Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates#1535

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-6bb3295a55
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates#1535
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-6bb3295a55

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 22, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: effect.

Updates effect from 3.18.4 to 3.21.2

Release notes

Sourced from effect's releases.

effect@3.21.2

Patch Changes

  • #6194 74f3267 Thanks @​mikearnaldi! - Fix TestClock.unsafeCurrentTimeNanos() to floor fractional millisecond instants before converting them to BigInt.

effect@3.21.1

Patch Changes

  • #6139 f99048e Thanks @​marbemac! - Fix batched request resolver defects causing consumer fibers to hang forever.

    When a RequestResolver.makeBatched resolver died with a defect, the request Deferreds were never completed because the cleanup logic in invokeWithInterrupt used flatMap (which only runs on success). Changed to ensuring so uncompleted request entries are always resolved regardless of exit type.

effect@3.21.0

Minor Changes

  • #5780 f7bb09b Thanks @​kitlangton! - Add Cron.prev and reverse iteration support, aligning next/prev lookup tables, fixing DST handling symmetry, and expanding cron backward/forward test coverage.

  • #5780 bd7552a Thanks @​mattiamanzati! - Add type-level utils to asserting layer types

  • #5780 ad1a7eb Thanks @​schickling! - RcMap: support dynamic idleTimeToLive values per key

    The idleTimeToLive option can now be a function that receives the key and returns a duration, allowing different TTL values for different resources.

    const map =
  yield *
  RcMap.make({
    lookup: (key: string) => acquireResource(key),
    idleTimeToLive: (key: string) => {
      if (key.startsWith("premium:")) return Duration.minutes(10)
      return Duration.minutes(1)
    }
  })

  • #5780 0d32048 Thanks @​mikearnaldi! - Fix annotateCurrentSpan, add Effect.currentPropagatedSpan

Patch Changes

  • #5780 0d32048 Thanks @​mikearnaldi! - Add logs to first propagated span, in the following case before this fix the log would not be added to the p span because Effect.fn adds a fake span for the purpose of adding a stack frame.

    import { Effect } from "effect"
const f = Effect.fn(function* () {
yield* Effect.logWarning("FooBar")
return yield* Effect.fail("Oops")
})
const p = f().pipe(Effect.withSpan("p"))

... (truncated)

Changelog

Sourced from effect's changelog.

3.21.2

Patch Changes

  • #6194 74f3267 Thanks @​mikearnaldi! - Fix TestClock.unsafeCurrentTimeNanos() to floor fractional millisecond instants before converting them to BigInt.

3.21.1

Patch Changes

  • #6139 f99048e Thanks @​marbemac! - Fix batched request resolver defects causing consumer fibers to hang forever.

    When a RequestResolver.makeBatched resolver died with a defect, the request Deferreds were never completed because the cleanup logic in invokeWithInterrupt used flatMap (which only runs on success). Changed to ensuring so uncompleted request entries are always resolved regardless of exit type.

3.21.0

Minor Changes

  • #5780 f7bb09b Thanks @​kitlangton! - Add Cron.prev and reverse iteration support, aligning next/prev lookup tables, fixing DST handling symmetry, and expanding cron backward/forward test coverage.

  • #5780 bd7552a Thanks @​mattiamanzati! - Add type-level utils to asserting layer types

  • #5780 ad1a7eb Thanks @​schickling! - RcMap: support dynamic idleTimeToLive values per key

    The idleTimeToLive option can now be a function that receives the key and returns a duration, allowing different TTL values for different resources.

    const map =
  yield *
  RcMap.make({
    lookup: (key: string) => acquireResource(key),
    idleTimeToLive: (key: string) => {
      if (key.startsWith("premium:")) return Duration.minutes(10)
      return Duration.minutes(1)
    }
  })

  • #5780 0d32048 Thanks @​mikearnaldi! - Fix annotateCurrentSpan, add Effect.currentPropagatedSpan

Patch Changes

  • #5780 0d32048 Thanks @​mikearnaldi! - Add logs to first propagated span, in the following case before this fix the log would not be added to the p span because Effect.fn adds a fake span for the purpose of adding a stack frame.

    import { Effect } from "effect"
const f = Effect.fn(function* () {
yield* Effect.logWarning("FooBar")
return yield* Effect.fail("Oops")

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for effect since your current version.


Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates tmp from 0.0.33 to 0.2.5

Changelog

Sourced from tmp's changelog.

v0.2.2 (2024-02-28)

🐛 Bug Fix

📝 Documentation

Committers: 5

v0.2.1 (2020-04-28)

🚀 Enhancement

🏠 Internal

Committers: 1

v0.2.0 (2020-04-25)

🚀 Enhancement

🐛 Bug Fix

📝 Documentation

🏠 Internal

... (truncated)

Commits

Updates undici from 6.21.3 to 8.3.0

Release notes

Sourced from undici's releases.

v8.3.0

What's Changed

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.


Updates ws from 8.18.3 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

  • Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

  • Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

  • Added the closeTimeout option (#2308).

Bug fixes

  • Handled a forthcoming breaking change in Node.js core (19984854).
Commits
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • 8439255 [dist] 8.20.0
  • d3503c1 [minor] Export the PerMessageDeflate class and header utils
  • 3ee5349 [api] Convert the isServer and maxPayload parameters to options
  • 91707b4 [doc] Add missing space
  • 8b55319 [pkg] Update eslint to version 10.0.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 1 directory with 5 up…
3185a23 
…dates

Bumps the npm_and_yarn group with 1 update in the / directory: [effect](https://github.com/Effect-TS/effect/tree/HEAD/packages/effect).


Updates `effect` from 3.18.4 to 3.21.2
- [Release notes](https://github.com/Effect-TS/effect/releases)
- [Changelog](https://github.com/Effect-TS/effect/blob/main/packages/effect/CHANGELOG.md)
- [Commits](https://github.com/Effect-TS/effect/commits/effect@3.21.2/packages/effect)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `tmp` from 0.0.33 to 0.2.5
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.0.33...v0.2.5)

Updates `undici` from 6.21.3 to 8.3.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.21.3...v8.3.0)

Updates `ws` from 8.18.3 to 8.20.1
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.3...8.20.1)

---
updated-dependencies:
- dependency-name: effect
  dependency-version: 3.21.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tmp
  dependency-version: 0.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 8.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.20.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 22, 2026
@dependabot dependabot Bot requested a review from kdev as a code owner May 22, 2026 12:41
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kdev kdev Awaiting requested review from kdev kdev is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants