
chore (deps): bump the patch-updates group with 6 updates#2323

Merged
GCHQDeveloper581 merged 2 commits into master from dependabot/npm_and_yarn/patch-updates-82f14583f1
Apr 17, 2026

Conversation

@dependabot dependabot bot commented on behalf of github Apr 17, 2026

Bumps the patch-updates group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| jimp | 1.6.0 | 1.6.1 |
| jsrsasign | 11.1.1 | 11.1.2 |
| protobufjs | 7.5.4 | 7.5.5 |
| grunt | 1.6.1 | 1.6.2 |
| postcss | 8.5.8 | 8.5.10 |
| webpack | 5.106.0 | 5.106.2 |

Updates jimp from 1.6.0 to 1.6.1

Release notes

Sourced from jimp's releases.

v1.6.1 (Tue Apr 07 2026)

🎉 This release contains work from new contributors! 🎉

Thanks for all your work!

❤️ Denys Kashkovskyi (@​Kashkovsky)

❤️ Viki (@​vikiboss)

🐛 Bug Fix

⚠️ Pushed to main

📝 Documentation

Authors: 3

Changelog

Sourced from jimp's changelog.

v1.5.0 (Mon Sep 09 2024)

Release Notes

Add support for image decoder options (#1336)

Can now have options for the underlying image codecs


🚀 Enhancement

  • @jimp/core, @jimp/types, @jimp/js-bmp, @jimp/js-jpeg, @jimp/js-png

... (truncated)

Commits

Updates jsrsasign from 11.1.1 to 11.1.2

Release notes

Sourced from jsrsasign's releases.

Security Fix

  • Changes from 11.1.1 to 11.1.2 (2026-Apr-12)
    • Security fixes:
      • HIGH: wrong random for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom) reported by Bronson Yen of Calif.io and @​Kr0emer #655.
      • HIGH: ASN.1 Parser Infinite Loop (asn1hex.js) getChildIdx fix to avoid infinite loop reported by Koda Reef.
      • HIGH: DSA Universal Signature Forgery (dsa.js) FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash reported by Koda Reef, Nicholas Carlini and @​Kr0emer.
      • ASN1HEX.getChildIdx DoS (asn1hex.js) getChildIdx may raise DoS because of lacking value length check reported by Yt(yutengsun) and Franciny S Roj.
      • missing JWS crit header parameter validation (jws.js) as reported by Franciny S Roj. Thank you indeed for those vulnerability reports and/or patches.
Changelog

Sourced from jsrsasign's changelog.

ChangeLog for jsrsasign

  • Changes from 11.1.0 to 11.1.1 (2026-Feb-20)

restore KJUR.crypto.Cipher class without RSA/RSAOAEP support

  • Changes from 11.0.0 to 11.1.0 (2024-Feb-01)
    • src/crypto.js
      • restore KJUR.crypto.Cipher class without RSA and RSAOAEP encryption/decryption support

remove RSA and RSAOAEP encryption for Marvin attack

  • Changes from 10.9.0 to 11.0.0 (2024-Jan-16)
    • Major Changes:
      • Stop to support Internet Explorer.
      • Stop to support bower.
      • Modern ECMA functions will be introduced such as Promise, let, Array methods or class.
      • API document generator will be changed from Jsdoc Toolkit to JSDoc3.
      • Module bundler will be used such as browserify or webpack.
      • Not to use YUI compressor.
      • Unit test framework will be changed from QUnit and mocha to jest.
      • W3C Web Crypto API support.
      • split into several modules; before 11.0.0 everything was in the single jsrsasign package.
    • remove RSA PKCS#1.5 and OAEP encryption/decryption for Marvin attack (#598)
    • src/crypto.js
      • remove KJUR.crypto.Cipher class for RSA and RSAOAEP encryption/decryption
    • ext/{rsa,rsa2}.js remove encrypt/decrypt/encryptOAEP/decryptOAEP for RSAKey class

enhanced support for encrypted PKCS8

  • Changes from 10.8.6 to 10.9.0 (2023-Nov-27)

... (truncated)

Commits

Updates protobufjs from 7.5.4 to 7.5.5

Changelog

Sourced from protobufjs's changelog.

Changelog

8.0.1 (2026-03-11)

Bug Fixes

  • bump protobufjs dependency version for cli package (#2128) (549b05e)
  • correct json syntax in tsconfig.json (#2120) (8065625)
  • descriptor: guard oneof index for non-Type parents (#2122) (1cac5cf)
  • do not allow setting proto in Message constructor (#2126) (f05e3c3)
  • filter invalid characters from the type name (#2127) (535df44)

8.0.0 (2025-12-16)

⚠ BREAKING CHANGES

  • add Edition 2024 Support (#2060)

Features

Commits
Maintainer changes

This version was pushed to npm by fenster, a new releaser for protobufjs since your current version.


Updates grunt from 1.6.1 to 1.6.2

Changelog

Sourced from grunt's changelog.

v1.6.2
date: 2026-04-14
changes:
  • Update minimatch to 3.1.5. (PR: gruntjs/grunt#1796)
  • Update nopt to 5.0.0. (PR: gruntjs/grunt#1778)

Commits
Maintainer changes

This version was pushed to npm by krinkle, a new releaser for grunt since your current version.


Updates postcss from 8.5.8 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding parsing in case of an error.
Commits

Updates webpack from 5.106.0 to 5.106.2

Release notes

Sourced from webpack's releases.

v5.106.2

Patch Changes

  • CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

  • Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

  • Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

  • Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

  • Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

  • Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

  • Marked all experimental options in types. (by @​alexander-akait in #20814)

v5.106.1

Patch Changes

  • Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

  • Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

  • Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
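Two of the jsrsasign 11.1.2 fixes quoted above concern ASN1HEX.getChildIdx: an infinite loop and a missing value-length check. What follows is an added example, not jsrsasign code and not part of this PR, of the bounds and progress checks a child-index walker needs so that a hostile length field ends in an exception rather than a hang or an over-read. It works on bytes instead of the hex strings jsrsasign uses, skips the high tag-number form, and every sample encoding in it is constructed for the demonstration.

```python
"""Bounds-checked DER TLV walking, in the spirit of ASN1HEX.getChildIdx.

Added example, not jsrsasign code. It works on bytes rather than on the hex
strings jsrsasign uses, and it refuses malformed input with an exception
instead of looping or reading past the end of the buffer.
"""
from typing import List, Tuple


class DERError(ValueError):
    """Raised for any malformed TLV."""


def read_header(der: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode the tag and length of the TLV at `pos`.

    Returns (tag, value_start, value_end). Every offset is checked against
    len(der), so a hostile length field can never send the caller past the
    end of the data.
    """
    n = len(der)
    if pos < 0 or pos + 2 > n:
        raise DERError(f"TLV header at {pos} runs past end of data ({n} bytes)")
    tag = der[pos]
    if (tag & 0x1F) == 0x1F:
        raise DERError("high tag-number form is not handled by this example")
    first = der[pos + 1]
    if first == 0x80:
        raise DERError("indefinite length is BER, not DER")
    if first < 0x80:
        value_start, length = pos + 2, first
    else:
        num_len_bytes = first & 0x7F
        if num_len_bytes > 4:
            raise DERError("length field longer than 4 bytes")
        value_start = pos + 2 + num_len_bytes
        if value_start > n:
            raise DERError("length field runs past end of data")
        length = int.from_bytes(der[pos + 2:value_start], "big")
        if length < 0x80:
            raise DERError("non-minimal long-form length")
    value_end = value_start + length
    if value_end > n:
        raise DERError(f"value claims {length} bytes but only {n - value_start} remain")
    return tag, value_start, value_end


def child_offsets(der: bytes, pos: int = 0) -> List[int]:
    """Offsets of the TLVs directly inside the constructed TLV at `pos`."""
    tag, cur, end = read_header(der, pos)
    if not (tag & 0x20):
        raise DERError(f"tag 0x{tag:02x} at {pos} is primitive and has no children")
    children = []
    while cur < end:
        children.append(cur)
        _, _, child_end = read_header(der, cur)
        if child_end > end:
            raise DERError(f"child at {cur} ends at {child_end}, past its parent at {end}")
        cur = child_end  # a header is at least 2 bytes, so cur strictly increases
    return children


def rejects(der: bytes, pos: int = 0) -> bool:
    """True when the walker refuses `der` rather than looping or over-reading."""
    try:
        child_offsets(der, pos)
    except DERError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a well-formed SEQUENCE { INTEGER 1, INTEGER 2 } and
    # four malformed encodings a lenient walker might loop on or over-read.
    print(child_offsets(bytes.fromhex("3006020101020102")))        # [2, 5]
    for bad in ("300602010102",      # outer length claims more bytes than exist
                "3004020301020300",  # child runs past the end of its parent
                "3084ffffffff",      # 4 GiB length with no value bytes
                "3080020101"):       # indefinite length
        print(bad, "rejected" if rejects(bytes.fromhex(bad)) else "ACCEPTED")
```

The two invariants that matter are that every computed end offset is compared against both the buffer and the enclosing parent, and that each iteration consumes at least the two header bytes, so the loop cannot stall.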

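The DSA item in the jsrsasign notes above cites FIPS 186-4 section 4.7, whose first verification step rejects any (r, s) outside 0 < r < q and 0 < s < q. Below is an added example, not jsrsasign code and not part of this PR, of textbook DSA with that check in place beside a verifier that leaves it out. The toy parameters, the deterministic nonce derivation and the "lenient inverse" that returns 0 for the inverse of 0 are assumptions made for the demonstration, not a description of the jsrsasign defect. They show why the range check is load-bearing: without it, and with such an inverse, the pair (r, s) = (1, 0) verifies for every message under every public key, while with a strict inverse such as Python's pow(s, -1, q) the verifier raises on s = 0 instead of returning False.

```python
"""Textbook DSA with the FIPS 186-4 section 4.7 signature range check.

Added example, not jsrsasign code. The parameters are deliberately tiny so
that it runs instantly; never use them, or this code, for real signatures.
"""
import hashlib
from typing import Tuple

Params = Tuple[int, int, int]  # (p, q, g)


def _is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def toy_params(q: int = 1_000_003) -> Params:
    """Find a prime p = k*q + 1 and a generator g of the order-q subgroup."""
    assert _is_prime(q)
    k = 2
    while not _is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def hash_to_int(msg: bytes, q: int) -> int:
    """Leftmost min(N, outlen) bits of SHA-256, per FIPS 186-4 section 4.6."""
    digest = hashlib.sha256(msg).digest()
    z = int.from_bytes(digest, "big")
    return z >> max(len(digest) * 8 - q.bit_length(), 0)


def sign(params: Params, x: int, msg: bytes) -> Tuple[int, int]:
    """DSA signature with private key x in [1, q-1]."""
    p, q, g = params
    z = hash_to_int(msg, q)
    counter = 0
    while True:
        # Toy deterministic nonce so the example is reproducible. Real code
        # must use a CSPRNG or RFC 6979; this derivation is an assumption of
        # the example, not a standard.
        seed = x.to_bytes(8, "big") + msg + counter.to_bytes(4, "big")
        k = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r != 0 and s != 0:
            return r, s
        counter += 1


def verify(params: Params, y: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    """DSA verification including the section 4.7 step-1 range check."""
    p, q, g = params
    r, s = sig
    # FIPS 186-4 section 4.7: reject unless 0 < r < q and 0 < s < q. This also
    # guarantees s is invertible, so pow(s, -1, q) below cannot raise.
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = hash_to_int(msg, q) * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def _lenient_inverse(a: int, m: int) -> int:
    """Models a bignum library that returns 0 for the inverse of 0 instead of
    failing (an assumption for the demonstration, not a claim about any
    specific library)."""
    return 0 if a % m == 0 else pow(a, -1, m)


def verify_without_range_check(params: Params, y: int, msg: bytes,
                               sig: Tuple[int, int]) -> bool:
    """Same algorithm with the range check omitted. For (r, s) = (1, 0) the
    lenient inverse gives w = u1 = u2 = 0, so v = (g^0 * y^0) mod q = 1 = r
    and every message verifies under every key."""
    p, q, g = params
    r, s = sig
    w = _lenient_inverse(s, q)
    u1 = hash_to_int(msg, q) * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


if __name__ == "__main__":
    params = toy_params()
    x = 123_457                      # toy private key, must be in [1, q-1]
    y = pow(params[2], x, params[0])
    sig = sign(params, x, b"hello")
    print("genuine signature:", verify(params, y, b"hello", sig))          # True
    print("(1, 0) with range check:", verify(params, y, b"any", (1, 0)))  # False
    print("(1, 0) without it:",
          verify_without_range_check(params, y, b"any", (1, 0)))          # True
```

The forged pair carries no information about the key or the message, which is what "universal forgery" means in the release note: the check on the signature's range is the only thing standing between the verifier and an accept-anything oracle.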
dependabot bot added the dependencies and javascript labels Apr 17, 2026
Bumps the patch-updates group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [jimp](https://github.com/jimp-dev/jimp) | `1.6.0` | `1.6.1` |
| [jsrsasign](https://github.com/kjur/jsrsasign) | `11.1.1` | `11.1.2` |
| [protobufjs](https://github.com/protobufjs/protobuf.js) | `7.5.4` | `7.5.5` |
| [grunt](https://github.com/gruntjs/grunt) | `1.6.1` | `1.6.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.8` | `8.5.10` |
| [webpack](https://github.com/webpack/webpack) | `5.106.0` | `5.106.2` |


Updates `jimp` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/jimp-dev/jimp/releases)
- [Changelog](https://github.com/jimp-dev/jimp/blob/v1.6.1/CHANGELOG.md)
- [Commits](jimp-dev/jimp@v1.6.0...v1.6.1)

Updates `jsrsasign` from 11.1.1 to 11.1.2
- [Release notes](https://github.com/kjur/jsrsasign/releases)
- [Changelog](https://github.com/kjur/jsrsasign/blob/master/ChangeLog.txt)
- [Commits](kjur/jsrsasign@11.1.1...11.1.2)

Updates `protobufjs` from 7.5.4 to 7.5.5
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5)

Updates `grunt` from 1.6.1 to 1.6.2
- [Release notes](https://github.com/gruntjs/grunt/releases)
- [Changelog](https://github.com/gruntjs/grunt/blob/main/CHANGELOG)
- [Commits](gruntjs/grunt@v1.6.1...v1.6.2)

Updates `postcss` from 8.5.8 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.10)

Updates `webpack` from 5.106.0 to 5.106.2
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.106.0...v5.106.2)

---
updated-dependencies:
- dependency-name: jimp
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: jsrsasign
  dependency-version: 11.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: protobufjs
  dependency-version: 7.5.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: grunt
  dependency-version: 1.6.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
- dependency-name: webpack
  dependency-version: 5.106.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
GCHQDeveloper581 force-pushed the dependabot/npm_and_yarn/patch-updates-82f14583f1 branch from 313c34a to b490111 on April 17, 2026 08:41
GCHQDeveloper581 commented Apr 17, 2026

Noting that the updated jsrsasign announces upcoming EOL for that project - #2325 raised in response.

@GCHQDeveloper581 GCHQDeveloper581 left a comment

I'm bumping this one.

protobufjs-7.5.5 is not listed in the changelog for the project (or in the github releases), and is only 2 days old.

On the balance of probabilities it is fine:

  • there is a corresponding tag in the repo
  • a quick scan of the diff between the package tgzs doesn't immediately throw up anything obviously scary

However it doesn't appear to be a vulnerability fix so, with an abundance of caution, I think we'll wait another week and see what the verdict of time is.
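The "diff between the package tgzs" check the comment above describes, as an added example (not tooling from this project or the comment's author): it compares the two tarballs that `npm pack <name>@<old>` and `npm pack <name>@<new>` produce (assumed invocation), lists added, removed and changed files with a unified diff of the text changes, and additionally flags npm lifecycle scripts that only the new version declares, since those run on every install. The two packages it compares are built in memory from constructed data so the example runs offline; for a real bump, read the two downloaded .tgz files and pass their bytes to diff_tgz.

```python
"""Diff two npm package tarballs before accepting a dependency bump.

Added example, not tooling from this project. It compares the .tgz files
that `npm pack <name>@<version>` produces for the old and new versions and
additionally flags lifecycle scripts that only the new version declares.
Two tiny packages are built in memory (constructed data) so it runs offline.
"""
import difflib
import io
import json
import tarfile
from typing import Dict, List

# npm runs these scripts during `npm install`, so a hook that is new in this
# version is install-time code execution that did not exist before the bump.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def read_tgz(data: bytes) -> Dict[str, bytes]:
    """Map member path -> contents for every regular file in a gzip tarball."""
    files: Dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def install_hooks(pkg_json: bytes) -> List[str]:
    """Lifecycle hook names declared under "scripts" in a package.json."""
    if not pkg_json:
        return []
    scripts = json.loads(pkg_json).get("scripts", {})
    return sorted(name for name in scripts if name in INSTALL_HOOKS)


def diff_tgz(old: bytes, new: bytes) -> Dict[str, List[str]]:
    """Added, removed and changed paths, a unified diff of changed text files,
    and install hooks present only in the new tarball."""
    a, b = read_tgz(old), read_tgz(new)
    report: Dict[str, List[str]] = {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": [],
        "diff": [],
        "new_install_hooks": [],
    }
    for path in sorted(set(a) & set(b)):
        if a[path] == b[path]:
            continue
        report["changed"].append(path)
        try:
            old_lines = a[path].decode().splitlines(keepends=True)
            new_lines = b[path].decode().splitlines(keepends=True)
        except UnicodeDecodeError:
            report["diff"].append(f"Binary file {path} differs\n")
            continue
        report["diff"].extend(
            difflib.unified_diff(old_lines, new_lines, f"old/{path}", f"new/{path}")
        )
    manifest = "package/package.json"  # npm tarballs put everything under package/
    before = install_hooks(a.get(manifest, b""))
    after = install_hooks(b.get(manifest, b""))
    report["new_install_hooks"] = sorted(set(after) - set(before))
    return report


def make_tgz(files: Dict[str, str]) -> bytes:
    """Build an in-memory .tgz laid out like an npm tarball (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=f"package/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed stand-ins for the old and new tarballs of a hypothetical package.
OLD_TGZ = make_tgz({
    "package.json": json.dumps({"name": "demo-pkg", "version": "1.0.0"}) + "\n",
    "index.js": "module.exports = (a, b) => a + b;\n",
})
NEW_TGZ = make_tgz({
    "package.json": json.dumps({"name": "demo-pkg", "version": "1.0.1",
                                "scripts": {"postinstall": "node setup.js"}}) + "\n",
    "index.js": "module.exports = (a, b) => a + b;\n",
    "setup.js": "console.log('runs on every npm install');\n",
})

if __name__ == "__main__":
    report = diff_tgz(OLD_TGZ, NEW_TGZ)
    for key in ("added", "removed", "changed", "new_install_hooks"):
        print(f"{key}: {report[key]}")
    print("".join(report["diff"]))
```

Diffing the published tarballs rather than the Git tag matters because the tarball is what `npm install` actually runs; a file present in the package but absent from the repository, or a hook that appears only in the package manifest, does not show up in a `compare` view between tags.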

dependabot bot commented on behalf of github Apr 17, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/patch-updates-82f14583f1 branch April 17, 2026 09:56
@GCHQDeveloper581 GCHQDeveloper581 restored the dependabot/npm_and_yarn/patch-updates-82f14583f1 branch April 17, 2026 11:22
GCHQDeveloper581 commented Apr 17, 2026

There's now a critical vulnerability in protobufjs 7.5.4 so logic for closing no longer applies.

@GCHQDeveloper581 GCHQDeveloper581 left a comment

Due diligence:

  • checked for any reported supply chain issues with new versions
  • protobufjs 7.5.5 does not appear in the project ChangeLog. However there is a critical vulnerability in the previous version, and 7.5.5 is specifically mentioned in the project originated announcement of that vulnerability
  • basic inspection of diffs for these updates
  • all tests pass

@GCHQDeveloper581 GCHQDeveloper581 merged commit 4675a7d into master Apr 17, 2026
6 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/patch-updates-82f14583f1 branch April 17, 2026 11:37