Bump the npm_and_yarn group across 1 directory with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
brace-expansion	1.1.11	1.1.15
flatted	3.3.3	3.4.2
glob	10.4.5	10.5.0
ip-address	10.0.1	10.2.0
shell-quote	1.7.2	1.8.4
tar	7.5.2	7.5.16
undici	6.26.0	6.27.0

Updates brace-expansion from 1.1.11 to 1.1.15

Release notes

Sourced from brace-expansion's releases.

v1.1.15

• Backport v5.0.6 change to v1 (#111) 0b09384

---

juliangruber/brace-expansion@v1.1.14...v1.1.15

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 2203f4f 1.1.15
• 0b09384 Backport v5.0.6 change to v1 (#111)
• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates glob from 10.4.5 to 10.5.0

Commits

• 56774ef 10.5.0
• 1e4e297 bin: Do not expose filenames to shell expansion
• See full diff in compare view

Updates ip-address from 10.0.1 to 10.2.0

Commits

• 80fccaa 10.2.0
• abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
• 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
• 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
• 80bc76e Validate static factories instead of silently overflowing (#201)
• 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
• a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
• ec52105 Add networkForm() for CIDR network-address strings (#199)
• a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
• f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
• Additional commits viewable in compare view

Updates shell-quote from 1.7.2 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

• [Fix] quote: validate object-token shapes 4378a6e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
• [Tests] increase coverage 9f3caa3
• [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
• [Dev Deps] update @ljharb/eslint-config 699c511

v1.8.3 - 2025-06-01

Fixed

• [Fix] remove unnecessary backslash escaping in single quotes [#15](https://github.com/ljharb/shell-quote/issues/15)

v1.8.2 - 2024-11-27

Fixed

• [Fix] quote: preserve empty strings [#18](https://github.com/ljharb/shell-quote/issues/18)

Commits

• [meta] fix changelog tags 0fb9fd8
• [actions] split out node 10-20, and 20+ 819bd84
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408
• [actions] update npm for windows tests fdeb0fd
• [Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b
• [actions] prevent node 14 on ARM mac from failing 9eecafc
• [meta] exclude more files from the package 4044e7f
• [Tests] replace aud with npm audit 8cfdbd8
• [meta] add missing engines.node 843820e
• [Dev Deps] add missing peer dep 4c3b88d
• [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed

v1.8.1 - 2023-04-07

Fixed

• [Fix] parse: preserve whitespace in comments [#6](https://github.com/ljharb/shell-quote/issues/6)
• [Fix] properly support the escape option [#5](https://github.com/ljharb/shell-quote/issues/5)

Commits

• [Refactor] parse: hoist getVar to module level b42ac73
• [Refactor] hoist some vars to module level 8f0c5c3
• [Refactor] parse: use slice over substr, cache some values fcb2e1a
• [Refactor] parse: a bit of cleanup 6780ec5
• [Refactor] parse: tweak the regex to not match nothing 227d474

... (truncated)

Commits

• ff166e2 v1.8.4
• 4378a6e [Fix] quote: validate object-token shapes
• 22ebec0 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, `npmig...
• 9f3caa3 [Tests] increase coverage
• 3344a04 [readme] replace runkit CI badge with shields.io check-runs badge
• 699c511 [Dev Deps] update @ljharb/eslint-config
• 487a9b4 v1.8.3
• 01faaff [Fix] remove unnecessary backslash escaping in single quotes
• b19fc77 v1.8.2
• 59d29ea [Fix] quote: preserve empty strings
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for shell-quote since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.

Updates tar from 7.5.2 to 7.5.16

Commits

• cf21338 7.5.16
• 21a8220 do not apply PAX header fields to meta entries
• 52632cf update project deps
• 302f51f fix inconsequential typo in PENDINGLINKS symbol name
• 55dbb99 remove some uses of mutate-fs
• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates undici from 6.26.0 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0 — v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	6.27.0	b7f252e7
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	6.27.0	25efa447
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	6.27.0	25efa447
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	6.27.0	f4c31d60

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

---

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

• 551138c Bumped v6.27.0 (#5431)
• b7f252e Backport WebSocket maxPayloadSize fixes to v7.x (#5423) (#5428)
• 25efa44 fix(cookies): preserve values and parse SameSite strictly
• f4c31d6 fix: guard idle socket validation to skip fresh sockets (#5400)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.