chore(deps): bump undici, jsonld, @rdfjs/serializer-jsonld-ext and release-it

[dependabot]

Bumps undici to 6.25.0 and updates ancestor dependencies undici, jsonld, @rdfjs/serializer-jsonld-ext and release-it. These dependencies need to be updated together.

Updates undici from 5.29.0 to 6.25.0

Release notes

Sourced from undici's releases.

v6.25.0

What's Changed

Full Changelog: nodejs/undici@v6.24.1...v6.25.0

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

... (truncated)

Commits

• 3420499 Bumped v6.25.0 (#5029)
• d7a1e55 feat: add configurable maxPayloadSize for WebSocket (#4955)
• a9d1848 Do not mark v6.x releases as latest
• 0126586 Ignore local agent configuration files
• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates jsonld from 8.3.3 to 9.0.0

Changelog

Sourced from jsonld's changelog.

9.0.0 - 2025-11-20

Added

• Add minimal support for React Native.
  • Add react-native section to package.json.
  • Add instructions to README.md.

Changed

• BREAKING: Drop support for Node.js < 18.
• BREAKING: Upgrade dependencies.
  • @digitalbazaar/http-client@4.
  • canonicalize@2.
  • rdf-canonize@5: See the [rdf-canonize][] 4.x and 5.x changelog for important changes and upgrade notes. Of note:
    • The URDNA2015 default algorithm has been changed to RDFC-1.0 from [rdf-canon][].
    • Complexity control defaults maxWorkFactor or maxDeepIterations may need to be adjusted to process graphs with certain blank node constructs.
    • A signal option is available to use an AbortSignal to limit resource usage.
    • The internal digest algorithm can be changed.
    • Support for [rdf-canonize-native][] was removed.
• BREAKING: Only the JavaScript implementation of [rdf-canon][] from [rdf-canonize][] is supported. The API here can be updated to allow implementation switching if support for native or other [rdf-canon][] implementations is needed.
• Update development dependencies.
• Update karma testing.
  • Remove older fixes in favor of more default behavior.
• Update bundle build.
  • Use newer corejs version.
  • Build with modern browserslist defaults and no IE support.
  • Support for older browsers requires a custom build.
• Refactor test framework.
  • Test runtime loads test files from a web server.
  • Allows testing of manifests on remote web servers.
  • Trading off some performance to align node and browser testing.
  • Moves some test setup code into config data and manifest.

Fixed

• Fix fromRdf#t0027 and useNativeTypes handling.

Removed

• BREAKING: Remove application/nquads alias for application/n-quads.

Commits

• 27a2b81 Release 9.0.0.
• 0a7f6da Update changelog.
• 44ed43a Fix codespell issues.
• 8793d07 Add fix to changelog.
• ded42f7 Add minimal support for React Native.
• f2d39a1 Update workflow.
• 84b1b33 Use rdf-canonize@5.
• ae1d6db Update dev dependencies.
• d31aa17 Fix useNativeTypes handling.
• 5e4dcbe Fix conditional.
• Additional commits viewable in compare view

Updates @rdfjs/serializer-jsonld-ext from 4.0.0 to 4.0.2

Commits

• e804ce3 4.0.2
• f628c57 Merge pull request #19 from rdfjs-base/dependabot/npm_and_yarn/jsonld-9.0.0
• b7d9fab Merge pull request #18 from rdfjs-base/dependabot/github_actions/actions/chec...
• 5517316 Bump jsonld from 8.3.3 to 9.0.0
• d406194 Bump actions/checkout from 5 to 6
• 897b40a Merge pull request #17 from rdfjs-base/dependabot/github_actions/actions/setu...
• 90a1710 Bump actions/setup-node from 5 to 6
• fc0148e Merge pull request #16 from rdfjs-base/dependabot/github_actions/actions/setu...
• c0a48c9 Bump actions/setup-node from 4 to 5
• 7cd9a4b Merge pull request #15 from rdfjs-base/dependabot/github_actions/actions/chec...
• Additional commits viewable in compare view

Updates release-it from 18.1.2 to 20.0.0

Release notes

Sourced from release-it's releases.

Release 20.0.0

• fix: remove leading slashes from owner (#1288) (5585b720e9389fa857ba50f86161245ccb3b9589) - thanks @​driiftkiing!
• Fix write: false guard in npm.bump (resolve #1267) (a2d1b99bfe52fff1b6768f904cae5c4aaa78cfb1)
• Format (f427a85758999073a5ea4f666c6ddb4cd5586d61)

Release 20.0.0-1

• Fix test (56cae4cd441e00a58d3d91fbc15b1503d423a775)
• Update changelog & docs for v20 (509e50b043003f8adf3f347af949819e2954b639)
• Improve guessPreReleaseTag → getRegistryDistTags (a62509e6c7374e3d6898b17ae9ec8c365296fe64)

Release 20.0.0-0

• fix: upgrade undici from 6.23.0 to 7.24.3 to resolve security vulnerabilities (#1285) (cd100eb1368d084f5892a9a2bbad0c14d511125e) - thanks @​nbouvrette!
• Fix Logger.info() on Node.js 25 (#1284) (dcc0b43fc6bb693b3ec176cd8d77bbb40f454164) - thanks @​bidord!
• Update proxy-agent to fix DEP0169 (#1287) (c660ef5f34536988abd203807f53ec3ea5c1c742) - thanks @​risantos!
• Update dependencies (9dc313e29e617af912ace05a5aaa5cc34fdf35a3)
• Fix lint issues (a0522ff8777fc6877bf03f5f441e33561c9dc25b)
• Bump engines.node (5654b9badae6dd08a3d654772d2f280f6b1d84c3)
• Don't roll back if isReleased is set (resolve #1281) (f2a31231f587cb4809415f4eae81a99617177341)
• Fix if not running test using npm (332f40536ec32bbd816f9872bb89bc864ee66136)
• Migrate to @​inquirer/prompts (resolve #1260) (6c21e95c9188e88d41bb30840672cbd5fe99f5b6)
• Pop it (c90c4c97e11da8f90b398f045e5337f8ec5e0439)

Release 19.2.4

• chore: update dependencies to resolve security vulnerabilities (#1273) (b45dd1aa3749d74ce279600dea242cb3c9dd5e8d) - thanks @​Yeom-JinHo!
• Update a few dev deps (cd8acdc8fdb50cf60ba45e8bd5128c4669a04f00)

Release 19.2.3

• Reuse generated changelog (316dbfa458d670fc92d2da7fe7298ad90f44dc68)
• Remove obsolete eslint compat packages/config (f6cc8f3622995ebe98c43a8a5adb8d62b2de70b8)
• Update remark-preset-webpro and fix broken links (6e6dd4b893bd53a621ea2bee9ad48d5fa42f6279)

Release 19.2.2

• Improve getChangelog method (7a56364997d8ca4a640251bc9be37ed7cbf8568c)

Release 19.2.1

• Improve commit prompt (b7aca7c159b3d34fe45f6fb722bb5f664c4bae9a)
• Remedy potential edge case in template helper (5c0a6eeeddf7ed1ce0e4cfcffc1c2c72ab63a01b)

Release 19.2.0

• Add option to exit gracefully (e1f825dce259118401f17c1d9de0002233e21e67)
• Update dependencies (424c9f6c1d9681f4e4a3a37552dd2a99a750a3d2)
• Auto-format docs (06f41bbb4b0cbb59ef39a6bd426ee9034b6f396e)
• fix: add shell mode for npm commands on windows (#1266) (382e3464095628c23ef9c85c363933f3bf1db09e) - thanks @​julienbenac!
• Feat: Add publishPackageManager config option in NPM plugin to allow using different package manager for publishing (e.g. Bun) (#1169) (0dafc0b72159931f088e7232da6c34f0f1e8b06f) - thanks @​chrispader!
• Only use --workspaces=false with npm (12bb89ccaacdc2cbc0ba231f93d7bd389241d6a4)
• Fix up docs/types a bit (05a59863648a0b4ce9186b65cd21225a8421e181)
• Format (c9d6ebf0415d264e42945f967baae845401d016b)

Release 19.1.0

• Ignore .npmrc (8ccd060)

... (truncated)

Changelog

Sourced from release-it's changelog.

Changelog

This document lists breaking changes for each major release.

See the GitHub Releases page for detailed changelogs: [https://github.com/release-it/release-it/releases][1]

v20 (2026-03-24)

• Upgraded undici from v6 to v7 to resolve security vulnerabilities.
• Upgraded proxy-agent from v6 to v7 to fix DEP0169 (url.parse() deprecation).
• Migrated from deprecated inquirer to @inquirer/prompts.
• Bumped engines.node to minimum Node.js v20.19.0 (was v20.12.0).

v19 (2025-04-18)

• No breaking changes (dependency party)

v18 (2025-01-06)

• Removed support for Node.js v18.

v17 (2023-11-11)

• Removed support for Node.js v16.

v16 (2023-07-05)

• Removed support for Node.js v14.

v15 (2022-04-30)

• Removed support for Node.js v10 and v12.
• Removed support for GitLab v12.4 and lower.
• Removed anonymous metrics (and the option to disable it).
• Programmatic usage and plugins only through ES Module syntax (import)

Use release-it v14 in legacy environments.

v14 (2020-09-03)

• Removed global property from plugins. Use this.config[key] instead.
• Removed deprecated npm.access option. Set this in package.json instead.

v13 (2020-03-07)

• Dropped support for Node v8
• Dropped support for GitLab v11.6 and lower.
• Deprecated scripts are removed (in favor of [hooks][2]).
• Removed deprecated --non-interactive (-n) argument. Use --ci instead.
• Removed old %s and [REV_RANGE] syntax in command substitutions. Use ${version} and ${latestTag} instead.

... (truncated)

Commits

• c03780d Release 20.0.0
• f427a85 Format
• a2d1b99 Fix write: false guard in npm.bump (resolve #1267)
• 5585b72 fix: remove leading slashes from owner (#1288)
• 5a36283 Release 20.0.0-1
• a62509e Improve guessPreReleaseTag → getRegistryDistTags
• 509e50b Update changelog & docs for v20
• 56cae4c Fix test
• 12e33f5 Release 20.0.0-0
• c90c4c9 Pop it
• Additional commits viewable in compare view

[alexcos20]

@dependabot rebase