@dependabot dependabot bot commented on behalf of github Dec 22, 2025

Bumps the security-updates group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @aws-sdk/client-lambda | 3.906.0 | 3.957.0 |
| axios | 1.12.2 | 1.13.2 |
| eciesjs | 0.4.7 | 0.4.16 |
| esbuild | 0.27.0 | 0.27.2 |
| files-from-path | 1.0.0 | 1.1.4 |
| lodash-es | 4.17.21 | 4.17.22 |
| ts-node | 10.9.1 | 10.9.2 |
| @changesets/cli | 2.29.7 | 2.29.8 |
| @tsconfig/node16 | 16.1.5 | 16.1.8 |
| @types/estree | 1.0.5 | 1.0.8 |
| @types/lodash | 4.17.20 | 4.17.21 |

Updates @aws-sdk/client-lambda from 3.906.0 to 3.957.0

Release notes

Sourced from @​aws-sdk/client-lambda's releases.

v3.957.0

3.957.0(2025-12-22)

Chores
  • move crc64NvmeCrtContainer to '@​aws-sdk/crc64-nvme' (#7600) (69196b71)
  • move e2e tests from cucumber to vitest (#7539) (561b8900)
  • build: replace lerna partial-tree build with turbo (#7597) (04bdba3e)
Documentation Changes
  • client-pcs: Change API Reference Documentation for default Mode in Accounting and SlurmRest (966f60ac)
New Features
  • client-config-service: Added supported resourceTypes for Config from July to November 2025 (2c7dab27)
  • client-ec2: Adds support for linkedGroupId on the CreatePlacementGroup and DescribePlacementGroups APIs. The linkedGroupId parameter is reserved for future use. (a492f734)
  • client-guardduty: Make accountIds a required field in GetRemainingFreeTrialDays API to reflect service behavior. (53e59c65)
  • middleware-flexible-checksums: use CRC64NVME JS implementation if CRT is not available (#7595) (4c6ad409)
Bug Fixes
  • middleware-flexible-checksums: advise user on InvalidChunkSizeError (#7598) (6fa3b4cc)

For list of updated packages, view updated-packages.md in assets-3.957.0.zip

v3.956.0

3.956.0(2025-12-19)

Chores
Documentation Changes
New Features
  • clients: update client endpoints as of 2025-12-19 (e0360a8f)
  • client-wickr: AWS Wickr now provides a suite of admin APIs to allow you to programmatically manage secure communication for Wickr networks at scale. These APIs enable you to automate administrative workflows including user lifecycle management, network configuration, and security group administration. (d105e0ef)
  • client-arc-region-switch: Automatic Plan Execution Reports allow customers to maintain a concise record of their Region switch Plan executions. This enables customer SREs and leadership to have a clear view of their recovery posture based on the generated reports for their Plan executions. (33dbf8d8)
  • client-workspaces-web: Add support for WebAuthn under user settings. (a42b84c4)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-lambda's changelog.

3.957.0 (2025-12-22)

Note: Version bump only for package @​aws-sdk/client-lambda

3.956.0 (2025-12-19)

Note: Version bump only for package @​aws-sdk/client-lambda

3.955.0 (2025-12-18)

Note: Version bump only for package @​aws-sdk/client-lambda

3.954.0 (2025-12-17)

Note: Version bump only for package @​aws-sdk/client-lambda

3.953.0 (2025-12-16)

Features

  • clients: allow protocol selection by class constructor (#7568) (5c5fd2e)

3.952.0 (2025-12-15)

Note: Version bump only for package @​aws-sdk/client-lambda

... (truncated)

Commits

Updates axios from 1.12.2 to 1.13.2

Release notes

Sourced from axios's releases.

Release v1.13.2

Release notes:

Bug Fixes

  • http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
  • http: use default export for http2 module to support stubs; (#7196) (0588880)

Performance Improvements

Contributors to this release

Release v1.13.1

Release notes:

Bug Fixes

  • http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

Release v1.13.0

Release notes:

Bug Fixes

  • fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
  • resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

Contributors to this release

... (truncated)

Changelog

Sourced from axios's changelog.

1.13.2 (2025-11-04)

Bug Fixes

  • http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
  • http: use default export for http2 module to support stubs; (#7196) (0588880)

Performance Improvements

Contributors to this release

1.13.1 (2025-10-28)

Bug Fixes

  • http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

1.13.0 (2025-10-27)

Bug Fixes

  • fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
  • resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

Contributors to this release

... (truncated)

Commits
  • 08b84b5 chore(release): v1.13.2 (#7207)
  • 8d37233 fix(http): fix 'socket hang up' bug for keep-alive requests when using timeou...
  • 12c314b perf(http): fix early loop exit; (#7202)
  • f6d79e7 chore(sponsor): update sponsor block (#7203)
  • 0588880 fix(http): use default export for http2 module to support stubs; (#7196)
  • 1ef8e72 chore(release): v1.13.1 (#7194)
  • bcd5581 fix(http): fixed a regression that caused the data stream to be interrupted f...
  • c9b3371 chore: enhance styling and responsiveness in client.html (#7173)
  • 9ead04d [Release] v1.13.0 (#7189)
  • d000fbf fix(http2): fix possible race condition when handling http2 stream on almost ...
  • Additional commits viewable in compare view

Updates eciesjs from 0.4.7 to 0.4.16

Release notes

Sourced from eciesjs's releases.

v0.4.16

What's Changed

Full Changelog: ecies/js@v0.4.15...v0.4.16

v0.4.15

What's Changed

Full Changelog: ecies/js@v0.4.14...v0.4.15

v0.4.14

What's Changed

Full Changelog: ecies/js@v0.4.13...v0.4.14

v0.4.13

What's Changed

Full Changelog: ecies/js@v0.4.12...v0.4.13

v0.4.12

... (truncated)

Changelog

Sourced from eciesjs's changelog.

0.4.16

  • Bump dependencies
  • Drop Node 18 support
  • Remove deprecated @noble/curves usage

0.4.15

  • Bump dependencies
  • Revamp documentation
  • Make curve configurable in keys and utils via argument

0.4.14

  • Bump dependencies
  • Add details
  • Revamp documentation

0.4.13

  • Bump dependencies

0.4.12

  • Add PublicKey.toBytes and deprecate PublicKey.compressed and PublicKey.uncompressed
  • Save uncompressed public key data for secp256k1

0.4.11

  • Revamp encapsulate/decapsulate
  • Revamp symmetric encryption/decryption
  • Revamp elliptic utils
  • Add browser tests

0.4.10

  • Fix commonjs build

0.4.9

  • Add examples
  • Update documentation
  • Migrate to vitest
  • Export all modules to allow full customization
  • Introduce @ecies/ciphers as symmetric cipher adapter for different platforms
    • Use pure JS (@noble/ciphers) AES implementation if running in browsers to improve compatibility
    • Use node:crypto's chacha20 implementation on Node runtime to improve performance

0.4.1 ~ 0.4.8

... (truncated)

Commits

Updates esbuild from 0.27.0 to 0.27.2

Release notes

Sourced from esbuild's releases.

v0.27.2

  • Allow import path specifiers starting with #/ (#4361)

    Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

    This change was contributed by @​hybrist.

  • Automatically add the -webkit-mask prefix (#4357, #4358)

    This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

    /* Original code */
    main {
      mask: url(x.png) center/5rem no-repeat
    }
    /* Old output (with --target=chrome110) */
    main {
      mask: url(x.png) center/5rem no-repeat;
    }
    /* New output (with --target=chrome110) */
    main {
      -webkit-mask: url(x.png) center/5rem no-repeat;
      mask: url(x.png) center/5rem no-repeat;
    }

    This change was contributed by @​BPJEnnova.

  • Additional minification of switch statements (#4176, #4359)

    This release contains additional minification patterns for reducing switch statements. Here is an example:

    // Original code
    switch (x) {
      case 0:
        foo()
        break
      case 1:
      default:
        bar()
    }
    // Old output (with --minify)
    switch(x){case 0:foo();break;case 1:default:bar()}
    // New output (with --minify)

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.27.2

  • Allow import path specifiers starting with #/ (#4361)

    Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

    This change was contributed by @​hybrist.

  • Automatically add the -webkit-mask prefix (#4357, #4358)

    This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

    /* Original code */
    main {
      mask: url(x.png) center/5rem no-repeat
    }
    /* Old output (with --target=chrome110) */
    main {
      mask: url(x.png) center/5rem no-repeat;
    }
    /* New output (with --target=chrome110) */
    main {
      -webkit-mask: url(x.png) center/5rem no-repeat;
      mask: url(x.png) center/5rem no-repeat;
    }

    This change was contributed by @​BPJEnnova.

  • Additional minification of switch statements (#4176, #4359)

    This release contains additional minification patterns for reducing switch statements. Here is an example:

    // Original code
    switch (x) {
      case 0:
        foo()
        break
      case 1:
      default:
        bar()
    }
    // Old output (with --minify)
    switch(x){case 0:foo();break;case 1:default:bar()}

... (truncated)

Commits
  • cd83297 publish 0.27.2 to npm
  • 2759721 additional tests for switch with break
  • fd2b4b3 update release notes
  • c8d93a7 fix #4357: -webkit- prefix for mask shorthand (#4358)
  • 92ff12c compat table: update @types/node
  • a35eceb compat table: fix a type error with the new types
  • f598984 fix make compat-table to install dependencies
  • f7f6df0 release notes for #4361
  • 6f8ec15 fix: allow subpath imports that start with #/ (#4361)
  • f7ae61f minify some switch statements to if-else statement
  • Additional commits viewable in compare view

Updates files-from-path from 1.0.0 to 1.1.4

Release notes

Sourced from files-from-path's releases.

v1.1.4

1.1.4 (2025-03-25)

Bug Fixes

v1.1.3

1.1.3 (2025-02-12)

Bug Fixes

v1.1.2

1.1.2 (2025-02-11)

Bug Fixes

  • Add missing types key to package entry point (#41) (b645e00)

v1.1.1

1.1.1 (2024-11-15)

Bug Fixes

v1.1.0

1.1.0 (2024-11-15)

Features

  • normalise paths for windows file paths (#38) (41bb5c5)

v1.0.4

1.0.4 (2023-12-07)

Bug Fixes

  • build step cannot be run in dist dir (198359f)

v1.0.3

1.0.3 (2023-11-29)

... (truncated)

Changelog

Sourced from files-from-path's changelog.

1.1.4 (2025-03-25)

Bug Fixes

1.1.3 (2025-02-12)

Bug Fixes

1.1.2 (2025-02-11)

Bug Fixes

  • Add missing types key to package entry point (#41) (b645e00)

1.1.1 (2024-11-15)

Bug Fixes

1.1.0 (2024-11-15)

Features

  • normalise paths for windows file paths (#38) (41bb5c5)

1.0.4 (2023-12-07)

Bug Fixes

  • build step cannot be run in dist dir (198359f)

1.0.3 (2023-11-29)

Bug Fixes

1.0.2 (2023-11-20)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by it-dag-house, a new releaser for files-from-path since your current version.


Updates lodash-es from 4.17.21 to 4.17.22

Commits

Updates ts-node from 10.9.1 to 10.9.2

Release notes

Sourced from ts-node's releases.

Fix tsconfig.json file not found

Fixed

Commits

Updates @changesets/cli from 2.29.7 to 2.29.8

Commits

Updates @tsconfig/node16 from 16.1.5 to 16.1.8

Commits

Updates @types/estree from 1.0.5 to 1.0.8

Commits

Updates @types/lodash from 4.17.20 to 4.17.21

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…11 updates

Bumps the security-updates group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@aws-sdk/client-lambda](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-lambda) | `3.906.0` | `3.957.0` |
| [axios](https://github.com/axios/axios) | `1.12.2` | `1.13.2` |
| [eciesjs](https://github.com/ecies/js) | `0.4.7` | `0.4.16` |
| [esbuild](https://github.com/evanw/esbuild) | `0.27.0` | `0.27.2` |
| [files-from-path](https://github.com/storacha/files-from-path) | `1.0.0` | `1.1.4` |
| [lodash-es](https://github.com/lodash/lodash) | `4.17.21` | `4.17.22` |
| [ts-node](https://github.com/TypeStrong/ts-node) | `10.9.1` | `10.9.2` |
| [@changesets/cli](https://github.com/changesets/changesets) | `2.29.7` | `2.29.8` |
| [@tsconfig/node16](https://github.com/tsconfig/bases/tree/HEAD/bases) | `16.1.5` | `16.1.8` |
| [@types/estree](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/estree) | `1.0.5` | `1.0.8` |
| [@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash) | `4.17.20` | `4.17.21` |



Updates `@aws-sdk/client-lambda` from 3.906.0 to 3.957.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-lambda/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.957.0/clients/client-lambda)

Updates `axios` from 1.12.2 to 1.13.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.12.2...v1.13.2)

Updates `eciesjs` from 0.4.7 to 0.4.16
- [Release notes](https://github.com/ecies/js/releases)
- [Changelog](https://github.com/ecies/js/blob/master/CHANGELOG.md)
- [Commits](ecies/js@v0.4.7...v0.4.16)

Updates `esbuild` from 0.27.0 to 0.27.2
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.0...v0.27.2)

Updates `files-from-path` from 1.0.0 to 1.1.4
- [Release notes](https://github.com/storacha/files-from-path/releases)
- [Changelog](https://github.com/storacha/files-from-path/blob/main/CHANGELOG.md)
- [Commits](storacha/files-from-path@v1.0.0...v1.1.4)

Updates `lodash-es` from 4.17.21 to 4.17.22
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/commits)

Updates `ts-node` from 10.9.1 to 10.9.2
- [Release notes](https://github.com/TypeStrong/ts-node/releases)
- [Changelog](https://github.com/TypeStrong/ts-node/blob/main/development-docs/release-template.md)
- [Commits](TypeStrong/ts-node@v10.9.1...v10.9.2)

Updates `@changesets/cli` from 2.29.7 to 2.29.8
- [Release notes](https://github.com/changesets/changesets/releases)
- [Commits](https://github.com/changesets/changesets/commits)

Updates `@tsconfig/node16` from 16.1.5 to 16.1.8
- [Commits](https://github.com/tsconfig/bases/commits/HEAD/bases)

Updates `@types/estree` from 1.0.5 to 1.0.8
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/estree)

Updates `@types/lodash` from 4.17.20 to 4.17.21
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash)

---
updated-dependencies:
- dependency-name: "@aws-sdk/client-lambda"
  dependency-version: 3.957.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: security-updates
- dependency-name: axios
  dependency-version: 1.13.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: security-updates
- dependency-name: eciesjs
  dependency-version: 0.4.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-updates
- dependency-name: esbuild
  dependency-version: 0.27.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-updates
- dependency-name: files-from-path
  dependency-version: 1.1.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: security-updates
- dependency-name: lodash-es
  dependency-version: 4.17.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-updates
- dependency-name: ts-node
  dependency-version: 10.9.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-updates
- dependency-name: "@changesets/cli"
  dependency-version: 2.29.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: security-updates
- dependency-name: "@tsconfig/node16"
  dependency-version: 16.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: security-updates
- dependency-name: "@types/estree"
  dependency-version: 1.0.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: security-updates
- dependency-name: "@types/lodash"
  dependency-version: 4.17.21
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: security-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the security label Dec 22, 2025

dependabot bot commented on behalf of github Dec 22, 2025

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
  • ⚠️ 1 packages with OpenSSF Scorecard issues.
