chore(deps): bump the security-updates group across 1 directory with 13 updates

[dependabot]

Bumps the security-updates group with 13 updates in the / directory:

Package	From	To
@aws-sdk/client-lambda	3.906.0	3.986.0
axios	1.12.2	1.13.5
eciesjs	0.4.7	0.4.17
esbuild	0.27.0	0.27.3
files-from-path	1.0.0	1.1.4
lodash-es	4.17.21	4.17.23
semver	7.7.3	7.7.4
ts-node	10.9.1	10.9.2
@changesets/cli	2.29.7	2.29.8
@tsconfig/node16	16.1.5	16.1.8
@types/estree	1.0.5	1.0.8
@types/lodash	4.17.20	4.17.23
typescript	5.7.3	5.9.3

Updates @aws-sdk/client-lambda from 3.906.0 to 3.986.0

Release notes

Sourced from @​aws-sdk/client-lambda's releases.

v3.986.0

3.986.0(2026-02-09)

Chores

• codegen: smithy-typescript-aws-codegen 0.44.0 (#7719) (1a8de1bf)

Documentation Changes

• client-lakeformation: Allow cross account v5 in put data lake settings (e10aebc6)
• client-transfer: This release adds a documentation update for MdnResponse of type "ASYNC" (a9087979)

New Features

• clients: update client endpoints as of 2026-02-09 (b81f169c)
• client-connectcampaignsv2: Add the missing event type for WhatsApp (6b19703e)
• client-pcs: Introduces RESUMING state for clusters, compute node groups, and queues. (78ec45d5)
• client-eks: Amazon EKS adds a new DescribeUpdate update type, VendedLogsUpdate, to support an integration between EKS Auto Mode and Amazon CloudWatch Vended Logs. (85135c4a)
• client-neptunedata: Added edgeOnlyLoad boolean parameter to Neptune bulk load request. When TRUE, files are loaded in order without scanning. When FALSE (default), the loader scans files first, then loads vertex files before edge files automatically. (012843ab)
• client-imagebuilder: EC2 Image Builder now supports wildcard patterns in lifecycle policies with recipes and enhances the experience of tag-scoped policies. (f015ab63)
• client-ec2: Amazon Secondary Networks is a networking feature that provides high-performance, low-latency connectivity for specialized workloads. (0ba27c28)

Tests

• middleware-websocket: improve integ test for websocket (#7718) (e25063ae)

---

For list of updated packages, view updated-packages.md in assets-3.986.0.zip

v3.985.0

3.985.0(2026-02-06)

Chores

• codegen: generate caret versions for aws-sdk dependencies (#7714) (5682d095)

New Features

• client-bedrock-data-automation-runtime: Add OutputConfiguration to InvokeDataAutomation input and output to support S3 output (72c126f0)
• client-deadline: Adds support for tagging jobs during job creation (444dcec9)
• client-sagemaker: Adding g7e instance support in Sagemaker Training (01f57c15)
• client-partnercentral-selling: Releasing AWS Opportunity Snapshots for SDK release. (9b27cd2b)
• client-iot-managed-integrations: Adding support for Custom(General) Authorization in managed integrations for AWS IoT Device Management cloud connectors. (f683f7b9)

Bug Fixes

• core/protocols: nested Error objects in REST XML (#7717) (2c0d671f)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-lambda's changelog.

3.986.0 (2026-02-09)

Note: Version bump only for package @​aws-sdk/client-lambda

3.985.0 (2026-02-06)

Note: Version bump only for package @​aws-sdk/client-lambda

3.984.0 (2026-02-05)

Note: Version bump only for package @​aws-sdk/client-lambda

3.983.0 (2026-02-04)

Note: Version bump only for package @​aws-sdk/client-lambda

3.982.0 (2026-02-03)

Note: Version bump only for package @​aws-sdk/client-lambda

3.981.0 (2026-02-02)

Note: Version bump only for package @​aws-sdk/client-lambda

3.980.0 (2026-01-30)

... (truncated)

Commits

• a635e84 Publish v3.986.0
• e64db5e Publish v3.985.0
• 5682d09 chore(codegen): generate caret versions for aws-sdk dependencies (#7714)
• 4272704 Publish v3.984.0
• 66d159c Publish v3.983.0
• 179b42c Publish v3.982.0
• 15514da Publish v3.981.0
• 0306270 Publish v3.980.0
• b951130 chore: use yarn workspace versioning for monorepo packages (#7693)
• a1794f7 Publish v3.978.0
• Additional commits viewable in compare view

Updates axios from 1.12.2 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates eciesjs from 0.4.7 to 0.4.17

Release notes

Sourced from eciesjs's releases.

v0.4.17

What's Changed

• Prepare for ESM by @​kigawas in ecies/js#870
• Revamp example by @​kigawas in ecies/js#873
• Refactor config by @​kigawas in ecies/js#874
• Bump undici from 7.16.0 to 7.18.2 by @​dependabot[bot] in ecies/js#877
• Bump dependencies by @​kigawas in ecies/js#878

Full Changelog: ecies/js@v0.4.16...v0.4.17

v0.4.16

What's Changed

• Upgrade biome by @​kigawas in ecies/js#850
• Add x25519 tests by @​kigawas in ecies/js#851
• Bump dependencies by @​kigawas in ecies/js#855
• Mention deno support in README by @​kigawas in ecies/js#856
• Combine get elliptic curve config in utils by @​kigawas in ecies/js#860
• Bump dependencies by @​kigawas in ecies/js#864
• Drop Node 18 by @​kigawas in ecies/js#865
• Prepare for noble-curves v2 by @​kigawas in ecies/js#869

Full Changelog: ecies/js@v0.4.15...v0.4.16

v0.4.15

What's Changed

• Update CHANGELOG.md by @​kigawas in ecies/js#834
• Bump typescript from 5.7.3 to 5.8.2 by @​dependabot in ecies/js#835
• Bump undici from 7.3.0 to 7.4.0 by @​dependabot in ecies/js#837
• Bump dependencies by @​kigawas in ecies/js#838
• Lint code with biome by @​kigawas in ecies/js#839
• Revamp documentation by @​kigawas in ecies/js#840
• Configurable curve in keys and utils by @​kigawas in ecies/js#843
• Bump undici from 7.7.0 to 7.8.0 by @​dependabot in ecies/js#845
• Bump dependencies by @​kigawas in ecies/js#847

Full Changelog: ecies/js@v0.4.14...v0.4.15

v0.4.14

What's Changed

• Bump undici from 7.1.1 to 7.2.0 by @​dependabot in ecies/js#825
• Bump dependencies by @​kigawas in ecies/js#826
• Add sponsor: dotenvx by @​kigawas in ecies/js#827
• Bump undici from 7.2.0 to 7.2.3 by @​dependabot in ecies/js#828
• Bump dependencies by @​kigawas in ecies/js#832
• Add details by @​kigawas in ecies/js#833

... (truncated)

Changelog

Sourced from eciesjs's changelog.

0.4.17

• Bump dependencies
• Prepare for ESM

0.4.16

• Bump dependencies
• Drop Node 18 support
• Remove deprecated @noble/curves usage

0.4.15

• Bump dependencies
• Revamp documentation
• Make curve configurable in keys and utils via argument

0.4.14

• Bump dependencies
• Add details
• Revamp documentation

0.4.13

• Bump dependencies

0.4.12

• Add PublicKey.toBytes and deprecate PublicKey.compressed and PublicKey.uncompressed
• Save uncompressed public key data for secp256k1

0.4.11

• Revamp encapsulate/decapsulate
• Revamp symmetric encryption/decryption
• Revamp elliptic utils
• Add browser tests

0.4.10

• Fix commonjs build

0.4.9

• Add examples
• Update documentation
• Migrate to vitest
• Export all modules to allow full customization
• Introduce @ecies/ciphers as symmetric cipher adapter for different platforms

... (truncated)

Commits

• a204284 Bump dependencies (#878)
• 4f8cf3b Bump undici from 7.16.0 to 7.18.2 (#877)
• a028eac Refactor config (#874)
• 24c99e7 Revamp example (#873)
• dd393ee Prepare for ESM (#870)
• 66c5447 Prepare for noble-curves v2 (#869)
• b42acd2 Drop Node 18 (#865)
• 06aaf7c Bump dependencies (#864)
• 053d5ab Combine get elliptic curve config in utils (#860)
• 3142816 Mention deno support in README (#856)
• Additional commits viewable in compare view

Updates esbuild from 0.27.0 to 0.27.3

Release notes

Sourced from esbuild's releases.

v0.27.3

• Preserve URL fragments in data URLs (#4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.27.3

• Preserve URL fragments in data URLs (#4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

... (truncated)

Commits

• 9129e00 publish 0.27.3 to npm
• e20e411 small fix to release notes
• 0dc0f2d fix #4322: parse and print CSS @scope rules
• 55fe391 update firefox css gradient support
• 2c35297 update gradient lowering transform
• 9209e44 Update Go to 1.25.7 (#4388)
• e8d861b close #4374: compat table for the using feature
• 19b8887 no longer need williamkapke/node-compat-table
• 7e44218 the kangax/compat-table repo moved to a new url
• 23b9338 run make update-compat-table
• Additional commits viewable in compare view

Updates files-from-path from 1.0.0 to 1.1.4

Release notes

Sourced from files-from-path's releases.

v1.1.4

1.1.4 (2025-03-25)

Bug Fixes

• build (448b532)

v1.1.3

1.1.3 (2025-02-12)

Bug Fixes

• github URLs (51f7007)

v1.1.2

1.1.2 (2025-02-11)

Bug Fixes

• Add missing types key to package entry point (#41) (b645e00)

v1.1.1

1.1.1 (2024-11-15)

Bug Fixes

• docs (ac4fb2d)

v1.1.0

1.1.0 (2024-11-15)

Features

• normalise paths for windows file paths (#38) (41bb5c5)

v1.0.4

1.0.4 (2023-12-07)

Bug Fixes

• build step cannot be run in dist dir (198359f)

v1.0.3

1.0.3 (2023-11-29)

... (truncated)

Changelog

Sourced from files-from-path's changelog.

1.1.4 (2025-03-25)

Bug Fixes

• build (448b532)

1.1.3 (2025-02-12)

Bug Fixes

• github URLs (51f7007)

1.1.2 (2025-02-11)

Bug Fixes

• Add missing types key to package entry point (#41) (b645e00)

1.1.1 (2024-11-15)

Bug Fixes

• docs (ac4fb2d)

1.1.0 (2024-11-15)

Features

• normalise paths for windows file paths (#38) (41bb5c5)

1.0.4 (2023-12-07)

Bug Fixes

• build step cannot be run in dist dir (198359f)

1.0.3 (2023-11-29)

Bug Fixes

• publish from dist (#33) (fea9816)

1.0.2 (2023-11-20)

... (truncated)

Commits

• 7b7b88f chore(main): release 1.1.4 (#44)
• 448b532 fix: build
• f44ee52 chore(main): release 1.1.3 (#43)
• 8bec0b4 chore: update nodejs version in CI
• 647cd4f Merge branch 'main' of github.com:storacha/files-from-path
• 51f7007 fix: github URLs
• 9bd3b25 chore(main): release 1.1.2 (#42)
• b645e00 fix: Add missing types key to package entry point (#41)
• 724c917 chore(main): release 1.1.1 (#40)
• ac4fb2d fix: docs
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by it-dag-house, a new releaser for files-from-path since your current version.

Updates lodash-es from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates semver from 7.7.3 to 7.7.4

Release notes

Sourced from semver's releases.

v7.7.4

7.7.4 (2026-01-16)

Bug Fixes

• a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@​mldangelo)

Documentation

• 1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@​mldangelo)

Dependencies

• 120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

• 44d7130 #824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@​dependabot[bot])
• 7073576 #820 reorder parameters in invalid-versions.js test (#820) (@​reggi)
• 5816d4c #829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@​dependabot[bot], @​npm-cli-bot)

Changelog

Sourced from semver's changelog.

7.7.4 (2026-01-16)

Bug Fixes

• a29faa5 #835 cli: pass options to semver.valid() for loose version validation (#835) (@​mldangelo)

Documentation

• 1d28d5e #836 fix typos and update -n CLI option documentation (#836) (@​mldangelo)

Dependencies

• 120968b #840 @npmcli/template-oss@4.29.0 (#840)

Chores

• 44d7130 #824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#824) (@​dependabot[bot])
• 7073576 #820 reorder parameters in invalid-versions.js test (#820) (@​reggi)
• 5816d4c #829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#829) (@​dependabot[bot], @​npm-cli-bot)

Commits

• 5993c2e chore: release 7.7.4 (#839)
• 120968b deps: @​npmcli/template-oss@​4.29.0 (#840)
• a29faa5 fix(cli): pass options to semver.valid() for loose version validation (#835)
• 1d28d5e docs: fix typos and update -n CLI option documentation (#836)
• 5816d4c chore: bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#829)
• ab9e28a chore: bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#827)
• 44d7130 chore: bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#824)
• 7073576 chore: reorder parameters in invalid-versions.js test (#820)
• 16a35f5 chore: bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#823)
• 3a3459d chore: bump @​npmcli/template-oss from 4.25.1 to 4.26.0 (#818)
• See full diff in compare view

Updates ts-node from 10.9.1 to 10.9.2

Release notes

Sourced from ts-node's releases.

Fix tsconfig.json file not found

Fixed

• Fixed tsconfig.json file not found on latest TypeScript version (TypeStrong/ts-node#2091)

Commits

• 057ac1b 10.9.2
• c8805d5 Update package lock
• 99862f7 Bump swc dependency
• cdc4e88 Ignore test files in build schema
• 08cdfb0 Backport swc fixes on main
• 9639daa Ignore test files in build
• cc1a503 Fix tsconfig.json not found with TS >= 5.3 (#2091)
• See full diff in compare view

Updates @changesets/cli from 2.29.7 to 2.29.8

Commits

• See full diff in compare view

Updates @tsconfig/node16 from 16.1.5 to 16.1.8

Commits

• See full diff in compare view

Updates @types/estree from 1.0.5 to 1.0.8

Commits

• See full diff in compare view

Updates @types/lodash from 4.17.20 to 4.17.23

Commits

• See full diff in compare view

Updates typescript from 5.7.3 to 5.9.3

Release notes

Sourced from typescript's releases.

TypeScript 5.9.3

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

TypeScript 5.9

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)

Downloads are available on:

• npm

TypeScript 5.9 RC

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.