Bump the npm_and_yarn group across 2 directories with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /test/smoke/automation directory: playwright, tmp and brace-expansion.
Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
tmp	0.2.1	0.2.5
brace-expansion	1.1.11	1.1.12
brace-expansion	2.0.1	2.0.2
js-yaml	3.14.1	3.14.2
js-yaml	4.1.0	4.1.1
qs	6.10.3	6.14.1
tar-fs	2.1.2	2.1.4
validator	13.7.0	13.15.26

Updates playwright from 1.41.2 to 1.55.1

Release notes

Sourced from playwright's releases.

v1.55.1

Highlights

microsoft/playwright#37479 - [Bug]: Upgrade Chromium to 140.0.7339.186. microsoft/playwright#37147 - [Regression]: Internal error: step id not found. microsoft/playwright#37146 - [Regression]: HTML reporter displays a broken chip link when there are no projects. microsoft/playwright#37137 - Revert "fix(a11y): track inert elements as hidden". microsoft/playwright#37532 - chore: do not use -k option

Browser Versions

• Chromium 140.0.7339.186
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.55.0

New APIs

• New Property testStepInfo.titlePath Returns the full title path starting from the test file, including test and step titles.

Codegen

• Automatic toBeVisible() assertions: Codegen can now generate automatic toBeVisible() assertions for common UI interactions. This feature can be enabled in the Codegen settings UI.

Breaking Changes

• ⚠️ Dropped support for Chromium extension manifest v2.

Miscellaneous

• Added support for Debian 13 "Trixie".

Browser Versions

• Chromium 140.0.7339.16
• Mozilla Firefox 141.0
• WebKit 26.0

This version was also tested against the following stable channels:

• Google Chrome 139
• Microsoft Edge 139

v1.54.2

Highlights

microsoft/playwright#36714 - [Regression]: Codegen is not able to launch in Administrator Terminal on Windows (ProtocolError: Protocol error) microsoft/playwright#36828 - [Regression]: Playwright Codegen keeps spamming with selected option microsoft/playwright#36810 - [Regression]: Starting Codegen with target language doesn't work anymore

Browser Versions

... (truncated)

Commits

• ae51df7 chore: mark v1.55.1 (#37530)
• 86dde29 feat(chromium): roll to r1193 (#37529)
• 86328bc chore: do not use -k option (#37532)
• 63799ba cherry-pick(#37214): docs: fix method names in release notes
• 21e29a4 cherry-pick(#37153): fix(html): don't display a chip with empty content with ...
• ba62e6a cherry-pick(#37149): fix(test): attaching in boxed fixture
• 25bb073 cherry-pick(#37137): Revert "fix(a11y): track inert elements as hidden (#36947)"
• f992162 chore: mark v1.55.0 (#37121)
• 4a92ea0 cherry-pick(#37113): docs: add release-notes for v1.55
• aa05507 cherry-pick(#37114): test: move browser._launchServer in child process
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by playwright-bot, a new releaser for playwright since your current version.

Updates tmp from 0.1.0 to 0.2.4

Changelog

Sourced from tmp's changelog.

v0.2.2 (2024-02-28)

🐛 Bug Fix

• #278 Closes #268: Revert "fix #246: remove any double quotes or single quotes… (@​mbargiel)

📝 Documentation

• #279 Closes #266: move paragraph on graceful cleanup to the head of the documentation (@​silkentrance)

Committers: 5

• Carsten Klein (@​silkentrance)
• Dave Nicolson (@​dnicolson)
• KARASZI István (@​raszi)
• Maxime Bargiel (@​mbargiel)
• @​robertoaceves

v0.2.1 (2020-04-28)

🚀 Enhancement

• #252 Closes #250: introduce tmpdir option for overriding the system tmp dir (@​silkentrance)

🏠 Internal

• #253 Closes #191: generate changelog from pull requests using lerna-changelog (@​silkentrance)

Committers: 1

• Carsten Klein (@​silkentrance)

v0.2.0 (2020-04-25)

🚀 Enhancement

• #234 feat: stabilize tmp for v0.2.0 release (@​silkentrance)

🐛 Bug Fix

• #231 Closes #230: regression after fix for #197 (@​silkentrance)
• #220 Closes #197: return sync callback when using the sync interface, otherwise return the async callback (@​silkentrance)
• #193 Closes #192: tmp must not exit the process on its own (@​silkentrance)

📝 Documentation

• #221 Gh 206 document name option (@​silkentrance)

🏠 Internal

• #226 Closes #212: enable direct name option test (@​silkentrance)
• #225 Closes #211: existing tests must clean up after themselves (@​silkentrance)
• #224 Closes #217: name tests must use tmpName (@​silkentrance)
• #223 Closes #214: refactor tests and lib (@​silkentrance)
• #198 Update dependencies to latest versions (@​matsev)

... (truncated)

Commits

• 08fa3ab Update version
• 1cf4ec5 Merge commit from fork
• 188b25e Fix GHSA-52f5-9888-hmc6
• 73b9fe4 Add test case for GHSA-52f5-9888-hmc6
• b8e2f29 Remove broken tests
• 2892a02 Remove outdated URL
• f592318 Reformat package.json
• 995ac8c Merge pull request #301 from raszi/dependabot/npm_and_yarn/braces-3.0.3
• caa758d Bump braces from 3.0.2 to 3.0.3
• 5f0b252 Merge pull request #297 from raszi/feat/release-v0.2.3
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates tmp from 0.2.1 to 0.2.5

Changelog

Sourced from tmp's changelog.

v0.2.2 (2024-02-28)

🐛 Bug Fix

• #278 Closes #268: Revert "fix #246: remove any double quotes or single quotes… (@​mbargiel)

📝 Documentation

• #279 Closes #266: move paragraph on graceful cleanup to the head of the documentation (@​silkentrance)

Committers: 5

• Carsten Klein (@​silkentrance)
• Dave Nicolson (@​dnicolson)
• KARASZI István (@​raszi)
• Maxime Bargiel (@​mbargiel)
• @​robertoaceves

v0.2.1 (2020-04-28)

🚀 Enhancement

• #252 Closes #250: introduce tmpdir option for overriding the system tmp dir (@​silkentrance)

🏠 Internal

• #253 Closes #191: generate changelog from pull requests using lerna-changelog (@​silkentrance)

Committers: 1

• Carsten Klein (@​silkentrance)

v0.2.0 (2020-04-25)

🚀 Enhancement

• #234 feat: stabilize tmp for v0.2.0 release (@​silkentrance)

🐛 Bug Fix

• #231 Closes #230: regression after fix for #197 (@​silkentrance)
• #220 Closes #197: return sync callback when using the sync interface, otherwise return the async callback (@​silkentrance)
• #193 Closes #192: tmp must not exit the process on its own (@​silkentrance)

📝 Documentation

• #221 Gh 206 document name option (@​silkentrance)

🏠 Internal

• #226 Closes #212: enable direct name option test (@​silkentrance)
• #225 Closes #211: existing tests must clean up after themselves (@​silkentrance)
• #224 Closes #217: name tests must use tmpName (@​silkentrance)
• #223 Closes #214: refactor tests and lib (@​silkentrance)
• #198 Update dependencies to latest versions (@​matsev)

... (truncated)

Commits

• 08fa3ab Update version
• 1cf4ec5 Merge commit from fork
• 188b25e Fix GHSA-52f5-9888-hmc6
• 73b9fe4 Add test case for GHSA-52f5-9888-hmc6
• b8e2f29 Remove broken tests
• 2892a02 Remove outdated URL
• f592318 Reformat package.json
• 995ac8c Merge pull request #301 from raszi/dependabot/npm_and_yarn/braces-3.0.3
• caa758d Bump braces from 3.0.2 to 3.0.3
• 5f0b252 Merge pull request #297 from raszi/feat/release-v0.2.3
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates qs from 6.10.3 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

• [Fix] ensure arrayLength applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup
• [Tests] utils.merge: add some coverage
• [Tests] fix a test case
• [actions] split out node 10-20, and 20+
• [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

6.13.0

• [New] parse: add strictDepth option (#511)
• [Tests] use npm audit instead of aud

6.12.3

• [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
• [meta] fix changelog indentation

6.12.2

• [Fix] parse: parse encoded square brackets (#506)
• [readme] add CII best practices badge

6.12.1

• [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
• [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
• [Refactor] utils: use +=
• [Tests] increase coverage

6.12.0

... (truncated)

Commits

• 3fa11a5 v6.14.1
• a626704 [Dev Deps] update npmignore
• 3086902 [Fix] ensure arrayLength applies to [] notation as well
• fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
• 0b06aac [Dev Deps] update @ljharb/eslint-config
• 64951f6 [Refactor] parse: extract key segment splitting helper
• e1bd259 [Dev Deps] update @ljharb/eslint-config
• f4b3d39 [eslint] add eslint 9 optional peer dep
• 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
• 973dc3c [actions] add workflow permissions
• Additional commits viewable in compare view

Updates tar-fs from 2.1.2 to 2.1.4

Commits

• f421a23 2.1.4
• c412fa1 refactor to same pattern as v3
• 4b7e868 2.1.3
• 266194b hardlink tweak from main
• See full diff in compare view

Updates validator from 13.7.0 to 13.15.26

Release notes

Sourced from validator's releases.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

New Contributors

• @​ds1371dani made their first contribution in validatorjs/validator.js#2634
• @​Numbers0689 made their first contribution in validatorjs/validator.js#2535

Full Changelog: validatorjs/validator.js@13.15.23...13.15.26

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

Full Changelog: validatorjs/validator.js@13.15.22...13.15.23

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

New Contributors

• @​mbtools made their first contribution in validatorjs/validator.js#2622
• @​koral-- made their first contribution in validatorjs/validator.js#2616

Full Changelog: validatorjs/validator.js@13.15.20...13.15.22

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

... (truncated)

Changelog

Sourced from validator's changelog.

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #2574 isBase64: improve padding regex @​KrayzeeKev
• #2584 isVAT: improve FR locale @​iamAmer
• #2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #2563 @​stoneLeaf
  • #2581 @​camillobruni

13.15.15

Fixes, New Locales and Enhancements

• isMobilePhone
  • #2514 improve el-CY locale @​rezk2ll
  • #2512 improve pt-AO locale @​renaldodev
  • #2502 improve ar-OM locale @​tomcastro
• #2089 isIP: allow usage of option object @​pixelbucket-dev
• #2526 isPassportNumber: improve CA locale @​evanbechtol
• #2491 isBase64: improve validation based on RFC4648 @​aseyfpour

... (truncated)

Commits

• 784e52a docs(matches): add ReDoS note to README (#2640)
• 6531047 fix(isHexColor): add require_hashtag option (#2535)
• f605a9c fix(isURL): handle possible bypass with URL-encoded content (#2633)
• a165ebe fix(isIBAN): improve IR locale (#2634)
• 9113304 fix(build): move to trusted publishing (#2631)
• f2b5c17 maintenance: 2511 release (#2627)
• d457eca fix(isLength): correctly handle Unicode variation selectors (#2616)
• f2e3633 docs: add install instructions to contibution guide (#2621)
• cf40145 fix: URL validation for hostnames with ports (no protocol) (#2622)
• 4af6124 maintenance: 2510 release (#2585)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for validator since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.