build(deps): bump the npm_and_yarn group across 2 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
hono	4.12.12	4.12.21
uuid	13.0.0	14.0.0
ws	8.20.0	8.20.1
dompurify	3.3.3	3.4.0
marked	18.0.0	18.0.2

Bumps the npm_and_yarn group with 1 update in the /extensions/whatsapp directory: @whiskeysockets/baileys.

Updates hono from 4.12.12 to 4.12.21

Release notes

Sourced from hono's releases.

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

What's Changed

• fix(route): preserve the base path of the mounted route() app by @​usualoma in honojs/hono#4942
• fix(jsx): widen jsx and jsxFn children to Child[] by @​ashunar0 in honojs/hono#4947

New Contributors

• @​ashunar0 made their first contribution in honojs/hono#4947

Full Changelog: honojs/hono@v4.12.19...v4.12.20

v4.12.19

What's Changed

• ci: pin GitHub Actions to SHAs by @​yusukebe in honojs/hono#4932
• fix(serveStatic): make options parameter optional in all adapters by @​mixelburg in honojs/hono#4934
• fix(cookie): return the first cookie when there are multiple cookies with the same name by @​usualoma in honojs/hono#4922
• feat(bearer-auth): make bearerAuth generic for typed context in verifyToken by @​justinnais in honojs/hono#4913
• feat(cache): key cache entries by configured vary headers by @​usualoma in honojs/hono#4915
• feat(request): add bytes() by @​yusukebe in honojs/hono#4921
• fix(stream): upgrade @hono/node-server to v2 and fix abort handling by @​yusukebe in honojs/hono#4940

New Contributors

• @​justinnais made their first contribution in honojs/hono#4913

Full Changelog: honojs/hono@v4.12.18...v4.12.19

... (truncated)

Commits

• a83ddb8 4.12.21
• 6cbb025 Merge commit from fork
• c831020 Merge commit from fork
• 905aedb Merge commit from fork
• 5463db2 Merge commit from fork
• c657a39 4.12.20
• eb2d0c2 fix(jsx): widen jsx and jsxFn children to Child[] (#4947)
• dcabbec fix(route): preserve the base path of the mounted route() app (#4942)
• 7e62bcd 4.12.19
• e2f252a fix(stream): upgrade @hono/node-server to v2 and fix abort handling (#4940)
• Additional commits viewable in compare view

Updates uuid from 13.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

• rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@20+) (#935)
• drop node@18 support (#934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

Commits

• 7c1ea08 chore(main): release 14.0.0 (#926)
• 3d2c5b0 Merge commit from fork
• f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
• 529ef08 chore: upgrade TypeScript and fixup types (#927)
• 086fd79 chore: update dependencies (#933)
• dc4ddb8 feat!: drop node@18 support (#934)
• 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
• e2879e6 chore: use maintained version of npm-run-all (#930)
• ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
• 0423d49 docs: remove obsolete v1 option notes (#915)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Updates ws from 8.20.0 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

• Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.

import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});

The issue was privately reported by Nikita Skovoroda.

Commits

• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Updates dompurify from 3.3.3 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• See full diff in compare view

Updates marked from 18.0.0 to 18.0.2

Release notes

Sourced from marked's releases.

v18.0.2

18.0.2 (2026-04-18)

Bug Fixes

• fix infinite loop for indented code blank line (#3947) (58a52e8)

v18.0.1

18.0.1 (2026-04-17)

Bug Fixes

• rules: ensure lookbehind regex is evaluated correctly by minifiers (#3945) (abd907a)

Commits

• c4f4529 chore(release): 18.0.2 [skip ci]
• 58a52e8 fix: fix infinite loop for indented code blank line (#3947)
• 98b3824 chore(release): 18.0.1 [skip ci]
• abd907a fix(rules): ensure lookbehind regex is evaluated correctly by minifiers (#3945)
• 96351c4 chore(deps-dev): bump marked-highlight from 2.2.3 to 2.2.4 (#3946)
• c132699 chore: update testutils (#3942)
• See full diff in compare view

Updates @grpc/grpc-js from 1.14.3 to 1.14.4

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.14.4

• Fix a bug that could cause servers to crash when handling malformed requests (advisory GHSA-5375-pq7m-f5r2)
• Fix a bug that could cause clients and servers to crash when handling malformed compressed messages (advisory GHSA-99f4-grh7-6pcq)

Commits

• a380735 Merge pull request #3052 from murgatroid99/grpc-js_1.14.4
• 5b8d37b Merge commit from fork
• 6a97456 Merge commit from fork
• e5e0b1d grpc-js: Bump version to 1.14.4
• 5029a26 Make compression error a static string
• 2fe55fd Fix crashes when receiving malformed compressed data
• 234f917 Fix server crash when handling invalid requests
• acef8d4 Merge pull request #3043 from murgatroid99/rbac_types_change_fix_1.14
• 4f3c58f grpc-js-xds: Update RBAC code to handle Node type change, pin @​types/node
• See full diff in compare view

Updates @opentelemetry/exporter-prometheus from 0.214.0 to 0.219.0

Release notes

Sourced from @​opentelemetry/exporter-prometheus's releases.

experimental/v0.219.0

0.219.0

💥 Breaking Changes

• fix(configuration)!: stop removing null values from parsed config object #6679 @​trentm
  • It is now the responsibility of the user of a parsed declarative config object, typically just the sdk-node package, to handle null values.
• fix(api-logs)!: Removed NOOP_LOGGER and NoopLogger exports from @opentelemetry/api-logs. Use createNoopLogger(): Logger instead. #6713 @​dyladan
• feat(api-logs)!: rename scopeAttributes to attributes in LoggerOptions #6573 @​pichlermarc
• fix(sdk-node)!: remove buildSamplerFromConfig export #6784 @​trentm

🚀 Features

• feat(sdk-node): wire up metric producers from declarative config #6712 @​MikeGoldsmith
• feat(sdk-logs)!: add support for attributes in LoggerOptions #6573 @​pichlermarc

🐛 Bug Fixes

• fix(sdk-node): pass all config properties to log record exporters in declarative config #6708 @​MikeGoldsmith
• fix(sdk-node): warn and ignore zero exporter timeout in declarative config #6711 @​MikeGoldsmith
• fix(sdk-node): pass gRPC credentials and headers to span exporter in declarative config #6705 @​MikeGoldsmith
• fix(otlp-transformer): do not attempt to skip groups #6704 @​pichlermarc
• fix(otlp-grpc-exporter-base): recreate client after 5 consecutive DEADLINE_EXCEEDED to recover from connection dropped deadlock #6296 @​afharo
• fix(browser-detector): use the right semantic convention for user agent resource attribute #6729 @​david-luna
• fix(browser-detector): user agent resource attribute always #6754 @​david-luna
• fix(opentelemetry-exporter-prometheus): handle additional edge cases in metric name conversion #6727 @​cjihrig
• fix(sdk-logs): avoid null dereference in BatchLogRecordProcessor._flushAll when an in-flight export completes between awaits #6763 @​Janealter
• fix(configuration): improve environment variable substitution to handle all the cases shown in the spec #6757 @​trentm

📚 Documentation

• docs(otlp-exporter-base): index the package's public API in generated docs so types like OTLPExporterNodeConfigBase resolve and link from consumer exporter pages #6725 @​devareddy05

🏠 Internal

• refactor(configuration): remove redundant env var parsing in EnvironmentConfigFactory #6710 @​MikeGoldsmith

experimental/v0.218.0

0.218.0

🚀 Features

• feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
• feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
• feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

• refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna

... (truncated)

Commits

• 13a035b chore: prepare next release (#6756)
• 4b13587 Merge commit from fork
• 71d195c chore(renovate): set minimumReleaseAge to 3 days (#6792)
• 555fca6 Update renovate.json to use matchManagers (#6141)
• b711a81 docs(otlp-exporter-base): add typedoc entry points so public API is indexed a...
• da70402 fix(ci): supply-chain sec: disable caching in release-related workflow (#6790)
• 002267b chore: complete the move to the smaller SPDX license header (#6791)
• 056ef9c feat(sdk-metrics): implement metric reader metrics (#6449)
• 3bd69ce fix(configuration): improve environment variable substitution to handle all t...
• bfbda7c docs(exporter-trace-otlp-grpc): import CompressionAlgorithm from otlp-exporte...
• Additional commits viewable in compare view

Updates protobufjs from 6.8.8 to 7.5.4

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.5.4

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

protobufjs: v7.5.3

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

protobufjs: v7.5.2

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

protobufjs: v7.5.1

7.5.1 (2025-05-08)

Bug Fixes

• optimize regressions from editions implementations (#2066) (6406d4c)
• reserved field inside group blocks fail parsing (#2058) (56782bf)

protobufjs: v7.5.0

7.5.0 (2025-04-15)

Features

• add Edition 2023 Support (f04ded3)
• add Edition 2023 Support (ac9a3b9)
• add Edition 2023 Support (e5ca5c8)
• add Edition 2023 Support (a84409b)
• add Edition 2023 Support (9c5a178)
• add Edition 2023 Support (b2c6867)
• add Edition 2023 Support (60f3e51)
• add Edition 2023 Support (a656361)
• add Edition 2023 Support (869a95b)
• add Edition 2023 Support (b936af4)
• add Edition 2023 Support (a938467)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

7.5.4 (2025-08-15)

Bug Fixes

• invalid syntax in descriptor.proto (#2092) (5a3769a)

7.5.3 (2025-05-28)

Bug Fixes

• descriptor extensions handling post-editions (#2075) (6e255d4)

7.5.2 (2025-05-14)

Bug Fixes

• ensure that types are always resolved (#2068) (4b51cb2)

7.5.1 (2025-05-08)

Bug Fixes

• optimize regressions from editions implementations (#2066) (6406d4c)
• reserved field inside group blocks fail parsing (#2058) (56782bf)

7.5.0 (2025-04-15)

Features

• add Edition 2023 Support (f04ded3)
• add Edition 2023 Support (ac9a3b9)
• add Edition 2023 Support (e5ca5c8)
• add Edition 2023 Support (a84409b)
• add Edition 2023 Support (9c5a178)
• add Edition 2023 Support (b2c6867)
• add Edition 2023 Support (60f3e51)
• add Edition 2023 Support (a656361)
• add Edition 2023 Support (869a95b)
• add Edition 2023 Support (b936af4)
• add Edition 2023 Support (a938467)
• add Edition 2023 Support (1af8454)
• add Edition 2023 Support (785416f)
• add feature resolution (a9ffc8a)
• add feature resolution and tests (68b5339)
• add feature resolution for protobuf editions (547afa2)

... (truncated)

Commits

• 827ff8e chore: release master (#2093)
• 5a3769a fix: invalid syntax in descriptor.proto (#2092)
• f42297b chore: release master (#2076)
• 6e255d4 fix: descriptor extensions handling post-editions (#2075)
• 9467abe chore: release master (#2070)
• 4b51cb2 fix: ensure that types are always resolved (#2068)
• 69cced8 chore: release master (#2067)
• 6406d4c fix: optimize regressions from editions implementations (#2066)
• 56782bf fix: reserved field inside group blocks fail parsing (#2058)
• 1dbcfe3 Merge pull request #2035 from protobufjs/release-please--branches--master
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for protobufjs since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates @whiskeysockets/baileys from 7.0.0-rc.9 to 7.0.0-rc12

Release notes

Sourced from @​whiskeysockets/baileys's releases.

v7.0.0-rc12

7.0.0-rc12

This version patches the security flaw addressed in GHSA-qvv5-jq5g-4cgg. Please exercise extreme caution and upgrade to the latest version or latest legacy version (6.7.22).

v7.0.0-rc11

A quick release meant to pin the libsignal pipeline to the NPM registry. The release also includes a small bug fix for old VPSes lacking SIMD support for the WASM. We moved Baileys's dep from git to NPM:

1. This should remove the need to install git to install baileys.
2. This should increase code transparency & security as libsignal now goes under the same Trusted Publishing and Provenance as Baileys rc10.

Read the full rc10 patch notes here: https://github.com/WhiskeySockets/Baileys/releases/tag/v7.0.0-rc10

We are working on migrating away from the libsignal dep as soon as possible to our own Rust-based equivalent to prevent licensing issues. Note that libsignal is in GPLv3 but Baileys is under MIT (Adhiraj left us a mess 😓).

v7.0.0-rc10

Since September, I've been working really hard on version 7. This is a really important version for Baileys. We introduced ESM, modernized the syntax and DX a lot compared to previous versions and been shipping stability fix after another. We faced a lot of challenges: LIDs, restrictions, WAM, warnings, bans, random logouts, decryption & encryption errors to name a few.

It is now, that I'm proud to announce, our biggest release yet:

VERSION 7.0.0-rc10 THE FINAL RELEASE CANDIDATE.

This is the largest release since we started the WhiskeySockets fork. Baileys hasn't been released since November 21, 2025, for a period of over 5 months.

Key changes include since rc9:

• Stability fixes for resending messages. @​YonkoSam
• Proper phone requests for missing messages @​jlucaso1
• improved media upload handling @​jlucaso1
• Mutex redesign @​Santosl2
• memory leaks fixes (down a lot, tested on prod and refined since then, we have decreased spikes immediately as of rc10 with shorter mem growth graphs, aiming to resolve entirely by v7). Multiple PRs of work by @​yonkosam @​purpshell @​jlucaso1
• improved offline node batching @​Santosl2
• improvements to the app state logic @​vinikjkkj @​purpshell @​jlucaso1 across multiple PRs
• Member labels support @​Santosl2
• Reporting tokens support @​jlucaso1
• wire consistencies @​gusquadri @​vinikjkkj
• FB and interop JID support for incoming Interoperability EU APIs @​vinikjkkj
• Encryption failures handling @​vinikjkkj
• Long data type handling in new WAProto structure (no need for silly hydrate function anymore) by @​jlucaso1
• Sending of TC (Trusted Contact) Tokens upon outgoing message, profile update, presence subscribe and more. @​Santosl2 @​jlucaso1
• Message type function revamp @​purpshell
• critical mem leak discovery @​YonkoSam
• Fix connection deadlocks @​purpshell
• Fix race condition (detected by Bartender!) @​jlucaso1
• LID<->PN Mappings from contactAction, historySync, and more @​jlucaso1
• Caching the children of getBinaryNodeChildren calls to ACHIEVE A 30X return on speed during binary children lookups. All optimized with WeakMap so the garbage collector knows when to clean it. @​purpshell
• Changed shouldSyncHistoryMessage behavior and enriched Contact data types across all that produces them, so they are consistent across the library and lack no data @​purpshell
• Fix for ghost sessions!! Discovered partly with bartender @​jlucaso1
• Unified session telemetry @​Santosl2
• Rust App state sync @​jlucaso1
• Caching and batching overhaul @​jlucaso1

... (truncated)

Changelog

Sourced from @​whiskeysockets/baileys's changelog.

7.0.0-rc12 (2026-05-20)

Bug Fixes

• process-message: only drop self-only protocolMessages from non-self senders (3beb08e)

Commits

• 1aee6ed chore(release): v7.0.0-rc12
• 3beb08e fix(process-message): only drop self-only protocolMessages from non-self senders
• 28ca087 fix: guard fetch dispatcher option (#2557)
• 988a34f chore(release): v7.0.0-rc11
• 25bc999 Fix release and move to NPM based libsignal
• 6cb7d34 feat: expose group online count in presence updates (#2545)
• a263cb0 chore: bump whatsapp-rust-bridge@0.5.4 to support non simd (#2542)
• dfad98f fix release
• 04f6d70 ci: Update publishing to use Trusted Publishers
• 42c19c7 chore(release): v7.0.0-rc10
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​whiskeysockets/baileys since your current version.

Install script changes

This version adds preinstall, prepare scripts that run during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #7.