deps(deps): bump the production-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the production-dependencies group with 8 updates in the / directory:

Package	From	To
semver	7.8.4	7.8.5
@azure/storage-blob	12.32.0	12.33.0
@nodable/entities	2.1.1	2.2.0
anynum	1.0.0	1.0.1
fast-xml-parser	5.8.0	5.9.3
form-data	2.5.5	2.5.6
path-expression-matcher	1.5.0	1.6.1
undici	6.26.0	6.27.0

Updates semver from 7.8.4 to 7.8.5

Release notes

Sourced from semver's releases.

v7.8.5

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

Changelog

Sourced from semver's changelog.

7.8.5 (2026-06-19)

Bug Fixes

• 9c8692a #878 include prereleases in tilde range lower bound with includePrerelease (#878) (@​chatman-media)

Commits

• 6e05b76 chore: release 7.8.5 (#879)
• 9c8692a fix: include prereleases in tilde range lower bound with includePrerelease (#...
• See full diff in compare view

Updates @azure/storage-blob from 12.32.0 to 12.33.0

Changelog

Sourced from @​azure/storage-blob's changelog.

12.33.0 (2026-06-24)

Features Added

• Includes all features released in 12.33.0-beta.1.

12.33.0-beta.1 (2026-04-29)

Features Added

• Added support for service version 2026-06-06.
• Added support for Blob Smart Tier.
• Added support for Directory-level SAS and User Delegation SAS.

Commits

• 5806568 Update swagger input-file to point to main-merged spec commit (#39061)
• 10cf325 [Storage] Updated STG102 Release Dates (#39042)
• 3181ad2 [EngSys] Bump min-version to node 22 (#38887) NO_CI
• 7097d6f [storage] use node:stream/consumers in samples and snippets (#38850)
• f6ade9a [storage] releasing storage-common hotfix (#39031)
• fbdff8a [storage] Merge STG102 features to main (#38949)
• See full diff in compare view

Updates @azure/storage-common from 12.4.0 to 12.4.1

Changelog

Sourced from @​azure/storage-common's changelog.

12.4.1 (2026-06-22)

Bugs Fixed

• Fixed the browser and react-native builds of the CRC64 checksum calculator still containing Node.js require('fs')/require('path') calls, which broke esbuild-based bundlers. The post-build step now replaces the unreachable Node-only filesystem read block with a no-op in the browser and react-native copies of crc64.js. Issue #38924.

Commits

• f6ade9a [storage] releasing storage-common hotfix (#39031)
• ffb41a2 [storage-common] Strip Node require() from browser CRC64 build (#38935)
• 6302878 [storage-common] Bump @​azure/core-rest-pipeline to ^1.24.0 (#38848)
• See full diff in compare view

Updates @nodable/entities from 2.1.1 to 2.2.0

Commits

• See full diff in compare view

Updates anynum from 1.0.0 to 1.0.1

Commits

• See full diff in compare view

Updates fast-xml-parser from 5.8.0 to 5.9.3

Release notes

Sourced from fast-xml-parser's releases.

v5.9.3

What's Changed

• Harden GitHub Actions workflows by @​martincostello in NaturalIntelligence/fast-xml-parser#841
• GitHub Actions workflow fixes by @​martincostello in NaturalIntelligence/fast-xml-parser#844

New Contributors

• @​martincostello made their first contribution in NaturalIntelligence/fast-xml-parser#841

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.2...v5.9.3

v5.9.2

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.1...v5.9.2

v5.9.1

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.0...v5.9.1

update strnum, use is-unsafe

• update strnum to 2.3.0
  • you can set hex, binary, enotation, infinity, unicode
• validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.9.3 / 2026-06-19

• update strnum

*5.9.2 / 2026-06-17

• dummy release to test changes in github action

*5.9.1 / 2026-06-17

• dummy release to test release from github action

*5.9.0 / 2026-06-15

• update strnum to 2.3.0
  • you can set hex, binary, enotation, infinity, unicode
• validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

*5.8.0 / 2026-05-12

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change

... (truncated)

Commits

• 93a09f1 5.9.3
• 9c1905e update strnum
• 8d71292 GitHub Actions workflow fixes (#844)
• 784a044 Harden GitHub Actions workflows (#841)
• bf9b81a 5.9.2
• 232abf5 update publish action for better security
• 73411fa update checklist
• d57e33b 5.9.1
• 3be603a testing release from Github
• b6c41ea Add GitHub Actions workflow for npm publishing
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for fast-xml-parser since your current version.

Updates form-data from 2.5.5 to 2.5.6

Changelog

Sourced from form-data's changelog.

v2.5.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames b620316
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, tape 12be578
• [Dev Deps] update js-randomness-predictor 46cfd23
• [Tests] use safe-buffer so the header-injection test runs on node < 4 633044a
• [Deps] update hasown e3b96ee

Commits

• c713349 v2.5.6
• 46cfd23 [Dev Deps] update js-randomness-predictor
• 633044a [Tests] use safe-buffer so the header-injection test runs on node < 4
• e3b96ee [Deps] update hasown
• 12be578 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, tape
• b620316 [Fix] escape CR, LF, and " in field names and filenames
• See full diff in compare view

Updates path-expression-matcher from 1.5.0 to 1.6.1

Commits

• See full diff in compare view

Updates strnum from 2.4.0 to 2.4.1

Commits

• c39852f 2.4.1
• 15b1594 update anynum
• See full diff in compare view

Updates undici from 6.26.0 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0 — v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	6.27.0	b7f252e7
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	6.27.0	25efa447
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	6.27.0	25efa447
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	6.27.0	f4c31d60

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

---

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

• 551138c Bumped v6.27.0 (#5431)
• b7f252e Backport WebSocket maxPayloadSize fixes to v7.x (#5423) (#5428)
• 25efa44 fix(cookies): preserve values and parse SameSite strictly
• f4c31d6 fix: guard idle socket validation to skip fresh sockets (#5400)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔮 Release Preview

Full Changelog: V2...preview