chore(deps): bump the minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the minor-and-patch group with 4 updates in the / directory: js-yaml, @types/node, js-cookie and semver.

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.
• Fix trailing whitespace handling when folding flow scalar lines, #307.
• Reject top-level block scalars without content indentation, #280.
• Ensure numbers survive round-trip, #737.
• Fix test coverage for issue #221.
• Fix flow scalar trailing whitespace folding, #307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

Commits

• See full diff in compare view

Updates @types/node from 25.7.0 to 25.9.1

Commits

• See full diff in compare view

Updates js-cookie from 3.0.5 to 3.0.8

Release notes

Sourced from js-cookie's releases.

v3.0.8

• Restore ES5 compatibility, inadvertently broken in 3.0.7 - #959
• Lift Node version restriction, inadvertently restricted to >= 20 in 3.0.7 - #956

v3.0.7

• Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
• Add Partitioned attribute to readme (b994768)
• Publish to npm registry via trusted publisher exclusively (4dc71be)
• Ensure consistent behaviour for get('name') + get() (1953d30)

Commits

• d7a1096 Craft v3.0.8 release
• 248e685 Use existing Chrome with puppeteer
• fc04269 Remove QUnit related workaround in Grunt config
• 265a685 Tidy up package lock file
• 478e591 Disable Node deprecation DEP0044 for release workflow
• 331d524 Fix node version config for E2E test job
• 11d773d Ensure ECMAScript compatibility
• d788646 Remove engines property from package
• e7d9a4d Fix typo in test assertion message
• b5fca24 Make credentials use explicit in release workflow
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.

Updates semver from 7.8.0 to 7.8.1

Release notes

Sourced from semver's releases.

v7.8.1

7.8.1 (2026-05-21)

Bug Fixes

• 17aa702 #869 strip build metadata before comparator trimming (#869) (@​owlstronaut)
• 5f3ca13 #867 handle prerelease bounds in subset (#867) (@​puneetdixit200, Puneet Dixit)

Changelog

Sourced from semver's changelog.

7.8.1 (2026-05-21)

Bug Fixes

• 17aa702 #869 strip build metadata before comparator trimming (#869) (@​owlstronaut)
• 5f3ca13 #867 handle prerelease bounds in subset (#867) (@​puneetdixit200, Puneet Dixit)

Commits

• 7641608 chore: release 7.8.1 (#868)
• 17aa702 fix: strip build metadata before comparator trimming (#869)
• 5f3ca13 fix: handle prerelease bounds in subset (#867)
• See full diff in compare view

Updates undici-types from 7.21.0 to 7.24.6

Release notes

Sourced from undici-types's releases.

v7.24.6

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in nodejs/undici#4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in nodejs/undici#4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in nodejs/undici#4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in nodejs/undici#4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in nodejs/undici#4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in nodejs/undici#4834
• docs: clarify fetch and FormData pairing by @​mcollina in nodejs/undici#4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in nodejs/undici#4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in nodejs/undici#4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in nodejs/undici#4926
• test: auto-init WPT submodule by @​mcollina in nodejs/undici#4930

New Contributors

• @​rozzilla made their first contribution in nodejs/undici#4909
• @​veeceey made their first contribution in nodejs/undici#4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

What's Changed

• Formdata tests by @​KhafraDev in nodejs/undici#4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in nodejs/undici#4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in nodejs/undici#4913

New Contributors

• @​metalix2 made their first contribution in nodejs/undici#4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in nodejs/undici#4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

... (truncated)

Commits

• 38eab36 Bumped v7.24.6 (#4931)
• 993609d test: auto-init WPT submodule (#4930)
• 1eacc49 build(deps-dev): bump typescript from 5.9.3 to 6.0.2 (#4926)
• b64e7e4 fix: avoid prototype collisions in parseHeaders (#4923)
• deba679 Revert "fix: assume http/https scheme for scheme-less proxy env vars (#4914)"
• feef62b fix: support Connection header with connection-specific header names per RFC ...
• a613d9a docs: clarify fetch and FormData pairing (#4922)
• 2ba99a3 fix: wrap kConnector call in try/catch to prevent client hang (#4834)
• a7398c0 fix(cache): check Authorization on request headers per RFC 9111 §3.5 (#4911)
• 2b2afbc fix: assume http/https scheme for scheme-less proxy env vars (#4914)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions