From 0844923ca225c1281d041d484a25e13320c51750 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 18 Jul 2026 00:38:05 +0000 Subject: [PATCH] Bump the npm_and_yarn group across 9 directories with 6 updates Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/library-tests/Extend directory: [merge](https://github.com/yeikos/js.merge). Bumps the npm_and_yarn group with 2 updates in the /javascript/ql/test/library-tests/HtmlSanitizers directory: [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) and [validator](https://github.com/validatorjs/validator.js). Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/library-tests/frameworks/Next directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss directory: [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/query-tests/Security/CWE-200/lib directory: [async](https://github.com/caolan/async). Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash directory: [lodash](https://github.com/lodash/lodash). Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash directory: [lodash](https://github.com/lodash/lodash). Bumps the npm_and_yarn group with 1 update in the /javascript/ql/test/query-tests/Security/CWE-918/Request directory: [next](https://github.com/vercel/next.js). Updates `merge` from 1.2.1 to 2.1.1 - [Release notes](https://github.com/yeikos/js.merge/releases) - [Changelog](https://github.com/swordev/merge/blob/main/CHANGELOG.md) - [Commits](https://github.com/yeikos/js.merge/compare/v1.2.1...v2.1.1) Updates `sanitize-html` from 1.27.5 to 2.17.6 - [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md) - [Commits](https://github.com/apostrophecms/apostrophe/commits/HEAD/packages/sanitize-html) Updates `validator` from 10.11.0 to 13.15.35 - [Release notes](https://github.com/validatorjs/validator.js/releases) - [Changelog](https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md) - [Commits](https://github.com/validatorjs/validator.js/compare/10.11.0...13.15.35) Updates `next` from 10.2.3 to 16.2.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](https://github.com/vercel/next.js/compare/v10.2.3...v16.2.10) Updates `next` from 10.2.3 to 16.2.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](https://github.com/vercel/next.js/compare/v10.2.3...v16.2.10) Updates `next` from 10.2.3 to 16.2.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](https://github.com/vercel/next.js/compare/v10.2.3...v16.2.10) Updates `async` from 3.2.0 to 3.2.2 - [Release notes](https://github.com/caolan/async/releases) - [Changelog](https://github.com/caolan/async/blob/master/CHANGELOG.md) - [Commits](https://github.com/caolan/async/compare/v3.2.0...v3.2.2) Updates `lodash` from 4.17.12 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.12...4.18.1) Updates `lodash` from 4.17.4 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.12...4.18.1) Updates `next` from 15.1.7 to 15.5.18 - [Release notes](https://github.com/vercel/next.js/releases) - [Commits](https://github.com/vercel/next.js/compare/v10.2.3...v16.2.10) --- updated-dependencies: - dependency-name: merge dependency-version: 2.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: sanitize-html dependency-version: 2.17.6 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: validator dependency-version: 13.15.35 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.2.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.2.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.2.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: async dependency-version: 3.2.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.18 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- javascript/ql/test/library-tests/Extend/package.json | 2 +- javascript/ql/test/library-tests/HtmlSanitizers/package.json | 4 ++-- javascript/ql/test/library-tests/frameworks/Next/package.json | 2 +- .../query-tests/Security/CWE-079/DomBasedXss/package.json | 2 +- .../query-tests/Security/CWE-079/ReflectedXss/package.json | 2 +- .../ql/test/query-tests/Security/CWE-200/lib/package.json | 2 +- .../src-non-vulnerable-lodash/package.json | 2 +- .../src-vulnerable-lodash/package.json | 2 +- .../ql/test/query-tests/Security/CWE-918/Request/package.json | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/javascript/ql/test/library-tests/Extend/package.json b/javascript/ql/test/library-tests/Extend/package.json index dd73e8e0a5ec..8c5838265645 100644 --- a/javascript/ql/test/library-tests/Extend/package.json +++ b/javascript/ql/test/library-tests/Extend/package.json @@ -15,7 +15,7 @@ "lodash": "^4.17.10", "lodash.defaultsdeep": "^4.6.0", "lodash.mergewith": "^4.6.1", - "merge": "^1.2.0", + "merge": "^2.1.1", "merge-deep": "^3.0.2", "merge-options": "^1.0.1", "mixin-deep": "^2.0.0", diff --git a/javascript/ql/test/library-tests/HtmlSanitizers/package.json b/javascript/ql/test/library-tests/HtmlSanitizers/package.json index 5de2325254ed..3d9886843f8d 100644 --- a/javascript/ql/test/library-tests/HtmlSanitizers/package.json +++ b/javascript/ql/test/library-tests/HtmlSanitizers/package.json @@ -7,10 +7,10 @@ "he": "^1.1.1", "html-entities": "^1.2.1", "lodash": "^4.17.10", - "sanitize-html": "^1.18.2", + "sanitize-html": "^2.17.6", "sanitizer": "^0.1.3", "underscore": "^1.9.1", - "validator": "^10.4.0", + "validator": "^13.15.35", "xss": "^1.0.3", "xss-filters": "^1.2.7" } diff --git a/javascript/ql/test/library-tests/frameworks/Next/package.json b/javascript/ql/test/library-tests/frameworks/Next/package.json index 5f522e83890b..d70220fd07ad 100644 --- a/javascript/ql/test/library-tests/frameworks/Next/package.json +++ b/javascript/ql/test/library-tests/frameworks/Next/package.json @@ -7,7 +7,7 @@ "start": "next start" }, "dependencies": { - "next": "^10.0.0", + "next": "^16.2.10", "react": "17.0.1", "react-dom": "17.0.1" } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/package.json b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/package.json index 5f522e83890b..d70220fd07ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/package.json +++ b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/package.json @@ -7,7 +7,7 @@ "start": "next start" }, "dependencies": { - "next": "^10.0.0", + "next": "^16.2.10", "react": "17.0.1", "react-dom": "17.0.1" } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/package.json b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/package.json index 5f522e83890b..d70220fd07ad 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/package.json +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/package.json @@ -7,7 +7,7 @@ "start": "next start" }, "dependencies": { - "next": "^10.0.0", + "next": "^16.2.10", "react": "17.0.1", "react-dom": "17.0.1" } diff --git a/javascript/ql/test/query-tests/Security/CWE-200/lib/package.json b/javascript/ql/test/query-tests/Security/CWE-200/lib/package.json index 89ca91e8717e..b8f25ffee342 100644 --- a/javascript/ql/test/query-tests/Security/CWE-200/lib/package.json +++ b/javascript/ql/test/query-tests/Security/CWE-200/lib/package.json @@ -1,6 +1,6 @@ { "name": "foo", "dependencies": { - "async": "3.2.0" + "async": "3.2.2" } } \ No newline at end of file diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/package.json b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/package.json index 26f56110158d..66f6ff399fa7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/package.json +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-non-vulnerable-lodash/package.json @@ -1,5 +1,5 @@ { "dependencies": { - "lodash": "4.17.12" + "lodash": "4.18.1" } } diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/package.json b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/package.json index bdc06dcd8b13..66f6ff399fa7 100644 --- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/package.json +++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/src-vulnerable-lodash/package.json @@ -1,5 +1,5 @@ { "dependencies": { - "lodash": "4.17.4" + "lodash": "4.18.1" } } diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json b/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json index 329c7acb8239..1f9361d21139 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json +++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json @@ -8,6 +8,6 @@ "start": "next start" }, "dependencies": { - "next": "15.1.7" + "next": "15.5.18" } }