Skip to content

build(deps): bump the dependencies group with 8 updates #3252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

build(deps): bump the dependencies group with 8 updates #3252

wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 1, 2025
edited by cursor bot
Loading

Bumps the dependencies group with 8 updates:

Package From To
lerna 9.0.1 9.0.3
typescript-eslint 8.47.0 8.48.0
node-forge 1.3.1 1.3.2
@aws-sdk/client-route-53 3.936.0 3.940.0
body-parser 2.2.0 2.2.1
ipaddr.js 2.2.0 2.3.0
lru-cache 11.2.2 11.2.4
pino-pretty 13.1.2 13.1.3

Updates lerna from 9.0.1 to 9.0.3

Release notes

Sourced from lerna's releases.

v9.0.3

9.0.3 (2025-11-27)

Bumped some dependencies to reduce audit warning noise.

NOTE: 9.0.2 does not exist because of a failed release

Changelog

Sourced from lerna's changelog.

9.0.3 (2025-11-27)

Note: Version bump only for package lerna

9.0.2 (2025-11-27)

Note: Version bump only for package lerna

Commits

Updates typescript-eslint from 8.47.0 to 8.48.0

Release notes

Sourced from typescript-eslint's releases.

v8.48.0

8.48.0 (2025-11-24)

🚀 Features

  • eslint-plugin: [no-redundant-type-constituents] use assignability checking for redundancy checks (#10744)
  • rule-tester: remove workaround for jest circular structure error (#11772)
  • typescript-estree: gate all errors behind allowInvalidAST (#11693)
  • typescript-estree: replace fast-glob with tinyglobby (#11740)

🩹 Fixes

  • eslint-plugin: [consistent-generic-constructors] ignore when constructor is typed array (#10477)
  • scope-manager: change unhelpful aaa error message and change analyze to expects Program (#11747)
  • typescript-estree: infers singleRun as true for project service (#11327)
  • typescript-estree: disallow binding patterns in parameter properties (#11760)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.48.0 (2025-11-24)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

Commits

Updates node-forge from 1.3.1 to 1.3.2

Changelog

Sourced from node-forge's changelog.

1.3.2 - 2025-11-25

Security

  • HIGH: ASN.1 Validator Desynchronization
    • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-12816
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: ASN.1 Unbounded Recursion
    • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66031
    • GHSA ID: GHSA-554w-wpv2-vw27
  • MODERATE: ASN.1 OID Integer Truncation
    • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66030
    • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

  • [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
  • [asn1] Add fromDer() max recursion depth check.
    • Add a asn1.maxDepth global configurable maximum depth of 256.
    • Add a asn1.fromDer() per-call maxDepth option.
    • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
    • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default maximum.
  • [asn1] Improve OID handling.
    • Error on parsed OID values larger than 2**32 - 1.
    • Error on DER OID values larger than 2**53 - 1 .
Commits

Updates @aws-sdk/client-route-53 from 3.936.0 to 3.940.0

Release notes

Sourced from @​aws-sdk/client-route-53's releases.

v3.940.0

3.940.0(2025-11-25)

New Features
  • clients: update client endpoints as of 2025-11-25 (e2770904)
  • client-network-firewall: Network Firewall release of the Proxy feature. (0eb20e88)
  • client-organizations: Add support for policy operations on the S3_POLICY and BEDROCK_POLICY policy type. (75e196ee)
  • client-route-53: Adds support for new route53 feature: accelerated recovery. (dbe0a58f)
  • client-ec2: This release adds support to view Network firewall proxy appliances attached to an existing NAT Gateway via DescribeNatGateways API NatGatewayAttachedAppliance structure. (7d70b063)
Bug Fixes
  • core/protocols: performance improvements for shape serde traversal (#7523) (b20a25ea)
Tests

For list of updated packages, view updated-packages.md in assets-3.940.0.zip

v3.939.0

3.939.0(2025-11-24)

Chores
  • scripts: reduce api validation to packages/lib only (#7519) (eb74d6a0)
New Features
  • client-cloudwatch-logs: New CloudWatch Logs feature - LogGroup Deletion Protection, a capability that allows customers to safeguard their critical CloudWatch log groups from accidental or unintended deletion. (02360329)
  • client-cloudfront: Add TrustStore, ConnectionFunction APIs to CloudFront SDK (168505ee)
Bug Fixes
  • clients: export enum objects for string shapes (#7521) (62f648df)
  • cloudfront-signer: skip extended encoding for query parameters in the base url (#7515) (954d411e)
Tests

For list of updated packages, view updated-packages.md in assets-3.939.0.zip

... (truncated)

Changelog

Sourced from @​aws-sdk/client-route-53's changelog.

3.940.0 (2025-11-25)

Features

  • client-route-53: Adds support for new route53 feature: accelerated recovery. (dbe0a58)

3.939.0 (2025-11-24)

Note: Version bump only for package @​aws-sdk/client-route-53

Commits
  • e9962f1 Publish v3.940.0
  • dbe0a58 feat(client-route-53): Adds support for new route53 feature: accelerated reco...
  • 1592379 Publish v3.939.0
  • See full diff in compare view

Updates body-parser from 2.2.0 to 2.2.1

Release notes

Sourced from body-parser's releases.

v2.2.1

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.1 / 2025-11-24

  • Security fix for GHSA-wqch-xfxh-vrr4
  • deps:
    • type-is@^2.0.1
    • iconv-lite@^0.7.0
      • Handle split surrogate pairs when encoding UTF-8
      • Avoid false positives in encodingExists by using prototype-less objects
    • raw-body@^3.0.1
    • debug@^4.4.3
Commits
  • d96b63d 2.2.1 (#659)
  • b204886 sec: security patch for CVE-2025-13466
  • e20e351 feat: remove history.md from being packaged on publish (#660)
  • 0d7ce71 docs: switch badges from badgen.net to shields.io (#661)
  • 168afff ci: also test on first supported node.js version (#646)
  • e539a71 build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#654)
  • 9391612 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#655)
  • 57baafb build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#656)
  • a6a088e build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#657)
  • 10a114d test: add test for urlencoded invalid defaultCharset (#643)
  • Additional commits viewable in compare view

Updates ipaddr.js from 2.2.0 to 2.3.0

Changelog

Sourced from ipaddr.js's changelog.

2.3.0 - 2025-11-27

  • add isValidCIDRFourPartDecimal helper for IPv4 CIDR in four-part decimal form
  • upgrade eslint dev dependency to v9
  • remove duplicated LICENSE entry from published files list
Commits
  • e373b4e Bump version to 2.3.0
  • d564b1d Add IPv4 CIDR four-part decimal validator
  • 08c2cd4 dep(eslint): upgrade to v9
  • e6438fe remove LICENSE from files, redundant, always included
  • See full diff in compare view

Updates lru-cache from 11.2.2 to 11.2.4

Commits

Updates pino-pretty from 13.1.2 to 13.1.3

Release notes

Sourced from pino-pretty's releases.

v13.1.3

What's Changed

New Contributors

Full Changelog: pinojs/pino-pretty@v13.1.2...v13.1.3

Commits
  • 08425cd v13.1.3
  • 6afb524 fix: messageFormat print 0 value (#635)
  • 70c73ea build(deps): bump fast-copy from 3.0.2 to 4.0.0 (#637)
  • 2cd9794 build(deps): bump actions/checkout from 5 to 6 (#636)
  • c06e276 Update format-time.js documentation to match functionality (#632)
  • 47ffb45 build(deps): bump pino-abstract-transport from 2.0.0 to 3.0.0 (#629)
  • 932af85 build(deps-dev): bump pino from 9.14.0 to 10.1.0 (#628)
  • 6d48318 build(deps-dev): bump borp from 0.20.2 to 0.21.0 (#627)
  • 3b89a0c build(deps): bump actions/setup-node from 4 to 6 (#626)
  • ab0ccab Add in the README file a snippet to use pino-pretty only for dev (#623)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note

Bumps key dependencies across the monorepo (lerna, typescript-eslint, AWS Route53 client, body-parser, node-forge, ipaddr.js, lru-cache, pino-pretty) and refreshes lockfile.

  • Dependencies:
    • Root (package.json): bump lerna to ^9.0.3, typescript-eslint to ^8.48.0.
    • Autocertifier Client (packages/autocertifier-client): bump node-forge to ^1.3.2.
    • Autocertifier Server (packages/autocertifier-server): bump @aws-sdk/client-route-53 to ^3.940.0, body-parser to ^2.2.1.
    • DHT (packages/dht): bump ipaddr.js to ^2.3.0, lru-cache to ^11.2.4.
    • SDK (packages/sdk): bump lru-cache to ^11.2.4.
    • Utils (packages/utils): bump pino-pretty to ^13.1.3.
    • Update package-lock.json to reflect new versions.

Written by Cursor Bugbot for commit b70c8cb. This will update automatically on new commits. Configure here.

@dependabot
build(deps): bump the dependencies group with 8 updates
b70c8cb 
Bumps the dependencies group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [lerna](https://github.com/lerna/lerna/tree/HEAD/packages/lerna) | `9.0.1` | `9.0.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.47.0` | `8.48.0` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.2` |
| [@aws-sdk/client-route-53](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-route-53) | `3.936.0` | `3.940.0` |
| [body-parser](https://github.com/expressjs/body-parser) | `2.2.0` | `2.2.1` |
| [ipaddr.js](https://github.com/whitequark/ipaddr.js) | `2.2.0` | `2.3.0` |
| [lru-cache](https://github.com/isaacs/node-lru-cache) | `11.2.2` | `11.2.4` |
| [pino-pretty](https://github.com/pinojs/pino-pretty) | `13.1.2` | `13.1.3` |


Updates `lerna` from 9.0.1 to 9.0.3
- [Release notes](https://github.com/lerna/lerna/releases)
- [Changelog](https://github.com/lerna/lerna/blob/main/packages/lerna/CHANGELOG.md)
- [Commits](https://github.com/lerna/lerna/commits/v9.0.3/packages/lerna)

Updates `typescript-eslint` from 8.47.0 to 8.48.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.48.0/packages/typescript-eslint)

Updates `node-forge` from 1.3.1 to 1.3.2
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.2)

Updates `@aws-sdk/client-route-53` from 3.936.0 to 3.940.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-route-53/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.940.0/clients/client-route-53)

Updates `body-parser` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@v2.2.0...v2.2.1)

Updates `ipaddr.js` from 2.2.0 to 2.3.0
- [Changelog](https://github.com/whitequark/ipaddr.js/blob/main/Changes.md)
- [Commits](whitequark/ipaddr.js@v2.2.0...v2.3.0)

Updates `lru-cache` from 11.2.2 to 11.2.4
- [Changelog](https://github.com/isaacs/node-lru-cache/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-lru-cache@v11.2.2...v11.2.4)

Updates `pino-pretty` from 13.1.2 to 13.1.3
- [Release notes](https://github.com/pinojs/pino-pretty/releases)
- [Commits](pinojs/pino-pretty@v13.1.2...v13.1.3)

---
updated-dependencies:
- dependency-name: lerna
  dependency-version: 9.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: typescript-eslint
  dependency-version: 8.48.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: node-forge
  dependency-version: 1.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@aws-sdk/client-route-53"
  dependency-version: 3.940.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: body-parser
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: ipaddr.js
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: lru-cache
  dependency-version: 11.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: pino-pretty
  dependency-version: 13.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Dec 1, 2025
@github-actions github-actions bot added dht Related to DHT package utils sdk labels Dec 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file dht Related to DHT package javascript Pull requests that update Javascript code sdk utils

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant