Skip to content

Bump the npm_and_yarn group across 3 directories with 6 updates#1

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/pkg/archperf-pro/usr/share/archperf/npm_and_yarn-0b062c224f
Open

Bump the npm_and_yarn group across 3 directories with 6 updates#1
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/pkg/archperf-pro/usr/share/archperf/npm_and_yarn-0b062c224f

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github May 25, 2026

Bumps the npm_and_yarn group with 1 update in the /pkg/archperf-pro/usr/share/archperf directory: electron.
Bumps the npm_and_yarn group with 5 updates in the / directory:

Package From To
electron 28.3.3 39.8.5
@tootallnate/once 2.0.0 2.0.1
@xmldom/xmldom 0.8.11 0.8.13
lodash 4.17.23 4.18.1
tar 6.2.1 7.5.15

Bumps the npm_and_yarn group with 2 updates in the /archperf-orchestrator directory: @tootallnate/once and axios.

Updates electron from 28.3.3 to 42.2.0

Release notes

Sourced from electron's releases.

electron v42.2.0

Release Notes for v42.2.0

Features

  • Allowed the --experimental-inspector-network-resource Node.js flag to be passed through Electron. #51378 (Also in 41)

Fixes

  • Fixed crash for Notification close. #51657 (Also in 41, 43)

Other Changes

  • Backported fixes for a use-after-free in touch-event queue teardown, a runtime-effect validation gap in Skia image filters, and an integer overflow in the GLSL translator. #51646
  • Backported fixes for an out-of-bounds write in WebAudio worklet setup, a heap overflow in the ANGLE GL backend, a use-after-free in the GTK Wayland platform, an accessibility tree-state validation issue, and an integer overflow in text bidi handling. #51666
  • Improved performance of app.getApplicationNameForProtocol() on Linux. #51628

Documentation

  • Documentation changes: #51688

electron v42.1.0

Release Notes for v42.1.0

Fixes

  • Fixed a crash in the macOS Touch ID WebAuthn prompt caused by a missing string resource, and added touchID.promptReason to app.configureWebAuthn() to customize the prompt text. #51594 (Also in 41, 43)
  • Fixed a crash on MacOS when a user clicked into a title bar or top view. #51605 (Also in 43)

Other Changes

  • Improved performance of webRequest header conversions and several other gin converter hot paths. #51607 (Also in 43)
  • Improved performance of native event emission, IPC dispatch, and option-dictionary parsing. #51614 (Also in 41)

electron v42.0.1

Release Notes for v42.0.1

Fixes

  • Fixed DesktopCapturer crash on macOS. #51506
  • Fixed ELECTRON_INSTALL_PLATFORM being ignored when resolving the Electron executable path during postinstall, which caused path.txt to be written for the host platform instead of the requested target and made isInstalled() always re-download on subsequent installs. #51370
  • Fixed app.getLoginItemSettings() returning undefined for executableWillLaunchAtLogin on macOS; the property is now always a boolean. #51507 (Also in 40, 41)
  • Fixed a potential race condition crash when closing DevTools. #51473 (Also in 41)

Other Changes

  • Updated Chromium to 148.0.7778.97. #51517

electron v42.0.0

Release Notes for v42.0.0

Stack Upgrades

... (truncated)

Commits
  • 87740a8 fix: skip current instance's child processes in Windows orphan killer (#51686)
  • db2296d docs: update Notification 'failed' support info (#51688)
  • c084f3d feat: allow --experimental-inspector-network-resource node flag (#51378)
  • 365cd49 docs: update Azure Artifact Signing and EV cert docs (#51677)
  • 4f2f73d fix: Crash for Notification close (#51657)
  • 71627f0 chore: cherry-pick 5 changes from chromium, angle (42-x-y) (#51666)
  • 2c8e90d perf: use GIO instead of xdg-mime for app.getApplicationNameForProtocol()...
  • 9f5cd23 refactor: SafeStorage never emits, so do not inherit from EventEmitter (#5105...
  • 9d75899 chore: cherry-pick 3 changes from chromium, skia, angle (42-x-y) (#51646)
  • 804962d test: wait for navigation to settle in loadURL tests (#51644)
  • Additional commits viewable in compare view

Updates electron from 28.3.3 to 39.8.5

Release notes

Sourced from electron's releases.

electron v42.2.0

Release Notes for v42.2.0

Features

  • Allowed the --experimental-inspector-network-resource Node.js flag to be passed through Electron. #51378 (Also in 41)

Fixes

  • Fixed crash for Notification close. #51657 (Also in 41, 43)

Other Changes

  • Backported fixes for a use-after-free in touch-event queue teardown, a runtime-effect validation gap in Skia image filters, and an integer overflow in the GLSL translator. #51646
  • Backported fixes for an out-of-bounds write in WebAudio worklet setup, a heap overflow in the ANGLE GL backend, a use-after-free in the GTK Wayland platform, an accessibility tree-state validation issue, and an integer overflow in text bidi handling. #51666
  • Improved performance of app.getApplicationNameForProtocol() on Linux. #51628

Documentation

  • Documentation changes: #51688

electron v42.1.0

Release Notes for v42.1.0

Fixes

  • Fixed a crash in the macOS Touch ID WebAuthn prompt caused by a missing string resource, and added touchID.promptReason to app.configureWebAuthn() to customize the prompt text. #51594 (Also in 41, 43)
  • Fixed a crash on MacOS when a user clicked into a title bar or top view. #51605 (Also in 43)

Other Changes

  • Improved performance of webRequest header conversions and several other gin converter hot paths. #51607 (Also in 43)
  • Improved performance of native event emission, IPC dispatch, and option-dictionary parsing. #51614 (Also in 41)

electron v42.0.1

Release Notes for v42.0.1

Fixes

  • Fixed DesktopCapturer crash on macOS. #51506
  • Fixed ELECTRON_INSTALL_PLATFORM being ignored when resolving the Electron executable path during postinstall, which caused path.txt to be written for the host platform instead of the requested target and made isInstalled() always re-download on subsequent installs. #51370
  • Fixed app.getLoginItemSettings() returning undefined for executableWillLaunchAtLogin on macOS; the property is now always a boolean. #51507 (Also in 40, 41)
  • Fixed a potential race condition crash when closing DevTools. #51473 (Also in 41)

Other Changes

  • Updated Chromium to 148.0.7778.97. #51517

electron v42.0.0

Release Notes for v42.0.0

Stack Upgrades

... (truncated)

Commits
  • 87740a8 fix: skip current instance's child processes in Windows orphan killer (#51686)
  • db2296d docs: update Notification 'failed' support info (#51688)
  • c084f3d feat: allow --experimental-inspector-network-resource node flag (#51378)
  • 365cd49 docs: update Azure Artifact Signing and EV cert docs (#51677)
  • 4f2f73d fix: Crash for Notification close (#51657)
  • 71627f0 chore: cherry-pick 5 changes from chromium, angle (42-x-y) (#51666)
  • 2c8e90d perf: use GIO instead of xdg-mime for app.getApplicationNameForProtocol()...
  • 9f5cd23 refactor: SafeStorage never emits, so do not inherit from EventEmitter (#5105...
  • 9d75899 chore: cherry-pick 3 changes from chromium, skia, angle (42-x-y) (#51646)
  • 804962d test: wait for navigation to settle in loadURL tests (#51644)
  • Additional commits viewable in compare view

Updates @tootallnate/once from 2.0.0 to 2.0.1

Release notes

Sourced from @​tootallnate/once's releases.

v2.0.1

Patch Changes

  • a1e5e2d: Fix promise hang when AbortSignal is aborted
Changelog

Sourced from @​tootallnate/once's changelog.

2.0.1

Patch Changes

  • a1e5e2d: Fix promise hang when AbortSignal is aborted
Commits
  • bcbb21d ci: fix OIDC publishing — Node 24, npm latest, provenance
  • dc24387 Version Packages (2.x) (#12)
  • b8a6f80 CI: test all Node versions on Linux only
  • dabcc0f ci: drop EOL Node.js 14.x/16.x, add 22.x
  • b464efc Update CI: modern Node versions, fix macOS ARM64 compat
  • a1e5e2d Fix promise hang when AbortSignal is aborted
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tootallnate/once since your current version.


Updates @xmldom/xmldom from 0.8.11 to 0.8.13

Release notes

Sourced from @​xmldom/xmldom's releases.

0.8.13

Commits

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.12

Commits

Fixed

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @​thesmartshadow, @​stevenobiajulu, for your contributions

xmldom/xmldom#357

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.8.13

Fixed

  • Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
    • Comment: throws when data contains -->
    • ProcessingInstruction: throws when data contains ?>
    • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
  • Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

Added

Fixed

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

  • updated dependencies

Thank you, @​stevenobiajulu, @​yoshi389111, @​thesmartshadow, for your contributions

0.8.12

Fixed

... (truncated)

Commits
  • e5c1480 0.8.13
  • 9611e20 style: drop unused import in test file
  • dc4dff3 docs: add 0.8.13 changelog entry
  • 842fa38 fix: prevent stack overflow in normalize (GHSA-2v35-w6hq-6mfw)
  • aeff69f test: add normalize behavioral coverage to node.test.js
  • cbdb0d7 fix: make walkDOM iterative to prevent stack overflow (GHSA-2v35-w6hq-6mfw)
  • 0b543d3 test: assert namespace declarations are isolated between siblings in serializ...
  • c007c51 refactor: migrate serializeToString to walkDOM
  • 2bb3899 test: add serializeToString coverage for uncovered branches
  • e69f38d refactor: migrate importNode to walkDOM
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.


Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates tar from 6.2.1 to 7.5.15

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Removes @tootallnate/once

Updates axios from 0.21.4 to 0.31.1

Release notes

Sourced from axios's releases.

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

  • Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

  • Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
  • Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
  • FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
  • Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20+) unchanged. (#10737)
  • Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

  • CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

  • Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

  • CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

  • TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

  • Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

  • Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 3 directories with 6 updates
42fb57c 
Bumps the npm_and_yarn group with 1 update in the /pkg/archperf-pro/usr/share/archperf directory: [electron](https://github.com/electron/electron).
Bumps the npm_and_yarn group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [electron](https://github.com/electron/electron) | `28.3.3` | `39.8.5` |
| [@tootallnate/once](https://github.com/TooTallNate/once) | `2.0.0` | `2.0.1` |
| [@xmldom/xmldom](https://github.com/xmldom/xmldom) | `0.8.11` | `0.8.13` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [tar](https://github.com/isaacs/node-tar) | `6.2.1` | `7.5.15` |

Bumps the npm_and_yarn group with 2 updates in the /archperf-orchestrator directory: [@tootallnate/once](https://github.com/TooTallNate/once) and [axios](https://github.com/axios/axios).


Updates `electron` from 28.3.3 to 42.2.0
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v28.3.3...v42.2.0)

Updates `electron` from 28.3.3 to 39.8.5
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v28.3.3...v42.2.0)

Updates `@tootallnate/once` from 2.0.0 to 2.0.1
- [Release notes](https://github.com/TooTallNate/once/releases)
- [Changelog](https://github.com/TooTallNate/once/blob/v2.0.1/CHANGELOG.md)
- [Commits](TooTallNate/once@2.0.0...v2.0.1)

Updates `@xmldom/xmldom` from 0.8.11 to 0.8.13
- [Release notes](https://github.com/xmldom/xmldom/releases)
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md)
- [Commits](xmldom/xmldom@0.8.11...0.8.13)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `tar` from 6.2.1 to 7.5.15
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.15)

Removes `@tootallnate/once`

Updates `axios` from 0.21.4 to 0.31.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.21.4...v0.31.1)

---
updated-dependencies:
- dependency-name: electron
  dependency-version: 42.2.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: electron
  dependency-version: 39.8.5
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@tootallnate/once"
  dependency-version: 2.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@xmldom/xmldom"
  dependency-version: 0.8.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.15
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@tootallnate/once"
  dependency-version:
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 0.31.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants