Bump the npm_and_yarn group across 1 directory with 16 updates

[dependabot]

Bumps the npm_and_yarn group with 15 updates in the / directory:

Package	From	To
axios	1.4.0	1.11.0
ws	8.17.0	8.18.3
engine.io	6.5.4	6.5.5
socket.io-adapter	2.5.4	2.5.5
engine.io-client	6.5.3	6.5.4
brace-expansion	1.1.11	1.1.12
cookie	0.4.2	0.7.2
light-my-request	5.13.0	5.14.0
socket.io	4.7.5	4.8.1
cross-spawn	6.0.5	6.0.6
find-my-way	7.7.0	8.2.2
fastify	4.12.0	4.29.1
got	9.6.0	removed
np	7.7.0	10.2.0
tar-fs	2.1.1	2.1.3

Updates axios from 1.4.0 to 1.11.0

Release notes

Sourced from axios's releases.

Release v1.11.0

Release notes:

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

Release v1.10.0

Release notes:

Bug Fixes

• adapter: pass fetchOptions to fetch function (#6883) (0f50af8)
• form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)
• package: add module entry point for React Native; (#6933) (3d343b8)

Features

• types: improved fetchOptions interface (#6867) (63f1fce)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Dimitrios Lazanas
• Adrian Knapp
• Howie Zhao
• Uhyeon Park
• Sampo Silvennoinen

Release v1.9.0

Release notes:

Bug Fixes

• core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
• fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
• headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
• headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)
• headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)
• http: send minimal end multipart boundary (#6661) (987d2e2)
• types: fix autocomplete for adapter config (#6855) (e61a893)

... (truncated)

Changelog

Sourced from axios's changelog.

1.11.0 (2025-07-22)

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

1.10.0 (2025-06-14)

Bug Fixes

• adapter: pass fetchOptions to fetch function (#6883) (0f50af8)
• form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)
• package: add module entry point for React Native; (#6933) (3d343b8)

Features

• types: improved fetchOptions interface (#6867) (63f1fce)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Dimitrios Lazanas
• Adrian Knapp
• Howie Zhao
• Uhyeon Park
• Sampo Silvennoinen

1.9.0 (2025-04-24)

Bug Fixes

• core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
• fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
• headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
• headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)

... (truncated)

Commits

• b76c4ac chore(release): v1.11.0 (#6974)
• e72c193 fix: form-data npm pakcage (#6970)
• 8517aa1 fix(types): resolve type discrepancies between ESM and CJS TypeScript declara...
• a2214ca fix: prevent RangeError when using large Buffers (#6961)
• 6161947 refactor: use spread operator instead of '.apply()' (#6938)
• a1d16dd refactor: use an object spread instead of Object.assign (#6939)
• 07183cd chore(sponsor): update sponsor block (#6952)
• ef36347 docs(CONTRIBUTING): update docs link for accuracy (#6894)
• b29bd6a chore(sponsor): update sponsor block (#6948)
• a406a93 chore(sponsor): update sponsor block (#6937)
• Additional commits viewable in compare view

Updates ws from 8.17.0 to 8.18.3

Release notes

Sourced from ws's releases.

8.18.3

Bug fixes

• Fixed a spec violation where the Sec-WebSocket-Version header was not added to the HTTP response if the client requested version was either invalid or unacceptable (33f5dbaf).

8.18.2

Bug fixes

• Fixed an issue that, during message decompression when the maximum size was exceeded, led to the emission of an inaccurate error and closure of the connection with an improper close code (#2285).

8.18.1

Bug fixes

• The length of the UNIX domain socket paths in the tests has been shortened to make them work when run via CITGM (021f7b8b).

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';

</tr></table>

... (truncated)

Commits

• dabbdec [dist] 8.18.3
• 33f5dba [fix] Respond with the supported protocol versions (#2291)
• 22a5a17 [ci] Test on node 24
• e67eb7a [ci] Do not test on node 23
• fa670f2 [ci] Run the lint step on node 22
• 0eb8535 [dist] 8.18.2
• 4f20aed [fix] Handle oversized messages with designated error (#2285)
• aa998e3 [pkg] Update globals to version 16.0.0
• cf25954 [minor] Fix nit in error message
• b92745a [dist] 8.18.1
• Additional commits viewable in compare view

Updates engine.io from 6.5.4 to 6.5.5

Commits

• See full diff in compare view

Updates socket.io-adapter from 2.5.4 to 2.5.5

Changelog

Sourced from socket.io-adapter's changelog.

2.5.5 (2024-06-18)

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: GHSA-3h5v-q93c-6h6q

Commits

• 05a190a chore(release): 6.5.5
• 93fe190 chore(deps): bump ws from 8.11.0 to 8.17.1 (#93)
• See full diff in compare view

Updates engine.io-client from 6.5.3 to 6.5.4

Commits

• See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates cookie from 0.4.2 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates light-my-request from 5.13.0 to 5.14.0

Release notes

Sourced from light-my-request's releases.

v5.14.0

What's Changed

• Bumped cookie to v0.7 [5.x] by @​mcollina in fastify/light-my-request#302

Full Changelog: fastify/light-my-request@v5.13.0...v5.14

Commits

• 7036b3b Bumped v5.14.0
• b9e1e59 Bumped cookie to v0.7 [5.x] (#302)
• See full diff in compare view

Updates socket.io from 4.7.5 to 4.8.1

Release notes

Sourced from socket.io's releases.

socket.io@4.8.1

Due to a change in the bundler configuration, the production bundle (socket.io.min.js) did not support sending and receiving binary data in version 4.8.0. This is now fixed.

Dependencies

• engine.io@~6.6.0 (no change)
• ws@~8.17.1 (no change)

socket.io-client@4.8.1

Bug Fixes

• bundle: do not mangle the "_placeholder" attribute (ca9e994)

Dependencies

• engine.io-client@~6.6.1 (no change)
• ws@~8.17.1 (no change)

socket.io-client@4.8.0

Features

Custom transport implementations

The transports option now accepts an array of transport implementations:

import { io } from "socket.io-client";
import { XHR, WebSocket } from "engine.io-client";
const socket = io({
transports: [XHR, WebSocket]
});

Here is the list of provided implementations:

Transport	Description
Fetch	HTTP long-polling based on the built-in fetch() method.
NodeXHR	HTTP long-polling based on the XMLHttpRequest object provided by the xmlhttprequest-ssl package.
XHR	HTTP long-polling based on the built-in XMLHttpRequest object.
NodeWebSocket	WebSocket transport based on the WebSocket object provided by the ws package.
WebSocket	WebSocket transport based on the built-in WebSocket object.
WebTransport	WebTransport transport based on the built-in WebTransport object.

Usage:

Transport	browser	Node.js	Deno	Bun

... (truncated)

Commits

• 91e1c8b chore(release): socket.io@4.8.1
• 8d5528a chore(release): socket.io-client@4.8.1
• 71387e5 refactor(sio-client): reexport transports from the engine
• aead835 refactor(sio): make Namespace._fns private (#5196)
• 029e010 chore(release): engine.io-client@6.6.2
• 4ca6ddb docs(nuxt): update example with latest version
• ca9e994 fix(sio-client): do not mangle the "_placeholder" attribute
• 4865f2e fix(eio-client): prevent infinite loop with Node.js built-in WebSocket
• d4b3dde ci: use Node.js 22
• 3b68658 chore: bump @​fails-components/webtransport to version 1.1.4 (dev)
• Additional commits viewable in compare view

Updates cross-spawn from 6.0.5 to 6.0.6

Changelog

Sourced from cross-spawn's changelog.

6.0.6 (2024-11-18)

Bug Fixes

• disable regexp backtracking (#160) (ba5aaef)
• core: support worker threads (#127) (f4af31c)

Commits

• d35c865 chore(release): 6.0.6
• 5a37e19 chore: update package.json and package.lock
• ba5aaef fix: disable regexp backtracking (#160)
• f4af31c fix(core): support worker threads (#127)
• See full diff in compare view

Updates find-my-way from 7.7.0 to 8.2.2

Release notes

Sourced from find-my-way's releases.

v8.2.2

⚠️ Security Release ⚠️

Fixes: GHSA-rrr8-f88r-h8q6 CVE-2024-45813

Full Changelog: delvedor/find-my-way@v8.2.0...v8.2.2

v8.2.0

What's Changed

• Update contraint check to throw with 32 handlers by @​valeneiko in delvedor/find-my-way#344
• feat: add node: prefix for assert by @​SavaCool122 in delvedor/find-my-way#347
• add dependabot.yml by @​Uzlopak in delvedor/find-my-way#350
• chore: bump actions/setup-node from 3 to 4 by @​dependabot in delvedor/find-my-way#351
• chore: bump actions/checkout from 3 to 4 by @​dependabot in delvedor/find-my-way#352
• Achieve 100% test coverage by @​jean-michelet in delvedor/find-my-way#349
• chore: bump the dependencies-major group with 1 update by @​dependabot in delvedor/find-my-way#353
• Fix header in README by @​selimb in delvedor/find-my-way#345
• Exclude Node v14 and v16 on macos by @​mcollina in delvedor/find-my-way#364
• add node v22. Skip old nodes on mac by @​mcollina in delvedor/find-my-way#363
• Support optional params on root by @​mcollina in delvedor/find-my-way#367

New Contributors

• @​valeneiko made their first contribution in delvedor/find-my-way#344
• @​SavaCool122 made their first contribution in delvedor/find-my-way#347
• @​dependabot made their first contribution in delvedor/find-my-way#351
• @​jean-michelet made their first contribution in delvedor/find-my-way#349
• @​selimb made their first contribution in delvedor/find-my-way#345

Full Changelog: delvedor/find-my-way@v8.1.0...v8.2.0

v8.1.0

What's Changed

• feat(route): return route params on findRoute by @​sf3ris in delvedor/find-my-way#342

New Contributors

• @​sf3ris made their first contribution in delvedor/find-my-way#342

Full Changelog: delvedor/find-my-way@v8.0.0...v8.1.0

v8.0.0

What's Changed

• swap sentences in docs by @​matthyk in delvedor/find-my-way#339
• fix ci badge by @​Uzlopak in delvedor/find-my-way#340
• feat: disable semicolon separator by default by @​levensta in delvedor/find-my-way#336

New Contributors

• @​levensta made their first contribution in delvedor/find-my-way#336

Full Changelog: delvedor/find-my-way@v7.7.0...v8.0.0

Commits

• 9e666a1 Bumped v8.2.2
• 17fae69 Merge commit from fork
• ea27fa2 Bumped v8.2.0
• cce5437 Support optional params on root (#367)
• 984ff20 add node v22. Skip old nodes on mac (#363)
• 20e7b1c Exclude Node v14 and v16 on macos (#364)
• a9d1ee1 Fix header in README (#345)
• 8c7983c chore: bump the dependencies-major group with 1 update (#353)
• e117960 Achieve 100% test coverage (#349)
• 9731ad7 chore: bump actions/checkout from 3 to 4 (#352)
• Additional commits viewable in compare view

Updates fastify from 4.12.0 to 4.29.1

Release notes

Sourced from fastify's releases.

v4.29.1

⚠️ Security Release ⚠️

Fix for "Invalid content-type parsing could lead to validation bypass" and CVE-2025-32442.

Full Changelog: fastify/fastify@v4.29.0...v4.29.1

v4.29.0

What's Changed

• fix(backport v4.x): config type in RouteShorthandOptions by @​bastienmenis in fastify/fastify#5527
• feat(backport 4.x): add body parsing on copy move mkcol methods by @​johaven in fastify/fastify#5549
• [Backport 4.x] fix: res serializer not given reply (#5556) by @​github-actions in fastify/fastify#5563
• chore(backport 4.x): allow ! in PR title by @​github-actions in fastify/fastify#5572
• [Backport 4.x] feat: support different body schema per content type by @​github-actions in fastify/fastify#5559
• [Backport 4.x] chore(sponsor): add valtown by @​github-actions in fastify/fastify#5593
• [Backport 4.x] fix: nullish host by @​github-actions in fastify/fastify#5594
• refactor(4.x): add deprecate warning of json shorthand by @​climba03003 in fastify/fastify#5587
• [Backport 4.x] chore(sponsor): add handsontable by @​github-actions in fastify/fastify#5595
• [Backport 4.x] fix: throwing "FST_ERR_DUPLICATED_ROUTE" error instead of raw error by @​github-actions in fastify/fastify#5624
• fix(backport 4.x): reorder handling of Response replies by @​github-actions in fastify/fastify#5629
• [Backport 4.x] docs: add default value for maxParamLength by @​github-actions in fastify/fastify#5631
• [Backport 4.x] chore: fix sponsor link by @​github-actions in fastify/fastify#5641
• [Backport 4.x] feat: add fastify v4 codemods by @​github-actions in fastify/fastify#5654
• [Backport 4.x] feat: bind this to instance in onclose by @​github-actions in fastify/fastify#5679
• [Backport 4.x] docs: update v4 codemods by @​github-actions in fastify/fastify#5686

New Contributors

• @​bastienmenis made their first contribution in fastify/fastify#5527

Full Changelog: fastify/fastify@v4.28.1...v4.29.0

v4.28.1

What's Changed

• [Backport 4.x] fix: server.listen listener is not cleanup properly by @​github-actions in fastify/fastify#5523
• [Backport 4.x] test: fix test finished earlier than expected by @​github-actions in fastify/fastify#5541
• fix(v4): update .npmignore by @​Eomm in fastify/fastify#5538

Full Changelog: fastify/fastify@v4.28.0...v4.28.1

v4.28.0

What's Changed

• test: fix closing - pipelining by @​climba03003 in fastify/fastify#5486
• refactor(backport v4.x): change reply.redirect() signature (#5483) by @​gurgunday in fastify/fastify#5484
• refactor(backport v4.x): hasRoute method comparison with case insensitive by @​SMNBLMRR in fastify/fastify#5513
• fix: (backport) Type inferrence with auxilliary hook handlers by @​aadito123 in fastify/fastify#5518

Full Changelog: fastify/fastify@v4.27.0...v4.28.0

... (truncated)

Commits

• 2d85fee Bumped v4.29.1
• 5faed29 fix(test): nodejs 16 needs no keep-alive
• 92075f8 ci: fix branch pattern (#6090)
• c470417 fix: treat space as a delimiter in content-type parsing (#6064)
• 1f4cf36 fix: test and sync version
• bebd4e6 Merge commit from fork
• 3a6d4ae Bumped v4.29.0
• 238d8a4 docs: update v4 codemods (#5666) (#5686)
• 28880c3 fix: bind this to instance in onclose (#5670) (#5679)
• b934a99 feat: add fastify v4 codemods (#5642) (#5654)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by eomm, a new releaser for fastify since your current version.

Updates form-data from 4.0.0 to 4.0.4

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

• Merge tags v2.5.3 and v3.0.3 92613b9
• [Tests] migrate from travis to GHA