Bump the npm_and_yarn group across 1 directory with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
js-yaml	4.1.1	4.2.0
@babel/core	7.29.0	7.29.7
@grpc/grpc-js	1.14.3	1.14.4
protobufjs	8.4.0	8.6.3
protobufjs	7.6.0	7.6.4
form-data	4.0.5	4.0.6
form-data	2.5.5	2.5.6

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.
• Fix trailing whitespace handling when folding flow scalar lines, #307.
• Reject top-level block scalars without content indentation, #280.
• Ensure numbers survive round-trip, #737.
• Fix test coverage for issue #221.
• Fix flow scalar trailing whitespace folding, #307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

Commits

• See full diff in compare view

Updates @babel/core from 7.29.0 to 7.29.7

Release notes

Sourced from @​babel/core's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

• babel-generator
  • #18014 Catchup source map position in preserveFormat (@​nicolo-ribaudo)
• babel-core
  • #18001 [7.x packport]Improve input source map handling (@​JLHwung)
• babel-core, babel-generator
  • #17998 Preserve original identifier names from input sourcemaps (#17992) (@​Andarist)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Mateusz Burzyński (@​Andarist)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

• babel-preset-env
  • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• 4fba754 v7.29.7
• 04ea6b2 v7.29.6
• 99f498a [7.x packport]Improve input source map handling (#18001)
• feba0a3 Preserve original identifier names from input sourcemaps (#17992) (#17998)
• See full diff in compare view

Updates @grpc/grpc-js from 1.14.3 to 1.14.4

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.14.4

• Fix a bug that could cause servers to crash when handling malformed requests (advisory GHSA-5375-pq7m-f5r2)
• Fix a bug that could cause clients and servers to crash when handling malformed compressed messages (advisory GHSA-99f4-grh7-6pcq)

Commits

• a380735 Merge pull request #3052 from murgatroid99/grpc-js_1.14.4
• 5b8d37b Merge commit from fork
• 6a97456 Merge commit from fork
• e5e0b1d grpc-js: Bump version to 1.14.4
• 5029a26 Make compression error a static string
• 2fe55fd Fix crashes when receiving malformed compressed data
• 234f917 Fix server crash when handling invalid requests
• acef8d4 Merge pull request #3043 from murgatroid99/rbac_types_change_fix_1.14
• 4f3c58f grpc-js-xds: Update RBAC code to handle Node type change, pin @​types/node
• See full diff in compare view

Updates protobufjs from 8.4.0 to 8.6.3

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.6.3

8.6.3 (2026-06-10)

Bug Fixes

• Consistently reject truncated 64-bit varints (#2322) (ec868f3)
• Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
• Preserve explicit URLs in path resolution (#2320) (c97cdbe)
• Remove renamed reflection objects by identity (#2324) (9c9f8ee)
• Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
• Support utf8_validation during decode (#2325) (4dff8e4)

protobufjs: v8.6.2

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

protobufjs: v8.6.1

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

protobufjs: v8.6.0

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

protobufjs: v8.5.0

8.5.0 (2026-05-29)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

8.6.3 (2026-06-10)

Bug Fixes

• Consistently reject truncated 64-bit varints (#2322) (ec868f3)
• Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
• Preserve explicit URLs in path resolution (#2320) (c97cdbe)
• Remove renamed reflection objects by identity (#2324) (9c9f8ee)
• Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
• Support utf8_validation during decode (#2325) (4dff8e4)

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)

... (truncated)

Commits

• 8076a5e chore: release master (#2318)
• 4dff8e4 fix: Support utf8_validation during decode (#2325)
• 9c9f8ee fix: Remove renamed reflection objects by identity (#2324)
• de18bbe docs: Document custom constructor registration order (#2323)
• c98a4e5 fix: Include interfaces in API docs and fix FieldMask doc comment (#2319)
• c97cdbe fix: Preserve explicit URLs in path resolution (#2320)
• ec868f3 fix: Consistently reject truncated 64-bit varints (#2322)
• 3359e64 fix: Support Node ESM named imports from CommonJS entrypoints (#2315)
• 41d3517 chore: release master (#2316)
• bf12d56 fix: Discard unknown fields by default (#2310)
• Additional commits viewable in compare view

Updates protobufjs from 7.6.0 to 7.6.4

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.6.3

8.6.3 (2026-06-10)

Bug Fixes

• Consistently reject truncated 64-bit varints (#2322) (ec868f3)
• Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
• Preserve explicit URLs in path resolution (#2320) (c97cdbe)
• Remove renamed reflection objects by identity (#2324) (9c9f8ee)
• Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
• Support utf8_validation during decode (#2325) (4dff8e4)

protobufjs: v8.6.2

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

protobufjs: v8.6.1

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

protobufjs: v8.6.0

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

protobufjs: v8.5.0

8.5.0 (2026-05-29)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

8.6.3 (2026-06-10)

Bug Fixes

• Consistently reject truncated 64-bit varints (#2322) (ec868f3)
• Include interfaces in API docs and fix FieldMask doc comment (#2319) (c98a4e5)
• Preserve explicit URLs in path resolution (#2320) (c97cdbe)
• Remove renamed reflection objects by identity (#2324) (9c9f8ee)
• Support Node ESM named imports from CommonJS entrypoints (#2315) (3359e64)
• Support utf8_validation during decode (#2325) (4dff8e4)

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)

... (truncated)

Commits

• 8076a5e chore: release master (#2318)
• 4dff8e4 fix: Support utf8_validation during decode (#2325)
• 9c9f8ee fix: Remove renamed reflection objects by identity (#2324)
• de18bbe docs: Document custom constructor registration order (#2323)
• c98a4e5 fix: Include interfaces in API docs and fix FieldMask doc comment (#2319)
• c97cdbe fix: Preserve explicit URLs in path resolution (#2320)
• ec868f3 fix: Consistently reject truncated 64-bit varints (#2322)
• 3359e64 fix: Support Node ESM named imports from CommonJS entrypoints (#2315)
• 41d3517 chore: release master (#2316)
• bf12d56 fix: Discard unknown fields by default (#2310)
• Additional commits viewable in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames 8dff42c
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
• [Deps] update hasown, mime-types 92ae0eb
• [Dev Deps] update js-randomness-predictor 67b0f65

Commits

• 64190db v4.0.6
• 92ae0eb [Deps] update hasown, mime-types
• f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
• 8dff42c [Fix] escape CR, LF, and " in field names and filenames
• 67b0f65 [Dev Deps] update js-randomness-predictor
• See full diff in compare view

Updates form-data from 2.5.5 to 2.5.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames 8dff42c
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
• [Deps] update hasown, mime-types 92ae0eb
• [Dev Deps] update js-randomness-predictor 67b0f65

Commits

• 64190db v4.0.6
• 92ae0eb [Deps] update hasown, mime-types
• f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
• 8dff42c [Fix] escape CR, LF, and " in field names and filenames
• 67b0f65 [Dev Deps] update js-randomness-predictor
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

This dependency update will be handled internally by our engineering team.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml