build(deps): bump the npm_and_yarn group across 4 directories with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: js-yaml.
Bumps the npm_and_yarn group with 3 updates in the /docs directory: lodash, node-forge and undici.
Bumps the npm_and_yarn group with 2 updates in the /playground directory: js-yaml and vite.
Bumps the npm_and_yarn group with 6 updates in the /squawk-vscode directory:

Package	From	To
js-yaml	3.14.1	3.14.2
lodash	4.17.21	4.17.23
qs	6.14.0	6.14.1
undici	7.15.0	7.21.0
jws	3.2.2	3.2.3
tar-fs	2.1.3	2.1.4

Updates js-yaml from 3.14.0 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• 37caaad 3.14.1 released
• 094c0f7 dist rebuild
• 9586ebe Avoid calling hasOwnProperty of user-controlled objects
• See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

• 1cea0af Release 1.3.3.
• 5265989 Update changelog.
• e4f3961 Fix changelog for release.
• 503979b Update changelog.
• c3b3b32 Make digestAlgorithm parameters optional
• 6f70043 Update CVE details.
• f547b0d Start 1.3.3-0.
• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• Additional commits viewable in compare view

Updates undici from 7.15.0 to 7.21.0

Release notes

Sourced from undici's releases.

v7.21.0

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in nodejs/undici#4796
• test: restore global dispatcher after fetch tests by @​mcollina in nodejs/undici#4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in nodejs/undici#4802
• fix: error stream instead of canceling by @​KhafraDev in nodejs/undici#4804
• Fix clientTtl cleanup race in Agent by @​mcollina in nodejs/undici#4807
• feat(#4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in nodejs/undici#4296
• fix: handle undefined __filename in bundled environments by @​mcollina in nodejs/undici#4812
• fix: set finalizer only for fetch responses by @​tsctx in nodejs/undici#4803

New Contributors

• @​piotr-cz made their first contribution in nodejs/undici#4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

What's Changed

• fix: preserve fetch stack traces by @​mcollina in nodejs/undici#4778
• Fix error handling in MockPool example by @​dave-kennedy in nodejs/undici#4781
• feat: expose statusText in request() ResponseData by @​domenic in nodejs/undici#4784
• test: reduce retry-after invalid date flake by @​mcollina in nodejs/undici#4788
• extractBody fixes by @​KhafraDev in nodejs/undici#4791
• fix: MockAgent delayed response with AbortSignal (#4693) by @​mcollina in nodejs/undici#4772
• fix: onParserTimeout potentially accessing undefined by @​vbfox in nodejs/undici#4758

New Contributors

• @​dave-kennedy made their first contribution in nodejs/undici#4781
• @​vbfox made their first contribution in nodejs/undici#4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

What's Changed

• Minor code cleanups to decompress interceptor by @​domenic in nodejs/undici#4754
• fix(h2): fix flaky stream end handling on macOS by @​mcollina in nodejs/undici#4762
• return response when receiving 401 instead of network error by @​KhafraDev in nodejs/undici#4769
• fix: properly close idle connections in test server cleanup by @​mcollina in nodejs/undici#4764
• fix: decode HTTP headers as latin1 instead of utf8 by @​mcollina in nodejs/undici#4768
• fix: submodule update by @​Uzlopak in nodejs/undici#4648
• build(deps): bump peter-evans/create-pull-request from 7.0.8 to 8.0.0 by @​dependabot[bot] in nodejs/undici#4720

New Contributors

• @​domenic made their first contribution in nodejs/undici#4754

Full Changelog: nodejs/undici@v7.19.1...v7.19.2

v7.19.1

What's Changed

• fix: use commit hash when generating release (#4757) by @​fenichelar in nodejs/undici#4759

... (truncated)

Commits

• 393c0da Bumped v7.21.0 (#4813)
• 47f9b96 fix: set finalizer only for fetch responses (#4803)
• 92e38fc fix: handle undefined __filename in bundled environments (#4812)
• 283f2aa feat(#4230): Implement pingInterval for dispatching PING frames (#4296)
• 9cc025b Fix clientTtl cleanup race (#4807)
• fc8bb75 fix: error stream instead of canceling (#4804)
• ff6bc5a Add close method to WebSocketStream interface (#4802)
• dae4d91 test: restore global dispatcher after fetch tests (#4790)
• 072c17a build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 (#4796)
• 6cc668d Bumped v7.20.0 (#4792)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• 37caaad 3.14.1 released
• 094c0f7 dist rebuild
• 9586ebe Avoid calling hasOwnProperty of user-controlled objects
• See full diff in compare view

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

create-vite@6.4.0

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.0-beta.13 (2026-02-05)

Features

• integrate devtools (#21331) (acbf507)
• update rolldown to 1.0.0-rc.3 (#21554) (43358e9)

Bug Fixes

• scanner: respect tsconfig.json (#21547) (c6c04db)

Miscellaneous Chores

• update rolldown-plugin-dts to 0.22.1 (#21559) (77aab4b)

Code Refactoring

• deprecate customResolver in resolve.alias (#21476) (81275c9)
• remove unnecessary @rolldown/pluginutils (#21560) (c367b62)

Tests

• bundled-dev: add worker test cases (#21557) (569bc98)

8.0.0-beta.12 (2026-02-03)

Features

• manifest: add assets field for standalone CSS entry points (#21015) (f289b9b)

Bug Fixes

• avoid registering customization hook for import meta resolver multiple times (#21518) (8bb3203)
• config: avoid watching rolldown runtime virtual module (#21545) (d18b139)
• deps: update all non-major dependencies (#21540) (9ebaeaa)
• populate originalFileNames when resolving CSS asset paths (#21542) (8b47ff7)

Miscellaneous Chores

• deps: update dependency rolldown-plugin-dts to ^0.21.8 (#21539) (33881cb)

8.0.0-beta.11 (2026-01-29)

Features

• update rolldown to 1.0.0-rc.2 (#21512) (fa136a9)

Bug Fixes

• deps: update all non-major dependencies (#21488) (2b32ca2)
• disable tsconfig option when loading config (#21517) (5025c35)
• optimizer: map relative new URL paths to correct relative file location (#21434) (ca96cbc)

... (truncated)

Commits

• 0a0c50a refactor: simplify pluginFilter implementation (#19828)
• 59d0b35 perf(css): avoid constructing renderedModules (#19775)
• 175a839 fix: reject requests with # in request-target (#19830)
• e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
• 7200dee fix: correct the behavior when multiple transform filter options are specifie...
• b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
• 8fe3538 test: tweak generateCodeFrame test (#19812)
• 36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
• a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
• 71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
• Additional commits viewable in compare view

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• 37caaad 3.14.1 released
• 094c0f7 dist rebuild
• 9586ebe Avoid calling hasOwnProperty of user-controlled objects
• See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

• [Fix] ensure arrayLength applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

• 3fa11a5 v6.14.1
• a626704 [Dev Deps] update npmignore
• 3086902 [Fix] ensure arrayLength applies to [] notation as well
• fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
• 0b06aac [Dev Deps] update @ljharb/eslint-config
• 64951f6 [Refactor] parse: extract key segment splitting helper
• e1bd259 [Dev Deps] update @ljharb/eslint-config
• f4b3d39 [eslint] add eslint 9 optional peer dep
• 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
• 973dc3c [actions] add workflow permissions
• Additional commits viewable in compare view

Updates undici from 7.15.0 to 7.21.0

Release notes

Sourced from undici's releases.

v7.21.0

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in nodejs/undici#4796
• test: restore global dispatcher after fetch tests by @​mcollina in nodejs/undici#4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in nodejs/undici#4802
• fix: error stream instead of canceling by @​KhafraDev in nodejs/undici#4804
• Fix clientTtl cleanup race in Agent by @​mcollina in nodejs/undici#4807
• feat(#4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in nodejs/undici#4296
• fix: handle undefined __filename in bundled environments by @​mcollina in nodejs/undici#4812
• fix: set finalizer only for fetch responses by @​tsctx in nodejs/undici#4803

New Contributors

• @​piotr-cz made their first contribution in nodejs/undici#4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

What's Changed

• fix: preserve fetch stack traces by @​mcollina in nodejs/undici#4778
• Fix error handling in MockPool example by @​dave-kennedy in nodejs/undici#4781
• feat: expose statusText in request() ResponseData by @​domenic in nodejs/undici#4784
• test: reduce retry-after invalid date flake by @​mcollina in nodejs/undici#4788
• extractBody fixes by @​KhafraDev in nodejs/undici#4791
• fix: MockAgent delayed response with AbortSignal (#4693) by @​mcollina in nodejs/undici#4772
• fix: onParserTimeout potentially accessing undefined by @​vbfox in nodejs/undici#4758

New Contributors

• @​dave-kennedy made their first contribution in nodejs/undici#4781
• @​vbfox made their first contribution in nodejs/undici#4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

What's Changed

• Minor code cleanups to decompress interceptor by @​domenic in nodejs/undici#4754
• fix(h2): fix flaky stream end handling on macOS by @​mcollina in nodejs/undici#4762
• return response when receiving 401 instead of network error by @​KhafraDev in nodejs/undici#4769
• fix: properly close idle connections in test server cleanup by @​mcollina in nodejs/undici#4764
• fix: decode HTTP headers as latin1 instead of utf8 by @​mcollina in nodejs/undici#4768
• fix: submodule update by @​Uzlopak in nodejs/undici#4648
• build(deps): bump peter-evans/create-pull-request from 7.0.8 to 8.0.0 by @​dependabot[bot] in nodejs/undici#4720

New Contributors

• @​domenic made their first contribution in nodejs/undici#4754

Full Changelog: nodejs/undici@v7.19.1...v7.19.2

v7.19.1

What's Changed

• fix: use commit hash when generating release (#4757) by @​fenichelar in nodejs/undici#4759

... (truncated)

Commits

• 393c0da Bumped v7.21.0 (#4813)
• 47f9b96 fix: set finalizer only for fetch responses (#4803)
• 92e38fc fix: handle undefined __filename in bundled environments (#4812)
• 283f2aa feat(#4230): Implement pingInterval for dispatching PING frames (#4296)
• 9cc025b Fix clientTtl cleanup race (#4807)
• fc8bb75 fix: error stream instead of canceling (#4804)
• ff6bc5a Add close method to WebSocketStream interface (#4802)
• dae4d91 test: restore global dispatcher after fetch tests (#4790)
• 072c17a build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 (#4796)
• 6cc668d Bumped v7.20.0 (#4792)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

• Code reorganization, thanks @​fearphage! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)

Commits

• 4f6e73f Merge commit from fork
• bd0fea5 version 3.2.3
• 7c3b4b4 Enhance tests for HMAC streaming sign and verify
• a9b8ed9 Improve secretOrKey initialization in VerifyStream
• 6707fde Improve secret handling in SignStream
• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates tar-fs from 2.1.3 to 2.1.4

Commits

• f421a23 2.1.4
• c412fa1 refactor to same pattern as v3
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/s...

Description has been truncated