Bump the npm_and_yarn group across 2 directories with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the /tools/lint/eslint/eslint-plugin-mozilla directory:

Package	From	To
acorn	7.0.0	7.4.1
ajv	6.10.2	6.15.0
ansi-regex	4.1.0	4.1.1
ansi-regex	3.0.0	3.0.1
brace-expansion	1.1.11	1.1.14
cross-spawn	6.0.5	6.0.6
semver	5.7.1	5.7.2
semver	6.3.0	6.3.1
flatted	2.0.1	3.4.2
js-yaml	3.13.1	4.1.1

Bumps the npm_and_yarn group with 1 update in the /testing/xpcshell/dns-packet directory: ip.

Updates acorn from 7.0.0 to 7.4.1

Commits

• 88c2669 Mark version 7.4.1
• 9c9142a Fix potentially-exponential regular expression in use-strict-scanning
• 54efb62 Mark version 7.4.0
• 856b720 Remove link to plugin that's part of the repository now
• e376a66 add numeric separators
• d20ade2 update test262
• fe7b3f1 add logical assignment operators
• 459fa1e update test262
• 4e2c0e2 Also add license header to other packages
• 31d3b1c Add "MIT License" at the top of acorn License file
• Additional commits viewable in compare view

Updates ajv from 6.10.2 to 6.15.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

v6.12.0

Improved hostname validation (@​sambauers, #1143) Option keywords to add custom keywords (@​franciscomorais, #1137) Types fixes (@​boenrobot, @​MattiAstedrone) Docs:

• error logging example (@​RadiationSickness)
• TypeScript usage notes (@​thetric)

v6.11.0

Time formats support two digit and colon-less variants of timezone offset (#1061 , @​cjpillsbury) Docs: RegExp related security considerations Tests: Disabled failing typescript test

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• Additional commits viewable in compare view

Updates ansi-regex from 4.1.0 to 4.1.1

Commits

• 64735d2 v4.1.1
• 75a657d Fix potential ReDoS (#37)
• See full diff in compare view

Updates ansi-regex from 3.0.0 to 3.0.1

Commits

• 64735d2 v4.1.1
• 75a657d Fix potential ReDoS (#37)
• See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.14

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates cross-spawn from 6.0.5 to 6.0.6

Changelog

Sourced from cross-spawn's changelog.

6.0.6 (2024-11-18)

Bug Fixes

• disable regexp backtracking (#160) (ba5aaef)
• core: support worker threads (#127) (f4af31c)

Commits

• d35c865 chore(release): 6.0.6
• 5a37e19 chore: update package.json and package.lock
• ba5aaef fix: disable regexp backtracking (#160)
• f4af31c fix(core): support worker threads (#127)
• See full diff in compare view

Updates semver from 5.7.1 to 5.7.2

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

• Add version coercion capabilities

5.4

• Add intersection checking

5.3

• Add minSatisfying method

5.2

• Add prerelease(v) that returns prerelease components

5.1

• Add Backus-Naur for ranges
• Remove excessively cute inspection methods

5.0

• Remove AMD/Browserified build artifacts
• Fix ltr and gtr when using the * range
• Fix for range * with a prerelease identifier

Commits

• f8cc313 chore: release 5.7.2
• 2f8fd41 fix: better handling of whitespace (#585)
• deb5ad5 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

• Add version coercion capabilities

5.4

• Add intersection checking

5.3

• Add minSatisfying method

5.2

• Add prerelease(v) that returns prerelease components

5.1

• Add Backus-Naur for ranges
• Remove excessively cute inspection methods

5.0

• Remove AMD/Browserified build artifacts
• Fix ltr and gtr when using the * range
• Fix for range * with a prerelease identifier

Commits

• f8cc313 chore: release 5.7.2
• 2f8fd41 fix: better handling of whitespace (#585)
• deb5ad5 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates flatted from 2.0.1 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates js-yaml from 3.13.1 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
• Added replacer option (similar to option in JSON.stringify), #339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

... (truncated)

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• 2cef47b 4.1.0 released
• 810b149 dist rebuild
• 2b5620e Export built-in types, type override now preserves order
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 9.0.9

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• 8a10e47 9.0.9
• c6f1806 brace-expansion@2
• 446cfa3 9.0.8
• 8fa151a docs: add warning about ReDoS
• 71b78a2 fix partial matching of globstar patterns
• 2de496f 9.0.7
• 0d4616d limit nested extglob recursion, flatten extglobs
• 7117ef3 9.0.6
• 2418458 update deps, do not checkin dist
• 1d1f531 update deps
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates y18n from 4.0.0 to 5.0.8

Release notes

Sourced from y18n's releases.

y18n y18n-v4.0.3

Bug Fixes

• release: 4.x.x should not enforce Node 10 (#126) (1e21a53)

y18n y18n-v4.0.2

Bug Fixes

• security: ensure entry exists for backport (#120) (b22c0df)

Changelog

Sourced from y18n's changelog.

5.0.8 (2021-04-07)

Bug Fixes

• deno: force modern release for Deno (b1c215a)

5.0.7 (2021-04-07)

Bug Fixes

• deno: force release for deno (#121) (d3f2560)

5.0.6 (2021-04-05)

Bug Fixes

• webpack: skip readFileSync if not defined (#117) (6966fa9)

5.0.5 (2020-10-25)

Bug Fixes

• address prototype pollution issue (#108) (a9ac604)

5.0.4 (2020-10-16)

Bug Fixes

• exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#105) (4f85d80)

5.0.3 (2020-10-16)

Bug Fixes

• exports: node 13.0-13.6 require a string fallback (#103) (e39921e)

5.0.2 (2020-10-01)

Bug Fixes

• deno: update types for deno ^1.4.0 (#100) (3834d9a)

5.0.1 (2020-09-05)

... (truncated)

Commits

• 58a9a3c chore: release 5.0.8 (#129)
• b1c215a fix(deno): force modern release for Deno
• e73fb19 chore: release 5.0.7 (#123)
• d3f2560 fix(deno): force release for deno (#121)
• e9fda61 chore: release 5.0.6 (#118)
• 6966fa9 fix(webpack): skip readFileSync if not defined (#117)
• c755582 docs: add entry for v4.0.1 (#114)
• 2d4c56c chore(deps): update dependency standardx to v6 (#110)
• b64ae70 chore: release 5.0.5 (#109)
• a9ac604 fix: address prototype pollution issue (#108)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for y18n since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates yargs-parser from 11.1.1 to 21.1.1

Release notes

Sourced from yargs-parser's releases.

yargs-parser: v21.1.1

21.1.1 (2022-08-04)

Bug Fixes

• typescript: ignore .cts files during publish (#454) (d69f9c3), closes #452

yargs-parser: v21.1.0

21.1.0 (2022-08-03)

Features

• allow the browser build to be imported (#443) (a89259f)

Bug Fixes

• halt-at-non-option: prevent known args from being parsed when "unknown-options-as-args" is enabled (#438) (c474bc1)
• node version check now uses process.versions.node (#450) (d07bcdb)
• parse options ending with 3+ hyphens (#434) (4f1060b)

yargs-parser: v21.0.1

21.0.1 (2022-02-27)

Bug Fixes

• return deno env object (#432) (b00eb87)

yargs-parser yargs-parser-v21.0.0

⚠ BREAKING CHANGES

• drops support for 10 (#421)

Bug Fixes

• esm json import (#416) (90f970a)
• parser should preserve inner quotes (#407) (ae11f49)

Code Refactoring

• drops support for 10 (#421) (3aaf878)

yargs-parser yargs-parser-v20.2.9

... (truncated)

Changelog

Sourced from yargs-parser's changelog.

21.1.1 (2022-08-04)

Bug Fixes

• typescript: ignore .cts files during publish (#454) (d69f9c3), closes #452

21.1.0 (2022-08-03)

Features

• allow the browser build to be imported (#443) (a89259f)

Bug Fixes

• halt-at-non-option: prevent known args from being parsed when "unknown-options-as-args" is enabled (#438) (c474bc1)
• node version check now uses process.versions.node (#450) (d07bcdb)
• parse options ending with 3+ hyphens (#434) (4f1060b)

21.0.1 (2022-02-27)

Bug Fixes

• return deno env object (#432) (b00eb87)

21.0.0 (2021-11-15)

⚠ BREAKING CHANGES

• drops support for 10 (#421)

Bug Fixes

• esm json import (#416) (90f970a)
• parser should preserve inner quotes (#407) (ae11f49)

Code Refactoring

• drops support for 10 (#421) (3aaf878)

20.2.9 (2021-06-20)

Bug Fixes

... (truncated)

Commits

• 3aba24c chore(main): release yargs-parser 21.1.1 (#455)
• d69f9c3 fix(typescript): ignore .cts files during publish (#454)
• 90067a0 chore(main): release yargs-parser 21.1.0 (#446)
• d07bcdb fix: node version check now uses process.versions.node (#450)
• c0c6079 chore(deps): update dependency puppeteer to v16 (#451)
• a89259f feat: allow the browser build to be imported (#443)
• c474bc1 fix(halt-at-non-option): prevent known args from being parsed when "unknown-o...
• fd30238 chore(deps): update dependency serve to v14 (#449)
• a072f9a chore(deps): update dependency puppeteer to v15 (#444)
• 4f1060b fix: parse options ending with 3+ hyphens (#434)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates ip from 1.1.9 to 2.0.1

Commits

• 3b0994a 2.0.1
• 32f468f lib: fixed CVE-2023-42282 and added unit test
• 4b2f4e7 2.0.0
• 369d56d lib: use Buffer.alloc
• a1a101a Merge pull request #38 from bryanwayb/master
• 3d4689e Added npm installation information.
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.