chore(deps): bump the dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the dependencies group with 7 updates in the / directory:

Package	From	To
ini	6.0.0	7.0.0
markdown-it	14.1.1	14.2.0
vis-data	8.0.3	8.0.4
vis-network	10.0.2	10.1.0
cacache	20.0.4	21.0.0
find-my-way	9.5.0	9.6.0
ws	8.20.0	8.21.0

Updates ini from 6.0.0 to 7.0.0

Release notes

Sourced from ini's releases.

v7.0.0

7.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

• ini now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• template-oss-apply

Features

• 55b6841 #301 bump to new node engine range (@​owlstronaut)
• 2b11ba8 #301 template-oss-apply (@​owlstronaut)

Chores

• f6ed5be #301 template-oss-apply (@​owlstronaut)
• a2c835e #293 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#293) (@​dependabot[bot])
• 3661dce #296 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#296) (@​dependabot[bot], @​npm-cli-bot)

Changelog

Sourced from ini's changelog.

7.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

• ini now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• template-oss-apply

Features

• 55b6841 #301 bump to new node engine range (@​owlstronaut)
• 2b11ba8 #301 template-oss-apply (@​owlstronaut)

Chores

• f6ed5be #301 template-oss-apply (@​owlstronaut)
• a2c835e #293 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#293) (@​dependabot[bot])
• 3661dce #296 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#296) (@​dependabot[bot], @​npm-cli-bot)

Commits

• 847941c chore: release 7.0.0 (#302)
• f6ed5be chore: template-oss-apply
• 55b6841 feat!: bump to new node engine range
• 2b11ba8 feat!: template-oss-apply
• e8d16cb deps & engine update
• 3661dce chore: bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#296)
• 5d67f4b chore: bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#294)
• a2c835e chore: bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#293)
• See full diff in compare view

Updates markdown-it from 14.1.1 to 14.2.0

Changelog

Sourced from markdown-it's changelog.

[14.2.0] - 2026-05-24

Added

• isPunctCharCode to utilities.

Fixed

• Don't end HTML comment blocks on a blank line, #1155.
• Properly recognize astral chars (surrogates) in delimiter scans for emphasis-like markers, #1072. Big thanks to @​tats-u for his global efforts with improving CJK support.
• Preserve unicode whitespaces when trimm headings/paragraphs, #1074.
• More strict entities decode to avoid false positives ;, #1096.
• Restore block parser state on fail in lheading rule, #1131.

Security

• Fixed poor smartquotes perfomance on > 70k quotes in single block
• Bumped linkify-it to 5.0.1 with fixed potential perfomance issues.

Commits

• 829797a 14.2.0 released
• 9ce2087 Fix smartquotes perfomance
• 02e73b8 linkify-it bump
• 68cfb8c fix: don't end HTML comment blocks on a blank line (#1155)
• 1083137 Readme cleanup
• 97c7ca2 Update funding info
• c471b55 Changelog update
• 7769621 isPunctChar => isPunctCharCode
• aa2aa70 fix: always reset parentType in lheading rule (#1131)
• 59955f2 Polish PRs #1072, #1074
• Additional commits viewable in compare view

Updates vis-data from 8.0.3 to 8.0.4

Release notes

Sourced from vis-data's releases.

v8.0.4

8.0.4 (2026-05-07)

Bug Fixes

• deps: support UUID v14 and use it in standalone/peer exports (#1319) (c49bf5d)

Commits

• c49bf5d fix(deps): support UUID v14 and use it in standalone/peer exports (#1319)
• 5a483c8 chore(deps): update pnpm to v10.33.3 (#1318)
• dc8b13b chore(deps): update pnpm to v10.33.2 (#1317)
• f55718b chore(deps): update dependency npm to v11.13.0 (#1315)
• 107f97d chore(deps): update pnpm to v10.33.1 (#1314)
• 10801df chore(deps): update node.js to v24.15.0 (#1312)
• a2afb64 chore(deps): update node.js to v24.15.0 (#1311)
• a758ad9 chore(deps): update dependency @​types/node to v24.12.2 (#1309)
• 2aab1e4 chore(deps): update dependency typedoc to v0.28.19 (#1310)
• cc295b7 chore(deps): update dependency npm to v11.12.1 (#1308)
• Additional commits viewable in compare view

Updates vis-network from 10.0.2 to 10.1.0

Release notes

Sourced from vis-network's releases.

v10.1.0

10.1.0 (2026-05-15)

Features

• physics: add custom wind function with nodeId argument (#2430) (5e1608c)

v10.0.3

10.0.3 (2026-05-07)

Bug Fixes

• deps: support UUID v14 and use it in standalone/peer exports (#2425) (224e002)

Commits

• 5e1608c feat(physics): add custom wind function with nodeId argument (#2430)
• dfa56ec chore(deps): update dependency npm to v11.14.0 (#2427)
• 63a21b0 chore: migrate from Volta to Mise (#2428)
• 8e2233a chore(deps): update pnpm to v10.33.4 (#2426)
• 224e002 fix(deps): support UUID v14 and use it in standalone/peer exports (#2425)
• 1bd028e chore(deps): update dependency uuid to v13.0.2 (#2422)
• ba4c24c chore(deps): update pnpm to v10.33.3 (#2421)
• e77e3c9 chore(deps): update dependency postcss to v8.5.14 (#2420)
• 977ac39 chore(deps): update dependency postcss to v8.5.13 (#2419)
• dbe1536 chore(deps): update dependency npm to v11.13.0 (#2418)
• Additional commits viewable in compare view

Updates cacache from 20.0.4 to 21.0.0

Release notes

Sourced from cacache's releases.

v21.0.0

21.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

• cacache now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• template-oss-apply

Features

• 224c45a #339 bump to new node engine range (@​owlstronaut)
• 2929aa5 #339 template-oss-apply (@​owlstronaut)

Dependencies

• 4a9b643 #339 ssri@14.0.0
• 23f4ca7 #339 @npmcli/fs@6.0.0

Chores

• 8f85b88 #339 template-oss-apply (@​owlstronaut)
• af6256e #339 bumping @​npmcli/template-oss from 4.30.0 to 5.1.0 (@​owlstronaut)
• c1a85be #330 template-oss-apply (#330) (@​owlstronaut)
• 5929444 #331 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#331) (@​dependabot[bot], @​npm-cli-bot)

Changelog

Sourced from cacache's changelog.

21.0.0 (2026-05-18)

⚠️ BREAKING CHANGES

• cacache now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• template-oss-apply

Features

• 224c45a #339 bump to new node engine range (@​owlstronaut)
• 2929aa5 #339 template-oss-apply (@​owlstronaut)

Dependencies

• 4a9b643 #339 ssri@14.0.0
• 23f4ca7 #339 @npmcli/fs@6.0.0

Chores

• 8f85b88 #339 template-oss-apply (@​owlstronaut)
• af6256e #339 bumping @​npmcli/template-oss from 4.30.0 to 5.1.0 (@​owlstronaut)
• c1a85be #330 template-oss-apply (#330) (@​owlstronaut)
• 5929444 #331 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#331) (@​dependabot[bot], @​npm-cli-bot)

Commits

• 1e665fb chore: release 21.0.0 (#340)
• 4a9b643 deps: ssri@14.0.0
• 23f4ca7 deps: @​npmcli/fs@​6.0.0
• 8f85b88 chore: template-oss-apply
• 224c45a feat!: bump to new node engine range
• 2929aa5 feat!: template-oss-apply
• af6256e chore: bumping @​npmcli/template-oss from 4.30.0 to 5.1.0
• 5929444 chore: bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#331)
• c1a85be chore: template-oss-apply (#330)
• See full diff in compare view

Updates find-my-way from 9.5.0 to 9.6.0

Release notes

Sourced from find-my-way's releases.

v9.6.0

What's Changed

• chore: bump borp from 0.21.0 to 1.0.0 in the dev-dependencies group by @​dependabot[bot] in delvedor/find-my-way#419
• perf: optimize bitmask handler retrieval using Math.clz32 by @​gurgunday in delvedor/find-my-way#420
• chore: bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 by @​dependabot[bot] in delvedor/find-my-way#429
• chore: bump pre-commit from 1.2.2 to 2.0.0 in the dev-dependencies group by @​dependabot[bot] in delvedor/find-my-way#430
• feat: add onMaxParamLength to support 414 URI Too Long by @​oldregime in delvedor/find-my-way#432

New Contributors

• @​oldregime made their first contribution in delvedor/find-my-way#432

Full Changelog: delvedor/find-my-way@v9.5.0...v9.6.0

Commits

• 7d3ec5f feat: add onMaxParamLength to support 414 URI Too Long (#432)
• 8a557ee chore: bump pre-commit from 1.2.2 to 2.0.0 in the dev-dependencies group (#430)
• 120d64a chore: bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 (#429)
• eb8ec6f perf: optimize bitmask handler retrieval using Math.clz32 (#420)
• 24df8d2 chore: bump borp from 0.21.0 to 1.0.0 in the dev-dependencies group (#419)
• See full diff in compare view

Updates ws from 8.20.0 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: aec5550

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vis-data@​8.0.3 ⏵ 8.0.4	+1
	markdown-it@​14.1.1 ⏵ 14.2.0	+1		+1
	find-my-way@​9.6.0
	ini@​7.0.0
	cacache@​21.0.0
	vis-network@​10.0.2 ⏵ 10.1.0	+1
	ws@​8.20.0 ⏵ 8.21.0	+1	+2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/markdown-it@14.2.0 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report