[deps] Platform: Lock file maintenance#6336

Open
renovate[bot] wants to merge 1 commit into main from renovate/lock-file-maintenance


@renovate renovate bot commented Sep 15, 2025

This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested review from a team as code owners September 15, 2025 03:07
@renovate renovate bot requested review from enmande and vleague2 September 15, 2025 03:07

codecov bot commented Sep 15, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.74%. Comparing base (ef4f4e3) to head (f789942).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6336      +/-   ##
==========================================
- Coverage   60.75%   56.74%   -4.01%     
==========================================
  Files        2013     2013              
  Lines       88129    88129              
  Branches     7848     7848              
==========================================
- Hits        53543    50011    -3532     
- Misses      32680    36295    +3615     
+ Partials     1906     1823      -83     


@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 6083a71 to c82f250 Compare September 25, 2025 15:34

@github-actions

Checkmarx One – Scan Summary & Details 0bbe298c-7406-4be3-bf91-ff721d3fef95

New Issues (3)

Checkmarx found the following issues in this Pull Request

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| MEDIUM | CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 419 | Method at line 419 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... ID: XWl46lV2X%2BBt49nNe5GE3VUr%2Fy0%3D |
| MEDIUM | CSRF | /src/Api/Vault/Controllers/CiphersController.cs: 1508 | Method at line 1508 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... ID: Tk%2FmvJPGUHNjl6cjrFHos7YAa1M%3D |
| MEDIUM | CSRF | /src/Api/Vault/Controllers/CiphersController.cs: 1389 | Method at line 1389 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... ID: KKbwt1aUy7U49Pl7Stx2veFr%2FSU%3D |

Fixed Issues (2)

Great job! The following issues were fixed in this Pull Request

| Severity | Issue | Source File / Package |
|---|---|---|
| MEDIUM | CSRF | /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97 |
| MEDIUM | CSRF | /src/Api/Vault/Controllers/CiphersController.cs: 299 |


enmande commented Sep 26, 2025

Dependency Upgrades by Lock File

1. SSO & Admin Lock Files

Both bitwarden_license/src/Sso/package-lock.json and src/Admin/package-lock.json received identical updates.

@jridgewell/trace-mapping: 0.3.30 → 0.3.31

Release Notes: No specific changelog found for 0.3.31. Repository has moved to a monorepo structure, and detailed release notes are not available for recent patch versions.

Assessment:

  • Risk Level: 1/5 (Trivial)
  • Type: Source map utility library
  • Impact: Dev dependency for build tooling
  • Confidence: Very high - source mapping utilities rarely have breaking changes in patch releases

@types/node: 24.3.1 → 24.5.2

Release Notes: TypeScript definitions for Node.js. No traditional changelog available - @types packages are auto-published when DefinitelyTyped PRs are merged.

Assessment:

  • Risk Level: 1/5 (Trivial)
  • Type: TypeScript definitions update
  • Impact: Development-time type checking improvements
  • Confidence: Very high - type definition updates rarely break builds

browserslist: 4.25.4 → 4.26.2

Release Notes:

  • 4.26.2: Fixed "baseline-browser-mapping" version requirement
  • 4.26.1: Updated Firefox ESR
  • 4.26.0: Added "Baseline queries" feature
  • 4.25.4: Fixed Windows support for custom stats

Dependencies Added: baseline-browser-mapping (new dependency)

Assessment:

  • Risk Level: 2/5 (Low-Medium Risk)
  • Type: Browser targeting configuration
  • Impact: May affect build output and browser support targeting
  • Confidence: Medium - new dependency and feature additions could affect browser targets

caniuse-lite: 1.0.30001741 → 1.0.30001745

Release Notes: No detailed changelog available. Updates contain browser compatibility data refreshes from caniuse database.

Assessment:

  • Risk Level: 1/5 (Trivial)
  • Type: Browser compatibility data
  • Impact: More accurate browser support information
  • Confidence: Very high - data-only updates are safe

electron-to-chromium: 1.5.215 → 1.5.223

Release Notes: No detailed changelog for individual patch versions. Package provides automated Electron-to-Chromium version mappings updated with each new Electron release.

Assessment:

  • Risk Level: 1/5 (Trivial)
  • Type: Version mapping data
  • Impact: Updated Electron/Chromium version mappings
  • Confidence: Very high - automated data updates are reliable

node-releases: 2.0.20 → 2.0.21

Release Notes: No specific changelog found. Package contains Node.js release data for Browserslist and other tooling.

Assessment:

  • Risk Level: 1/5 (Trivial)
  • Type: Node.js release data
  • Impact: Updated Node.js version information
  • Confidence: Very high - data-only package

undici-types: 7.10.0 → 7.12.0

Release Notes:

  • 7.12.0: Code quality improvements, reduced intermediate functions, removed unnecessary WebIDL parameters
  • 7.11.0: Various CI and testing improvements
  • 7.10.0: Added "clientLifetime" option for connection pool management

Assessment:

  • Risk Level: 2/5 (Low-Medium Risk)
  • Type: HTTP client type definitions
  • Impact: Updated types for HTTP/fetch APIs
  • Confidence: Medium - type changes could affect HTTP-related code

baseline-browser-mapping: 2.8.7 (New Dependency)

Release Notes: New dependency added by browserslist 4.26.x. Package provides browser compatibility data for Web Platform Baseline features. Updated daily with fresh browser data.

Assessment:

  • Risk Level: 2/5 (Low-Medium Risk)
  • Type: New browser compatibility data package
  • Impact: Enables new "Baseline queries" feature in browserslist
  • Confidence: Medium - new dependency introduction requires validation

2. MJML Templates Lock File

src/Core/MailTemplates/Mjml/package-lock.json received a single update.

debug: 4.4.1 → 4.4.3

Release Notes:

  • 4.4.3: Security release - functionally identical to 4.4.1
  • 4.4.2: !! COMPROMISED VERSION - avoid this version entirely

Assessment:

  • Risk Level: 1/5 (Trivial)
  • Type: Debugging utility security update
  • Impact: Restores safe version after compromised 4.4.2
  • Confidence: Very high - critical security fix with no functional changes


enmande commented Sep 26, 2025

Engineer Verification Notes

No evidence of compromised npm package debug@4.4.2 (skipped fully for 4.4.3).

SSO login flow verified locally. Server appears to run as expected, and client communicates properly through SSO flows (MP and TDE orgs).

No unexpected dependency adds beyond the noted baseline-browser-mapping.

Browserslist matches main after update.
and_chr 139
and_ff 142
and_qq 14.9
and_uc 15.5
android 139
chrome 140
chrome 139
chrome 138
chrome 137
chrome 112
chrome 109
edge 140
edge 139
edge 138
firefox 142
firefox 141
firefox 140
firefox 128
ios_saf 18.5-18.6
ios_saf 18.4
kaios 3.0-3.1
kaios 2.5
op_mini all
op_mob 80
opera 121
opera 120
safari 18.5-18.6
safari 18.4
samsung 28
samsung 27
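
Added example (not part of the PR or the project's code): the two lock-file checks described in the verification notes above, written as a Node.js script that looks for a denylisted version anywhere in the tree, nested copies included, and lists packages that appear in the refreshed lock file without being expected. It assumes a lockfileVersion 2 or 3 package-lock.json; the function names, the denylist shape and the sample lock files are illustrative and constructed.

```javascript
// Added example: audit a refreshed npm lockfile (lockfileVersion 2/3 "packages" map).
// All lockfile objects below are constructed samples, not the PR's real lock files.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Every installed entry, including copies nested under another package.
function listPackages(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ name: packageName(path), version: meta.version, path }))
    .filter((p) => p.name && p.version);
}

// denylist: { name: [bad versions] }; allowedNew: additions the reviewer expects.
function auditRefresh(before, after, denylist, allowedNew) {
  const oldNames = new Set(listPackages(before).map((p) => p.name));
  const pkgs = listPackages(after);
  const denied = pkgs.filter((p) => (denylist[p.name] || []).includes(p.version));
  const unexpected = [...new Set(pkgs.map((p) => p.name))]
    .filter((n) => !oldNames.has(n) && !allowedNew.includes(n));
  return { denied, unexpected, ok: denied.length === 0 && unexpected.length === 0 };
}

const DENYLIST = { debug: ["4.4.2"] }; // version flagged in the release notes above
const BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "constructed-sample" },
  "node_modules/debug": { version: "4.4.1" },
  "node_modules/browserslist": { version: "4.25.4" },
} };
const AFTER_OK = { lockfileVersion: 3, packages: {
  "": { name: "constructed-sample" },
  "node_modules/debug": { version: "4.4.3" },
  "node_modules/browserslist": { version: "4.26.2" },
  "node_modules/baseline-browser-mapping": { version: "2.8.7" },
} };
// Hypothetical bad refresh: a nested copy pins the flagged version, plus a surprise add.
const AFTER_BAD = { lockfileVersion: 3, packages: {
  ...AFTER_OK.packages,
  "node_modules/example-parent/node_modules/debug": { version: "4.4.2" },
  "node_modules/example-unexpected": { version: "1.0.0" },
} };

console.log(auditRefresh(BEFORE, AFTER_OK, DENYLIST, ["baseline-browser-mapping"]).ok);
console.log(auditRefresh(BEFORE, AFTER_BAD, DENYLIST, ["baseline-browser-mapping"]));
```

To run it against real files, replace the sample objects with the parsed lock file from the base branch and from the PR branch.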

enmande previously approved these changes Sep 26, 2025
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from 682672c to 92e4632 Compare October 21, 2025 21:51
@renovate renovate bot requested a review from a team as a code owner October 21, 2025 21:51
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 92e4632 to 61fa441 Compare October 28, 2025 19:14
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 61fa441 to a2ff81f Compare November 10, 2025 15:36
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from a2ff81f to 61d0a8a Compare November 18, 2025 14:37
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 61d0a8a to f7ad696 Compare December 3, 2025 14:57
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from f7ad696 to b5965bf Compare December 10, 2025 15:38
@renovate renovate bot changed the title from "[deps]: Lock file maintenance" to "[deps] Platform: Lock file maintenance" Dec 28, 2025
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from b5965bf to 793a9c3 Compare December 31, 2025 15:28
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 793a9c3 to fd9da6e Compare January 8, 2026 16:17
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from 6e32d3d to 27f28df Compare January 23, 2026 16:27
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from caf361d to 088590f Compare February 2, 2026 15:47
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 088590f to 388b359 Compare February 12, 2026 12:18
vleague2 previously approved these changes Feb 12, 2026
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch 3 times, most recently from 2bb9374 to 190c1f0 Compare February 20, 2026 14:18
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from f789942 to 1e93d34 Compare February 25, 2026 10:44
@renovate renovate bot force-pushed the renovate/lock-file-maintenance branch from 1e93d34 to aca1d81 Compare February 25, 2026 11:37