chore(deps): bump the npm_and_yarn group across 4 directories with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: ajv and micromatch.
Bumps the npm_and_yarn group with 3 updates in the /apps/admin-ui directory: ajv, firebase and @babel/runtime.
Bumps the npm_and_yarn group with 1 update in the /apps/cli directory: js-yaml.
Bumps the npm_and_yarn group with 3 updates in the /apps/course directory: cookie, katex and mermaid.

Updates ajv from 6.12.6 to 6.14.0

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates firebase from 9.23.0 to 10.9.0

Commits

• 1eb302f Version Packages (#8063)
• b498867 Merge master into release
• ce88e71 snapshot listeners source from cache (#7982)
• 6d487d7 Prevent using authTokenSyncURL if the string begins with a double slash (#8060)
• b4d59d6 Merge master into release
• 2b22838 Fix glob pattern to work with Node 20 and its NPM version (#8059)
• feb5038 Update CI node.js versions to 20.x (#8055)
• 245dd26 Enforce authTokenSyncURL being a path and not a url. (#8056)
• e60188d Version Packages (#8046)
• 7e2efbf Merge master into release
• Additional commits viewable in compare view

Updates @babel/runtime from 7.24.0 to 7.28.6

Release notes

Sourced from @​babel/runtime's releases.

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • #17589 Improve Unicode handling in code-frame tokenizer (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17556 fix: transform-regenerator correctly handles scope (@​liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • #17538 fix: Keep jsx comments (@​liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • #17606 Polish(standalone): improve message on invalid preset/plugin (@​JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • #17580 Allow Babel 8 in compatible Babel 7 plugins (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-react-jsx
  • #17555 perf: Use lighter traversal for jsx __source,__self (@​liuxingbaoyu)

Committers: 7

• Babel Bot (@​babel-bot)
• Eliot Pontarelli (@​kolvian)
• Huáng Jùnliàng (@​JLHwung)
• Kadhirash Sivakumar (@​kadhirash)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• coderaiser (@​coderaiser)

v7.28.5 (2025-10-23)

Thank you @​CO0Ki3, @​Olexandr88, and @​youthfulhps for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@​liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@​fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@​CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@​JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@​JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring

... (truncated)

Commits

• d7f4008 v7.28.6
• 35055e3 v7.28.4
• ef155f5 v7.28.3
• cac0ff4 v7.28.2
• f68ac51 chore: Avoid CITGM errors (#17382)
• baa4cb8 v7.27.6
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
• a0690e3 Split regeneratorRuntime into multiple helpers (#17238)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/runtime since your current version.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates cookie from 0.4.2 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates katex from 0.16.10 to 0.16.32

Release notes

Sourced from katex's releases.

v0.16.32

0.16.32 (2026-02-22)

Bug Fixes

• italic separation in \mathnormal (#4143) (71305a0)

v0.16.31

0.16.31 (2026-02-22)

Bug Fixes

• \*frac sizing (#4137) (ef51f18)

v0.16.30

0.16.30 (2026-02-22)

Bug Fixes

• no line breaks after \not (#4140) (2d1ba86)

v0.16.29

0.16.29 (2026-02-22)

Bug Fixes

• \imath and other \html@mathml macros in arguments (#4139) (a850cce)

v0.16.28

0.16.28 (2026-01-25)

Bug Fixes

• type: add missing types definition path to package.json (#4125) (0ef8921)

v0.16.27

0.16.27 (2025-12-07)

Features

• support equals sign and surrounding whitespace in \htmlData attribute values (#4112) (c77aaec)

v0.16.26

0.16.26 (2025-12-07)

... (truncated)

Changelog

Sourced from katex's changelog.

0.16.32 (2026-02-22)

Bug Fixes

• italic separation in \mathnormal (#4143) (71305a0)

0.16.31 (2026-02-22)

Bug Fixes

• \*frac sizing (#4137) (ef51f18)

0.16.30 (2026-02-22)

Bug Fixes

• no line breaks after \not (#4140) (2d1ba86)

0.16.29 (2026-02-22)

Bug Fixes

• \imath and other \html@mathml macros in arguments (#4139) (a850cce)

0.16.28 (2026-01-25)

Bug Fixes

• type: add missing types definition path to package.json (#4125) (0ef8921)

0.16.27 (2025-12-07)

Features

• support equals sign and surrounding whitespace in \htmlData attribute values (#4112) (c77aaec)

0.16.26 (2025-12-07)

Bug Fixes

• \mathop followed by integral symbol (6fbad18)

0.16.25 (2025-10-13)

... (truncated)

Commits

• 3590b82 chore(release): 0.16.32 [ci skip]
• 71305a0 fix: italic separation in \mathnormal (#4143)
• 7933853 chore(release): 0.16.31 [ci skip]
• ef51f18 fix: \*frac sizing (#4137)
• 9ff1ac0 chore(release): 0.16.30 [ci skip]
• 2d1ba86 fix: no line breaks after \not (#4140)
• f472dc6 chore(release): 0.16.29 [ci skip]
• a850cce fix: \imath and other \html@mathml macros in arguments (#4139)
• a39921c refactor: optimize string lookups using Set instead of Array (#4094)
• 8645837 refactor: remove default exports from stretchy and delimiter (#4141)
• Additional commits viewable in compare view

Updates mermaid from 10.8.0 to 11.12.3

Release notes

Sourced from mermaid's releases.

mermaid@11.12.3

Patch Changes

• Updated dependencies [7243340]:
  • @​mermaid-js/parser@​1.0.0

mermaid@11.12.2

Patch Changes

• #7200 de7ed10 Thanks @​shubhamparikh2704! - fix: validate dates and tick interval to prevent UI freeze/crash in gantt diagramtype

mermaid@11.12.1

Patch Changes

• #7107 cbf8946 Thanks @​shubhamparikh2704! - fix: Updated the dependency dagre-d3-es to 7.0.13 to fix GHSA-cc8p-78qf-8p7q

mermaid@11.12.0

Minor Changes

• #6921 764b315 Thanks @​quilicicf! - feat: Add IDs in architecture diagrams

Patch Changes

• #6950 a957908 Thanks @​shubhamparikh2704! - chore: Fix mindmap rendering in docs and apply tidytree layout

• #6826 1d36810 Thanks @​darshanr0107! - fix: Ensure edge label color is applied when using classDef with edge IDs

• #6945 d318f1a Thanks @​darshanr0107! - fix: Resolve gantt chart crash due to invalid array length

• #6918 cfe9238 Thanks @​shubhamparikh2704! - chore: revert marked dependency from ^15.0.7 to ^16.0.0

  • Reverted marked package version to ^16.0.0 for better compatibility
  • This is a dependency update that maintains API compatibility
  • All tests pass with the updated version

mermaid@11.11.0

Minor Changes

• #6704 012530e Thanks @​omkarht! - feat: Added support for new participant types (actor, boundary, control, entity, database, collections, queue) in sequenceDiagram.

• #6802 c8e5027 Thanks @​darshanr0107! - feat: Update mindmap rendering to support multiple layouts, improved edge intersections, and new shapes

Patch Changes

• #6905 33bc4a0 Thanks @​darshanr0107! - fix: Render newlines as spaces in class diagrams

• #6886 e0b45c2 Thanks @​darshanr0107! - fix: Handle arrows correctly when auto number is enabled

mermaid@11.10.1

Patch Changes

... (truncated)

Commits

• cbe7015 Merge pull request #7397 from mermaid-js/changeset-release/master
• 69fccd2 Version Packages
• 56ecd66 Fixed issue with hero text
• 3735098 Merge pull request #7377 from aloisklink/chore/upgrade-to-langium-v4
• ea46407 Update link with source
• dc30a46 Updating the Hero on the docs side
• 426a616 chore(dev-deps): update @​argos-ci/cypress to 6.2.2
• 16bc9e6 chore(deps): update dependency lodash-es to v4.17.23
• 7243340 chore(parser)!: upgrade parser to Langium v4
• 156dc11 chore(deps): upgrade to langium 3.5.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for mermaid since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.