Bump the prod-minor-updates group across 1 directory with 7 updates

[dependabot]

Bumps the prod-minor-updates group with 7 updates in the /backend directory:

Package	From	To
better-sqlite3	12.6.2	12.8.0
knex	3.1.0	3.2.9
liquidjs	10.24.0	10.25.3
lodash	4.17.23	4.18.1
mysql2	3.18.2	3.20.0
otplib	13.3.0	13.4.0
pg	8.19.0	8.20.0

Updates better-sqlite3 from 12.6.2 to 12.8.0

Release notes

Sourced from better-sqlite3's releases.

v12.8.0

What's Changed

• Readme: requires Node.js v20 or later by @​Prinzhorn in WiseLibs/better-sqlite3#1443
• Update SQLite to version 3.51.3 in WiseLibs/better-sqlite3#1460
• fix: use HolderV2() for PropertyCallbackInfo on V8 >= 12.5 by @​tstone-1 in WiseLibs/better-sqlite3#1459

New Contributors

• @​tstone-1 made their first contribution in WiseLibs/better-sqlite3#1459

Why SQLite v3.51.3 instead of v3.52.0

From the SQLite team:

Some important issues have been found with version 3.52.0. In order to give us time to deal with those issues, we plan to withdraw the 3.52.0 release. In its place, we will put up a new 3.51.3 patch release that includes a fix for the recently discovered WAL-reset bug as well as other patches. This will happen probably within about the next twelve hours.

Hence, if you were planning to upgrade to 3.52.0 tomorrow (Friday, 2026-03-14), perhaps it would be better to wait a day or so for 3.51.3.

At some point we will do version 3.52.1 which will hopefully resolve the issues that have arisen with the 3.52.0 release.

Full Changelog: WiseLibs/better-sqlite3@v12.7.1...v12.8.0

v12.7.1

Also not a viable release

The V8 API change was more bonkers than expected. See v12.8.0.

What's Changed

• fix: use Holder() instead of This() for Electron 41 compatibility by @​mceachen in WiseLibs/better-sqlite3#1456
• Roll back to SQLite to version 3.51.2 in WiseLibs/better-sqlite3#1457

Full Changelog: WiseLibs/better-sqlite3@v12.7.0...v12.7.1

v12.7.0

CAUTION: NOT A VIABLE RELEASE

Two (!!) reasons:

1. Electron v41 bit us and removed functions we were using, so a bunch of prebuilds are missing
2. From the SQLite team:

   Some important issues have been found with version 3.52.0. In order to give us time to deal with those issues, we plan to withdraw the 3.52.0 release. In its place, we will put up a new 3.51.3 patch release that includes a fix for the recently discovered WAL-reset bug as well as other patches. This will happen probably within about the next twelve hours.

What's Changed

• chore(build.yml): update Electron version support to include v41 by @​mceachen in WiseLibs/better-sqlite3#1452
• Fix Node v25 test errors by @​m4heshd in WiseLibs/better-sqlite3#1454
• Update SQLite to version 3.52.0 in WiseLibs/better-sqlite3#1449
• Revert "Fix Node v25 test errors" by @​mceachen in WiseLibs/better-sqlite3#1455

Full Changelog: WiseLibs/better-sqlite3@v12.6.2...v12.7.0

... (truncated)

Commits

• fe774f5 12.8.0
• 8617ed6 fix: use HolderV2() for PropertyCallbackInfo on V8 >= 12.5 (#1459)
• 959a018 Update SQLite to version 3.51.3 (#1460)
• 43729c0 Readme: requires Node.js v20 or later (#1443)
• 27dc751 12.7.1
• db1119c Update SQLite to version 3.51.2 (#1457)
• d2c4815 fix: use Holder() instead of This() for Electron 41 compatibility (#1456)
• ef9ffce 12.7.0
• 3be46ff Revert "Fix Node v25 test errors" (#1455)
• f3a44a4 Update SQLite to version 3.52.0 (#1449)
• Additional commits viewable in compare view

Updates knex from 3.1.0 to 3.2.9

Release notes

Sourced from knex's releases.

3.2.9

What's Changed

• fix(sqlite): append RETURNING statement when insert empty row by @​ylc395 in knex/knex#5471
• fix(postgres): escape double quotes in searchPath to prevent SQL injection by @​OlivierCavadenti in knex/knex#6411
• fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't by @​erulabs in knex/knex#6429
• fix: add type support for Array which is supported in code but not in types. Add test to cover as well by @​erulabs in knex/knex#6428

New Contributors

• @​ylc395 made their first contribution in knex/knex#5471
• @​erulabs made their first contribution in knex/knex#6429

Full Changelog: knex/knex@3.2.8...3.2.9

3.2.8

What's Changed

• fix: TS types for update with subquery by @​tgriesser in knex/knex#6419
• fix: revert exports map added in #6227 by @​tgriesser in knex/knex#6422

Full Changelog: knex/knex@3.2.7...3.2.8

3.2.7

What's Changed

• chore: omit ./scripts from published package by @​myndzi in knex/knex#6356
• fix: handle lowercase INFORMATION_SCHEMA keys in MySQL renameColumn by @​OlivierCavadenti in knex/knex#6407
• fix: sqlite DDL operations failing inside transactions #6402 by @​tgriesser in knex/knex#6408
• fix: correct binding order in delete with subquery join by @​OlivierCavadenti in knex/knex#6412
• docs: add link for the knex-ibmi dialect by @​bskimball in knex/knex#6359
• chore: add codecov by @​tgriesser in knex/knex#6416
• chore: add dockerhub credentials to prevent CI rate limiting by @​tgriesser in knex/knex#6418
• fix: remove __knexTxId from connection on release by @​joshAg in knex/knex#5288
• fix: clone config in client constructor by @​castarco in knex/knex#5633

New Contributors

• @​bskimball made their first contribution in knex/knex#6359
• @​joshAg made their first contribution in knex/knex#5288

Full Changelog: knex/knex@3.2.6...3.2.7

3.2.6

What's Changed

• Fix ESM types by @​kibertoad in knex/knex#6404
• fix ESM exports by @​kibertoad in knex/knex#6405
• fix: add type exports by @​tgriesser in knex/knex#6406

Full Changelog: knex/knex@3.2.3...3.2.6

3.2.3

What's Changed

... (truncated)

Changelog

Sourced from knex's changelog.

3.2.9 - 3 April, 2026

Bug fixes

• fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't #6429
• fix(postgres): escape double quotes in searchPath to prevent SQL injection #6411
• fix(sqlite): append RETURNING statement when insert empty row #5471
• fix: add type support for Array #6428

3.2.8 - 30 March, 2026

Bug fixes

• Reverts the breaking changes added in #6227. This means that the ESM import of Knex is reverted to import { knex } from 'knex/knex.mjs #6422
• fix(types): allow a QueryBuilder type as a value in an update #6419

3.2.7 - 27 March, 2026

Bug fixes

• fix sqlite DDL operations failing inside transactions #6408
• fix: handle lowercase INFORMATION_SCHEMA keys in MySQL renameColumn #6407
• fix: clone config in client constructor #5633
• fix: remove __knexTxId from transaction connection on release #5288
• fix: correct binding order in delete with subquery join #6412
• chore: omit ./scripts from published package #6356

3.2.6 - 24 March, 2026

Bug fixes

• Fix module exports #6406

3.2.5 - 23 March, 2026

Bug fixes

• Fix ESM exports #6405

3.2.4 - 23 March, 2026

Bug fixes

• Fix ESM type exports #6404

3.2.1 - 22 March, 2026

Bug fixes

• Fix subpath imports broken by exports field added in 3.2.0. Packages relying on deep imports (e.g. knex/lib/dialects/sqlite3/index) were blocked by the restrictive exports map

... (truncated)

Commits

• b3847cd release 3.2.9
• 59c8f5f fix: add type support for Array<Buffer> (#6428)
• d40095c fix: support DELETE... LIMIT in dialects that support it (mysql), but continu...
• 7ae8857 fix(postgres): escape double quotes in searchPath to prevent SQL injection (#...
• f44f75a fix(sqlite): append RETURNING statement when insert empty row (#5471)
• 8198fa6 release 3.2.8
• a077f37 chore: update changelog & release script
• 94185ae fix: revert exports map added in #6227 (#6422)
• e7f24c1 fix: TS types for update with subquery (#6419)
• 633b4a4 release 3.2.7
• Additional commits viewable in compare view

Updates liquidjs from 10.24.0 to 10.25.3

Release notes

Sourced from liquidjs's releases.

v10.25.3

10.25.3 (2026-04-06)

Bug Fixes

• precise memoryLimit for string replace (abc058b)
• use realpath for fs.contains (#867) (529dd67)

v10.25.2

10.25.2 (2026-03-25)

Bug Fixes

• handle undefined replacement argument in replace filter (#864) (0ad2b11)

v10.25.1

10.25.1 (2026-03-22)

Bug Fixes

• mem limiter for invalid ranges (95ddefc)
• treat args for replace_first as literal (35d5230)

v10.25.0

10.25.0 (2026-03-07)

Bug Fixes

• path traversal vulnerability, #851 (#855) (3cd024d)

Features

• export error types, resolving #837 (#840) (71aa1b1)

Changelog

Sourced from liquidjs's changelog.

10.25.3 (2026-04-06)

Bug Fixes

• precise memoryLimit for string replace (abc058b)
• use realpath for fs.contains (#867) (529dd67)

10.25.2 (2026-03-25)

Bug Fixes

• handle undefined replacement argument in replace filter (#864) (0ad2b11)

10.25.1 (2026-03-22)

Bug Fixes

• mem limiter for invalid ranges (95ddefc)
• treat args for replace_first as literal (35d5230)

10.25.0 (2026-03-07)

Bug Fixes

• path traversal vulnerability, #851 (#855) (3cd024d)

Features

• export error types, resolving #837 (#840) (71aa1b1)

Commits

• 8f69a08 chore(release): 10.25.3 [skip ci]
• 529dd67 fix: use realpath for fs.contains (#867)
• abc058b fix: precise memoryLimit for string replace
• 521177e chore(release): 10.25.2 [skip ci]
• 75e06ef docs: add joecottam as a contributor for code (#865)
• 0ad2b11 fix: handle undefined replacement argument in replace filter (#864)
• 97d8291 chore(release): 10.25.1 [skip ci]
• 35d5230 fix: treat args for replace_first as literal
• 94440a0 chore: more strict mem limit for string filters
• 95ddefc fix: mem limiter for invalid ranges
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for liquidjs since your current version.

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates mysql2 from 3.18.2 to 3.20.0

Release notes

Sourced from mysql2's releases.

v3.20.0

3.20.0 (2026-03-15)

Features

• add TracingChannel support for native APM instrumentation (#4178) (c06afc2)

Bug Fixes

• explicitly specify in auth plugins (#4175) (#4187) (5ac5563)
• prevent double release from corrupting the connection pool (#4186) (7e57db6)
• restore PoolConnection as subclass of Connection (#4183) (97855a6)

v3.19.1

3.19.1 (2026-03-09)

Security Bug Fixes

• bound null-terminated string read to packet end (fixes a potential OOB read reported by Doruk Tan Ozturk (peaktwilight)) (#4161) (91c5229)
• handle malformed geometry payloads (fixes a potential DoS vulnerability reported by Doruk Tan Ozturk (peaktwilight)) (#4164) (1869215)
• prevent query param override of URL-defined connection options (fixes a potential config injection vulnerability reported by Doruk Tan Ozturk (peaktwilight)) (#4162) (3123b4e)
• validate buffer bounds in geometry parser (fixes a potential DoS vulnerability reported by Doruk Tan Ozturk (peaktwilight)) (#4159) (7c2ae00)

v3.19.0

3.19.0 (2026-03-05)

Features

• use server's preferred auth method to eliminate auth switch roundtrip (#4140) (b57c671)

Bug Fixes

• fix precision loss for large decimal values (#4135) (099beea)

Changelog

Sourced from mysql2's changelog.

3.20.0 (2026-03-15)

Features

• add TracingChannel support for native APM instrumentation (#4178) (c06afc2)

Bug Fixes

• explicitly specify in auth plugins (#4175) (#4187) (5ac5563)
• prevent double release from corrupting the connection pool (#4186) (7e57db6)
• restore PoolConnection as subclass of Connection (#4183) (97855a6)

3.19.1 (2026-03-09)

Bug Fixes

• bound null-terminated string read to packet end (fixes a potential OOB read reported by Doruk Tan Ozturk (peaktwilight)) (#4161) (91c5229)
• handle malformed geometry payloads (fixes a potential DoS vulnerability reported by Doruk Tan Ozturk (peaktwilight)) (#4164) (1869215)
• prevent query param override of URL-defined connection options (fixes a potential config injection vulnerability reported by Doruk Tan Ozturk (peaktwilight)) (#4162) (3123b4e)
• validate buffer bounds in geometry parser (fixes a potential DoS vulnerability reported by Doruk Tan Ozturk (peaktwilight)) (#4159) (7c2ae00)

3.19.0 (2026-03-05)

Features

• use server's preferred auth method to eliminate auth switch roundtrip (#4140) (b57c671)

Bug Fixes

• fix precision loss for large decimal values (#4135) (099beea)

Commits

• 6d0ba45 chore(master): release 3.20.0 (#4180)
• 5ac5563 fix: explicitly specify in auth plugins (#4175) (#4187)
• 1993624 ci: improve workflows triggering (#4189)
• ff839c2 docs: improve LLM Agents instructions (#4188)
• 7e57db6 fix: prevent double release from corrupting the connection pool (#4186)
• 92d0724 docs: include instructions to LLM agents (#4185)
• f4ce16a refactor: simplify TracingChannel logic (#4184)
• 97855a6 fix: restore PoolConnection as subclass of Connection (#4183)
• 90a0677 refactor: prevent unintentional breaking change after TracingChannel support ...
• 5b61d86 ci: improve coverage (#4181)
• Additional commits viewable in compare view

Updates otplib from 13.3.0 to 13.4.0

Release notes

Sourced from otplib's releases.

v13.4.0

What's Changed

• fix(deps): resolve markdown-it ReDoS vulnerability by @​yeojz in yeojz/otplib#798
• chore(deps-dev): bump the dev-dependencies-minor group with 3 updates by @​dependabot[bot] in yeojz/otplib#800
• chore: update dependabot to monthly cadence by @​yeojz in yeojz/otplib#802
• chore: upgrade dependencies to latest versions by @​Copilot in yeojz/otplib#804
• Upgrade pnpm to 10.30.1 to fix audit endpoint issue by @​Copilot in yeojz/otplib#805
• chore: override minimatch by @​yeojz in yeojz/otplib#806
• docs: improve package READMEs with accurate API context and usage examples by @​yeojz in yeojz/otplib#803
• Fix docs by @​BobTheShoplifter in yeojz/otplib#807
• ci: skip reporting job on fork PRs by @​yeojz in yeojz/otplib#808
• chore: override ajv to fix moderate ReDoS vulnerability by @​yeojz in yeojz/otplib#809
• feat: add IIFE/CDN build support to otplib by @​yeojz in yeojz/otplib#810
• fix: update release titles to use version-prefixed format by @​yeojz in yeojz/otplib#811
• chore: move otplib-cli to packages/ and sync versioning by @​yeojz in yeojz/otplib#812
• docs(totp): add string secrets and authenticator compatibility notes to README by @​yeojz in yeojz/otplib#813
• chore(deps-dev): bump the dev-dependencies-patch group with 5 updates by @​dependabot[bot] in yeojz/otplib#814
• chore(deps): bump the github-actions group with 3 updates by @​dependabot[bot] in yeojz/otplib#816
• chore(deps-dev): bump @​eslint/js from 9.39.2 to 9.39.3 by @​dependabot[bot] in yeojz/otplib#815
• fix: override undici package security alert by @​yeojz in yeojz/otplib#818
• release(packages): v13.4.0 by @​github-actions[bot] in yeojz/otplib#819

New Contributors

• @​BobTheShoplifter made their first contribution in yeojz/otplib#807

Full Changelog: yeojz/otplib@v13.3.0...v13.4.0

Commits

• e5490bb release(packages): v13.4.0 (#819)
• 3352eeb docs(totp): add string secrets and authenticator compatibility notes to READM...
• 9038272 feat: add IIFE/CDN build support to otplib (#810)
• 4fd86b5 chore: update readme tip/important blocks
• 6c9ed1c docs: improve package READMEs with accurate API context and usage examples (#...
• See full diff in compare view

Updates pg from 8.19.0 to 8.20.0

Changelog

Sourced from pg's changelog.

pg@8.20.0

• Add onConnect callback to pg.Pool constructor options allowing for async initialization of newly created & connected pooled clients.

Commits

• c9070cc Publish
• ad36e3c fix: typo in deprecation notice for client.query() (#3618)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[nginxproxymanagerci]

Docker Image for build 1 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5458

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!