Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 10 updates#5

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-51e45f58be
Closed

build(deps): bump the npm_and_yarn group across 1 directory with 10 updates#5
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-51e45f58be

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
hono 4.12.7 4.12.18
openclaw 2026.3.11 2026.5.12
axios 1.13.5 1.16.1
basic-ftp 5.2.0 5.3.1
fast-uri 3.1.0 3.1.2
sanitize-html 2.17.1 2.17.4

Updates hono from 4.12.7 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36


Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

New Contributors

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

... (truncated)

Commits

Updates openclaw from 2026.3.11 to 2026.5.12

Release notes

Sourced from openclaw's releases.

openclaw 2026.5.12

Highlights

  • Leaner installs: WhatsApp, Slack, Amazon Bedrock, Anthropic Vertex, and related provider/plugin dependency cones moved out of the core runtime so installs only pull what you use.
  • Telegram got much more resilient: isolated polling, durable local spooling, safer group-media handling, and preserved HTML/Markdown formatting in streamed and scheduled replies.
  • Codex/OpenAI paths are smoother: auth-profile-backed media tools, MCP server projection, context-engine thread rotation, and better app-server/runtime fallback behavior.
  • Plugin installs and updates are harder to wedge, with pnpm 11 support, peer-dependency preservation, safer runtime scans, and source/git install fixes.
  • Gateway, browser, Slack, node pairing, sandbox, and transcript paths picked up a broad security/provenance hardening pass.
  • UI and reply delivery improved across Control UI, WebChat, TUI, rich-only replies, session history, and streaming auto-scroll.

Changes

  • Amazon Bedrock: externalize the Bedrock and Bedrock Mantle provider packages so core installs no longer pull AWS SDK dependencies unless those providers are installed.
  • Plugins: externalize Slack, OpenShell sandbox, and Anthropic Vertex so their runtime dependency cones install only when those plugins are installed.
  • Control UI/WebChat: add a persisted auto-scroll mode selector so users can keep the current near-bottom behavior, always follow streaming output, or turn automatic streaming scroll off and use the New messages button manually. Fixes #7648 and #81287. Thanks @​BunsDev.
  • ACP: add acp.fallbacks so ACP turns can try configured backup runtime backends when the primary backend is unavailable before any output is emitted. (#69542) Thanks @​kaseonedge.

Fixes

  • Doctor/Codex: stop warning that the message tool is unavailable for source-reply paths where OpenClaw grants message at runtime, keeping update and doctor output aligned with the OpenAI happy path. Thanks @​pashpashpash.
  • Channels/Weixin: bump the external Weixin catalog entry to @tencent-weixin/openclaw-weixin@2.4.3 with the matching package integrity. (#81730) Thanks @​scotthuang.
  • Agents/subagents: apply agents.defaults.subagents.model before target agent primary models during sessions_spawn, so model-scoped runtimes such as claude-cli stay attached to default child runs. Fixes #81395. (#81783) Thanks @​joshavant.
  • Telegram: keep Bot API polling alive during main event-loop stalls by moving ingress to an isolated worker with a durable local spool. Fixes #81132. (#81746) Thanks @​joshavant.
  • Telegram: preserve rendered HTML formatting through lazy cron announce delivery so Markdown links stay clickable instead of falling back to literal anchor tags. Fixes #81742. (#81758)
  • Telegram: skip unmentioned group media before download when requireMention is active, avoiding failed media-download replies for messages that should be ignored. Fixes #81181. (#81785) Thanks @​joshavant.
  • CLI/plugins: keep bare plugin and parent-command help on the lightweight path, avoiding plugin registry discovery before rendering help.
  • Gateway/session history: carry monotonic transcript message sequence through live updates and refresh SSE history when stale sequence input would otherwise append bad incremental state. (#81474) Thanks @​samzong.
  • Security/sandbox: include Windows USERPROFILE in the sandbox blocked home roots so credential-bearing binds (such as .codex, .openclaw, or .ssh under the Windows user profile) are denied even when HOME points at a different shell home. (#63074) Thanks @​luoyanglang.
  • Models config/auth: stop inferring provider env-var markers from broad ^[A-Z_][A-Z0-9_]*$ strings, and resolve config-backed provider apiKey values only through structured env SecretRefs (secrets.providers[id] / secrets.defaults), so unrelated env vars cannot accidentally become provider credentials. Thanks @​sallyom.
  • Media fetch: skip allocating and buffering the response body for bodyless media responses (HEAD probes and 204-style empty bodies), avoiding wasted heap on streams that carry no payload. Thanks @​shakkernerd.
  • CLI/onboarding: forward provider-specific auth flags (e.g. --openai-api-key) through the onboarding wizard so they reach provider auth methods via ctx.opts, letting --openai-api-key "$OPENAI_API_KEY" skip the redundant "use existing env var?" prompt in non-interactive harnesses. (#81669) Thanks @​sjf.
  • CLI/migrate: drop trailing periods from Codex migrate item messages and REASON_CODE_MESSAGES strings so plan/result rows read as labels instead of sentence fragments. (#81705) Thanks @​sjf.
  • Slack: treat malformed private-file redirect Location headers as unfollowable redirects instead of failing Slack media downloads.
  • Plugins: discover provider plugins from setup.providers[].envVars credentials during provider discovery while keeping the deprecated providerAuthEnvVars fallback. (#81542) Thanks @​JARVIS-Glasses.
  • Docs/Codex harness: clarify that per-agent CODEX_HOME isolates ~/.codex while inherited HOME intentionally keeps .agents discovery and subprocess user-home state available.
  • Auth: reclaim dead-owner stale file locks before retrying locked writes, so crashed OAuth refreshes no longer wedge auth-profiles.json until manual cleanup.
  • CLI tables: preserve muted/color styling on wrapped continuation lines after multiline cells, keeping openclaw plugins list descriptions readable.
  • Process execution: collapse case-insensitive duplicate child environment keys on Windows so caller-provided overrides such as PATH cannot be shadowed by host Path.
  • Gateway/diagnostics: suppress cold-start liveness warnings during the startup grace window while still sampling liveness metrics. Fixes #79915. (#81699) Thanks @​joshavant.
  • Codex harness: keep oauthRef-backed Codex OAuth profiles usable and stop high-confidence app-server OAuth refresh invalidation from retry-spamming raw token-refresh errors without turning entitlement or usage-limit payloads into re-auth prompts.
  • Browser CLI: request the existing operator.admin gateway scope explicitly for browser control commands, avoiding unnecessary scope-upgrade approval loops. Fixes #81555. (#81716) Thanks @​joshavant.
  • Gateway/diagnostics: suppress cold-start liveness warnings during the startup grace window while still sampling liveness metrics. Fixes #79915. (#81699) Thanks @​joshavant.
  • Plugin SDK: restore the deprecated openclaw/plugin-sdk/memory-core package subpath as an alias of memory-host-core, so published memory companion plugins that still import it resolve on current hosts.
  • Control UI/i18n: use the installed workspace pi runtime for locale refreshes, update the fallback package pin, prefer the Anthropic CI provider when available, and skip invalid provider credentials instead of failing main.
  • Codex harness: classify native app-server token-refresh logout and relogin failures as authentication refresh errors, so users get re-authentication guidance instead of a raw runtime failure.
  • Codex startup: treat selectable configured OpenAI agent models as Codex runtime requirements during plugin auto-enable, startup planning, and doctor install repair, so Anthropic-primary configs can still switch to OpenAI/Codex cleanly.
  • Agents: preserve source-reply delivery metadata when merging tool-returned media into the final reply, keeping message-tool-only replies deliverable and mirrored. Thanks @​pashpashpash and @​vincentkoc.
  • Replies: treat rich presentation, interactive controls, and channel-native payload data as outbound content across follow-up, heartbeat, cron, ACP, and block-streaming delivery paths, preventing card/button-only replies from being dropped as empty.
  • WebChat/TUI: route Codex tools.message source replies to the active internal UI turn and mirror them to session history, so message-tool-only harness replies, including rich presentation and button-only replies, no longer disappear while WebChat and TUI remain non-targetable outbound channels. (#81586) Thanks @​pashpashpash.
  • Replies: deliver rich-only block replies even when block-streaming coalescing is enabled, keeping card and button payloads from being dropped by the text coalescer. Thanks @​pashpashpash.

... (truncated)

Commits
  • f066dd2 chore(release): prepare 2026.5.12
  • 2f27dcb fix(config): stabilize heartbeat target help
  • 7a0548e docs(changelog): mention Weixin catalog bump
  • 31f0c9b Fix/weixin catalog update 2.4.3 (#81730)
  • cfab222 fix(doctor): respect runtime message tool grants
  • c230b08 fix(telegram): avoid worker postMessage lint suppression
  • df70248 ci(release): retry ClawHub publish verification errors
  • 097daf9 chore(release): bump beta 8 versions
  • 9798e95 fix: reconcile managed plugin peers
  • 7d6ba4c fix: honor git no-update installs
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for openclaw since your current version.

Install script changes

This version adds preinstall, postinstall scripts that run during installation. Review the package contents before updating.


Updates @opentelemetry/exporter-prometheus from 0.213.0 to 0.218.0

Release notes

Sourced from @​opentelemetry/exporter-prometheus's releases.

experimental/v0.218.0

0.218.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs metrics serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): show all config validation errors, if there are multiple #6683 @​trentm
  • feat(sdk-node): allow startNodeSDK() without an arg #6688 @​trentm

🏠 Internal

  • refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions #6691 @​david-luna
  • refactor(sdk-logs): use Logger.enabled() within Logger.emit() implementation #6680 @​david-luna

experimental/v0.217.0

0.217.0

🚀 Features

  • feat(otlp-transformer): replace protobufjs trace serialization with custom implementation #6625 @​pichlermarc
  • feat(configuration): auto-generate TypeScript types from OTel declarative config JSON schema (stable v1.0.0) using json-schema-to-typescript and ajv #6533 @​MikeGoldsmith
  • feat(configuration, sdk-node): startNodeSDK() code path now uses log_level configuration to setup a DiagConsoleLogger #6668 @​trentm
    • Note that allowed values for log_level in a configuration YAML file are not the same set as for OTEL_LOG_LEVEL. Use log_level: trace to see all logs (equivalent of OTEL_LOG_LEVEL=ALL). Use log_level: fatal to effectively disable the SDK's internal diagnostic logger (equivalent of OTEL_LOG_LEVEL=NONE).
    • If log_level is not specified, a diagnostic console logger at "info" level will be setup.
    • An invalid YAML config file will now result in a noop OTel SDK.

🐛 Bug Fixes

  • fix(configuration): do not validate OTEL_CONFIG_FILE value before using it for file config #6643 @​trentm
  • fix(configuration): improve how 'additionalProperties' in JSON schema is translated to TS types #6650 @​trentm
  • fix(configuration): remove stripMinItems and preprocessNullArrays from validation/parsing #6657 @​trentm
  • fix(configuration): improve handling of enums in generated types #6659 @​trentm
  • fix(configuration): improve the technique for removing '| null' on types the JSON Schema #6662 @​trentm
  • fix(sampler-jaeger-remote): add missing axios dep #6656 @​trentm
  • fix(exporter-prometheus): handle malformed URLs in Prometheus exporter request handler #6674 @​homanp

experimental/v0.216.0

0.216.0

🚀 Features

🐛 Bug Fixes

  • fix(instrumentation-xml-http-request): avoid unwrapping XMLHttpRequest API when disabling #6611 @​david-luna
  • fix(instrumentation-fetch): tolerate non-writable globalThis.fetch and fix premature _isEnabled / _isFetchPatched flips in enable() @​brunorodmoreira

... (truncated)

Commits
  • 06ad0ea chore: prepare next release (#6703)
  • 38ca257 feat(otlp-transformer): replace protobufjs metrics serialization with custom ...
  • 013c600 chore: prepare next release (#6699)
  • b7a0c63 feat(semantic-conventions): update semantic conventions to v1.41.1 (#6695)
  • 774143b chore(renovate): add minimumReleaseAge to config (#6697)
  • e0dafe0 fix(otlp-exporter-base): remove brackets from IPv6 hostname in HTTP transport...
  • f804c93 chore(deps): update github/codeql-action digest to 68bde55 (#6682)
  • 95e48e7 refactor(sdk-logs): alias LoggerProviderConfig to LoggerProviderOptions (...
  • 907b627 feat(sdk-node): allow startNodeSDK() without an arg (#6688)
  • 0d15261 docs: Add SIG meeting info and welcoming language (#6689)
  • Additional commits viewable in compare view

Updates axios from 1.13.5 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

  • Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
  • Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
  • CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

  • Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
  • Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
  • XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
  • Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
  • Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
  • URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

  • Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
  • composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
  • AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
  • Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
  • Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
  • Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
  • transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
  • Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

... (truncated)

Commits
  • 1337d6b chore(release): prepare release 1.16.1 (#10877)
  • 858a790 fix: remove all caches (#10882)
  • 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
  • 847d89b fix: support URL object as config.url input (#10866)
  • 4094886 fix(progress): guard malformed XHR upload events (#10868)
  • 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
  • 64e1095 chore: update PR and issue template to use h2 (#10865)
  • 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
  • c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
  • caa00a9 fix: https data in cleartext to proxy (#10858)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates basic-ftp from 5.2.0 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

5.2.1

Changelog

Sourced from basic-ftp's changelog.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.

5.2.2

5.2.1

Commits
Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates brace-expansion from 5.0.4 to 5.0.6

Commits

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

…pdates

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [hono](https://github.com/honojs/hono) | `4.12.7` | `4.12.18` |
| [openclaw](https://github.com/openclaw/openclaw) | `2026.3.11` | `2026.5.12` |
| [axios](https://github.com/axios/axios) | `1.13.5` | `1.16.1` |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.2.0` | `5.3.1` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` |
| [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) | `2.17.1` | `2.17.4` |



Updates `hono` from 4.12.7 to 4.12.18
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.7...v4.12.18)

Updates `openclaw` from 2026.3.11 to 2026.5.12
- [Release notes](https://github.com/openclaw/openclaw/releases)
- [Commits](openclaw/openclaw@v2026.3.11...v2026.5.12)

Updates `@opentelemetry/exporter-prometheus` from 0.213.0 to 0.218.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.213.0...experimental/v0.218.0)

Updates `axios` from 1.13.5 to 1.16.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.16.1)

Updates `basic-ftp` from 5.2.0 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.0...v5.3.1)

Updates `brace-expansion` from 5.0.4 to 5.0.6
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v5.0.4...v5.0.6)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `protobufjs` from 6.8.8 to 7.5.4
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@6.8.8...protobufjs-v7.5.4)

Updates `sanitize-html` from 2.17.1 to 2.17.4
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/HEAD/packages/sanitize-html)

Updates `simple-git` from 3.32.3 to 3.36.0
- [Release notes](https://github.com/steveukx/git-js/releases)
- [Changelog](https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md)
- [Commits](https://github.com/steveukx/git-js/commits/simple-git@3.36.0/simple-git)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.18
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: openclaw
  dependency-version: 2026.5.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@opentelemetry/exporter-prometheus"
  dependency-version: 0.218.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.5.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: sanitize-html
  dependency-version: 2.17.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: simple-git
  dependency-version: 3.36.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 18, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 19, 2026

Copy link
Copy Markdown
Author

Superseded by #6.

@dependabot dependabot Bot closed this May 19, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-51e45f58be branch May 19, 2026 19:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants