frontend(deps): bump the npm_and_yarn group across 1 directory with 3 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /frontend directory: axios, node-forge and undici.

Updates axios from 1.11.0 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

• 1cea0af Release 1.3.3.
• 5265989 Update changelog.
• e4f3961 Fix changelog for release.
• 503979b Update changelog.
• c3b3b32 Make digestAlgorithm parameters optional
• 6f70043 Update CVE details.
• f547b0d Start 1.3.3-0.
• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• Additional commits viewable in compare view

Updates undici from 6.21.3 to 6.23.0

Release notes

Sourced from undici's releases.

v6.23.0

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

What's Changed

• fix: fix wrong stream canceled up after cloning (v6) by @​snyamathi in nodejs/undici#4414
• [Backport v6.x] fix: fix EnvHttpProxyAgent for the Node.js bundle by @​github-actions[bot] in nodejs/undici#4432
• feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180) by @​metcoder95 in nodejs/undici#4433
• feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#4180) (#4340) by @​metcoder95 in nodejs/undici#4445
• Backport 4472 to v6.x by @​Uzlopak in nodejs/undici#4480

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

Commits

• fbc31e2 Bumped v6.23.0
• 3477c94 chore: release flow using provenance
• d3aafea fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• f9c9185 Bumped v6.22.0
• f670f2a feat: make UndiciErrors reliable to instanceof (#4472) (#4480)
• 422e397 feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#41...
• 4a06ffe feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180)...
• 4cb3974 fix: fix EnvHttpProxyAgent for the Node.js bundle (#4064) (#4432)
• 44c23e5 fix: fix wrong stream canceled up after cloning (v6) (#4414)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Assignees

The following users could not be added as assignees: arsheenali. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: frontend. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

❌ Your project check has failed because the head coverage (4.15%) is below the target coverage (70.00%). You can increase the head coverage or adjust the target coverage.

@@          Coverage Diff           @@
##            main    #166    +/-   ##
======================================
  Coverage   4.15%   4.15%            
======================================
  Files        160     160            
  Lines      35212   35212            
  Branches    4108    4003   -105     
======================================
  Hits        1462    1462            
  Misses     33659   33659            
  Partials      91      91            

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dc7328f...074b975. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.