Bump the npm_and_yarn group across 3 directories with 16 updates by dependabot[bot] · Pull Request #2 · cloud-gov/OpenSearch-Dashboards

dependabot · 2026-02-20T06:51:37Z

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
@modelcontextprotocol/sdk	`1.18.2`	`1.26.0`
js-yaml	`4.1.0`	`4.1.1`
lodash	`4.17.21`	`4.17.23`
node-forge	`1.3.1`	`1.3.2`
tar	`6.2.1`	`7.5.8`
markdown-it	`13.0.2`	`14.1.1`
@langchain/core	`0.3.78`	`0.3.80`
serve-static	`1.14.1`	`1.16.0`
diff	`4.0.2`	`4.0.4`
@smithy/config-resolver	`4.1.0`	`4.4.6`
min-document	`2.19.0`	`2.19.2`

Bumps the npm_and_yarn group with 8 updates in the /packages/osd-dev-utils directory:

Package	From	To
@modelcontextprotocol/sdk	`1.18.2`	`1.26.0`
node-forge	`1.3.1`	`1.3.3`
markdown-it	`13.0.2`	`14.1.1`
diff	`3.5.0`	`3.5.1`
@smithy/config-resolver	`4.1.0`	`4.4.6`
formidable	`2.1.2`	`2.1.5`
min-document	`2.19.0`	`2.19.2`
qs	`6.11.0`	`6.13.0`

Bumps the npm_and_yarn group with 7 updates in the /packages/osd-storybook directory:

Package	From	To
@modelcontextprotocol/sdk	`1.18.2`	`1.26.0`
node-forge	`1.3.1`	`1.3.3`
serve-static	`1.14.1`	`1.16.0`
diff	`3.5.0`	`3.5.1`
@smithy/config-resolver	`4.1.0`	`4.4.6`
formidable	`2.1.2`	`2.1.5`
min-document	`2.19.0`	`2.19.2`

Updates @modelcontextprotocol/sdk from 1.18.2 to 1.26.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

chore: bump v1.25.3 for backport fixes by @pcarleton in modelcontextprotocol/typescript-sdk#1412

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in modelcontextprotocol/typescript-sdk#1382

Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in modelcontextprotocol/typescript-sdk#1442

chore: bump version to 1.26.0 by @pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

@samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382

@NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

[v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in modelcontextprotocol/typescript-sdk#1407

fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

ci: trigger workflow on v1.x branch by @felixweinberger in modelcontextprotocol/typescript-sdk#1319

fix: README badges links destinations by @antonpk1 in modelcontextprotocol/typescript-sdk#907

fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in modelcontextprotocol/typescript-sdk#1365

New Contributors

@antonpk1 made their first contribution in modelcontextprotocol/typescript-sdk#907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

spec types - backwards compatibility changes by @KKonstantinov in modelcontextprotocol/typescript-sdk#1306

chore: bump version for patch fix by @felixweinberger in modelcontextprotocol/typescript-sdk#1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

list changed handlers on client constructor by @mattzcarey in modelcontextprotocol/typescript-sdk#1206

Role - moved from inline to reusable type by @KKonstantinov in modelcontextprotocol/typescript-sdk#1221

fix: use versioned npm tag for non-main branch releases by @pcarleton in modelcontextprotocol/typescript-sdk#1236

No automatic completion support unless needed - Revisited yet again by @cliffhall in modelcontextprotocol/typescript-sdk#1237

fix: Support updating output schema by @vincent0426 in modelcontextprotocol/typescript-sdk#1048

... (truncated)

Commits

fe9c07b chore: bump version to 1.26.0 (#1479)
4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
a05be17 Merge commit from fork
50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
6aba065 chore: bump v1.25.3 for backport fixes (#1412)
6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
a0c9b13 fix: README badges links destinations (#907)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.2

Changelog

Sourced from node-forge's changelog.

1.3.2 - 2025-11-25

Security

HIGH: ASN.1 Validator Desynchronization

An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Reported by Hunter Wodzenski.

CVE ID: CVE-2025-12816

GHSA ID: GHSA-5gfm-wpxj-wjgq

HIGH: ASN.1 Unbounded Recursion

An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.

Reported by Hunter Wodzenski.

CVE ID: CVE-2025-66031

GHSA ID: GHSA-554w-wpv2-vw27

MODERATE: ASN.1 OID Integer Truncation

An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.

Reported by Hunter Wodzenski.

CVE ID: CVE-2025-66030

GHSA ID: GHSA-65ch-62r8-g69g

Fixed

[asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.

[asn1] Add fromDer() max recursion depth check.

Add a asn1.maxDepth global configurable maximum depth of 256.

Add a asn1.fromDer() per-call maxDepth option.

NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.

NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default maximum.

[asn1] Improve OID handling.

Error on parsed OID values larger than 2**32 - 1.

Error on DER OID values larger than 2**53 - 1 .

Commits

235ad3e Release 1.3.2.
2598244 Update changelog.
0032dd0 Fix typos.
d75e08d Run new security test.
a5ce91d Update changelog formatting.
4652de6 Cleanups.
eb932d9 Fix typo.
db6954b Fix style.
afbf7d8 Align error message style.
6607445 Revert minor changes.
Additional commits viewable in compare view

Updates tar from 6.2.1 to 7.5.8

Changelog

Sourced from tar's changelog.

Changelog

7.5

Added zstd compression support.

Consistent TOCTOU behavior in sync t.list

Only read from ustar block if not specified in Pax

Fix sync tar.list when file size reduces while reading

Sanitize absolute linkpaths properly

Prevent writing hardlink entries to the archive ahead of their file target

7.4

Deprecate onentry in favor of onReadEntry for clarity.

7.3

Add onWriteEntry option

7.2

DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

Update minipass to v7.1.0

Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

Drop support for node <18

Rewrite in TypeScript, provide ESM and CommonJS hybrid interface

Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.

Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.

Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

6b8eba0 7.5.8
2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
d18e4e1 fix: do not write linkpaths through symlinks
4a37eb9 7.5.7
f4a7aa9 fix: properly sanitize hard links containing ..
394ece6 7.5.6
7d4cc17 fix race puting a Link ahead of its target File
26ab904 7.5.5
e9a1ddb fix: do not prevent valid linkpaths within archive
911c886 7.5.4
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates markdown-it from 13.0.2 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @ltduc147 for report.

[14.1.0] - 2024-03-19

Changed

Updated CM spec compatibility to 0.31.2, #1009.

Fixed

Fixed quadratic complexity when parsing references, #996.

Fixed quadratic output size with pathological user input in tables, #1000.

[14.0.0] - 2023-12-08

Changed

Drop ancient browsers support (use .fromCodePoint and other features).

Rewrite to ESM (including all plugins/deps). CJS fallback still available. No signatures changed, except markdown-it-emoji plugin.

Dropped dist/ folder from repo, build on package publish.

Set punicode.js as external dependency.

Fixed

Html tokens inside img alt are now rendered as their original text, #896.

Hardbreaks inside img alt are now rendered as newlines.

Commits

b4a9b65 14.1.1 released
4b4bbca Fixed perf regression in linkify-it wrapper
d2782d8 Add supplementary example-driven documentation (#1092)
0fe7ccb 14.1.0 released
a367c44 Fix typo in comments of text.mjs (#1015)
7ad8179 add changelog
5e90063 simplify logic in scanDelims
d7ce5ec Merge pull request #1009 from notriddle/spec-0.31.2
0bfc57d Update spec to 0.31.2
cd24778 Update to comply with spec 0.31.2
Additional commits viewable in compare view

Updates @langchain/core from 0.3.78 to 0.3.80

Commits

See full diff in compare view

Updates serve-static from 1.14.1 to 1.16.0

Release notes

Sourced from serve-static's releases.

1.16.0

What's Changed

Remove link renderization in html while redirecting (expressjs/serve-static#173)

New Contributors

@UlisesGascon made their first contribution in expressjs/serve-static#173

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

1.15.0

deps: send@0.18.0

Fix emitted 416 error missing headers property

Limit the headers removed for 304 response

deps: depd@2.0.0

deps: destroy@1.2.0

deps: http-errors@2.0.0

deps: on-finished@2.4.1

deps: statuses@2.0.1

1.14.2

deps: send@0.17.2

deps: http-errors@1.8.1

deps: ms@2.1.3

pref: ignore empty http tokens

Changelog

Sourced from serve-static's changelog.

1.16.0 / 2024-09-10

Remove link renderization in html while redirecting

1.15.0 / 2022-03-24

deps: send@0.18.0

Fix emitted 416 error missing headers property

Limit the headers removed for 304 response

deps: depd@2.0.0

deps: destroy@1.2.0

deps: http-errors@2.0.0

deps: on-finished@2.4.1

deps: statuses@2.0.1

1.14.2 / 2021-12-15

deps: send@0.17.2

deps: http-errors@1.8.1

deps: ms@2.1.3

pref: ignore empty http tokens

Commits

48c7397 1.16.0
0c11fad Merge commit from fork
9b5a12a 1.15.0
a39a0df docs: update CI link
d702ea2 build: Node.js@17.8
ff1510a deps: send@0.18.0
813c7e4 build: mocha@9.2.2
2e029f9 build: Node.js@17.7
3269f31 build: supertest@6.2.2
71cd4f8 build: mocha@9.2.1
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.

Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

v4.0.4 - January 2026

Only change from 4.0.2 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v4.0.3 (deprecated)

Accidental release - do not use.

Commits

f06f3e4 v4.0.4
0179a48 v4.0.3
4568cae Backport kpdecker/jsdiff#649
4de0ffa Backport kpdecker/jsdiff#647
See full diff in compare view

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.

Updates @smithy/config-resolver from 4.1.0 to 4.4.6

Release notes

Sourced from @smithy/config-resolver's releases.

@smithy/util-defaults-mode-browser@4.3.32

Patch Changes

@smithy/smithy-client@4.11.5

@smithy/middleware-compression@4.3.31

Patch Changes

Updated dependencies [c5db01c]

@smithy/core@3.23.2

@smithy/util-defaults-mode-browser@4.3.31

Patch Changes

@smithy/smithy-client@4.11.4

@smithy/util-defaults-mode-browser@4.3.30

Patch Changes

@smithy/smithy-client@4.11.3

@smithy/middleware-compression@4.3.30

Patch Changes

Updated dependencies [6f96c01]

@smithy/core@3.23.1

@smithy/util-defaults-mode-browser@4.3.29

Patch Changes

@smithy/smithy-client@4.11.2

@smithy/middleware-compression@4.3.29

Patch Changes

Updated dependencies [4f05c6a]

@smithy/core@3.23.0

@smithy/util-defaults-mode-browser@4.3.28

Patch Changes

@smithy/smithy-client@4.11.1

@smithy/middleware-compression@4.3.28

Patch Changes

@smithy/core@3.22.1

@smithy/middleware-compression@4.3.27

Patch Changes

... (truncated)

Changelog

Sourced from @smithy/config-resolver's changelog.

4.4.6

Patch Changes

Updated dependencies [745867a]

@smithy/types@4.12.0

@smithy/node-config-provider@4.3.8

@smithy/util-endpoints@3.2.8

@smithy/util-middleware@4.2.8

4.4.5

Patch Changes

Updated dependencies [9ccb841]

@smithy/types@4.11.0

@smithy/node-config-provider@4.3.7

@smithy/util-endpoints@3.2.7

@smithy/util-middleware@4.2.7

4.4.4

Patch Changes

Updated dependencies [5a56762]

@smithy/types@4.10.0

@smithy/node-config-provider@4.3.6

@smithy/util-endpoints@3.2.6

@smithy/util-middleware@4.2.6

4.4.3

Patch Changes

Updated dependencies [3926fd7]

@smithy/types@4.9.0

@smithy/node-config-provider@4.3.5

@smithy/util-endpoints@3.2.5

@smithy/util-middleware@4.2.5

4.4.2

Patch Changes

372b46f: allow * region with warning

4.4.1

Patch Changes

... (truncated)

Commits

0e8cc49 Version NPM packages
7e4bbf6 chore: upgrade rimraf to v5.0.10 (#1829)
521d67c Version NPM packages
8b90f36 Version NPM packages
cc0124e Version NPM packages
07f95d9 Version NPM packages
372b46f fix(config-resolver): allow asterisk region with warning (#1760)
472a5ea Version NPM packages
8af2d33 Version NPM packages
13c5cd9 chore(config-resolver): add region validation cache (#1750)
Additional commits viewable in compare view

Updates min-document from 2.19.0 to 2.19.2

Commits

0d14150 2.19.2
49c2e06 Merge pull request #56 from wasabina67/fix/prototype-pollution-removeAttribut...
9666461 Fix prototype pollution vulnerability in removeAttributeNS
4490b40 2.19.1
2cd5871 update ignore
fe32e8d Merge pull request #55 from jameswassink/fix/prototype-pollution-removeAttrib...
6c5f31a Better prototype pollution fix
0d4e819 Fix prototype pollution in removeAttributeNS
bf7b691 Update package.json
1b5402d Merge pull request #49 from PixnBits/patch-1
Additional commits viewable in compare view

Updates send from 0.17.1 to 0.18.0

Changelog

Sourced from send's changelog.

0.18.0 / 2022-03-23

Fix emitted 416 error missing headers property

Limit the headers removed for 304 response

deps: depd@2.0.0

Replace internal eval usage with Function constructor

Use instance methods on process to check for listeners

deps: destroy@1.2.0

deps: http-errors@2.0.0

deps: depd@2.0.0

deps: statuses@2.0.1

deps: on-finished@2.4.1

deps: statuses@2.0.1

0.17.2 / 2021-12-11

pref: ignore empty http tokens

deps: http-errors@1.8.1

deps: inherits@2.0.4

deps: toidentifier@1.0.1

deps: setprototypeof@1.2.0

deps: ms@2.1.3

Commits

b69cbb3 0.18.0
f53edbb Limit the headers removed for 304 response
706d6dd docs: add security policy
b690ba4 docs: fix linux build badge link
fed09ff docs: update copyright
aee1a65 deps: destroy@1.2.0
6060bda deps: on-finished@2.4.1
8055f78 build: Node.js@17.7
5364219 build: mocha@9.2.2
f3cf8a9 deps: statuses@2.0.1
Additional commits viewable in compare view

Updates vega-functions from 5.18.0 to 6.1.1

Release notes

Sourced from vega-functions's releases.

v6.1.1

Full Changelog: vega/vega@v6.1.0...v6.1.1

v6.1.0

What's Changed

chore: bump cli to v6.0.0 by @lsh in vega/vega#4043

fix: update version in specs by @domoritz in vega/vega#4045

feat: export schema from vega package by @domoritz in vega/vega#4046

Full Changelog: vega/vega@v6.0.0...v6.1.0

v6.0.0

changes since v5.33.0

monorepo

Vega is now ESM only! (via #4018) (Thanks @domoritz!)

(fix) Correct browser export syntax (via #4039) (Thanks @domoritz!)

(fix) Fix source maps (via #4041) (Thanks @domoritz!)

(fix) handle string datetime in interpreter (via #4042) (Thanks @domoritz!)

vega-typings

Expose resetSVGDefIds (via #4012) (Thanks @domoritz!)

docs

Update deps and datasets (via #4036) (Thanks @domoritz!)

v5.33.1

What's Changed

Fixes GHSA-7f2v-3qq3-vvjf for v5 releases

fix: improve expressions by @markov00 in vega/vega#4147

chore(build): remove schema publish from long term support branch by @hydrosquall in vega/vega#4154

build: bump lockfile for 5.33.1 release by @hydrosquall in vega/vega#4158

Full Changelog: vega/vega@v5.33.0...v5.33.1

v5.33.0

Changes since v5.32.0

docs

Add release number to docs for base64 encode/decode (atob, btoa) (via #4023). (Thanks @hydrosquall!)

Fix docs for exponential regression (via #4024). (Thanks @elliot-at-looker!)

v5.32.0

Changes since v5.31.0

... (truncated)

Commits

d67c1b7 chore: bump to 6.1.1
e574530 chore: bump vega-cli
7722789 chore: bump to 6.1.0
6ba2d1b feat: export schema from vega package (#4046)
d98c6c7 fix: update version in specs (#4045)
9d01d54 chore: bump vega-typings version
f30adaa fix: correct type export
3ddb79e chore: bump cli to v6.0.0 (#4043)
45ce765 chore: v6.0.0 (#4040)
6cd32f9 fix: handle string datetime in interpreter (#4042)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by hydrosquall, a new releaser for vega-functions since your current version.

Updates vega-selections from 5.6.0 to 6.1.2

Release notes

Sourced from vega-selections's releases.

v6.1.2

Full Changelog: vega/vega@v6.1.1...v6.1.2

v6.1.1

Full Changelog: vega/vega@v6.1.0...v6.1.1

v6.1.0

What's Changed

chore: bump cli to v6.0.0 by @lsh in vega/vega#4043

fix: update version in specs by @domoritz in vega/vega#4045

feat: export schema from vega package by @domoritz in vega/vega#4046

Full Changelog: vega/vega@v6.0.0...v6.1.0

v6.0.0

changes since v5.33.0

monorepo

Vega is now ESM only! (via #4018) (Thanks @domoritz!)

(fix) Correct browser export syntax (via #4039) (Thanks @domoritz!)

(fix) Fix source maps (via #4041) (Thanks @domoritz!)

(fix) handle string datetime in interpreter (via #4042) (Thanks @domoritz!)

vega-typings

Expose resetSVGDefIds (via #4012) (Thanks @domoritz!)

docs

Update deps and datasets (via #4036) (Thanks @domoritz!)

v5.33.1

What's Changed

Fixes GHSA-7f2v-3qq3-vvjf for v5 releases

fix: improve expressions by @markov00 in vega/vega#4147

chore(build): remove schema publish from long term support branch by @hydrosquall in vega/vega#4154

build: bump lockfile for 5.33.1 release by @hydrosquall in vega/vega#4158

Full Changelog: vega/vega@v5.33.0...v5.33.1

v5.33.0

Changes since v5.32.0

docs

Add release number to docs for base64 encode/decode (atob, btoa) (via #4023). (Thanks @hydrosquall!)

Fix docs for exponential regression (via #4024). (Thanks @elliot-at-looker!)

... (truncated)

Commits

18a55af chore: fix json of package.json
38957ff chore: bump vega
bb800e9 chore: simplify gitignore
b737e03 fix: run npm pkg fix
d67c1b7 chore: bump to 6.1.1
e574530 chore: bump vega-cli
7722789 chore: bump to 6.1.0
6ba2d1b feat: export schema from vega package (#4046)
d98c6c7 fix: update version in specs (#4045)
9d01d54 chore: bump vega-typings version
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by hydrosquall, a new releaser for vega-selections since your current version.

Updates @modelcontextprotocol/sdk from 1.18.2 to 1.26.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

chore: bump v1.25.3 for backport fixes by @pcarleton in modelcontextprotocol/typescript-sdk#1412

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in modelcontextprotocol/typescript-sdk#1382

Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in modelcontextprotocol/typescript-sdk#1442

chore: bump version to 1.26.0 by @pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

@samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382

@NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

[v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in modelcontextprotocol/typescript-sdk#1407

fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

ci: trigger workflow on v1.x branch by @felixweinberger in modelcontextprotocol/typescript-sdk#1319

fix: README badges links destinations by @antonpk1 in modelcontextprotocol/typescript-sdk#907

fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in

Bumps the npm_and_yarn group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.18.2` | `1.26.0` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.2` | | [tar](https://github.com/isaacs/node-tar) | `6.2.1` | `7.5.8` | | [markdown-it](https://github.com/markdown-it/markdown-it) | `13.0.2` | `14.1.1` | | [@langchain/core](https://github.com/langchain-ai/langchainjs) | `0.3.78` | `0.3.80` | | [serve-static](https://github.com/expressjs/serve-static) | `1.14.1` | `1.16.0` | | [diff](https://github.com/kpdecker/jsdiff) | `4.0.2` | `4.0.4` | | [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) | `4.1.0` | `4.4.6` | | [min-document](https://github.com/Raynos/min-document) | `2.19.0` | `2.19.2` | Bumps the npm_and_yarn group with 8 updates in the /packages/osd-dev-utils directory: | Package | From | To | | --- | --- | --- | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.18.2` | `1.26.0` | | [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.3` | | [markdown-it](https://github.com/markdown-it/markdown-it) | `13.0.2` | `14.1.1` | | [diff](https://github.com/kpdecker/jsdiff) | `3.5.0` | `3.5.1` | | [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) | `4.1.0` | `4.4.6` | | [formidable](https://github.com/node-formidable/formidable) | `2.1.2` | `2.1.5` | | [min-document](https://github.com/Raynos/min-document) | `2.19.0` | `2.19.2` | | [qs](https://github.com/ljharb/qs) | `6.11.0` | `6.13.0` | Bumps the npm_and_yarn group with 7 updates in the /packages/osd-storybook directory: | Package | From | To | | --- | --- | --- | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.18.2` | `1.26.0` | | [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.3` | | [serve-static](https://github.com/expressjs/serve-static) | `1.14.1` | `1.16.0` | | [diff](https://github.com/kpdecker/jsdiff) | `3.5.0` | `3.5.1` | | [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) | `4.1.0` | `4.4.6` | | [formidable](https://github.com/node-formidable/formidable) | `2.1.2` | `2.1.5` | | [min-document](https://github.com/Raynos/min-document) | `2.19.0` | `2.19.2` | Updates `@modelcontextprotocol/sdk` from 1.18.2 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.18.2...v1.26.0) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `node-forge` from 1.3.1 to 1.3.2 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.3.2) Updates `tar` from 6.2.1 to 7.5.8 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v6.2.1...v7.5.8) Updates `markdown-it` from 13.0.2 to 14.1.1 - [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md) - [Commits](markdown-it/markdown-it@13.0.2...14.1.1) Updates `@langchain/core` from 0.3.78 to 0.3.80 - [Release notes](https://github.com/langchain-ai/langchainjs/releases) - [Commits](https://github.com/langchain-ai/langchainjs/commits) Updates `serve-static` from 1.14.1 to 1.16.0 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.14.1...1.16.0) Updates `diff` from 4.0.2 to 4.0.4 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4) Updates `@smithy/config-resolver` from 4.1.0 to 4.4.6 - [Release notes](https://github.com/smithy-lang/smithy-typescript/releases) - [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md) - [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.6/packages/config-resolver) Updates `min-document` from 2.19.0 to 2.19.2 - [Commits](Raynos/min-document@v2.19.0...v2.19.2) Updates `send` from 0.17.1 to 0.18.0 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.17.1...0.18.0) Updates `vega-functions` from 5.18.0 to 6.1.1 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.18.0...v6.1.1) Updates `vega-selections` from 5.6.0 to 6.1.2 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.6.0...v6.1.2) Updates `@modelcontextprotocol/sdk` from 1.18.2 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.18.2...v1.26.0) Updates `node-forge` from 1.3.1 to 1.3.3 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.3.2) Updates `markdown-it` from 13.0.2 to 14.1.1 - [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md) - [Commits](markdown-it/markdown-it@13.0.2...14.1.1) Updates `diff` from 3.5.0 to 3.5.1 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4) Updates `@smithy/config-resolver` from 4.1.0 to 4.4.6 - [Release notes](https://github.com/smithy-lang/smithy-typescript/releases) - [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md) - [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.6/packages/config-resolver) Updates `formidable` from 2.1.2 to 2.1.5 - [Release notes](https://github.com/node-formidable/formidable/releases) - [Changelog](https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md) - [Commits](https://github.com/node-formidable/formidable/commits) Updates `min-document` from 2.19.0 to 2.19.2 - [Commits](Raynos/min-document@v2.19.0...v2.19.2) Updates `qs` from 6.11.0 to 6.13.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.11.0...v6.13.0) Updates `vega-functions` from 5.18.0 to 5.18.1 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.18.0...v6.1.1) Updates `vega-selections` from 5.6.0 to 5.6.3 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.6.0...v6.1.2) Updates `@modelcontextprotocol/sdk` from 1.18.2 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.18.2...v1.26.0) Updates `node-forge` from 1.3.1 to 1.3.3 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.3.2) Updates `serve-static` from 1.14.1 to 1.16.0 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.14.1...1.16.0) Updates `diff` from 3.5.0 to 3.5.1 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4) Updates `@smithy/config-resolver` from 4.1.0 to 4.4.6 - [Release notes](https://github.com/smithy-lang/smithy-typescript/releases) - [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md) - [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.6/packages/config-resolver) Updates `formidable` from 2.1.2 to 2.1.5 - [Release notes](https://github.com/node-formidable/formidable/releases) - [Changelog](https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md) - [Commits](https://github.com/node-formidable/formidable/commits) Updates `min-document` from 2.19.0 to 2.19.2 - [Commits](Raynos/min-document@v2.19.0...v2.19.2) Updates `send` from 0.17.1 to 0.18.0 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.17.1...0.18.0) Updates `vega-functions` from 5.18.0 to 5.18.1 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.18.0...v6.1.1) Updates `vega-selections` from 5.6.0 to 5.6.3 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.6.0...v6.1.2) --- updated-dependencies: - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.8 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: markdown-it dependency-version: 14.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@langchain/core" dependency-version: 0.3.80 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 4.0.4 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@smithy/config-resolver" dependency-version: 4.4.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: min-document dependency-version: 2.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.18.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-functions dependency-version: 6.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-selections dependency-version: 6.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.3.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: markdown-it dependency-version: 14.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 3.5.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@smithy/config-resolver" dependency-version: 4.4.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: formidable dependency-version: 2.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: min-document dependency-version: 2.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.13.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-functions dependency-version: 5.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-selections dependency-version: 5.6.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.3.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 3.5.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@smithy/config-resolver" dependency-version: 4.4.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: formidable dependency-version: 2.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: min-document dependency-version: 2.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.18.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-functions dependency-version: 5.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-selections dependency-version: 5.6.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 20, 2026

dependabot bot mentioned this pull request Feb 20, 2026

Bump the npm_and_yarn group across 2 directories with 7 updates #1

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

Bump the npm_and_yarn group across 3 directories with 16 updates#2

Bump the npm_and_yarn group across 3 directories with 16 updates#2
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-574a147c8a

dependabot bot commented on behalf of github Feb 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Comments

Conversation

dependabot bot commented on behalf of github Feb 20, 2026

v1.26.0

What's Changed

New Contributors

v1.25.3

What's Changed

v1.25.2

What's Changed

New Contributors

1.25.1

What's Changed

1.25.0

What's Changed

[4.1.1] - 2025-11-12

Security

1.3.2 - 2025-11-25

Security

Fixed

Changelog

7.5

7.4

7.3

7.2

7.1

7.0

[14.1.1] - 2026-01-11

Security

[14.1.0] - 2024-03-19

Changed

Fixed

[14.0.0] - 2023-12-08

Changed

Fixed

1.16.0

What's Changed

New Contributors

1.15.0

1.14.2

1.16.0 / 2024-09-10

1.15.0 / 2022-03-24

1.14.2 / 2021-12-15

v4.0.4 - January 2026

v4.0.3 (deprecated)

@​smithy/util-defaults-mode-browser@​4.3.32

Patch Changes

@​smithy/middleware-compression@​4.3.31

Patch Changes

@​smithy/util-defaults-mode-browser@​4.3.31

Patch Changes

@​smithy/util-defaults-mode-browser@​4.3.30

Patch Changes

@​smithy/middleware-compression@​4.3.30

Patch Changes

@​smithy/util-defaults-mode-browser@​4.3.29

Patch Changes

@​smithy/middleware-compression@​4.3.29

Patch Changes

@​smithy/util-defaults-mode-browser@​4.3.28

Patch Changes

@​smithy/middleware-compression@​4.3.28

Patch Changes

@​smithy/middleware-compression@​4.3.27

Patch Changes

4.4.6

Patch Changes

4.4.5

Patch Changes

4.4.4

Patch Changes

4.4.3

Patch Changes

4.4.2

Patch Changes

4.4.1

Patch Changes

0.18.0 / 2022-03-23

0.17.2 / 2021-12-11

v6.1.1

`@smithy/util-defaults-mode-browser@4`.3.32

`@smithy/middleware-compression@4`.3.31

`@smithy/util-defaults-mode-browser@4`.3.31

`@smithy/util-defaults-mode-browser@4`.3.30

`@smithy/middleware-compression@4`.3.30

`@smithy/util-defaults-mode-browser@4`.3.29

`@smithy/middleware-compression@4`.3.29

`@smithy/util-defaults-mode-browser@4`.3.28

`@smithy/middleware-compression@4`.3.28

`@smithy/middleware-compression@4`.3.27