Bump the npm_and_yarn group across 2 directories with 12 updates by dependabot[bot] · Pull Request #504 · paritytech/polkadot-testnet-faucet

dependabot · 2026-02-12T18:01:48Z

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
axios	`1.7.4`	`1.13.5`
matrix-js-sdk	`36.0.0`	`38.2.0`
typeorm	`0.3.20`	`0.3.26`
base-x	`4.0.0`	`4.0.1`
brace-expansion	`1.1.11`	`1.1.12`
formidable	`2.1.2`	`2.1.5`
js-yaml	`4.1.0`	`4.1.1`
lodash	`4.17.21`	`4.17.23`
node-forge	`1.3.1`	`1.3.3`
tmp	`0.2.3`	`0.2.5`

Bumps the npm_and_yarn group with 2 updates in the /client directory: brace-expansion and devalue.

Updates axios from 1.7.4 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

Fix/5657. (PR #7313)

Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

Add input validation to isAbsoluteURL. (PR #7326)

Refactor: bump minor package versions. (PR #7356)

Documentation

Clarify object-check comment. (PR #7323)

Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

Chore: fix issues with YAML. (PR #7355)

CI: update workflow YAMLs. (PR #7372)

CI: fix run condition. (PR #7373)

Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)

Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

@sachin11063 (first contribution — PR #7323)

@asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

fix: issues with version 1.13.3 (#7352) (ee90dfc)

Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)

interceptor: handle the error in the same interceptor (#6269) (5945e40)

main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)

package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)

silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)

turn AxiosError into a native error (#5394) (#5558) (1c6a86d)

types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)

types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)

unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

add undefined as a value in AxiosRequestConfig (#5560) (095033c)

add automatic minor and patch upgrades to dependabot (#6053) (65a7584)

add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)

added copilot instructions (3f83143)

compatibility with frozen prototypes (#6265) (860e033)

enhance pipeFileToResponse with error handling (#7169) (88d7884)

types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298

deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

Ashvin Tiwari

Nikunj Mochi

Anchal Singh

jasonsaayman

Julian Dax

Akash Dhar Dubey

Madhumita

Tackoil

Justin Dhillon

Rudransh

WuMingDao

codenomnom

Nandan Acharya

Eric Dubé

Tibor Pilz

Gabriel Quaresma

Turadg Aleahmad

... (truncated)

Commits

29f7542 chore(release): prepare release 1.13.5 (#7379)
431c3a3 ci: fix run condition (#7373)
9ff3a78 ci: update ymls (#7372)
265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
475e75a feat: add input validation to isAbsoluteURL (#7326)
28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
04cf019 docs: clarify object check comment (#7323)
696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
569f028 fix: added a option to choose between legacy and the new request/response int...
44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates matrix-js-sdk from 36.0.0 to 38.2.0

Release notes

Sourced from matrix-js-sdk's releases.

v38.2.0

Fix CVE-2025-59160 / GHSA-mp7c-m3rh-r56v

v38.1.0

✨ Features

Remove custom org.matrix.msc4075.rtc.notification.parent relation type (#4979). Contributed by @toger5.

MatrixRTC: Add RTC decline event (#4978). Contributed by @toger5.

Make a MatrixRTCSession emit once the RTCNotification is sent (#4976). Contributed by @toger5.

Use hydra semantics for unknown room versions (#4957). Contributed by @dbkr.

Expose the StatusChanged event through the RTCSession (#4974). Contributed by @toger5.

Add probablyLeft event to the MatrixRTCSession (#4962). Contributed by @toger5.

🐛 Bug Fixes

Fix m.topic format (#4984). Contributed by @tulir.

Fix stable-suffixed MSC4133 support (#4983). Contributed by @dbkr.

Fix thread edit aggregation race condition (#4980). Contributed by @basnijholt.

v38.1.0-rc.0

✨ Features

Remove custom org.matrix.msc4075.rtc.notification.parent relation type (#4979). Contributed by @toger5.

MatrixRTC: Add RTC decline event (#4978). Contributed by @toger5.

Make a MatrixRTCSession emit once the RTCNotification is sent (#4976). Contributed by @toger5.

Use hydra semantics for unknown room versions (#4957). Contributed by @dbkr.

Expose the StatusChanged event through the RTCSession (#4974). Contributed by @toger5.

Add probablyLeft event to the MatrixRTCSession (#4962). Contributed by @toger5.

🐛 Bug Fixes

Fix m.topic format (#4984). Contributed by @tulir.

Fix stable-suffixed MSC4133 support (#4983). Contributed by @dbkr.

Fix thread edit aggregation race condition (#4980). Contributed by @basnijholt.

v38.0.0

🚨 BREAKING CHANGES

Release tranche of breaking changes (#4975).

Remove support for FetchHttpApi onlyData = false

Remove deprecated IJoinRoomOpts.syncRoom

Remove deprecated methods which are unsupported in rust crypto

Remove deprecated getAuthIssuer method

Remove deprecated beginKeyVerification method

Remove deprecated isEncryptedDisabledForUnverifiedDevices getter

Remove deprecated UndecryptableToDeviceEvent MatrixClient emit

Remove deprecated defer utility method

Remove deprecated UIAResponse dummy type

Remove deprecated MatrixRTCSession MembershipConfig fields

... (truncated)

Changelog

Sourced from matrix-js-sdk's changelog.

Changes in 38.2.0 (2025-09-16)

Fix CVE-2025-59160 / GHSA-mp7c-m3rh-r56v

Changes in 38.1.0 (2025-09-09)

✨ Features

Remove custom org.matrix.msc4075.rtc.notification.parent relation type (#4979). Contributed by @toger5.

MatrixRTC: Add RTC decline event (#4978). Contributed by @toger5.

Make a MatrixRTCSession emit once the RTCNotification is sent (#4976). Contributed by @toger5.

Use hydra semantics for unknown room versions (#4957). Contributed by @dbkr.

Expose the StatusChanged event through the RTCSession (#4974). Contributed by @toger5.

Add probablyLeft event to the MatrixRTCSession (#4962). Contributed by @toger5.

🐛 Bug Fixes

Fix m.topic format (#4984). Contributed by @tulir.

Fix stable-suffixed MSC4133 support (#4983). Contributed by @dbkr.

Fix thread edit aggregation race condition (#4980). Contributed by @basnijholt.

Changes in 38.0.0 (2025-08-27)

🚨 BREAKING CHANGES

Release tranche of breaking changes (#4975).

Remove support for FetchHttpApi onlyData = false

Remove deprecated IJoinRoomOpts.syncRoom

Remove deprecated methods which are unsupported in rust crypto

Remove deprecated getAuthIssuer method

Remove deprecated beginKeyVerification method

Remove deprecated isEncryptedDisabledForUnverifiedDevices getter

Remove deprecated UndecryptableToDeviceEvent MatrixClient emit

Remove deprecated defer utility method

Remove deprecated UIAResponse dummy type

Remove deprecated MatrixRTCSession MembershipConfig fields

Remove deprecated findVerificationRequestDMInProgress and storeSessionBackupPrivateKey methods in favour of overloads

✨ Features

Allow multiple rtc sessions per room (with different sessionDescriptions) (#4945). Contributed by @toger5.

Add support for login_hint in authorization url generation (#4943). Contributed by @odelcroi.

Only process MatrixRTC sessions associated with calls for callMembershipsForRoom (#4960). Contributed by @fkwp.

Changes in 37.13.0 (2025-08-11)

... (truncated)

Commits

4a9006a v38.2.0
43c72d5 Merge commit from fork
ff89c9e v38.1.0
b32619a v38.1.0-rc.0
3d3c3ba Fix m.topic format (#4984)
d62c658 Remove custom org.matrix.msc4075.rtc.notification.parent relation type (#4979)
bdc4a69 Fix stable-suffixed MSC4133 support (#4983)
ab89242 Fix thread edit aggregation race condition (#4980)
ed607c4 Merge branch 'master' into develop
a8d75b8 v38.0.0
Additional commits viewable in compare view

Updates typeorm from 0.3.20 to 0.3.26

Release notes

Sourced from typeorm's releases.

0.3.26

Notes:

When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.

When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

What's Changed

chore: Remove manual trigger on publish workflow by @michaelbromley in typeorm/typeorm#11536

test(ci): force mocha to exit on stuck process by @OSA413 in typeorm/typeorm#11538

fix(oracle): pass duplicated parameters correctly to the client when executing a query by @alumni in typeorm/typeorm#11537

feat(sap): add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud by @alumni in typeorm/typeorm#11526

fix: add stricter type-checking and improve event loop handling by @alumni in typeorm/typeorm#11540

perf: avoid unnecessary count on getManyAndCount by @EQuincerot in typeorm/typeorm#11524

feat(sap): use the native driver for connection pooling by @alumni in typeorm/typeorm#11520

fix: support for better-sqlite3 v12 by @mohd-akram in typeorm/typeorm#11557

fix: preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) by @kettui in typeorm/typeorm#10679

chore: change test badge from test.yml to commit-validation.yml by @albasyir in typeorm/typeorm#11560

fix: do not create junction table metadata when it already exists by @ragrag in typeorm/typeorm#11114

fix(mysql): support AnalyticDB returning version() column name in getVersion() by @rhydian0x in typeorm/typeorm#11555

fix: resolve array modification bug in QueryRunner drop methods #11563 by @taina0407 in typeorm/typeorm#11564

fix(mysql): set stringifyObjects implicitly by @alumni in typeorm/typeorm#11574

docs: separate driver-specific documentation by @alumni in typeorm/typeorm#11581

docs: fix redirect to mongodb page by @alumni in typeorm/typeorm#11584

feat(11528): add Redis 5.x support with backward compatibility wite peer dependency to allow by @par333k in typeorm/typeorm#11585

fix: regtype is not supported in aurora serverless v2 by @ArsenyYankovsky in typeorm/typeorm#11568

fix(platform[web worker]): improve globalThis variable retrieval for … by @dasoncheng in typeorm/typeorm#11495

docs: added @piying/orm extension to readme by @wszgrcy in typeorm/typeorm#11596

docs: Fix reload option typo by @radovanovic-stevan in typeorm/typeorm#11601

feat: add entity mode virtual-property by @wszgrcy in typeorm/typeorm#11597

chore: Release v0.3.26 by @michaelbromley in typeorm/typeorm#11602

New Contributors

@EQuincerot made their first contribution in typeorm/typeorm#11524

@kettui made their first contribution in typeorm/typeorm#10679

@ragrag made their first contribution in typeorm/typeorm#11114

@rhydian0x made their first contribution in typeorm/typeorm#11555

@taina0407 made their first contribution in typeorm/typeorm#11564

@par333k made their first contribution in typeorm/typeorm#11585

@dasoncheng made their first contribution in typeorm/typeorm#11495

@wszgrcy made their first contribution in typeorm/typeorm#11596

@radovanovic-stevan made their first contribution in typeorm/typeorm#11601

Full Changelog: typeorm/typeorm@0.3.25...0.3.26

0.3.25

... (truncated)

Changelog

Sourced from typeorm's changelog.

0.3.26 (2025-08-16)

Notes:

When using MySQL, TypeORM now connects using stringifyObjects: true, in order to avoid a potential security vulnerability in the mysql/mysql2 client libraries. You can revert to the old behavior by setting connectionOptions.extra.stringifyObjects = false.

When using SAP HANA, TypeORM now uses the built-in pool from the @sap/hana-client library. The deprecated hdb-pool is no longer necessary and can be removed. See https://typeorm.io/docs/drivers/sap/#data-source-options for the new pool options.

Bug Fixes

add stricter type-checking and improve event loop handling (#11540) (01dddfe)

do not create junction table metadata when it already exists (#11114) (3c26cf1)

mysql: set stringifyObjects implicitly (#11574) (d57fe3b)

mysql: support Alibaba AnalyticDB returning version() column name in getVersion() (#11555) (1737e97)

oracle: pass duplicated parameters correctly to the client when executing a query (#11537) (f2d2236)

platform[web worker]: improve globalThis variable retrieval for browser environment (#11495) (ec26eae)

preserve useIndex when cloning a QueryExpressionMap (or a QueryBuilder) (#10679) (66ee307), closes #10678 #10678

regtype is not supported in aurora serverless v2 (#11568) (6e9f20d)

resolve array modification bug in QueryRunner drop methods (#11564) (f351757), closes #11563

support for better-sqlite3 v12 (#11557) (1ea3a5e)

Features

add Redis 5.x support with backward compatibility with peer dependency to allow (#11585) (17cf837), closes #11528

sap: add support for REAL_VECTOR and HALF_VECTOR data types in SAP HANA Cloud (#11526) (abf8863)

sap: use the native driver for connection pooling (#11520) (aebc7eb)

support virtual columns in entity schema (#11597) (d1e3950)

Performance Improvements

avoid unnecessary count on getManyAndCount (#11524) (5904ac3)

0.3.25 (2025-06-19)

Bug Fixes

add collation update detection in PostgresDriver (#11441) (24c3e38), closes #8647 #8647

fix null pointer exception on date array column comparison (#11532) (42e7cbe)

handle limit(0) and offset(0) correctly in SelectQueryBuilder (#11507) (413f0a6)

improve async calls on disconnect (#11523) (ead4f98)

multiple relations with same column name(s) generate invalid SELECT statement (#11400) (63a3b9a), closes #1668 #9788 #9814 #10121 #10148 #11109 #11132 #11180

postgres: resolve alias or table name in upsert/insert or update conditionally (#11452) (2bfa300), closes #11082 #11440

tree-entity: closure junction table primary key definition should match parent table (#11422) (ce23d46)

docs: fix up doc search workflow (#11513) (930eefd)

Features

add upsert support for Oracle, SQLServer and SAP HANA (#10974) (a9c16ee)

spanner: use credentials from connection options (#11492) (07d7913), closes #11442

... (truncated)

Commits

4d204ad chore: Release v0.3.26 (#11602)
d1e3950 feat: support virtual columns in entity schema (#11597)
1698313 docs: fix reload option typo (#11601)
0b767e8 docs: added @piying/orm extension to readme (#11596)
ec26eae fix(platform[web worker]): improve globalThis variable retrieval for browser ...
6e9f20d fix: regtype is not supported in aurora serverless v2 (#11568)
17cf837 feat(11528): add Redis 5.x support with backward compatibility wite peer depe...
8097d1a docs: fix redirect to mongodb page (#11584)
23fcde2 docs: separate driver-specific documentation (#11581)
d57fe3b fix(mysql): set stringifyObjects implicitly (#11574)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by michaelbromley, a new releaser for typeorm since your current version.

Updates base-x from 4.0.0 to 4.0.1

Commits

7c17e51 4.0.1
e848733 Prohibit char codes that would overflow the BASE_MAP
See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

pkg: publish on tag 1.x c460dbd

fmt ccb8ac6

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

44f33b4 1.1.12
c460dbd pkg: publish on tag 1.x
ccb8ac6 fmt
c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates formidable from 2.1.2 to 2.1.5

Commits

See full diff in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Commits

cc482e7 4.1.1 released
50968b8 dist rebuild
d092d86 lint fix
383665f fix prototype pollution in merge (<<)
0d3ca7a README.md: HTTP => HTTPS (#678)
49baadd doc: 'empty' style option for !!null
ba3460e Fix demo link (#618)
See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

[pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

HIGH: ASN.1 Validator Desynchronization

An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Reported by Hunter Wodzenski.

CVE ID: CVE-2025-12816

GHSA ID: GHSA-5gfm-wpxj-wjgq

HIGH: ASN.1 Unbounded Recursion

An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.

Reported by Hunter Wodzenski.

CVE ID: CVE-2025-66031

GHSA ID: GHSA-554w-wpv2-vw27

MODERATE: ASN.1 OID Integer Truncation

An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.

Reported by Hunter Wodzenski.

CVE ID: CVE-2025-66030

GHSA ID: GHSA-65ch-62r8-g69g

Fixed

[asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.

[asn1] Add fromDer() max recursion depth check.

Add a asn1.maxDepth global configurable maximum depth of 256.

Add a asn1.fromDer() per-call maxDepth option.

NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.

NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

1cea0af Release 1.3.3.
5265989 Update changelog.
e4f3961 Fix changelog for release.
503979b Update changelog.
c3b3b32 Make digestAlgorithm parameters optional
6f70043 Update CVE details.
f547b0d Start 1.3.3-0.
235ad3e Release 1.3.2.
2598244 Update changelog.
0032dd0 Fix typos.
Additional commits viewable in compare view

Updates sha.js from 2.4.11 to 2.4.12

Changelog

Sourced from sha.js's changelog.

v2.4.12 - 2025-07-01

Commits

[eslint] switch to eslint 7acadfb

[meta] add auto-changelog b46e711

[eslint] fix package.json indentation df9d521

[Tests] migrate from travis to GHA c43c64a

[Fix] support multi-byte wide typed arrays f2a258e

[meta] reorder package.json d8d77c0

[meta] add npmignore 35aec35

[Tests] avoid console logs 73e33ae

[Tests] fix tests run in batch 2629130

[Tests] drop node requirement to 0.10 00c7f23

[Dev Deps] update buffer, hash-test-vectors, standard, tape, typedarray 92b5de5

[Tests] drop node requirement to v3 9b5eca8

[meta] set engines to >= 4 807084c

Only apps should have lockfiles c72789c

[Deps] update inherits, safe-buffer 5428cfc

[Dev Deps] update @ljharb/eslint-config 2dbe0aa

update README to reflect LICENSE 8938256

[Dev Deps] add missing peer dep d528896

[Dev Deps] remove unused buffer dep 94ca724

Commits

eb4ea2f v2.4.12
d8d77c0 [meta] reorder package.json
df9d521 [eslint] fix package.json inden...
Description has been truncated

Bumps the npm_and_yarn group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [axios](https://github.com/axios/axios) | `1.7.4` | `1.13.5` | | [matrix-js-sdk](https://github.com/matrix-org/matrix-js-sdk) | `36.0.0` | `38.2.0` | | [typeorm](https://github.com/typeorm/typeorm) | `0.3.20` | `0.3.26` | | [base-x](https://github.com/cryptocoinjs/base-x) | `4.0.0` | `4.0.1` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.12` | | [formidable](https://github.com/node-formidable/formidable) | `2.1.2` | `2.1.5` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.3` | | [tmp](https://github.com/raszi/node-tmp) | `0.2.3` | `0.2.5` | Bumps the npm_and_yarn group with 2 updates in the /client directory: [brace-expansion](https://github.com/juliangruber/brace-expansion) and [devalue](https://github.com/sveltejs/devalue). Updates `axios` from 1.7.4 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.7.4...v1.13.5) Updates `matrix-js-sdk` from 36.0.0 to 38.2.0 - [Release notes](https://github.com/matrix-org/matrix-js-sdk/releases) - [Changelog](https://github.com/matrix-org/matrix-js-sdk/blob/develop/CHANGELOG.md) - [Commits](matrix-org/matrix-js-sdk@v36.0.0...v38.2.0) Updates `typeorm` from 0.3.20 to 0.3.26 - [Release notes](https://github.com/typeorm/typeorm/releases) - [Changelog](https://github.com/typeorm/typeorm/blob/master/CHANGELOG.md) - [Commits](typeorm/typeorm@0.3.20...0.3.26) Updates `base-x` from 4.0.0 to 4.0.1 - [Commits](cryptocoinjs/base-x@v4.0.0...v4.0.1) Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) Updates `formidable` from 2.1.2 to 2.1.5 - [Release notes](https://github.com/node-formidable/formidable/releases) - [Changelog](https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md) - [Commits](https://github.com/node-formidable/formidable/commits) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `node-forge` from 1.3.1 to 1.3.3 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.3.3) Updates `sha.js` from 2.4.11 to 2.4.12 - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md) - [Commits](browserify/sha.js@v2.4.11...v2.4.12) Updates `tmp` from 0.2.3 to 0.2.5 - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md) - [Commits](raszi/node-tmp@v0.2.3...v0.2.5) Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) Updates `brace-expansion` from 1.1.11 to 1.1.12 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) Updates `devalue` from 4.3.2 to 4.3.3 - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v4.3.2...v4.3.3) --- updated-dependencies: - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: matrix-js-sdk dependency-version: 38.2.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: typeorm dependency-version: 0.3.26 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: base-x dependency-version: 4.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: formidable dependency-version: 2.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.3.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: sha.js dependency-version: 2.4.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tmp dependency-version: 0.2.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: devalue dependency-version: 4.3.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot requested a review from a team as a code owner February 12, 2026 18:01

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 12, 2026

dependabot bot mentioned this pull request Feb 12, 2026

Bump the npm_and_yarn group across 2 directories with 12 updates #501

Closed

github-actions bot added the client Changes related to th client label Feb 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 2 directories with 12 updates#504

Bump the npm_and_yarn group across 2 directories with 12 updates#504
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-9235f0ce52

dependabot bot commented on behalf of github Feb 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Feb 12, 2026

v1.13.5

Release 1.13.5

Highlights

Changes

Security

Fixes

Features / Improvements

Documentation

CI / Maintenance

New Contributors

v1.13.4

Overview

What's New in v1.13.4

Bug Fixes

Changelog

1.13.3 (2026-01-20)

Bug Fixes

Features

Reverts

Contributors to this release

v38.2.0

v38.1.0

✨ Features

🐛 Bug Fixes

v38.1.0-rc.0

✨ Features

🐛 Bug Fixes

v38.0.0

🚨 BREAKING CHANGES

Changes in 38.2.0 (2025-09-16)

Changes in 38.1.0 (2025-09-09)

✨ Features

🐛 Bug Fixes

Changes in 38.0.0 (2025-08-27)

🚨 BREAKING CHANGES

✨ Features

Changes in 37.13.0 (2025-08-11)

0.3.26

What's Changed

New Contributors

0.3.25

0.3.26 (2025-08-16)

Bug Fixes

Features

Performance Improvements

0.3.25 (2025-06-19)

Bug Fixes

Features

v1.1.12

[4.1.1] - 2025-11-12

Security

1.3.3 - 2025-12-02

Fixed

1.3.2 - 2025-11-25

Security

Fixed

v2.4.12 - 2025-07-01

Commits

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants