Bump the npm_and_yarn group across 5 directories with 4 updates by dependabot[bot] · Pull Request #374 · advanced-security/codeql-sap-js

dependabot · 2026-05-29T11:46:08Z

Bumps the npm_and_yarn group with 1 update in the /extractors/cds/tools directory: tmp.
Bumps the npm_and_yarn group with 1 update in the /javascript/frameworks/cap/test/models/cds/entityreference directory: qs.
Bumps the npm_and_yarn group with 1 update in the /javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights directory: qs.
Bumps the npm_and_yarn group with 1 update in the /javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML directory: qs.
Bumps the npm_and_yarn group with 3 updates in the /javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example directory: tmp, @tootallnate/once and ws.

Updates tmp from 0.2.5 to 0.2.6

Commits

41f7159 Bump up the version
efa4a06 Merge commit from fork
7ef2728 Check for relative values
See full diff in compare view

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder

[Fix] stringify: use configured delimiter after charsetSentinel (#555)

[Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)

[Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)

[Fix] parse: handle nested bracket groups and add regression tests (#530)

[readme] fix grammar (#550)

[Dev Deps] update @ljharb/eslint-config

[Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters

[Deps] update @ljharb/eslint-config

[Dev Deps] update @ljharb/eslint-config, iconv-lite

[Tests] increase coverage

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

9aca407 v6.15.2
5e33d33 [Dev Deps] update @ljharb/eslint-config
21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
96755ab [readme] fix grammar
a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
3f5e1c5 v6.15.1
Additional commits viewable in compare view

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder

[Fix] stringify: use configured delimiter after charsetSentinel (#555)

[Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)

[Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)

[Fix] parse: handle nested bracket groups and add regression tests (#530)

[readme] fix grammar (#550)

[Dev Deps] update @ljharb/eslint-config

[Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters

[Deps] update @ljharb/eslint-config

[Dev Deps] update @ljharb/eslint-config, iconv-lite

[Tests] increase coverage

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

9aca407 v6.15.2
5e33d33 [Dev Deps] update @ljharb/eslint-config
21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
96755ab [readme] fix grammar
a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
3f5e1c5 v6.15.1
Additional commits viewable in compare view

Updates qs from 6.14.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder

[Fix] stringify: use configured delimiter after charsetSentinel (#555)

[Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)

[Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)

[Fix] parse: handle nested bracket groups and add regression tests (#530)

[readme] fix grammar (#550)

[Dev Deps] update @ljharb/eslint-config

[Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters

[Deps] update @ljharb/eslint-config

[Dev Deps] update @ljharb/eslint-config, iconv-lite

[Tests] increase coverage

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

Commits

9aca407 v6.15.2
5e33d33 [Dev Deps] update @ljharb/eslint-config
21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
96755ab [readme] fix grammar
a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
3f5e1c5 v6.15.1
Additional commits viewable in compare view

Updates tmp from 0.2.5 to 0.2.7

Commits

41f7159 Bump up the version
efa4a06 Merge commit from fork
7ef2728 Check for relative values
See full diff in compare view

Updates @tootallnate/once from 2.0.0 to 2.0.1

Release notes

Sourced from @tootallnate/once's releases.

v2.0.1

Patch Changes

a1e5e2d: Fix promise hang when AbortSignal is aborted

Changelog

Sourced from @tootallnate/once's changelog.

2.0.1

Patch Changes

a1e5e2d: Fix promise hang when AbortSignal is aborted

Commits

bcbb21d ci: fix OIDC publishing — Node 24, npm latest, provenance
dc24387 Version Packages (2.x) (#12)
b8a6f80 CI: test all Node versions on Linux only
dabcc0f ci: drop EOL Node.js 14.x/16.x, add 22.x
b464efc Update CI: modern Node versions, fix macOS ARM64 compat
a1e5e2d Fix promise hang when AbortSignal is aborted
See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @tootallnate/once since your current version.

Updates ws from 8.17.1 to 8.20.1

Release notes

Sourced from ws's releases.

8.20.1

Bug fixes

Fixed an uninitialized memory disclosure issue in websocket.close() (c0327ec1).

Providing a TypedArray (e.g. Float32Array) as the reason argument for websocket.close(), rather than the supported string or Buffer types, caused uninitialized memory to be disclosed to the remote peer.
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer(
{ port: 0, skipUTF8Validation: true },
function () {
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port}, {
skipUTF8Validation: true
});
ws.on('close', function (code, reason) {
  deepStrictEqual(reason, Buffer.alloc(80));
});

}
);
wss.on('connection', function (ws) {
ws.close(1000, new Float32Array(20));
});
The issue was privately reported by Nikita Skovoroda.

8.20.0

Features

Added exports for the PerMessageDeflate class and utilities for the Sec-WebSocket-Extensions and Sec-WebSocket-Protocol headers (d3503c1f).

8.19.0

Features

Added the closeTimeout option (#2308).

Bug fixes

Handled a forthcoming breaking change in Node.js core (19984854).

... (truncated)

Commits

5d9b316 [dist] 8.20.1
c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
ce2a3d6 [ci] Test on node 26
58e45b8 [ci] Do not test on node 25
5f26c24 [ci] Run the lint step on node 24
8439255 [dist] 8.20.0
d3503c1 [minor] Export the PerMessageDeflate class and header utils
3ee5349 [api] Convert the isServer and maxPayload parameters to options
91707b4 [doc] Add missing space
8b55319 [pkg] Update eslint to version 10.0.1
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the /extractors/cds/tools directory: [tmp](https://github.com/raszi/node-tmp). Bumps the npm_and_yarn group with 1 update in the /javascript/frameworks/cap/test/models/cds/entityreference directory: [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 1 update in the /javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights directory: [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 1 update in the /javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML directory: [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 3 updates in the /javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example directory: [tmp](https://github.com/raszi/node-tmp), [@tootallnate/once](https://github.com/TooTallNate/once) and [ws](https://github.com/websockets/ws). Updates `tmp` from 0.2.5 to 0.2.6 - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md) - [Commits](raszi/node-tmp@v0.2.5...v0.2.6) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `qs` from 6.14.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.2...v6.15.2) Updates `tmp` from 0.2.5 to 0.2.7 - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md) - [Commits](raszi/node-tmp@v0.2.5...v0.2.6) Updates `@tootallnate/once` from 2.0.0 to 2.0.1 - [Release notes](https://github.com/TooTallNate/once/releases) - [Changelog](https://github.com/TooTallNate/once/blob/v2.0.1/CHANGELOG.md) - [Commits](TooTallNate/once@2.0.0...v2.0.1) Updates `ws` from 8.17.1 to 8.20.1 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@8.17.1...8.20.1) --- updated-dependencies: - dependency-name: tmp dependency-version: 0.2.6 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tmp dependency-version: 0.2.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@tootallnate/once" dependency-version: 2.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.20.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 29, 2026

dependabot Bot mentioned this pull request May 29, 2026

Bump the npm_and_yarn group across 5 directories with 3 updates #373

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 5 directories with 4 updates#374

Bump the npm_and_yarn group across 5 directories with 4 updates#374
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/extractors/cds/tools/npm_and_yarn-d526163938

dependabot Bot commented on behalf of github May 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 29, 2026

6.15.2

6.15.1

6.15.0

6.15.2

6.15.1

6.15.0

6.15.2

6.15.1

6.15.0

v2.0.1

Patch Changes

2.0.1

Patch Changes

8.20.1

Bug fixes

8.20.0

Features

8.19.0

Features

Bug fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants