build(deps): bump the npm-deps group with 9 updates #6248

Open
dependabot[bot] wants to merge 2 commits into master from dependabot/npm_and_yarn/npm-deps-21bfe9e25b

dependabot Bot commented on behalf of github Jun 21, 2026

Bumps the npm-deps group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| @zxcvbn-ts/core | 4.1.1 | 4.1.2 |
| @zxcvbn-ts/language-common | 4.1.1 | 4.1.2 |
| @zxcvbn-ts/language-en | 4.1.0 | 4.1.1 |
| @types/chrome | 0.1.43 | 0.2.0 |
| eslint-plugin-jsdoc | 63.0.2 | 63.0.7 |
| lint-staged | 17.0.7 | 17.0.8 |
| mailparser | 3.9.9 | 3.9.11 |
| typescript-eslint | 8.61.0 | 8.61.1 |
| undici-types | 8.4.1 | 8.5.0 |

Updates @zxcvbn-ts/core from 4.1.1 to 4.1.2

Commits

Updates @zxcvbn-ts/language-common from 4.1.1 to 4.1.2

Commits

Updates @zxcvbn-ts/language-en from 4.1.0 to 4.1.1

Commits

Updates @types/chrome from 0.1.43 to 0.2.0

Commits

Updates eslint-plugin-jsdoc from 63.0.2 to 63.0.7

Release notes

Sourced from eslint-plugin-jsdoc's releases.

v63.0.7

63.0.7 (2026-06-21)

Bug Fixes

  • no-undefined-types: predefine Iterable/Iterator types; fixes #1712 (804a13d)

v63.0.6

63.0.6 (2026-06-17)

Bug Fixes

  • iterateAllJsdocs free comments after each file (ebe0d08)

v63.0.5

63.0.5 (2026-06-17)

Bug Fixes

  • no-undefined-types: check descendant scopes for variables; fixes #1704 (a50f71f)

v63.0.4

63.0.4 (2026-06-16)

Bug Fixes

  • ensure tsModule check can catch multiple modules (b993425)

v63.0.3

63.0.3 (2026-06-16)

Bug Fixes

  • no-undefined-types: treat TS module vars as defined; fixes #1701 (d8f4738)
Commits
  • 804a13d fix(no-undefined-types): predefine Iterable/Iterator types; fixes #1712
  • ebe0d08 fix: iterateAllJsdocs free comments after each file
  • a50f71f fix(no-undefined-types): check descendant scopes for variables; fixes #1704
  • b993425 fix: ensure tsModule check can catch multiple modules
  • d8f4738 fix(no-undefined-types): treat TS module vars as defined; fixes #1701
  • See full diff in compare view

Updates lint-staged from 17.0.7 to 17.0.8

Release notes

Sourced from lint-staged's releases.

v17.0.8

Patch Changes

  • #1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

  • #1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

Changelog

Sourced from lint-staged's changelog.

17.0.8

Patch Changes

  • #1809 179b437 - Fix lint-staged discarding the ongoing merge conflict status (.git/MERGE_HEAD) when using the --hide-unstaged or --hide-all options.

  • #1811 3d0b2c0 - Fix issues with Git commands that are successful but also emit warnings to stderr, by ignoring the stderr output completely when the process exits with code 0. This was the behavior when using nano-spawn and execa, but when switching to tinyexec in 16.3.0 both stdout and stderr were used as interleaved output.

Commits
  • 5f3b8f2 Merge pull request #1812 from lint-staged/changeset-release/main
  • 43a9b8d chore(changeset): release
  • 630e2f6 Merge pull request #1809 from lint-staged/restore-merge-status
  • 179b437 fix: restore Git merge status after creating backup stash
  • 6bae2e2 Merge pull request #1811 from lint-staged/exec-git-ignore-stderr
  • b82a830 ci: run npm audit omitting dev, including prod dependencies
  • 0b19b80 build(deps): update dependencies
  • 3d0b2c0 fix: ignore stderr when doing Git operations
  • See full diff in compare view

Updates mailparser from 3.9.9 to 3.9.11

Changelog

Sourced from mailparser's changelog.

3.9.11 (2026-06-19)

Bug Fixes

  • bump nodemailer to 9.0.1 (020f140)

3.9.10 (2026-06-15)

Bug Fixes

  • bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4) (262ecff)
Commits
  • 04116f0 chore(master): release 3.9.11 [skip-ci] (#425)
  • 020f140 fix: bump nodemailer to 9.0.1
  • b890336 docs: add PGP-signed SECURITY.txt (RFC 9116) [skip ci]
  • 705c237 chore(master): release 3.9.10 [skip-ci] (#424)
  • 588e483 chore: add CLAUDE.md, security policy and CodeQL workflow, modernize CI
  • 262ecff fix: bump dependencies (nodemailer 9, eslint 10.5, prettier 3.8.4)
  • See full diff in compare view

Updates typescript-eslint from 8.61.0 to 8.61.1

Release notes

Sourced from typescript-eslint's releases.

v8.61.1

8.61.1 (2026-06-15)

🩹 Fixes

  • eslint-plugin: [consistent-indexed-object-style] do not remove comments when fixing (#12396, #10577)
  • eslint-plugin: [no-unnecessary-type-assertion] avoid false positive for template literal expressions (#12281)
  • eslint-plugin: [no-unnecessary-type-assertion] wrap object literal in parens when removing TSTypeAssertion in arrow body (#12394, #12393)
  • eslint-plugin: [no-unnecessary-boolean-literal-compare] fix precedence bug in autofix (#12413)
  • eslint-plugin: [no-unnecessary-template-expression] respect ECMAScript line terminators (#12388)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.61.1 (2026-06-15)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

Updates undici-types from 8.4.1 to 8.5.0

Release notes

Sourced from undici-types's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
| --- | --- | --- | --- | --- |
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 8.5.0 | 32dbf0b3 |
| GHSA-38rv-x7px-6hhq | CVE-2026-9675 | High (7.5) | 8.5.0 | b4c287b3 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 8.5.0 | 42d49559 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 8.2.0 | a516f870 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 8.5.0 | cb105d7c |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 8.5.0 | 5655ea43 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 8.5.0 | 5655ea43 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 8.5.0 | 6ea54ef8 |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770 Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits
  • a0806e1 Bumped v8.5.0 (#5429)
  • 8a0392c test: detect available python command in wpt runner (#5427)
  • f4045b9 ci: increase Node.js workflow timeout (#5426)
  • 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
  • c5ed787 websocket: handle empty fragments and stream limits
  • e114e77 align EventSource with spec (#5418)
  • 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
  • 32dbf0b websocket: limit the number of fragments in a message
  • 0d6ecc5 add bodymixin.textStream() (#5416)
  • 42d4955 fix: honor requestTls when proxy is SOCKS5
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
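
The two WebSocket advisories quoted in the undici release notes above (CVE-2026-12151 and CVE-2026-9675) concern two separate limits during fragment reassembly: total bytes per message and number of fragments per message. The following is an added example, not undici's code and not part of this pull request: a simplified JavaScript reassembler that enforces both. The `FragmentAssembler` class, the `feed` helper, the option names and the limit values are assumptions made for illustration.

```javascript
// Simplified model of WebSocket fragment reassembly. Not undici's code:
// class name, option names and limits are assumptions for this example.
class FragmentAssembler {
  constructor({ maxPayloadSize = 1024 * 1024, maxFragments = 1024 } = {}) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.reset();
  }
  reset() {
    this.fragments = [];
    this.totalBytes = 0;
  }
  // Feed one data frame { fin, payload: Buffer }; returns the whole message
  // when fin is set, else null. Throws on a limit violation, after which the
  // caller should fail the connection (RFC 6455 close code 1009).
  push({ fin, payload }) {
    // Count fragments, not only bytes: empty continuation frames add
    // nothing to totalBytes but still grow the fragments array.
    if (this.fragments.length + 1 > this.maxFragments) {
      this.reset();
      throw new RangeError('too many fragments in one message');
    }
    // Check the running total for the whole message, so frames that are
    // each small cannot add up past the limit.
    if (this.totalBytes + payload.length > this.maxPayloadSize) {
      this.reset();
      throw new RangeError('message exceeds maximum payload size');
    }
    this.fragments.push(payload);
    this.totalBytes += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.fragments, this.totalBytes);
    this.reset();
    return message;
  }
}

// Constructed input: feed `count` non-final frames of `size` bytes each and
// report how the assembler reacted.
function feed(assembler, count, size) {
  try {
    for (let i = 0; i < count; i++) {
      assembler.push({ fin: false, payload: Buffer.alloc(size) });
    }
    return 'accepted';
  } catch (err) {
    return err.message;
  }
}
```

With only the byte check, a stream of zero-length frames is accepted indefinitely; with only a per-frame size check, small frames accumulate past the message limit. Both checks are needed before a fragment is stored.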

Bumps the npm-deps group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [@zxcvbn-ts/core](https://github.com/zxcvbn-ts/zxcvbn) | `4.1.1` | `4.1.2` |
| [@zxcvbn-ts/language-common](https://github.com/zxcvbn-ts/zxcvbn) | `4.1.1` | `4.1.2` |
| [@zxcvbn-ts/language-en](https://github.com/zxcvbn-ts/zxcvbn) | `4.1.0` | `4.1.1` |
| [@types/chrome](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/chrome) | `0.1.43` | `0.2.0` |
| [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc) | `63.0.2` | `63.0.7` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `17.0.7` | `17.0.8` |
| [mailparser](https://github.com/nodemailer/mailparser) | `3.9.9` | `3.9.11` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.61.0` | `8.61.1` |
| [undici-types](https://github.com/nodejs/undici) | `8.4.1` | `8.5.0` |


Updates `@zxcvbn-ts/core` from 4.1.1 to 4.1.2
- [Changelog](https://github.com/zxcvbn-ts/zxcvbn/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zxcvbn-ts/zxcvbn/compare/@zxcvbn-ts/core@4.1.1...@zxcvbn-ts/core@4.1.2)

Updates `@zxcvbn-ts/language-common` from 4.1.1 to 4.1.2
- [Changelog](https://github.com/zxcvbn-ts/zxcvbn/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zxcvbn-ts/zxcvbn/compare/@zxcvbn-ts/language-common@4.1.1...@zxcvbn-ts/language-common@4.1.2)

Updates `@zxcvbn-ts/language-en` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/zxcvbn-ts/zxcvbn/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zxcvbn-ts/zxcvbn/compare/@zxcvbn-ts/language-en@4.1.0...@zxcvbn-ts/language-en@4.1.1)

Updates `@types/chrome` from 0.1.43 to 0.2.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/chrome)

Updates `eslint-plugin-jsdoc` from 63.0.2 to 63.0.7
- [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases)
- [Commits](gajus/eslint-plugin-jsdoc@v63.0.2...v63.0.7)

Updates `lint-staged` from 17.0.7 to 17.0.8
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v17.0.7...v17.0.8)

Updates `mailparser` from 3.9.9 to 3.9.11
- [Release notes](https://github.com/nodemailer/mailparser/releases)
- [Changelog](https://github.com/nodemailer/mailparser/blob/master/CHANGELOG.md)
- [Commits](nodemailer/mailparser@v3.9.9...v3.9.11)

Updates `typescript-eslint` from 8.61.0 to 8.61.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint)

Updates `undici-types` from 8.4.1 to 8.5.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v8.4.1...v8.5.0)

---
updated-dependencies:
- dependency-name: "@zxcvbn-ts/core"
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@zxcvbn-ts/language-common"
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@zxcvbn-ts/language-en"
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: "@types/chrome"
  dependency-version: 0.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
- dependency-name: eslint-plugin-jsdoc
  dependency-version: 63.0.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: lint-staged
  dependency-version: 17.0.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: mailparser
  dependency-version: 3.9.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: typescript-eslint
  dependency-version: 8.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-deps
- dependency-name: undici-types
  dependency-version: 8.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) Jun 21, 2026
dependabot Bot requested a review from sosnovsky as a code owner June 21, 2026 22:04
FlowCryptRobot previously approved these changes Jun 21, 2026
FlowCryptRobot enabled auto-merge (squash) June 21, 2026 22:04