chore(deps): bump the security group across 1 directory with 9 updates

[dependabot]

Bumps the security group with 9 updates in the /web directory:

Package	From	To
lodash	4.17.21	4.17.23
@babel/cli	7.28.3	7.28.6
autoprefixer	10.4.22	10.4.27
axios	1.13.2	1.13.6
css-loader	7.1.2	7.1.4
html-webpack-plugin	5.6.5	5.6.6
postcss-loader	8.2.0	8.2.1
sass-loader	16.0.6	16.0.7
webpack-dev-server	5.2.2	5.2.3

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates @babel/cli from 7.28.3 to 7.28.6

Release notes

Sourced from @​babel/cli's releases.

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • #17589 Improve Unicode handling in code-frame tokenizer (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17556 fix: transform-regenerator correctly handles scope (@​liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • #17538 fix: Keep jsx comments (@​liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • #17606 Polish(standalone): improve message on invalid preset/plugin (@​JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • #17580 Allow Babel 8 in compatible Babel 7 plugins (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-react-jsx
  • #17555 perf: Use lighter traversal for jsx __source,__self (@​liuxingbaoyu)

Committers: 7

• Babel Bot (@​babel-bot)
• Eliot Pontarelli (@​kolvian)
• Huáng Jùnliàng (@​JLHwung)
• Kadhirash Sivakumar (@​kadhirash)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• coderaiser (@​coderaiser)

v7.28.5 (2025-10-23)

Thank you @​CO0Ki3, @​Olexandr88, and @​youthfulhps for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@​liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@​fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@​CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@​JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@​JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring

... (truncated)

Commits

• d7f4008 v7.28.6
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• d9fa9c5 [Babel 8]: Bump glob to v12 (#17594)
• c92c491 Improve Unicode handling in code-frame tokenizer (#17589)
• 83964de [Babel 8] chore: bump glob to v11 (#17590)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/cli since your current version.

Updates autoprefixer from 10.4.22 to 10.4.27

Release notes

Sourced from autoprefixer's releases.

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

Changelog

Sourced from autoprefixer's changelog.

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

Commits

• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• 06ea988 Release 10.4.25 version
• 47d8a5b Update dependencies and fix Node.js 25
• 51c596e Add Node.js 25 and 24 to CI
• 5239823 Fix CSS variables in gradients (#1515) (#1544)
• 36692c2 Release 10.4.24 version
• Additional commits viewable in compare view

Updates axios from 1.13.2 to 1.13.6

Release notes

Sourced from axios's releases.

v1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#7424)
• Documentation: Added missing JSDoc comments to utilities. (#7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#7386)
• @​ybbus (#7392)
• @​Shiwaangee (#7324)
• @​skrtheboss (#7403)
• @​Janaka66 (#7427)
• @​moh3n9595 (#5764)
• @​digital-wizard48 (#7424)

Full Changelog: v1.13.5...v1.13.6

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 7108c88 chore(release): prepare release 1.13.6 (#7446)
• 20a0ba3 refactor(deps): migrate @​rollup/plugin-babel from v5.3.1 to v6.1.0 (#7424)
• 885b4af feat: support react native blob objects (#5764)
• 00d97b9 docs(utils): add missing JSDoc comments (#7427)
• 9712548 chore(deps-dev): bump the development_dependencies group across 1 directory w...
• d51accb fix(core): copy status from source error in AxiosError.from (#7403)
• 3e30bbf chore: fix publish to only run on v1 tags
• 672491d fix: safe FormData detection for WeChat Mini Program (#7306) (#7324)
• 822e3e4 fix: make AxiosError.message property enumerable (#7392)
• ef3711d feat: implement prettier and fix all issues (#7385)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates css-loader from 7.1.2 to 7.1.4

Release notes

Sourced from css-loader's releases.

v7.1.4

7.1.4 (2026-02-16)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#1652) (aeddefe)

v7.1.3

7.1.3 (2026-01-27)

Bug Fixes

• allow to use module class name (#1649) (01869bc)
• use official createHash for hashes (#1618) (06587e5)
• use official hash* options for hashes (#1619) (9544c3e)

Changelog

Sourced from css-loader's changelog.

7.1.4 (2026-02-16)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#1652) (aeddefe)

7.1.3 (2026-01-27)

Bug Fixes

• allow to use module class name (#1649) (01869bc)
• use official createHash for hashes (#1618) (06587e5)
• use official hash* options for hashes (#1619) (9544c3e)

Commits

• 5b795af chore(release): 7.1.4
• aeddefe fix: update peer dependency for @​rspack/core v2 (#1652)
• b2b2de7 chore(release): 7.1.3
• 01869bc fix: allow to use module class name (#1649)
• 7dd15ec chore(deps): bump js-yaml (#1648)
• db26202 chore(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#1647)
• 7daf1b8 Update CONTRIBUTING link to point to GitHub page
• de1e633 chore: correct link path (#1645)
• 563ad63 chore: migrate from contrib and swap branches (#1644)
• e68bf7e chore: update github actions/checkout from v4 to v5 (#1642)
• Additional commits viewable in compare view

Updates html-webpack-plugin from 5.6.5 to 5.6.6

Changelog

Sourced from html-webpack-plugin's changelog.

5.6.6 (2026-01-16)

Bug Fixes

• compatibility with handlebars-loader (#1882) (a8e563b)

Commits

• 723ed41 chore(release): 5.6.6
• a8e563b fix: compatibility with handlebars-loader (#1882)
• See full diff in compare view

Updates postcss-loader from 8.2.0 to 8.2.1

Release notes

Sourced from postcss-loader's releases.

v8.2.1

8.2.1 (2026-02-15)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#717) (a3ed7e2)

Changelog

Sourced from postcss-loader's changelog.

8.2.1 (2026-02-15)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#717) (a3ed7e2)

Commits

• 583677e chore(release): 8.2.1
• a3ed7e2 fix: update peer dependency for @​rspack/core v2 (#717)
• c984ff4 test: fix (#715)
• cc01d2b ci: fix
• d4faa34 docs: update contributing
• b1e4fa5 chore: correct link (#713)
• d990168 chore: migration to main org and branch (#712)
• See full diff in compare view

Updates sass-loader from 16.0.6 to 16.0.7

Release notes

Sourced from sass-loader's releases.

v16.0.7

16.0.7 (2026-02-05)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#1291) (24d12ec)

Changelog

Sourced from sass-loader's changelog.

16.0.7 (2026-02-05)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#1291) (24d12ec)

Commits

• 694c8d9 chore(release): 16.0.7
• 147d6ab ci: lint fix (#1294)
• 24d12ec fix: update peer dependency for @​rspack/core v2 (#1291)
• 068201f docs: fix link (#1287)
• See full diff in compare view

Updates webpack-dev-server from 5.2.2 to 5.2.3

Release notes

Sourced from webpack-dev-server's releases.

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

• add cause for errorObject (#5518) (37b033d)
• compatibility with event target and universal target and lazy compilation (574026c)
• overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
• progress indicator styles (#5557) (41a53a1)
• upgrade selfsigned to v5

Changelog

Sourced from webpack-dev-server's changelog.

5.2.3 (2026-01-12)

Bug Fixes

• add cause for errorObject (#5518) (37b033d)
• compatibility with event target and universal target and lazy compilation (574026c)
• overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
• progress indicator styles (#5557) (41a53a1)
• upgrade selfsigned to v5

Commits

• b550a70 chore(release): 5.2.3
• 9704dc5 chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)
• 92bf644 chore: bump express to update qs (#5621)
• 792b2f0 chore(deps-dev): bump the dependencies group with 4 updates (#5606)
• 6d587ca chore(deps): bump the dependencies group across 1 directory with 27 updates (...
• f91baa8 fix(overlay): add ESC key to dismiss overlay (#5598)
• 574026c fix: compatibility with event target and universal target and lazy compilation
• c53955d docs: remove unused files
• efe0aea test: fix
• b6bb50c chore(deps): update
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[netlify]

✅ Deploy Preview for kurlsh-testgrid ready!

Name	Link
🔨 Latest commit	a8b2272
🔍 Latest deploy log	https://app.netlify.com/projects/kurlsh-testgrid/deploys/69a3a3193553e5000833acba
😎 Deploy Preview	https://deploy-preview-978--kurlsh-testgrid.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for kurlsh-testgrid-staging ready!

Name	Link
🔨 Latest commit	a8b2272
🔍 Latest deploy log	https://app.netlify.com/projects/kurlsh-testgrid-staging/deploys/69a3a3192e9f3a000855aaf8
😎 Deploy Preview	https://deploy-preview-978--kurlsh-testgrid-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.