
• httpProvider: remove usages of whitelist and blacklist (c953af6b)
• sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

• Deprecated $compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
• Deprecated $compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
• Deprecated $httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
• Deprecated $sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
• Deprecated $sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@​koto); and independently by Esben Sparre Andreasen (@​esbena) while

... (truncated)

Commits

• cf16b24 docs(changelog): add release notes for 1.8.3
• 757d56e docs(*): update end-of-life messages (#17177)
• f362437 docs(eol): add EOL options text and link to template header used in every page
• fb04e42 test(Angular): fix angularInit() tests on Safari v15+
• 6a52c4f test(input): fix tests on Firefox v93+
• ed30c4d docs(README.md): add wiki link to MVC
• 4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
• 47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
• 56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
• 58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
• Additional commits viewable in compare view

Updates angular-sanitize from 1.6.8 to 1.8.3

Changelog

Sourced from angular-sanitize's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

• $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

• $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

• SanitizeUriProvider: remove usages of whitelist (76738102)
• httpProvider: remove usages of whitelist and blacklist (c953af6b)
• sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

• Deprecated $compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
• Deprecated $compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
• Deprecated $httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
• Deprecated $sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
• Deprecated $sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@​koto); and independently by Esben Sparre Andreasen (@​esbena) while

... (truncated)

Commits

• cf16b24 docs(changelog): add release notes for 1.8.3
• 757d56e docs(*): update end-of-life messages (#17177)
• f362437 docs(eol): add EOL options text and link to template header used in every page
• fb04e42 test(Angular): fix angularInit() tests on Safari v15+
• 6a52c4f test(input): fix tests on Firefox v93+
• ed30c4d docs(README.md): add wiki link to MVC
• 4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
• 47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
• 56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
• 58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
• Additional commits viewable in compare view

Updates ajv from 4.11.4 to 4.11.8

Release notes

Sourced from ajv's releases.

4.11.7

The last release before 5.0.0

Commits

• See full diff in compare view

Updates kind-of from 6.0.2 to 6.0.3

Changelog

Sourced from kind-of's changelog.

[6.0.3] - 2020-01-16

• Merge pull request #31 for issue #30

[6.0.0] - 2017-10-13

• refactor code to be more performant
• refactor benchmarks

[5.1.0] - 2017-10-13

Added

• Merge pull request #15 from aretecode/patch-1
• adds support and tests for string & array iterators

Changed

• updates benchmarks

[5.0.2] - 2017-08-02

• Merge pull request #14 from struct78/master
• Added undefined check

[5.0.0] - 2017-06-21

• Merge pull request #12 from aretecode/iterator
• Set Iterator + Map Iterator
• streamline isbuffer, minor edits

[4.0.0] - 2017-05-19

• Merge pull request #8 from tunnckoCore/master
• update deps

[3.2.2] - 2017-05-16

• fix version

[3.2.1] - 2017-05-16

• add browserify

[3.2.0] - 2017-04-25

• Merge pull request #10 from ksheedlo/unrequire-buffer
• add promise support and tests
• Remove unnecessary Buffer check

... (truncated)

Commits

• abab085 6.0.3
• a18459c run verb to generate README documentation
• dc6bea5 only need to check typeof val.constructor
• 1df992c Merge pull request #31 from xiaofen9/master
• 975c13a fix type checking vul in ctorName
• 4da96c0 Delete FUNDING.yml
• 28266f2 Create FUNDING.yml
• See full diff in compare view

Maintainer changes

This version was pushed to npm by doowb, a new releaser for kind-of since your current version.

Updates async from 2.6.0 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

• Fix potential prototype pollution exploit (#1828)

v2.6.3

• Updated lodash to squelch a security warning (#1675)

v2.6.2

• Updated lodash to squelch a security warning (#1620)

v2.6.1

• Updated lodash to prevent npm audit warnings. (#1532, #1533)
• Made async-es more optimized for webpack users (#1517)
• Fixed a stack overflow with large collections and a synchronous iterator (#1514)
• Various small fixes/chores (#1505, #1511, #1527, #1530)

Commits

• c6bdaca Version 2.6.4
• 8870da9 Update built files
• 4df6754 update changelog
• 8f7f903 Fix prototype pollution vulnerability (#1828)
• f1d8383 Version 2.6.3
• 2b674c1 update changelog
• eab740f fix: udpate lodash. closes #1675
• eaf32be Version 2.6.2
• 684b42e Update built files
• e1bd3da update changelog
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Updates bl from 1.2.1 to 1.2.3

Release notes

Sourced from bl's releases.

v1.2.2

• use safe-buffer #51

Commits

• d69edfd 1.2.3
• 847473a test all branches
• 0bd87ec Fix unintialized memory access
• dc097f3 test newer versions of Node
• feaaa4c Bumped v1.2.2.
• 307da45 Merge pull request #51 from rvagg/safe-buffeer
• cf6b00e Removed node 7 from .travis.yml
• 4b8f524 Added safe-buffer and updated dependencies
• 4acbe24 Merge pull request #45 from EdwardBetts/spelling
• 52ed96c correct spelling mistake
• See full diff in compare view

Updates brace-expansion from 1.1.6 to 1.1.8

Commits

• 8f59e68 1.1.8
• 6049719 bump balanced-match (1.0.0 for semver updates)
• 8925120 1.1.7
• ed46e5b Merge pull request #35 from kamael/master
• b133812 fix bug in juliangruber/brace-expansion#33
• 265f6cd Merge pull request #34 from juliangruber/greenkeeper/initial
• 9c5d643 Update README.md
• d6f2867 Update README.md
• c91e261 docs(readme): add Greenkeeper badge
• 499e205 update travis
• Additional commits viewable in compare view

Updates browserify-sign from 4.0.4 to 4.2.5

Changelog

Sourced from browserify-sign's changelog.

v4.2.5 - 2025-09-24

Commits

• [Tests] clean up tests and convert console info skips to tape skips 37b083c
• [Fix] restore node 0.10 support faade86
• [Deps] update parse-asn1 5a0f159
• [actions] drop unsupported nodes from CI 106be97

v4.2.4 - 2025-09-22

Commits

• [actions] split out node 10-20, and 20+ 17920d9
• [meta] remove files field 6d5b280
• [Deps] update bn.js, browserify-rsa, elliptic 31be0c2
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, semver, tape 5f66982
• [Tests] replace aud with npm audit d44b24d
• [Dev Deps] add missing peer dep ab975f4
• [Deps] revert 9e2bf12, now that v3.1.1 is out 428cf7f

v4.2.3 - 2024-03-05

Commits

• [patch] widen support to 0.12 9247adf
• [patch] drop minimum node support to v1 4d0ee49
• [Dev Deps] update aud, npmignore, tape 87f3a35
• [actions] remove redundant finisher 37a4758
• [Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12
• [Deps] update parse-asn1 [f427270`](browserify/browserify-sign@f427270)
• [Deps] update elliptic fb261ce
• [Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

• [Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

• Only apps should have lockfiles 09a8995
• [eslint] switch to eslint 83fe463
• [meta] add npmignore and auto-changelog 4418183
• [meta] fix package.json indentation 9ac5a5e
• [Tests] migrate from travis to github actions d845d85
• [Fix] sign: throw on unsupported padding scheme 8767739
• [Fix] properly check the upper bound for DSA signatures 85994cd
• [Tests] handle openSSL not supporting a scheme f5f17c2

... (truncated)

Commits

• d3a7458 v4.2.5
• 37b083c [Tests] clean up tests and convert console info skips to tape skips
• faade86 [Fix] restore node 0.10 support
• 5a0f159 [Deps] update parse-asn1
• 106be97 [actions] drop unsupported nodes from CI
• 9c37172 v4.2.4
• 6d5b280 [meta] remove files field
• 17920d9 [actions] split out node 10-20, and 20+
• 31be0c2 [Deps] update bn.js, browserify-rsa, elliptic
• ab975f4 [Dev Deps] add missing peer dep
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Updates cached-path-relative from 1.0.1 to 1.1.0

Commits

• See full diff in compare view

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

• [Refactor] use to-buffer fd1e5ee
• [Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

• [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

• [Tests] standard -> eslint, make test dir, etc ae02fd6
• [Tests] migrate from travis to GHA 66387d7
• [meta] fix package.json indentation 5c02918
• [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
• [meta] add auto-changelog 88dc806
• [meta] add npmignore and safe-publish-latest 7a137d7
• Only apps should have lockfiles 42528f2
• [Deps] update inherits, safe-buffer 0e7a2d9
• [meta] add missing engines.node f2dc13e

Commits

• 0056718 v1.0.7
• fd1e5ee [Refactor] use to-buffer
• 08ba803 [Dev Deps] update @ljharb/eslint-config
• f5249f9 v1.0.6
• b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
• f03cebf v1.0.5
• 88dc806 [meta] add auto-changelog
• 7a137d7 [meta] add npmignore and safe-publish-latest
• 5c02918 [meta] fix package.json indentation
• 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates flatnest from 1.0.0 to 1.0.1

Commits

• See full diff in compare view

Updates form-data from 2.1.2 to 2.1.4

Release notes

Sourced from form-data's releases.

Proper toString

• toString will output '[object FormData]' Thanks to @​m59peacemaker

Broken version

No release notes provided.

Changelog

Sourced from form-data's changelog.

v2.1.4 - 2017-04-08

2.1.3 - 2017-04-08

v2.1.3 - 2017-04-08

Merged

• toString should output '[object FormData]' [#346](https://github.com/form-data/form-data/issues/346)

Description has been truncated

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	hoek@​5.0.3 ⏵ 6.1.3	+1		-4
	angular-sanitize@​1.6.8 ⏵ 1.8.3			+1
	angular@​1.6.8 ⏵ 1.8.3		+7	+1
	babelify@​7.3.0 ⏵ 10.0.0	+1
	gulp-notify@​3.2.0 ⏵ 5.0.0
	npm@​4.6.1 ⏵ 11.9.0	+3	+50	-9	+3
	open@​0.0.5 ⏵ 11.0.0		+75	+26
	gulp@​3.9.1 ⏵ 5.0.1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm npm is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: package-lock.json → npm/npm@11.9.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@11.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report