Build(deps): Bump the npm_and_yarn group across 2 directories with 2 updates #2005

dependabot · 2026-01-05T16:29:31Z

Bumps the npm_and_yarn group with 2 updates in the /services/kg_dashboard directory: jws and storybook.
Bumps the npm_and_yarn group with 2 updates in the /services/run_dashboard directory: jws and storybook.

Updates jws from 4.0.0 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

Code reorganization, thanks [@fearphage]! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

34c45b2 Merge commit from fork
49bc39b version 4.0.1
d42350c Enhance tests for HMAC streaming sign and verify
5cb007c Improve secretOrKey initialization in VerifyStream
f9a2e1c Improve secret handling in SignStream
b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
95b75ee Upload OpsLevel YAML
8857ee7 test: remove unused variable (#96)
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v4.0.1

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

Code reorganization, thanks [@fearphage]! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

34c45b2 Merge commit from fork
49bc39b version 4.0.1
d42350c Enhance tests for HMAC streaming sign and verify
5cb007c Improve secretOrKey initialization in VerifyStream
f9a2e1c Improve secret handling in SignStream
b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
95b75ee Upload OpsLevel YAML
8857ee7 test: remove unused variable (#96)
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates storybook from 8.6.14 to 8.6.15

Release notes

Sourced from storybook's releases.

v8.6.15

8.6.15

Core: Fix .env-file parsing, thanks @jreinhold!

Changelog

Sourced from storybook's changelog.

10.1.11

React: Fix several CSF factory bugs - #33354, thanks @kasperpeulen!

UI: Fix React error 300 on some addons - #33381, thanks @Sidnioulz!

10.1.10

Core: Fix .env-file parsing - #33383, thanks @JReinhold!

Next.js: Handle v14 compatibility for draftMode import - #33341, thanks @tanujbhaud!

10.1.9

Telemetry: Remove instance of check for sub-error handling - #33356, thanks @valentinpalkovic!

10.1.8

React-Vite: Update @joshwooding/vite-plugin-react-docgen-typescript - #33349, thanks @valentinpalkovic!

10.1.7

Automigrate: Fix missing await - #33333, thanks @valentinpalkovic!

CLI: Remove REACT_PROJECT projectType - #33334, thanks @valentinpalkovic!

Core: Exclude open from pre-bundling to make local xdg-open reachable - #33325, thanks @Sidnioulz!

Nextjs-Vite: Install vite during migration if not installed yet - #33316, thanks @ghengeveld!

Telemetry: Fix race condition in telemetry cache causing malformed JSON - #33323, thanks @valentinpalkovic!

10.1.6

Manager: Do not display non-existing shortcuts in the settings page - #32711, thanks @DKER2!

Preview: Enforce inert body if manager is focus-trapped - #33186, thanks @Sidnioulz!

Telemetry: Await pending operations in getLastEvents to prevent race conditions - #33285, thanks @valentinpalkovic!

UI: Fix keyboard navigation bug for "reset" option in Select - #33268, thanks @Sidnioulz!

10.1.5

Addon-Vitest: Isolate error reasons during postinstall - #33295, thanks @valentinpalkovic!

CLI: Fix react native template not copying in init - #33308, thanks @dannyhw!

Docs: Support Rolldown bundler module namespace objects - #33280, thanks @akornmeier!

10.1.4

Core: Enhance getPrettier function to provide prettier interface - #33260, thanks @valentinpalkovic!

NextJS: Alias image to use fileURLToPath for better resolution - #33256, thanks @ndelangen!

Telemetry: Cache Storybook metadata by main config content hash - #33247, thanks @valentinpalkovic!

10.1.3

Angular: Honor --loglevel and --logfile in dev/build - #33212, thanks @valentinpalkovic!

Core: Minor UI fixes - #33218, thanks @ghengeveld!

Telemetry: Add playwright-prompt - #33229, thanks @valentinpalkovic!

... (truncated)

Commits

3812b43 Bump version from 8.6.14 to 8.6.15 MANUALLY
4a04cb2 filter env vars from .env files
See full diff in compare view

Updates jws from 4.0.0 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

Code reorganization, thanks [@fearphage]! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

34c45b2 Merge commit from fork
49bc39b version 4.0.1
d42350c Enhance tests for HMAC streaming sign and verify
5cb007c Improve secretOrKey initialization in VerifyStream
f9a2e1c Improve secret handling in SignStream
b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
95b75ee Upload OpsLevel YAML
8857ee7 test: remove unused variable (#96)
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v4.0.1

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

Code reorganization, thanks [@fearphage]! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

34c45b2 Merge commit from fork
49bc39b version 4.0.1
d42350c Enhance tests for HMAC streaming sign and verify
5cb007c Improve secretOrKey initialization in VerifyStream
f9a2e1c Improve secret handling in SignStream
b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
95b75ee Upload OpsLevel YAML
8857ee7 test: remove unused variable (#96)
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates storybook from 8.5.5 to 8.6.15

Release notes

Sourced from storybook's releases.

v8.6.15

8.6.15

Core: Fix .env-file parsing, thanks @jreinhold!

Changelog

Sourced from storybook's changelog.

10.1.11

React: Fix several CSF factory bugs - #33354, thanks @kasperpeulen!

UI: Fix React error 300 on some addons - #33381, thanks @Sidnioulz!

10.1.10

Core: Fix .env-file parsing - #33383, thanks @JReinhold!

Next.js: Handle v14 compatibility for draftMode import - #33341, thanks @tanujbhaud!

10.1.9

Telemetry: Remove instance of check for sub-error handling - #33356, thanks @valentinpalkovic!

10.1.8

React-Vite: Update @joshwooding/vite-plugin-react-docgen-typescript - #33349, thanks @valentinpalkovic!

10.1.7

Automigrate: Fix missing await - #33333, thanks @valentinpalkovic!

CLI: Remove REACT_PROJECT projectType - #33334, thanks @valentinpalkovic!

Core: Exclude open from pre-bundling to make local xdg-open reachable - #33325, thanks @Sidnioulz!

Nextjs-Vite: Install vite during migration if not installed yet - #33316, thanks @ghengeveld!

Telemetry: Fix race condition in telemetry cache causing malformed JSON - #33323, thanks @valentinpalkovic!

10.1.6

Manager: Do not display non-existing shortcuts in the settings page - #32711, thanks @DKER2!

Preview: Enforce inert body if manager is focus-trapped - #33186, thanks @Sidnioulz!

Telemetry: Await pending operations in getLastEvents to prevent race conditions - #33285, thanks @valentinpalkovic!

UI: Fix keyboard navigation bug for "reset" option in Select - #33268, thanks @Sidnioulz!

10.1.5

Addon-Vitest: Isolate error reasons during postinstall - #33295, thanks @valentinpalkovic!

CLI: Fix react native template not copying in init - #33308, thanks @dannyhw!

Docs: Support Rolldown bundler module namespace objects - #33280, thanks @akornmeier!

10.1.4

Core: Enhance getPrettier function to provide prettier interface - #33260, thanks @valentinpalkovic!

NextJS: Alias image to use fileURLToPath for better resolution - #33256, thanks @ndelangen!

Telemetry: Cache Storybook metadata by main config content hash - #33247, thanks @valentinpalkovic!

10.1.3

Angular: Honor --loglevel and --logfile in dev/build - #33212, thanks @valentinpalkovic!

Core: Minor UI fixes - #33218, thanks @ghengeveld!

Telemetry: Add playwright-prompt - #33229, thanks @valentinpalkovic!

... (truncated)

Commits

3812b43 Bump version from 8.6.14 to 8.6.15 MANUALLY
4a04cb2 filter env vars from .env files
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

lvijnck · 2026-01-07T11:53:20Z

@JacquesVergine approved, as I see CI got through successfully. This should give enough confidence right?

github-actions · 2026-01-22T00:16:07Z

This pull request has been automatically marked as stale because it has had no activity in the last 14 days.

If this PR is still relevant:

Please update it to the latest main/master branch
Address any existing review comments
Leave a comment to keep it open

Otherwise, it will be closed in 2 weeks if no further activity occurs.

…updates Bumps the npm_and_yarn group with 2 updates in the /services/kg_dashboard directory: [jws](https://github.com/brianloveswords/node-jws) and [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core). Bumps the npm_and_yarn group with 2 updates in the /services/run_dashboard directory: [jws](https://github.com/brianloveswords/node-jws) and [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core). Updates `jws` from 4.0.0 to 4.0.1 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v4.0.0...v4.0.1) Updates `jws` from 3.2.2 to 3.2.3 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v4.0.0...v4.0.1) Updates `storybook` from 8.6.14 to 8.6.15 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v8.6.15/code/core) Updates `jws` from 4.0.0 to 4.0.1 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v4.0.0...v4.0.1) Updates `jws` from 3.2.2 to 3.2.3 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v4.0.0...v4.0.1) Updates `storybook` from 8.5.5 to 8.6.15 - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v8.6.15/code/core) --- updated-dependencies: - dependency-name: jws dependency-version: 4.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: jws dependency-version: 3.2.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: storybook dependency-version: 8.6.15 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: jws dependency-version: 4.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: jws dependency-version: 3.2.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: storybook dependency-version: 8.6.15 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot requested a review from a team as a code owner January 5, 2026 16:29

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 5, 2026

dependabot bot requested a review from Dashing-Nelson January 5, 2026 16:29

dependabot bot temporarily deployed to dev January 5, 2026 16:29 Inactive

lvijnck approved these changes Jan 7, 2026

View reviewed changes

github-actions bot added the stale label Jan 22, 2026

dependabot bot force-pushed the dependabot/npm_and_yarn/services/kg_dashboard/npm_and_yarn-65147c3479 branch from 97a058a to 19d342a Compare January 23, 2026 00:49

dependabot bot temporarily deployed to dev January 23, 2026 00:49 Inactive

github-actions bot removed the stale label Jan 24, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build(deps): Bump the npm_and_yarn group across 2 directories with 2 updates #2005

Build(deps): Bump the npm_and_yarn group across 2 directories with 2 updates #2005

Uh oh!

dependabot bot commented on behalf of github Jan 5, 2026 •

edited

Loading

Uh oh!

lvijnck commented Jan 7, 2026

Uh oh!

github-actions bot commented Jan 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Build(deps): Bump the npm_and_yarn group across 2 directories with 2 updates #2005

Are you sure you want to change the base?

Build(deps): Bump the npm_and_yarn group across 2 directories with 2 updates #2005

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.0.1

Changed

[4.0.1]

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

v4.0.1

Changed

[4.0.1]

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

v8.6.15

8.6.15

10.1.11

10.1.10

10.1.9

10.1.8

10.1.7

10.1.6

10.1.5

10.1.4

10.1.3

v4.0.1

Changed

[4.0.1]

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

v4.0.1

Changed

[4.0.1]

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

v8.6.15

8.6.15

10.1.11

10.1.10

10.1.9

10.1.8

10.1.7

10.1.6

10.1.5

10.1.4

10.1.3

Uh oh!

lvijnck commented Jan 7, 2026

Uh oh!

github-actions bot commented Jan 22, 2026

Uh oh!

Reviewers

Assignees

dependabot bot commented on behalf of github Jan 5, 2026 •

edited

Loading