chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates by dependabot[bot] · Pull Request #63 · skilld-dev/skilld

dependabot · 2026-04-04T01:13:13Z

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
brace-expansion	`1.1.12`	`1.1.13`
fastify	`5.7.4`	`5.8.4`
lodash	`4.17.23`	`4.18.1`
picomatch	`4.0.3`	`4.0.4`
tar	`7.5.9`	`7.5.13`
yaml	`2.8.2`	`2.8.3`

Updates brace-expansion from 1.1.12 to 1.1.13

Commits

6c353ca 1.1.13
7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
See full diff in compare view

Updates fastify from 5.7.4 to 5.8.4

Release notes

Sourced from fastify's releases.

v5.8.4

Full Changelog: fastify/fastify@v5.8.3...v5.8.4

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

docs(readme): add @Tony133 to plugin team by @Tony133 in fastify/fastify#6565

Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @kyrylchenko in fastify/fastify#6566

test: use fastify.test in test case by @climba03003 in fastify/fastify#6568

docs: use fastify.example in documentation by @climba03003 in fastify/fastify#6567

docs: add common performance degradation guidance by @maxpetrusenko in fastify/fastify#6520

docs(server): fix camelCase anchor links in TOC by @Deepvamja in fastify/fastify#6530

ci(link-checker): fix root-relative links resolution by @barba-rossa in fastify/fastify#6535

docs: update syntax markdown, absolute paths and links by @Tony133 in fastify/fastify#6569

docs: clarify content-type parser/schema mismatch is outside threat model by @mcollina in fastify/fastify#6537

docs: fix incorrect code examples in Reply and Request reference by @mahmoodhamdi in fastify/fastify#6582

docs: replace redirected npm.im http-errors link by @mcollina in fastify/fastify#6588

types: Allow port to be null in request type definition by @TristanBarlow in fastify/fastify#6589

docs: update links by @Tony133 in fastify/fastify#6593

ci(lock-threads): use shared lock-threads workflow by @Fdawgs in fastify/fastify#6592

New Contributors

@kyrylchenko made their first contribution in fastify/fastify#6566

@maxpetrusenko made their first contribution in fastify/fastify#6520

@Deepvamja made their first contribution in fastify/fastify#6530

@barba-rossa made their first contribution in fastify/fastify#6535

@mahmoodhamdi made their first contribution in fastify/fastify#6582

@TristanBarlow made their first contribution in fastify/fastify#6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

What's Changed

docs(ecosystem): add @yeliex/fastify-problem-details by @yeliex in fastify/fastify#6546

Revert "chore: upgrade borp to v1.0.0" by @climba03003 in fastify/fastify#6564

docs: document body validation with custom content type parsers by @mcollina in fastify/fastify#6556

docs(ecosystem): add fastify-file-router by @bhouston in fastify/fastify#6441

docs: add fastify-svelte-view to Ecosystem list by @matths in fastify/fastify#6453

fix: anchor keyValuePairsReg to prevent quadratic backtracking by @mcollina in fastify/fastify#6558

docs: added note on handling of invalid URLs in setNotFoundHandler by @leftieFriele in fastify/fastify#5661

docs(guides): update codemod links by @OluchiEzeifedikwa in fastify/fastify#6479

docs: add @glidemq/fastify to community plugins by @avifenesh in fastify/fastify#6560

New Contributors

@yeliex made their first contribution in fastify/fastify#6546

@matths made their first contribution in fastify/fastify#6453

@leftieFriele made their first contribution in fastify/fastify#5661

... (truncated)

Commits

af92d0d Bumped v5.8.4
a3e77ce Bumped v5.8.3
4e1db5b fix: gate host and protocol getters on proxy trust function
a22217f ci(lock-threads): use shared lock-threads workflow (#6592)
1851f20 docs: update links (#6593)
9cc5187 types: Allow port to be null in request type definition (#6589)
722d83b docs: replace redirected npm.im http-errors link (#6588)
a1413de docs: fix incorrect code examples in Reply and Request reference (#6582)
d7f01b6 docs: clarify content-type parser/schema mismatch is outside threat model (#6...
a0649e9 docs: update syntax markdown, absolute paths and links (#6569)
Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates tar from 7.5.9 to 7.5.13

Commits

d6611ae 7.5.13
119c401 fix(extract): prevent raced symlink writes outside cwd
2a294d3 7.5.12
01082a4 fix: reject top promise on floating addFilesAsync rejections
dd1c36a linting
35a1ffe doc: more clarity in security warning
bf776f6 7.5.11
f48b5fa prevent escaping symlinks with drive-relative paths
97cff15 docs: more security info
2b72abc 7.5.10
Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

Add trailingComma ToString option for multiline flow formatting (#670)

Catch stack overflow during node composition (1e84ebb)

Commits

ce14587 2.8.3
1e84ebb fix: Catch stack overflow during node composition
6b24090 ci: Include Prettier check in lint action
9424dee chore: Refresh lockfile
d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
4321509 ci: Drop the branch filter from GitHub PR actions
47207d0 chore: Update docs-slate
5212fae chore: Update docs-slate
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates Bumps the npm_and_yarn group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.12` | `1.1.13` | | [fastify](https://github.com/fastify/fastify) | `5.7.4` | `5.8.4` | | [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` | | [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` | | [tar](https://github.com/isaacs/node-tar) | `7.5.9` | `7.5.13` | | [yaml](https://github.com/eemeli/yaml) | `2.8.2` | `2.8.3` | Updates `brace-expansion` from 1.1.12 to 1.1.13 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.13) Updates `fastify` from 5.7.4 to 5.8.4 - [Release notes](https://github.com/fastify/fastify/releases) - [Commits](fastify/fastify@v5.7.4...v5.8.4) Updates `lodash` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `tar` from 7.5.9 to 7.5.13 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.9...v7.5.13) Updates `yaml` from 2.8.2 to 2.8.3 - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v2.8.2...v2.8.3) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fastify dependency-version: 5.8.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: yaml dependency-version: 2.8.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 4, 2026

dependabot bot mentioned this pull request Apr 4, 2026

chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates #62

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates#63

chore(deps): bump the npm_and_yarn group across 1 directory with 6 updates#63
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-10dc557baf

dependabot bot commented on behalf of github Apr 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 4, 2026

v5.8.4

v5.8.3

⚠️ Security Release

What's Changed

New Contributors

v5.8.2

What's Changed

New Contributors

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

4.0.4

What's Changed

v2.8.3

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

`lodash.*` modular packages