chore(deps): bump the npm_and_yarn group across 2 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
lodash	4.17.21	4.17.23
preact	10.28.1	10.28.4
@anthropic-ai/claude-code	1.0.128	removed
devalue	5.6.1	5.6.3
diff	5.2.0	5.2.2
h3	1.15.4	1.15.5
undici	7.16.0	7.22.0

Bumps the npm_and_yarn group with 1 update in the /.github/actions/translation-tracker directory: @octokit/plugin-paginate-rest.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates preact from 10.28.1 to 10.28.4

Release notes

Sourced from preact's releases.

10.28.4

Fixes

• Fix crash where a synchronous effect render unmounts the tree (#5026, thanks @​JoviDeCroock)

Performance

• Core size optimizations (#5022, thanks @​JoviDeCroock)
• Hooks size optimizations (#5021, thanks @​JoviDeCroock)
• Make oldProps diffing more compact (#5004) (#5019, thanks @​JoviDeCroock)
• Compat size optimizations (#5020, thanks @​JoviDeCroock)
• Land size optimization separately (#5018, thanks @​JoviDeCroock)

10.28.3

Fixes

• Avoid scheduling suspense state udpates (#5006, thanks @​JoviDeCroock)
• Resolve some suspense crashes (#4999, thanks @​JoviDeCroock)
• Support inheriting namespace through portals (#4993, thanks @​JoviDeCroock)

Maintenance

• Update test with addition of _original (#4989, thanks @​JoviDeCroock)

10.28.2

Fixes

• Enforce strict equality for VNode object constructors

Commits

• b4f9cab 10.28.4 (#5027)
• 8cbed5f Fix crash where a synchronous effect render unmounts the tree (#5026)
• 4ac7204 Core size optimizations (#5022)
• e02fd69 Make forEach --> some (#5021)
• 387d8f2 refactor(diff): make oldProps diffing more compact (#5004) (#5019)
• 084b75f Transform forEach to some and consolidate condition (#5020)
• 3c8506d Land size optimization separately (#5018)
• eb1b8c8 10.28.3 (#5007)
• 5023ce8 Avoid scheduling suspense state udpates (#5006)
• 2ac91c4 Resolve some suspense crashes (#4999)
• Additional commits viewable in compare view

Removes @anthropic-ai/claude-code

Updates devalue from 5.6.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• See full diff in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

• b7b6339 v5.2.2
• b5377ab Update package version to 5.2.1
• 7801789 Backport kpdecker/jsdiff#649
• 042a837 Backport kpdecker/jsdiff#647
• See full diff in compare view

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

• Update deps (e2462ec)
• Update ci (c934599)
• Add test:types script (0a4a115)
• Update ci (b4dce71)
• Update publish tag to 1.x (589625c)
• Fix ts issue (c9ebf80)
• Update deps (d18c074)
• Fix more ts/lint issues (bd92b74)

🤖 CI

• Fix publish tag (401c9b8)

❤️ Contributors

• Pooya Parsa (@​pi0)

Commits

• 24231b9 chore(release): v1.15.5
• bd92b74 chore: fix more ts/lint issues
• d18c074 chore: update deps
• c9ebf80 chore: fix ts issue
• 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
• 401c9b8 ci: fix publish tag
• 589625c chore: update publish tag to 1.x
• b4dce71 chore: update ci
• 0a4a115 chore: add test:types script
• c934599 chore: update ci
• Additional commits viewable in compare view

Updates undici from 7.16.0 to 7.22.0

Release notes

Sourced from undici's releases.

v7.22.0

What's Changed

• docs: fix syntax highlighting in WebSocket.md by @​styfle in nodejs/undici#4814
• fix: use OR operator in includesCredentials per WHATWG URL Standard by @​jackhax in nodejs/undici#4816
• feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @​SuperOleg39 in nodejs/undici#4676
• fix: route WebSocket upgrades through onRequestUpgrade by @​mcollina in nodejs/undici#4787
• build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @​dependabot[bot] in nodejs/undici#4821
• fix(deduplicate): do not deduplicate non-safe methods by default by @​mcollina in nodejs/undici#4818
• feat: Support async cache stores in revalidation by @​marcopiraccini in nodejs/undici#4826

New Contributors

• @​jackhax made their first contribution in nodejs/undici#4816
• @​marcopiraccini made their first contribution in nodejs/undici#4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in nodejs/undici#4796
• test: restore global dispatcher after fetch tests by @​mcollina in nodejs/undici#4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in nodejs/undici#4802
• fix: error stream instead of canceling by @​KhafraDev in nodejs/undici#4804
• Fix clientTtl cleanup race in Agent by @​mcollina in nodejs/undici#4807
• feat(#4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in nodejs/undici#4296
• fix: handle undefined __filename in bundled environments by @​mcollina in nodejs/undici#4812
• fix: set finalizer only for fetch responses by @​tsctx in nodejs/undici#4803

New Contributors

• @​piotr-cz made their first contribution in nodejs/undici#4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

What's Changed

• fix: preserve fetch stack traces by @​mcollina in nodejs/undici#4778
• Fix error handling in MockPool example by @​dave-kennedy in nodejs/undici#4781
• feat: expose statusText in request() ResponseData by @​domenic in nodejs/undici#4784
• test: reduce retry-after invalid date flake by @​mcollina in nodejs/undici#4788
• extractBody fixes by @​KhafraDev in nodejs/undici#4791
• fix: MockAgent delayed response with AbortSignal (#4693) by @​mcollina in nodejs/undici#4772
• fix: onParserTimeout potentially accessing undefined by @​vbfox in nodejs/undici#4758

New Contributors

• @​dave-kennedy made their first contribution in nodejs/undici#4781
• @​vbfox made their first contribution in nodejs/undici#4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

What's Changed

... (truncated)

Commits

• 0a23610 Bumped v7.22.0 (#4829)
• f3c5c61 feat: Support async cache stores in revalidation (#4826)
• 9b78a44 fix(deduplicate): avoid deduping methods not in methods option (#4818)
• 0ce57ba build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 (#4821)
• 2453caf fix: route websocket upgrades through new handler API (#4787)
• 4658cdf feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk (#4676)
• a821c56 fix: use OR operator in includesCredentials per WHATWG URL Standard (#4816)
• b3326b5 docs: fix syntax highlighting in WebSocket.md (#4814)
• 393c0da Bumped v7.21.0 (#4813)
• 47f9b96 fix: set finalizer only for fetch responses (#4803)
• Additional commits viewable in compare view

Updates @octokit/plugin-paginate-rest from 2.21.3 to 14.0.0

Release notes

Sourced from @​octokit/plugin-paginate-rest's releases.

v14.0.0

14.0.0 (2025-10-31)

Features

• add immutable releases, enterprise team membership, enterprise team organization endpoints (413e899)

BREAKING CHANGES

• Remove GET /projects/{project_id}/columns
• Remove GET /enterprises/{enterprise}/secret-scanning/alerts

v13.2.1

13.2.1 (2025-10-20)

Bug Fixes

• deps: update @octokit/types (#698) (ba56fbc)

v13.2.0

13.2.0 (2025-09-29)

Features

• new Projects v2 endpoints, new code scanning dismissal endpoints, many other endpoints (#690) (0e236cb)

v13.1.1

13.1.1 (2025-06-27)

Bug Fixes

• handle url in response when using pagination with compareCommits (#686) (8e5da25)

v13.1.0

13.1.0 (2025-06-16)

Features

• add paginatantion support for compareCommits and compareCommitsWithBasehead (#678) (6d8ea8a)

v13.0.1

13.0.1 (2025-05-25)

... (truncated)

Commits

• 413e899 feat: add immutable releases, enterprise team membership, enterprise team org...
• 3d311d6 chore(deps): update dependency @​types/node to v24 (#701)
• ba56fbc fix(deps): update @octokit/types (#698)
• 80745be ci(action): update actions/checkout action to v5 (#687)
• 0e236cb feat: new Projects v2 endpoints, new code scanning dismissal endpoints, many ...
• bf19e3e chore(deps): update dependency prettier to v3.6.2 (#685)
• 4f9fc56 ci(action): update actions/setup-node action to v5 (#688)
• 8e5da25 fix: handle url in response when using pagination with compareCommits (#686)
• 6d8ea8a feat: add paginatantion support for compareCommits and `compareCommitsWith...
• 8ec2713 fix(deps): update @octokit/types - no new paginated endpoints (#680)
• Additional commits viewable in compare view

Updates @octokit/request from 5.6.3 to 10.0.7

Release notes

Sourced from @​octokit/request's releases.

v10.0.7

10.0.7 (2025-11-13)

Bug Fixes

• readme: properly structure the options for custom agent (#786) (f17c1c1), closes #785

v10.0.6

10.0.6 (2025-10-30)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#783) (1aeac56)

v10.0.5

10.0.5 (2025-09-29)

Bug Fixes

• deps: update octokit deps (#772) (30f83b6)

v10.0.4

10.0.4 (2025-09-29)

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#775) (ad78b4c)

v10.0.3

10.0.3 (2025-06-20)

Bug Fixes

• pkg: unreplaced version number in dist-bundle/ (#765) (5b181af)

v10.0.2

10.0.2 (2025-05-20)

Bug Fixes

• deps: update octokit monorepo (major) (#759) (fe8bb4b), closes #728 #760

v10.0.1

10.0.1 (2025-05-20)

... (truncated)

Commits

• f17c1c1 fix(readme): properly structure the options for custom agent (#786)
• ea46fa9 ci(action): update github/codeql-action action to v4 (#778)
• 8166d28 chore(deps): update vitest monorepo to v4 (major) (#781)
• 1aeac56 fix(deps): update dependency @​octokit/types to v16 (#783)
• b5b08a2 ci(action): update actions/setup-node action to v6 (#779)
• 9a78123 chore(deps): update dependency @​types/node to v24 (#782)
• 30f83b6 fix(deps): update octokit deps (#772)
• b07d593 ci(action): update actions/checkout action to v5 (#770)
• 928c3d7 chore(deps): update dependency prettier to v3.6.2 (#766)
• a84613e ci(action): update actions/setup-node action to v5 (#771)
• Additional commits viewable in compare view

Updates @octokit/request-error from 2.1.0 to 7.1.0

Release notes

Sourced from @​octokit/request-error's releases.

v7.1.0

7.1.0 (2025-11-13)

Features

• inherit options from base Error class to add support for the cause property (#535/#536) (2ea2780)

v7.0.2

7.0.2 (2025-10-30)

Bug Fixes

• deps: update dependency @​octokit/types to v16 (#533) (e5a75ef)

v7.0.1

7.0.1 (2025-09-29)

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#522) (4a453f2)

v7.0.0

7.0.0 (2025-05-20)

Continuous Integration

• stop testing against NodeJS v18 (#512) (8eee0c1)

BREAKING CHANGES

• Drop support for NodeJS v18

• build: set minimal node version in build script to v20

• ci: stop testing against NodeJS v18

v6.1.8

6.1.8 (2025-04-10)

Bug Fixes

• deps: update dependency @​octokit/types to v14 (#505) (ab4ea7b)

v6.1.7

... (truncated)

Commits

• 2ea2780 feat: inherit options from base Error class to add support for the cause ...
• ac7b309 chore(deps): update vitest monorepo to v4 (major) (#531)
• dadc76d ci(action): update peter-evans/create-or-update-comment action to v5 (#525)
• f57f2e6 build(deps): lock file maintenance (#534)
• e5a75ef fix(deps): update dependency @​octokit/types to v16 (#533)
• e5d5de2 chore(deps): update dependency @​types/node to v24 (#532)
• 8cc127b ci(action): update actions/setup-node action to v6 (#529)
• b3a876b build(deps): lock file maintenance (#527)
• cf1817b ci(action): update github/codeql-action action to v4 (#528)
• 61f1e87 chore(deps): update dependency tinybench to v5 (#519)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.