Bump the npm_and_yarn group across 1 directory with 20 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
hoek	5.0.3	6.1.3
npm	4.6.1	11.9.0
angular	1.6.8	1.8.3
angular-sanitize	1.6.8	1.8.3
open	0.0.5	6.0.0
cipher-base	1.0.4	1.0.7
json5	0.5.1	2.2.3
minimatch	3.0.4	3.1.2
node-notifier	5.2.1	10.0.1
pbkdf2	3.0.14	3.1.5
secp256k1	3.5.0	3.8.1

Updates hoek from 5.0.3 to 6.1.3

Commits

• 47d6306 6.1.3
• eef9740 cleanup
• fc934af Cleanup
• f2eb7fd Clone without prototype. Closes #290
• 5bfe5b6 6.1.2
• 17fe9a1 Revert all symbol handlings to false by default. Closes #283
• 542939b 6.1.1
• 947a326 Ignore symbols in deepEqual() by default. Closes #281
• 27ac630 6.1.0
• b3b5134 Merge pull request #281 from kanongil/symbol-support
• Additional commits viewable in compare view

Updates npm from 4.6.1 to 11.9.0

Release notes

Sourced from npm's releases.

v11.9.0

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

v11.8.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

... (truncated)

Changelog

Sourced from npm's changelog.

11.9.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

Bug Fixes

• 2242f25 #8952 webauth: improve error messages around webauth in non-TTY (#8952) (@​Andarist)

Dependencies

• 332c9f3 #8960 glob@13.0.1
• eca02c7 #8960 minimatch@10.1.2 @isaacs/brace-expansion@5.0.1
• b3f8475 #8951 minipass-fetch@5.0.1
• 924171b #8951 is-cidr@6.0.2
• 4404002 #8951 ci-info@4.4.0
• b65af73 #8951 lru-cache@11.2.5
• 164c355 #8951 tar@7.5.7
• a74a19c #8951 node-gyp@12.2.0
• e0bc212 #8943 pacote@21.1.0

Chores

• 4a82a8f #8951 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@9.2.0
• workspace: @npmcli/config@10.6.0
• workspace: libnpmdiff@8.1.0
• workspace: libnpmexec@10.2.0
• workspace: libnpmfund@7.0.14
• workspace: libnpmpack@9.1.0

11.8.0 (2026-01-21)

Features

• 545e861 #8828 show proxy environment variables in npm config list (Max Black)

Bug Fixes

• c2f784d #8859 preserve serialNumber UUID in CycloneDX SBOM output #8837 (#8859) (@​saksham-malhotra-27)
• f2c3af7 #8840 more intuitive byte formatting boundaries for rounding (#8840) (@​watilde)

Documentation

• 3474ec3 #8866 fix typo/logic error in npm-dedupe docs (#8866) (@​Schweinepriester)
• 5552e46 #8797 npm-install: explain package-lock.json behavior (#8797) (@​MaxBlack-dev, Max Black)

Dependencies

• f478ca0 #8919 postcss-selector-parser@7.1.1
• 2b6a71f #8919 path-scurry@2.0.1
• 19096f2 #8919 sigstore@4.1.0
• e7f5d1e #8919 lru-cache@11.2.4
• 9e756ae #8919 ip-address@10.1.0
• f951820 #8919 common-ancestor-path@2.0.0
• 7a949ad #8919 @sigstore/verify@3.1.0
• 6979ce1 #8919 @sigstore/sign@4.1.0
• b4a6a41 #8919 @sigstore/core@3.1.0
• dc8a8e8 #8919 @sigstore/tuf@4.0.1
• be221ea #8919 validate-npm-package-name@7.0.2
• 149823d #8919 diff@8.0.3
• 32b2001 #8919 tar@7.5.4

Chores

• 8f599df #8919 pin jsdom to 27.0.0 (@​wraithgar)
• f4f1161 #8919 dev dependency updates (@​wraithgar)

... (truncated)

Commits

• 417daa7 chore: release 11.9.0
• 332c9f3 deps: glob@13.0.1
• eca02c7 deps: minimatch@10.1.2 @​isaacs/brace-expansion@​5.0.1
• 2242f25 fix(webauth): improve error messages around webauth in non-TTY (#8952)
• b3f8475 deps: minipass-fetch@5.0.1
• 4a82a8f chore: dev dependency updates
• 924171b deps: is-cidr@6.0.2
• 4404002 deps: ci-info@4.4.0
• b65af73 deps: lru-cache@11.2.5
• 164c355 deps: tar@7.5.7
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by gar, a new releaser for npm since your current version.

Updates angular from 1.6.8 to 1.8.3

Changelog

Sourced from angular's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

• $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

• $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

• SanitizeUriProvider: remove usages of whitelist (76738102)
• httpProvider: remove usages of whitelist and blacklist (c953af6b)
• sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

• Deprecated $compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
• Deprecated $compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
• Deprecated $httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
• Deprecated $sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
• Deprecated $sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@​koto); and independently by Esben Sparre Andreasen (@​esbena) while

... (truncated)

Commits

• cf16b24 docs(changelog): add release notes for 1.8.3
• 757d56e docs(*): update end-of-life messages (#17177)
• f362437 docs(eol): add EOL options text and link to template header used in every page
• fb04e42 test(Angular): fix angularInit() tests on Safari v15+
• 6a52c4f test(input): fix tests on Firefox v93+
• ed30c4d docs(README.md): add wiki link to MVC
• 4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
• 47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
• 56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
• 58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
• Additional commits viewable in compare view

Updates angular-sanitize from 1.6.8 to 1.8.3

Changelog

Sourced from angular-sanitize's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

• $sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

• $sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

• SanitizeUriProvider: remove usages of whitelist (76738102)
• httpProvider: remove usages of whitelist and blacklist (c953af6b)
• sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

• Deprecated $compileProvider.aHrefSanitizationWhitelist. It is now aHrefSanitizationTrustedUrlList.
• Deprecated $compileProvider.imgSrcSanitizationWhitelist. It is now imgSrcSanitizationTrustedUrlList.
• Deprecated $httpProvider.xsrfWhitelistedOrigins. It is now xsrfTrustedOrigins.
• Deprecated $sceDelegateProvider.resourceUrlWhitelist. It is now trustedResourceUrlList.
• Deprecated $sceDelegateProvider.resourceUrlBlacklist. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@​koto); and independently by Esben Sparre Andreasen (@​esbena) while

... (truncated)

Commits

• cf16b24 docs(changelog): add release notes for 1.8.3
• 757d56e docs(*): update end-of-life messages (#17177)
• f362437 docs(eol): add EOL options text and link to template header used in every page
• fb04e42 test(Angular): fix angularInit() tests on Safari v15+
• 6a52c4f test(input): fix tests on Firefox v93+
• ed30c4d docs(README.md): add wiki link to MVC
• 4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
• 47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
• 56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
• 58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
• Additional commits viewable in compare view

Updates open from 0.0.5 to 6.0.0

Release notes

Sourced from open's releases.

v6.0.0

Breaking:

• Rename the package from opn to open (See the readme for more info) eca88d8
• Make the wait option false by default da2d663
• Require Node.js 8 5c525b5

Enhancements:

• Add support for Windows apps referenced by their WSL paths (#118) b30220c

sindresorhus/open@v5.5.0...v6.0.0

v5.5.0

• Use system xdg-open in Electron apps on Linux (#108) 6d3f255

sindresorhus/open@v5.4.0...v5.5.0

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by sindresorhus, a new releaser for open since your current version.

Updates ajv from 4.11.4 to 4.11.8

Release notes

Sourced from ajv's releases.

4.11.7

The last release before 5.0.0

Commits

• See full diff in compare view

Updates brace-expansion from 1.1.6 to 1.1.8

Commits

• 8f59e68 1.1.8
• 6049719 bump balanced-match (1.0.0 for semver updates)
• 8925120 1.1.7
• ed46e5b Merge pull request #35 from kamael/master
• b133812 fix bug in juliangruber/brace-expansion#33
• 265f6cd Merge pull request #34 from juliangruber/greenkeeper/initial
• 9c5d643 Update README.md
• d6f2867 Update README.md
• c91e261 docs(readme): add Greenkeeper badge
• 499e205 update travis
• Additional commits viewable in compare view

Updates chownr from 1.0.1 to 3.0.0

Commits

• 8b9800a 3.0.0
• 222a6d5 modernize
• 8d35541 chore: add copyright year to license
• 8ad52b1 remove FUNDING.yml (coming from .github repo now)
• cf9ac45 funding
• 6573bba update tap
• 800f7e3 chore: add copyright year to license
• 0c447f8 ci: chores
• f9f9d86 2.0.0
• fc69315 drop support for EOL node versions
• Additional commits viewable in compare view

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

• [Refactor] use to-buffer fd1e5ee
• [Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

• [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

• [Tests] standard -> eslint, make test dir, etc ae02fd6
• [Tests] migrate from travis to GHA 66387d7
• [meta] fix package.json indentation 5c02918
• [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
• [meta] add auto-changelog 88dc806
• [meta] add npmignore and safe-publish-latest 7a137d7
• Only apps should have lockfiles 42528f2
• [Deps] update inherits, safe-buffer 0e7a2d9
• [meta] add missing engines.node f2dc13e

Commits

• 0056718 v1.0.7
• fd1e5ee [Refactor] use to-buffer
• 08ba803 [Dev Deps] update @ljharb/eslint-config
• f5249f9 v1.0.6
• b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
• f03cebf v1.0.5
• 88dc806 [meta] add auto-changelog
• 7a137d7 [meta] add npmignore and safe-publish-latest
• 5c02918 [meta] fix package.json indentation
• 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Updates form-data from 2.1.2 to 2.1.4

Release notes

Sourced from form-data's releases.

Proper toString

• toString will output '[object FormData]' Thanks to @​m59peacemaker

Broken version

No release notes provided.

Changelog

Sourced from form-data's changelog.

v2.1.4 - 2017-04-08

2.1.3 - 2017-04-08

v2.1.3 - 2017-04-08

Merged

• toString should output '[object FormData]' [#346](https://github.com/form-data/form-data/issues/346)

Commits

• 1974877 Merge pull request #346 from m59peacemaker/master
• 67b8a8e toString should output '[object FormData]'
• See full diff in compare view

Updates hosted-git-info from 2.4.2 to 2.5.0

Changelog

Sourced from hosted-git-info's changelog.

Changelog

9.0.2 (2025-10-08)

Bug Fixes

• c91490e #314 correctProtocol misparsing protocol (#314) (@​markovejnovic)

9.0.1 (2025-10-07)

Bug Fixes

• bf29151 #312 remove redundant httpstemplate (#312) (@​markovejnovic)

Chores

• 6525ea6 #311 stop backport branch updates (#311) (@​owlstronaut)
• 97fef20 #308 bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#308) (@​dependabot[bot], @​npm-cli-bot)

9.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• hosted-git-info now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• f5d971c #305 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• 7a9c71e #305 lru-cache@11.1.0

Chores

• a0e07cd #302 bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#302) (@​dependabot[bot], @​owlstronaut)

8.1.0 (2025-04-14)

Features

• ef0865c #288 add HostedGitInfo.fromManifest (#288) (@​ljharb)

Chores

• ac08fe8 #296 bump @​npmcli/template-oss from 4.23.6 to 4.24.3 (#296) (@​dependabot[bot], @​npm-cli-bot)

8.0.2 (2024-11-21)

Bug Fixes

• cc004ba #280 even better regex for host fragment (#280) (@​wraithgar)

8.0.1 (2024-11-20)

Bug Fixes

• e47b7e4 #274 break up greedy host fragment parsing regex (#274) (@​wraithgar)

Chores

• 3d55d13 #277 fix workflows for new backport branch (#277) (@​wraithgar)
• b3e455f #273 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#273) (@​dependabot[bot], @​npm-cli-bot)

8.0.0 (2024-09-03)

⚠️ BREAKING CHANGES

• hosted-git-info now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• 967d930 #268 align to npm 10 node engine range (@​hashtagchris)

Chores

• 20551b0 #268 run template-oss-apply (@​hashtagchris)
• 9a3c062 #265 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 8f0fa04 #266 postinstall for dependabot template-oss PR (@​hashtagchris)
• e0fe523 #266 bump @​npmcli/template-oss from 4.23.1 to 4.23.3 (@​dependabot[bot])

... (truncated)

Commits

• 88da66d 2.5.0
• 3e376eb add caching to fromUrl
• See full diff in compare view

Updates json5 from 0.5.1 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2

• Fix: Bump minimist to v1.2.5. (#222)

v2.1.1

• New: package.json and package.json5 include a module property so bundlers like webpack, rollup and parcel can take advantage of the ES Module build. (#208)
• Fix: stringify outputs \0 as \\x00 when followed by a digit. (#210)
• Fix: Spelling mistakes have been fixed. (#196)

v2.1.0

• New: The index.mjs and index.min.mjs browser builds in the dist directory support ES6 modules. (#187)

v2.0.1

• Fix: The browser builds in the dist directory support ES5. (#182)

v2.0.0

• Major: JSON5 officially supports Node.js v6 and later. Support for Node.js v4 has been dropped. Since Node.js v6 supports ES5 features, the code has been rewritten in native ES5, and the dependence on Babel has been eliminated.

• New: Support for Unicode 10 has been added.

• New: The test framework has been migrated from Mocha to Tap.

• New: The browser build at dist/index.js is no longer minified by default. A minified version is available at dist/index.min.js. (#181)

• Fix: The warning has been made clearer when line and paragraph separators are

... (truncated)

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

• Fix: Bump minimist to v1.2.5. (#222)

v2.1.1 [code, [diff][d2.1.1]]

... (truncated)

Commits

• c3a7524 2.2.3
• 94fd06d docs: update CHANGELOG for v2.2.3
• 3b8cebf docs(security): use GitHub security advisories
• f0fd9e1 docs: publish a security policy
• 6a91a05 docs(template): bug -> bug report
• 14f8cb1 2.2.2
• 10cc7ca docs: update CHANGELOG for v2.2.2
• 7774c10 fix: add proto to objects and arrays
• edde30a Readme: slight tweak to intro
• 97286f8 Improve example in readme
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.2

Commits

• 699c459 3.1.2
• 2f2b5ff fix: trim pattern
• 25d7c0d 3.1.1
• 55dda29 fix: treat nocase:true as always having magic
• 5e1fb8d 3.1.0