Bump the prod-patch-updates group across 1 directory with 5 updates

[dependabot]

Bumps the prod-patch-updates group with 5 updates in the /backend directory:

Package	From	To
@apidevtools/json-schema-ref-parser	15.3.5	15.3.6
better-sqlite3	12.10.0	12.10.1
mysql2	3.22.3	3.22.5
otplib	13.4.0	13.4.1
proxy-agent	8.0.1	8.0.2

Updates @apidevtools/json-schema-ref-parser from 15.3.5 to 15.3.6

Release notes

Sourced from @​apidevtools/json-schema-ref-parser's releases.

v15.3.6

15.3.6 (2026-06-11)

Bug Fixes

• block unsafe pointer set tokens (a786bc6)
• harden safe URL resolver (dea50b0)

Commits

• 5b1aee5 chore: migrate to pnpm
• dea50b0 fix: harden safe URL resolver
• a786bc6 fix: block unsafe pointer set tokens
• See full diff in compare view

Updates better-sqlite3 from 12.10.0 to 12.10.1

Release notes

Sourced from better-sqlite3's releases.

v12.10.1

What's Changed

• Bump the github-actions group across 1 directory with 4 updates by @​dependabot[bot] in WiseLibs/better-sqlite3#1451
• Fix V8 external API usage for Electron 42 by @​tstone-1 in WiseLibs/better-sqlite3#1475

Full Changelog: WiseLibs/better-sqlite3@v12.10.0...v12.10.1

Commits

• da6152c 12.10.1
• 5bb63a2 Fix V8 external API usage for Electron 42 (#1475)
• ca60e36 Bump the github-actions group across 1 directory with 4 updates (#1451)
• f93f490 Update SQLite to version 3.53.2 (#1483)
• See full diff in compare view

Updates mysql2 from 3.22.3 to 3.22.5

Release notes

Sourced from mysql2's releases.

v3.22.5

3.22.5 (2026-06-06)

Bug Fixes

• keep 00:00:00 time for TIMESTAMP in binary protocol with dateStrings (#4327) (2af33a1)

v3.22.4

3.22.4 (2026-05-24)

Bug Fixes

• pool: reject queued requests on end (#4291) (fbff09c)

Changelog

Sourced from mysql2's changelog.

3.22.5 (2026-06-06)

Bug Fixes

• keep 00:00:00 time for TIMESTAMP in binary protocol with dateStrings (#4327) (2af33a1)

3.22.4 (2026-05-26)

Bug Fixes

• pool: reject queued requests on end (#4291) (fbff09c)

Commits

• 14a479b chore(master): release 3.22.5 (#4328)
• 2af33a1 fix: keep 00:00:00 time for TIMESTAMP in binary protocol with dateStrings (#4...
• f3ce399 docs: add Cursor Cloud development environment instructions
• b895afe build(deps-dev): bump rollup in the dev-dependencies group (#4326)
• b8131c5 build(deps-dev): bump the dev-dependencies group with 5 updates (#4322)
• 63a8803 build(deps): bump the react group across 1 directory with 2 updates (#4323)
• 188a342 build(deps-dev): bump tsx (#4324)
• 8fc97ba build(deps): bump @​easyops-cn/docusaurus-search-local in /website (#4325)
• dd1fc93 build(deps-dev): bump eslint-plugin-prettier (#4318)
• 3fbadbd build(deps): bump postcss from 8.5.6 to 8.5.15 in /website (#4320)
• Additional commits viewable in compare view

Updates otplib from 13.4.0 to 13.4.1

Release notes

Sourced from otplib's releases.

v13.4.1

What's Changed

• fix: override flatted package security alert by @​yeojz in yeojz/otplib#820
• fix: override picomatch and yaml package security alerts by @​yeojz in yeojz/otplib#822
• refactor(testing): replace custom Deno adapter with @​std/expect by @​yeojz in yeojz/otplib#821
• fix: override brace-expansion package security alert by @​yeojz in yeojz/otplib#824
• chore: update github actions pinned images by @​yeojz in yeojz/otplib#823
• Add @​otplib/plugin-base32-alt to dependencies by @​yeojz in yeojz/otplib#825
• chore: harden supply chain with cooldown and version pinning by @​yeojz in yeojz/otplib#826
• refactor(testing): centralize test secrets into shared module by @​yeojz in yeojz/otplib#831
• chore(deps): bump the github-actions group with 5 updates by @​dependabot[bot] in yeojz/otplib#827
• refactor(testing): rename test secret constants for semantic clarity by @​yeojz in yeojz/otplib#832
• chore(deps-dev): bump the dev-dependencies-minor group with 4 updates by @​dependabot[bot] in yeojz/otplib#828
• refactor: replace size-limit with native bundle size check by @​yeojz in yeojz/otplib#835
• chore(deps-dev): bump vite from 7.3.1 to 8.0.0 by @​dependabot[bot] in yeojz/otplib#830
• refactor/docs/unusedImport by @​ValeriYanev98 in yeojz/otplib#837
• fix(security): address npm audit vulnerabilities by @​yeojz in yeojz/otplib#839
• fix(docker): bump pnpm to 10.30.1 to match packageManager by @​yeojz in yeojz/otplib#847
• docs: note short-secret guardrail override for legacy/test secrets by @​yeojz in yeojz/otplib#848
• docs(getting-started): clarify when each function runs by @​yeojz in yeojz/otplib#846
• chore(deps): bump vite from 5.4.21 to 8.0.10 by @​dependabot[bot] in yeojz/otplib#845
• chore(deps-dev): bump the dev-dependencies-patch group across 1 directory with 6 updates by @​dependabot[bot] in yeojz/otplib#849
• chore(deps-dev): bump the dev-dependencies-minor group across 1 directory with 6 updates by @​dependabot[bot] in yeojz/otplib#841
• docs(otplib): note 16-byte minimum and fix broken secret-handling link by @​yeojz in yeojz/otplib#851
• chore(deps-dev): bump @​codecov/bundle-analyzer from 1.9.1 to 2.0.1 by @​dependabot[bot] in yeojz/otplib#843
• fix(benchmarks): adapt to tinybench v6 TaskResult shape by @​yeojz in yeojz/otplib#852
• chore(deps): bump the github-actions group across 1 directory with 6 updates by @​dependabot[bot] in yeojz/otplib#844
• chore(deps): bump @​noble/hashes and @​scure/base to 2.2.0 by @​yeojz in yeojz/otplib#853
• chore(deps-dev): bump turbo from 2.9.9 to 2.9.14 by @​dependabot[bot] in yeojz/otplib#855
• ci: split security audit into blocking prod and informational full scans by @​yeojz in yeojz/otplib#857
• chore(deps-dev): bump vite from 8.0.10 to 8.0.11 by @​dependabot[bot] in yeojz/otplib#856
• release(packages): v13.4.1 by @​github-actions[bot] in yeojz/otplib#854

New Contributors

• @​ValeriYanev98 made their first contribution in yeojz/otplib#837

Full Changelog: yeojz/otplib@v13.4.0...v13.4.1

Commits

• 1d997b0 release(packages): v13.4.1 (#854)
• 0e9566f docs(otplib): note 16-byte minimum and fix broken secret-handling link (#851)
• e01b4f1 chore(deps-dev): bump the dev-dependencies-patch group across 1 directory wit...
• 212534b chore(deps-dev): bump the dev-dependencies-minor group with 4 updates (#828)
• b54adad refactor(testing): rename test secret constants for semantic clarity (#832)
• 4898252 refactor(testing): centralize test secrets and normalize naming (#831)
• See full diff in compare view

Updates proxy-agent from 8.0.1 to 8.0.2

Release notes

Sourced from proxy-agent's releases.

proxy-agent@8.0.2

Patch Changes

• Updated dependencies [1852c75]
• Updated dependencies [d8f2926]
• Updated dependencies [84e85ed]
• Updated dependencies [8487a78]
• Updated dependencies [3ebf4b2]
• Updated dependencies [ce0243e]
  • https-proxy-agent@9.1.0
  • http-proxy-agent@9.1.0
  • pac-proxy-agent@9.1.0
  • socks-proxy-agent@10.1.0

Changelog

Sourced from proxy-agent's changelog.

8.0.2

Patch Changes

• Updated dependencies [1852c75]
• Updated dependencies [d8f2926]
• Updated dependencies [84e85ed]
• Updated dependencies [8487a78]
• Updated dependencies [3ebf4b2]
• Updated dependencies [ce0243e]
  • https-proxy-agent@9.1.0
  • http-proxy-agent@9.1.0
  • pac-proxy-agent@9.1.0
  • socks-proxy-agent@10.1.0

Commits

• b7e5f7c test: increase timeout for flaky keepAlive test on Windows (#434)
• 065d1ff Version Packages (#416)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[nginxproxymanagerci]

Docker Image for build 1 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5660

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!