Skip to content

chore: bump the dependencies-major group across 1 directory with 3 updates#127

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-major-0049269548
Open

chore: bump the dependencies-major group across 1 directory with 3 updates#127
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-major-0049269548

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the dependencies-major group with 3 updates in the / directory: node-html-parser, undici and yargs.

Updates node-html-parser from 7.1.0 to 8.0.2

Changelog

Sourced from node-html-parser's changelog.

8.0.2 (2026-06-21)

Bug Fixes

  • preserve backslashes in attribute values during serialization and round-trip parsing #306 (a9882b2)
  • update casing of HTML tag names in usage example #289 (801d278)

8.0.1 (2026-06-20)

Bug Fixes

  • refactor: update import statements to use type keyword for Options and decodeHTML function #308 (000ec5d)

8.0.0 (2026-06-20)

⚠ BREAKING CHANGES

  • replace dependences he to entities

Features

  • replace dependences he to entities (97fe577)

7.1.1 (2026-06-20)

Commits
  • 3b6df23 chore(release): 8.0.2
  • 801d278 fix: update casing of HTML tag names in usage example #289
  • 71e2453 test: add test for preserving CDATA with angle brackets in namespaced structu...
  • 512287e Add tests for parsing valid HTML with missing closing tags
  • a9882b2 fix: preserve backslashes in attribute values during serialization and round-...
  • 44abb1e chore(release): 8.0.1
  • 000ec5d fix: refactor: update import statements to use type keyword for Options and d...
  • fec99c9 chore(release): 8.0.0
  • 97fe577 feat!: replace dependences he to entities
  • 50e98f2 chore(release): 7.1.1
  • Additional commits viewable in compare view

Updates undici from 7.25.0 to 8.5.0

Release notes

Sourced from undici's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 8.5.0 32dbf0b3
GHSA-38rv-x7px-6hhq CVE-2026-9675 High (7.5) 8.5.0 b4c287b3
GHSA-vmh5-mc38-953g CVE-2026-9697 High (7.4) 8.5.0 42d49559
GHSA-hm92-r4w5-c3mj CVE-2026-6734 High (7.5) 8.2.0 a516f870
GHSA-pr7r-676h-xcf6 CVE-2026-9678 Moderate (5.9) 8.5.0 cb105d7c
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 8.5.0 5655ea43
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 8.5.0 5655ea43
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 8.5.0 6ea54ef8

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770 Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits
  • a0806e1 Bumped v8.5.0 (#5429)
  • 8a0392c test: detect available python command in wpt runner (#5427)
  • f4045b9 ci: increase Node.js workflow timeout (#5426)
  • 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
  • c5ed787 websocket: handle empty fragments and stream limits
  • e114e77 align EventSource with spec (#5418)
  • 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
  • 32dbf0b websocket: limit the number of fragments in a message
  • 0d6ecc5 add bodymixin.textStream() (#5416)
  • 42d4955 fix: honor requestTls when proxy is SOCKS5
  • Additional commits viewable in compare view

Updates yargs from 17.7.2 to 18.0.0

Changelog

Sourced from yargs's changelog.

18.0.0 (2025-05-26)

⚠ BREAKING CHANGES

  • command names are not derived from modules passed to command.
  • singleton usage of yargs yargs.foo, yargs().argv, has been removed.
  • minimum node.js versions now ^20.19.0 || ^22.12.0 || >=23.
  • yargs is now ESM first

Features

Bug Fixes

  • addDirectory do not support absolute command dir (#2465) (3a40a78)
  • allows ESM modules commands to be extensible using visit option (#2468) (200e1aa)
  • browser: fix shims so that yargs continues working in browser context (#2457) (4ae5f57)
  • build: address problems with typescript compilation (#2445) (8d72fb3)
  • coerce should play well with parser configuration (#2308) (8343c66)
  • deps: update dependency yargs-parser to v22 (#2470) (639130d)
  • exit after async handler done (#2313) (e326cde)
  • handle spaces in bash completion (#2452) (83b7788)
  • parser-configuration should work well with generated completion script (#2332) (888db19)
  • propagate Dictionary including undefined in value type (#2393) (2b2f7f5)
  • zsh: completion no longer requires double tab when using autoloaded (0dd8fe4)

Code Refactoring

  • command names are not derived from modules passed to command. (d90af45)
  • singleton usage of yargs yargs.foo, yargs().argv, has been removed. (d90af45)

Build System

  • minimum node.js versions now ^20.19.0 || ^22.12.0 || >=23. (d90af45)
Commits
  • 0bc7255 chore(main): release 18.0.0 (#2325)
  • 639130d fix(deps): update dependency yargs-parser to v22 (#2470)
  • 200e1aa fix: allows ESM modules commands to be extensible using visit option (#2468)
  • 888db19 fix: parser-configuration should work well with generated completion script (...
  • 3a40a78 fix: addDirectory do not support absolute command dir (#2465)
  • 90e9eca docs: remove to old slack channel (#2466)
  • 0dd8fe4 fix(zsh): completion no longer requires double tab when using autoloaded
  • 27eec18 feat: commandDir now works with ESM files (#2461)
  • f9c72a7 docs: update examples to run from examples folder (#2463)
  • e02c91b feat(zsh): Add default completion as fallback (#2331)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…dates

Bumps the dependencies-major group with 3 updates in the / directory: [node-html-parser](https://github.com/taoqf/node-fast-html-parser), [undici](https://github.com/nodejs/undici) and [yargs](https://github.com/yargs/yargs).


Updates `node-html-parser` from 7.1.0 to 8.0.2
- [Release notes](https://github.com/taoqf/node-fast-html-parser/releases)
- [Changelog](https://github.com/taoqf/node-html-parser/blob/main/CHANGELOG.md)
- [Commits](taoqf/node-html-parser@v7.1.0...v8.0.2)

Updates `undici` from 7.25.0 to 8.5.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.25.0...v8.5.0)

Updates `yargs` from 17.7.2 to 18.0.0
- [Release notes](https://github.com/yargs/yargs/releases)
- [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs@v17.7.2...v18.0.0)

---
updated-dependencies:
- dependency-name: node-html-parser
  dependency-version: 8.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies-major
- dependency-name: undici
  dependency-version: 8.5.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies-major
- dependency-name: yargs
  dependency-version: 18.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 22, 2026
@socket-security

socket-security Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednode-html-parser@​7.1.0 ⏵ 8.0.210010010090 -2100
Updatedyargs@​17.7.2 ⏵ 18.0.099 +1100100 +193100
Updatedundici@​7.25.0 ⏵ 8.5.097100 +31100 +197100

View full report

@socket-security

socket-security Bot commented Jun 22, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: npm-shrinkwrap.jsonnpm/@commitlint/cli@19.8.1npm/c8@9.1.0npm/yargs@17.7.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants