build(deps): bump the npm_and_yarn group across 3 directories with 37 updates

[dependabot]

Bumps the npm_and_yarn group with 32 updates in the / directory:

Package	From	To
@nestjs/common	9.4.3	10.4.16
@sentry/node	8.30.0	8.49.0
axios	1.7.3	1.12.0
dompurify	3.1.6	3.2.4
next	14.0.4	14.2.35
nodemailer	6.9.14	7.0.11
qs	6.13.0	6.14.1
tsup	8.2.4	8.3.5
esbuild	0.23.0	0.25.0
playwright	1.46.0	1.55.1
storybook	7.6.20	7.6.21
vite	5.4.0	5.4.21
vitest	1.4.0	1.6.1
@nestjs/devtools-integration	0.1.6	0.2.1
langchain	0.2.13	0.2.19
@babel/helpers	7.25.0	7.28.4
@tiptap/extension-link	2.5.9	2.27.1
brace-expansion	1.1.11	1.1.12
cipher-base	1.0.4	1.0.7
elliptic	6.5.6	6.6.1
formidable	2.1.2	2.1.5
hono	4.5.4	4.11.3
js-yaml	3.14.1	3.14.2
jws	3.2.2	3.2.3
nanoid	3.3.7	3.3.11
node-forge	1.3.1	1.3.3
pbkdf2	3.1.2	3.1.5
prismjs	1.29.0	1.30.0
sha.js	2.4.11	2.4.12
store2	2.14.3	2.14.4
tar-fs	2.1.1	2.1.4
validator	13.12.0	13.15.26

Bumps the npm_and_yarn group with 1 update in the /packages/twenty-server directory: @nestjs/devtools-integration.
Bumps the npm_and_yarn group with 5 updates in the /packages/twenty-server/src/engine/core-modules/serverless/drivers/layers/1 directory:

Package	From	To
axios	1.7.5	1.12.0
nodemailer	6.9.14	7.0.11
brace-expansion	1.1.11	1.1.12
cross-spawn	7.0.3	7.0.6
jws	3.2.2	3.2.3

Updates @nestjs/common from 9.4.3 to 10.4.16

Release notes

Sourced from @​nestjs/common's releases.

v10.4.16

What's Changed

• fix(common): introduce magic file type validator to nestjs common by @​Chathula in nestjs/nest#14948

Full Changelog: nestjs/nest@v10.4.15...v10.4.16

v10.4.15 (2024-12-09)

Dependencies

• platform-express
  • #14282 fix(deps): update dependency express to v4.21.2 (@​renovate[bot])

v10.4.13 (2024-12-03)

Bug fixes

• common
  • #14256 chore(common): Add type declaration for RawBody decorator with pipes (@​sapenlei)

Dependencies

• #14257 fix(deps): update dependency @​fastify/static to v7.0.4 (@​renovate[bot])
• #14258 fix(deps): update dependency @​nestjs/sequelize to v10.0.1 (@​renovate[bot])
• #14249 chore(deps): bump @​apollo/gateway from 2.4.8 to 2.8.5 in /sample/32-graphql-federation-schema-first/users-application (@​dependabot[bot])
• #14250 chore(deps): update jest monorepo (@​renovate[bot])
• #14245 chore(deps): update dependency mqtt to v5.10.3 (@​renovate[bot])
• #14247 fix(deps): update nest monorepo to v10.4.12 (@​renovate[bot])
• #14251 chore(deps-dev): bump graphql-tools from 9.0.3 to 9.0.5 (@​dependabot[bot])
• #14246 chore(deps): update nest monorepo (@​renovate[bot])

Committers: 3

• Kamil Mysliwiec (@​kamilmysliwiec)
• Micael Levi L. Cavalcante (@​micalevisk)
• sapenlei (@​sapenlei)

v10.4.12 (2024-11-29)

Bug fixes

• common
  • #14241 fix(common): enforce string type in validationpipe (@​LhonRafaat)

Dependencies

• Other
  • #14243 chore(deps): update dependency @​types/node to v20.17.9 (@​renovate[bot])
  • #14240 chore(deps): update dependency @​types/multer to v1.4.12 (@​renovate[bot])
  • #14239 chore(deps): update dependency @​types/chai to v4.3.20 (@​renovate[bot])
  • #14237 chore(deps): update confluentinc/cp-zookeeper docker tag to v7.7.2 (@​renovate[bot])
  • #14236 chore(deps): update confluentinc/cp-kafka docker tag to v7.7.2 (@​renovate[bot])
  • #12253 fix(deps): update apollo graphql packages (@​renovate[bot])
  • #14235 chore(deps-dev): bump @​commitlint/config-angular from 19.5.0 to 19.6.0 (@​dependabot[bot])
  • #14233 chore(deps): update nest monorepo (@​renovate[bot])

... (truncated)

Commits

• 6c8aec6 chore(@​nestjs) publish v10.4.16 release
• 2b9e132 chore: update outdated tests, make file-type optional
• cb0d650 chore: remove duplicate packages
• 6196ab2 Merge branch 'Chathula-fix-nestjs-common-mime-validator'
• 0ac7959 chore: minor tweaks
• 312a54a Update packages/common/pipes/file/file-type.validator.ts
• a28fc03 refactor(common): move back file type validator options type
• 07b4b38 refactor(common): move file-type package to peer dependencies
• 0b7af8a refactor(common): refactor code to use simple eval
• 6953b7a fix(common): used eval import
• Additional commits viewable in compare view

Updates @sentry/node from 8.30.0 to 8.49.0

Changelog

Sourced from @​sentry/node's changelog.

8.49.0

• feat(v8/browser): Flush offline queue on flush and browser online event (#14969)
• feat(v8/react): Add a handled prop to ErrorBoundary (#14978)
• fix(profiling/v8): Don't put require, __filename and __dirname on global object (#14952)
• fix(v8/node): Enforce that ContextLines integration does not leave open file handles (#14997)
• fix(v8/replay): Disable mousemove sampling in rrweb for iOS browsers (#14944)
• fix(v8/sveltekit): Ensure source maps deletion is called after source ma… (#14963)
• fix(v8/vue): Re-throw error when no errorHandler exists (#14943)

Work in this release was contributed by @​HHK1 and @​mstrokin. Thank you for your contribution!

8.48.0

Deprecations

• feat(v8/core): Deprecate getDomElement method (#14799)

  Deprecates getDomElement. There is no replacement.

Other changes

• fix(nestjs/v8): Use correct main/module path in package.json (#14791)
• fix(v8/core): Use consistent continueTrace implementation in core (#14819)
• fix(v8/node): Correctly resolve debug IDs for ANR events with custom appRoot (#14823)
• fix(v8/node): Ensure NODE_OPTIONS is not passed to worker threads (#14825)
• fix(v8/angular): Fall back to element tagName when name is not provided to TraceDirective (#14828)
• fix(aws-lambda): Remove version suffix from lambda layer (#14843)
• fix(v8/node): Ensure express requests are properly handled (#14851)
• feat(v8/node): Add openTelemetrySpanProcessors option (#14853)
• fix(v8/react): Use Set as the allRoutes container. (#14878) (#14884)
• fix(v8/react): Improve handling of routes nested under path="/" (#14897)
• feat(v8/core): Add normalizedRequest to samplingContext (#14903)
• fix(v8/feedback): Avoid lazy loading code for syncFeedbackIntegration (#14918)

Work in this release was contributed by @​arturovt. Thank you for your contribution!

8.47.0

• feat(v8/core): Add updateSpanName helper function (#14736)
• feat(v8/node): Do not overwrite prisma db.system in newer Prisma versions (#14772)
• feat(v8/node/deps): Bump @​prisma/instrumentation from 5.19.1 to 5.22.0 (#14755)
• feat(v8/replay): Mask srcdoc iframe contents per default (#14779)
• ref(v8/nextjs): Fix typo in source maps deletion warning (#14776)

Work in this release was contributed by @​aloisklink and @​benjick. Thank you for your contributions!

8.46.0

• feat: Allow capture of more than 1 ANR event [v8] (#14713)

... (truncated)

Commits

• db51933 release: 8.49.0
• 629fba2 meta(changelog): Update CHANGELOG for 8.49.0 (#15019)
• f5ac627 fix(v8/node): Enforce that ContextLines integration does not leave open file ...
• 286f6b0 test(v8/e2e): Fix node-express test transitive dependency (#15004)
• 798a932 feat(v8/browser): Flush offline queue on flush and browser online event (#14969)
• 0c3b2a4 fix(v8/replay): Disable mousemove sampling in rrweb for iOS browsers (#14944)
• fda1aee feat(v8/react): Add a handled prop to ErrorBoundary (#14978)
• 5182853 chore(v8/repo): Add missing v7 changelog entries (#14961)
• af00c8f fix(v8/sveltekit): Ensure source maps deletion is called after source ma… (#1...
• 8926cb7 fix(v8/vue): Re-throw error when no errorHandler exists (#14943)
• Additional commits viewable in compare view

Updates axios from 1.7.3 to 1.12.0

Release notes

Sourced from axios's releases.

Release v1.12.0

Release notes:

Bug Fixes

• adding build artifacts (9ec86de)
• dont add dist on release (a2edc36)
• fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
• node: enforce maxContentLength for data: URLs (#7011) (945435f)
• package exports (#5627) (aa78ac2)
• params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
• release pr run (fd7f404)
• types: change the type guard on isCancel (#5595) (0dbb7fd)

Features

• adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
• fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
• support reviver on JSON.parse (#5926) (2a97634), closes #5924
• types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

• Willian Agostini
• Dmitriy Mozgovoy
• khani
• Ameer Assadi
• Emiedonmokumo Dick-Boro
• Zeroday BYTE
• Jason Saayman
• 최예찬
• Gligor Kotushevski
• Aleksandar Dimitrov

Release v1.11.0

Release notes:

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

... (truncated)

Changelog

Sourced from axios's changelog.

1.12.0 (2025-09-11)

Bug Fixes

• adding build artifacts (9ec86de)
• dont add dist on release (a2edc36)
• fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
• node: enforce maxContentLength for data: URLs (#7011) (945435f)
• package exports (#5627) (aa78ac2)
• params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
• release pr run (fd7f404)
• types: change the type guard on isCancel (#5595) (0dbb7fd)

Features

• adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
• fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
• support reviver on JSON.parse (#5926) (2a97634), closes #5924
• types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

Contributors to this release

• Willian Agostini
• Dmitriy Mozgovoy
• khani
• Ameer Assadi
• Emiedonmokumo Dick-Boro
• Zeroday BYTE
• Jason Saayman
• 최예찬
• Gligor Kotushevski
• Aleksandar Dimitrov

1.11.0 (2025-07-22)

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail

... (truncated)

Commits

• 0d8ad6e chore(release): v1.12.0 (#7013)
• fd7f404 fix: release pr run
• a2edc36 fix: dont add dist on release
• 9ec86de fix: adding build artifacts
• 945435f fix(node): enforce maxContentLength for data: URLs (#7011)
• 28e5e30 chore(sponsor): update sponsor block (#7005)
• d03f245 chore(CI): fixed release info script to use npm registry instead of git as fi...
• a0bc911 chore: removing dist files from src (#7002)
• c959ff2 feat(fetch): add fetch, Request, Response env config variables for the adapte...
• a9f47af fix(fetch-adapter): set correct Content-Type for Node FormData (#6998)
• Additional commits viewable in compare view

Updates dompurify from 3.1.6 to 3.2.4

Release notes

Sourced from dompurify's releases.

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

DOMPurify 3.2.3

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

DOMPurify 3.2.2

• Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
• Fixed several minor issues with the type definitions, thanks again @​reduckted
• Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
• Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

DOMPurify 3.2.1

• Fixed several minor issues with the type definitions, thanks @​reduckted @​ghiscoding @​asamuzaK @​MiniDigger
• Fixed an issue with non-minified dist files and order of imports, thanks @​reduckted

DOMPurify 3.2.0

• Added type declarations, thanks @​reduckted , @​philmayfield, @​aloisklink, @​ssi02014 and others
• Fixed a minor issue with the handling of hooks, thanks @​kevin-mizu

DOMPurify 3.1.7

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
• Added better support for Angular compiler, thanks @​jeroen1602
• Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
• Bumped several dependencies to be more up to date

Commits

• ec29e65 Merge pull request #1062 from cure53/main
• 1c1b183 chore: Preparing 3.2.4 release
• d18ffcb fix: Changed the template literal regex to avoid a config-dependent bypass
• 0d64d2b Merge pull request #1060 from yehuya/initializeTestImprovements
• 9ad7933 tests: DOMPurify custom window tests improvements
• 72760ca Merge pull request #1059 from yehuya/fixMissingWindowElement
• bc72d44 Fix tests
• 363a89d fix: handle undefined Element in DOMPurify initialization
• f41b45d Update LICENSE
• b25bf26 Update README.md
• Additional commits viewable in compare view

Updates next from 14.0.4 to 14.2.35

Release notes

Sourced from next's releases.

v14.2.35

Please see the Next.js Security Update for information about this security patch.

Commits

• 7b940d9 v14.2.35
• 7c1be85 Backport facebook/react#35351 for 14.2.34 (#87095)
• f307368 v14.2.34
• 8e43882 Update React Version (#36)
• 385e8c2 Backport Next.js changes to v14.2.34 (#29)
• 7a2cf51 update version script
• 778e7bf lock swc binaries
• 5a97b40 v14.2.33
• cb88824 backport(v14): omit searchParam data from FlightRouterState before transport ...
• 89ee561 v14.2.32
• Additional commits viewable in compare view

Updates nodemailer from 6.9.14 to 7.0.11

Release notes

Sourced from nodemailer's releases.

v7.0.11

7.0.11 (2025-11-26)

Bug Fixes

• prevent stack overflow DoS in addressparser with deeply nested groups (b61b9c0)

v7.0.10

7.0.10 (2025-10-23)

Bug Fixes

• Increase data URI size limit from 100KB to 50MB and preserve content type (28dbf3f)

v7.0.9

7.0.9 (2025-10-07)

Bug Fixes

• release: Trying to fix release proecess by upgrading Node version in runner (579fce4)

v7.0.8

7.0.8 (2025-10-07)

Bug Fixes

• addressparser: flatten nested groups per RFC 5322 (8f8a77c)

v7.0.7

7.0.7 (2025-10-05)

Bug Fixes

• addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
• dns: add memory leak prevention for DNS cache (0240d67)
• linter: Updated eslint and created prettier formatting task (df13b74)
• refresh expired DNS cache on error (#1759) (ea0fc5a)
• resolve linter errors in DNS cache tests (3b8982c)

v7.0.6

7.0.6 (2025-08-27)

Bug Fixes

... (truncated)

Changelog

Sourced from nodemailer's changelog.

7.0.11 (2025-11-26)

Bug Fixes

• prevent stack overflow DoS in addressparser with deeply nested groups (b61b9c0)

7.0.10 (2025-10-23)

Bug Fixes

• Increase data URI size limit from 100KB to 50MB and preserve content type (28dbf3f)

7.0.9 (2025-10-07)

Bug Fixes

• release: Trying to fix release proecess by upgrading Node version in runner (579fce4)

7.0.8 (2025-10-07)

Bug Fixes

• addressparser: flatten nested groups per RFC 5322 (8f8a77c)

7.0.7 (2025-10-05)

Bug Fixes

• addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
• dns: add memory leak prevention for DNS cache (0240d67)
• linter: Updated eslint and created prettier formatting task (df13b74)
• refresh expired DNS cache on error (#1759) (ea0fc5a)
• resolve linter errors in DNS cache tests (3b8982c)

7.0.6 (2025-08-27)

Bug Fixes

• encoder: avoid silent data loss by properly flushing trailing base64 (#1747) (01ae76f)
• handle multiple XOAUTH2 token requests correctly (#1754) (dbe0028)
• ReDoS vulnerability in parseDataURI and _processDataUrl (#1755) (90b3e24)

7.0.5 (2025-07-07)

Bug Fixes

... (truncated)

Commits

• 3d17dbe chore(master): release 7.0.11 (#1783)
• 15879f8 Bumped dev dependencies
• b61b9c0 fix: prevent stack overflow DoS in addressparser with deeply nested groups
• 4175e4b chore(master): release 7.0.10 (#1776)
• d882ccf Merge branch 'master' of github.com:nodemailer/nodemailer
• 1d7e4f7 Bumped deps
• 10bd871 chore: correct typo in variable name (#1773)
• 28dbf3f fix: Increase data URI size limit from 100KB to 50MB and preserve content type
• 92ae1c4 chore(master): release 7.0.9 (#1769)
• c675d9e Merge branch 'master' of github.com:nodemailer/nodemailer
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nodemailer since your current version.

Updates qs from 6.13.0 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

• [Fix] ensure arrayLength applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup
• [Tests] utils.merge: add some coverage
• [Tests] fix a test case
• [actions] split out node 10-20, and 20+
• [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

Commits

• 3fa11a5 v6.14.1
• a626704 [Dev Deps] update npmignore
• 3086902 [Fix] ensure arrayLength applies to [] notation as well
• fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
• 0b06aac [Dev Deps] update @ljharb/eslint-config
• 64951f6 [Refactor] parse: extract key segment splitting helper
• e1bd259 [Dev Deps] update @ljharb/eslint-config
• f4b3d39 [eslint] add eslint 9 optional peer dep
• 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
• 973dc3c [actions] add workflow permissions
• Additional commits viewable in compare view

Updates tsup from 8.2.4 to 8.3.5

Release notes

Sourced from tsup's releases.

v8.3.5

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in egoist/tsup#1236 (fddd4)

    View changes on GitHub

v8.3.4

No significant changes

    View changes on GitHub

v8.3.3

No significant changes

    View changes on GitHub

v8.3.1

   🚀 Features

• Add es2024 target  -  by @​sxzz (4c8cd)

   🐞 Bug Fixes

• Support TS 5.6 for svelte  -  by @​sxzz (28b9c)
• Add neutral value to platform options in schema.json  -  by @​venables in egoist/tsup#982 (a03db)
• Wider restriction for target option  -  by @​odanado in egoist/tsup#1118 (1979b)
• Add terser value to minify option in schema.json  -  by @​damienbutt in egoist/tsup#991 (34951)
• Change newlineKind to lf for experimentalDts  -  by @​aryaemami59 in egoist/tsup#1234 (4584b)
• Enable rollup output.compact when minify is enabled  -  by @​hyrious in egoist/tsup#1232 (9cc86)
• Support Node16 and NodeNext module resolution in experimentalDts  -  by @​aryaemami59 in egoist/tsup#1225 (41c98)

    View changes on GitHub

v8.3.0

8.3.0 (2024-09-17)

Bug Fixes

• fix experimentalDts file cleaning and watching (#1199) (76dc18b)

Features

• add support for cts and mts config files (#1178) (ec811b3)
• add support for async injectStyle (#1193) (f25a9db)

Commits

• cd03e1e chore: release v8.3.5
• fddd451 fix: run experimentalDts only once (#1236)
• 21b1193 chore: release v8.3.4
• 580e03d ci: fix release workflow
• 01b38f2 chore: release v8.3.3
• 4f5b71e ci: fix release workflow
• e80dad6 chore: release v8.3.2
• f4af79a ci: fix release workflow (#1241)
• 4b72d61 chore: release v8.3.1
• 41c98ff fix: support Node16 and NodeNext module resolution in experimentalDts (...
• Additional commits viewable in compare view

Updates esbuild from 0.23.0 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's develo...

  Description has been truncated