deps(backend): bump the backend-patches group across 1 directory with 3 updates

[dependabot]

Bumps the backend-patches group with 3 updates in the /backend directory: otplib, sanitize-html and vitest.

Updates otplib from 13.4.0 to 13.4.1

Release notes

Sourced from otplib's releases.

v13.4.1

What's Changed

• fix: override flatted package security alert by @​yeojz in yeojz/otplib#820
• fix: override picomatch and yaml package security alerts by @​yeojz in yeojz/otplib#822
• refactor(testing): replace custom Deno adapter with @​std/expect by @​yeojz in yeojz/otplib#821
• fix: override brace-expansion package security alert by @​yeojz in yeojz/otplib#824
• chore: update github actions pinned images by @​yeojz in yeojz/otplib#823
• Add @​otplib/plugin-base32-alt to dependencies by @​yeojz in yeojz/otplib#825
• chore: harden supply chain with cooldown and version pinning by @​yeojz in yeojz/otplib#826
• refactor(testing): centralize test secrets into shared module by @​yeojz in yeojz/otplib#831
• chore(deps): bump the github-actions group with 5 updates by @​dependabot[bot] in yeojz/otplib#827
• refactor(testing): rename test secret constants for semantic clarity by @​yeojz in yeojz/otplib#832
• chore(deps-dev): bump the dev-dependencies-minor group with 4 updates by @​dependabot[bot] in yeojz/otplib#828
• refactor: replace size-limit with native bundle size check by @​yeojz in yeojz/otplib#835
• chore(deps-dev): bump vite from 7.3.1 to 8.0.0 by @​dependabot[bot] in yeojz/otplib#830
• refactor/docs/unusedImport by @​ValeriYanev98 in yeojz/otplib#837
• fix(security): address npm audit vulnerabilities by @​yeojz in yeojz/otplib#839
• fix(docker): bump pnpm to 10.30.1 to match packageManager by @​yeojz in yeojz/otplib#847
• docs: note short-secret guardrail override for legacy/test secrets by @​yeojz in yeojz/otplib#848
• docs(getting-started): clarify when each function runs by @​yeojz in yeojz/otplib#846
• chore(deps): bump vite from 5.4.21 to 8.0.10 by @​dependabot[bot] in yeojz/otplib#845
• chore(deps-dev): bump the dev-dependencies-patch group across 1 directory with 6 updates by @​dependabot[bot] in yeojz/otplib#849
• chore(deps-dev): bump the dev-dependencies-minor group across 1 directory with 6 updates by @​dependabot[bot] in yeojz/otplib#841
• docs(otplib): note 16-byte minimum and fix broken secret-handling link by @​yeojz in yeojz/otplib#851
• chore(deps-dev): bump @​codecov/bundle-analyzer from 1.9.1 to 2.0.1 by @​dependabot[bot] in yeojz/otplib#843
• fix(benchmarks): adapt to tinybench v6 TaskResult shape by @​yeojz in yeojz/otplib#852
• chore(deps): bump the github-actions group across 1 directory with 6 updates by @​dependabot[bot] in yeojz/otplib#844
• chore(deps): bump @​noble/hashes and @​scure/base to 2.2.0 by @​yeojz in yeojz/otplib#853
• chore(deps-dev): bump turbo from 2.9.9 to 2.9.14 by @​dependabot[bot] in yeojz/otplib#855
• ci: split security audit into blocking prod and informational full scans by @​yeojz in yeojz/otplib#857
• chore(deps-dev): bump vite from 8.0.10 to 8.0.11 by @​dependabot[bot] in yeojz/otplib#856
• release(packages): v13.4.1 by @​github-actions[bot] in yeojz/otplib#854

New Contributors

• @​ValeriYanev98 made their first contribution in yeojz/otplib#837

Full Changelog: yeojz/otplib@v13.4.0...v13.4.1

Commits

• 1d997b0 release(packages): v13.4.1 (#854)
• 0e9566f docs(otplib): note 16-byte minimum and fix broken secret-handling link (#851)
• e01b4f1 chore(deps-dev): bump the dev-dependencies-patch group across 1 directory wit...
• 212534b chore(deps-dev): bump the dev-dependencies-minor group with 4 updates (#828)
• b54adad refactor(testing): rename test secret constants for semantic clarity (#832)
• 4898252 refactor(testing): centralize test secrets and normalize naming (#831)
• See full diff in compare view

Updates sanitize-html from 2.17.2 to 2.17.5

Changelog

Sourced from sanitize-html's changelog.

2.17.5 (2026-06-10)

Security

• Added a number of new attributes to be protected against unsafe URLs, e.g. javascript: and similar. None of these are used in the default configuration of sanitize-html or apostrophe or likely to be used there, and some attributes, like an action for a form, are inherently unsafe to allow if XSS protection is your goal. Nevertheless it makes sense to block certain URL types where they are not appropriate. Some attributes are not supported at all by modern browsers but are included for completeness. Thanks to crattack for reporting the vulnerability.
• Address a potential vulnerability when nonTextTags is configured in a nonstandard way. While it is never a good idea to remove known non-text tags from the standard list e.g. script, styles, etc., this change ensures that doing so does not result in nested tags being passed through without sanitization when they are not expressly allowed. (ApostropheCMS would never trigger this situation.) Thanks to Dipanshu singh for pointing out the issue and contributing the fix.

2.17.4

Changes

• sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

• Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

2.17.3 (2026-04-15)

Security

• Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.

Commits

• 2427508 release and changelog edits (#5465)
• 5a88e96 Latest security q2 (#5464)
• 958d162 merge main to latest (#5460)
• e9b0ab0 release only (changelogs formatted) (#5408)
• f03fa5b Latest security merge (#5407)
• 96cf174 For release only (#5381)
• 7ca2d16 Merge commit from fork
• 297a422 Bump dependencies (#5376)
• See full diff in compare view

Updates vitest from 4.1.4 to 4.1.9

Release notes

Sourced from vitest's releases.

v4.1.9

🐞 Bug Fixes

• Fix importOriginal with optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in vitest-dev/vitest#10546 (a5180)
• browser:
  • Wait for orchestrator readiness before resolving browser sessions [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10555 (7fb29)
  • Wait for iframe tester readiness before preparing [backport to v4] - by Vladimir and Séamus O'Connor in vitest-dev/vitest#10497 and vitest-dev/vitest#10556 (fbc62)
• mocker:
  • Hoist vi.mock() for vite-plus/test imports [backport to v4] - by Hiroshi Ogawa, LongYinan, Claude Opus 4.8 and Vladimir in vitest-dev/vitest#10548 (2c955)
• pool:
  • Prevent test run hang on worker crash [backport to v4] - by Ari Perkkiö and Jattioui Ismail in vitest-dev/vitest#10543 and vitest-dev/vitest#10564 (934b0)

View changes on GitHub

v4.1.8

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in vitest-dev/vitest#10474 (675b4)

    View changes on GitHub

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

v4.1.6

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in vitest-dev/vitest#10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in vitest-dev/vitest#10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in vitest-dev/vitest#10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in vitest-dev/vitest#10276 (9f7b1)

    View changes on GitHub

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

... (truncated)

Commits

• a7a61e7 chore: release v4.1.9 (#10598)
• 934b0f5 fix(pool): prevent test run hang on worker crash (#10543) [backport to v4] (#...
• 7fb2965 fix(browser): wait for orchestrator readiness before resolving browser sessio...
• a518019 fix: fix importOriginal with optimizer and query import [backport to v4] (#...
• e61f2dd chore: release v4.1.8
• e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• a09d472 chore: release v4.1.7
• a8fd24c chore: release v4.1.6
• 18af98c fix(browser): simplify orchestrator otel carrier (#10285)
• 3188260 feat(browser): provide project reference in ToMatchScreenshotResolvePath (#...
• Additional commits viewable in compare view

[dependabot]

Labels

The following labels could not be found: backend, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.