Bump the npm_and_yarn group across 2 directories with 11 updates by dependabot[bot] · Pull Request #36 · commercetools-demo/contentools

dependabot · 2026-04-22T18:26:50Z

Bumps the npm_and_yarn group with 9 updates in the /cms directory:

Package	From	To
@xmldom/xmldom	`0.8.11`	`0.8.13`
dompurify	`2.5.8`	`2.5.9`
flatted	`3.3.3`	`3.4.2`
follow-redirects	`1.15.9`	`1.16.0`
jsonpath	`1.1.1`	`1.3.0`
node-forge	`1.3.3`	`1.4.0`
picomatch	`2.3.1`	`2.3.2`
tar	`7.5.10`	`7.5.13`
yaml	`1.10.2`	`1.10.3`

Bumps the npm_and_yarn group with 2 updates in the /service directory: flatted and vite.

Updates @xmldom/xmldom from 0.8.11 to 0.8.13

Release notes

Sourced from @xmldom/xmldom's releases.

0.8.13

Commits

Fixed

Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h

Comment: throws when data contains -->

ProcessingInstruction: throws when data contains ?>

DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>

Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

0.8.12

Commits

Fixed

preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)

Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp

Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @thesmartshadow, @stevenobiajulu, for your contributions

xmldom/xmldom#357

Changelog

Sourced from @xmldom/xmldom's changelog.

0.8.13

Fixed

Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h

Comment: throws when data contains -->

ProcessingInstruction: throws when data contains ?>

DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>

Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @Jvr2022, @praveen-kv, @TharVid, @decsecre583, @tlsbollei, @KarimTantawey, for your contributions

0.9.9

Added

implement ParentNode.children getter [#960](https://github.com/xmldom/xmldom/issues/960) / [#410](https://github.com/xmldom/xmldom/issues/410)

Fixed

Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp

Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

correctly traverse ancestor chain in Node.contains [#931](https://github.com/xmldom/xmldom/issues/931)

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

updated dependencies

Thank you, @stevenobiajulu, @yoshi389111, @thesmartshadow, for your contributions

0.8.12

Fixed

preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)

... (truncated)

Commits

e5c1480 0.8.13
9611e20 style: drop unused import in test file
dc4dff3 docs: add 0.8.13 changelog entry
842fa38 fix: prevent stack overflow in normalize (GHSA-2v35-w6hq-6mfw)
aeff69f test: add normalize behavioral coverage to node.test.js
cbdb0d7 fix: make walkDOM iterative to prevent stack overflow (GHSA-2v35-w6hq-6mfw)
0b543d3 test: assert namespace declarations are isolated between siblings in serializ...
c007c51 refactor: migrate serializeToString to walkDOM
2bb3899 test: add serializeToString coverage for uncovered branches
e69f38d refactor: migrate importNode to walkDOM
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @xmldom/xmldom since your current version.

Updates dompurify from 2.5.8 to 2.5.9

Release notes

Sourced from dompurify's releases.

DOMPurify 2.5.9

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing

Commits

0951ca4 chore: Updated minor version on demo website
1049002 Getting 2.x branch ready for 2.5.9 release
ca136fa Merge branch '2.x' of github.com:cure53/DOMPurify into 2.x
d59bfe7 fix: Added fixes for the jsdom parser issue in 2.x
d13358d Update README.md
25b59f6 Update README.md
d5a8731 Update README.md
58a799f Update README.md
184e548 Update README.md
cfce1dd Update README.md
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates follow-redirects from 1.15.9 to 1.16.0

Commits

0c23a22 Release version 1.16.0 of the npm package.
844c4d3 Add sensitiveHeaders option.
5e8b8d0 ci: add Node.js 24.x to the CI matrix
7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
86dc1f8 Sanitizing input.
21ef28a Release version 1.15.11 of the npm package.
7c88135 Roll back tree shaking.
6e389ba Release version 1.15.10 of the npm package.
5bc496e Shake me up before you go-go.
694d6b4 Bump minimist from 1.2.5 to 1.2.8
See full diff in compare view

Updates jsonpath from 1.1.1 to 1.3.0

Commits

See full diff in compare view

Updates node-forge from 1.3.3 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

HIGH: Denial of Service in BigInteger.modInverse()

A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.

Reported by Kr0emer.

CVE ID: CVE-2026-33891

GHSA ID: GHSA-5gfm-wpxj-wjgq

HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.

RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.

Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.

Reported as part of a U.C. Berkeley security research project by:

Austin Chu, Sohee Kim, and Corban Villa.

CVE ID: CVE-2026-33894

GHSA ID: GHSA-ppp5-5v6c-4jwp

HIGH: Signature forgery in Ed25519 due to missing S < L check.

Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.

Reported as part of a U.C. Berkeley security research project by:

Austin Chu, Sohee Kim, and Corban Villa.

CVE ID: CVE-2026-33895

GHSA ID: GHSA-q67f-28xg-22rw

HIGH: basicConstraints bypass in certificate chain verification.

pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.

Reported by Doruk Tan Ozturk (@peaktwilight) - doruk.ch

CVE ID: CVE-2026-33896

GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

fa385f9 Release 1.4.0.
07d4e16 Update changelog.
cb90fd9 Update changelog.
963e7c5 Add unit test for "pseudonym"
f0b6f5b Add pseudonym OID
3df48a3 Fix missing CVE ID.
2e49283 Add x509 basicConstraints check.
bdecf11 Add canonical signature scaler check for S < L.
af094e6 Add RSA padding and DigestInfo length checks.
796eeb1 Improve jsbn fix.
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Fix bad text values in parse #126, thanks to @connor4312

Changed

Remove process global to work outside of node #129, thanks to @styfle

Add sideEffects to package.json #128, thanks to @frandiox

Removed os, make compatible browser environment. See #124, thanks to @gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

81cba8d Publish 2.3.2
fc1f6b6 Merge commit from fork
eec17ae Merge commit from fork
78f8ca4 Merge pull request #156 from micromatch/backport-144
3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
See full diff in compare view

Updates tar from 7.5.10 to 7.5.13

Commits

d6611ae 7.5.13
119c401 fix(extract): prevent raced symlink writes outside cwd
2a294d3 7.5.12
01082a4 fix: reject top promise on floating addFilesAsync rejections
dd1c36a linting
35a1ffe doc: more clarity in security warning
bf776f6 7.5.11
f48b5fa prevent escaping symlinks with drive-relative paths
97cff15 docs: more security info
See full diff in compare view

Updates underscore from 1.12.1 to 1.13.6

Commits

bd2d35c Merge remote-tracking branch 'upstream/master'
2e7c0f2 Update generated files, tag 1.13.6 release
732cafe Underscore 1.13.6
e8f86fb Add changelog entry for versioin 1.13.6
43e827a Bump the version to 1.13.6 (hotfix)
1c1d1a2 Remove patch-package postinstall script
4eb6894 Merge pull request #2974 from paulsmithkc/patch-1
2edcdc1 Hostfix for broken builds
66ee70d Verify that production and doc builds still work in CI
68e5eb6 Update generated sources, tag 1.13.5 release
Additional commits viewable in compare view

Updates yaml from 1.10.2 to 1.10.3

Commits

cfe8f04 1.10.3
7abcf45 fix: Catch stack overflow during CST composition
a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
a5e83b0 style: Apply updates Prettier rules
b8ddca0 chore: Refresh lockfile
395f892 ci: Use a different (working) submodule checkout
6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
See full diff in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

fix: exception when glob pattern contains constructor by @Jason3S in micromatch/picomatch#144

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Changelogs are for humans, not machines.

There should be an entry for every single version.

The same types of changes should be grouped.

Versions and sections should be linkable.

The latest version comes first.

The release date of each versions is displayed.

Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

Added for new features.

Changed for changes in existing functionality.

Deprecated for soon-to-be removed features.

Removed for now removed features.

Fixed for any bug fixes.

Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

Fix bad text values in parse #126, thanks to @connor4312

Changed

Remove process global to work outside of node #129, thanks to @styfle

Add sideEffects to package.json #128, thanks to @frandiox

Removed os, make compatible browser environment. See #124, thanks to @gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

81cba8d Publish 2.3.2
fc1f6b6 Merge commit from fork
eec17ae Merge commit from fork
78f8ca4 Merge pull request #156 from micromatch/backport-144
3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
See full diff in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Bumps the npm_and_yarn group with 9 updates in the /cms directory: | Package | From | To | | --- | --- | --- | | [@xmldom/xmldom](https://github.com/xmldom/xmldom) | `0.8.11` | `0.8.13` | | [dompurify](https://github.com/cure53/DOMPurify) | `2.5.8` | `2.5.9` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.9` | `1.16.0` | | [jsonpath](https://github.com/dchester/jsonpath) | `1.1.1` | `1.3.0` | | [node-forge](https://github.com/digitalbazaar/forge) | `1.3.3` | `1.4.0` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [tar](https://github.com/isaacs/node-tar) | `7.5.10` | `7.5.13` | | [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` | Bumps the npm_and_yarn group with 2 updates in the /service directory: [flatted](https://github.com/WebReflection/flatted) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Updates `@xmldom/xmldom` from 0.8.11 to 0.8.13 - [Release notes](https://github.com/xmldom/xmldom/releases) - [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md) - [Commits](xmldom/xmldom@0.8.11...0.8.13) Updates `dompurify` from 2.5.8 to 2.5.9 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@2.5.8...2.5.9) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `follow-redirects` from 1.15.9 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.9...v1.16.0) Updates `jsonpath` from 1.1.1 to 1.3.0 - [Commits](https://github.com/dchester/jsonpath/commits) Updates `node-forge` from 1.3.3 to 1.4.0 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.3...v1.4.0) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `tar` from 7.5.10 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.10...v7.5.13) Updates `underscore` from 1.12.1 to 1.13.6 - [Commits](jashkenas/underscore@1.12.1...1.13.6) Updates `yaml` from 1.10.2 to 1.10.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v1.10.2...v1.10.3) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `vite` from 6.4.1 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `vite` from 6.4.1 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) --- updated-dependencies: - dependency-name: "@xmldom/xmldom" dependency-version: 0.8.13 dependency-type: indirect - dependency-name: dompurify dependency-version: 2.5.9 dependency-type: indirect - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect - dependency-name: jsonpath dependency-version: 1.3.0 dependency-type: indirect - dependency-name: node-forge dependency-version: 1.4.0 dependency-type: indirect - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect - dependency-name: underscore dependency-version: 1.13.6 dependency-type: indirect - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development - dependency-name: yaml dependency-version: 1.10.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

netlify · 2026-04-27T15:55:01Z

✅ Deploy Preview for multitenant-contentools canceled.

Name	Link
🔨 Latest commit	`a5a5d5b`
🔍 Latest deploy log	https://app.netlify.com/projects/multitenant-contentools/deploys/69ef86d052da640008230197

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 22, 2026

dependabot Bot mentioned this pull request Apr 22, 2026

Bump the npm_and_yarn group across 2 directories with 11 updates #35

Closed

dependabot Bot force-pushed the dependabot/npm_and_yarn/cms/npm_and_yarn-c6a8d8f137 branch from 1bd520d to a5a5d5b Compare April 27, 2026 15:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 2 directories with 11 updates#36

Bump the npm_and_yarn group across 2 directories with 11 updates#36
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/cms/npm_and_yarn-c6a8d8f137

dependabot Bot commented on behalf of github Apr 22, 2026 •

edited

Loading

Uh oh!

netlify Bot commented Apr 27, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

0.8.13

Fixed

0.8.12

Fixed

0.8.13

Fixed

0.9.9

Added

Fixed

Chore

0.8.12

Fixed

DOMPurify 2.5.9

1.4.0 - 2026-03-24

Security

2.3.2

What's Changed

Release history

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

2.3.2

What's Changed

Release history

4.0.0 (2024-02-07)

Fixes

Changed

3.0.1

Fixes

v6.4.2

6.4.2 (2026-04-06)

v6.4.2

6.4.2 (2026-04-06)

Uh oh!

netlify Bot commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for multitenant-contentools canceled.

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Apr 22, 2026 •

edited

Loading

netlify Bot commented Apr 27, 2026 •

edited

Loading