Update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	patch	v6.0.2 → v6.0.3
codecov/codecov-action	action	patch	v5.5.4 → v5.5.5
github/codeql-action	action	patch	v3.36.0 → v3.36.2
yarn (source)	packageManager	minor	4.15.0 → 4.17.0
net.sourceforge.plantuml:plantuml	dependencies	patch	1.2026.5 → 1.2026.6
tools.jackson.core:jackson-core	dependencies	patch	3.1.0 → 3.1.1
tools.jackson.core:jackson-databind (source)	dependencies	minor	3.1.0 → 3.2.0
com.fasterxml.jackson.core:jackson-annotations (source)	dependencies	minor	2.21 → 2.22
io.netty:netty-codec-http (source)	dependencies	patch	4.2.14.Final → 4.2.15.Final
io.netty:netty-codec (source)	dependencies	patch	4.2.14.Final → 4.2.15.Final
io.netty:netty-handler (source)	dependencies	patch	4.2.14.Final → 4.2.15.Final
io.netty:netty-handler-proxy (source)	dependencies	patch	4.2.14.Final → 4.2.15.Final
com.github.javaparser:javaparser-core (source)	dependencies	patch	3.28.1 → 3.28.2
io.netty:netty-codec-socks (source)	dependencies	patch	4.2.14.Final → 4.2.15.Final
com.squareup.okhttp3:okhttp (source)	dependencies	minor	5.3.2 → 5.4.0
com.datadoghq:datadog-api-client	dependencies	minor	2.55.0 → 2.56.0
io.projectreactor.netty:reactor-netty-core	dependencies	patch	1.3.5 → 1.3.6
io.opentelemetry:opentelemetry-api	dependencies	minor	1.62.0 → 1.63.0
io.projectreactor.netty:reactor-netty-http	dependencies	patch	1.3.5 → 1.3.6
org.asynchttpclient:async-http-client	dependencies	minor	2.15.0 → 2.16.0
org.jetbrains.kotlin.jvm (source)	plugin	minor	2.3.21 → 2.4.0

---

Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers

GHSA-2m67-wjpj-xhg9

More information

Details

Summary

Jackson Core 3.x does not consistently enforce StreamReadConstraints.maxDocumentLength. Oversized JSON documents can be accepted without a StreamConstraintsException in multiple parser entry points, which allows configured size limits to be bypassed and weakens denial-of-service protections.

Details

Three code paths where maxDocumentLength is not fully enforced:

1. Blocking parsers skip validation of the final in-memory buffer

Blocking parsers validate only previously processed buffers, not the final in-memory buffer:

• ReaderBasedJsonParser.java:255
• UTF8StreamJsonParser.java:208

Relevant code:

_currInputProcessed += bufSize;
_streamReadConstraints.validateDocumentLength(_currInputProcessed);

This means the check occurs only when a completed buffer is rolled over. If an oversized document is fully contained in the final buffer, parsing can complete without any document-length exception.

2. Async parsers skip validation of the final chunk on end-of-input

Async parsers validate previously processed chunks, but do not validate the final chunk on end-of-input:

• NonBlockingByteArrayJsonParser.java:49
• NonBlockingByteBufferJsonParser.java:57
• NonBlockingUtf8JsonParserBase.java:75

Relevant code:

_currInputProcessed += _origBufferLen;
_streamReadConstraints.validateDocumentLength(_currInputProcessed);

public void endOfInput() {
    _endOfInput = true;
}

endOfInput() marks EOF but does not perform a final validateDocumentLength(...) call, so an oversized last chunk is accepted.

3. DataInput parser path does not enforce maxDocumentLength at all

• JsonFactory.java:457

Relevant construction path:

int firstByte = ByteSourceJsonBootstrapper.skipUTF8BOM(input);
return new UTF8DataInputJsonParser(readCtxt, ioCtxt,
        readCtxt.getStreamReadFeatures(_streamReadFeatures),
        readCtxt.getFormatReadFeatures(_formatReadFeatures),
        input, can, firstByte);

UTF8DataInputJsonParser does not call StreamReadConstraints.validateDocumentLength(...), so maxDocumentLength is effectively disabled for createParser(..., DataInput) users.

Note: This issue appears distinct from the recently published nesting-depth and number-length constraint advisories because it affects document-length enforcement.

PoC

Async path reproducer

import java.nio.charset.StandardCharsets;
import tools.jackson.core.JsonParser;
import tools.jackson.core.ObjectReadContext;
import tools.jackson.core.StreamReadConstraints;
import tools.jackson.core.async.ByteArrayFeeder;
import tools.jackson.core.json.JsonFactory;

public class Poc {
    public static void main(String[] args) throws Exception {
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxDocumentLength(10L)
                        .build())
                .build();

        byte[] doc = "{\"a\":1,\"b\":2}".getBytes(StandardCharsets.UTF_8);

        try (JsonParser p = factory.createNonBlockingByteArrayParser(ObjectReadContext.empty())) {
            ByteArrayFeeder feeder = (ByteArrayFeeder) p.nonBlockingInputFeeder();
            feeder.feedInput(doc, 0, doc.length);
            feeder.endOfInput();

            while (p.nextToken() != null) { }
        }

        System.out.println("Parsed successfully");
    }
}

• Expected result: Parsing should fail because the configured document-length limit is 10, while the input is longer than 10 bytes.
• Actual result: The document is accepted and parsing completes.

Blocking path reproducer

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import tools.jackson.core.JsonParser;
import tools.jackson.core.StreamReadConstraints;
import tools.jackson.core.json.JsonFactory;

public class Poc2 {
    public static void main(String[] args) throws Exception {
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxDocumentLength(10L)
                        .build())
                .build();

        byte[] doc = "{\"a\":1,\"b\":2}".getBytes(StandardCharsets.UTF_8);

        try (JsonParser p = factory.createParser(new ByteArrayInputStream(doc))) {
            while (p.nextToken() != null) { }
        }

        System.out.println("Parsed successfully");
    }
}

Impact

Applications that rely on maxDocumentLength as a safety control for untrusted JSON can accept oversized inputs without error. In network-facing services this weakens an explicit denial-of-service protection and can increase CPU and memory consumption by allowing larger-than-configured request bodies to be processed.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/FasterXML/jackson-core/security/advisories/GHSA-2m67-wjpj-xhg9
• https://github.com/FasterXML/jackson-core/commit/74c9ee255d1534c179bc7d3de48941bf39a9079c
• https://github.com/advisories/GHSA-2m67-wjpj-xhg9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

codecov/codecov-action (codecov/codecov-action)

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

github/codeql-action (github/codeql-action)

v3.36.2

Compare Source

• Cache CodeQL CLI version information across Actions steps. #​3943
• Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #​3937
• Update default CodeQL bundle version to 2.25.6. #​3948

v3.36.1

Compare Source

No user facing changes.

yarnpkg/berry (yarn)

v4.17.0: v4.17.0

Compare Source

What's Changed

• Adds support for package map generation by @​arcanis in #​7184
• fix: add catalog settings to yarnrc schema by @​cyphercodes in #​7179
• docs: clarify background job exit codes by @​StantonMatt in #​7167
• fix: explain peer-default dependencies in why by @​StantonMatt in #​7168
• Docs: fix npmMinimalAgeGate default by @​clemyan in #​7181
• feat(plugin-npm): allow npmMinimalAgeGate per npmScope by @​erlandasz in #​7156

New Contributors

• @​cyphercodes made their first contribution in #​7179
• @​StantonMatt made their first contribution in #​7167
• @​erlandasz made their first contribution in #​7156

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.16.0...@​yarnpkg/cli/4.17.0

v4.16.0: v4.16.0

Compare Source

What's Changed

• PnP: Include Node 22.22.3 in fstat workaround by @​junjuny0227 in #​7141
• Implements yarn npm stage by @​arcanis in #​7147
• fix: Stop using EBADF workaround for Node 24.16.0+ by @​MJDSys in #​7152
• Bumps eslint-plugin-arca by @​arcanis in #​7163
• Enables staged publishing by @​arcanis in #​7164
• feat: Add editor SDK support for oxc (oxfmt & oxlint) by @​slainless in #​7078
• docs: fix npmMinimalAgeGate default value. by @​ryanfox1985 in #​7125

New Contributors

• @​junjuny0227 made their first contribution in #​7141
• @​MJDSys made their first contribution in #​7152
• @​slainless made their first contribution in #​7078
• @​ryanfox1985 made their first contribution in #​7125

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.15.0...@​yarnpkg/cli/4.16.0

javaparser/javaparser (com.github.javaparser:javaparser-core)

v3.28.2

issues resolved

Added

• fix: implement phase-2 poly-expression inference for method/construct or references (JLS §15.12.2.7) (PR #​5031 by @​jlerbsc)
• Enforce JLS §14.11.1 language-level rules for multi-pattern case labels (PR #​5010 by @​jlerbsc)

Changed

• build: add OSGi support to all deployable modules (#​1477) (PR #​5011 by @​ethan-godden)

Fixed

• fix: resolve constructor references via context rather than constructed type (PR #​5030 by @​jlerbsc)
• fix: handle wildcard actualType in matchTypeParameters (issue #​3751) (PR #​5029 by @​jlerbsc)
• Fix: UnsupportedOperationException when resolving method calls inside lambdas in Comparator.comparing (#​2716) (PR #​5026 by @​jlerbsc)
• fix: resolve constructor parameter type for lambda in ObjectCreationExpr (PR #​5024 by @​jlerbsc)
• fix(FunctionalInterfaceLogic): return empty() for non-reference types (#​3625) (PR #​5022 by @​jlerbsc)
• Fix lambda type inference for fully-qualified static method calls (#​3476 (PR #​5019 by @​jlerbsc)
• fix(grammar): allow text block ending in escaped backslash before closing """ (PR #​5017 by @​ethan-godden)
• Fix parsing of multiple patterns in switch case labels (issue #​4996) (PR #​5009 by @​jlerbsc)

Uncategorised

• fix: resolve NameExpr to field when local variable with same name is declared later (PR #​5025 by @​jlerbsc)

❤️ Contributors

Thank You to all contributors who worked on this release!

• @​ethan-godden
• @​jlerbsc

square/okhttp (com.squareup.okhttp3:okhttp)

v5.4.0

2026-06-08

• New: Add superpowers to interceptors. Interceptors can now override anything settable on
  OkHttpClient.Builder, such as the cache, connection pool, socket factory, and DNS. We expect
  this will allow most users to use interceptors everywhere, insted of mixing and matching
  interceptors with custom Call.Factory wrappers.
• Fix: Limit each HTTP/2 response to 256 KiB of total headers.
• Upgrade: [kotlinx.coroutines 1.11.0][coroutines_1_11_0]. This is used by the optional
  okhttp-coroutines artifact.
• Upgrade: [GraalVM 25.0.3][graalvm_25].
• Upgrade: [Okio 3.17.0][okio_3_17_0].

DataDog/datadog-api-client-java (com.datadoghq:datadog-api-client)

v2.56.0

Added

• Add captureNetworkPayloads for Synthetics Browser tests #​4002
• Set x-keep-typed-in-additional-properties on UsageSummary schemas #​4001
• add OpenAPI spec for Tag Policies API #​3996
• Mark ServiceNow triage endpoints as stable #​3994
• Add restore rule version endpoint in detection rules #​3987
• Document LLM Observability Patterns API #​3985
• Add OpenAPI spec for max session duration endpoint #​3982
• Additional Forms v2 API endpoints #​3981
• Add observability pipelines Generate metrics processor #​3978
• Add GET /api/v2/integration/slack/user-bindings to Slack integration spec #​3976
• Add OpenAPI spec for CSM settings endpoints #​3975
• Add OpenAPI spec for CSM ownership-api endpoints #​3974
• Add configuration field to deployment gates evaluation API #​3970
• Add triage endpoint and fields to IoC Explorer API docs #​3969
• Add GetSingleEntityContext endpoint to security monitoring spec #​3967
• Add int64 format and extract inline schemas #​3966
• Add metric filter query parameter to Cloud Cost Management tag metadata tag sources endpoint #​3965
• Document SendSecurityMonitoringNotificationPreview endpoint #​3962
• Add filter[owned_by] parameter to GET /api/v2/application_keys #​3961
• Add OpenAPI spec for App Builder Forms v2 API #​3959
• Add JWT authentication type for Synthetics HTTP API tests #​3958
• Add shared dashboard list OpenAPI spec #​3955
• Expose usage summary keys for June SKUs #​3954
• Add OpenAPI spec for SAML configuration endpoints #​3953
• Add slo_query to SLO Correction API for global correction support #​3952
• Add OpenAPI spec for /api/v2/network-health-insights #​3950
• Add OpenAPI spec for OAuth2 well-known sites endpoint #​3949
• [error-tracking] Add Linear issue to API endpoints response schemas #​3948
• Add OpenAPI spec for ASM services v2 endpoint #​3947
• Add OpenAPI spec for stegadography get-widgets endpoint #​3943
• Add available_fields endpoint to usage summary #​3941
• add issue_stream to public spec #​3938
• Add public OpenAPI spec for report schedule create and update #​3937
• Add ListWorkflows endpoint to Workflow Automation #​3936
• Add edited_before and viewed_before filters to ListDashboardsUsage #​3932
• Add tag indexing rule APIs to v2 metrics spec #​3931
• Add OpenAPI spec for global orgs endpoint #​3929
• doc ml obs Expose LLM Observability annotation endpoints #​3928
• Add OpenAPI spec for sourcemap-admin public endpoints #​3926
• RUM - Add OpenAPI spec for hardcoded retention filters #​3925
• Add missing query parameter to CNM aggregated connections and DNS endpoints #​3924
• Add RUM rate limit configuration v2 endpoints #​3923
• Update ListVolumesByMetricName description for Metric Name Pricing #​3922
• Add status-page resource to restriction policy API docs #​3920
• Add public OpenAPI ops for Salesforce-incidents orgs and templates #​3919
• Add partitioning_attributes and lookup_attributes to Log Archives spec #​3917
• Add OpenAPI spec for security monitoring bulk convert rules endpoint #​3916
• Add public OpenAPI ops for Webhooks OAuth2 client credentials #​3915
• Add public OpenAPI ops for Statuspage account and URL settings #​3914
• Add new Host Map widget infrastructure request type #​3913
• Add public OpenAPI ops for Opsgenie accounts CRUD #​3912
• Allow llm-observability data source in formula event queries #​3910
• Add OpenAPI spec for APM spans-public-api trace endpoints #​3908
• Add DeleteSyncConfig OpenAPI endpoint for Storage Management #​3906
• Add OpenAPI spec for OAuth2 client endpoints #​3905
• Add OpenAPI specs for SCA licenses and dependency scan endpoints #​3904
• Allow apm metrics data source for distribution histogram request #​3901
• Add is_backfilled to our Status Pages degradations and maintenances API responses. #​3897
• Add OpenAPI for LLM Observability dataset export batch_update clone restore and records upload SSE #​3895
• Add OpenAPI specs for secmon-public-api datasets endpoints #​3893
• Add OpenAPI specs for static-analysis-api missing endpoints #​3891
• RUM - add API endpoints for permanent retention filters #​3890
• Add siem_12mo_retention and siem_6mo_retention to usage API #​3887
• Add serverless_apps_dsm_fargate_tasks fields to usage metering API #​3886
• Add Cloud Cost Management tag_metadata months endpoint #​3885
• Add observability pipelines splunk HEC metrics destination #​3884
• Add comparison to QueryValueWidgetRequest for surfacing the change indicator feature #​3883
• Support for In-App WAF policies operations #​3882
• Adjust TS generated clients to query extra pages unless an empty set was returned #​3880
• Add OpenAPI for LLM Observability dataset draft state and versions #​3879
• Document LLM Observability org config endpoints #​3877
• Add OpenAPI spec for IDP entity integration configs #​3876
• Add OpenAPI specs for app-builder blueprints, tags, and private query endpoints #​3875
• Add buffer support to remaining Observability Pipelines destinations #​3874
• Add critical_query / critical_recovery_query to MonitorThresholds #​3873
• Sync 'status_pages.yaml' files with backend #​3872
• Add OpenAPI spec for v2 customer org disable endpoint #​3871
• Add Annotations API v2 spec #​3870
• Document LLM Observability LLM provider integration endpoints #​3868
• Add ValidateAWSCCMConfig operation to AWS integration v2 spec #​3867
• Add baselineUserLocationsDuration to Impossible Travel rule options #​3866
• Add OpenAPI spec for RUM insight aggregation endpoints #​3864
• Add OpenAPI definitions for path-param tag_description endpoints #​3863
• Monitors Augmented Query Add Group By Source #​3862
• Add mcp step subtype to synthetics multi-step api tests #​3861
• Document Cloud SIEM Growth and Content owned endpoints #​3859
• Add API fields for jobs_monitoring_orchestrators #​3857
• Add OpenAPI specs for 36 undocumented case-rapid-api v2 endpoints #​3856
• Document LLM Observability Experiments search endpoints #​3855
• Add new metrics processors in Observability Pipelines #​3853
• Add OpenAPI spec for Model Lab API v2 endpoints #​3852
• Update observability pipelines databricks_zerobus destination endpoint fields to be secret #​3851
• Add csm_host_pro hosts agentless scanners to usage metering API #​3850
• Add Dashboards Usage v2 endpoints #​3849
• observability pipelines add tls.verify_certificate field to multiple push sources #​3848
• Update Synthetics downtime spec: gate write ops on default-settings and add monthly weekday positions #​3847
• Add TCP congestion signals to CNM aggregated connections spec #​3846
• Add ListReferenceTableRows endpoint to Reference Tables #​3845
• Cloud Cost Recommendations Search API #​3839
• Add Cloud Cost Management tag_metadata endpoints #​3838
• feat - Add data-jobs alert monitor type support #​3834
• Add display_block interaction type to LLM Obs annotation queues #​3832
• Add exclude-attribute processor to logs pipelines #​3821
• Add missing scorecards OpenAPI specs #​3820
• Adding valid tokens to Splunk and HTTP server source #​3816
• Add escalation policy routing action with support hours and acknowledgment timeout to On-Call routing rules #​3798
• Add created_at/modified_at to LLM Obs annotation queue interaction responses #​3746

Removed

• Remove deprecated incident services APIs (/api/v2/services) #​3990
• Make fleet-automation clusters and instrumented_pods specs private #​3979

Changed

• Add DELETE user-binding endpoint to Microsoft Teams Integration spec #​3984
• Add Google Chat organizations, delegated-user, and target-audience OpenAPI operations #​3960
• Update param spec for GET experiments in LLM Observability #​3934
• Add risk-scores entityID spec #​3927
• Update PAT and SAT api spec #​3909
• Rename Tiers for Org Group Policies and Remove Include Memberships Support #​3878
• Document LLM Observability span search and data deletion endpoints #​3865

Deprecated

• Deprecate bulk tag config API endpoints #​3977
• Move MuteFindings operation to private spec #​3968

Fixed

• Fix RUM casing in descriptions and summaries #​3939
• Reconcile SIEM historical detections OpenAPI with current schema #​3896
• security-monitoring - Change histsignals/search method from GET to POST #​3892

reactor/reactor-netty (io.projectreactor.netty:reactor-netty-core)

v1.3.6

Reactor Netty 1.3.6 is part of 2025.0.6 Release Train.

What's Changed

⚠️ Update considerations and deprecations

• Tweak DNS resolver channel allocation strategy by @​violetagg in #​4230

✨ New features and improvements

• Depend on Reactor Core v3.8.6 by @​violetagg in 511a3b6, see release notes
• Depend on Netty v4.2.15.Final by @​violetagg in #​4237
• Remove multipart exception from isSelfDefinedMessageLength for keep-alive by @​violetagg in #​4200
• Store HTTP/2 websocket CONNECT :protocol/:path in channel attributes by @​violetagg in #​4202
• Update HTTP/3 configuration by @​violetagg in 1a4c422

🐞 Bug fixes

• Fix keep-alive race when creating HttpServerOperations by @​koisyu in #​4189
• Fix HTTP/3 connection pool drain when server replenishes streams to same level by @​violetagg in #​4193
• Fix missing metrics for AdaptiveByteBufAllocator by @​lukas-riedler-dynatrace in #​4217
• Throw DecoderException with hostname when SNI AsyncMapping resolves to null by @​kwondh5217 in #​4212
• Refine header handling during redirects by @​violetagg in e7ef551

📖 Documentation

• Add WebSocket echo server example by @​Yelagandula in #​4177
• Document TCP/UDP metrics remote.address tag cardinality by @​violetagg in #​4201

New Contributors

• @​koisyu made their first contribution in #​4189
• @​Yelagandula made their first contribution in #​4177
• @​lukas-riedler-dynatrace made their first contribution in #​4217
• @​kwondh5217 made their first contribution in #​4212

Full Changelog: reactor/reactor-netty@v1.3.5...v1.3.6

open-telemetry/opentelemetry-java (io.opentelemetry:opentelemetry-api)

v1.63.0

API

• Add missing setAttribute shortcuts to Span and LogRecordBuilder
  (#​8255)
• Promote InstrumentationUtil to public class in io.opentelemetry.api.impl package
  (#​8413)
• Fix index-out-of-bounds in StrictContextStorage
  (#​8294)

Incubating

• BREAKING Remove deprecated ExtendedAttributes and related code
  (#​8395)

SDK

Metrics

• Collect async exemplars when exemplar filter is always_on
  (#​8363)
• Move delta record/collect coordination from instrument to series level
  (#​8313)

Exporters

• Add noop() factory method to SpanExporter and LogRecordExporter
  (#​8435)
• BREAKING OTLP: Remove support for deprecated GrpcSenderProvider and HttpSenderProvider SPI
  property names (use io.opentelemetry.sdk.common.export.GrpcSenderProvider /
  io.opentelemetry.sdk.common.export.HttpSenderProvider instead)
  (#​8392)
• OTLP: Bound OkHttp sender dispatchers and surface rejections
  (#​8422)
• Prometheus: Limit exemplar label characters to conform to Prometheus limits
  (#​8362)
• Logging: Fix LoggingSpanExporter.flush() to preserve flush failures
  (#​8361)
• Zipkin: Make exporter self-contained by removing shared internal code dependencies
  (#​8413)

Extensions

• BREAKING Autoconfigure: Remove deprecated otel.experimental.config.file property
  (#​8393)
• BREAKING Incubator: Remove deprecated ViewConfig/ViewConfigCustomizer view file config mechanism
  (#​8394)
• Declarative config: Fix model package
  (#​8403)
• Declarative config: Fix Java module name to io.opentelemetry.sdk.autoconfigure.declarativeconfig
  (#​8452)

Shims

• Deprecate OpenTracing shim public API
  (#​8373)

Project tooling

• Finish adding OSGi support across all modules
  (#​8401,
  #​8417)
• Force io.zipkin.zipkin2:zipkin:3.6.1 to avoid problematic gson version
  (#​8430)

JetBrains/kotlin (org.jetbrains.kotlin.jvm)

v2.4.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 8.46%. Comparing base (e8f568b) to head (1460688).

Additional details and impacted files

@@            Coverage Diff             @@
##              main   #1095      +/-   ##
==========================================
- Coverage     9.58%   8.46%   -1.12%     
+ Complexity    2001    1569     -432     
==========================================
  Files         8196    8196              
  Lines        78344   78344              
  Branches       344     344              
==========================================
- Hits          7509    6634     -875     
- Misses       70647   71547     +900     
+ Partials       188     163      -25     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.