Bump the npm_and_yarn group across 8 directories with 5 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: axios and uuid.
Bumps the npm_and_yarn group with 2 updates in the /examples/nodejs-example directory: axios and protobufjs.
Bumps the npm_and_yarn group with 2 updates in the /examples/react-native-example directory: protobufjs and tmp.
Bumps the npm_and_yarn group with 3 updates in the /examples/web-example directory: axios, protobufjs and liquidjs.
Bumps the npm_and_yarn group with 2 updates in the /examples/webview-server directory: axios and protobufjs.
Bumps the npm_and_yarn group with 1 update in the /packages/data-store directory: uuid.
Bumps the npm_and_yarn group with 1 update in the /packages/dids directory: uuid.
Bumps the npm_and_yarn group with 2 updates in the /packages/wasm directory: axios and uuid.

Updates axios from 0.25.0 to 0.32.0

Release notes

Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

• Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

• Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
• Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
• FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
• Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20 → +) unchanged. (#10737)
• Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

• CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

... (truncated)

Commits

• 8db2d44 chore: bump version to v0.32.0 (#10840)
• 2af6116 chore: backport fixes from the v1x branch (#10838)
• a589dc5 chore: bump version to v0.31.1 (#10766)
• b0c632f fix: backport security issues (#10764)
• b52187f fix: harden config merging (#10752)
• e3ddeb4 fix: header security issues (#10750)
• f4f2d76 chore: stop committing dist/ and remove bower (#10747)
• 1f2f644 chore: add CODEOWNERS (#10740)
• 44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
• 4c4f07f fix: form data recursion (#10728)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates uuid from 8.3.2 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

• rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

v12.0.1

12.0.1 (2026-04-29)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@20+) (#935)
• drop node@18 support (#934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

• update to typescript@5.2 (#887)
• remove CommonJS support (#886)
• drop node@16 support (#883)

Features

• add node@24 to ci matrix (#879) (42b6178)
• drop node@16 support (#883) (0f38cf1)
• remove CommonJS support (#886) (ae786e2)
• update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

• improve v4() performance (#894) (5fd974c)
• restore node: prefix (#889) (e1f42a3)

11.1.0 (2025-02-19)

... (truncated)

Commits

• 7c1ea08 chore(main): release 14.0.0 (#926)
• 3d2c5b0 Merge commit from fork
• f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
• 529ef08 chore: upgrade TypeScript and fixup types (#927)
• 086fd79 chore: update dependencies (#933)
• dc4ddb8 feat!: drop node@18 support (#934)
• 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
• e2879e6 chore: use maintained version of npm-run-all (#930)
• ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
• 0423d49 docs: remove obsolete v1 option notes (#915)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates axios from 1.12.2 to 1.16.0

Release notes

Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

• Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

• Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
• Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
• FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
• Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20 → +) unchanged. (#10737)
• Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

• CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

... (truncated)

Commits

• 8db2d44 chore: bump version to v0.32.0 (#10840)
• 2af6116 chore: backport fixes from the v1x branch (#10838)
• a589dc5 chore: bump version to v0.31.1 (#10766)
• b0c632f fix: backport security issues (#10764)
• b52187f fix: harden config merging (#10752)
• e3ddeb4 fix: header security issues (#10750)
• f4f2d76 chore: stop committing dist/ and remove bower (#10747)
• 1f2f644 chore: add CODEOWNERS (#10740)
• 44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
• 4c4f07f fix: form data recursion (#10728)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Updates uuid from 7.0.3 to 8.3.2

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

• rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

v12.0.1

12.0.1 (2026-04-29)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@20+) (#935)
• drop node@18 support (#934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

• update to typescript@5.2 (#887)
• remove CommonJS support (#886)
• drop node@16 support (#883)

Features

• add node@24 to ci matrix (#879) (42b6178)
• drop node@16 support (#883) (0f38cf1)
• remove CommonJS support (#886) (ae786e2)
• update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

• improve v4() performance (#894) (5fd974c)
• restore node: prefix (#889) (e1f42a3)

11.1.0 (2025-02-19)

... (truncated)

Commits

• 7c1ea08 chore(main): release 14.0.0 (#926)
• 3d2c5b0 Merge commit from fork
• f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
• 529ef08 chore: upgrade TypeScript and fixup types (#927)
• 086fd79 chore: update dependencies (#933)
• dc4ddb8 feat!: drop node@18 support (#934)
• 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
• e2879e6 chore: use maintained version of npm-run-all (#930)
• ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
• 0423d49 docs: remove obsolete v1 option notes (#915)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates protobufjs from 7.5.4 to 8.6.2

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.6.2

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

protobufjs: v8.6.1

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

protobufjs: v8.6.0

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

protobufjs: v8.5.0

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)
• Expose RPC metadata on service methods (#2286) (711a279)

Bug Fixes

• cli: Consistently handle derived names (#2293) (9e80030)
• Consistently reject null message argument in fromObject (#2287) (0f6178d)
• Prefer nested type resolution over global fallback (#2288) (4b4c703)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)
• Expose RPC metadata on service methods (#2286) (711a279)

Bug Fixes

• cli: Consistently handle derived names (#2293) (9e80030)
• Consistently reject null message argument in fromObject (#2287) (0f6178d)
• Prefer nested type resolution over global fallback (#2288) (4b4c703)

8.4.2 (2026-05-22)

... (truncated)

Commits

• 41d3517 chore: release master (#2316)
• bf12d56 fix: Discard unknown fields by default (#2310)
• 6b57a8a chore: release master (#2309)
• b38748d fix(cli): Preserve indentation in multiline declarations (#2307)
• a3b8dc7 fix: Preserve descriptor metadata needed by protoc-gen-pbjs (#2308)
• 87ff02f fix(cli): Consistently wait for pbts output before JSDoc exit (#2306)
• cc42616 fix: Remove inquire submodule (#2305)
• 8631d9b chore: release master (#2301)
• 29f7c96 fix(cli): Vendor patched Catharsis for pbts (#2304)
• ce013ab fix: Avoid name collisions in generated code (#2302)
• Additional commits viewable in compare view

Updates protobufjs from 6.11.4 to 6.11.6

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.6.2

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

protobufjs: v8.6.1

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

protobufjs: v8.6.0

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

protobufjs: v8.5.0

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)
• Expose RPC metadata on service methods (#2286) (711a279)

Bug Fixes

• cli: Consistently handle derived names (#2293) (9e80030)
• Consistently reject null message argument in fromObject (#2287) (0f6178d)
• Prefer nested type resolution over global fallback (#2288) (4b4c703)

... (truncated)

Changelog

Sourced from protobufjs's changelog.

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

8.6.1 (2026-06-07)

Bug Fixes

• cli: Consistently wait for pbts output before JSDoc exit (#2306) (87ff02f)
• cli: Preserve indentation in multiline declarations (#2307) (b38748d)
• Preserve descriptor metadata needed by protoc-gen-pbjs (#2308) (a3b8dc7)
• Remove inquire submodule (#2305) (cc42616)

8.6.0 (2026-06-04)

Features

• Add spec-compliant protojson extension (#2297) (ffd3d51)

Bug Fixes

• Avoid name collisions in generated code (#2302) (ce013ab)
• cli: Vendor patched Catharsis for pbts (#2304) (29f7c96)
• Remove postinstall script (#2299) (b8ed7be)
• Support null-prototype plain objects in converters (#2300) (bf20d84)

8.5.0 (2026-05-29)

Features

• Add option to discard unknown fields (#2289) (f8c489b)
• Expose RPC metadata on service methods (#2286) (711a279)

Bug Fixes

• cli: Consistently handle derived names (#2293) (9e80030)
• Consistently reject null message argument in fromObject (#2287) (0f6178d)
• Prefer nested type resolution over global fallback (#2288) (4b4c703)

8.4.2 (2026-05-22)

... (truncated)

Commits

• 41d3517 chore: release master (#2316)
• bf12d56 fix: Discard unknown fields by default (#2310)
• 6b57a8a chore: release master (#2309)
• b38748d fix(cli): Preserve indentation in multiline declarations (#2307)
• a3b8dc7 fix: Preserve descriptor metadata needed by protoc-gen-pbjs (#2308)
• 87ff02f fix(cli): Consistently wait for pbts output before JSDoc exit (#2306)
• cc42616 fix: Remove inquire submodule (#2305)
• 8631d9b chore: release master (#2301)
• 29f7c96 fix(cli): Vendor patched Catharsis for pbts (#2304)
• ce013ab fix: Avoid name collisions in generated code (#2302)
• Additional commits viewable in compare view

Updates protobufjs from 8.0.0 to 8.6.2

Release notes

Sourced from protobufjs's releases.

protobufjs: v8.6.2

8.6.2 (2026-06-09)

Bug Fixes

• Discard unknown fields by default (#2310) (bf12d56)

protobufjs: v8.6.1