Bump the prod-minor-updates group across 1 directory with 8 updates

[dependabot]

Bumps the prod-minor-updates group with 8 updates in the /backend directory:

Package	From	To
ajv	8.18.0	8.20.0
better-sqlite3	12.6.2	12.9.0
knex	3.1.0	3.2.9
liquidjs	10.24.0	10.25.7
lodash	4.17.23	4.18.1
mysql2	3.18.2	3.22.3
otplib	13.3.0	13.4.0
pg	8.19.0	8.20.0

Updates ajv from 8.18.0 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• See full diff in compare view

Updates better-sqlite3 from 12.6.2 to 12.9.0

Release notes

Sourced from better-sqlite3's releases.

v12.9.0

What's Changed

• Update SQLite to version 3.53.0 in WiseLibs/better-sqlite3#1464

Full Changelog: WiseLibs/better-sqlite3@v12.8.0...v12.9.0

v12.8.0

What's Changed

• Readme: requires Node.js v20 or later by @​Prinzhorn in WiseLibs/better-sqlite3#1443
• Update SQLite to version 3.51.3 in WiseLibs/better-sqlite3#1460
• fix: use HolderV2() for PropertyCallbackInfo on V8 >= 12.5 by @​tstone-1 in WiseLibs/better-sqlite3#1459

New Contributors

• @​tstone-1 made their first contribution in WiseLibs/better-sqlite3#1459

Why SQLite v3.51.3 instead of v3.52.0

From the SQLite team:

Some important issues have been found with version 3.52.0. In order to give us time to deal with those issues, we plan to withdraw the 3.52.0 release. In its place, we will put up a new 3.51.3 patch release that includes a fix for the recently discovered WAL-reset bug as well as other patches. This will happen probably within about the next twelve hours.

Hence, if you were planning to upgrade to 3.52.0 tomorrow (Friday, 2026-03-14), perhaps it would be better to wait a day or so for 3.51.3.

At some point we will do version 3.52.1 which will hopefully resolve the issues that have arisen with the 3.52.0 release.

Full Changelog: WiseLibs/better-sqlite3@v12.7.1...v12.8.0

v12.7.1

Also not a viable release

The V8 API change was more bonkers than expected. See v12.8.0.

What's Changed

• fix: use Holder() instead of This() for Electron 41 compatibility by @​mceachen in WiseLibs/better-sqlite3#1456
• Roll back to SQLite to version 3.51.2 in WiseLibs/better-sqlite3#1457

Full Changelog: WiseLibs/better-sqlite3@v12.7.0...v12.7.1

v12.7.0

CAUTION: NOT A VIABLE RELEASE

Two (!!) reasons:

1. Electron v41 bit us and removed functions we were using, so a bunch of prebuilds are missing
2. From the SQLite team:

   Some important issues have been found with version 3.52.0. In order to give us time to deal with those issues, we plan to withdraw the 3.52.0 release. In its place, we will put up a new 3.51.3 patch release that includes a fix for the recently discovered WAL-reset bug as well as other patches. This will happen probably within about the next twelve hours.

What's Changed

... (truncated)

Commits

• 4058d24 12.9.0
• f653513 Update SQLite to version 3.53.0 (#1464)
• fe774f5 12.8.0
• 8617ed6 fix: use HolderV2() for PropertyCallbackInfo on V8 >= 12.5 (#1459)
• 959a018 Update SQLite to version 3.51.3 (#1460)
• 43729c0 Readme: requires Node.js v20 or later (#1443)
• 27dc751 12.7.1
• db1119c Update SQLite to version 3.51.2 (#1457)
• d2c4815 fix: use Holder() instead of This() for Electron 41 compatibility (#1456)
• ef9ffce 12.7.0
• Additional commits viewable in compare view

Updates knex from 3.1.0 to 3.2.9

Release notes

Sourced from knex's releases.

3.2.9

What's Changed

• fix(sqlite): append RETURNING statement when insert empty row by @​ylc395 in knex/knex#5471
• fix(postgres): escape double quotes in searchPath to prevent SQL injection by @​OlivierCavadenti in knex/knex#6411
• fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't by @​erulabs in knex/knex#6429
• fix: add type support for Array which is supported in code but not in types. Add test to cover as well by @​erulabs in knex/knex#6428

New Contributors

• @​ylc395 made their first contribution in knex/knex#5471
• @​erulabs made their first contribution in knex/knex#6429

Full Changelog: knex/knex@3.2.8...3.2.9

3.2.8

What's Changed

• fix: TS types for update with subquery by @​tgriesser in knex/knex#6419
• fix: revert exports map added in #6227 by @​tgriesser in knex/knex#6422

Full Changelog: knex/knex@3.2.7...3.2.8

3.2.7

What's Changed

• chore: omit ./scripts from published package by @​myndzi in knex/knex#6356
• fix: handle lowercase INFORMATION_SCHEMA keys in MySQL renameColumn by @​OlivierCavadenti in knex/knex#6407
• fix: sqlite DDL operations failing inside transactions #6402 by @​tgriesser in knex/knex#6408
• fix: correct binding order in delete with subquery join by @​OlivierCavadenti in knex/knex#6412
• docs: add link for the knex-ibmi dialect by @​bskimball in knex/knex#6359
• chore: add codecov by @​tgriesser in knex/knex#6416
• chore: add dockerhub credentials to prevent CI rate limiting by @​tgriesser in knex/knex#6418
• fix: remove __knexTxId from connection on release by @​joshAg in knex/knex#5288
• fix: clone config in client constructor by @​castarco in knex/knex#5633

New Contributors

• @​bskimball made their first contribution in knex/knex#6359
• @​joshAg made their first contribution in knex/knex#5288

Full Changelog: knex/knex@3.2.6...3.2.7

3.2.6

What's Changed

• Fix ESM types by @​kibertoad in knex/knex#6404
• fix ESM exports by @​kibertoad in knex/knex#6405
• fix: add type exports by @​tgriesser in knex/knex#6406

Full Changelog: knex/knex@3.2.3...3.2.6

3.2.3

What's Changed

... (truncated)

Changelog

Sourced from knex's changelog.

3.2.9 - 3 April, 2026

Bug fixes

• fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't #6429
• fix(postgres): escape double quotes in searchPath to prevent SQL injection #6411
• fix(sqlite): append RETURNING statement when insert empty row #5471
• fix: add type support for Array #6428

3.2.8 - 30 March, 2026

Bug fixes

• Reverts the breaking changes added in #6227. This means that the ESM import of Knex is reverted to import { knex } from 'knex/knex.mjs #6422
• fix(types): allow a QueryBuilder type as a value in an update #6419

3.2.7 - 27 March, 2026

Bug fixes

• fix sqlite DDL operations failing inside transactions #6408
• fix: handle lowercase INFORMATION_SCHEMA keys in MySQL renameColumn #6407
• fix: clone config in client constructor #5633
• fix: remove __knexTxId from transaction connection on release #5288
• fix: correct binding order in delete with subquery join #6412
• chore: omit ./scripts from published package #6356

3.2.6 - 24 March, 2026

Bug fixes

• Fix module exports #6406

3.2.5 - 23 March, 2026

Bug fixes

• Fix ESM exports #6405

3.2.4 - 23 March, 2026

Bug fixes

• Fix ESM type exports #6404

3.2.1 - 22 March, 2026

Bug fixes

• Fix subpath imports broken by exports field added in 3.2.0. Packages relying on deep imports (e.g. knex/lib/dialects/sqlite3/index) were blocked by the restrictive exports map

... (truncated)

Commits

• b3847cd release 3.2.9
• 59c8f5f fix: add type support for Array<Buffer> (#6428)
• d40095c fix: support DELETE... LIMIT in dialects that support it (mysql), but continu...
• 7ae8857 fix(postgres): escape double quotes in searchPath to prevent SQL injection (#...
• f44f75a fix(sqlite): append RETURNING statement when insert empty row (#5471)
• 8198fa6 release 3.2.8
• a077f37 chore: update changelog & release script
• 94185ae fix: revert exports map added in #6227 (#6422)
• e7f24c1 fix: TS types for update with subquery (#6419)
• 633b4a4 release 3.2.7
• Additional commits viewable in compare view

Updates liquidjs from 10.24.0 to 10.25.7

Release notes

Sourced from liquidjs's releases.

v10.25.7

10.25.7 (2026-04-23)

Bug Fixes

• filters: support Buffer input in base64_encode to prevent binary data corruption (#881) (0ee6dbb)

v10.25.6

10.25.6 (2026-04-19)

Bug Fixes

• nested block for layout (#883) (e2311df)

v10.25.5

10.25.5 (2026-04-07)

Bug Fixes

• enforce root containment for renderFile/parseFile lookups (#870) (f41c1fc)
• null date should return empty (#868) (#872) (4f9a499)
• rounding negative away from zero when half (#873) (1cdf10b)

v10.25.4

10.25.4 (2026-04-07)

Bug Fixes

• sort and sort_natural filters bypass ownPropertyOnly (#869) (e743da0)

v10.25.3

10.25.3 (2026-04-06)

Bug Fixes

• precise memoryLimit for string replace (abc058b)
• use realpath for fs.contains (#867) (529dd67)

v10.25.2

10.25.2 (2026-03-25)

Bug Fixes

• handle undefined replacement argument in replace filter (#864) (0ad2b11)

... (truncated)

Changelog

Sourced from liquidjs's changelog.

10.25.7 (2026-04-23)

Bug Fixes

• filters: support Buffer input in base64_encode to prevent binary data corruption (#881) (0ee6dbb)

10.25.6 (2026-04-19)

Bug Fixes

• nested block for layout (#883) (e2311df)

10.25.5 (2026-04-07)

Bug Fixes

• enforce root containment for renderFile/parseFile lookups (#870) (f41c1fc)
• null date should return empty (#868) (#872) (4f9a499)
• rounding negative away from zero when half (#873) (1cdf10b)

10.25.4 (2026-04-07)

Bug Fixes

• sort and sort_natural filters bypass ownPropertyOnly (#869) (e743da0)

10.25.3 (2026-04-06)

Bug Fixes

• precise memoryLimit for string replace (abc058b)
• use realpath for fs.contains (#867) (529dd67)

10.25.2 (2026-03-25)

Bug Fixes

• handle undefined replacement argument in replace filter (#864) (0ad2b11)

10.25.1 (2026-03-22)

Bug Fixes

... (truncated)

Commits

• 3487795 chore(release): 10.25.7 [skip ci]
• 75c815a docs: add @​talboren as financial contributor (#886)
• f1f896c docs: add talboren as a contributor for code (#885)
• 0ee6dbb fix(filters): support Buffer input in base64_encode to prevent binary data co...
• 30e04ba chore(release): 10.25.6 [skip ci]
• e2311df fix: nested block for layout (#883)
• 2def22c docs(readme): add Kibana to README.md (#882)
• 4af7be6 chore(release): 10.25.5 [skip ci]
• 05c47da refactor: replace shell scripts with JS for cross-platform support (#875)
• 66011d1 docs: add timbze as a contributor for code (#874)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for liquidjs since your current version.

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates mysql2 from 3.18.2 to 3.22.3

Release notes

Sourced from mysql2's releases.

v3.22.3

3.22.3 (2026-04-24)

Bug Fixes

• allow resetOnRelease in connection config validation (#4278) (e72f923)

v3.22.2

3.22.2 (2026-04-21)

Bug Fixes

• promise: point rejection stacks at caller for promise API (#4267) (c79a3f3)

v3.22.1

3.22.1 (2026-04-17)

Bug Fixes

• async stack traces not pointing to correct source, regression introduced by #4257 (#4265) (5b6206c)
• packet: return INVALID_DATE for zero dates with numeric timezone offset (#1019) (#4258) (cb5adcc)

v3.22.0

3.22.0 (2026-04-10)

Features

• disable mysql_clear_password plugin by default (#4236) (884bec5), closes #1617
• implement COM_RESET_CONNECTION with pool integration (#4148) (49a64cc)

Performance Improvements

• defer Error object creation to error handlers in promise wrappers (#4257) (ab131de)

v3.21.1

3.21.1 (2026-04-09)

Bug Fixes

• limit client flags to server capabilities (#4227) (e1930b8)
• use Number.isSafeInteger for supportBigNumbers boundary check (#4225) (295264b)

v3.21.0

3.21.0 (2026-04-09)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.22.3 (2026-04-24)

Bug Fixes

• allow resetOnRelease in connection config validation (#4278) (e72f923)

3.22.2 (2026-04-21)

Bug Fixes

• promise: point rejection stacks at caller for promise API (#4267) (c79a3f3)

3.22.1 (2026-04-17)

Bug Fixes

• async stack traces not pointing to correct source, regression introduced by #4257 (#4265) (5b6206c)
• packet: return INVALID_DATE for zero dates with numeric timezone offset (#1019) (#4258) (cb5adcc)

3.22.0 (2026-04-10)

Features

• disable mysql_clear_password plugin by default (#4236) (884bec5), closes #1617
• implement COM_RESET_CONNECTION with pool integration (#4148) (49a64cc)

Performance Improvements

• defer Error object creation to error handlers in promise wrappers (#4257) (ab131de)

3.21.1 (2026-04-09)

Bug Fixes

• limit client flags to server capabilities (#4227) (e1930b8)
• use Number.isSafeInteger for supportBigNumbers boundary check (#4225) (295264b)

3.21.0 (2026-04-09)

Features

• add support for query attributes (#4223) (d732f78)
• types: export ExecuteValues and QueryValues from entry point (9fafd6f)

... (truncated)

Commits

• 908402e chore(master): release 3.22.3 (#4279)
• 8078ad0 build(deps): bump lucide-react from 1.8.0 to 1.9.0 in /website (#4280)
• e72f923 fix: allow resetOnRelease in connection config validation (#4278)
• 77afd80 build(deps-dev): bump the dev-dependencies group with 2 updates (#4274)
• 77626a7 chore(master): release 3.22.2 (#4271)
• d615967 build(deps-dev): bump the dev-dependencies group with 2 updates (#4272)
• 9245c08 build(deps-dev): bump poku (#4273)
• c79a3f3 fix(promise): point rejection stacks at caller for promise API (#4267)
• fe5df8e cd: ensure settings are processed by release-please (#4270)
• a65c706 ci(github-actions): upgrade workflows to Node 24 action runtimes (#4268)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mysql2 since your current version.

Updates otplib from 13.3.0 to 13.4.0

Release notes

Sourced from otplib's releases.

v13.4.0

What's Changed

• fix(deps): resolve markdown-it ReDoS vulnerability by @​yeojz in yeojz/otplib#798
• chore(deps-dev): bump the dev-dependencies-minor group with 3 updates by @​dependabot[bot] in yeojz/otplib#800
• chore: update dependabot to monthly cadence by @​yeojz in yeojz/otplib#802
• chore: upgrade dependencies to latest versions by @​Copilot in yeojz/otplib#804
• Upgrade pnpm to 10.30.1 to fix audit endpoint issue by @​Copilot in yeojz/otplib#805
• chore: override minimatch by @​yeojz in yeojz/otplib#806
• docs: improve package READMEs with accurate API context and usage examples by @​yeojz in yeojz/otplib#803
• Fix docs by @​BobTheShoplifter in yeojz/otplib#807
• ci: skip reporting job on fork PRs by @​yeojz in yeojz/otplib#808
• chore: override ajv to fix moderate ReDoS vulnerability by @​yeojz in yeojz/otplib#809
• feat: add IIFE/CDN build support to otplib by @​yeojz in yeojz/otplib#810
• fix: update release titles to use version-prefixed format by @​yeojz in yeojz/otplib#811
• chore: move otplib-cli to packages/ and sync versioning by @​yeojz in yeojz/otplib#812
• docs(totp): add string secrets and authenticator compatibility notes to README by @​yeojz in yeojz/otplib#813
• chore(deps-dev): bump the dev-dependencies-patch group with 5 updates by @​dependabot[bot] in yeojz/otplib#814
• chore(deps): bump the github-actions group with 3 updates by @​dependabot[bot] in yeojz/otplib#816
• chore(deps-dev): bump @​eslint/js from 9.39.2 to 9.39.3 by @​dependabot[bot] in yeojz/otplib#815
• fix: override undici package security alert by @​yeojz in yeojz/otplib#818
• release(packages): v13.4.0 by @​github-actions[bot] in yeojz/otplib#819

New Contributors

• @​BobTheShoplifter made their first contribution in yeojz/otplib#807

Full Changelog: yeojz/otplib@v13.3.0...v13.4.0

Commits

• e5490bb release(packages): v13.4.0 (#819)
• 3352eeb docs(totp): add string secrets and authenticator compatibility notes to READM...
• 9038272 feat: add IIFE/CDN build support to otplib (#810)
• 4fd86b5 chore: update readme tip/important blocks
• 6c9ed1c docs: improve package READMEs with accurate API context and usage examples (#...
• See full diff in compare view

Updates pg from 8.19.0 to 8.20.0

Changelog

Sourced from pg's changelog.

pg@8.20.0

• Add onConnect callback to pg.Pool constructor options allowing for async initialization of newly created & connected pooled clients.

Commits

• c9070cc Publish
• ad36e3c fix: typo in deprecation notice for client.query() (#3618)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[nginxproxymanagerci]

Docker Image for build 1 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5510

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!