Bump the npm_and_yarn group across 1 directory with 14 updates

[dependabot]

Bumps the npm_and_yarn group with 14 updates in the / directory:

Package	From	To
lodash	4.17.21	4.18.1
dompurify	3.1.6	3.4.9
@tootallnate/once	2.0.0	2.0.1
fast-uri	3.0.1	3.1.2
flatted	3.3.1	3.4.2
follow-redirects	1.15.6	1.16.0
immutable	4.3.7	4.3.8
js-cookie	3.0.5	3.0.8
linkifyjs	4.1.3	4.3.3
mdast-util-to-hast	13.2.0	13.2.1
node-forge	1.3.1	1.4.0
serialize-javascript	6.0.2	removed
shell-quote	1.8.1	1.8.4
yaml	2.5.0	2.9.0

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates dompurify from 3.1.6 to 3.4.9

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.9

• Further improved the handling of Trusted Types config options, thanks @​offset
• Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
• Added more test coverage for IN_PLACE and Trusted Types related usage
• Bumped several dependencies where possible
• Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

• Cleaned up the repository root, renamed some and removed unneeded files
• Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
• Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
• Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
• Bumped several dependencies where possible

DOMPurify 3.4.7

• Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
• Removed a problem leading to permanent hook pollution, thanks @​offset
• Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

• Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
• Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
• Added more test coverage for IN_PLACE and general DOM Clobbering attacks
• Bumped several dependencies where possible

DOMPurify 3.4.5

• Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

• Added the selectedcontent element to default allow-list, thanks @​lukewarlow
• Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
• Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
• Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
• Updated demo website and made sure it uses the latest from main
• Updated existing workflows, fuzzer, dependabot, etc., added more tests
• Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.2

... (truncated)

Commits

• 5210247 release: 3.4.9 (#1459)
• bcdd828 release: 3.4.8 (#1439)
• ca30f07 release: 3.4.7 (#1414)
• bb7739e release: 3.4.6 (#1394)
• 011b0c7 release: 3.4.5 (#1382)
• 5817ad9 release: 3.4.4 (#1374)
• 520edb0 release: 3.4.3 (#1352)
• 6f67fd3 Sync/3.4.2 (#1322)
• 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
• 09f5911 test: added three more browsers to test setup (OSX, mobile)
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates @tootallnate/once from 2.0.0 to 2.0.1

Release notes

Sourced from @​tootallnate/once's releases.

v2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

Changelog

Sourced from @​tootallnate/once's changelog.

2.0.1

Patch Changes

• a1e5e2d: Fix promise hang when AbortSignal is aborted

Commits

• bcbb21d ci: fix OIDC publishing — Node 24, npm latest, provenance
• dc24387 Version Packages (2.x) (#12)
• b8a6f80 CI: test all Node versions on Linux only
• dabcc0f ci: drop EOL Node.js 14.x/16.x, add 22.x
• b464efc Update CI: modern Node versions, fix macOS ARM64 compat
• a1e5e2d Fix promise hang when AbortSignal is aborted
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tootallnate/once since your current version.

Updates fast-uri from 3.0.1 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

• Fix for GHSA-v39h-62p7-jpjc

What's Changed

• Handle malformed fragment decoding as a parse error by @​mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

• Fix for GHSA-q3j6-qgpj-74h6

What's Changed

• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in fastify/fast-uri#148
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#149
• chore(.npmrc): ignore scripts by @​Fdawgs in fastify/fast-uri#150
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in fastify/fast-uri#151
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#152
• ci(ci): add concurrency config by @​Fdawgs in fastify/fast-uri#153
• build(deps): bump actions/setup-node from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#154
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#156
• chore(license): standardise license notice by @​Fdawgs in fastify/fast-uri#159
• style: remove trailing whitespace by @​Fdawgs in fastify/fast-uri#161
• ci: remove unused github files by @​Tony133 in fastify/fast-uri#162
• chore: update readme by @​Tony133 in fastify/fast-uri#164
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#165
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#166
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fast-uri#167
• ci: add lock-threads workflow by @​Fdawgs in fastify/fast-uri#169

New Contributors

• @​Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

• ci: remove master branch support by @​Fdawgs in fastify/fast-uri#126
• chore(test) remove .gitkeep by @​Fdawgs in fastify/fast-uri#128
• ci(ci): set job permissions by @​Fdawgs in fastify/fast-uri#129
• ci: set permissions at workflow level by @​Fdawgs in fastify/fast-uri#131
• ci: set workflow permissions to read-only by default by @​Fdawgs in fastify/fast-uri#132
• ci(ci): restore job level permissions by @​Fdawgs in fastify/fast-uri#133
• build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @​dependabot[bot] in fastify/fast-uri#134
• ci(ci): pin actions to commit-hash by @​Fdawgs in fastify/fast-uri#135
• ci: add node 24 to test matrix by @​Fdawgs in fastify/fast-uri#136

... (truncated)

Commits

• 919dd8e Bumped v3.1.2
• c65ba57 fixup: linting
• 6c86c17 Merge commit from fork
• a95158a Handle malformed fragment decoding without throwing (#171)
• cea547c Bumped v3.1.1
• 876ce79 Merge commit from fork
• dcdf690 ci: add lock-threads workflow (#169)
• c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
• 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
• 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
• Additional commits viewable in compare view

Updates flatted from 3.3.1 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates follow-redirects from 1.15.6 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• 21ef28a Release version 1.15.11 of the npm package.
• 7c88135 Roll back tree shaking.
• 6e389ba Release version 1.15.10 of the npm package.
• 5bc496e Shake me up before you go-go.
• 694d6b4 Bump minimist from 1.2.5 to 1.2.8
• Additional commits viewable in compare view

Updates immutable from 4.3.7 to 4.3.8

Release notes

Sourced from immutable's releases.

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

• fix(IndexedCollection): has(index) on a lazy Seq of unknown size now checks index existence instead of searching for a value equal to the index
• [TypeScript]: reduce/reduceRight without an initial value now infer the result type from the collection's values when the reducer returns a value (e.g. list.reduce((a, b) => a + b) infers number), matching Array#reduce. Previously an explicit type argument was required.

5.1.6

• fix(reverseFactory): read reversedSequence.size in __iterator instead of this #2196

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

• Migrate some files to TS by @​jdeniau in immutable-js/immutable-js#2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in immutable-js/immutable-js#2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in immutable-js/immutable-js#2136
• Doc add Map.get signature update by @​borracciaBlu in immutable-js/immutable-js#2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in immutable-js/immutable-js#2133
• Fix algolia search by @​jdeniau in immutable-js/immutable-js#2135
• Typo in OrderedMap by @​jdeniau in immutable-js/immutable-js#2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

• fix: allow readonly map entry constructor by @​septs in immutable-js/immutable-js#2123

... (truncated)

Commits

• 485cbe0 4.3.8
• 6ed4eb6 Merge commit from fork
• 94bcd3c fix new proto key injection
• faeb58b fix Prototype Pollution in mergeDeep, toJS, etc.
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for immutable since your current version.

Updates js-cookie from 3.0.5 to 3.0.8

Release notes

Sourced from js-cookie's releases.

v3.0.8

• Restore ES5 compatibility, inadvertently broken in 3.0.7 - #959
• Lift Node version restriction, inadvertently restricted to >= 20 in 3.0.7 - #956

v3.0.7

• Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
• Add Partitioned attribute to readme (b994768)
• Publish to npm registry via trusted publisher exclusively (4dc71be)
• Ensure consistent behaviour for get('name') + get() (1953d30)

Commits

• d7a1096 Craft v3.0.8 release
• 248e685 Use existing Chrome with puppeteer
• fc04269 Remove QUnit related workaround in Grunt config
• 265a685 Tidy up package lock file
• 478e591 Disable Node deprecation DEP0044 for release workflow
• 331d524 Fix node version config for E2E test job
• 11d773d Ensure ECMAScript compatibility
• d788646 Remove engines property from package
• e7d9a4d Fix typo in test assertion message
• b5fca24 Make credentials use explicit in release workflow
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.

Updates linkifyjs from 4.1.3 to 4.3.3

Release notes

Sourced from linkifyjs's releases.

v4.3.3

What's Changed

• Fix parsing bugs with some special encoded URLs
• Parsed emails should not include port numbers
• Exact version requirement for interfaces and plugins to avoid incompatibility issues with older versions of linkify core
• Support for jQuery 4

Full Changelog: nfrasser/linkifyjs@v4.3.2...v4.3.3

v4.3.2

What's Changed

• Use Object.assign instead of custom assign function by @​nfrasser in nfrasser/linkifyjs#518

Full Changelog: nfrasser/linkifyjs@v4.3.1...v4.3.2

v4.3.1

What's Changed

• Use correct simple-html-tokenizer version for linkify-html

Full Changelog: nfrasser/linkifyjs@v4.3.0...v4.3.1

v4.3.0

What's Changed

• Fix: allow apostrophe in URL by @​patrickReiis in nfrasser/linkifyjs#504
• Fix tokenizing of comments starting or ending with more than two -- by @​hrb-hub in nfrasser/simple-html-tokenizer#1
• Update dependencies by @​nfrasser in nfrasser/linkifyjs#513
• Rename dist file .cjs.js and .es.js extensions to .cjs and .mjs, respectively

Full Changelog: nfrasser/linkifyjs@v4.2.0...v4.3.0

v4.2.0

What's Changed

• Correctly sanitize object replacement character by treating as whitespace in nfrasser/linkifyjs#497
• Avoid detecting invalid URLs with numbers around boundaries in nfrasser/linkifyjs#498
• Prevent delimiter apostrophes from being included in URLs in nfrasser/linkifyjs#499
• Correctly interpret \r\n as newline character in nfrasser/linkifyjs#500
• Correctly interpret emoji followed by # sign in nfrasser/linkifyjs#501
• Fix support for domain names with multiple hyphens in nfrasser/linkifyjs#502
• Fix parsing for magnet links in nfrasser/linkifyjs#503

Full Changelog: nfrasser/linkifyjs@v4.1.4...v4.2.0

v4.1.4

What's Changed

• Fix hashtag plugin: add support for full width middle dot ・ by @​yuiseki in nfrasser/linkifyjs#492
• Update CI matrices and other chores by @​nfrasser in nfrasser/linkifyjs#494

... (truncated)

Changelog

Sourced from linkifyjs's changelog.

v4.3.3

• Fix parsing bugs with some special encoded URLs
• Parsed emails should not include port numbers
• Exact version requirement for interfaces and plugins to avoid incompatibility issues with older versions of linkify core

v4.3.2

• Replace assign helper with Object.assign to avoid prototype pollution

v4.3.1

• Use correct simple-html-tokenizer version for linkify-html

v4.3.0

• HTML comments opened or closed with 3 dashes tokenized correctly
• Restore support for delimiter apostrophes in URLs
• Rename dist file .cjs.js and .es.js extensions to .cjs and .mjs, respectively

v4.2.0

• Correctly sanitize object replacement character by treating as whitespace
• Avoid detecting invalid URLs with numbers around boundaries
• Prevent delimiter apostrophes from being included in URLs
• Correctly interpret \r\n as newline character
• Correctly interpret emoji followed by # sign
• Fix support for domain names with multiple hyphens
• Fix parsing for magnet links

v4.1.4

• Add support for full width middle dot ・ in hashtag plugin
• Development updates for newest Node.js versions

Commits

• 7fffcc6 v4.3.3
• 90b37cc Release v4.3.3 (#535)
• 2cb8352 Update dependencies (#529)
• 3abe9ab v4.3.2
• 931d3e2 Use Object.assign instead of custom assign function (#518)
• 45bc27e v4.3.1
• 251a5c6 v4.3.0
• 359ed4e Update dependencies (#513)
• c4bdf85 Revert "Don't allow apostrophe in URLs (#499)" (#504)
• 86e977c v4.2.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for linkifyjs since your current version.

Updates mdast-util-to-hast from 13.2.0 to 13.2.1

Release notes

Sourced from mdast-util-to-hast's releases.

13.2.1

Fix

• ab3a795 Fix support for spaces in class names

Types

• efb5312 Refactor to use @imports
• a5bc210 Add declaration maps

Full Changelog: syntax-tree/mdast-util-to-hast@13.2.0...13.2.1

Commits

• 174795b 13.2.1
• 3d05b3a Update Node in Actions
• ab3a795 Fix support for spaces in class names
• efb5312 Refactor to use @imports
• a5bc210 Add declaration maps
• b54955d Add .tsbuildinfo to .gitignore
• See full diff in compare view

Updates node-forge from 1.3.1 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
  • CVE ID: CVE-2026-33896
  • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

• fa385f9 Release 1.4.0.
• 07d4e16 Update changelog.
• cb90fd9 Update changelog.
• 963e7c5 Add unit test for "pseudonym"
• f0b6f5b Add pseudonym OID
• 3df48a3 Fix missing CVE ID.
• 2e49283 Add x509 basicConstraints check.
• bdecf11 Add canonical signature scaler check for S < L.
• af094e6 Add RSA padding and DigestInfo length checks.
• 796eeb1 Improve jsbn fix.
• Additional commits viewable in compare view

Removes serialize-javascript

Updates shell-quote from 1.8.1 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

• [Fix] quote: validate object-token shapes 4378a6e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
• [Tests] increase coverage 9f3caa3
• [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
• [Dev Deps] update @ljharb/eslint-config 699c511

v1.8.3 - 2025-06-01

Fixed

• [Fix] remove unnecessary backslash escaping in single quotes [#15](https://github.com/ljharb/shell-quote/issues/15)

v1.8.2 - 2024-11-27

Fixed

• [Fix] quote: preserve empty strings [#18](https://github.com/ljharb/shell-quote/issues/18)

Commits

• [meta] fix changelog tags 0fb9fd8
• [actions] split out node 10-20, and 20+ 819bd84
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408
• [actions] update npm for windows tests fdeb0fd
• [Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b
• [actions] prevent node 14 on ARM mac from failing 9eecafc
• [meta] exclude more files from the package 4044e7f
• [Tests] replace aud with npm audit 8cfdbd8
• [meta] add missing engines.node 843820e
• [Dev Deps] add missing peer dep 4c3b88d
• [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed

Commits

• ff166e2 v1.8.4
• 4378a6e [Fix] quote: validate object-token shapes
• 22ebec0 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, `npmig...
• 9f3caa3 [Tests] increase coverage
• 3344a04 [readme] replace runkit CI badge with shields.io check-runs badge
• 699c511 [Dev Deps] update @ljharb/eslint-config
• 487a9b4 v1.8.3
• 01faaff [Fix] remove unnecessary backslash escaping in single quotes
• b19fc77 v1.8.2
• 59d29ea [Fix] quote: preserve empty strings
• Additional commits viewable in compare view

Updates yaml from 2.5.0 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

v2.8.2

• Serialize -0 as -0 (#638)
• Do not double newlines for empty map values (#642)

v2.8.1

• Preserve empty block literals (#634)

v2.8.0

• Add node cache for faster alias resolution (#612)
• Re-introduce compatibility with Node.js 14.6 (#614)
• Add --merge option to CLI tool (#611)
• Improve error for tag resolution error on null value (#616)
• Allow empty string as plain scalar representation, for failsafe schema ...

  Description has been truncated