build(deps): bump the production-dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the production-dependencies group with 6 updates in the / directory:

Package	From	To
dotenv	17.3.1	17.4.2
helmet	8.1.0	8.2.0
mongodb	7.1.1	7.2.0
mongoose	9.3.3	9.6.2
swagger-jsdoc	6.2.8	6.3.0
zod	4.3.6	4.4.3

Updates dotenv from 17.3.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

• Improved skill files - tightened up details (#1009)

17.4.1 (2026-04-05)

Changed

• Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#1003)

Commits

• f116f70 17.4.2
• 3a81612 fix visual order of faq
• 13f55a8 Merge branch 'skill'
• 4bbbf73 reorganize faq
• c3da64b Merge pull request #1009 from motdotla/skill
• 6f743b1 update source
• fc2c624 update skill
• 972315b Tighten up skill
• 2795fce reorganize faq
• d5495d4 adjust skill
• Additional commits viewable in compare view

Updates helmet from 8.1.0 to 8.2.0

Changelog

Sourced from helmet's changelog.

8.2.0 - 2026-05-21

• Cross-Origin-Opener-Policy: support noopener-allow-popups. See #522
• Improve error message when passing duplicate options

Commits

• 638e43b 8.2.0
• fdf25a8 Update changelog for 8.2.0 release
• bd293b7 Update devDependencies to latest versions
• 81ce5cc Test supported Node versions on CI
• 807a888 Update to new URL
• d4e0128 Add direct link to FAQ
• 437d2eb Bump actions/setup-node from 6.3.0 to 6.4.0 (#537)
• a6bd779 Upgrade actions/setup-node to 6.3.0
• 1e09f5f Fix changelog typo
• d526f5c Bump Picomatch dev sub-dependency
• Additional commits viewable in compare view

Updates mongodb from 7.1.1 to 7.2.0

Release notes

Sourced from mongodb's releases.

v7.2.0

7.2.0 (2026-04-17)

The MongoDB Node.js team is pleased to announce version 7.2.0 of the mongodb package!

Release Notes

⚙️ Added support for MongoDB's Intelligent Workload Management

Added support for MongoDB's Intelligent Workload Management (IWM) and ingress connection rate limiting features. The driver now gracefully handles write-blocking scenarios and optimizes connection establishment during high-load conditions to maintain application availability.

Two new client options are available:

• maxAdaptiveRetries (default: 2) - configures the maximum number of retries during server overload. Set to 0 to disable overload retries.
• enableOverloadRetargeting (default: false) - when enabled, the driver will deprioritize servers that return overload errors during retry server selection.

🧩 Runtime and platform compatibility improvements

Node-specific platform APIs replaced with standards-based equivalents

The following Node-specific APIs have been replaced with standards-based equivalents:

• The driver now uses the standard Uint8Array APIs instead of the Node‑specific Buffer APIs.
• The driver now uses the standard Web Crypto API globalThis.crypto instead of the Node‑specific crypto API.

These changes reduce the number of patches required to run the driver outside of Node.js and improve compatibility with non-Node.js runtimes.

Experimental Support for Dependency Injection of Nodejs Runtime Dependencies

This release introduces a new MongoClient option, runtimeAdapters. runtimeAdapters allows injection of core Nodejs APIs, to allow users of the driver to use alternative runtimes that don't support Nodejs compatibility or work in restricted environments.

[!WARNING] runtimeAdapters is experimental and the actual interface of each dependency might change at any time.

Notes about usage of runtimeAdapters:

1. If no runtimeAdapter is provided for a core Nodejs module that the driver uses, the driver will import the corresponding module from Nodejs.
2. Adapters are per-client.
3. Each adapter specifies the required APIs as a part of its Typescript API definition. There are no runtime checks to ensure all required functions are provided; the onus is on users to ensure that all required module dependencies are provided.
4. The runtimeAdapters Typescript types currently rely on Nodejs' type definitions (@types/node). To use runtimeAdapters in a Typescript project, @types/node must be installed as well.
5. When providing a module in runtimeAdapters, all required functions inside that module must be provided. For example, when injecting the os module, the platform() function cannot be omitted.

runtimeAdapters supports injecting Nodejs' os module

The os module is pluggable using runtimeAdapters:

const os: OsAdapter = {
  // implement the required OSAdapter interface
}
</tr></table> 

... (truncated)

Changelog

Sourced from mongodb's changelog.

7.2.0 (2026-04-17)

Features

• NODE-7142: Exponential backoff and jitter in retry loops (#4871) (22c6031)
• NODE-7315: Use BSON ByteUtils instead of Nodejs Buffer (#4840) (1add538)
• NODE-7335: Create dedicated mocha runner with isolated vm context (#4876) (a4cba4c)
• NODE-7379: Refactor Crypto to Web Crypto API (#4862) (ac98f4a)
• NODE-7385: add experimental os runtime adapter (#4851) (d2ad07f)
• NODE-7441: add ChangeStream.bufferedCount (#4870) (f7ea421)
• NODE-7452: restrict server deprioritization on replica sets to overload errors (#4875) (87a3465)
• NODE-7467: make token bucket optional in client backpressure (#4878) (4fb0a0a)
• NODE-7491: finalize client backpressure implementation for phase 1 rollout (#4920) (2cc7983)

Bug Fixes

• NODE-7430: throw timeout error when withTransaction retries exceed deadline (#4897) (16a899d)
• NODE-7459: explicitly call setKeepAlive and setNoDelay on socket (#4879) (778a2a1)
• NODE-7469: overload retry when retryReads/Writes=false (#4888) (4157b26)
• NODE-7478: OIDC host allowlist fix (#4905) (f36b754)

7.1.0 (2026-02-02)

Features

• NODE-5393: aws4 no longer required for AWS authentication (#4824) (0f46db8)
• NODE-7121: prevent connection churn on backpressure errors when establishing connections (#4800) (4cb2b87)
• NODE-7122: exponential backoff between retries in convenient transaction API (#4765) (e70fdc9)
• NODE-7304: remove usages in src of promisify (#4799) (761b9bf)
• NODE-7306: Replace global process with import node:process (#4820) (cc503cb)
• NODE-7310: Replace process.arch with os.arch() (#4823) (f0af829)
• NODE-7311: Replace process.platform with os.platform() (#4822) (c58ca1f)
• NODE-7317: use BSON.NumberUtils to determine endianness (#4808) (4e9467e)
• NODE-7319: update allowed hosts list with *.mongo.com (#4802) (bfb7160)
• NODE-7330: deprecate RenameCollectionOptions.new_collection (#4815) (a96fa26)
• NODE-7333: add support for deprioritized servers to all topologies (#4821) (a4211e7)

Bug Fixes

• NODE-7290: use valueof for error code check (#4791) (1cc3d1c)
• NODE-7298: ensure commonWireVersion is computed from server maxWireVersion (#4805) (2b2366d)
• NODE-7307: Replace node:process.hrtime() with performance.now() (#4816) (ae2e037)
• NODE-7308: replace process.nextTick with queueMicrotask (#4817) (b1b6e81)

7.0.0 (2025-11-06)

... (truncated)

Commits

• 7e53685 chore(main): release 7.2.0 (#4861)
• dbdd932 test(NODE-7540): run BSON compability tests against server version 8.0 (#4923)
• fb70658 test(NODE-7538): ignore unknown fields in listIndexes (#4922)
• affc3f9 docs: generate docs from latest main [skip-ci] (#4863)
• 2cc7983 feat(NODE-7491): finalize client backpressure implementation for phase 1 roll...
• 16a899d fix(NODE-7430): throw timeout error when withTransaction retries exceed dea...
• 1fc0e09 test(NODE-7513): relax regression test for emptyGetMore (#4916)
• 01eb278 ci: exclude spec files from copilot review (#4919)
• 1cf791f test(NODE-7508): Fix inconsistent wording for prose retryable writes test 6, ...
• f36b754 fix(NODE-7478): OIDC host allowlist fix (#4905)
• Additional commits viewable in compare view

Updates mongoose from 9.3.3 to 9.6.2

Release notes

Sourced from mongoose's releases.

9.6.2 / 2026-05-08

• fix(document): correctly handle modified subpaths when parent path is unset after modifying #16271 #16252
• types: handle compiling with exactOptionalPropertyTypes #16277 #16273
• chore: align Node version docs and types #16270 AbdelrahmanHafez

9.6.1 / 2026-04-29

• types(objectid): fix _id getter helper on ObjectId #16251 noseworthy

9.6.0 / 2026-04-28

• feat: upgrade mongodb node driver to 7.2 #16245
• feat(schematype): support allowNull option to disallow null values even if not required #16237 #15905
• types(query): make QueryFilter respect string unions and enums #16242 #16240
• types: export Projector and ArrayProjectionOperators #16243 #16235

9.5.0 / 2026-04-20

• feat(debug): add timestamp option to debug output #16216 rejunp
• feat(query): add cloneUpdate option to explicitly disable update cloning #16230 #16202
• feat(query): extend defaults query option to find() #16226 sderrow
• fix(query): avoid cloning update until absolutely necessary to better support updates with __proto__ #16230 #16202
• fix(query): avoid treating documents with a $set() method as objects with a $set property when casting updates #16230
• fix(queryHelpers): pass default options to discriminators #16227 #16226
• fix(document): handle including and excluding nested paths with optimistic concurrency #16177 #16054
• fix(model): throw ObjectParameterError in insertOne() if doc is not an object #16221 IshitaSingh0822
• fix(cast): preserve reason in CastError message after setModel() #16167 White-Devil2839
• perf(model): remove unnecessary clone in findOneAndUpdate() #16230
• perf: use kareem 3.3.0 mongoosejs/kareem#45 #16229
• chore: use TSTyche assertions #16222 mrazauskas

9.4.1 / 2026-04-03

• Revert "fix(setDefaultsOnInsert): run setters on default values during upsert" #16218 #16051

9.4.0 / 2026-04-03

• perf(document+model): avoid parallel save error instantiation, simplify resetting atomics, streamline validation and collection handling
• feat(document): add $getChanges() alias, deprecate getChanges() #15959 techcodie
• fix(schema): support toJSONSchema on unions #16179
• fix(schema): implement validation for Union schemas and subdocuments techcodie
• fix(connection): snapshot Date in heartbeat handler and flush queue on recovery #16183 andreialecu
• fix(model): use duck-typing with version check to validate the argument to useConnection() is actually a connection #16098
• fix(setDefaultsOnInsert): run setters on default values during upsert #16051 mahmoodhamdi
• fix(utils): properly compare Set objects in deepEqual KhanjarSingh
• fix(utils): wrap discriminator merge check in parentheses to fix precedence Necro-Rohan
• fix(schema): correct template literal in encryptionType error message Mridul012
• fix(schema): correct error when unsupported query operator with number #16062
• fix(types): make MergeType and UnpackedIntersection distributive over union types techcodie

... (truncated)

Changelog

Sourced from mongoose's changelog.

9.6.2 / 2026-05-08

• fix(document): correctly handle modified subpaths when parent path is unset after modifying #16271 #16252
• types: handle compiling with exactOptionalPropertyTypes #16277 #16273
• chore: align Node version docs and types #16270 AbdelrahmanHafez

9.6.1 / 2026-04-29

• types(objectid): fix _id getter helper on ObjectId #16251 noseworthy

9.6.0 / 2026-04-28

• feat: upgrade mongodb node driver to 7.2 #16245
• feat(schematype): support allowNull option to disallow null values even if not required #16237 #15905
• types(query): make QueryFilter respect string unions and enums #16242 #16240
• types: export Projector and ArrayProjectionOperators #16243 #16235

8.23.1 / 2026-04-23

• fix(model): support sort option in Model.bulkWrite() updateOne and replaceOne operations #16091 #16079
• fix(setDefaultsOnInsert): check child filter paths before applying defaults (backport #16031 to 8.x) #16219 marklai1998
• fix(schema): always pass raw string value to error validators, only trim to 30 chars for maxlength validator #16238 #16236 #15550 #15571

9.5.0 / 2026-04-20

• feat(debug): add timestamp option to debug output #16216 rejunp
• feat(query): add cloneUpdate option to explicitly disable update cloning #16230 #16202
• feat(query): extend defaults query option to find() #16226 sderrow
• fix(query): avoid cloning update until absolutely necessary to better support updates with __proto__ #16230 #16202
• fix(query): avoid treating documents with a $set() method as objects with a $set property when casting updates #16230
• fix(queryHelpers): pass default options to discriminators #16227 #16226
• fix(document): handle including and excluding nested paths with optimistic concurrency #16177 #16054
• fix(model): throw ObjectParameterError in insertOne() if doc is not an object #16221 IshitaSingh0822
• fix(cast): preserve reason in CastError message after setModel() #16167 White-Devil2839
• perf(model): remove unnecessary clone in findOneAndUpdate() #16230
• perf: use kareem 3.3.0 mongoosejs/kareem#45 #16229
• chore: use TSTyche assertions #16222 mrazauskas

9.4.1 / 2026-04-03

• Revert "fix(setDefaultsOnInsert): run setters on default values during upsert" #16218 #16051

9.4.0 / 2026-04-03

• perf(document+model): avoid parallel save error instantiation, simplify resetting atomics, streamline validation and collection handling
• feat(document): add $getChanges() alias, deprecate getChanges() #15959 techcodie
• fix(schema): support toJSONSchema on unions #16179
• fix(schema): implement validation for Union schemas and subdocuments techcodie
• fix(connection): snapshot Date in heartbeat handler and flush queue on recovery #16183 andreialecu
• fix(model): use duck-typing with version check to validate the argument to useConnection() is actually a connection #16098

... (truncated)

Commits

• 45230cc chore: release 9.6.2
• ccac981 Merge pull request #16277 from Automattic/vkarpov15/gh-16273
• a917973 types: handle compiling with exactOptionalPropertyTypes
• 2b7bb96 Merge pull request #16271 from Automattic/vkarpov15/gh-16252
• ca7f2a0 new affiliate links
• aa9a2e3 Merge branch 'master' into vkarpov15/affiliate
• 5f86a12 Merge pull request #16232 from Automattic/vkarpov15/website-relayout
• 378f90b increment latest release numbers
• bef3027 color cleanup and minor fixes from review
• 70f0699 use Mongoose red for links
• Additional commits viewable in compare view

Updates swagger-jsdoc from 6.2.8 to 6.3.0

Release notes

Sourced from swagger-jsdoc's releases.

v6.3.0

What's Changed

• Fix/extract annotations error handling by @​nejclovrencic in Surnet/swagger-jsdoc#363
• fix: Update Glob to fix memory leak issue from inflight by @​mkonikov in Surnet/swagger-jsdoc#430
• chore(deps): bump @​babel/helpers from 7.18.9 to 7.28.4 in /docusaurus by @​dependabot[bot] in Surnet/swagger-jsdoc#433
• chore(deps): bump @​babel/runtime from 7.18.9 to 7.28.4 in /docusaurus by @​dependabot[bot] in Surnet/swagger-jsdoc#434
• fix: replace mikeal/merge-release with direct npm publish, update actions to v5 by @​mkonikov in Surnet/swagger-jsdoc#448
• Fix security vulnerabilities by @​jpage-godaddy in Surnet/swagger-jsdoc#425

New Contributors

• @​nejclovrencic made their first contribution in Surnet/swagger-jsdoc#363
• @​mkonikov made their first contribution in Surnet/swagger-jsdoc#430
• @​jpage-godaddy made their first contribution in Surnet/swagger-jsdoc#425

Full Changelog: Surnet/swagger-jsdoc@v6.2.8...v6.3.0

Commits

• 04cbcb6 Version Bump
• a761cf7 Fix security vulnerabilities (#425)
• cb90faf fix: replace mikeal/merge-release with direct npm publish, update actions to ...
• 3ebd8d2 chore(deps): bump @​babel/runtime from 7.18.9 to 7.28.4 in /docusaurus (#434)
• 51f408d chore(deps): bump @​babel/helpers from 7.18.9 to 7.28.4 in /docusaurus (#433)
• 3778b42 fix: Update Glob to fix memory leak issue from inflight (#430)
• 2325600 Merge pull request #363 from nejclovrencic/fix/extract-annotations-error-hand...
• f92ee06 Update express and body-parser to fix qs vulnerability
• fc52de9 Update yarn.lock
• af64d34 Add try catch to build function for loop
• Additional commits viewable in compare view

Updates zod from 4.3.6 to 4.4.3

Release notes

Sourced from zod's releases.

v4.4.3

Commits:

• 4c2fa95ce3f3390fbc522324e406b4e9e89b88f9 docs: use Zernio primary wordmark for gold sponsor logo
• 2aeec83eb135e3a83756e973ef44845fc5a455d2 docs: prune lapsed gold sponsors and rebalance logo sizing
• 7391be88ac1ee5cd02057f5ccc012a1f5df4efd0 docs: prune lapsed silver/bronze sponsors and add active ones
• 2c703322a21b4e2b12f33f49ea8430c451a68b4f docs: normalize bronze sponsor logos to github avatar pattern
• 9195250cab0e7950efe39c3926d6c203b4b0a170 docs: remove Mintlify from bronze sponsors (churned)
• b8dffe9e62f17e6571e6249d05cc5102b54d94e4 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 1cab69383fcdeae2a366d5e2a2fc4d8fc765d168 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• c2be4f819064eed62c7c350a2d399b5faecd15f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)
• f3c9ec03ba7a28ae72d25cc295f38674bee0f559 4.4.3
• 1fb56a5c18c27102dbc92260a4007c7732a0ccca docs: document release procedure in AGENTS.md

v4.4.2

Commits:

• 0c62df0ea19fd05abdf90473e9eef7eea530fab2 Clean up docs navigation and stale labels (#5901)
• 20cc794895cc8604fe0c87d83a5d1c3f89fad0ac chore: add security policy and refresh tooling deps
• 6fbe07b0177efdd1bf1c0b05160e70d7a0702337 fix(docs): heading anchor links now include the hash so it doesnt scoll all the way up, follows navbar logic (#5791)
• 4bbed1b1c73eca4ce9e59b1189ed236aa6c8b5bd Tighten discriminated union option typing
• bbac3e567e7fccfaaf7cdc97f1ce30c295e2c908 Update PR guidance for agents
• cf0dc942a32805c292fff59ade20a7ace980735a Merge remote-tracking branch 'origin/main' into fix-discriminated-union-key-constraint
• 292c894a5fd2aa42e527900b83d8d7a3009a709c docs: add Zernio gold sponsor
• 1fc9f311c28dcf80d0bb5a36b177086cbc3d8eca docs: document codec inversion
• 1373c85da9aeff704a9762d27bc58699618aefb7 docs: remove AI disclosure guidance
• e20d02b473c08e3a4e557bc610b1b5fac079b649 chore: ignore triage notes
• e58ea4d91b1dfe8194b73508203213cbc7e9c936 docs: test Zod Mini tab code heights
• 905761a5d127e8d5dd2ebb3bc88c75cb0b8149ff docs: document preprocess input type narrowing
• bf64bac850d4dee2b7dde7e64909d5d796d32043 chore: tighten test guidance in AGENTS.md
• 8ec4e73f4c4693b6361ad591be40fb41eb8a9f95 chore: update play.ts scratch
• 02c2baf7d0d615872fa4528a8020603b71211702 Make z.preprocess defer optionality to inner schema (#5929)
• 88015df8e25c44fb5385eb3ef28935119cd5edea fix(docs): drop deprecated baseUrl from tsconfig
• c59d4474e3b4cad1b323462186cf607178ce8267 4.4.2

v4.4.1

Commits:

• 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
• 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
• cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
• edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
• 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

... (truncated)

Commits

• 1fb56a5 docs: document release procedure in AGENTS.md
• f3c9ec0 4.4.3
• c2be4f8 fix(v4): generalize optin/fallback to transform; restore preprocess on absent...
• 1cab693 fix(v4): restore catch handling for absent object keys (#5937) (#5939)
• b8dffe9 docs: remove Numeric and Speakeasy (2+ missed monthly cycles)
• 9195250 docs: remove Mintlify from bronze sponsors (churned)
• 2c70332 docs: normalize bronze sponsor logos to github avatar pattern
• 7391be8 docs: prune lapsed silver/bronze sponsors and add active ones
• 2aeec83 docs: prune lapsed gold sponsors and rebalance logo sizing
• 4c2fa95 docs: use Zernio primary wordmark for gold sponsor logo
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.