Skip to content

Bump the npm_and_yarn group across 5 directories with 10 updates#27

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/screenpipe-js/cli/npm_and_yarn-46e774b68d
Closed

Bump the npm_and_yarn group across 5 directories with 10 updates#27
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/screenpipe-js/cli/npm_and_yarn-46e774b68d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Copy link
Copy Markdown

Bumps the npm_and_yarn group with 7 updates in the /screenpipe-js/cli directory:

Package From To
axios 1.8.1 1.16.0
@hono/node-server 1.19.12 1.19.14
qs 6.15.0 6.15.2
fast-uri 3.1.0 3.1.2
fast-xml-builder 1.1.4 1.2.0
hono 4.12.9 4.12.25
ip-address 10.1.0 10.2.0

Bumps the npm_and_yarn group with 4 updates in the /pipes/reddit-auto-posts directory: qs, dompurify, prismjs and protobufjs.
Bumps the npm_and_yarn group with 3 updates in the /pipes/pipe-for-loom directory: qs, dompurify and protobufjs.
Bumps the npm_and_yarn group with 6 updates in the /pipes/obsidian directory:

Package From To
@hono/node-server 1.19.12 1.19.14
fast-uri 3.1.0 3.1.2
hono 4.12.9 4.12.25
dompurify 3.3.3 3.4.9
prismjs 1.27.0 1.30.0
protobufjs 7.5.4 7.6.3

Bumps the npm_and_yarn group with 6 updates in the /pipes/example-pipe directory:

Package From To
@hono/node-server 1.19.12 1.19.14
qs 6.15.0 6.15.2
fast-uri 3.0.6 3.1.2
hono 4.12.9 4.12.25
ip-address 10.1.0 10.2.0
prismjs 1.27.0 1.30.0

Updates axios from 1.8.1 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
  • transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
  • Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
  • transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
  • Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

... (truncated)

Commits
  • df53d7d chore(release): prepare release 1.16.0 (#10834)
  • 9d92bcd fix: gadgets and smaller issues (#10833)
  • 5107ee6 fix: prevent undefined error codes in settle (#7276)
  • e573499 fix(fetch): defer global access in fetch adapter (#7260)
  • ad68e1a fix(http): honor timeout during connect without redirects (#10819)
  • 2a51828 fix(http): decode URL basic auth credentials (#10825)
  • 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
  • 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
  • 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
  • cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @hono/node-server from 1.19.12 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

Commits

Updates qs from 6.15.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage
Commits
  • 9aca407 v6.15.2
  • 5e33d33 [Dev Deps] update @ljharb/eslint-config
  • 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
  • a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
  • e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
  • 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
  • 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
  • 96755ab [readme] fix grammar
  • a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
  • 3f5e1c5 v6.15.1
  • Additional commits viewable in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Updates fast-xml-builder from 1.1.4 to 1.2.0

Changelog

Sourced from fast-xml-builder's changelog.

1.2.0 (2026-05-08)

  • Add support for sanitizeName option
  • Support xml-naming for validating and sanitizing tag and attribute names

1.1.9 (2026-05-06)

  • fix: format output for preserve order when indent by is set to empty string

1.1.8 (2026-05-05)

  • fix: skip text property for PI tags
  • improve typings

1.1.7 (2026--05-04)

  • fix security issues when attribute value contains quotes

1.1.6 (2026--05-04)

  • fix security issues related to comment
  • skip comment with null value

1.1.5 (2026-04-17)

  • fix security issues related to comment and cdata

1.1.4 (2026-03-16)

  • support maxNestedTags option

1.1.3 (2026-03-13)

  • declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

1.1.2 (2026-03-11)

  • fix typings

1.1.1 (2026-03-11)

  • upgrade path-expression-matcher to 1.1.3

1.1.0 (2026-03-10)

Commits

Updates hono from 4.12.9 to 4.12.25

Release notes

Sourced from hono's releases.

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

v4.12.24

What's Changed

Full Changelog: honojs/hono@v4.12.23...v4.12.24

v4.12.23

What's Changed

Full Changelog: honojs/hono@v4.12.22...v4.12.23

v4.12.22

What's Changed

... (truncated)

Commits

Updates ip-address from 10.1.0 to 10.2.0

Commits
  • 80fccaa 10.2.0
  • abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
  • 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
  • 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
  • 80bc76e Validate static factories instead of silently overflowing (#201)
  • 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
  • a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
  • ec52105 Add networkForm() for CIDR network-address strings (#199)
  • a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
  • f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
  • Additional commits viewable in compare view

Updates qs from 6.13.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage
Commits
  • 9aca407 v6.15.2
  • 5e33d33 [Dev Deps] update @ljharb/eslint-config
  • 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
  • a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
  • e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
  • 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
  • 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
  • 96755ab [readme] fix grammar
  • a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
  • 3f5e1c5 v6.15.1
  • Additional commits viewable in compare view

Updates dompurify from 3.3.3 to 3.4.9

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

  • Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
  • Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
  • Updated the node iteration code to catch more Shadow DOM related issues
  • Updated Playwright and added Node 26 to test matrix
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

DOMPurify 3.4.2

... (truncated)

Com...

Description has been truncated

Bumps the npm_and_yarn group with 7 updates in the /screenpipe-js/cli directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.8.1` | `1.16.0` |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.12` | `1.19.14` |
| [qs](https://github.com/ljharb/qs) | `6.15.0` | `6.15.2` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` |
| [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.1.4` | `1.2.0` |
| [hono](https://github.com/honojs/hono) | `4.12.9` | `4.12.25` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` |

Bumps the npm_and_yarn group with 4 updates in the /pipes/reddit-auto-posts directory: [qs](https://github.com/ljharb/qs), [dompurify](https://github.com/cure53/DOMPurify), [prismjs](https://github.com/PrismJS/prism) and [protobufjs](https://github.com/protobufjs/protobuf.js).
Bumps the npm_and_yarn group with 3 updates in the /pipes/pipe-for-loom directory: [qs](https://github.com/ljharb/qs), [dompurify](https://github.com/cure53/DOMPurify) and [protobufjs](https://github.com/protobufjs/protobuf.js).
Bumps the npm_and_yarn group with 6 updates in the /pipes/obsidian directory:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.12` | `1.19.14` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` |
| [hono](https://github.com/honojs/hono) | `4.12.9` | `4.12.25` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.9` |
| [prismjs](https://github.com/PrismJS/prism) | `1.27.0` | `1.30.0` |
| [protobufjs](https://github.com/protobufjs/protobuf.js) | `7.5.4` | `7.6.3` |

Bumps the npm_and_yarn group with 6 updates in the /pipes/example-pipe directory:

| Package | From | To |
| --- | --- | --- |
| [@hono/node-server](https://github.com/honojs/node-server) | `1.19.12` | `1.19.14` |
| [qs](https://github.com/ljharb/qs) | `6.15.0` | `6.15.2` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.0.6` | `3.1.2` |
| [hono](https://github.com/honojs/hono) | `4.12.9` | `4.12.25` |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` |
| [prismjs](https://github.com/PrismJS/prism) | `1.27.0` | `1.30.0` |



Updates `axios` from 1.8.1 to 1.16.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.8.1...v1.16.0)

Updates `@hono/node-server` from 1.19.12 to 1.19.14
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.12...v1.19.14)

Updates `qs` from 6.15.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.0...v6.15.2)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `fast-xml-builder` from 1.1.4 to 1.2.0
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.2.0)

Updates `hono` from 4.12.9 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.9...v4.12.25)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0)

Updates `qs` from 6.13.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.0...v6.15.2)

Updates `dompurify` from 3.3.3 to 3.4.9
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.9)

Updates `prismjs` from 1.27.0 to 1.30.0
- [Release notes](https://github.com/PrismJS/prism/releases)
- [Changelog](https://github.com/PrismJS/prism/blob/v2/CHANGELOG.md)
- [Commits](PrismJS/prism@v1.27.0...v1.30.0)

Updates `protobufjs` from 7.5.4 to 7.6.3
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.3/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.6.3)

Updates `qs` from 6.14.2 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.0...v6.15.2)

Updates `dompurify` from 3.3.3 to 3.4.9
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.9)

Updates `protobufjs` from 7.5.4 to 7.6.3
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.3/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.6.3)

Updates `@hono/node-server` from 1.19.12 to 1.19.14
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.12...v1.19.14)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `hono` from 4.12.9 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.9...v4.12.25)

Updates `dompurify` from 3.3.3 to 3.4.9
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.9)

Updates `prismjs` from 1.27.0 to 1.30.0
- [Release notes](https://github.com/PrismJS/prism/releases)
- [Changelog](https://github.com/PrismJS/prism/blob/v2/CHANGELOG.md)
- [Commits](PrismJS/prism@v1.27.0...v1.30.0)

Updates `protobufjs` from 7.5.4 to 7.6.3
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/protobufjs-v7.6.3/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.6.3)

Updates `@hono/node-server` from 1.19.12 to 1.19.14
- [Release notes](https://github.com/honojs/node-server/releases)
- [Commits](honojs/node-server@v1.19.12...v1.19.14)

Updates `qs` from 6.15.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.0...v6.15.2)

Updates `fast-uri` from 3.0.6 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `hono` from 4.12.9 to 4.12.25
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.9...v4.12.25)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](beaugunderson/ip-address@v10.1.0...v10.2.0)

Updates `prismjs` from 1.27.0 to 1.30.0
- [Release notes](https://github.com/PrismJS/prism/releases)
- [Changelog](https://github.com/PrismJS/prism/blob/v2/CHANGELOG.md)
- [Commits](PrismJS/prism@v1.27.0...v1.30.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-builder
  dependency-version: 1.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: prismjs
  dependency-version: 1.30.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.6.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.6.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: prismjs
  dependency-version: 1.30.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-version: 7.6.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@hono/node-server"
  dependency-version: 1.19.14
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: prismjs
  dependency-version: 1.30.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 11, 2026
@cr-gpt

cr-gpt Bot commented Jun 11, 2026

Copy link
Copy Markdown

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

@ecc-tools

ecc-tools Bot commented Jun 11, 2026

Copy link
Copy Markdown

Analyzing 200 commits...

@ecc-tools

ecc-tools Bot commented Jun 11, 2026

Copy link
Copy Markdown

Analysis Complete

Generated ECC bundle from 1 commits | Confidence: 50%

View Pull Request #28

Repository Profile
Attribute Value
Language TypeScript
Framework Not detected
Commit Convention freeform
Test Directory separate
Changed Files (8)
Metric Value
Files changed 8
Additions 683
Deletions 922

Top hotspots

Path Status +/-
pipes/reddit-auto-posts/package-lock.json modified +169 / -255
pipes/example-pipe/package-lock.json modified +162 / -256
pipes/obsidian/package-lock.json modified +119 / -212
screenpipe-js/cli/package-lock.json modified +163 / -83
pipes/pipe-for-loom/package-lock.json modified +67 / -113

Top directories

Directory Files Total changes
pipes/reddit-auto-posts 2 426
pipes/example-pipe 2 420
pipes/obsidian 2 333
screenpipe-js/cli 1 246
pipes/pipe-for-loom 1 180
Analysis Depth Readiness (commit-history, 7%)

ECC Tools uses this to decide whether recommendations should stay at commit-history/setup guidance or expand into CI, security, harness, reference-set, AI-routing, and team backlog work.

Area Status Evidence / Next Step
Commit history Partial 1 commits sampled
CI/CD signals Missing Add workflow files or CI troubleshooting evidence so ECC Tools can reason about pipeline setup.
Security evidence Missing Add AgentShield, audit, SARIF, SBOM, or security review evidence so recommendations can cover security posture.
Harness configuration Missing Add Claude, Codex, OpenCode, Zed, dmux, MCP, plugin, or cross-harness config evidence for harness-agnostic recommendations.
Reference/eval evidence Missing Add fixtures, golden traces, reference sets, or evaluator benchmarks so deeper recommendations have regression evidence.
AI routing and cost controls Missing Add model-routing, budget, usage, or cost-control files before relying on AI-heavy automation recommendations.
Team handoff and project tracking Missing Add roadmap, runbook, project, Linear, or follow-up tracking docs so generated work can land in a team queue.
Reference Set Readiness (0/7, 0%)
Area Status Evidence / Next Step
Deep analyzer corpus Missing Add analyzer fixture, golden, benchmark, or reference-set files that can catch analyzer regressions.
RAG/evaluator comparison Missing Add retrieval or evaluator reference-set comparison fixtures with expected ranking behavior.
PR salvage/review corpus Missing Add stale-PR, review-thread, reopen-flow, or salvage reference cases for queue cleanup automation.
Discussion triage corpus Missing Add public discussion triage fixtures, golden cases, or reference sets for informational, answered, and no-response classifications.
Harness compatibility Missing Add cross-harness, adapter-compliance, or harness-audit evidence for Claude, Codex, OpenCode, Zed, dmux, and agent surfaces.
Security evidence Missing Attach security evidence such as SBOMs, SARIF, audit reports, or AgentShield evidence packs.
CI failure-mode evidence Missing Add captured CI failure logs, dry-run fixtures, or troubleshooting docs for common workflow failure modes.
Likely Future Issues (1)
Severity Signal Why it may show up
MEDIUM CLI changes may ship without shell or end-to-end coverage 1 CLI surface paths changed; 0 CLI-focused integration or e2e tests changed
  • CLI changes may ship without shell or end-to-end coverage: The PR changes CLI, bin, or command-entry files without touching any obvious CLI-focused integration or end-to-end tests.
Suggested Follow-up Work (1)
Type Suggested title Targets
PR test: add CLI coverage for screenpipe-js/cli/package-lock.json screenpipe-js/cli/package-lock.json
  • test: add CLI coverage for screenpipe-js/cli/package-lock.json: Backfill CLI coverage before another command-surface change lands on the touched paths.

Copy-ready bodies

test: add CLI coverage for screenpipe-js/cli/package-lock.json

## Summary
- Add shell, CLI, or end-to-end coverage for the recently changed command surface.

## Why
- Backfill CLI coverage before another command-surface change lands on the touched paths.

## Touched paths
- `screenpipe-js/cli/package-lock.json`

## Validation
- Add or extend shell, CLI, or end-to-end coverage for the changed command surface.
- Exercise the user-facing command invocation and expected exit/output behavior.
Detected Workflows (1)
Workflow Description
multi-package-dependency-update Updates dependencies across multiple package.json and package-lock.json files in several subdirectories, typically as part of an automated process (e.g., Dependabot).
Generated Instincts (15)
Domain Count
git 2
code-style 9
testing 2
workflow 2

After merging, import with:

/instinct-import .claude/homunculus/instincts/inherited/screenpipe-instincts.yaml

Files

  • .claude/ecc-tools.json
  • .claude/skills/screenpipe/SKILL.md
  • .agents/skills/screenpipe/SKILL.md
  • .agents/skills/screenpipe/agents/openai.yaml
  • .claude/identity.json
  • .codex/config.toml
  • .codex/AGENTS.md
  • .codex/agents/explorer.toml
  • .codex/agents/reviewer.toml
  • .codex/agents/docs-researcher.toml
  • .claude/homunculus/instincts/inherited/screenpipe-instincts.yaml

ECC Tools | Everything Claude Code

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@dependabot @github

dependabot Bot commented on behalf of github Jun 13, 2026

Copy link
Copy Markdown
Author

Superseded by #30.

@dependabot dependabot Bot closed this Jun 13, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/screenpipe-js/cli/npm_and_yarn-46e774b68d branch June 13, 2026 09:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants