
Bump umzug from 3.8.2 to 3.8.3 #641

Open
dependabot[bot] wants to merge 1 commit into debug from dependabot/bun/umzug-3.8.3

Conversation


@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps umzug from 3.8.2 to 3.8.3.

Release notes

Sourced from umzug's releases.

v3.8.3

mostly just a security patch update

pnpm audit --prod output before 4272daa25ac2fed4e71973f04253f8219f42c26c:

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Validator is Vulnerable to Incomplete Filtering of One │
│                     │ or More Instances of Special Elements                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ validator                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <13.15.22                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.15.22                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @rushstack/ts-command-line@4.19.1 >                │
│                     │ @rushstack/terminal@0.10.0 >                           │
│                     │ @rushstack/node-core-library@4.0.2 > z-schema@5.0.5 >  │
│                     │ validator@13.11.0                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-vghf-hv5q-vc2g      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Picomatch has a ReDoS vulnerability via extglob        │
│                     │ quantifiers                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ picomatch                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.0.4                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.0.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > tinyglobby@0.2.13 > fdir@6.4.4 > picomatch@4.0.2   │
│                     │                                                        │
│                     │ . > tinyglobby@0.2.13 > picomatch@4.0.2                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c2c7-rcm5-vvqj      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ validator.js has a URL validation bypass vulnerability │
│                     │ in its isURL function                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ validator                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <13.15.20                                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=13.15.20                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @rushstack/ts-command-line@4.19.1 >                │

... (truncated)

Commits

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on May 1, 2026
Bumps [umzug](https://github.com/sequelize/umzug) from 3.8.2 to 3.8.3.
- [Release notes](https://github.com/sequelize/umzug/releases)
- [Changelog](https://github.com/sequelize/umzug/blob/main/CHANGELOG.md)
- [Commits](sequelize/umzug@v3.8.2...v3.8.3)

---
updated-dependencies:
- dependency-name: umzug
  dependency-version: 3.8.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/bun/umzug-3.8.3 branch from a82477f to 7a3f491 on May 31, 2026 12:44