Bump the npm_and_yarn group across 1 directory with 13 updates by dependabot[bot] · Pull Request #1309 · Health-Informatics-UoN/carrot-mapper

dependabot · 2026-04-16T01:58:28Z

Bumps the npm_and_yarn group with 12 updates in the /app/next-client-app directory:

Package	From	To
next	`15.5.10`	`15.5.15`
picomatch	`4.0.3`	`4.0.4`
picomatch	`2.3.1`	`2.3.2`
picomatch	`4.0.2`	`4.0.4`
@hono/node-server	`1.19.9`	`1.19.14`
@isaacs/brace-expansion	`5.0.0`	`5.0.1`
@modelcontextprotocol/sdk	`1.25.2`	`1.29.0`
ajv	`6.12.6`	`6.14.0`
minimatch	`3.1.2`	`3.1.5`
flatted	`3.3.3`	`3.4.2`
hono	`4.11.7`	`4.12.14`
lodash	`4.17.23`	`4.18.1`
tar	`7.5.6`	`7.5.13`
yaml	`1.10.2`	`1.10.3`

Updates next from 15.5.10 to 15.5.15

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)

Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @styfle and @lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @ztanner for helping!

Commits

412eb90 v15.5.15
cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
fffef9e Fix CI for glibc linux builds
d7b012d v15.5.14
2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
cfd5f53 v15.5.13
15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
d23f41c v15.5.12
8e75765 fix unlock in publish-native
Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates picomatch from 4.0.2 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @hono/node-server's releases.

v1.19.14

What's Changed

fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

chore: ignore claude setting by @yusukebe in honojs/node-server#314

fix: request draining for early 413 responses by @usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

b5e63a3 1.19.14
c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
fd64e65 1.19.13
025c30f Merge commit from fork
6cdb5a7 1.19.12
70250f7 fix: request draining for early 413 responses (#329)
cfc08b3 chore: ignore claude setting (#314)
ecd4d6b 1.19.11
c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
2f8ca36 1.19.10
Additional commits viewable in compare view

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.29.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @felixweinberger in modelcontextprotocol/typescript-sdk#1749

[v1.x] fix: disallow null (infinite) requested TTL by @LucaButBoring in modelcontextprotocol/typescript-sdk#1339

[v1.x] fix: add missing size field to ResourceSchema by @olaservo in modelcontextprotocol/typescript-sdk#1575

Add typings exports by @tdraier in modelcontextprotocol/typescript-sdk#1623

v1.x npm audit fix by @KKonstantinov in modelcontextprotocol/typescript-sdk#1780

v1.x #1623 follow up -add missing types to package.json by @KKonstantinov in modelcontextprotocol/typescript-sdk#1773

[v1.x backport] Allow servers / clients to advertise extensions in the capability object by @localden in modelcontextprotocol/typescript-sdk#1811

fix(stdio): always set windowsHide on Windows, not just in Electron by @jnMetaCode in modelcontextprotocol/typescript-sdk#1640

chore: bump version to 1.29.0 by @felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

@tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623

@jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

feat: use scopes_supported from resource metadata by default (fixes #580) by @antogyn in modelcontextprotocol/typescript-sdk#757

[v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @pcarleton in modelcontextprotocol/typescript-sdk#1611

fix: reject plain JSON Schema objects passed as inputSchema by @tiluckdave in modelcontextprotocol/typescript-sdk#1596

fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @pcarleton in modelcontextprotocol/typescript-sdk#1462

fix(server/auth): RFC 8252 loopback port relaxation by @poteat in modelcontextprotocol/typescript-sdk#1738

chore: bump version to 1.28.0 by @felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

@antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757

@tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596

@poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

feat: implement auth/pre-registration conformance scenario by @felixweinberger in modelcontextprotocol/typescript-sdk#1545

docs: add governance documentation for SEP-1730 by @felixweinberger in modelcontextprotocol/typescript-sdk#1547

docs: comprehensive feature documentation for SEP-1730 Tier 1 by @felixweinberger in modelcontextprotocol/typescript-sdk#1548

fix: prevent command injection in example URL opening (v1.x backport) by @maxisbey in modelcontextprotocol/typescript-sdk#1579

fix: call onerror for silently swallowed transport errors by @qing-ant in modelcontextprotocol/typescript-sdk#1580

chore: bump version to 1.27.1 by @felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

@qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

e12cbd7 chore: bump version to 1.29.0 (#1820)
3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
364f38c v1.x npm audit fix (#1780)
c95cc09 Add typings exports (#1623)
ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
a056569 chore: bump version to 1.28.0 (#1746)
Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Commits

e3af0a7 6.14.0
b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
72f2286 docs: update v7 info
231e52b Merge pull request #1320 from philsturgeon/patch-1
d3475fc Add spectral, an AJV util from a sponsor
413afe0 docs: v7.0.0-beta.3
11e997b update readme for v7
See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates hono from 4.11.7 to 4.12.14

Release notes

Sourced from hono's releases.

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @T4ko0522 in honojs/hono#4865

feat(trailing-slash): add skip option by @yusukebe in honojs/hono#4862

feat(cache): add onCacheNotAvailable option by @yusukebe in honojs/hono#4876

New Contributors

@T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

... (truncated)

Commits

cf2d2b7 4.12.14
66daa2e Merge commit from fork
fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
3779927 4.12.13
faa6c46 feat(cache): add onCacheNotAvailable option (#4876)
f23e97b feat(trailing-slash): add skip option (#4862)
1aa32fb fix(types): infer response type from last handler in app.on 9- and 10-handler...
c37ba26 4.12.12
cc067c8 Merge commit from fork
a586cd7 Merge commit from fork
Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.1

Changelog

Sourced from qs's changelog.

6.15.1

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters

[Deps] update @ljharb/eslint-config

[Dev Deps] update @ljharb/eslint-config, iconv-lite

[Tests] increase coverage

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

Commits

3f5e1c5 v6.15.1
c85b67f [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true s...
4dfa0f0 [Deps] update @ljharb/eslint-config
dbb05d7 [Dev Deps] update @ljharb/eslint-config, iconv-lite
b0cfe7c [Tests] increase coverage
d9b4c66 v6.15.0
cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
88e1563 [Fix] duplicates option should not apply to bracket notation keys
9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
85cc8ca v6.12.5
Additional commits viewable in compare view

Updates tar from 7.5.6 to 7.5.13

Commits

d6611ae 7.5.13
119c401 fix(extract): prevent raced symlink writes outside cwd
2a294d3 7.5.12
01082a4 fix: reject top promise on floating addFilesAsync rejections
dd1c36a linting
35a1ffe doc: more clarity in security warning
bf776f6 7.5.11
f48b5fa prevent escaping symlinks with drive-relative paths
97cff15 docs: more security info
2b72abc 7.5.10
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates yaml from 1.10.2 to 1.10.3

Commits

cfe8f04 1.10.3
7abcf45 fix: Catch stack overflow during CST composition
a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
a5e83b0 style: Apply updates Prettier rules
b8ddca0 chore: Refresh lockfile
395f892 ci: Use a different (working) submodule checkout
6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 12 updates in the /app/next-client-app directory: | Package | From | To | | --- | --- | --- | | [next](https://github.com/vercel/next.js) | `15.5.10` | `15.5.15` | | [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [picomatch](https://github.com/micromatch/picomatch) | `4.0.2` | `4.0.4` | | [@hono/node-server](https://github.com/honojs/node-server) | `1.19.9` | `1.19.14` | | @isaacs/brace-expansion | `5.0.0` | `5.0.1` | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.25.2` | `1.29.0` | | [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` | | [hono](https://github.com/honojs/hono) | `4.11.7` | `4.12.14` | | [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` | | [tar](https://github.com/isaacs/node-tar) | `7.5.6` | `7.5.13` | | [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` | Updates `next` from 15.5.10 to 15.5.15 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.10...v15.5.15) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `picomatch` from 4.0.2 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `@hono/node-server` from 1.19.9 to 1.19.14 - [Release notes](https://github.com/honojs/node-server/releases) - [Commits](honojs/node-server@v1.19.9...v1.19.14) Updates `@isaacs/brace-expansion` from 5.0.0 to 5.0.1 Updates `@modelcontextprotocol/sdk` from 1.25.2 to 1.29.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@v1.25.2...v1.29.0) Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `flatted` from 3.3.3 to 3.4.2 - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) Updates `hono` from 4.11.7 to 4.12.14 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.7...v4.12.14) Updates `lodash` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) Updates `qs` from 6.14.1 to 6.15.1 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.1...v6.15.1) Updates `tar` from 7.5.6 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.6...v7.5.13) Updates `yaml` from 1.10.2 to 1.10.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v1.10.2...v1.10.3) --- updated-dependencies: - dependency-name: next dependency-version: 15.5.15 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@hono/node-server" dependency-version: 1.19.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@isaacs/brace-expansion" dependency-version: 5.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.29.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: yaml dependency-version: 1.10.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 16, 2026

dependabot Bot requested review from AndrewThien and AndyRae as code owners April 16, 2026 01:58

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 16, 2026

github-actions Bot added the Area: Frontend label Apr 16, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 1 directory with 13 updates#1309

Bump the npm_and_yarn group across 1 directory with 13 updates#1309
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/app/next-client-app/npm_and_yarn-6b7ff611aa

dependabot Bot commented on behalf of github Apr 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 16, 2026

v15.5.15

v15.5.14

Core Changes

Credits

v15.5.13

Core Changes

Credits

4.0.4

What's Changed

4.0.4

What's Changed

4.0.4

What's Changed

v1.19.14

What's Changed

v1.19.13

Security Fix

v1.19.12

What's Changed

v1.19.11

What's Changed

v1.19.10

Security Fix

v1.29.0

What's Changed

New Contributors

v1.28.0

What's Changed

New Contributors

v1.27.1

What's Changed

New Contributors

v1.27.0

What's Changed

v4.12.14

Security fixes

Improper handling of JSX attribute names in hono/jsx SSR

Other changes

v4.12.13

What's Changed

New Contributors

v4.12.12

Security fixes

Middleware bypass via repeated slashes in serveStatic

Path traversal in toSSG() allows writing files outside the output directory

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Missing validation of cookie name on write path in setCookie()

Non-breaking space prefix bypass in cookie name handling in getCookie()

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

6.15.1

6.15.0

6.14.2

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

`lodash.*` modular packages