chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates by dependabot[bot] · Pull Request #2 · clyphy/openclaw

dependabot · 2026-03-14T00:06:31Z

Bumps the npm_and_yarn group with 5 updates in the / directory:

Package	From	To
@discordjs/opus	`0.9.0`	`0.10.0`
file-type	`21.3.0`	`21.3.2`
tar	`7.5.9`	`7.5.11`
undici	`7.22.0`	`7.24.0`
dompurify	`3.3.1`	`3.3.2`

Bumps the npm_and_yarn group with 1 update in the /extensions/zalo directory: undici.

Updates @discordjs/opus from 0.9.0 to 0.10.0

Release notes

Sourced from @discordjs/opus's releases.

v0.10.0

What's Changed

ci: fix build/release CI by @phenylshima in discordjs/opus#148

chore: General repository touch-up by @Jiralite in discordjs/opus#152

fix: dyld missing symbol called on arm arch by @JacobLinCool in discordjs/opus#150

doc(types): Add JSDoc to decode method by @Kirdock in discordjs/opus#137

fix: add cflag to fix build on gcc 14 by @my60gb in discordjs/opus#155

fix: GHSA-43wq-xrcm-3vgr by @vladfrangu in discordjs/opus#157

feat: macos arm prebuilts by @vladfrangu in discordjs/opus#160

v0.10.0 by @amishshah in discordjs/opus#167

New Contributors

@Jiralite made their first contribution in discordjs/opus#152

@JacobLinCool made their first contribution in discordjs/opus#150

@Kirdock made their first contribution in discordjs/opus#137

@my60gb made their first contribution in discordjs/opus#155

@amishshah made their first contribution in discordjs/opus#167

Full Changelog: discordjs/opus@v0.9.0...v0.10.0

Commits

8c72757 chore: release new version (#167)
31da49d feat: macos arm prebuilts (#160)
8f52fa0 fix: GHSA-43wq-xrcm-3vgr (#157)
b541c5b fix: add cflag to fix build on gcc 14 (#155)
ca04583 doc(types): Add JSDoc to decode method (#137)
a84da82 fix: dyld missing symbol called on arm arch (#150)
bb37897 chore: General repository touch-up (#152)
c12c103 ci: fix build/release CI (#148)
See full diff in compare view

Maintainer changes

This version was pushed to npm by hydrabolt, a new releaser for @discordjs/opus since your current version.

Updates file-type from 21.3.0 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7

Fix bound recursive BOM and ID3 detection 370ed91

sindresorhus/file-type@v21.3.1...v21.3.2

v21.3.1

Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

sindresorhus/file-type@v21.3.0...v21.3.1

Commits

e18028c 21.3.2
a155cd7 Fix ZIP bomb in known-size ZIP probing
6954817 Harden parser more
370ed91 Fix bound recursive BOM and ID3 detection
d2ecea1 Add a few more safeguards
41fcff5 Update readme
a8f6934 Fix CI
ad5857e 21.3.1
5d2fedf Harden parser
319abf8 Fix infinite loop in ASF parser on malformed input
Additional commits viewable in compare view

Updates tar from 7.5.9 to 7.5.11

Commits

bf776f6 7.5.11
f48b5fa prevent escaping symlinks with drive-relative paths
97cff15 docs: more security info
2b72abc 7.5.10
7bc755d parse root off paths before sanitizing .. parts
c8cb846 update deps
See full diff in compare view

Updates undici from 7.22.0 to 7.24.0

Release notes

Sourced from undici's releases.

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0

CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581

NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527

NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229

NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

What's Changed

... (truncated)

Commits

07a3906 Bumped v7.24.0 (#4887)
74495c6 fix: reject duplicate content-length and host headers
84235c6 Fix websocket 64-bit length overflow
77594f9 fix: validate upgrade header to prevent CRLF injection
cb79c57 fix: validate server_max_window_bits range in permessage-deflate
4147ce2 Merge commit '2ee00cb3'
2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
5890c7b fix(deduplicate): stream response chunks to waiting handlers
fbda3c1 Bumped v7.23.0 (#4884)
07276c9 fix: remove unused kSocketPath symbol
Additional commits viewable in compare view

Updates dompurify from 3.3.1 to 3.3.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.2

Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters

Fixed a prototype pollution issue when working with custom elements, thanks @christos-eth

Fixed a lenient config parsing in _isValidAttribute, thanks @christos-eth

Bumped and removed several dependencies, thanks @Rotzbua

Fixed the test suite after bumping dependencies, thanks @Rotzbua

Commits

5e56114 Getting 3.x branch ready for 3.3.2 release (#1208)
e8c95f4 fix: Fixed the broken package-lock.json
9636037 Update package-lock.json
5cad4ce Getting 3.x branch ready for 3.3.2 releas (#1205)
See full diff in compare view

Updates undici from 7.22.0 to 7.24.0

Release notes

Sourced from undici's releases.

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0

CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581

NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527

NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229

NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

What's Changed

... (truncated)

Commits

07a3906 Bumped v7.24.0 (#4887)
74495c6 fix: reject duplicate content-length and host headers
84235c6 Fix websocket 64-bit length overflow
77594f9 fix: validate upgrade header to prevent CRLF injection
cb79c57 fix: validate server_max_window_bits range in permessage-deflate
4147ce2 Merge commit '2ee00cb3'
2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
5890c7b fix(deduplicate): stream response chunks to waiting handlers
fbda3c1 Bumped v7.23.0 (#4884)
07276c9 fix: remove unused kSocketPath symbol
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates Bumps the npm_and_yarn group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@discordjs/opus](https://github.com/discordjs/opus) | `0.9.0` | `0.10.0` | | [file-type](https://github.com/sindresorhus/file-type) | `21.3.0` | `21.3.2` | | [tar](https://github.com/isaacs/node-tar) | `7.5.9` | `7.5.11` | | [undici](https://github.com/nodejs/undici) | `7.22.0` | `7.24.0` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.1` | `3.3.2` | Bumps the npm_and_yarn group with 1 update in the /extensions/zalo directory: [undici](https://github.com/nodejs/undici). Updates `@discordjs/opus` from 0.9.0 to 0.10.0 - [Release notes](https://github.com/discordjs/opus/releases) - [Commits](discordjs/opus@v0.9.0...v0.10.0) Updates `file-type` from 21.3.0 to 21.3.2 - [Release notes](https://github.com/sindresorhus/file-type/releases) - [Commits](sindresorhus/file-type@v21.3.0...v21.3.2) Updates `tar` from 7.5.9 to 7.5.11 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v7.5.9...v7.5.11) Updates `undici` from 7.22.0 to 7.24.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.24.0) Updates `dompurify` from 3.3.1 to 3.3.2 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.1...3.3.2) Updates `undici` from 7.22.0 to 7.24.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.24.0) --- updated-dependencies: - dependency-name: "@discordjs/opus" dependency-version: 0.10.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: file-type dependency-version: 21.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.11 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.24.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.3.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 7.24.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

vercel · 2026-03-14T00:06:35Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openclaw-ui	Error		Mar 14, 2026 0:07am

dependabot · 2026-04-06T23:51:56Z

Superseded by #4.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 14, 2026

dependabot Bot mentioned this pull request Mar 14, 2026

chore(deps): bump the npm_and_yarn group across 1 directory with 4 updates #1

Closed

vercel Bot had a problem deploying to Preview March 14, 2026 00:07 Failure

dependabot Bot closed this Apr 6, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-eb87cfcfe5 branch April 6, 2026 23:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates#2

chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-eb87cfcfe5

dependabot Bot commented on behalf of github Mar 14, 2026

Uh oh!

vercel Bot commented Mar 14, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Apr 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 14, 2026

v0.10.0

What's Changed

New Contributors

v21.3.2

v21.3.1

v7.24.0

Undici v7.24.0 Security Release Notes

Upgrade guidance

Fixed advisories

Affected and patched ranges

References

v7.23.0

What's Changed

DOMPurify 3.3.2

v7.24.0

Undici v7.24.0 Security Release Notes

Upgrade guidance

Fixed advisories

Affected and patched ranges

References

v7.23.0

What's Changed

Uh oh!

vercel Bot commented Mar 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dependabot Bot commented on behalf of github Apr 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

vercel Bot commented Mar 14, 2026 •

edited

Loading