chore(deps): bump the npm_and_yarn group across 19 directories with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /apps/database-new directory: next.
Bumps the npm_and_yarn group with 1 update in the /apps/docs directory: next.
Bumps the npm_and_yarn group with 1 update in the /apps/studio directory: next.
Bumps the npm_and_yarn group with 1 update in the /apps/www directory: next.
Bumps the npm_and_yarn group with 4 updates in the /examples/auth/nextjs directory: next, brace-expansion, flatted and picomatch.
Bumps the npm_and_yarn group with 3 updates in the /examples/caching/with-cloudflare-workers-kv directory: path-to-regexp, picomatch and node-forge.
Bumps the npm_and_yarn group with 4 updates in the /examples/caching/with-nextjs-13 directory: next, brace-expansion, flatted and picomatch.
Bumps the npm_and_yarn group with 4 updates in the /examples/caching/with-nextjs-13-server-components directory: next, brace-expansion, flatted and picomatch.
Bumps the npm_and_yarn group with 4 updates in the /examples/realtime/nextjs-auth-presence directory: next, brace-expansion, flatted and picomatch.
Bumps the npm_and_yarn group with 4 updates in the /examples/slack-clone/nextjs-slack-clone directory: next, brace-expansion, yaml and picomatch.
Bumps the npm_and_yarn group with 5 updates in the /examples/todo-list/nextjs-todo-list directory:

Package	From	To
next	13.1.6	15.5.14
brace-expansion	1.1.11	1.1.13
yaml	1.10.2	1.10.3
flatted	3.2.7	3.4.2
picomatch	2.3.1	2.3.2

Bumps the npm_and_yarn group with 3 updates in the /examples/todo-list/sveltejs-todo-list directory: brace-expansion, yaml and picomatch.
Bumps the npm_and_yarn group with 4 updates in the /examples/user-management/angular-user-management directory: path-to-regexp, brace-expansion, flatted and serialize-javascript.
Bumps the npm_and_yarn group with 6 updates in the /examples/user-management/expo-push-notifications directory:

Package	From	To
brace-expansion	1.1.11	1.1.13
yaml	2.3.3	2.8.3
fast-xml-parser	4.3.2	4.5.6
picomatch	2.3.1	2.3.2
node-forge	1.3.1	1.4.0
@xmldom/xmldom	0.7.13	0.8.12

Bumps the npm_and_yarn group with 7 updates in the /examples/user-management/expo-user-management directory:

Package	From	To
path-to-regexp	0.1.7	0.1.13
brace-expansion	1.1.11	1.1.13
yaml	1.10.2	1.10.3
fast-xml-parser	4.5.0	4.5.6
picomatch	2.3.1	2.3.2
node-forge	1.3.1	1.4.0
@xmldom/xmldom	0.7.10	0.7.13

Bumps the npm_and_yarn group with 4 updates in the /examples/user-management/nextjs-user-management directory: next, brace-expansion, flatted and picomatch.
Bumps the npm_and_yarn group with 5 updates in the /examples/user-management/nuxt3-user-management directory:

Package	From	To
brace-expansion	1.1.11	1.1.13
brace-expansion	2.0.1	2.0.3
yaml	2.5.1	2.8.3
flatted	3.3.1	3.4.2
picomatch	2.3.1	2.3.2
serialize-javascript	6.0.2	7.0.5

Bumps the npm_and_yarn group with 2 updates in the /examples/user-management/sveltekit-user-management directory: brace-expansion and picomatch.
Bumps the npm_and_yarn group with 3 updates in the /examples/with-cloudflare-workers directory: path-to-regexp, picomatch and node-forge.

Updates next from 14.2.35 to 16.2.2

Release notes

Sourced from next's releases.

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

v16.2.1

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.1-canary.18

Core Changes

• Add telemetry for adapterPath config usage: #92228
• Node.js streams: First pass: #90500
• fix: preserve HTTP access fallbacks during prerender recovery: #92231
• Remove unnecessary ALS re-exports from entry-base.ts: #91527
• Allow multi-level .localhost subdomains in dev origin check: #92262

Misc Changes

... (truncated)

Commits

• 52faae3 v16.2.2
• 8d0f77b Backport: #92177
• e151e5f Fix CI for glibc linux builds
• 1a319ea [backport] Fix CSS HMR on Safari (#92174)
• c0edad2 Turbopack: exclude metadata routes from server HMR (#92034)
• d644699 Turbopack: enable server HMR for app route handlers (#91466)
• 34de2ca next.config.js: Accept an option for serverFastRefresh (#91968)
• c4779d1 [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• edcf19a Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• eee3f52 backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.2.2

Release notes

Sourced from next's releases.

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

v16.2.1

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.1-canary.18

Core Changes

• Add telemetry for adapterPath config usage: #92228
• Node.js streams: First pass: #90500
• fix: preserve HTTP access fallbacks during prerender recovery: #92231
• Remove unnecessary ALS re-exports from entry-base.ts: #91527
• Allow multi-level .localhost subdomains in dev origin check: #92262

Misc Changes

... (truncated)

Commits

• 52faae3 v16.2.2
• 8d0f77b Backport: #92177
• e151e5f Fix CI for glibc linux builds
• 1a319ea [backport] Fix CSS HMR on Safari (#92174)
• c0edad2 Turbopack: exclude metadata routes from server HMR (#92034)
• d644699 Turbopack: enable server HMR for app route handlers (#91466)
• 34de2ca next.config.js: Accept an option for serverFastRefresh (#91968)
• c4779d1 [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• edcf19a Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• eee3f52 backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.2.2

Release notes

Sourced from next's releases.

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

v16.2.1

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.1-canary.18

Core Changes

• Add telemetry for adapterPath config usage: #92228
• Node.js streams: First pass: #90500
• fix: preserve HTTP access fallbacks during prerender recovery: #92231
• Remove unnecessary ALS re-exports from entry-base.ts: #91527
• Allow multi-level .localhost subdomains in dev origin check: #92262

Misc Changes

... (truncated)

Commits

• 52faae3 v16.2.2
• 8d0f77b Backport: #92177
• e151e5f Fix CI for glibc linux builds
• 1a319ea [backport] Fix CSS HMR on Safari (#92174)
• c0edad2 Turbopack: exclude metadata routes from server HMR (#92034)
• d644699 Turbopack: enable server HMR for app route handlers (#91466)
• 34de2ca next.config.js: Accept an option for serverFastRefresh (#91968)
• c4779d1 [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• edcf19a Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• eee3f52 backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 16.2.2

Release notes

Sourced from next's releases.

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

v16.2.1

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.1-canary.18

Core Changes

• Add telemetry for adapterPath config usage: #92228
• Node.js streams: First pass: #90500
• fix: preserve HTTP access fallbacks during prerender recovery: #92231
• Remove unnecessary ALS re-exports from entry-base.ts: #91527
• Allow multi-level .localhost subdomains in dev origin check: #92262

Misc Changes

... (truncated)

Commits

• 52faae3 v16.2.2
• 8d0f77b Backport: #92177
• e151e5f Fix CI for glibc linux builds
• 1a319ea [backport] Fix CSS HMR on Safari (#92174)
• c0edad2 Turbopack: exclude metadata routes from server HMR (#92034)
• d644699 Turbopack: enable server HMR for app route handlers (#91466)
• 34de2ca next.config.js: Accept an option for serverFastRefresh (#91968)
• c4779d1 [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• edcf19a Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• eee3f52 backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Additional commits viewable in compare view

Updates next from 13.4.3 to 15.5.14

Release notes

Sourced from next's releases.

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

v16.2.1

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.1-canary.18

Core Changes

• Add telemetry for adapterPath config usage: #92228
• Node.js streams: First pass: #90500
• fix: preserve HTTP access fallbacks during prerender recovery: #92231
• Remove unnecessary ALS re-exports from entry-base.ts: #91527
• Allow multi-level .localhost subdomains in dev origin check: #92262

Misc Changes

... (truncated)

Commits

• 52faae3 v16.2.2
• 8d0f77b Backport: #92177
• e151e5f Fix CI for glibc linux builds
• 1a319ea [backport] Fix CSS HMR on Safari (#92174)
• c0edad2 Turbopack: exclude metadata routes from server HMR (#92034)
• d644699 Turbopack: enable server HMR for app route handlers (#91466)
• 34de2ca next.config.js: Accept an option for serverFastRefresh (#91968)
• c4779d1 [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• edcf19a Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• eee3f52 backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.13

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates flatted from 3.2.7 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates path-to-regexp from 6.2.1 to 6.3.0

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking in 6.x

Fixed

• Add backtrack protection to 6.x (#324) f1253b4

pillarjs/path-to-regexp@v6.2.2...v6.3.0

Updated README

No API changes. Documentation only release.

Changed

• Fix readme example c7ec332
• Update shield URL e828000

pillarjs/path-to-regexp@v6.2.1...v6.2.2

Commits

• 75a92c3 6.3.0
• f1253b4 Add backtrack protection to 6.x (#324)
• 28a5b27 6.2.2
• 270876d Test on min node 16
• d5a42b6 Run tests on ubuntu
• 1c265a1 Upgrade dev deps, prettier format
• c7ec332 Fix readme example
• 25da491 Bump node v14 for tests
• 980d1db Add v8 coverage
• e828000 Update shield URL
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates node-forge from 1.3.1 to 1.4.0

Changelog

Sourced from node-forge's changelog.

1.4.0 - 2026-03-24

Security

• HIGH: Denial of Service in BigInteger.modInverse()
  • A Denial of Service (DoS) vulnerability exists due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.
  • Reported by Kr0emer.
  • CVE ID: CVE-2026-33891
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: Signature forgery in RSA-PKCS due to ASN.1 extra field.
  • RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN.1 structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an addition field within the ASN.1 structure, rather than outside of it.
  • Additionally, forge does not validate that signatures include a minimum of 8 bytes of padding as defined by the specification, providing attackers additional space to construct Bleichenbacher forgeries.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33894
  • GHSA ID: GHSA-ppp5-5v6c-4jwp
• HIGH: Signature forgery in Ed25519 due to missing S < L check.
  • Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying on signature uniqueness (i.e., dedup by signature bytes, replay tracking, signed-object canonicalization checks) may be bypassed.
  • Reported as part of a U.C. Berkeley security research project by:
    • Austin Chu, Sohee Kim, and Corban Villa.
  • CVE ID: CVE-2026-33895
  • GHSA ID: GHSA-q67f-28xg-22rw
• HIGH: basicConstraints bypass in certificate chain verification.
  • pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
  • Reported by Doruk Tan Ozturk (@​peaktwilight) - doruk.ch
  • CVE ID: CVE-2026-33896
  • GHSA ID: GHSA-2328-f5f3-gj25

... (truncated)

Commits

• fa385f9 Release 1.4.0.
• 07d4e16 Update changelog.
• <...

  Description has been truncated