chore(deps): bump the production-dependencies group across 1 directory with 9 updates

[dependabot]

Bumps the production-dependencies group with 9 updates in the / directory:

Package	From	To
@supabase/supabase-js	2.105.0	2.108.2
axios	1.16.0	1.18.0
express-rate-limit	8.5.1	8.5.2
helmet	8.1.0	8.2.0
jest	30.3.0	30.4.2
lru-cache	11.3.5	11.5.1
morgan	1.10.1	1.11.0
sanitize-html	2.17.4	2.17.5
swagger-jsdoc	6.2.8	6.3.0

Updates @supabase/supabase-js from 2.105.0 to 2.108.2

Release notes

Sourced from @​supabase/supabase-js's releases.

v2.108.2

2.108.2 (2026-06-15)

🩹 Fixes

• auth: preserve valid session on refresh failure and cooldown repeat failures (#2436)
• realtime: clarify httpSend() 404 error and server migration note (#2444)
• release: pin Deno and bound JSR publish to survive stranded-task hangs (#2439)
• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.5

2.108.2-canary.5 (2026-06-15)

This was a version bump only, there were no code changes.

v2.108.2-canary.4

2.108.2-canary.4 (2026-06-12)

🩹 Fixes

• realtime: clarify httpSend() 404 error and server migration note (#2444)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.3

2.108.2-canary.3 (2026-06-11)

This was a version bump only, there were no code changes.

v2.108.2-canary.2

2.108.2-canary.2 (2026-06-11)

🩹 Fixes

• release: restore JSR publish flags and enable for beta (#2440)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

v2.108.2-canary.1

2.108.2-canary.1 (2026-06-11)

🩹 Fixes

... (truncated)

Changelog

Sourced from @​supabase/supabase-js's changelog.

2.108.2 (2026-06-15)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.108.0 (2026-06-08)

This was a version bump only for @​supabase/supabase-js to align it with other projects, there were no code changes.

2.107.0 (2026-06-02)

🚀 Features

• auth: remove navigator.locks-based mutex; introduce commit guard + dispose() (#2392)
• supabase: update X-Client-Info to structured metadata format (#2359)
• realtime: allow httpSend to send binary payload (#2400)

❤️ Thank You

• Claude Sonnet 4.6
• Eduardo Gurgel
• Guilherme Souza
• Katerina Skroumpelou @​mandarini
• Omar Al Matar @​Bewinxed

2.106.2 (2026-05-25)

🩹 Fixes

• misc: add react-native export condition for Hermes-safe resolution (#2393)

❤️ Thank You

• Myroslav Hryhschenko @​BLOCKMATERIAL

2.106.1 (2026-05-20)

🩹 Fixes

• misc: hide dynamic import from hermesc (#2381)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.106.0 (2026-05-18)

🚀 Features

• supabase: W3C/OpenTelemetry trace context propagation (#2163)

... (truncated)

Commits

• 76f3f02 test(auth): add passkey unit and e2e coverage (#2442)
• 65fafe5 chore(release): version 2.108.0 changelogs (#2433)
• 57014e1 chore(release): version 2.107.0 changelogs (#2421)
• 54ec2b6 feat(auth): remove navigator.locks-based mutex; introduce commit guard + disp...
• 3397c92 feat(supabase): update X-Client-Info to structured metadata format (#2359)
• 335207f feat(realtime): allow httpSend to send binary payload (#2400)
• 42f12dd docs(repo): ship per-package AGENTS.md and migrations via npm (#2397)
• b200b74 chore(release): version 2.106.2 changelogs (#2396)
• a5f09cf chore(repo): adopt pnpm catalog and clean up devDeps (#2389)
• c72cc56 fix(misc): add react-native export condition for Hermes-safe resolution (#2393)
• Additional commits viewable in compare view

Updates axios from 1.16.0 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Commits

• 2d06f96 chore(release): prepare release 1.18.0 (#11003)
• 32fc489 fix: malformed http urls (#11000)
• b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
• fe964f9 docs: mark proxy config as Node.js only (#10995)
• 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
• fae9d4e docs: clarify package update PR policy (#10992)
• 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
• a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
• 614f455 docs: publish v1.17.0 release notes (#10988)
• 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
• Additional commits viewable in compare view

Updates express-rate-limit from 8.5.1 to 8.5.2

Release notes

Sourced from express-rate-limit's releases.

v8.5.2

You can view the changelog here.

Commits

• 9774693 8.5.2
• 0e94cc0 v8.5.2 changelog
• 9a583c5 feat: simplify IPv6 key generation (#633)
• 4f4b3fb chore(deps-dev): bump lint-staged from 16.4.0 to 17.0.4 (#632)
• 3c1d6c5 chore(deps-dev): bump the development-dependencies group with 7 updates (#631)
• 18884b6 chore(deps): bump basic-ftp from 5.2.0 to 5.3.1 (#630)
• dacc980 chore(deps): bump handlebars from 4.7.8 to 4.7.9 (#629)
• 486d0c6 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#627)
• See full diff in compare view

Updates helmet from 8.1.0 to 8.2.0

Changelog

Sourced from helmet's changelog.

8.2.0 - 2026-05-21

• Cross-Origin-Opener-Policy: support noopener-allow-popups. See #522
• Improve error message when passing duplicate options

Commits

• 638e43b 8.2.0
• fdf25a8 Update changelog for 8.2.0 release
• bd293b7 Update devDependencies to latest versions
• 81ce5cc Test supported Node versions on CI
• 807a888 Update to new URL
• d4e0128 Add direct link to FAQ
• 437d2eb Bump actions/setup-node from 6.3.0 to 6.4.0 (#537)
• a6bd779 Upgrade actions/setup-node to 6.3.0
• 1e09f5f Fix changelog typo
• d526f5c Bump Picomatch dev sub-dependency
• Additional commits viewable in compare view

Updates jest from 30.3.0 to 30.4.2

Release notes

Sourced from jest's releases.

v30.4.2

Fixes

• [jest-runtime] Fix named imports from CJS modules whose module.exports is a function with own-property exports (#16150)

Full Changelog: jestjs/jest@v30.4.1...v30.4.2

v30.4.1

Features

• [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#16141)

Fixes

• [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#16143)

Full Changelog: jestjs/jest@v30.4.0...v30.4.1

v30.4.0

Big release! 😀

Main feature is a rewrite of our custom runtime in preparation for stabilisation of native support of ESM. As part of that work require(esm) module is now supported on Node 24.9+ (still requires --experimental-vm-modules like before).

In addition we now support fake timers for the recently released Temporal API in Node v26.

React 19 is also supported properly in pretty-format, meaning snapshots of React components now work like they should.

Due to all the changes, there might be regressions that snuck in. Please report them!

Full list of changes below

Features

• [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#15994)
• [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#16006)
• [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#15984)
• [jest-config] Add support for jest.config.mts as a valid configuration file (#16005)
• [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#16133)
• [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#16128)
• [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#16128)
• [@jest/fake-timers] Support faking Temporal.Now.* (#16131)
• [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#16088)
• [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#16064)
• [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#16062)
• [jest-runtime] Support require() of ES modules on Node v24.9+ (#16074)
• [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#16127)
• [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#16062)
• [jest-util] Add isError helper (#16076)

... (truncated)

Changelog

Sourced from jest's changelog.

30.4.2

Fixes

• [jest-runtime] Fix named imports from CJS modules whose module.exports is a function with own-property exports (#16150)

30.4.1

Features

• [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#16141)

Fixes

• [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#16143)

30.4.0

Features

• [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#15994)
• [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#16006)
• [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#15984)
• [jest-config] Add support for jest.config.mts as a valid configuration file (#16005)
• [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#16133)
• [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#16128)
• [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#16128)
• [@jest/fake-timers] Support faking Temporal.Now.* (#16131)
• [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#16088)
• [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#16064)
• [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#16062)
• [jest-runtime] Support require() of ES modules on Node v24.9+ (#16074)
• [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#16127)
• [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#16062)
• [jest-util] Add isError helper (#16076)
• [pretty-format] Support React 19 (#16123)

Fixes

• [expect-utils] Fix toStrictEqual failing on structuredClone results due to cross-realm constructor mismatch (#15959)
• [@jest/expect-utils] Prevent toMatchObject/subset matching from throwing when encountering exotic iterables (#15952)
• [fake-timers] Convert Date to milliseconds before passing to @sinonjs/fake-timers (#16029)
• [jest] Export GlobalConfig and ProjectConfig TypeScript types (#16132)
• [jest-circus] Prevent crash when asyncError is undefined for non-Error throws (#16003)
• [jest-circus, jest-jasmine2] Include Error.cause in JSON failureMessages output (#15967)
• [jest-config] Fix preset path resolution on Windows when the preset uses subpath exports (#15961)
• [jest-config] Allow collectCoverage and coverageProvider in project config without a validation warning (#16132)
• [jest-config] Project config validator now emits "is not supported in an individual project configuration" instead of "probably a typing mistake" for known global-only options (#16132)
• [jest-environment-node] Fix --localstorage-file warning on Node 25+ (#16086)
• [jest-reporters] Apply global coverage threshold to unmatched pattern files in addition to glob/path thresholds (#16137)

... (truncated)

Commits

• 746f2a0 v30.4.2
• b3b4a09 v30.4.1
• 5cbb21e v30.4.0
• db7141a fix: allow collectCoverage and coverageProvider in project config (#16132)
• See full diff in compare view

Updates lru-cache from 11.3.5 to 11.5.1

Changelog

Sourced from lru-cache's changelog.

cringe lorg

11.5

• Add backgroundFetchSize option, defaulting to 1, to set an effective size for provisional background fetch objects while in flight, if they do not shadow an existing stale entry.

11.4

• Add cache property to status objects, in order to differentiate which cache is emitting the metric or trace.
• Several small bugs regarding fetch behavior edge cases.
  • onInsert does not fire for background fetch internal promises.
  • dispose() and disposeAfter() now fire for the stale value left behind when an in-process background fetch is pre-empted by eviction.
  • fetchMethod that returns a non-Promise value is handled correctly.
  • No Error is created, or abort() signaled, when a background fetch promise is resolved. (Presumably the implementation is done by that point.)

11.3

• Add observability features, expand the coverage of LRUCache.Status objects.

11.2

• Add the perf option to specify performance, Date, or any other object with a now() method that returns a number.

11.1

• Add the onInsert method

11.0

• Drop support for node less than v20

10.4

• Accidental minor update, should've been patch.

10.3

• add forceFetch() method
• set disposeReason to 'expire' when it's the result of a TTL

... (truncated)

Commits

• cd98065 11.5.1
• 281f49d work with exactOptionalPropertyTypes
• 0adc7a5 11.5.0
• 4708153 add backgroundFetchSize option
• 9bed6db formatting changelog
• cd8f37b test: loosen test on onInsert
• c440996 11.4.0
• fdab191 changelog 11.4
• fbd958d add cache to status type
• 451737c fix several bugs related to background fetch edge cases
• Additional commits viewable in compare view

Updates morgan from 1.10.1 to 1.11.0

Release notes

Sourced from morgan's releases.

1.11.0

What's Changed

• feat: add :pid token by @​ganesh3367 in expressjs/morgan#329

Security Fix:

• Escape control characters in :remote-user token to prevent log injection
  • Fixes CVE-2026-5078 GHSA-4vj7-5mj6-jm8m

New Contributors

• @​inigomarquinez made their first contribution in expressjs/morgan#291
• @​jonchurch made their first contribution in expressjs/morgan#299
• @​bjohansebas made their first contribution in expressjs/morgan#301
• @​UlisesGascon made their first contribution in expressjs/morgan#300
• @​ctcpip made their first contribution in expressjs/morgan#319
• @​ganesh3367 made their first contribution in expressjs/morgan#329

Full Changelog: expressjs/morgan@1.10.0...1.11.0

Changelog

Sourced from morgan's changelog.

1.11.0 / 2026-06-02

• add :pid token

Security Fix:

• Escape control characters in :remote-user token to prevent log injection
  • Fixes CVE-2026-5078 GHSA-4vj7-5mj6-jm8m

Commits

• e0e6f17 Release 1.11.0 (#350)
• b3f5d9b Merge commit from fork
• 203c758 build(deps): bump github/codeql-action from 4.32.4 to 4.35.2 (#346)
• 002bc81 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#347)
• 561b0d7 build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.0 (#338)
• 2db705e build(deps): bump github/codeql-action from 3.29.7 to 4.32.4 (#337)
• a373c5f build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.3 (#327)
• c8e72fa build(deps): bump actions/checkout from 4.1.1 to 6.0.1 (#324)
• 023300e build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 (#307)
• 9d8d6c0 build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#306)
• Additional commits viewable in compare view

Updates sanitize-html from 2.17.4 to 2.17.5

Changelog

Sourced from sanitize-html's changelog.

2.17.5 (2026-06-10)

Security

• Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
• Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

Commits

• 2427508 release and changelog edits (#5465)
• 5a88e96 Latest security q2 (#5464)
• 958d162 merge main to latest (#5460)
• See full diff in compare view

Updates swagger-jsdoc from 6.2.8 to 6.3.0

Release notes

Sourced from swagger-jsdoc's releases.

v6.3.0

What's Changed

• Fix/extract annotations error handling by @​nejclovrencic in Surnet/swagger-jsdoc#363
• fix: Update Glob to fix memory leak issue from inflight by @​mkonikov in Surnet/swagger-jsdoc#430
• chore(deps): bump @​babel/helpers from 7.18.9 to 7.28.4 in /docusaurus by @​dependabot[bot] in Surnet/swagger-jsdoc#433
• chore(deps): bump @​babel/runtime from 7.18.9 to 7.28.4 in /docusaurus by @​dependabot[bot] in Surnet/swagger-jsdoc#434
• fix: replace mikeal/merge-release with direct npm publish, update actions to v5 by @​mkonikov in Surnet/swagger-jsdoc#448
• Fix security vulnerabilities by @​jpage-godaddy in Surnet/swagger-jsdoc#425

New Contributors

• @​nejclovrencic made their first contribution in Surnet/swagger-jsdoc#363
• @​mkonikov made their first contribution in Surnet/swagger-jsdoc#430
• @​jpage-godaddy made their first contribution in Surnet/swagger-jsdoc#425

Full Changelog: Surnet/swagger-jsdoc@v6.2.8...v6.3.0

Commits

• 04cbcb6 Version Bump
• a761cf7 Fix security vulnerabilities (#425)
• cb90faf fix: replace mikeal/merge-release with direct npm publish, update actions to ...
• 3ebd8d2 chore(deps): bump @​babel/runtime from 7.18.9 to 7.28.4 in /docusaurus (#434)
• 51f408d chore(deps): bump @​babel/helpers from 7.18.9 to 7.28.4 in /docusaurus (#433)
• 3778b42 fix: Update Glob to fix memory leak issue from inflight (#430)
• 2325600 Merge pull request #363 from nejclovrencic/fix/extract-annotations-error-hand...
• f92ee06 Update express and body-parser to fix qs vulnerability
• fc52de9 Update yarn.lock
• af64d34 Add try catch to build function for loop
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.