Skip to content

Bump umzug from 2.3.0 to 3.8.3 in /www/nodejs-project#116

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/www/nodejs-project/umzug-3.8.3
Open

Bump umzug from 2.3.0 to 3.8.3 in /www/nodejs-project#116
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/www/nodejs-project/umzug-3.8.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Copy link
Copy Markdown
Contributor

Bumps umzug from 2.3.0 to 3.8.3.

Release notes

Sourced from umzug's releases.

v3.8.3

mostly just a security patch update

pnpm audit --prod output before 4272daa25ac2fed4e71973f04253f8219f42c26c:

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Validator is Vulnerable to Incomplete Filtering of One │
│                     │ or More Instances of Special Elements                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ validator                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <13.15.22                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.15.22                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @rushstack/ts-command-line@4.19.1 >                │
│                     │ @rushstack/terminal@0.10.0 >                           │
│                     │ @rushstack/node-core-library@4.0.2 > z-schema@5.0.5 >  │
│                     │ validator@13.11.0                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vghf-hv5q-vc2g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Picomatch has a ReDoS vulnerability via extglob        │
│                     │ quantifiers                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ picomatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.0.4                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.0.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > tinyglobby@0.2.13 > fdir@6.4.4 > picomatch@4.0.2   │
│                     │                                                        │
│                     │ . > tinyglobby@0.2.13 > picomatch@4.0.2                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c2c7-rcm5-vvqj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ validator.js has a URL validation bypass vulnerability │
│                     │ in its isURL function                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ validator                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <13.15.20                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.15.20                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @rushstack/ts-command-line@4.19.1 >                │
</tr></table> 

... (truncated)

Changelog

Sourced from umzug's changelog.

Change Log

All notable changes to this project until v2.3.0 were documented in this file.

For the change logs for versions above v2.3.0, please refer to the GitHub releases section.

Commits
Maintainer changes

This version was pushed to npm by mmkale, a new releaser for umzug since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [umzug](https://github.com/sequelize/umzug) from 2.3.0 to 3.8.3.
- [Release notes](https://github.com/sequelize/umzug/releases)
- [Changelog](https://github.com/sequelize/umzug/blob/main/CHANGELOG.md)
- [Commits](sequelize/umzug@v2.3.0...v3.8.3)

---
updated-dependencies:
- dependency-name: umzug
  dependency-version: 3.8.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants