Bump the npm_and_yarn group across 1 directory with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
@babel/core	7.29.0	7.29.6
undici	8.1.0	8.5.0
form-data	4.0.5	4.0.6
protobufjs	7.6.0	7.6.4
tar	7.5.13	7.5.16

Updates @babel/core from 7.29.0 to 7.29.6

Release notes

Sourced from @​babel/core's releases.

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser
  • #17782 Improve trailing comma comment handling (@​JLHwung)

📝 Documentation

• #17847 Replace npmjs.com links with npmx.dev (@​nicolo-ribaudo)

... (truncated)

Commits

• 04ea6b2 v7.29.6
• 99f498a [7.x packport]Improve input source map handling (#18001)
• feba0a3 Preserve original identifier names from input sourcemaps (#17992) (#17998)
• See full diff in compare view

Updates undici from 8.1.0 to 8.5.0

Release notes

Sourced from undici's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	8.5.0	32dbf0b3
GHSA-38rv-x7px-6hhq	CVE-2026-9675	High (7.5)	8.5.0	b4c287b3
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	8.5.0	42d49559
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	8.2.0	a516f870
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	8.5.0	cb105d7c
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	8.5.0	5655ea43
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	8.5.0	5655ea43
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	8.5.0	6ea54ef8

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770 Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits

• a0806e1 Bumped v8.5.0 (#5429)
• 8a0392c test: detect available python command in wpt runner (#5427)
• f4045b9 ci: increase Node.js workflow timeout (#5426)
• 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
• c5ed787 websocket: handle empty fragments and stream limits
• e114e77 align EventSource with spec (#5418)
• 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
• 32dbf0b websocket: limit the number of fragments in a message
• 0d6ecc5 add bodymixin.textStream() (#5416)
• 42d4955 fix: honor requestTls when proxy is SOCKS5
• Additional commits viewable in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames 8dff42c
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
• [Deps] update hasown, mime-types 92ae0eb
• [Dev Deps] update js-randomness-predictor 67b0f65

Commits

• 64190db v4.0.6
• 92ae0eb [Deps] update hasown, mime-types
• f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
• 8dff42c [Fix] escape CR, LF, and " in field names and filenames
• 67b0f65 [Dev Deps] update js-randomness-predictor
• See full diff in compare view

Updates protobufjs from 7.6.0 to 7.6.4

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.6.4

7.6.4 (2026-06-12)

Bug Fixes

• Reconfigure and speed up CI (#2329) (574f761)
• Remove inquire submodule (#2327) (06ddd07)

protobufjs: v7.6.3

7.6.3 (2026-06-09)

Bug Fixes

• Avoid name collisions in generated code (#2311) (78a9576)
• Preserve null conversion behavior for fieldless messages (#2312) (df91652)

protobufjs: v7.6.2

7.6.2 (2026-05-30)

Bug Fixes

• Backport consistency and correctness fixes (#2294) (a92f72e)

protobufjs: v7.6.1

7.6.1 (2026-05-22)

Bug Fixes

• Backport misc utility hardening (#2280) (8a45c13)
• Treat fixed64 as unsigned in converters (#2266) (479dfdc)

Changelog

Sourced from protobufjs's changelog.

7.6.4 (2026-06-12)

Bug Fixes

• Reconfigure and speed up CI (#2329) (574f761)
• Remove inquire submodule (#2327) (06ddd07)

7.6.3 (2026-06-09)

Bug Fixes

• Avoid name collisions in generated code (#2311) (78a9576)
• Preserve null conversion behavior for fieldless messages (#2312) (df91652)

7.6.2 (2026-05-30)

Bug Fixes

• Backport consistency and correctness fixes (#2294) (a92f72e)

7.6.1 (2026-05-22)

Bug Fixes

• Backport misc utility hardening (#2280) (8a45c13)
• Treat fixed64 as unsigned in converters (#2266) (479dfdc)

Commits

• f8f64ef chore: release protobufjs-v7.x (#2330)
• 574f761 fix: Reconfigure and speed up CI (#2329)
• 06ddd07 fix: Remove inquire submodule (#2327)
• 1d3796d chore: release protobufjs-v7.x (#2317)
• df91652 fix: Preserve null conversion behavior for fieldless messages (#2312)
• 78a9576 fix: Avoid name collisions in generated code (#2311)
• ec90ef9 chore: release protobufjs-v7.x (#2295)
• a92f72e fix: Backport consistency and correctness fixes (#2294)
• f0b50d2 chore: release protobufjs-v7.x (#2268)
• 8a45c13 fix: Backport misc utility hardening (#2280)
• Additional commits viewable in compare view

Updates tar from 7.5.13 to 7.5.16

Commits

• cf21338 7.5.16
• 21a8220 do not apply PAX header fields to meta entries
• 52632cf update project deps
• 302f51f fix inconsequential typo in PENDINGLINKS symbol name
• 55dbb99 remove some uses of mutate-fs
• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.