Bump the npm_and_yarn group across 4 directories with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: picomatch and yaml.
Bumps the npm_and_yarn group with 4 updates in the /backend directory: yaml, brace-expansion, effect and path-to-regexp.
Bumps the npm_and_yarn group with 1 update in the /docs directory: astro.
Bumps the npm_and_yarn group with 1 update in the /swagger-ui directory: brace-expansion.

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates yaml from 2.8.0 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

v2.8.2

• Serialize -0 as -0 (#638)
• Do not double newlines for empty map values (#642)

v2.8.1

• Preserve empty block literals (#634)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• 086fa6b 2.8.2
• 95f01e9 chore: Add funding to package.json
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

v2.8.2

• Serialize -0 as -0 (#638)
• Do not double newlines for empty map values (#642)

v2.8.1

• Preserve empty block literals (#634)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• 086fa6b 2.8.2
• 95f01e9 chore: Add funding to package.json
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.12 to 1.1.13

Commits

• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• See full diff in compare view

Updates effect from 3.18.4 to 3.20.0

Release notes

Sourced from effect's releases.

effect@3.20.0

Minor Changes

• #6124 8798a84 Thanks @​mikearnaldi! - Fix scheduler task draining to isolate AsyncLocalStorage across fibers.

Patch Changes

• #6107 fc82e81 Thanks @​gcanti! - Backport Types.VoidIfEmpty to 3.x

• #6088 82996bc Thanks @​taylorOntologize! - Schema: fix Schema.omit producing wrong result on Struct with optionalWith({ default }) and index signatures

  getIndexSignatures now handles Transformation AST nodes by delegating to ast.to, matching the existing behavior of getPropertyKeys and getPropertyKeyIndexedAccess. Previously, Schema.omit on a struct combining Schema.optionalWith (with { default }, { as: "Option" }, etc.) and Schema.Record would silently take the wrong code path, returning a Transformation with property signatures instead of a TypeLiteral with index signatures.

• #6086 4d97a61 Thanks @​taylorOntologize! - Schema: fix getPropertySignatures crash on Struct with optionalWith({ default }) and other Transformation-producing variants

  SchemaAST.getPropertyKeyIndexedAccess now handles Transformation AST nodes by delegating to ast.to, matching the existing behavior of getPropertyKeys. Previously, calling getPropertySignatures on a Schema.Struct containing Schema.optionalWith with { default }, { as: "Option" }, { nullable: true }, or similar options would throw "Unsupported schema (Transformation)".

• #6097 f6b0960 Thanks @​gcanti! - Fix TupleWithRest post-rest validation to check each tail index sequentially.

effect@3.19.19

Patch Changes

• #6079 4eb5c00 Thanks @​tim-smart! - add short circuit to fiber.await internals

• #6079 4eb5c00 Thanks @​tim-smart! - build ManagedRuntime synchronously if possible

• #6081 2d2bb13 Thanks @​tim-smart! - fix semaphore race condition where permits could be leaked

effect@3.19.18

Patch Changes

• #6062 12b1f1e Thanks @​tim-smart! - prevent Stream.changes from writing empty chunks

effect@3.19.17

Patch Changes

• #6040 a8c436f Thanks @​jacobconley! - Fix Stream.decodeText to correctly handle multi-byte UTF-8 characters split across chunk boundaries.

effect@3.19.16

Patch Changes

• #6018 e71889f Thanks @​codewithkenzo! - fix(Match): handle null/undefined in Match.tag and Match.tagStartsWith

  Added null checks to discriminator and discriminatorStartsWith predicates to prevent crashes when matching nullable union types.

  Fixes #6017

effect@3.19.15

Patch Changes

... (truncated)

Changelog

Sourced from effect's changelog.

3.20.0

Minor Changes

• #6124 8798a84 Thanks @​mikearnaldi! - Fix scheduler task draining to isolate AsyncLocalStorage across fibers.

Patch Changes

• #6107 fc82e81 Thanks @​gcanti! - Backport Types.VoidIfEmpty to 3.x

• #6088 82996bc Thanks @​taylorOntologize! - Schema: fix Schema.omit producing wrong result on Struct with optionalWith({ default }) and index signatures

  getIndexSignatures now handles Transformation AST nodes by delegating to ast.to, matching the existing behavior of getPropertyKeys and getPropertyKeyIndexedAccess. Previously, Schema.omit on a struct combining Schema.optionalWith (with { default }, { as: "Option" }, etc.) and Schema.Record would silently take the wrong code path, returning a Transformation with property signatures instead of a TypeLiteral with index signatures.

• #6086 4d97a61 Thanks @​taylorOntologize! - Schema: fix getPropertySignatures crash on Struct with optionalWith({ default }) and other Transformation-producing variants

  SchemaAST.getPropertyKeyIndexedAccess now handles Transformation AST nodes by delegating to ast.to, matching the existing behavior of getPropertyKeys. Previously, calling getPropertySignatures on a Schema.Struct containing Schema.optionalWith with { default }, { as: "Option" }, { nullable: true }, or similar options would throw "Unsupported schema (Transformation)".

• #6097 f6b0960 Thanks @​gcanti! - Fix TupleWithRest post-rest validation to check each tail index sequentially.

3.19.19

Patch Changes

• #6079 4eb5c00 Thanks @​tim-smart! - add short circuit to fiber.await internals

• #6079 4eb5c00 Thanks @​tim-smart! - build ManagedRuntime synchronously if possible

• #6081 2d2bb13 Thanks @​tim-smart! - fix semaphore race condition where permits could be leaked

3.19.18

Patch Changes

• #6062 12b1f1e Thanks @​tim-smart! - prevent Stream.changes from writing empty chunks

3.19.17

Patch Changes

• #6040 a8c436f Thanks @​jacobconley! - Fix Stream.decodeText to correctly handle multi-byte UTF-8 characters split across chunk boundaries.

3.19.16

Patch Changes

• #6018 e71889f Thanks @​codewithkenzo! - fix(Match): handle null/undefined in Match.tag and Match.tagStartsWith

  Added null checks to discriminator and discriminatorStartsWith predicates to prevent crashes when matching nullable union types.

... (truncated)

Commits

• aa47393 Version Packages (#6089)
• 8798a84 fix(effect): isolate scheduler runners per fiber (#6124)
• fc82e81 Backport Types.VoidIfEmpty to 3.x (#6107)
• f6b0960 Backport: Fix TupleWithRest post-rest index drift validation bug (#6097)
• 82996bc fix(Schema): handle Transformation in getIndexSignatures for correct omit beh...
• 4d97a61 Schema: fix getPropertySignatures crash on Struct with optionalWith({ default...
• ab3b64c Version Packages (#6080)
• 2d2bb13 fix semaphore race condition where permits could be leaked (#6081)
• 4eb5c00 build ManagedRuntime synchronously if possible (#6079)
• 4f21075 Version Packages (#6063)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for effect since your current version.

Updates path-to-regexp from 8.2.0 to 8.4.0

Release notes

Sourced from path-to-regexp's releases.

8.4.0

Important

• Fix CVE-2026-4926 (GHSA-j3q9-mxjg-w52f)
• Fix CVE-2026-4923 (GHSA-27v5-c462-wpq7)

Fixed

• Restricts wildcard backtracking when using more than 1 in a path (pillarjs/path-to-regexp#421)

Changed

• Dedupes regex prefixes (pillarjs/path-to-regexp#422)
  • This will result in shorter regular expressions for some cases using optional groups
• Rejects large optional route combinations (pillarjs/path-to-regexp#424)
  • When using groups such as /users{/delete} it will restrict the number of generated combinations to < 256, equivalent to 8 top-level optional groups and unlikely to occur in a real world application, but avoids exploding the regex size for applications that accept user created routes

8.3.0

Changed

• Add custom error class (#398) 2a7f2a4
• Allow plain objects for TokenData (#391) 687a9bb
• Escape text should escape backslash (#390) a4a8552
• Improved error messages and stack size (#363) a6bdf40

Other

• Minifying the parser
  • PR (#401) 9df2448
  • PR (#395) 4a91505
  • Shaving some bytes d63f44b
  • Remove optional operator 973d15c

pillarjs/path-to-regexp@v8.2.0...v8.3.0

Commits

• 34cb451 8.4.0
• 22a9679 Reject large optional route combinations (#424)
• 8881a88 Byte optimization (#423)
• 43669ac Dedupe regex prefixes (#422)
• 4864654 Restrict repeated wildcard backtracking (#421)
• 05a5a97 Remove dependabot config (#404)
• 5b635cd Remove package-lock.json (#407)
• c4f5b3f 8.3.0
• 6587c81 Move parameter name errors up in docs (#402)
• 9df2448 Remove more bytes from parser (#401)
• Additional commits viewable in compare view

Updates astro from 5.16.11 to 5.18.1

Release notes

Sourced from astro's releases.

astro@5.18.1

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6
  • @​astrojs/markdown-remark@​6.3.11

Changelog

Sourced from astro's changelog.

5.18.1

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6
  • @​astrojs/markdown-remark@​6.3.11

5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

... (truncated)

Commits

• 434d9cc [ci] release (#15829)
• c2cd371 fix(helpers): Backport remote patterns segments fix (#15828)
• 011f061 [ci] release (#15597)
• efae11c fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… (#15594)
• 751ccf0 Update actionBodySizeLimit changeset and make minor (#15600)
• b7dd447 make actionBodySizeLimit configurable (#15589)
• e0f1a2b [ci] release (#15571)
• 522f880 Limit action request body size (#15564)
• 436962a chore: Upgrade Vite and esbuild (#15554)
• e01e98b Respect remote image allowlists (#15569)
• Additional commits viewable in compare view

Updates brace-expansion from 5.0.4 to 5.0.5

Commits

• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.