Bump the npm_and_yarn group across 5 directories with 30 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
@octokit/plugin-paginate-rest	6.0.0	11.4.2
@octokit/rest	19.0.7	21.1.1
elliptic	6.5.4	6.6.1
webpack	5.88.2	5.98.0
ws	8.13.0	8.18.0

Bumps the npm_and_yarn group with 15 updates in the /docroot/design-system directory:

Package	From	To
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
nanoid	3.3.6	3.3.8
elliptic	6.5.4	6.6.1
micromatch	4.0.5	4.0.8
serialize-javascript	6.0.1	6.0.2
webpack	5.83.1	5.98.0
ws	8.14.2	8.18.0
ws	6.2.2	8.18.0
ws	7.5.9	8.18.0
body-parser	1.20.1	1.20.3
express	4.18.2	4.21.2
ejs	3.1.9	3.1.10
ip	2.0.0	removed
storybook	7.4.6	7.6.20
markdown-to-jsx	7.3.2	7.7.4
store2	2.14.2	2.14.4

Bumps the npm_and_yarn group with 7 updates in the /docroot/modules/custom/va_gov_graphql/assets/explorer directory:

Package	From	To
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
micromatch	4.0.4	4.0.8
serialize-javascript	6.0.1	6.0.2
webpack	5.88.2	5.98.0
dset	3.1.2	3.1.4
@graphql-tools/url-loader	7.16.19	7.17.18

Bumps the npm_and_yarn group with 15 updates in the /docroot/themes/custom/vagovclaro directory:

Package	From	To
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
nanoid	3.3.6	3.3.8
elliptic	6.5.4	6.6.1
micromatch	4.0.5	4.0.8
serialize-javascript	6.0.1	6.0.2
webpack	5.76.2	5.98.0
ws	8.11.0	8.17.1
socket.io-client	4.6.1	4.8.1
socket.io	4.6.1	4.8.1
ip	2.0.0	removed
socks	2.7.1	2.8.4
send	0.16.2	0.19.1
browser-sync	2.29.0	3.0.3
axios	1.6.1	1.7.4

Bumps the npm_and_yarn group with 5 updates in the /scripts/cd_metrics directory:

Package	From	To
@octokit/plugin-paginate-rest	6.1.2	11.4.2
@octokit/rest	19.0.11	21.1.1
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
micromatch	4.0.5	4.0.8

Updates @octokit/plugin-paginate-rest from 6.0.0 to 11.4.2

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v11.4.2

11.4.2 (2025-02-13)

Bug Fixes

• types: add back the pagination keys (#653) (8b8c500), closes #652

v11.4.1

11.4.1 (2025-02-13)

Bug Fixes

• mitigate ReDos issues & linting issues (#659) (7d1fade), fixes #657

v11.4.0

11.4.0 (2025-01-08)

Features

• new action runner groups endpoints, new code scanning alerts autofix endpoints, new sub-issues endpoints, new private registries enpoints, new code security endpoints, various description updates (#646) (a73883f)

v11.3.6

11.3.6 (2024-11-26)

Bug Fixes

• types: bump @octokit/types to improve Deno compatibility (#642) (acb6a6e)

v11.3.5

11.3.5 (2024-09-29)

Bug Fixes

• types: improve type extraction for namespaced responses and correct async iterator types (#637) (e95444d)

v11.3.4

11.3.4 (2024-09-27)

Bug Fixes

• deps: bump @octokit/types (#636) (b2dc51c)

... (truncated)

Commits

• 8b8c500 fix(types): add back the pagination keys (#653)
• 41876f4 chore(deps): update dependency prettier to v3.5.1 (#658)
• 7d1fade fix: mitigate ReDos issues & linting issues (#659)
• bb6c4f9 Merge commit from fork
• d9c1e8f chore(deps): update dependency esbuild to ^0.25.0 (#656)
• 7ed5627 build(deps-dev): bump vitest and @​vitest/coverage-v8 (#655)
• 4a41307 build: remove @​types/fetch-mock (#654)
• 31f8fe9 build(deps): bump vite from 5.4.6 to 6.0.11 (#651)
• bc38852 chore(deps): update vitest monorepo to v3 (major) (#650)
• a73883f feat: new action runner groups endpoints, new code scanning alerts autofix en...
• Additional commits viewable in compare view

Updates @octokit/rest from 19.0.7 to 21.1.1

Release notes

Sourced from @​octokit/rest's releases.

v21.1.1

21.1.1 (2025-02-14)

Bug Fixes

• deps: update Octokit dependencies to mitigate ReDos [security] (#484) (ca256c3)

v21.1.0

21.1.0 (2025-01-08)

Features

• new endpoints, bump Octokit deps to fix Deno (#477) (908b1c8)

v21.0.2

21.0.2 (2024-08-16)

Bug Fixes

• docs: update to react 18 and latest gatsby deps (#462) (9a80f06), closes #216 #230 #460

v21.0.1

21.0.1 (2024-07-17)

Bug Fixes

• update deps (#456) (93d5afb)

v21.0.0

21.0.0 (2024-06-20)

Features

• v21 (#413) (12b6c65)

BREAKING CHANGES

• package is now ESM

v21.0.0-beta.4

21.0.0-beta.4 (2024-06-19)

Bug Fixes

... (truncated)

Commits

• ca256c3 fix(deps): update Octokit dependencies to mitigate ReDos [security] (#484)
• e791111 chore(deps): update dependency esbuild to ^0.25.0 (#483)
• facaa50 build(deps-dev): Bump vitest and @​vitest/coverage-v8 (#481)
• 8a0c472 chore(deps): update dependency undici to v6.21.1 [security] (#480)
• 4abc914 chore(deps): update vitest monorepo to v3 (major) (#478)
• 908b1c8 feat: new endpoints, bump Octokit deps to fix Deno (#477)
• 751b522 chore(deps): update dependency fetch-mock to v12 (#470)
• 5ad12fd chore(deps): update dependency @​types/node to v22 (#472)
• c88980a ci(action): update actions/checkout digest to 11bd719 (#469)
• 94443df ci(action): update actions/checkout digest to eef6144 (#467)
• Additional commits viewable in compare view

Updates @octokit/request from 6.2.3 to 9.2.2

Release notes

Sourced from @​octokit/request's releases.

v9.2.2

9.2.2 (2025-02-14)

Bug Fixes

• deps: update dependency @​octokit/request-error to v6.1.7 [security] (#740) (4b2f485)

v9.2.1

9.2.1 (2025-02-13)

Bug Fixes

• mitigate ReDos vulnerabilities & lint (#738) (6bb29ba)

v9.2.0

9.2.0 (2025-01-16)

Features

• correctly parse response bodies as JSON where the Content-Type is application/scim+json (#731) (00bf316)

v9.1.4

9.1.4 (2024-12-29)

Bug Fixes

• deps: bump @octokit/types to fix deno compat (#730) (324ffef)

v9.1.3

9.1.3 (2024-07-14)

Bug Fixes

• improve toErrorMessage (#714) (fcc5b25)

v9.1.2

9.1.2 (2024-07-13)

Bug Fixes

• refactor: async await instead of Promise chain (#711) (611b275)

v9.1.1

9.1.1 (2024-04-15)

... (truncated)

Commits

• 4b2f485 fix(deps): update dependency @​octokit/request-error to v6.1.7 [security] (#740)
• 0320a42 chore(deps): update dependency prettier to v3.5.1 (#737)
• 6bb29ba fix: mitigate ReDos vulnerabilities & lint (#738)
• 34ff07e Merge commit from fork
• a0e96b3 chore(deps): update dependency esbuild to ^0.25.0 (#736)
• d27daa7 build(deps-dev): bump vitest and @​vitest/coverage-v8 (#735)
• bc07c8a build(deps): bump vite from 5.4.6 to 6.0.11 (#734)
• 4266a84 build(deps-dev): bump undici from 6.19.2 to 6.21.1 (#733)
• c2d27a2 chore(deps): update vitest monorepo to v3 (major) (#732)
• 00bf316 feat: correctly parse response bodies as JSON where the Content-Type is `appl...
• Additional commits viewable in compare view

Updates @octokit/request-error from 3.0.3 to 6.1.7

Release notes

Sourced from @​octokit/request-error's releases.

v6.1.7

6.1.7 (2025-02-13)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (d558320874a4bc8d356babf1079e6f0056a59b9e)

v6.1.6

6.1.6 (2024-12-29)

Bug Fixes

• deps: bump @octokit/types to fix Deno compat (#483) (e01d470)

v6.1.5

6.1.5 (2024-09-24)

Bug Fixes

• types: add explicit | undefined to optional fields (#462) (43fc3bd)

v6.1.4

6.1.4 (2024-07-11)

Bug Fixes

• improve perf of request error instantiations (#444) (ba04ffa)

v6.1.3

6.1.3 (2024-07-11)

Bug Fixes

• docs: correct title in README (#443) (e24d923)

v6.1.2

6.1.2 (2024-07-10)

Bug Fixes

• ensure statusCode is always an integer (#439) (6eb8634)

v6.1.1

6.1.1 (2024-04-16)

... (truncated)

Commits

• c346f5c fix: linting issues (#494)
• d558320 Merge commit from fork
• 5046116 chore(deps): update dependency esbuild to ^0.25.0 (#491)
• 50513ba build(deps): lock file maintenance (#490)
• bd5e83f build(deps): lock file maintenance (#488)
• d204ea3 build(deps): lock file maintenance (#486)
• ab1585a chore(deps): update vitest monorepo to v3 (major) (#487)
• 03a7e12 build(deps): lock file maintenance (#485)
• cb4feec build(deps): lock file maintenance (#484)
• e01d470 fix(deps): bump @octokit/types to fix Deno compat (#483)
• Additional commits viewable in compare view

Updates elliptic from 6.5.4 to 6.6.1

Commits

• 9b77436 6.6.1
• 04cb6f5 Merge commit from fork
• b8a7edd 6.6.0
• 34c8534 fix: signature verification due to leading zeros
• 3e46a48 6.5.7
• accb61e lib: DER signature decoding correction
• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• Additional commits viewable in compare view

Updates webpack from 5.88.2 to 5.98.0

Release notes

Sourced from webpack's releases.

v5.98.0

Fixes

• Avoid the deprecation message #19062 by @​alexander-akait
• Should not escape CSS local ident in JS #19060 by @​JSerFeng
• MF parse range not compatible with Safari #19083 by @​alexander-akait
• Preserve filenameTemplate in new split chunk #19104 by @​henryqdineen
• Use module IDs for final render order #19184 by @​dmichon-msft
• Strip blob: protocol when public path is auto #19199 by @​alexander-akait
• Respect output.charset everywhere #19202 by @​alexander-akait
• Node async WASM loader generation #19210 by @​ashi009
• Correct BuildInfo and BuildMeta type definitions #19200 by @​inottn

Performance Improvements

• Improve FlagDependencyExportsPlugin for large JSON by depth #19058 by @​hai-x
• Optimize assign-depths #19193 by @​dmichon-msft
• Use startsWith for matching instead of converting the string to a regex #19207 by @​inottn

Chores

• Bump nanoid from 3.3.7 to 3.3.8 #19063 by @​dependabot
• Fixed incorrect typecast in DefaultStatsFactoryPlugin #19156 by @​Andarist
• Improved readme.md by adding video links for understanding webpack #19101 by @​Vansh5632
• Typo fix #19205 by @​hai-x
• Adopt the new webpack governance model #18804 by @​ovflowd

Features

• Implement /* webpackIgnore: true */ for require.resolve #19201 by @​alexander-akait

Continuous Integration

• CI fix #19196 by @​alexander-akait

New Contributors

• @​Andarist made their first contribution in webpack/webpack#19156
• @​Vansh5632 made their first contribution in webpack/webpack#19101
• @​ashi009 made their first contribution in webpack/webpack#19210
• @​ovflowd made their first contribution in webpack/webpack#18804

Full Changelog: webpack/webpack@v5.97.1...v5.98.0

v5.97.1

Bug Fixes

• Performance regression
• Sub define key should't be renamed when it's a defined variable

v5.97.0

Bug Fixes

• Don't crash with filesystem cache and unknown scheme
• Generate a valid code when output.iife is true and output.library.type is umd
• Fixed conflict variable name with concatenate modules and runtime code
• Merge duplicate chunks before

... (truncated)

Commits

• f1bdec5 5.98.0
• 9579f22 chore: adopt the new webpack governance model (#18804)
• a1edb20 fix: node async wasm loader now use output.module to determinate code gener...
• e55b08b perf: use startsWith for matching instead of converting the string to a regex
• 6e14dba chore: fix typo (#19205)
• f123ce5 fix: respect output.charset everywhere (#19202)
• af20c7b fix: strip blob: protocol when public path is auto (#19199)
• 80826c5 feat: implement /* webpackIgnore: true */ for require.resolve (#19201)
• ac6ffca fix(types): correct BuildInfo and BuildMeta type definitions (#19200)
• 8ac130a ci: fix
• Additional commits viewable in compare view

Updates ws from 8.13.0 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits

• 976c53c [dist] 8.18.0
• 59b9629 [feature] Add support for Blob (#2229)
• 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
• 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates nanoid from 3.3.6 to 3.3.8

Changelog

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

3.3.7

• Fixed node16 TypeScript support (by Saadi Myftija).

Commits

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• 89d82d2 Release 3.3.7 version
• 5022c35 Update dual-publish
• 3e7a8e5 Remove benchmark from CI for v3
• d356144 Fix CI for v3
• 37b25df Move to pnpm 8
• See full diff in compare view

Updates elliptic from 6.5.4 to 6.6.1

Commits

• 9b77436 6.6.1
• 04cb6f5 Merge commit from fork
• b8a7edd 6.6.0
• 34c8534 fix: signature verification due to leading zeros
• 3e46a48 6.5.7
• accb61e lib: DER signature decoding correction
• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates serialize-javascript from 6.0.1 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

• fix: serialize URL string contents to prevent XSS (#173) f27d65d
• Bump @​babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0
• docs: update readme with URL support (#146) 0d88527
• chore: update node version and lock file e2a3a91
• fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

Commits

• b71ec23 6.0.2
• f27d65d fix: serialize URL string contents to prevent XSS (#173)
• 02499c0 Bump @​babel/traverse from 7.10.1 to 7.23.7 (#171)
• 0d88527 docs: update readme with URL support (#146)
• e2a3a91 chore: update node version and lock file
• 5a1fa64 fix typo (#164)
• See full diff in compare view

Updates webpack from 5.83.1 to 5.98.0

Release notes

Sourced from webpack's releases.

v5.98.0

Fixes

• Avoid the deprecation message #19062 by @​alexander-akait
• Should not escape CSS local ident in JS #19060 by @​JSerFeng
• MF parse range not compatible with Safari #19083 by @​alexander-akait
• Preserve filenameTemplate in new split chunk #19104 by @​henryqdineen
• Use module IDs for final render order #19184 by @​dmichon-msft
• Strip blob: protocol when public path is auto #19199 by @​alexander-akait
• Respect output.charset everywhere #19202 by @​alexander-akait
• Node async WASM loader generation #19210 by @​ashi009
• Correct BuildInfo and BuildMeta type definitions #19200 by @​inottn

Performance Improvements

• Improve FlagDependencyExportsPlugin for large JSON by depth #19058 by @​hai-x
• Optimize assign-depths #19193 by @​dmichon-msft
• Use startsWith for matching instead of converting the string to a regex #19207 by @​inottn

Chores

• Bump nanoid from 3.3.7 to 3.3.8 #19063 by @​dependabot
• Fixed incorrect typecast in DefaultStatsFactoryPlugin #19156 by @​Andarist
• Improved readme.md by adding video links for understanding webpack #19101 by @​Vansh5632
• Typo fix #19205 by @​hai-x
• Adopt the new webpack governance model #18804 by @​ovflowd

Features

• Implement /* webpackIgnore: true */ for require.resolve #19201 by @​alexander-akait

Continuous Integration

• CI fix #19196 by @​alexander-akait

New Contributors

• @​Andarist made their first contribution in webpack/webpack#19156
• @​Vansh5632 made their first contribution in webpack/webpack#19101
• @​ashi009 made their first contribution in webpack/webpack#19210
• @​ovflowd made their first contribution in webpack/webpack#18804

Full Changelog: webpack/webpack@v5.97.1...v5.98.0

v5.97.1

Bug Fixes

• Performance regression
• Sub define key should't be renamed when it's a defined variable

v5.97.0

Bug Fixes

• Don't crash with filesystem cache and unknown scheme
• Generate a valid code when output.iife is true and output.library.type is umd
• Fixed conflict variable name with concatenate modules and runtime code
• Merge duplicate chunks before

... (truncated)

Commits

• f1bdec5 5.98.0
• 9579f22 chore: adopt the new webpack governance model (#18804)
• a1edb20 fix: node async wasm loader now use output.module to determinate code gener...
• e55b08b perf: use startsWith for matching instead of converting the string to a regex
• 6e14dba chore: fix typo (#19205)
• f123ce5 fix: respect output.charset everywhere (#19202)
• af20c7b fix: strip blob: protocol when public path is auto (#19199)
• 80826c5 feat: implement /* webpackIgnore: true */ for require.resolve (#19201)
• ac6ffca fix(types): correct BuildInfo and BuildMeta type definitions (#19200)
• 8ac130a ci: fix
• Additional commits viewable in compare view

Updates ws from 8.14.2 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const...
Description has been truncated

[github-actions]

Checking composer.lock changes...

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml