chore(deps): bump the npm_and_yarn group across 4 directories with 26 updates

[dependabot]

Bumps the npm_and_yarn group with 17 updates in the /dashboard directory:

Package	From	To
@backstage/plugin-auth-backend	0.14.1	0.27.1
@backstage/integration	1.13.0	1.20.1
@smithy/config-resolver	2.0.18	2.2.0
cipher-base	1.0.4	1.0.7
flatted	3.2.9	3.4.2
immutable	3.8.2	3.8.3
jsonpath	1.1.1	1.3.0
jws	3.2.2	3.2.3
min-document	2.19.0	2.19.2
node-forge	1.3.1	1.4.0
pbkdf2	3.1.2	3.1.5
qs	6.5.3	6.5.5
rollup	2.79.1	2.80.0
sha.js	2.4.11	2.4.12
svgo	2.8.0	2.8.2
undici	5.28.4	5.29.0
webpack	5.89.0	5.105.4

Bumps the npm_and_yarn group with 1 update in the /dashboard/packages/backend directory: @backstage/plugin-auth-backend.
Bumps the npm_and_yarn group with 8 updates in the /rs/dre-canisters/node_status_canister directory:

Package	From	To
brace-expansion	1.1.11	1.1.12
minimatch	3.1.2	3.1.5
node-forge	1.3.1	1.4.0
on-headers	1.0.2	1.1.0
qs	6.11.0	6.14.2
serialize-javascript	6.0.1	6.0.2
webpack	5.88.2	5.105.4
@remix-run/router	1.8.0	1.23.2

Bumps the npm_and_yarn group with 2 updates in the /rs/dre-canisters/trustworthy-node-metrics directory: next and vite.

Updates @backstage/plugin-auth-backend from 0.14.1 to 0.27.1

Changelog

Sourced from @​backstage/plugin-auth-backend's changelog.

@​backstage/plugin-auth-backend

0.28.0-next.0

Minor Changes

• d7c67cd: BREAKING: The setting auth.omitIdentityTokenOwnershipClaim has had its default value switched to true.

  With this setting Backstage user tokens issued by the auth backend will no longer contain an ent claim - the one with the user's ownership entity refs. This means that tokens issued in large orgs no longer risk hitting HTTP header size limits.

  To get ownership info for the current user, code should use the userInfo core service. In practice code will typically already conform to this since the ent claim has not been readily exposed in any other way for quite some time. But code which explicitly decodes Backstage tokens - which is strongly discouraged - may be affected by this change.

  The setting will remain for some time to allow it to be set back to false if need be, but it will be removed entirely in a future release.

Patch Changes

• dc87ac1: Fixed CIMD redirect URI matching to allow any port for localhost addresses per RFC 8252 Section 7.3. Native CLI clients use ephemeral ports for OAuth callbacks, which are now accepted when the registered redirect URI uses a localhost address.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.1-next.0
  • @​backstage/plugin-auth-node@​0.6.15-next.0
  • @​backstage/plugin-catalog-node@​2.1.1-next.0
  • @​backstage/catalog-model@​1.7.7
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/types@​1.2.2

0.27.2

Patch Changes

• 1ccad86: Added who-am-i action to the auth backend actions registry. Returns the catalog entity and user info for the currently authenticated user.
• d0f4cd2: Added optional client metadata document endpoint at /.well-known/oauth-client/cli.json relative to the auth backend base URL for CLI authentication. Enabled when auth.experimentalClientIdMetadataDocuments.enabled is set to true.
• 6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1
• e9b6e97: Fixed a security vulnerability where the CIMD metadata fetch could follow HTTP redirects to internal hosts, bypassing SSRF protections.
• 0f9d673: Improved redirect URI validation in the experimental OIDC provider to match against normalized URLs rather than raw strings.
• a49a40d: Updated dependency zod to ^3.25.76 || ^4.0.0 & migrated to /v3 or /v4 imports.
• 634eded: Fixed a foreign key constraint violation when issuing refresh tokens for CIMD clients, and prevented a failed refresh token issuance from failing the entire token exchange. Fixed AWS ALB auth provider incorrectly returning HTTP 500 instead of 401 for JWT validation failures, which caused retry loops and memory pressure under load.
• 619be54: Update migrations to be reversible
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0
  • @​backstage/plugin-catalog-node@​2.1.0
  • @​backstage/catalog-model@​1.7.7
  • @​backstage/plugin-auth-node@​0.6.14

0.27.1-next.2

Patch Changes

... (truncated)

Commits

• See full diff in compare view

Updates @backstage/integration from 1.13.0 to 1.20.1

Changelog

Sourced from @​backstage/integration's changelog.

@​backstage/integration

2.0.0

Major Changes

• 527cf88: BREAKING Removed deprecated Azure DevOps, Bitbucket, Gerrit and GitHub code:

  • For Azure DevOps, the long deprecated token string and credential object have been removed from the config.d.ts. Use the credentials array object instead.
  • For Bitbucket, the long deprecated bitbucket object has been removed from the config.d.ts. Use the bitbucketCloud or bitbucketServer objects instead.
  • For Gerrit, the parseGerritGitilesUrl function has been removed, use parseGitilesUrlRef instead. The buildGerritGitilesArchiveUrl function has also been removed, use buildGerritGitilesArchiveUrlFromLocation instead.
  • For GitHub, the getGitHubRequestOptions function has been removed.

Minor Changes

• d933f62: Add configurable throttling and retry mechanism for GitLab integration.

Patch Changes

• 1513a0b: Fixed a security vulnerability where path traversal sequences in SCM URLs could be used to access unintended API endpoints using server-side integration credentials.
• 993a598: Fixed Azure integration config schema visibility annotations to use per-field @visibility secret instead of @deepVisibility secret on parent objects, so that non-secret fields like clientId, tenantId, organizations, and managedIdentityClientId are no longer incorrectly marked as secret.

2.0.0-next.2

Patch Changes

• 1513a0b: Fixed a security vulnerability where path traversal sequences in SCM URLs could be used to access unintended API endpoints using server-side integration credentials.

2.0.0-next.1

Major Changes

• 527cf88: BREAKING Removed deprecated Azure DevOps, Bitbucket, Gerrit and GitHub code:

  • For Azure DevOps, the long deprecated token string and credential object have been removed from the config.d.ts. Use the credentials array object instead.
  • For Bitbucket, the long deprecated bitbucket object has been removed from the config.d.ts. Use the bitbucketCloud or bitbucketServer objects instead.
  • For Gerrit, the parseGerritGitilesUrl function has been removed, use parseGitilesUrlRef instead. The buildGerritGitilesArchiveUrl function has also been removed, use buildGerritGitilesArchiveUrlFromLocation instead.
  • For GitHub, the getGitHubRequestOptions function has been removed.

Patch Changes

• 993a598: Fixed Azure integration config schema visibility annotations to use per-field @visibility secret instead of @deepVisibility secret on parent objects, so that non-secret fields like clientId, tenantId, organizations, and managedIdentityClientId are no longer incorrectly marked as secret.
• Updated dependencies
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7

1.21.0-next.0

Minor Changes

... (truncated)

Commits

• c8a8aac Version Packages
• 4aa43f6 chore(deps): update dependency cross-fetch to v4
• f577e11 Version Packages (next)
• 11153a0 Merge remote-tracking branch 'upstream/master' into entra-rename
• ad7d38c fix tests
• 243c655 Updated Azure Active Directory to Entra ID
• 8cdb8c2 Version Packages
• e43d3eb Version Packages (next)
• 0b55f77 Removed some unused dependencies
• bea3617 Version Packages (next)
• Additional commits viewable in compare view

Updates @smithy/config-resolver from 2.0.18 to 2.2.0

Changelog

Sourced from @​smithy/config-resolver's changelog.

2.2.0

Minor Changes

• 38f9a61f: Update package dependencies

Patch Changes

• Updated dependencies [38f9a61f]
• Updated dependencies [661f1d60]
  • @​smithy/node-config-provider@​2.3.0
  • @​smithy/util-config-provider@​2.3.0
  • @​smithy/util-middleware@​2.2.0
  • @​smithy/types@​2.12.0

2.1.5

Patch Changes

• Updated dependencies [43f3e1e2]
  • @​smithy/types@​2.11.0
  • @​smithy/node-config-provider@​2.2.5
  • @​smithy/util-middleware@​2.1.4

2.1.4

Patch Changes

• @​smithy/node-config-provider@​2.2.4

2.1.3

Patch Changes

• Updated dependencies [dd0d9b4b]
  • @​smithy/types@​2.10.1
  • @​smithy/node-config-provider@​2.2.3
  • @​smithy/util-middleware@​2.1.3

2.1.2

Patch Changes

• Updated dependencies [d70a00ac]
• Updated dependencies [1e23f967]
  • @​smithy/types@​2.10.0
  • @​smithy/node-config-provider@​2.2.2
  • @​smithy/util-middleware@​2.1.2

2.1.1

... (truncated)

Commits

• a53fe36 Version NPM packages
• 38f9a61 chore: bulk upgrade npm dependencies (#1202)
• 85a275d Version NPM packages
• beea449 Version NPM packages
• 3357fda Version NPM packages
• 7baf4b1 Version NPM packages
• 3769699 Version NPM packages
• 1d85e7d Version NPM packages
• 9939f82 feat: use inline cjs build (#1146)
• e3b13dd Version NPM packages
• Additional commits viewable in compare view

Updates axios from 1.7.4 to 1.13.6

Release notes

Sourced from axios's releases.

v1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#7424)
• Documentation: Added missing JSDoc comments to utilities. (#7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#7386)
• @​ybbus (#7392)
• @​Shiwaangee (#7324)
• @​skrtheboss (#7403)
• @​Janaka66 (#7427)
• @​moh3n9595 (#5764)
• @​digital-wizard48 (#7424)

Full Changelog: v1.13.5...v1.13.6

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 7108c88 chore(release): prepare release 1.13.6 (#7446)
• 20a0ba3 refactor(deps): migrate @​rollup/plugin-babel from v5.3.1 to v6.1.0 (#7424)
• 885b4af feat: support react native blob objects (#5764)
• 00d97b9 docs(utils): add missing JSDoc comments (#7427)
• 9712548 chore(deps-dev): bump the development_dependencies group across 1 directory w...
• d51accb fix(core): copy status from source error in AxiosError.from (#7403)
• 3e30bbf chore: fix publish to only run on v1 tags
• 672491d fix: safe FormData detection for WeChat Mini Program (#7306) (#7324)
• 822e3e4 fix: make AxiosError.message property enumerable (#7392)
• ef3711d feat: implement prettier and fix all issues (#7385)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

• [Refactor] use to-buffer fd1e5ee
• [Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

• [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

• [Tests] standard -> eslint, make test dir, etc ae02fd6
• [Tests] migrate from travis to GHA 66387d7
• [meta] fix package.json indentation 5c02918
• [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
• [meta] add auto-changelog 88dc806
• [meta] add npmignore and safe-publish-latest 7a137d7
• Only apps should have lockfiles 42528f2
• [Deps] update inherits, safe-buffer 0e7a2d9
• [meta] add missing engines.node f2dc13e

Commits

• 0056718 v1.0.7
• fd1e5ee [Refactor] use to-buffer
• 08ba803 [Dev Deps] update @ljharb/eslint-config
• f5249f9 v1.0.6
• b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
• f03cebf v1.0.5
• 88dc806 [meta] add auto-changelog
• 7a137d7 [meta] add npmignore and safe-publish-latest
• 5c02918 [meta] fix package.json indentation
• 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.

Updates flatted from 3.2.9 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates immutable from 3.8.2 to 3.8.3

Release notes

Sourced from immutable's releases.

v3.8.3

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

• Migrate some files to TS by @​jdeniau in immutable-js/immutable-js#2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in immutable-js/immutable-js#2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in immutable-js/immutable-js#2136
• Doc add Map.get signature update by @​borracciaBlu in immutable-js/immutable-js#2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in immutable-js/immutable-js#2133
• Fix algolia search by @​jdeniau in immutable-js/immutable-js#2135
• Typo in OrderedMap by @​jdeniau in immutable-js/immutable-js#2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

• fix: allow readonly map entry constructor by @​septs in immutable-js/immutable-js#2123

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

... (truncated)

Commits

• c407425 bump v3.8.3
• c6ff68a release script on 3.x branch
• a675a66 Merge pull request #2179 from immutable-js/port-patch-for-cve-2026-29063
• 6e2cf1c Port patch for CVE 2026-29063 onto branch 3.x
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.

Updates jsonpath from 1.1.1 to 1.3.0

Commits

• See full diff in compare view

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

• Code reorganization, thanks @​fearphage! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)

Commits

• 4f6e73f Merge commit from fork
• bd0fea5 version 3.2.3
• 7c3b4b4 Enhance tests for HMAC streaming sign and verify
• a9b8ed9 Improve secretOrKey initialization in VerifyStream
• 6707fde Improve secret handling in SignStream
• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates min-document from 2.19.0 to 2.19.2

Commits

• 0d14150 2.19.2
• 49c2e06 Merge pull request #56 from wasabina67/fix/prototype-pollution-removeAttribut...
• 9666461 Fix prototype pollution vulnerability in removeAttributeNS
• 4490b40 2.19.1
• 2cd5871 update ignore
• fe32e8d Merge pull request #55 from jameswassink/fix/prototype-pollution-removeAttrib...
• 6c5f31a Better prototype pollution fix
• 0d4e819 Fix prototype pollution in removeAttributeNS
• bf7b691 Update package.json
• 1b5402d Merge pull request #49 from PixnBits/patch-1
• Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
  • CVE ID: CVE-2026-33896
  • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

• fa385f9 Release 1.4.0.
• 07d4e16 Update changelog.
• cb90fd9 Update changelog.
• 963e7c5 Add unit test for "pseudonym"
• f0b6f5b Add pseudonym OID
• 3df48a3 Fix missing CVE ID.
• 2e49283 Add x509 basicConstraints check.
• bdecf11 Add canonical signature scaler check for S < L.
• af094e6 Add RSA padding and DigestInfo length checks.
• 796eeb1 Improve jsbn fix.
• Additional commits viewable in compare view

Updates pbkdf2 from 3.1.2 to 3.1.5

Changelog

Sourced from pbkdf2's changelog.

v3.1.5 - 2025-09-23

Commits

• [Fix] only allow finite iterations 67bd94d
• [Fix] restore node 0.10 support 8f59d96
• [Fix] check parameters before the "no Promise" bailout d2dc5f0

v3.1.4 - 2025-09-22

Commits

• [Deps] update create-hash, ripemd160, sha.js, to-buffer 8dbf49b
• [meta] update repo URLs d15bc35
• [Dev Deps] update @ljharb/eslint-config aaf870b

v3.1.3 - 2025-06-20

Commits

• Only apps should have lockfiles 8b06730
• [lint] fix whitespace 9a76e2f
• [lint] fix parens/curlies/semis/etc 6fd84bf
• [meta] add auto-changelog 796c38d
• [Tests] fix tests in node 17 3661fb0
• Revert "[Tests] fix tests in node < 3" 7431b57
• [Tests] fix tests in node < 3 eb9f97a
• [Fix] ensure unknown algorithms throw + known ones match node 26d4fd3
• [Tests] add GHA, always run nyc 513906a
• [lint] fix a few more rules ab04da8
• [lint] switch to eslint 89694cf
• [Tests] add coverage d0d534b
• [Refactor] use to-buffer e3102a8
• [readme] improve badges fca0c9d
• [Tests] remove unused travis file a2c7d93
• [meta] switch from files to npmignore 7f31fbc
• [Tests] use .nycrc 8d628e8
• [Refactor] minor tweaks fc61005
• [Deps] update create-hmac, safe-buffer, sha.js ae2a7d0
• [Fix] pin create-hash, ripemd160 due to breaking changes e079968
• [Tests] fix tests in node 3 45fbcf3
• [meta] skip publishing benchmarks 19ea57b
• [Dev Deps] add missing peer dep 645e252

Commits

• 3687905 v3.1.5
• 67bd94d [Fix] only allow finite iterations
• 8f59d96 [Fix] restore node 0.10 support
• d2dc5f0 [Fix] check parameters before the "no Promise" bailout
• b2ad615 v3.1.4
• ...

  Description has been truncated