Bump the npm_and_yarn group across 16 directories with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /examples/bot-ready-signalling/client/javascript directory: vite.
Bumps the npm_and_yarn group with 1 update in the /examples/bot-ready-signalling/client/react-native directory: tar.
Bumps the npm_and_yarn group with 1 update in the /examples/deployment/modal-example/client/javascript directory: vite.
Bumps the npm_and_yarn group with 3 updates in the /examples/deployment/pipecat-cloud-daily-pstn-server/nextjs-webhook-server directory: js-yaml, axios and next.
Bumps the npm_and_yarn group with 2 updates in the /examples/fal-smart-turn/client directory: js-yaml and next.
Bumps the npm_and_yarn group with 1 update in the /examples/freeze-test/client directory: vite.
Bumps the npm_and_yarn group with 1 update in the /examples/instant-voice/client/javascript directory: vite.
Bumps the npm_and_yarn group with 1 update in the /examples/news-chatbot/client/javascript directory: vite.
Bumps the npm_and_yarn group with 1 update in the /examples/p2p-webrtc/video-transform/client/typescript directory: vite.
Bumps the npm_and_yarn group with 1 update in the /examples/simple-chatbot/client/javascript directory: vite.
Bumps the npm_and_yarn group with 2 updates in the /examples/simple-chatbot/client/react directory: vite and js-yaml.
Bumps the npm_and_yarn group with 3 updates in the /examples/simple-chatbot/client/react-native directory: node-forge, tar and undici.
Bumps the npm_and_yarn group with 2 updates in the /examples/storytelling-chatbot/client directory: js-yaml and next.
Bumps the npm_and_yarn group with 1 update in the /examples/twilio-chatbot/client/typescript directory: vite.
Bumps the npm_and_yarn group with 1 update in the /examples/websocket/client directory: vite.
Bumps the npm_and_yarn group with 3 updates in the /examples/word-wrangler-gemini-live/client directory: js-yaml, tar and next.

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.0-beta.15 (2026-02-19)

Features

• update rolldown to 1.0.0-rc.5 (#21660) (b3ddbc5)

Bug Fixes

• dev: only treat EADDRINUSE as port conflict in wildcard pre-check (#21642) (e54e25f)
• dev: prevent concurrent server restarts (#21636) (8ce23a3)
• dev: return "502 Bad Gateway" on proxy failures instead of 500 (#21652) (e240df2)

Performance Improvements

• ssr: skip circular import check for already-evaluated modules (#21632) (235140b)
• use tsconfig cache for oxc transform in dev (#21643) (57ff177)

Miscellaneous Chores

• deps: remove fdir and @rollup/plugin-commonjs (#21639) (5abffd5)
• deps: update dependency @​rollup/plugin-alias to v6 (#21097) (44b5bdf)

8.0.0-beta.14 (2026-02-12)

Features

• update rolldown to 1.0.0-rc.4 (#21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#21102) (216a3b5)

Bug Fixes

• clear tsconfig cache only when tsconfig.json is cached (#21622) (50c9675)
• deps: update all non-major dependencies (#21594) (becdc5d)
• lib: CSS injection point error with nested name IIFE output (#21606) (5003de6)
• module-runner: incorrect column with sourcemapInterceptor: "prepareStackTrace" (#21562) (416c095)
• module-runner: prevent crash on negative column in stacktrace (#21585) (a075590)
• rolldownOptions/rollupOptions merging at environment level (#21612) (db2ecc7)

Miscellaneous Chores

• fix broken link for future deprecations (#21603) (25f4501)
• update customResolver deprecation message to mention enforce: 'pre' (#21576) (2ce34d5)

Code Refactoring

• enable some native plugins even with enable native plugin false (#21608) (5a4f692)
• use rolldown/utils (#21577) (e56103f)
• use internal devtools config (#21609) (9aea20f)
• use parseEnv (#21586) (f859d2c)
• wasm: remove native wasm helper plugin usage (#21566) (71a86be)

Tests

... (truncated)

Commits

• 0a0c50a refactor: simplify pluginFilter implementation (#19828)
• 59d0b35 perf(css): avoid constructing renderedModules (#19775)
• 175a839 fix: reject requests with # in request-target (#19830)
• e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
• 7200dee fix: correct the behavior when multiple transform filter options are specifie...
• b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
• 8fe3538 test: tweak generateCodeFrame test (#19812)
• 36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
• a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
• 71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
• Additional commits viewable in compare view

Updates tar from 6.2.1 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 1f0c2c9 7.5.9
• fbb0851 build minified version as default export
• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• d18e4e1 fix: do not write linkpaths through symlinks
• 4a37eb9 7.5.7
• f4a7aa9 fix: properly sanitize hard links containing ..
• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates undici from 6.21.2 to 6.23.0

Release notes

Sourced from undici's releases.

v6.23.0

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

What's Changed

• fix: fix wrong stream canceled up after cloning (v6) by @​snyamathi in nodejs/undici#4414
• [Backport v6.x] fix: fix EnvHttpProxyAgent for the Node.js bundle by @​github-actions[bot] in nodejs/undici#4432
• feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180) by @​metcoder95 in nodejs/undici#4433
• feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#4180) (#4340) by @​metcoder95 in nodejs/undici#4445
• Backport 4472 to v6.x by @​Uzlopak in nodejs/undici#4480

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

What's Changed

• [Backport v6.x] append crlf to formdata body by @​github-actions in nodejs/undici#4210

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

Commits

• fbc31e2 Bumped v6.23.0
• 3477c94 chore: release flow using provenance
• d3aafea fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• f9c9185 Bumped v6.22.0
• f670f2a feat: make UndiciErrors reliable to instanceof (#4472) (#4480)
• 422e397 feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#41...
• 4a06ffe feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180)...
• 4cb3974 fix: fix EnvHttpProxyAgent for the Node.js bundle (#4064) (#4432)
• 44c23e5 fix: fix wrong stream canceled up after cloning (v6) (#4414)
• da0e823 Bumped v6.21.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.0-beta.15 (2026-02-19)

Features

• update rolldown to 1.0.0-rc.5 (#21660) (b3ddbc5)

Bug Fixes

• dev: only treat EADDRINUSE as port conflict in wildcard pre-check (#21642) (e54e25f)
• dev: prevent concurrent server restarts (#21636) (8ce23a3)
• dev: return "502 Bad Gateway" on proxy failures instead of 500 (#21652) (e240df2)

Performance Improvements

• ssr: skip circular import check for already-evaluated modules (#21632) (235140b)
• use tsconfig cache for oxc transform in dev (#21643) (57ff177)

Miscellaneous Chores

• deps: remove fdir and @rollup/plugin-commonjs (#21639) (5abffd5)
• deps: update dependency @​rollup/plugin-alias to v6 (#21097) (44b5bdf)

8.0.0-beta.14 (2026-02-12)

Features

• update rolldown to 1.0.0-rc.4 (#21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#21102) (216a3b5)

Bug Fixes

• clear tsconfig cache only when tsconfig.json is cached (#21622) (50c9675)
• deps: update all non-major dependencies (#21594) (becdc5d)
• lib: CSS injection point error with nested name IIFE output (#21606) (5003de6)
• module-runner: incorrect column with sourcemapInterceptor: "prepareStackTrace" (#21562) (416c095)
• module-runner: prevent crash on negative column in stacktrace (#21585) (a075590)
• rolldownOptions/rollupOptions merging at environment level (#21612) (db2ecc7)

Miscellaneous Chores

• fix broken link for future deprecations (#21603) (25f4501)
• update customResolver deprecation message to mention enforce: 'pre' (#21576) (2ce34d5)

Code Refactoring

• enable some native plugins even with enable native plugin false (#21608) (5a4f692)
• use rolldown/utils (#21577) (e56103f)
• use internal devtools config (#21609) (9aea20f)
• use parseEnv (#21586) (f859d2c)
• wasm: remove native wasm helper plugin usage (#21566) (71a86be)

Tests

... (truncated)

Commits

• 0a0c50a refactor: simplify pluginFilter implementation (#19828)
• 59d0b35 perf(css): avoid constructing renderedModules (#19775)
• 175a839 fix: reject requests with # in request-target (#19830)
• e2e11b1 fix(module-runner): allow already resolved id as entry (#19768)
• 7200dee fix: correct the behavior when multiple transform filter options are specifie...
• b125172 fix(css): remove empty chunk imports correctly when chunk file name contained...
• 8fe3538 test: tweak generateCodeFrame test (#19812)
• 36935b5 fix(types): remove the keepProcessEnv from the DefaultEnvironmentOptions ...
• a0e1a04 docs(vite): fix description of transformIndexHtml hook (#19799)
• 71227be fix: unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791)
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates axios from 1.11.0 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates next from 14.2.30 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

v15.1.12

Please see this changelog for more information about this security patch.

v15.0.8

Please see this changelog for more information about this security patch.

Commits

• 60a2aa9 v15.5.10
• e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
• bf9f084 Sync DoS mitigations for React Flight
• c5de33e v15.5.9
• dd23399 Backport facebook/react#35351 for 15.5.8 (#87086)
• 7526cd6 v15.5.8
• 1e9ec41 Update React Version (#41)
• 16141e5 Update React Version (#30)
• e01e589 Backport Next.js changes to v15.5.8 (#23)
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates next from 15.3.3 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

v15.4.11

Please see this changelog for more information about this security patch.

v15.3.9

Please see this changelog for more information about this security patch.

v15.2.9

Please see this changelog for more information about this security patch.

v15.1.12

Please see this changelog for more information about this security patch.

v15.0.8

Please see this changelog for more information about this security patch.

Commits

• 60a2aa9 v15.5.10
• e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
• bf9f084 Sync DoS mitigations for React Flight
• c5de33e v15.5.9
• dd23399 Backport facebook/react#35351 for 15.5.8 (#87086)
• 7526cd6 v15.5.8
• 1e9ec41 Update React Version (#41)
• 16141e5 Update React Version (#30)
• e01e589 Backport Next.js changes to v15.5.8 (#23)
• Additional commits viewable in compare view

Updates vite from 6.3.5 to 6.4.1

Release notes

Sourced from vite's releases.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.0-beta.15 (2026-02-19)

Features

• update rolldown to 1.0.0-rc.5 (#21660) (b3ddbc5)

Bug Fixes

• dev: only treat EADDRINUSE as port conflict in wildcard pre-check (#21642) (e54e25f)
• dev: prevent concurrent server restarts (#21636) (8ce23a3)
• dev: return "502 Bad Gateway" on proxy failures instead of 500 (#21652) (e240df2)

Performance Improvements

• ssr: skip circular import check for already-evaluated modules (#21632) (235140b)
• use tsconfig cache for oxc transform in dev (#21643) (57ff177)

Miscellaneous Chores

• deps: remove fdir and @rollup/plugin-commonjs (#21639) (5abffd5)
• deps: update dependency @​rollup/plugin-alias to v6 (#21097) (44b5bdf)

8.0.0-beta.14 (2026-02-12)

Features

• update rolldown to 1.0.0-rc.4 (#21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#21102) (216a3b5)

Bug Fixes

• clear tsconfig cache only when tsconfig.json is cached (#21622) (50c9675)
• deps: update all non-major dependencies (#21594) (becdc5d)
• lib: CSS injection point error with nested name IIFE output (#21606) (5003de6)
• module-runner: incorrect column with sourcemapInterceptor: "prepareStackTrace" (#21562) (416c095)
• module-runner: prevent crash on negative column in stacktrace (#21585) (a075590)
• rolldownOptions/rollupOptions merging at environment level (#21612) (db2ecc7)

Miscellaneous Chores

• fix broken link for future deprecations (