build(deps): bump the npm_and_yarn group across 17 directories with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the /pkgs/applications/editors/rstudio directory: ajv, minimatch, tar and yaml.
Bumps the npm_and_yarn group with 1 update in the /pkgs/applications/editors/uivonim directory: ajv.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/applications/networking/browsers/vieb directory: ajv and flatted.
Bumps the npm_and_yarn group with 4 updates in the /pkgs/applications/networking/misc/zammad directory: ajv, minimatch, yaml and flatted.
Bumps the npm_and_yarn group with 1 update in the /pkgs/applications/office/micropad directory: ajv.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/applications/video/epgstation directory: file-type and multer.
Bumps the npm_and_yarn group with 1 update in the /pkgs/applications/video/mirakurun directory: ajv.
Bumps the npm_and_yarn group with 3 updates in the /pkgs/development/compilers/emscripten directory: ajv, minimatch and flatted.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/development/python-modules/apache-airflow directory: yaml and svgo.
Bumps the npm_and_yarn group with 1 update in the /pkgs/development/tools/yarn2nix-moretea/yarn2nix directory: minimatch.
Bumps the npm_and_yarn group with 3 updates in the /pkgs/servers/monitoring/grafana-image-renderer directory: minimatch, yaml and flatted.
Bumps the npm_and_yarn group with 1 update in the /pkgs/servers/monitoring/matrix-alertmanager directory: flatted.
Bumps the npm_and_yarn group with 4 updates in the /pkgs/servers/web-apps/hedgedoc directory: yaml, flatted, file-type and svgo.
Bumps the npm_and_yarn group with 1 update in the /pkgs/servers/web-apps/lemmy directory: serialize-javascript.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/tools/admin/meshcentral directory: ajv and bn.js.
Bumps the npm_and_yarn group with 6 updates in the /pkgs/tools/admin/pgadmin directory:

Package	From	To
ajv	8.9.0	8.18.0
minimatch	3.0.4	3.1.5
yaml	1.10.2	1.10.3
flatted	3.2.2	3.4.2
svgo	2.8.0	2.8.2
underscore	1.13.1	1.13.8

Bumps the npm_and_yarn group with 1 update in the /pkgs/tools/graphics/puppeteer-cli directory: minimatch.

Updates ajv from 6.12.0 to 6.14.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• d580d3e Merge pull request #1298 from ajv-validator/fix-url
• fd36389 fix: regular expression for "url" format
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates tar from 6.1.11 to 6.2.1

Release notes

Sourced from tar's releases.

v6.1.13

6.1.13 (2022-12-07)

Dependencies

• cc4e0dd #343 bump minipass from 3.3.6 to 4.0.0

v6.1.12

6.1.12 (2022-10-31)

Bug Fixes

• 57493ee #332 ensuring close event is emited after stream has ended (@​webark)
• b003c64 #314 replace deprecated String.prototype.substr() (#314) (@​CommanderRoot, @​lukekarrys)

Documentation

• f129929 #313 remove dead link to benchmarks (#313) (@​yetzt)
• c1faa9f add examples/explanation of using tar.t (@​isaacs)

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• 5bc9d40 6.2.0
• fe1ef5e changelog 6.2
• e483220 get rid of npm lint stuff
• 689928a ci that works outside of npm org
• db6f539 file inference improvements for .tbr and .tgz
• 336fa8f refactor: dry and other pr comments
• eeba222 chore: lint fixes
• Additional commits viewable in compare view

Updates yaml from 1.7.2 to 1.10.3

Release notes

Sourced from yaml's releases.

v1.10.2

• prettier/prettier#10510

v1.10.1

This release backports the following non-breaking fixes made during the work on yaml@2 on top of yaml@1.10.0:

• Support for __proto__ as mapping key & anchor identifier (#192)
• Fix broken TS type for BigInt toggle
• Dump long keys properly (#195)
• When folding highly indented lines, require at least minContentWidth chars on the first line (#196)
• Fix YAML.stringify() for certain null values (#197)
• Do not break escaped chars with escaped newlines (#237, awslabs/cdk8s8)
• Set type: "module" within browser/dist/ (#208)
• Use CommonJS for the browser endpoints yaml/types & yaml/util (#208)
• Always stringify non-Node object keys using explicit notation (#218)
• Specify node type of Document.Parsed.contents (#221)
• Add missing type for CST Node.rangeAsLinePos (#222)
• Prefer literal over folded block scalar when lineWidth=0 is set (#232)
• Allow for empty lines after node props (#242)
• Update dev dependencies

v1.10.0

This will probably be the last minor release of yaml@1. I'm aiming to release yaml@2 within a few months; prereleases of that will be published using the next dist-tag on npm. Patch releases for 1.10 may still happen, if necessary.

New Features

• Use Rollup for Node.js & browser builds (#165)
  • This removes most of the internal dist/ paths from the release. If you want/need to use a class or function that is no longer public, please file an issue and we can add it to the exports.
  • Drop dependency on @babel/runtime. After this, the package has 0 runtime dependencies. 🎉
  • Add exports { Alias, Collection, Merge, Node } to 'yaml/types'
• Document Schema.createPair() & make its ctx arg optional (#157)
• Always indent top-level scalars with lines starting with document markers or % directives (#162)
• Use double-space when forcing top-level block scalar indent, for clarity (#162)
• Add getNodes(): string[] method to Anchors (#166)
• Refactor Jest config, adding tests for compiled dist/ endpoints
• Rename & refactor source files. This should have no effect on the results, but lots of stuff moved around

Improved Errors & Warnings

• Throw more helpful error when setting Pair.commentBefore incorrectly (#157)
• Better errors for bad indents (#169)
• Drop incorrect error for flow mapping keys with length > 1024 chars
• Add errors for plain scalars that start with reserved indicators
• Add more explicit errors for block scalar values with bad indents
• Enable log prints during npm start debugging

Improved TypeScript declarations

• Fix/simplify export mapping of 'yaml/types' and 'yaml/util'
• Fix types, dropping AST.{AstNode,ScalarNode,CollectionNode} (#160)
• Add missing toString() methods to AST nodes (#159)
• Add directivesEndMarker to Document type (#167)

... (truncated)

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• 4cdcde6 1.10.2
• 7c0e083 Allow for unindented comment after node props (#242)
• 8ef0157 1.10.1
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• d580d3e Merge pull request #1298 from ajv-validator/fix-url
• fd36389 fix: regular expression for "url" format
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• d580d3e Merge pull request #1298 from ajv-validator/fix-url
• fd36389 fix: regular expression for "url" format
• Additional commits viewable in compare view

Updates flatted from 3.2.5 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates ajv from 8.8.2 to 8.18.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• d580d3e Merge pull request #1298 from ajv-validator/fix-url
• fd36389 fix: regular expression for "url" format
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates yaml from 1.10.2 to 1.10.3

Release notes

Sourced from yaml's releases.

v1.10.2

• prettier/prettier#10510

v1.10.1

This release backports the following non-breaking fixes made during the work on yaml@2 on top of yaml@1.10.0:

• Support for __proto__ as mapping key & anchor identifier (#192)
• Fix broken TS type for BigInt toggle
• Dump long keys properly (#195)
• When folding highly indented lines, require at least minContentWidth chars on the first line (#196)
• Fix YAML.stringify() for certain null values (#197)
• Do not break escaped chars with escaped newlines (#237, awslabs/cdk8s8)
• Set type: "module" within browser/dist/ (#208)
• Use CommonJS for the browser endpoints yaml/types & yaml/util (#208)
• Always stringify non-Node object keys using explicit notation (#218)
• Specify node type of Document.Parsed.contents (#221)
• Add missing type for CST Node.rangeAsLinePos (#222)
• Prefer literal over folded block scalar when lineWidth=0 is set (#232)
• Allow for empty lines after node props (#242)
• Update dev dependencies

v1.10.0

This will probably be the last minor release of yaml@1. I'm aiming to release yaml@2 within a few months; prereleases of that will be published using the next dist-tag on npm. Patch releases for 1.10 may still happen, if necessary.

New Features

• Use Rollup for Node.js & browser builds (#165)
  • This removes most of the internal dist/ paths from the release. If you want/need to use a class or function that is no longer public, please file an issue and we can add it to the exports.
  • Drop dependency on @babel/runtime. After this, the package has 0 runtime dependencies. 🎉
  • Add exports { Alias, Collection, Merge, Node } to 'yaml/types'
• Document Schema.createPair() & make its ctx arg optional (#157)
• Always indent top-level scalars with lines starting with document markers or % directives (#162)
• Use double-space when forcing top-level block scalar indent, for clarity (#162)
• Add getNodes(): string[] method to Anchors (#166)
• Refactor Jest config, adding tests for compiled dist/ endpoints
• Rename & refactor source files. This should have no effect on the results, but lots of stuff moved around

Improved Errors & Warnings

• Throw more helpful error when setting Pair.commentBefore incorrectly (#157)
• Better errors for bad indents (#169)
• Drop incorrect error for flow mapping keys with length > 1024 chars
• Add errors for plain scalars that start with reserved indicators
• Add more explicit errors for block scalar values with bad indents
• Enable log prints during npm start debugging

Improved TypeScript declarations

• Fix/simplify export mapping of 'yaml/types' and 'yaml/util'
• Fix types, dropping AST.{AstNode,ScalarNode,CollectionNode} (#160)
• Add missing toString() methods to AST nodes (#159)
• Add directivesEndMarker to Document type (#167)

... (truncated)

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• 4cdcde6 1.10.2
• 7c0e083 Allow for unindented comment after node props (#242)
• 8ef0157 1.10.1
• Additional commits viewable in compare view

Updates flatted from 3.2.4 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• fe59143 6.12.6
• d580d3e Merge pull request #1298 from ajv-validator/fix-url
• fd36389 fix: regular expression for "url" format
• Additional commits viewable in compare view

Updates file-type from 16.5.3 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

• Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7
• Fix bound recursive BOM and ID3 detection 370ed91

---

sindresorhus/file-type@v21.3.1...v21.3.2

v21.3.1

• Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

---

sindresorhus/file-type@v21.3.0...v21.3.1

v21.3.0

• Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#779) d223491

---

sindresorhus/file-type@v21.2.0...v21.3.0

v21.2.0

• Add support for SPSS data files (#787) 889f638
• Add support for JMP (#784) 093dba0

---

sindresorhus/file-type@v21.1.1...v21.2.0

v21.1.1

• Fix handling of partial Gunzip file (#783) 710e053

---

sindresorhus/file-type@v21.1.0...v21.1.1

v21.1.0

• Add support for .tar.gz (gunzipped tarball file) (#763) eda03a7
• Add support for Windows registry (.reg) files 0db61ec 7d2ddcf
• Add support for Windows registry hive file (.dat) (#767) f8d62be
• Fix: Handle partial unzip (#773) 7ad3a90

---

sindresorhus/file-type@v21.0.0...v21.1.0

v21.0.0

Breaking

... (truncated)

Commits

• e18028c 21.3.2
• a155cd7 Fix ZIP bomb in known-size ZIP probing
• 6954817 Harden parser more
• 370ed91 Fix bound recursive BOM and ID3 detection
• d2ecea1 Add a few more safeguards
• 41fcff5 Update readme
• a8f6934 Fix CI
• ad5857e 21.3.1
• 5d2fedf Harden parser
• 319abf8 Fix infinite loop in ASF parser on malformed input
• Additional commits viewable in compare view

Updates multer from 1.4.3 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

• chore: add node version to 25.x in CI by @​imangas in expressjs/multer#1372
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @​dependabot[bot] in expressjs/multer#1378
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/multer#1377
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @​dependabot[bot] in expressjs/multer#1376
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @​dependabot[bot] in expressjs/multer#1375
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @​dependabot[bot] in expressjs/multer#1374
• fix error/abort handling by @​ctcpip in expressjs/multer#1373
• 2.1.1 by @​UlisesGascon in expressjs/multer#1380

New Contributors

• @​imangas made their first contribution in expressjs/multer#1372
• @​dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

... (truncated)

Changelog

Sourced from multer's changelog.

2.1.1

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

2.0.2

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

2.0.1

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

2.0.0

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

1.4.5-lts.2

• Fix out-of-band error event from busboy (#1177)

1.4.5-lts.1

• No changes

1.4.4-lts.1

• Bugfix: Bump busboy to fix CVE-2022-24434 (#1097)
• Breaking: Require Node.js 10.16.0 or later (#1097)

1.4.4 - 2021-12-07

• Bugfix: Handle missing field names (#913)
• Docs: Add Vietnamese translation (#803)
• Docs: Improve Spanish translation (#948)

Commits

• 368c8a1 2.1.1 (#1380)
• 7e66481 🐛 fix recursion issue
• 643571e ✅ add explicit test for client able to send body without abrupt disconnect
• e86fa52 fix error/abort handling
• ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
• 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
• bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
• c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
• fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
• 17d7f51 chore: add node version to 25.x in CI
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for multer since your current version.

Updates ajv from 6.12.6 to 6.14.0

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges,