chore(deps): bump the npm_and_yarn group across 8 directories with 14 updates #67

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/partners/dynamic/npm_and_yarn-4d10c2e253

@dependabot dependabot bot commented on behalf of github Feb 19, 2026

Bumps the npm_and_yarn group with 7 updates in the /partners/dynamic directory:

| Package | From | To |
| --- | --- | --- |
| @metamask/sdk | 0.32.1 | 0.33.1 |
| next | 15.3.8 | 15.5.10 |
| @hpke/core | 1.7.4 | 1.7.5 |
| h3 | 1.15.4 | 1.15.5 |
| js-yaml | 3.14.1 | 3.14.2 |
| node-forge | 1.3.1 | 1.3.3 |
| tar | 7.4.3 | 7.5.9 |

Bumps the npm_and_yarn group with 7 updates in the /partners/web3auth directory:

| Package | From | To |
| --- | --- | --- |
| next | 15.4.10 | 15.5.10 |
| @eslint/plugin-kit | 0.3.1 | 0.3.5 |
| brace-expansion | 1.1.11 | 1.1.12 |
| h3 | 1.15.3 | 1.15.5 |
| js-yaml | 4.1.0 | 4.1.1 |
| lodash | 4.17.21 | 4.17.23 |
| tar | 7.4.3 | 7.5.9 |

Bumps the npm_and_yarn group with 5 updates in the /quickstarts/connectkit directory:

| Package | From | To |
| --- | --- | --- |
| @metamask/sdk | 0.33.0 | 0.33.1 |
| h3 | 1.15.4 | 1.15.5 |
| js-yaml | 4.1.0 | 4.1.1 |
| lodash | 4.17.21 | 4.17.23 |
| vite | 7.1.3 | 7.1.11 |

Bumps the npm_and_yarn group with 2 updates in the /quickstarts/javascript directory: @metamask/sdk and vite.
Bumps the npm_and_yarn group with 3 updates in the /quickstarts/next directory: @metamask/sdk, next and js-yaml.
Bumps the npm_and_yarn group with 4 updates in the /quickstarts/rainbowkit directory: @metamask/sdk, h3, js-yaml and vite.
Bumps the npm_and_yarn group with 3 updates in the /quickstarts/react directory: @metamask/sdk, js-yaml and vite.
Bumps the npm_and_yarn group with 4 updates in the /quickstarts/wagmi directory: next, glob, h3 and js-yaml.

Updates @metamask/sdk from 0.32.1 to 0.33.1

Changelog

Sourced from @​metamask/sdk's changelog.

[0.33.1]

Fixed

  • chore: pin debug package to 4.3.4 due to npm compromise (#1342)

[0.33.0]

Added

  • Add rpc ignore list to analytics (#1293)
  • Integrate sdk-analytics with SDK (#1289)

Fixed

  • Updates and Fixes to Analytics (#1294)
Commits

Updates next from 15.3.8 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer to the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

Commits

Updates @hpke/core from 1.7.4 to 1.7.5

Release notes

Sourced from @​hpke/core's releases.

@​hpke/core@​1.7.5

See core/CHANGES.

Commits

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)
Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

🤖 CI

❤️ Contributors

Commits
  • 24231b9 chore(release): v1.15.5
  • bd92b74 chore: fix more ts/lint issues
  • d18c074 chore: update deps
  • c9ebf80 chore: fix ts issue
  • 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
  • 401c9b8 ci: fix publish tag
  • 589625c chore: update publish tag to 1.x
  • b4dce71 chore: update ci
  • 0a4a115 chore: add test:types script
  • c934599 chore: update ci
  • Additional commits viewable in compare view

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

Updates lodash from 4.17.21 to 4.17.23

Commits

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

  • [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

  • HIGH: ASN.1 Validator Desynchronization
    • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-12816
    • GHSA ID: GHSA-5gfm-wpxj-wjgq
  • HIGH: ASN.1 Unbounded Recursion
    • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66031
    • GHSA ID: GHSA-554w-wpv2-vw27
  • MODERATE: ASN.1 OID Integer Truncation
    • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
    • Reported by Hunter Wodzenski.
    • CVE ID: CVE-2025-66030
    • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

  • [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
  • [asn1] Add fromDer() max recursion depth check.
    • Add an asn1.maxDepth global configurable maximum depth of 256.
    • Add a asn1.fromDer() per-call maxDepth option.
    • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
    • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

Updates tar from 7.4.3 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates next from 15.4.10 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer to the following changelogs for more information about this security release:

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

Commits

Updates @eslint/plugin-kit from 0.3.1 to 0.3.5

Release notes

Sourced from @​eslint/plugin-kit's releases.

plugin-kit: v0.3.5

0.3.5 (2025-08-05)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^0.15.1 to ^0.15.2

plugin-kit: v0.3.4

0.3.4 (2025-07-21)

Bug Fixes

  • potential quadratic runtime in regular expression (#240) (b283f64)

plugin-kit: v0.3.3

0.3.3 (2025-06-25)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^0.15.0 to ^0.15.1

plugin-kit: v0.3.2

0.3.2 (2025-06-09)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^0.14.0 to ^0.15.0
Changelog

Sourced from @​eslint/plugin-kit's changelog.

0.3.5 (2025-08-05)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^0.15.1 to ^0.15.2

0.3.4 (2025-07-21)

Bug Fixes

  • potential quadratic runtime in regular expression (#240) (b283f64)

0.3.3 (2025-06-25)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^0.15.0 to ^0.15.1

0.3.2 (2025-06-09)

Dependencies

  • The following workspace dependencies were updated
    • dependencies
      • @​eslint/core bumped from ^0.14.0 to ^0.15.0
Commits

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

Updates h3 from 1.15.3 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)
Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

  • readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

🤖 CI

❤️ Contributors

Commits
  • 24231b9 chore(release): v1.15.5
  • bd92b74 chore: fix more ts/lint issues
  • d18c074 chore: update deps
  • c9ebf80 chore: fix ts issue
  • 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
  • 401c9b8 ci: fix publish tag
  • 589625c chore: update publish tag to 1.x
  • b4dce71 chore: update ci
  • 0a4a115 chore: add test:types script
  • c934599 chore: update ci
  • Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

Updates lodash from 4.17.21 to 4.17.23

Commits

Updates preact from 10.26.6 to 10.28.4

Release notes

Sourced from preact's releases.

10.28.4

Fixes

Performance

10.28.3

Fixes

Maintenance

10.28.2

Fixes

  • Enforce strict equality for VNode object constructors

10.28.1

Fixes

10.28.0

Types

Fixes

Performance

... (truncated)

Commits

Updates sha.js from 2.4.11 to 2.4.12

Changelog

Sourced from sha.js's changelog.

v2.4.12 - 2025-07-01

Commits

  • [eslint] switch to eslint 7acadfb
  • [meta] add auto-changelog b46e711
  • [eslint] fix package.json indentation df9d521
  • [Tests] migrate from travis to GHA c43c64a
  • [Fix] support multi-byte wide typed arrays f2a258e
  • [meta] reorder package.json d8d77c0
  • [meta] add npmignore 35aec35
  • [Tests] avoid console logs 73e33ae
  • [Tests] fix tests run in batch 2629130
  • [Tests] drop node requirement to 0.10 00c7f23
  • [Dev Deps] update buffer, hash-test-vectors, standard, tape, typedarray 92b5de5
  • [Tests] drop node requirement to v3

Description has been truncated


    [!NOTE]
    Low Risk
    Low risk because it only updates dependency versions, but regressions are possible due to framework/runtime changes in the Next.js bump.

    Overview
    Dependency updates for partners/dynamic: bumps @metamask/sdk from 0.32.1 to 0.33.1 and upgrades next from 15.3.8 to 15.5.10 in package.json.

    No application code changes; this is a version-only update intended to pull in upstream fixes (including security patches in newer Next.js releases).

    Written by Cursor Bugbot for commit 067941a. This will update automatically on new commits. Configure here.
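The node-forge 1.3.2 changelog quoted above fixes unbounded recursion by giving `asn1.fromDer()` a maximum nesting depth (default 256, overridable per call). The sketch below is an added example of that kind of check in a minimal DER walker; it is not node-forge's code, and `parseDer`, `nestedSequences`, `deepest` and the sample inputs are names and data constructed for this illustration.

```javascript
'use strict';

// Same default the changelog states for asn1.maxDepth (assumption: the root counts as depth 1 here).
const DEFAULT_MAX_DEPTH = 256;

// Read a definite-form length starting at buf[pos]; never read past `end`.
function readLength(buf, pos, end) {
  if (pos >= end) throw new RangeError('truncated length');
  const first = buf[pos];
  if (first < 0x80) return { length: first, next: pos + 1 };
  const n = first & 0x7f;
  if (n === 0) throw new RangeError('indefinite length is not valid DER');
  if (n > 4) throw new RangeError('length field too large');
  if (pos + 1 + n > end) throw new RangeError('truncated length');
  let length = 0;
  for (let i = 0; i < n; i++) length = length * 256 + buf[pos + 1 + i];
  return { length, next: pos + 1 + n };
}

// Parse one TLV at buf[pos]. The depth check runs before any further recursion,
// so attacker-controlled nesting cannot exhaust the call stack.
function parseNode(buf, pos, end, depth, maxDepth) {
  if (depth > maxDepth) throw new RangeError(`ASN.1 nesting exceeds maxDepth ${maxDepth}`);
  if (pos >= end) throw new RangeError('truncated tag');
  const tag = buf[pos];
  if ((tag & 0x1f) === 0x1f) throw new RangeError('high-tag-number form not handled in this example');
  const { length, next } = readLength(buf, pos + 1, end);
  const valueEnd = next + length;
  if (valueEnd > end) throw new RangeError('value overruns parent');
  const node = { tag, constructed: (tag & 0x20) !== 0, depth, end: valueEnd };
  if (node.constructed) {
    node.children = [];
    for (let p = next; p < valueEnd; ) {
      const child = parseNode(buf, p, valueEnd, depth + 1, maxDepth);
      node.children.push(child);
      p = child.end;
    }
  } else {
    node.value = buf.subarray(next, valueEnd);
  }
  return node;
}

// Entry point with a per-call override, mirroring the "per-call maxDepth option" idea.
function parseDer(bytes, options = {}) {
  const maxDepth = options.maxDepth ?? DEFAULT_MAX_DEPTH;
  const buf = Uint8Array.from(bytes);
  const root = parseNode(buf, 0, buf.length, 1, maxDepth);
  if (root.end !== buf.length) throw new RangeError('trailing bytes after DER value');
  return root;
}

// Depth of the deepest node in a parsed tree.
function deepest(node) {
  let d = node.depth;
  for (const c of node.children ?? []) d = Math.max(d, deepest(c));
  return d;
}

// --- Constructed test input: `levels` nested SEQUENCEs wrapping a NULL ---
function encodeLength(n) {
  if (n < 0x80) return [n];
  const out = [];
  while (n > 0) { out.unshift(n & 0xff); n = Math.floor(n / 256); }
  return [0x80 | out.length, ...out];
}

function nestedSequences(levels) {
  let body = [0x05, 0x00]; // NULL
  for (let i = 0; i < levels; i++) body = [0x30, ...encodeLength(body.length), ...body];
  return body;
}

// Demo on constructed input: 10 levels parse, 300 levels are refused at the default limit.
for (const levels of [10, 300]) {
  try {
    console.log(levels, 'levels -> deepest node at depth', deepest(parseDer(nestedSequences(levels))));
  } catch (e) {
    console.log(levels, 'levels -> rejected:', e.message);
  }
}
```

When reviewing a bump like this one, the same question applies to any other parser of untrusted DER in the dependency tree: is nesting bounded before recursion, and is the bound configurable where legitimate data is deep.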

… updates

Bumps the npm_and_yarn group with 7 updates in the /partners/dynamic directory:

| Package | From | To |
| --- | --- | --- |
| [@metamask/sdk](https://github.com/MetaMask/metamask-sdk/tree/HEAD/packages/sdk) | `0.32.1` | `0.33.1` |
| [next](https://github.com/vercel/next.js) | `15.3.8` | `15.5.10` |
| [@hpke/core](https://github.com/dajiaji/hpke-js) | `1.7.4` | `1.7.5` |
| [h3](https://github.com/h3js/h3) | `1.15.4` | `1.15.5` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.3` |
| [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.9` |

Bumps the npm_and_yarn group with 7 updates in the /partners/web3auth directory:

| Package | From | To |
| --- | --- | --- |
| [next](https://github.com/vercel/next.js) | `15.4.10` | `15.5.10` |
| [@eslint/plugin-kit](https://github.com/eslint/rewrite/tree/HEAD/packages/plugin-kit) | `0.3.1` | `0.3.5` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.12` |
| [h3](https://github.com/h3js/h3) | `1.15.3` | `1.15.5` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.9` |

Bumps the npm_and_yarn group with 5 updates in the /quickstarts/connectkit directory:

| Package | From | To |
| --- | --- | --- |
| [@metamask/sdk](https://github.com/MetaMask/metamask-sdk/tree/HEAD/packages/sdk) | `0.33.0` | `0.33.1` |
| [h3](https://github.com/h3js/h3) | `1.15.4` | `1.15.5` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.1.3` | `7.1.11` |

Bumps the npm_and_yarn group with 2 updates in the /quickstarts/javascript directory: [@metamask/sdk](https://github.com/MetaMask/metamask-sdk/tree/HEAD/packages/sdk) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
Bumps the npm_and_yarn group with 3 updates in the /quickstarts/next directory: [@metamask/sdk](https://github.com/MetaMask/metamask-sdk/tree/HEAD/packages/sdk), [next](https://github.com/vercel/next.js) and [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 4 updates in the /quickstarts/rainbowkit directory: [@metamask/sdk](https://github.com/MetaMask/metamask-sdk/tree/HEAD/packages/sdk), [h3](https://github.com/h3js/h3), [js-yaml](https://github.com/nodeca/js-yaml) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
Bumps the npm_and_yarn group with 3 updates in the /quickstarts/react directory: [@metamask/sdk](https://github.com/MetaMask/metamask-sdk/tree/HEAD/packages/sdk), [js-yaml](https://github.com/nodeca/js-yaml) and [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).
Bumps the npm_and_yarn group with 4 updates in the /quickstarts/wagmi directory: [next](https://github.com/vercel/next.js), [glob](https://github.com/isaacs/node-glob), [h3](https://github.com/h3js/h3) and [js-yaml](https://github.com/nodeca/js-yaml).


Updates `@metamask/sdk` from 0.32.1 to 0.33.1
- [Release notes](https://github.com/MetaMask/metamask-sdk/releases)
- [Changelog](https://github.com/MetaMask/metamask-sdk/blob/main/packages/sdk/CHANGELOG.md)
- [Commits](https://github.com/MetaMask/metamask-sdk/commits/@metamask/sdk@0.33.1/packages/sdk)

Updates `next` from 15.3.8 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.3.8...v15.5.10)

Updates `@hpke/core` from 1.7.4 to 1.7.5
- [Release notes](https://github.com/dajiaji/hpke-js/releases)
- [Changelog](https://github.com/dajiaji/hpke-js/blob/main/CHANGES.md)
- [Commits](https://github.com/dajiaji/hpke-js/compare/@hpke/core@1.7.4...@hpke/core@1.7.5)

Updates `h3` from 1.15.4 to 1.15.5
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.4...v1.15.5)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `node-forge` from 1.3.1 to 1.3.3
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.3)

Updates `tar` from 7.4.3 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.4.3...v7.5.9)

Updates `next` from 15.4.10 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.3.8...v15.5.10)

Updates `@eslint/plugin-kit` from 0.3.1 to 0.3.5
- [Release notes](https://github.com/eslint/rewrite/releases)
- [Changelog](https://github.com/eslint/rewrite/blob/main/packages/plugin-kit/CHANGELOG.md)
- [Commits](https://github.com/eslint/rewrite/commits/plugin-kit-v0.3.5/packages/plugin-kit)

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

Updates `h3` from 1.15.3 to 1.15.5
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.4...v1.15.5)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `preact` from 10.26.6 to 10.28.4
- [Release notes](https://github.com/preactjs/preact/releases)
- [Commits](preactjs/preact@10.26.6...10.28.4)

Updates `sha.js` from 2.4.11 to 2.4.12
- [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md)
- [Commits](browserify/sha.js@v2.4.11...v2.4.12)

Updates `tar` from 7.4.3 to 7.5.9
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.4.3...v7.5.9)

Updates `@metamask/sdk` from 0.33.0 to 0.33.1
- [Release notes](https://github.com/MetaMask/metamask-sdk/releases)
- [Changelog](https://github.com/MetaMask/metamask-sdk/blob/main/packages/sdk/CHANGELOG.md)
- [Commits](https://github.com/MetaMask/metamask-sdk/commits/@metamask/sdk@0.33.1/packages/sdk)

Updates `h3` from 1.15.4 to 1.15.5
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.4...v1.15.5)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `vite` from 7.1.3 to 7.1.11
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.1.11/packages/vite)

Updates `@metamask/sdk` from 0.33.0 to 0.33.1
- [Release notes](https://github.com/MetaMask/metamask-sdk/releases)
- [Changelog](https://github.com/MetaMask/metamask-sdk/blob/main/packages/sdk/CHANGELOG.md)
- [Commits](https://github.com/MetaMask/metamask-sdk/commits/@metamask/sdk@0.33.1/packages/sdk)

Updates `vite` from 7.1.3 to 7.1.11
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.1.11/packages/vite)

Updates `@metamask/sdk` from 0.33.0 to 0.33.1
- [Release notes](https://github.com/MetaMask/metamask-sdk/releases)
- [Changelog](https://github.com/MetaMask/metamask-sdk/blob/main/packages/sdk/CHANGELOG.md)
- [Commits](https://github.com/MetaMask/metamask-sdk/commits/@metamask/sdk@0.33.1/packages/sdk)

Updates `next` from 15.5.9 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.3.8...v15.5.10)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `@metamask/sdk` from 0.33.0 to 0.33.1
- [Release notes](https://github.com/MetaMask/metamask-sdk/releases)
- [Changelog](https://github.com/MetaMask/metamask-sdk/blob/main/packages/sdk/CHANGELOG.md)
- [Commits](https://github.com/MetaMask/metamask-sdk/commits/@metamask/sdk@0.33.1/packages/sdk)

Updates `h3` from 1.15.4 to 1.15.5
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.4...v1.15.5)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `vite` from 7.1.3 to 7.1.11
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.1.11/packages/vite)

Updates `@metamask/sdk` from 0.33.0 to 0.33.1
- [Release notes](https://github.com/MetaMask/metamask-sdk/releases)
- [Changelog](https://github.com/MetaMask/metamask-sdk/blob/main/packages/sdk/CHANGELOG.md)
- [Commits](https://github.com/MetaMask/metamask-sdk/commits/@metamask/sdk@0.33.1/packages/sdk)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `vite` from 7.1.3 to 7.1.11
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.1.11/packages/vite)

Updates `next` from 15.4.10 to 15.5.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.3.8...v15.5.10)

Updates `glob` from 10.4.5 to 10.5.0
- [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md)
- [Commits](isaacs/node-glob@v10.4.5...v10.5.0)

Updates `h3` from 1.15.4 to 1.15.5
- [Release notes](https://github.com/h3js/h3/releases)
- [Changelog](https://github.com/h3js/h3/blob/v1.15.5/CHANGELOG.md)
- [Commits](h3js/h3@v1.15.4...v1.15.5)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

---
updated-dependencies:
- dependency-name: "@metamask/sdk"
  dependency-version: 0.33.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@hpke/core"
  dependency-version: 1.7.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: h3
  dependency-version: 1.15.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@eslint/plugin-kit"
  dependency-version: 0.3.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: h3
  dependency-version: 1.15.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: preact
  dependency-version: 10.28.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: sha.js
  dependency-version: 2.4.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@metamask/sdk"
  dependency-version: 0.33.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: h3
  dependency-version: 1.15.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.1.11
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@metamask/sdk"
  dependency-version: 0.33.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.1.11
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@metamask/sdk"
  dependency-version: 0.33.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@metamask/sdk"
  dependency-version: 0.33.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: h3
  dependency-version: 1.15.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.1.11
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@metamask/sdk"
  dependency-version: 0.33.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.1.11
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: next
  dependency-version: 15.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: glob
  dependency-version: 10.5.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: h3
  dependency-version: 1.15.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Feb 19, 2026
@vercel
Contributor

vercel bot commented Feb 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| metamask-connectkit-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-dynamic-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-javascript-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-next-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-rainbowkit-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-react-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-sdk-examples | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-wagmi-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |
| metamask-web3auth-demo | Ready | Preview, Comment | Feb 19, 2026 3:00pm |

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain Security Vulnerability Quality Maintenance License
Updated next@15.5.9 ⏵ 15.5.10 6899 +1791 +19770
Updated vite@7.1.3 ⏵ 7.1.11 98 +7100 +48299100
Updated @metamask/sdk@0.32.1 ⏵ 0.33.1 97 +2100 +299 +186 +150

@socket-security

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert
Warn Low
Potential code anomaly (AI signal): npm js-yaml is 100.0% likely to have a medium risk anomaly

Notes: The script functions as a straightforward JSON↔YAML translator CLI with standard error handling. The primary security concern is the use of yaml.loadAll without a safeLoad alternative, which could enable YAML deserialization risks if inputs contain crafted tags. To improve security, switch to a safe loader (e.g., yaml.safeLoadAll or equivalent) or ensure the library is configured to restrict risky constructors. Overall, no malware indicators were observed; the risk is confined to YAML deserialization semantics.

Confidence: 1.00

Severity: 0.60

From: partners/dynamic/pnpm-lock.yaml → npm/@dynamic-labs/ethereum@4.29.1 → npm/js-yaml@3.14.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@3.14.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm next is 100.0% likely to have a medium risk anomaly

Notes: No definitive malicious activity detected within this code fragment. The patterns align with a sophisticated SSR/streaming framework (likely React server components) that includes instrumentation, taint-tracking scaffolding, and cross-context reference management. Primary security considerations involve validating input handling, safeguarding taint data and cross-process references, and ensuring that console patching and error reporting do not unintentionally leak sensitive information. A broader repository review is recommended to confirm that taint registries do not expose metadata across boundaries and that streaming paths do not inadvertently expose form data to unintended destinations.

Confidence: 1.00

Severity: 0.60

From: quickstarts/wagmi/package.json → npm/next@15.5.10


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.5.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm socket.io-parser is 100.0% likely to have a medium risk anomaly

Notes: The code fragment represents a legitimate, well-structured Socket.IO v5 encoder/decoder with proper binary payload handling and input validation. No malicious indicators found, and the risk profile is low to moderate for this isolated module. No hardcoded secrets or exfiltration logic detected. Recommend treating as safe for use within a secure codebase, with standard review of imported utilities to confirm their integrity.

Confidence: 1.00

Severity: 0.60

From: quickstarts/javascript/pnpm-lock.yaml → npm/@metamask/sdk@0.33.1 → npm/socket.io-parser@4.2.5


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/socket.io-parser@4.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
