chore(deps): bump the npm_and_yarn group across 1 directory with 9 updates by dependabot[bot] · Pull Request #5 · GWALN/gwaln

dependabot · 2026-03-02T11:31:00Z

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
@modelcontextprotocol/sdk	`1.25.2`	`1.26.0`
ajv	`8.17.1`	`8.18.0`
ajv	`6.12.6`	`6.14.0`
axios	`1.13.2`	`1.13.5`
diff	`8.0.2`	`8.0.3`
diff	`4.0.2`	`4.0.4`
diff	`5.2.0`	`5.2.2`
undici	`7.16.0`	`7.22.0`
minimatch	`3.1.2`	`3.1.5`
lodash	`4.17.21`	`4.17.23`
rollup	`4.53.2`	`4.59.0`

Updates @modelcontextprotocol/sdk from 1.25.2 to 1.26.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

chore: bump v1.25.3 for backport fixes by @pcarleton in modelcontextprotocol/typescript-sdk#1412

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in modelcontextprotocol/typescript-sdk#1382

Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in modelcontextprotocol/typescript-sdk#1442

chore: bump version to 1.26.0 by @pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

@samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382

@NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

[v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in modelcontextprotocol/typescript-sdk#1407

fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

Commits

fe9c07b chore: bump version to 1.26.0 (#1479)
4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
a05be17 Merge commit from fork
50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
6aba065 chore: bump v1.25.3 for backport fixes (#1412)
6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
See full diff in compare view

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in ajv-validator/ajv#2480

fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in ajv-validator/ajv#2487

fix: small grammatical error in managing-schemas.md by @monteiro-renato in ajv-validator/ajv#2508

fix: typos in schema-language.md by @monteiro-renato in ajv-validator/ajv#2507

fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in ajv-validator/ajv#2586

New Contributors

@josdejong made their first contribution in ajv-validator/ajv#2480

@monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

142ce84 8.18.0
720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
82735a1 fix: typos in schema-language.md (#2507)
b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
See full diff in compare view

Updates ajv from 6.12.6 to 6.14.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in ajv-validator/ajv#2480

fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in ajv-validator/ajv#2487

fix: small grammatical error in managing-schemas.md by @monteiro-renato in ajv-validator/ajv#2508

fix: typos in schema-language.md by @monteiro-renato in ajv-validator/ajv#2507

fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in ajv-validator/ajv#2586

New Contributors

@josdejong made their first contribution in ajv-validator/ajv#2480

@monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

142ce84 8.18.0
720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
82735a1 fix: typos in schema-language.md (#2507)
b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
See full diff in compare view

Updates axios from 1.13.2 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

Fix/5657. (PR #7313)

Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

Add input validation to isAbsoluteURL. (PR #7326)

Refactor: bump minor package versions. (PR #7356)

Documentation

Clarify object-check comment. (PR #7323)

Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

Chore: fix issues with YAML. (PR #7355)

CI: update workflow YAMLs. (PR #7372)

CI: fix run condition. (PR #7373)

Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)

Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

@sachin11063 (first contribution — PR #7323)

@asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

fix: issues with version 1.13.3 (#7352) (ee90dfc)

Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)

interceptor: handle the error in the same interceptor (#6269) (5945e40)

main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)

package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)

silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)

turn AxiosError into a native error (#5394) (#5558) (1c6a86d)

types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)

types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)

unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

add undefined as a value in AxiosRequestConfig (#5560) (095033c)

add automatic minor and patch upgrades to dependabot (#6053) (65a7584)

add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)

added copilot instructions (3f83143)

compatibility with frozen prototypes (#6265) (860e033)

enhance pipeFileToResponse with error handling (#7169) (88d7884)

types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298

deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

Ashvin Tiwari

Nikunj Mochi

Anchal Singh

jasonsaayman

Julian Dax

Akash Dhar Dubey

Madhumita

Tackoil

Justin Dhillon

Rudransh

WuMingDao

codenomnom

Nandan Acharya

Eric Dubé

Tibor Pilz

Gabriel Quaresma

Turadg Aleahmad

... (truncated)

Commits

29f7542 chore(release): prepare release 1.13.5 (#7379)
431c3a3 ci: fix run condition (#7373)
9ff3a78 ci: update ymls (#7372)
265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
475e75a feat: add input validation to isAbsoluteURL (#7326)
28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
04cf019 docs: clarify object check comment (#7323)
696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
569f028 fix: added a option to choose between legacy and the new request/response int...
44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates diff from 8.0.2 to 8.0.3

Changelog

Sourced from diff's changelog.

8.0.3

#631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).

#635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.

#641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.

#647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

Commits

13576bf 8.0.3 release (#652)
1179ccb Ignore .zed (#651)
949d6e2 Add test for the vuln I just fixed (#650)
15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
de95cca Fix potentially cubic-time regex in parsePatch (#647)
b9aeede Allow more customisation of file headers in patches (#641)
43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
b8162c7 Bump node-forge from 1.3.1 to 1.3.2
ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
3e1774a Fix a comment typo (#633)
Additional commits viewable in compare view

Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

8.0.3

#631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).

#635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.

#641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.

#647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

Commits

13576bf 8.0.3 release (#652)
1179ccb Ignore .zed (#651)
949d6e2 Add test for the vuln I just fixed (#650)
15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
de95cca Fix potentially cubic-time regex in parsePatch (#647)
b9aeede Allow more customisation of file headers in patches (#641)
43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
b8162c7 Bump node-forge from 1.3.1 to 1.3.2
ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
3e1774a Fix a comment typo (#633)
Additional commits viewable in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

8.0.3

#631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).

#635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.

#641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.

#647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

Commits

13576bf 8.0.3 release (#652)
1179ccb Ignore .zed (#651)
949d6e2 Add test for the vuln I just fixed (#650)
15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
de95cca Fix potentially cubic-time regex in parsePatch (#647)
b9aeede Allow more customisation of file headers in patches (#641)
43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
b8162c7 Bump node-forge from 1.3.1 to 1.3.2
ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
3e1774a Fix a comment typo (#633)
Additional commits viewable in compare view

Updates undici from 7.16.0 to 7.22.0

Release notes

Sourced from undici's releases.

v7.22.0

What's Changed

docs: fix syntax highlighting in WebSocket.md by @styfle in nodejs/undici#4814

fix: use OR operator in includesCredentials per WHATWG URL Standard by @jackhax in nodejs/undici#4816

feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @SuperOleg39 in nodejs/undici#4676

fix: route WebSocket upgrades through onRequestUpgrade by @mcollina in nodejs/undici#4787

build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @dependabot[bot] in nodejs/undici#4821

fix(deduplicate): do not deduplicate non-safe methods by default by @mcollina in nodejs/undici#4818

feat: Support async cache stores in revalidation by @marcopiraccini in nodejs/undici#4826

New Contributors

@jackhax made their first contribution in nodejs/undici#4816

@marcopiraccini made their first contribution in nodejs/undici#4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

What's Changed

build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @dependabot[bot] in nodejs/undici#4796

test: restore global dispatcher after fetch tests by @mcollina in nodejs/undici#4790

Add missing close method to WebSocketStream interface by @piotr-cz in nodejs/undici#4802

fix: error stream instead of canceling by @KhafraDev in nodejs/undici#4804

Fix clientTtl cleanup race in Agent by @mcollina in nodejs/undici#4807

feat(#4230): Implement pingInterval for dispatching PING frames by @metcoder95 in nodejs/undici#4296

fix: handle undefined __filename in bundled environments by @mcollina in nodejs/undici#4812

fix: set finalizer only for fetch responses by @tsctx in nodejs/undici#4803

New Contributors

@piotr-cz made their first contribution in nodejs/undici#4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

What's Changed

fix: preserve fetch stack traces by @mcollina in nodejs/undici#4778

Fix error handling in MockPool example by @dave-kennedy in nodejs/undici#4781

feat: expose statusText in request() ResponseData by @domenic in nodejs/undici#4784

test: reduce retry-after invalid date flake by @mcollina in nodejs/undici#4788

extractBody fixes by @KhafraDev in nodejs/undici#4791

fix: MockAgent delayed response with AbortSignal (#4693) by @mcollina in nodejs/undici#4772

fix: onParserTimeout potentially accessing undefined by @vbfox in nodejs/undici#4758

New Contributors

@dave-kennedy made their first contribution in nodejs/undici#4781

@vbfox made their first contribution in nodejs/undici#4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

What's Changed

... (truncated)

Commits

0a23610 Bumped v7.22.0 (#4829)
f3c5c61 feat: Support async cache stores in revalidation (#4826)
9b78a44 fix(deduplicate): avoid deduping methods not in methods option (#4818)
0ce57ba build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 (#4821)
2453caf fix: route websocket upgrades through new handler API (#4787)
4658cdf feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk (#4676)
a821c56 fix: use OR operator in includesCredentials per WHATWG URL Standard (#4816)
b3326b5 docs: fix syntax highlighting in WebSocket.md (#4814)
393c0da Bumped v7.21.0 (#4813)
47f9b96 fix: set finalizer only for fetch responses (#4803)
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates hono from 4.11.3 to 4.12.3

Release notes

Sourced from hono's releases.

v4.12.3

What's Changed

fix(validator): prevent type diff bug in form data parsing by @EdamAme-x in honojs/hono#4753

fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @EdamAme-x in honojs/hono#4754

fix(jwt): fix JwtVariables for ContextVariableMap by @yusukebe in honojs/hono#4764

fix(types): remove DOM type dependencies from ClientResponse and request method by @YevheniiKotyrlo in honojs/hono#4768

fix(types): correct middleware types by @hmnd in honojs/hono#4774

fix(jwt): prevent memory leak by avoiding mutation of options object by @EdamAme-x in honojs/hono#4759

New Contributors

@YevheniiKotyrlo made their first contribution in honojs/hono#4768

@hmnd made their first contribution in honojs/hono#4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

Thanks @EdamAme-x

What's Changed

fix(context): revert PR #4707 by @yusukebe in honojs/hono#4757

Full Changelog: honojs/hono@v4.12.1...v4.12.2

v4.12.1

What's Changed

fix(client): export ApplyGlobalResponse from hono/client by @sushichan044 in honojs/hono#4743

Full Changelog: honojs/hono@v4.12.0...v4.12.1

v4.12.0

Release Notes

Hono v4.12.0 is now available!

This release includes new features for the Hono client, middleware improvements, adapter enhancements, and significant performance improvements to the router and context.

$path for Hono Client

The Hono client now has a $path() method that returns the path string instead of a full URL. This is useful when you need just the path portion for routing or key-based operations:
const client = hc<typeof app>('http://localhost:8787')
// Get the path string
</tr></table>

... (truncated)

Commits

790c57b 4.12.3
bda46ac fix(jwt): prevent memory leak by avoiding mutation of options object (#4759)
0f505f4 fix(types): correct middleware types (#4774)
eb9c112 fix(types): remove DOM type dependencies from ClientResponse and request meth...
b1df304 fix(jwt): fix JwtVariables for ContextVariableMap (#4764)
e4602ad fix(jwt): use Math.floor instead of bitwise OR for safe timestamp (#4754)
4bb70fa fix(validator): prevent type diff bug in form data parsing (#4753)
df97e5f 4.12.2
212c64f fix(context): revert PR #4707 (#4757)
5cc8f8f ci: apply automated fixes
Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates rollup from 4.53.2 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (

…dates Bumps the npm_and_yarn group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.25.2` | `1.26.0` | | [ajv](https://github.com/ajv-validator/ajv) | `8.17.1` | `8.18.0` | | [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` | | [axios](https://github.com/axios/axios) | `1.13.2` | `1.13.5` | | [diff](https://github.com/kpdecker/jsdiff) | `8.0.2` | `8.0.3` | | [diff](https://github.com/kpdecker/jsdiff) | `4.0.2` | `4.0.4` | | [diff](https://github.com/kpdecker/jsdiff) | `5.2.0` | `5.2.2` | | [undici](https://github.com/nodejs/undici) | `7.16.0` | `7.22.0` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [rollup](https://github.com/rollup/rollup) | `4.53.2` | `4.59.0` | Updates `@modelcontextprotocol/sdk` from 1.25.2 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@v1.25.2...v1.26.0) Updates `ajv` from 8.17.1 to 8.18.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.18.0) Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.18.0) Updates `axios` from 1.13.2 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.13.2...v1.13.5) Updates `diff` from 8.0.2 to 8.0.3 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v8.0.2...v8.0.3) Updates `diff` from 4.0.2 to 4.0.4 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v8.0.2...v8.0.3) Updates `diff` from 5.2.0 to 5.2.2 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v8.0.2...v8.0.3) Updates `undici` from 7.16.0 to 7.22.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.16.0...v7.22.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `hono` from 4.11.3 to 4.12.3 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.3...v4.12.3) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `rollup` from 4.53.2 to 4.59.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.2...v4.59.0) --- updated-dependencies: - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 8.18.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 8.0.3 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: diff dependency-version: 5.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.22.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.59.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 2, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump the npm_and_yarn group across 1 directory with 9 updates#5

chore(deps): bump the npm_and_yarn group across 1 directory with 9 updates#5
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-19469c7795

dependabot bot commented on behalf of github Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot bot commented on behalf of github Mar 2, 2026

v1.26.0

What's Changed

New Contributors

v1.25.3

What's Changed

v8.18.0

What's Changed

New Contributors

v8.18.0

What's Changed

New Contributors

v1.13.5

Release 1.13.5

Highlights

Changes

Security

Fixes

Features / Improvements

Documentation

CI / Maintenance

New Contributors

v1.13.4

Overview

What's New in v1.13.4

Bug Fixes

Changelog

1.13.3 (2026-01-20)

Bug Fixes

Features

Reverts

Contributors to this release

8.0.3

8.0.3

8.0.3

v7.22.0

What's Changed

New Contributors

v7.21.0

What's Changed

New Contributors

v7.20.0

What's Changed

New Contributors

v7.19.2

What's Changed

v4.12.3

What's Changed

New Contributors

v4.12.2

Security fix

What's Changed

v4.12.1

What's Changed

v4.12.0

Release Notes

$path for Hono Client

v4.59.0

4.59.0

Features

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

`$path` for Hono Client