chore(deps): bump the npm_and_yarn group across 2 directories with 15 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
react-router	6.30.1	6.30.2
@backstage/backend-defaults	0.6.2	0.15.2
qs	6.14.0	6.14.2
@backstage/cli-common	0.1.15	0.1.18
@backstage/plugin-techdocs-node	1.13.10	1.14.2
@smithy/config-resolver	4.3.2	4.4.6
diff	4.0.2	4.0.4
js-yaml	3.14.1	3.14.2
jws	3.2.2	3.2.3
lodash	4.17.21	4.17.23
node-forge	1.3.1	1.3.3
vm2	3.10.0	3.10.5

Bumps the npm_and_yarn group with 1 update in the /plugins/stack-overflow-teams-backend directory: @backstage/backend-defaults.

Updates react-router from 6.30.1 to 6.30.2

Release notes

Sourced from react-router's releases.

v6.30.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

Changelog

Sourced from react-router's changelog.

v6.30.2

Date: 2025-11-13

Security Notice

This release addresses 1 security vulnerability:

• Unexpected external redirect via untrusted paths

Patch Changes

• Normalize double-slashes in resolvePath (#14537)

Full Changelog: v6.30.1...v6.30.2

Commits

• 26b5d45 chore: Update version for release (#14541)
• 919f8a8 chore: Update version for release (pre-v6) (#14540)
• 69bf705 Normalize double slashes in resolvePath (#14537)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for react-router since your current version.

Updates @backstage/backend-defaults from 0.6.2 to 0.15.2

Changelog

Sourced from @​backstage/backend-defaults's changelog.

0.15.2

Patch Changes

• 7455dae: Use node prefix on native imports
• 44f5d04: Minor internal restructure of the postgres config loading code
• 4fc7bf0: Bump to tar v7
• 5dd683f: createRateLimitMiddleware is now exported from @backstage/backend-defaults/httpRouter
• 8dd518a: Support connection.type: azure in database client to use Microsoft Entra authentication with Azure database for PostgreSQL
• 69d880e: Bump to latest zod to ensure it has the latest features
• Updated dependencies
  • @​backstage/backend-app-api@​1.5.0
  • @​backstage/integration@​1.20.0
  • @​backstage/integration-aws-node@​0.1.20
  • @​backstage/backend-plugin-api@​1.7.0
  • @​backstage/backend-dev-utils@​0.1.7
  • @​backstage/config-loader@​1.10.8
  • @​backstage/cli-node@​0.2.18
  • @​backstage/plugin-auth-node@​0.6.13
  • @​backstage/plugin-permission-node@​0.10.10
  • @​backstage/plugin-events-node@​0.4.19

0.15.2-next.1

Patch Changes

• 8dd518a: Support connection.type: azure in database client to use Microsoft Entra authentication with Azure database for PostgreSQL
• Updated dependencies
  • @​backstage/integration@​1.20.0-next.1
  • @​backstage/cli-node@​0.2.18-next.1
  • @​backstage/backend-plugin-api@​1.7.0-next.1

0.15.1-next.0

Patch Changes

• 7455dae: Use node prefix on native imports
• 44f5d04: Minor internal restructure of the postgres config loading code
• 4fc7bf0: Bump to tar v7
• 69d880e: Bump to latest zod to ensure it has the latest features
• Updated dependencies
  • @​backstage/integration-aws-node@​0.1.20-next.0
  • @​backstage/backend-plugin-api@​1.7.0-next.0
  • @​backstage/backend-dev-utils@​0.1.7-next.0
  • @​backstage/config-loader@​1.10.8-next.0
  • @​backstage/integration@​1.19.3-next.0
  • @​backstage/cli-node@​0.2.17-next.0
  • @​backstage/plugin-auth-node@​0.6.12-next.0
  • @​backstage/backend-app-api@​1.5.0-next.0
  • @​backstage/plugin-permission-node@​0.10.9-next.0

... (truncated)

Commits

• See full diff in compare view

Updates qs from 6.14.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates @backstage/cli-common from 0.1.15 to 0.1.18

Changelog

Sourced from @​backstage/cli-common's changelog.

0.1.18

Patch Changes

• 7455dae: Use node prefix on native imports

0.1.18-next.0

Patch Changes

• 7455dae: Use node prefix on native imports
• Updated dependencies
  • @​backstage/errors@​1.2.7

0.1.17

Patch Changes

• ae4dd5d: Move some of the symlink resolution to isChildPath

0.1.16

Patch Changes

• 5cfb2a4: Added new run, runOutput, and runCheck utilities to help run child processes in a safe and portable way.
• c8c2329: Add proxy configuration from env-vars to create-app tasks
• 2bae83a: Bumped dev dependencies @types/node

0.1.16-next.2

Patch Changes

• 2bae83a: Bumped dev dependencies @types/node
• Updated dependencies
  • @​backstage/errors@​1.2.7

0.1.16-next.1

Patch Changes

• 5cfb2a4: Added new run, runOutput, and runCheck utilities to help run child processes in a safe and portable way.

0.1.16-next.0

Patch Changes

• c8c2329: Add proxy configuration from env-vars to create-app tasks

Commits

• See full diff in compare view

Updates @backstage/plugin-techdocs-node from 1.13.10 to 1.14.2

Changelog

Sourced from @​backstage/plugin-techdocs-node's changelog.

1.14.2

Patch Changes

• 7455dae: Use node prefix on native imports
• 3c455d4: Some security fixes
• Updated dependencies
  • @​backstage/integration@​1.20.0
  • @​backstage/integration-aws-node@​0.1.20
  • @​backstage/backend-plugin-api@​1.7.0
  • @​backstage/plugin-search-common@​1.2.22

1.14.2-next.1

Patch Changes

• 3c455d4: Some security fixes
• Updated dependencies
  • @​backstage/integration@​1.20.0-next.1
  • @​backstage/backend-plugin-api@​1.7.0-next.1

1.14.1-next.0

Patch Changes

• 7455dae: Use node prefix on native imports
• Updated dependencies
  • @​backstage/integration-aws-node@​0.1.20-next.0
  • @​backstage/backend-plugin-api@​1.7.0-next.0
  • @​backstage/plugin-search-common@​1.2.22-next.0
  • @​backstage/integration@​1.19.3-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/plugin-techdocs-common@​0.1.1

1.14.0

Minor Changes

• 63c459c: BREAKING: It's now possible to use the credentials from the integrations.awsS3 config to authenticate with AWS S3. The new priority is:

  1. aws.accounts
  2. techdocs.publisher.awsS3.credentials
  3. integrations.awsS3
  4. Default credential chain

  In case of multiple integrations.awsS3 are present, the target integration is determined by the accessKeyId in techdocs.publisher.awsS3.credentials if provided. Otherwise, the default credential chain is used.

  This means that depending on your setup, this feature may break your existing setup.

... (truncated)

Commits

• See full diff in compare view

Updates @smithy/config-resolver from 4.3.2 to 4.4.6

Release notes

Sourced from @​smithy/config-resolver's releases.

@​smithy/util-defaults-mode-browser@​4.3.32

Patch Changes

• @​smithy/smithy-client@​4.11.5

@​smithy/middleware-compression@​4.3.31

Patch Changes

• Updated dependencies [c5db01c]
  • @​smithy/core@​3.23.2

@​smithy/util-defaults-mode-browser@​4.3.31

Patch Changes

• @​smithy/smithy-client@​4.11.4

@​smithy/util-defaults-mode-browser@​4.3.30

Patch Changes

• @​smithy/smithy-client@​4.11.3

@​smithy/middleware-compression@​4.3.30

Patch Changes

• Updated dependencies [6f96c01]
  • @​smithy/core@​3.23.1

@​smithy/util-defaults-mode-browser@​4.3.29

Patch Changes

• @​smithy/smithy-client@​4.11.2

@​smithy/middleware-compression@​4.3.29

Patch Changes

• Updated dependencies [4f05c6a]
  • @​smithy/core@​3.23.0

@​smithy/util-defaults-mode-browser@​4.3.28

Patch Changes

• @​smithy/smithy-client@​4.11.1

@​smithy/middleware-compression@​4.3.28

Patch Changes

• @​smithy/core@​3.22.1

@​smithy/middleware-compression@​4.3.27

Patch Changes

... (truncated)

Changelog

Sourced from @​smithy/config-resolver's changelog.

4.4.6

Patch Changes

• Updated dependencies [745867a]
  • @​smithy/types@​4.12.0
  • @​smithy/node-config-provider@​4.3.8
  • @​smithy/util-endpoints@​3.2.8
  • @​smithy/util-middleware@​4.2.8

4.4.5

Patch Changes

• Updated dependencies [9ccb841]
  • @​smithy/types@​4.11.0
  • @​smithy/node-config-provider@​4.3.7
  • @​smithy/util-endpoints@​3.2.7
  • @​smithy/util-middleware@​4.2.7

4.4.4

Patch Changes

• Updated dependencies [5a56762]
  • @​smithy/types@​4.10.0
  • @​smithy/node-config-provider@​4.3.6
  • @​smithy/util-endpoints@​3.2.6
  • @​smithy/util-middleware@​4.2.6

4.4.3

Patch Changes

• Updated dependencies [3926fd7]
  • @​smithy/types@​4.9.0
  • @​smithy/node-config-provider@​4.3.5
  • @​smithy/util-endpoints@​3.2.5
  • @​smithy/util-middleware@​4.2.5

4.4.2

Patch Changes

• 372b46f: allow * region with warning

4.4.1

Patch Changes

... (truncated)

Commits

• 0e8cc49 Version NPM packages
• 7e4bbf6 chore: upgrade rimraf to v5.0.10 (#1829)
• 521d67c Version NPM packages
• 8b90f36 Version NPM packages
• cc0124e Version NPM packages
• 07f95d9 Version NPM packages
• 372b46f fix(config-resolver): allow asterisk region with warning (#1760)
• 472a5ea Version NPM packages
• 8af2d33 Version NPM packages
• 13c5cd9 chore(config-resolver): add region validation cache (#1750)
• Additional commits viewable in compare view

Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

v4.0.4 - January 2026

Only change from 4.0.2 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v4.0.3 (deprecated)

Accidental release - do not use.

Commits

• f06f3e4 v4.0.4
• 0179a48 v4.0.3
• 4568cae Backport kpdecker/jsdiff#649
• 4de0ffa Backport kpdecker/jsdiff#647
• See full diff in compare view

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.

Updates form-data from 2.3.3 to 2.5.5

Release notes

Sourced from form-data's releases.

v2.5.2

Fixes

• Buffer.from and Buffer.alloc require node 4+
• npmignore temporary build files (#532)
• move util.isArray to Array.isArray (#564)

Tests

• migrate from travis to GHA

Dev Improvements

• Fixed error in the documentations as indicated in #439
• Added remaining combined-stream options to typedef
• Bumped rimraf to 2.7.1 (dev-dep)
• Added constructor options to TypeScript defs
• Fixed error in callback signatures

Added Types

• Added TS types
• Improved documentation

Added getBuffer method

Updated test builds to support node10 and 12.

Changelog

Sourced from form-data's changelog.

v2.5.5 - 2025-07-18

Commits

• [meta] actually ensure the readme backup isn’t published 10626c0
• [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] update linting config 8bf2492
• [meta] add auto-changelog b5101ad
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
• [Fix] Switch to using crypto random for boundary values b88316c
• [Fix] validate boundary type in setBoundary() method 131ae5e
• [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
• [Refactor] use hasown 97ac9c2
• [meta] remove local commit hooks be99d4e
• [Dev Deps] remove unused deps ddbc89b
• [meta] fix scripts to use prepublishOnly e351a97
• [Dev Deps] remove unused script 8f23366
• [Dev Deps] add missing peer dep 02ff026
• [meta] fix readme capitalization 2fd5f61

v2.5.3 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

Commits

• [Refactor] use Object.prototype.hasOwnProperty.call 6e682d4
• [Dev Deps] update @types/node, browserify, coveralls, eslint, formidable, in-publish, phantomjs-prebuilt, pkgfiles, pre-commit, request, tape, typescript 819f6b7
• Only apps should have lockfiles b170ee2
• [Deps] update combined-stream, mime-types 6b1ca1d
• Bumped version 2.5.3 9457283
• [Dev Deps] pin request which via tough-cookie ^2.4 depends on psl 9dbe192

v2.5.2 - 2024-10-10

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates jsonpath-plus from 7.2.0 to 10.3.0

Release notes

Sourced from jsonpath-plus's releases.

v10.3.0

What's Changed

• fix(eval): rce using non-string prop names by @​80avin in JSONPath-Plus/JSONPath#237
• feat(demo): make demo link shareable by @​80avin in JSONPath-Plus/JSONPath#238

Full Changelog: JSONPath-Plus/JSONPath@v10.2.0...v10.3.0

Changelog

Sourced from jsonpath-plus's changelog.

10.3.0

• fix(eval): rce using non-string prop names (#237)
• feat(demo): make demo link shareable (#238)
• chore: update deps. and devDeps.

10.2.0

• fix(eval): improve security of safe-eval (#233)
• chore: update deps. and devDeps.

10.1.0

• feat: add typeof operator to safe script

10.0.7

• fix(security): prevent constructor access
• docs: add security policy file

10.0.6

• fix(security): prevent call/apply invocation of Function

10.0.5

• fix: remove overly aggressive disabling of native functions but disallow __proto__

10.0.4

• fix(security): further prevent binding of Function calls which may evade detection

10.0.3

• fix(security): prevent binding of Function calls which may evade detection

10.0.2

• fix(security): prevent Function calls outside of member expressions

10.0.1

• fix(security): prohibit Function in "safe" vm

10.0.0

BREAKING CHANGES:

• Require Node 18+

... (truncated)

Commits

• 9754e4b chore: bump version
• f690da1 chore: update deps and devDeps
• 313a9b4 Merge pull request #238 from 80avin/shareable-demo
• 39a0d03 Merge pull request #237 from 80avin/fix-10.2.0-rce
• 1c532fc feat(demo): make demo link shareable
• 3094289 fix(eval): rce using non-string prop names
• 8e4acf8 chore: bump version
• f0708a4 chore: update deps. and devDeps.
• 0bfda55 build(deps): bump @​eslint/plugin-kit from 0.2.0 to 0.2.3 (#234)
• 73ad72e fix(eval): improve security of safe-eval (#233)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by 80avin, a new releaser for jsonpath-plus since your current version.

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

• Code reorganization, thanks @​fearphage! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)

Commits

• 4f6e73f Merge commit from fork
• bd0fea5 version 3.2.3
• 7c3b4b4 Enhance tests for HMAC streaming sign and verify
• a9b8ed9 Improve secretOrKey initialization in VerifyStream
• 6707fde Improve secret handling in SignStream
• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

• 1cea0af Release 1.3.3.
• 5265989 Update changelog.
• e4f3961 Fix changelog for release.
• 503979b Update changelog.
• c3b3b32 Make digestAlgorithm parameters optional
• 6f70043 Update CVE details.
• f547b0d Start 1.3.3-0.
• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• Additional commits viewable in compare view

Updates tough-cookie from 2.5.0 to 4.1.4

Release notes

Sourced from tough-cookie's releases.

v4.1.4

https://www.npmjs.com/package/tough-cookie/v/4.1.4

What's Changed

• Add local alias for toString by @​corvidism in salesforce/tough-cookie#409
• Fix incorrect string validation for URL by @​coditva in salesforce/tough-cookie#261

New Contributors

• @​corvidism made their first contribution in salesforce/tough-cookie#409
• @​coditva made their first contribution in salesforce/tough-cookie#261

Full Changelog: salesforce/tough-cookie@v4.1.3...v4.1.4

4.1.3

Security fix for Prototype Pollution discovery in #282. This is a minor release, although output from the inspect utility is affected by this change, we felt this change was important enough to be pushed into the next patch.

4.1.2 -- Patch and Bugfix Release

What's Changed

• fix: allow set cookies with localhost by @​colincasey in salesforce/tough-cookie#253

Full Changelog: salesforce/tough-cookie@v4.1.1...v4.1.2

4.1.1

Patch Release

What's Changed

• fix: allow special use domains by default by @​colincasey in salesforce/tough-cookie#249
• 4.1.1 Patch -- allow special use domains by default by @​awaterma in salesforce/tough-cookie#250

Full Changelog: salesforce/tough-cookie@v4.1.0...v4.1.1

4.1.0

v4.1.0

Minor release, focused mainly on resolving reported issues and some minor feature work.

What's Changed

• Create CHANGELOG.md by @​ShivanKaul in salesforce/tough-cookie#189
• Missing param validation issue145 by @​medelibero-sfdc in salesforce/tough-cookie#193
• Create SECURITY.md by @​ShivanKaul in salesforce/tough-cookie#201
• Create CODE_OF_CONDUCT.md by @​ShivanKaul in salesforce/tough-cookie#200
• Fix for issue #195 by @​medelibero-sfdc in salesforce/tough-cookie#202
• Add explanation and more special-use domains by @​ShivanKaul in salesforce/tough-cookie#203
• Sync of constructor options for serialization by @​medelibero-sfdc in salesforce/tough-cookie#204
• Returned null in case of empty cookie value by @​vsin12 in salesforce/tough-cookie#196
• 132 str trim not a function by @​awaterma in salesforce/tough-cookie#209
• Fix for issue #153 by @​medelibero-sfdc in salesforce/tough-cookie#210
• Fix permuteDomain with trailing dot by @​ruoho-sfdc in salesforce/tough-cookie#216
• Issue #213 -- added gh-actions flow for building and testing tough-co… by @​awaterma in salesforce/tough-cookie#218

... (truncated)

Commits

• cacbc37 Bump version to 4.1.4
• a48fb3a Add tests for url validation
• 50e69bf Merge pull request #261 from postmanlabs/fix/url-string-validation
• 1253d58 Merge pull request #409 from corvidism/validators-to-string
• 238367e Add local alias for toString
• 4ff4d29 4.1.3 release preparation, update the package and lib/version to 4.1.3. (#284)
• 12d4747 Prevent prototype pollution in cookie memstore (#283)
• f06b72d Fix documentation for store.findCookies, missing allowSpecialUseDomain proper...
• cf6debd Fix incorrect string validation for URL
• b1a8898 fix: allow set cookies with localhost (#253)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ccasey, a new releaser for tough-cookie since your current version.

Updates vm2 from 3.10.0 to 3.10.5
...

Description has been truncated