chore(deps): bump the npm_and_yarn group across 5 directories with 24 updates

[dependabot]

Bumps the npm_and_yarn group with 16 updates in the / directory:

Package	From	To
validator	13.12.0	13.15.22
aws-sdk	2.925.0	2.1693.0
jsonwebtoken	8.5.1	9.0.0
jszip	3.7.0	3.8.0
nanoid	3.3.4	3.3.8
axios	1.9.0	1.13.5
@langchain/community	0.0.32	1.1.14
@langchain/core	0.1.63	0.3.80
langchain	0.1.37	0.2.19
semver	5.7.0	5.7.2
js-yaml	3.14.1	3.14.2
body-parser	1.19.0	1.20.4
express	4.17.1	4.22.1
cookie	0.4.0	0.7.2
decode-uri-component	0.2.0	0.2.2
jws	3.2.2	3.2.3

Bumps the npm_and_yarn group with 3 updates in the /ai-assistants-samples directory: @langchain/community, @langchain/core and langchain.
Bumps the npm_and_yarn group with 1 update in the /patient-appointment-management directory: jsonwebtoken.
Bumps the npm_and_yarn group with 1 update in the /voice-client-javascript directory: jsonwebtoken.
Bumps the npm_and_yarn group with 1 update in the /voice-javascript-sdk directory: jsonwebtoken.

Updates validator from 13.12.0 to 13.15.22

Release notes

Sourced from validator's releases.

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

New Contributors

• @​mbtools made their first contribution in validatorjs/validator.js#2622
• @​koral-- made their first contribution in validatorjs/validator.js#2616

Full Changelog: validatorjs/validator.js@13.15.20...13.15.22

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

New Contributors

• @​stoneLeaf made their first contribution in validatorjs/validator.js#2563
• @​WardKhaddour made their first contribution in validatorjs/validator.js#2556
• @​avadootharajesh made their first contribution in validatorjs/validator.js#2576
• @​KrayzeeKev made their first contribution in validatorjs/validator.js#2574
• @​iamAmer made their first contribution in validatorjs/validator.js#2584
• @​camillobruni made their first contribution in validatorjs/validator.js#2581
• @​theofidry made their first contribution in validatorjs/validator.js#2608

Full Changelog: validatorjs/validator.js@13.15.15...13.15.20

13.15.15

Fixes, New Locales and Enhancements

• isMobilePhone
  • #2514 improve el-CY locale @​rezk2ll
  • #2512 improve pt-AO locale @​renaldodev
  • #2502 improve ar-OM locale @​tomcastro
• #2089 isIP: allow usage of option object @​pixelbucket-dev
• #2526 isPassportNumber: improve CA locale @​evanbechtol
• #2491 isBase64: improve validation based on RFC4648 @​aseyfpour
• #2479 isPostalCode: improve FR locale @​Rajput-Balram
• #2088 isBefore: allow usage of option object @​pixelbucket-dev
• #2346 isRgbColor: allow second digit in rgba alpha value @​controlol

... (truncated)

Changelog

Sourced from validator's changelog.

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

13.15.15

Fixes, New Locales and Enhancements

• isMobilePhone
  • #2514 improve el-CY locale @​rezk2ll
  • #2512 improve pt-AO locale @​renaldodev
  • #2502 improve ar-OM locale @​tomcastro
• #2089 isIP: allow usage of option object @​pixelbucket-dev
• #2526 isPassportNumber: improve CA locale @​evanbechtol
• #2491 isBase64: improve validation based on RFC4648 @​aseyfpour
• #2479 isPostalCode: improve FR locale @​Rajput-Balram
• #2088 isBefore: allow usage of option object @​pixelbucket-dev
• #2346 isRgbColor: allow second digit in rgba alpha value @​controlol
• #2453 isIP: improve IPv6 regex @​ShreySinha02
• #2052 isPostalCode: add PK locale @​mateeni-dev
• #2529 isPostalCode: improve TW locale @​Crocsx
• #2550 isPassportNumber: improve US locale @​yitzchak-schechter
• #2553 isUUID: add loose option @​bc-m
• #2551 isPostalCode: add BD locale @​tanvirrb
• #2555 isLicensePlate: improve pt-PT locale @​castrosu
• Doc fixes and others:
  • #2372 @​EmersonRabelo
  • #2538 @​WikiRik
  • #2539 @​WikiRik
  • #2540 @​WikiRik
  • #2549 @​WikiRik
  • #2537 @​sgress454

... (truncated)

Commits

• f2b5c17 maintenance: 2511 release (#2627)
• d457eca fix(isLength): correctly handle Unicode variation selectors (#2616)
• f2e3633 docs: add install instructions to contibution guide (#2621)
• cf40145 fix: URL validation for hostnames with ports (no protocol) (#2622)
• 4af6124 maintenance: 2510 release (#2585)
• 30d4fe0 13.15.20
• cbef508 fix(isURL): improve protocol detection. Resolves CVE-2025-56200 (#2608)
• 6f436be Fix typo in validators.test.js (#2581)
• 3c85708 Fix: correct French VAT (FR) validation regex and add tests (#2584)
• eee525c #2491 #2573 Simplify isBase64 to prevent stack overflow (#2574)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wikirik, a new releaser for validator since your current version.

Updates aws-sdk from 2.925.0 to 2.1693.0

Release notes

Sourced from aws-sdk's releases.

Release v2.1693.0

See changelog for more information.

Release v2.1692.0

See changelog for more information.

Release v2.1691.0

See changelog for more information.

Release v2.1690.0

See changelog for more information.

Release v2.1689.0

See changelog for more information.

Release v2.1688.0

See changelog for more information.

Release v2.1687.0

See changelog for more information.

Release v2.1686.0

See changelog for more information.

Release v2.1685.0

See changelog for more information.

Release v2.1684.0

See changelog for more information.

Release v2.1683.0

See changelog for more information.

Release v2.1682.0

See changelog for more information.

Release v2.1681.0

See changelog for more information.

Release v2.1680.0

See changelog for more information.

Release v2.1679.0

See changelog for more information.

Release v2.1678.0

See changelog for more information.

Release v2.1677.0

See changelog for more information.

... (truncated)

Commits

• 9d3c66e Updates SDK to v2.1693.0
• c039567 test(client-elastictranscoder): remove feature test (#4711)
• f5b1a6f docs: end-of-support (#4706)
• 657d6fe chore: use ssh private key for git sync (#4705)
• c12585b chore: remove regression label management (#4699)
• 966fa6c Updates SDK to v2.1692.0
• 5d0e38a Delete EC2 launch configuration e2e tests (#4685)
• b9ce346 chore: fix issue config (#4683)
• c066681 Update issue template config and disable docs requests (#4682)
• 163a7cf Modified bug issue template to add checkbox to report potential regression. (...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by aws-sdk-bot, a new releaser for aws-sdk since your current version.

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.

Updates jsonwebtoken from 8.5.1 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Commits

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
• 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
• 7e6a86b Upload OpsLevel YAML (#849)
• 74d5719 docs: update references vercel/ms references (#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
• a46097e docs: make decode impossible to discover before verify
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Updates jszip from 3.7.0 to 3.8.0

Changelog

Sourced from jszip's changelog.

v3.8.0 2022-03-30

• Santize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1 2021-08-05

• Fix build of dist files.
  • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

Commits

• 3b98cfc 3.8.0
• 2edab36 Sanitize filenames with loadAsync to prevent zip slip attacks
• 1f631b0 Update contributing
• 459ff79 Add tests for utils that remove leading slash
• d4702a7 Merge pull request #541 from PatricSteffen/patch-1
• 2ebb7e8 Merge pull request #737 from satoshicano/update-types-JSZipLoadOptions
• 85c4989 Merge pull request #796 from Stuk/ghci
• 40cc7f4 Add dependency caching
• 5ee321e Install deps needed for Playwright on Github Actions
• eeb841e Remove code and dependencies used for Saucelabs
• Additional commits viewable in compare view

Updates nanoid from 3.3.4 to 3.3.8

Changelog

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

3.3.7

• Fixed node16 TypeScript support (by Saadi Myftija).

3.3.6

• Fixed package.

3.3.5

• Backport funding information.

Commits

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• 89d82d2 Release 3.3.7 version
• 5022c35 Update dual-publish
• 3e7a8e5 Remove benchmark from CI for v3
• d356144 Fix CI for v3
• 37b25df Move to pnpm 8
• d96f392 Release 3.3.6 version
• 8210dfb Release 3.3.5 version
• Additional commits viewable in compare view

Updates axios from 1.9.0 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates @langchain/community from 0.0.32 to 1.1.14

Release notes

Sourced from @​langchain/community's releases.

@​langchain/community@​1.1.14

Patch Changes

• #9990 d5e3db0 Thanks @​hntrl! - feat(core): Add SSRF protection module (@langchain/core/utils/ssrf) with utilities for validating URLs against private IPs, cloud metadata endpoints, and localhost.

  fix(community): Harden RecursiveUrlLoader against SSRF attacks by integrating validateSafeUrl and replacing string-based URL comparison with origin-based isSameOrigin from the shared SSRF module.

• Updated dependencies [d5e3db0, 6939dab, ad581c7]:

  • @​langchain/core@​1.1.21
  • @​langchain/openai@​1.2.7
  • @​langchain/classic@​1.0.17

@​langchain/community@​1.1.12

Patch Changes

• Updated dependencies [0870ca0, 8f0757f, cf46089]:
  • @​langchain/openai@​1.2.5
  • @​langchain/classic@​1.0.15

@​langchain/community@​1.1.11

Patch Changes

• #9905 41bfea5 Thanks @​christian-bromann! - fix(classic/community/core): avoid long lived abort signals

• Updated dependencies [41bfea5]:

  • @​langchain/classic@​1.0.14
  • @​langchain/openai@​1.2.4

@​langchain/community@​1.1.10

Patch Changes

• #9883 ea00005 Thanks @​FilipZmijewski! - support aborting for Model Gateway and WatsonxLLM for IBM

• #9896 70f329a Thanks @​Axadali! - Add score normalization feature to PGVectorStore allowing users to choose between returning raw distances or normalized similarity scores. This makes PGVectorStore consistent with other vector stores in the LangChain ecosystem where higher scores indicate greater similarity. Maintains full backward compatibility by defaulting to distance mode.

• #9874 a995a3f Thanks @​phong-phuong! - fix jira failing to fetch issues

• Updated dependencies [1fa865b, 28efb57, 4e42452, a9b5059, a9b5059]:

  • @​langchain/openai@​1.2.4
  • @​langchain/classic@​1.0.13

@​langchain/community@​1.1.9

Patch Changes

• Updated dependencies [1d58bf2]:
  • @​langchain/classic@​1.0.12

@​langchain/community@​1.1.8

Patch Changes

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​langchain/community since your current version.

Updates @langchain/core from 0.1.63 to 0.3.80

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by hntrl, a new releaser for @​langchain/core since your current version.

Updates langchain from 0.1.37 to 0.2.19

Commits

• d5ba68d chore(langchain): Release 0.2.19 (#6742)
• 26f75b6 chore(langchain): Release 0.2.19
• 7fbae88 fix(ci): Fix ci (#6741)
• 87ce560 fix(ci): Fix esbuild tests (#6739)
• a8ff65d fix(ci): Fix cf-workers export test (#6738)
• 1010d1c fix(ci): Fix cf exports test (#6737)
• a0fad77 fix(langchain): Fix local file store traversal issue (#6736)
• 08092cd google-common[major]: Media manager (#5835)
• 6a723fa docs: Update wording in tool choice guide (#6732)
• 630283b docs: Fix typo in chatbot tutorial (#6730)
• Additional commits viewable in compare view

Updates semver from 5.7.0 to 5.7.2

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

• Add version coercion capabilities

5.4

• Add intersection checking

5.3

• Add minSatisfying method

5.2

• Add prerelease(v) that returns prerelease components

5.1

• Add Backus-Naur for ranges
• Remove excessively cute inspection methods

5.0

• Remove AMD/Browserified build artifacts
• Fix ltr and gtr when using the * range
• Fix for range * with a prerelease identifier

Commits

• f8cc313 chore: release 5.7.2
• 2f8fd41 fix: better handling of whitespace (#585)
• deb5ad5 chore: @​npmcli/template-oss@​4.16.0
• c83c18c 5.7.1
• 956e228 Correct typo in README
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide t...

  Description has been truncated