Bump the npm_and_yarn group across 3 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: next.
Bumps the npm_and_yarn group with 1 update in the /.codesandbox directory: vite.
Bumps the npm_and_yarn group with 7 updates in the /packages/wallet/wallet-contracts directory:

Package	From	To
brace-expansion	1.1.12	1.1.14
brace-expansion	2.0.2	2.1.0
flatted	3.3.3	3.4.2
handlebars	4.7.8	4.7.9
ip-address	10.1.0	10.2.0
picomatch	2.3.1	2.3.2
picomatch	4.0.3	4.0.4
follow-redirects	1.15.11	1.16.0
fast-xml-parser	5.2.5	5.7.2

Updates next from 15.5.14 to 15.5.15

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

Commits

• 412eb90 v15.5.15
• cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
• fffef9e Fix CI for glibc linux builds
• See full diff in compare view

Updates basic-ftp from 5.0.5 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

• Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

• Changed: Skip files with invalid name in downloadToDir.

5.1.0

• Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Changelog

Sourced from basic-ftp's changelog.

5.3.1

• Fixed: Protect against unbounded control response, fixes GHSA-rpmf-866q-6p89.

5.3.0

• Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
• Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

• Fixed: Improve control character rejection, fixes GHSA-6v7q-wjvx-w8wg.

5.2.1

• Fixed: Reject control character injection attempts using paths. See GHSA-chqc-8p9q-pq6q.

5.2.0

• Changed: Skip files with invalid name in downloadToDir. Fixes security vulnerability CVE-2026-27699, see GHSA-5rq4-664w-9x2c.

5.1.0

• Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Commits

• 980371b Guard against unbounded control response
• 50827c7 Adjust changelog to match release notes
• c9378a8 Fix test
• 22abe43 Update Github Actions
• 0feaaec Fix test
• 6629d7d Improve error message
• 9c3bf4f Set higher default value for max size of directory listing
• acd3942 Bump version
• 1304429 Offer maxListingBytes as an option
• 5cb5367 Add bounded StringWriter
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates ip-address from 10.1.0 to 10.2.0

Commits

• See full diff in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates vite from 5.2.6 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

• feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

• fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (0ab19ea), closes #20736
• fix: upgrade sirv to 3.0.2 (#20735) (e11d240), closes #20735
• test: detect ts support via process.features (#20544) (7d99229), closes #20544

6.3.5 (2025-05-05)

• fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

6.3.4 (2025-04-30)

• fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
• fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940
• refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

• fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

... (truncated)

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vite since your current version.

Updates brace-expansion from 1.1.12 to 1.1.14

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• See full diff in compare view

Updates brace-expansion from 2.0.2 to 2.1.0

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• See full diff in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits

• See full diff in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates follow-redirects from 1.15.11 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• See full diff in compare view

Updates fast-xml-parser from 5.2.5 to 5.7.2

Release notes

Sourced from fast-xml-parser's releases.

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

5.5.12 / 2026-04-13

• Performance Improvement: update path-expression-matcher
  • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

• Performance Improvement
  • integrate ExpressionSet for stopNodes

... (truncated)

Commits

• b1d5b90 update releas info
• 78571ae tests for long tag expression
• ebaedc0 allow numerical external entities for backward compatibility
• 91245eb update changelog
• 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
• d6bce3b allow long attribute expressions
• 9a2561b remove unnecessary
• 0f08303 fix typo
• f529642 update to release v5.7.0
• 52a8583 Revert "improve performance of attributes reading"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sequence-js-docs	Ready	Preview, Comment	May 7, 2026 6:06am
sequence-js-web	Ready	Preview, Comment	May 7, 2026 6:06am

[vercel]

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/dargon789-forge?upgradeToPro=build-rate-limit

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.