build(deps): bump the npm_and_yarn group across 2 directories with 6 updates by dependabot[bot] · Pull Request #10 · agentic-dev-io/LibreChat-HF

dependabot · 2026-03-11T01:53:11Z

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
express-rate-limit	`8.2.1`	`8.2.2`
file-type	`18.7.0`	`21.3.1`
multer	`2.0.2`	`2.1.1`
dompurify	`3.3.0`	`3.3.2`
rollup	`4.37.0`	`4.59.0`
minimatch	`3.1.2`	`3.1.5`

Bumps the npm_and_yarn group with 1 update in the /api directory: file-type.

Updates express-rate-limit from 8.2.1 to 8.2.2

Commits

a009ad6 8.2.2
72cd30e chore: update dependencies
1ddb1cc fix: handle ipv4 mapped to ipv6 (GHSA-46wh-pxpv-q5gq)
See full diff in compare view

Maintainer changes

This version was pushed to npm by gamemaker1, a new releaser for express-rate-limit since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (8.2.1) was attested. Review the package versions before updating.

Updates file-type from 18.7.0 to 21.3.1

Release notes

Sourced from file-type's releases.

v21.3.1

Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

sindresorhus/file-type@v21.3.0...v21.3.1

v21.3.0

Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#779) d223491

sindresorhus/file-type@v21.2.0...v21.3.0

v21.2.0

Add support for SPSS data files (#787) 889f638

Add support for JMP (#784) 093dba0

sindresorhus/file-type@v21.1.1...v21.2.0

v21.1.1

Fix handling of partial Gunzip file (#783) 710e053

sindresorhus/file-type@v21.1.0...v21.1.1

v21.1.0

Add support for .tar.gz (gunzipped tarball file) (#763) eda03a7

Add support for Windows registry (.reg) files 0db61ec 7d2ddcf

Add support for Windows registry hive file (.dat) (#767) f8d62be

Fix: Handle partial unzip (#773) 7ad3a90

sindresorhus/file-type@v21.0.0...v21.1.0

v21.0.0

Breaking

Require Node.js 20 24aec1f

Drop Adobe Illustrator (.ai) detection support (#743) af169f3

Correct Matroska (video) MIME-type to formal IANA registration (#753) f53f5ff

Correct FLAC MIME-type to formal IANA registration (#755) b9fda36

Correct Apache Parquet MIME-type to formal IANA registration (#748) 98e3f8e

Correct Apache Arrow MIME-type to formal IANA registration (#754) 7184775

Improvements

... (truncated)

Commits

ad5857e 21.3.1
5d2fedf Harden parser
319abf8 Fix infinite loop in ASF parser on malformed input
1ca9281 Mention @file-type/cfbf plugin (#791)
2033ea7 21.3.0
d223491 Add support for Mach-O Universal (aka "Fat") binaries and additional architec...
2ca86b3 Docs: Remove BYOB stream requirement warning (#790)
4d7393a List @file-type/pdf in available plugins (#788)
810e1d8 21.2.0
889f638 Add support for SPSS data files (#787)
Additional commits viewable in compare view

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

chore: add node version to 25.x in CI by @imangas in expressjs/multer#1372

chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @dependabot[bot] in expressjs/multer#1378

chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/multer#1377

chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @dependabot[bot] in expressjs/multer#1376

chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @dependabot[bot] in expressjs/multer#1375

chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @dependabot[bot] in expressjs/multer#1374

fix error/abort handling by @ctcpip in expressjs/multer#1373

2.1.1 by @UlisesGascon in expressjs/multer#1380

New Contributors

@imangas made their first contribution in expressjs/multer#1372

@dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)

Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

chore: add funding to package.json by @bjohansebas in expressjs/multer#1346

chore: drop mkdirp dependency by @wojtekmaj in expressjs/multer#1350

chore: drop object-assign dependency by @wojtekmaj in expressjs/multer#1351

chore: drop xtend dependency by @wojtekmaj in expressjs/multer#1352

chore(gitignore): ignore .nyc_output directory by @ShubhamOulkar in expressjs/multer#1332

Fix typo in README-vi.md regarding file upload by @Kunniii in expressjs/multer#1366

Fix typo in README-pt-br.md for array method by @matheushbm192 in expressjs/multer#1367

headers-support-utf8 by @Doc999tor in expressjs/multer#1210

Add Turkish translation (README-tr.md) by @Sabandogan in expressjs/multer#1360

Release: 2.1.0 by @UlisesGascon in expressjs/multer#1371

New Contributors

@wojtekmaj made their first contribution in expressjs/multer#1350

@ShubhamOulkar made their first contribution in expressjs/multer#1332

@Kunniii made their first contribution in expressjs/multer#1366

@matheushbm192 made their first contribution in expressjs/multer#1367

@Doc999tor made their first contribution in expressjs/multer#1210

@Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

fix error/abort handling

2.1.0

Add defParamCharset option for UTF-8 filename support (#1210)

Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)

Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

Commits

368c8a1 2.1.1 (#1380)
7e66481 🐛 fix recursion issue
643571e ✅ add explicit test for client able to send body without abrupt disconnect
e86fa52 fix error/abort handling
ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
17d7f51 chore: add node version to 25.x in CI
Additional commits viewable in compare view

Updates dompurify from 3.3.0 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters

Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth

Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth

Bumped and removed several dependencies, thanks @Rotzbua

Fixed the test suite after bumping dependencies, thanks @Rotzbua

DOMPurify 3.3.1

Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @MariusRumpf

Updated the ESM import syntax to be more correct, thanks @binhpv

Commits

5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
e8c95f4 fix: Fixed the broken package-lock.json
9636037 Update package-lock.json
5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
6fc446a Merge pull request #1175 from cure53/main
3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
9863f41 chore: Preparing 3.3.1 release
b4e0295 chore: Preparing 3.3.0 release
077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
Additional commits viewable in compare view

Updates rollup from 4.37.0 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

#6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@njg7194, @lukastaegert)

#6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@millerick, @lukastaegert)

#6260: fix(deps): update rust crate swc_compiler_base to v47 (@renovate[bot], @lukastaegert)

#6261: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#6262: Avoid unnecessary cloning of the code string (@lukastaegert)

#6263: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6265: chore(deps): lock file maintenance (@renovate[bot])

#6267: fix(deps): update minor/patch updates (@renovate[bot])

#6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@renovate[bot], @lukastaegert)

#6269: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6270: chore(deps): lock file maintenance (@renovate[bot])

#6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

Fix heap corruption issue in Windows (#6251)

Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

#6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@alan-agius4, @lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6275: Validate bundle stays within output dir (@lukastaegert)

4.58.0

2026-02-20

Features

Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

#6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@njg7194, @lukastaegert)

#6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@millerick, @lukastaegert)

#6260: fix(deps): update rust crate swc_compiler_base to v47 (@renovate[bot], @lukastaegert)

#6261: fix(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#6262: Avoid unnecessary cloning of the code string (@lukastaegert)

#6263: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6265: chore(deps): lock file maintenance (@renovate[bot])

#6267: fix(deps): update minor/patch updates (@renovate[bot])

#6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@renovate[bot], @lukastaegert)

#6269: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6270: chore(deps): lock file maintenance (@renovate[bot])

#6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@lukastaegert)

4.57.1

2026-01-30

Bug Fixes

Fix heap corruption issue in Windows (#6251)

Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

#6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@alan-agius4, @lukastaegert)

#6252: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6253: chore(deps): lock file maintenance minor/patch updates (@renovate[bot], @lukastaegert)

#6254: Fully include dynamic imports in a try-catch (@lukastaegert)

... (truncated)

Commits

ae84695 4.59.0
b39616e Update audit-resolve
c60770d Validate bundle stays within output dir (#6275)
33f39c1 4.58.0
b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
7f00689 Extend agent instructions
e7b2b85 chore(deps): lock file maintenance (#6270)
2aa5da9 fix(deps): update minor/patch updates (#6267)
4319837 chore(deps): update dependency lru-cache to v11 (#6269)
c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates minimatch from 3.1.2 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates file-type from 18.7.0 to 21.3.1

Release notes

Sourced from file-type's releases.

v21.3.1

Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

sindresorhus/file-type@v21.3.0...v21.3.1

v21.3.0

Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#779) d223491

sindresorhus/file-type@v21.2.0...v21.3.0

v21.2.0

Add support for SPSS data files (#787) 889f638

Add support for JMP (#784) 093dba0

sindresorhus/file-type@v21.1.1...v21.2.0

v21.1.1

Fix handling of partial Gunzip file (#783) 710e053

sindresorhus/file-type@v21.1.0...v21.1.1

v21.1.0

Add support for .tar.gz (gunzipped tarball file) (#763) eda03a7

Add support for Windows registry (.reg) files 0db61ec 7d2ddcf

Add support for Windows registry hive file (.dat) (#767) f8d62be

Fix: Handle partial unzip (#773) 7ad3a90

sindresorhus/file-type@v21.0.0...v21.1.0

v21.0.0

Breaking

Require Node.js 20 24aec1f

Drop Adobe Illustrator (.ai) detection support (#743) af169f3

Correct Matroska (video) MIME-type to formal IANA registration (#753) f53f5ff

Correct FLAC MIME-type to formal IANA registration (#755) b9fda36

Correct Apache Parquet MIME-type to formal IANA registration (#748) 98e3f8e

Correct Apache Arrow MIME-type to formal IANA registration (#754) 7184775

Improvements

... (truncated)

Commits

ad5857e 21.3.1
5d2fedf Harden parser
319abf8 Fix infinite loop in ASF parser on malformed input
1ca9281 Mention @file-type/cfbf plugin (#791)
2033ea7 21.3.0
d223491 Add support for Mach-O Universal (aka "Fat") binaries and additional architec...
2ca86b3 Docs: Remove BYOB stream requirement warning (#790)
4d7393a List @file-type/pdf in available plugins (#788)
810e1d8 21.2.0
889f638 Add support for SPSS data files (#787)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates Bumps the npm_and_yarn group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.2.1` | `8.2.2` | | [file-type](https://github.com/sindresorhus/file-type) | `18.7.0` | `21.3.1` | | [multer](https://github.com/expressjs/multer) | `2.0.2` | `2.1.1` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.0` | `3.3.2` | | [rollup](https://github.com/rollup/rollup) | `4.37.0` | `4.59.0` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | Bumps the npm_and_yarn group with 1 update in the /api directory: [file-type](https://github.com/sindresorhus/file-type). Updates `express-rate-limit` from 8.2.1 to 8.2.2 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.2.1...v8.2.2) Updates `file-type` from 18.7.0 to 21.3.1 - [Release notes](https://github.com/sindresorhus/file-type/releases) - [Commits](sindresorhus/file-type@v18.7.0...v21.3.1) Updates `multer` from 2.0.2 to 2.1.1 - [Release notes](https://github.com/expressjs/multer/releases) - [Changelog](https://github.com/expressjs/multer/blob/main/CHANGELOG.md) - [Commits](expressjs/multer@v2.0.2...v2.1.1) Updates `dompurify` from 3.3.0 to 3.3.2 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.0...3.3.2) Updates `rollup` from 4.37.0 to 4.59.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.37.0...v4.59.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `file-type` from 18.7.0 to 21.3.1 - [Release notes](https://github.com/sindresorhus/file-type/releases) - [Commits](sindresorhus/file-type@v18.7.0...v21.3.1) --- updated-dependencies: - dependency-name: express-rate-limit dependency-version: 8.2.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: file-type dependency-version: 21.3.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: multer dependency-version: 2.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.59.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: file-type dependency-version: 21.3.1 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 11, 2026

dependabot bot mentioned this pull request Mar 11, 2026

build(deps-dev): bump the npm_and_yarn group across 1 directory with 2 updates #9

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 2 directories with 6 updates#10

build(deps): bump the npm_and_yarn group across 2 directories with 6 updates#10
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-fc8f97d34f

dependabot bot commented on behalf of github Mar 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 11, 2026

v21.3.1

v21.3.0

v21.2.0

v21.1.1

v21.1.0

v21.0.0

Breaking

Improvements

v2.1.1

Important

What's Changed

New Contributors

v2.1.0

Important

What's Changed

New Contributors

2.1.1

2.1.0

DOMPurify 3.3.2

DOMPurify 3.3.1

v4.59.0

4.59.0

Features

Pull Requests

v4.58.0

4.58.0

Features

Pull Requests

v4.57.1

4.57.1

Bug Fixes

Pull Requests

4.59.0

Features

Pull Requests

4.58.0

Features

Pull Requests

4.57.1

Bug Fixes

Pull Requests

v21.3.1

v21.3.0

v21.2.0

v21.1.1

v21.1.0

v21.0.0

Breaking

Improvements

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants