build(deps): bump the npm_and_yarn group across 1 directory with 3 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /api directory: joi, qs and ws.

Updates joi from 17.13.3 to 18.2.1

Commits

• 048fe05 18.2.1
• 2392713 Merge pull request #3113 from hapijs/fix/link-max-call-stack
• fc146a6 fix: protect link recursion from max call stack
• f4e97e0 18.2.0
• 626893d Merge pull request #3111 from hapijs/feat/link-maxRecursion
• 9c7a443 feat: add maxRecursion limit to links
• 7d43b12 18.1.2
• d98c802 Merge pull request #3107 from mahmoodhamdi/fix/json-schema-number-rules
• 7edc591 fix: improve JSON Schema conversion for number.port() and number.sign()
• 06afeb5 18.1.1
• Additional commits viewable in compare view

Updates qs from 6.15.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• 3f5e1c5 v6.15.1
• Additional commits viewable in compare view

Updates ws from 8.18.2 to 8.21.0

Release notes

Sourced from ws's releases.

8.21.0

Features

• Introduced the maxBufferedChunks and maxFragments options (2b2abd45).

Bug fixes

• Fixed a remote memory exhaustion DoS vulnerability (2b2abd45).

A high volume of tiny fragments and data chunks could be sent by a peer, using modest network traffic, to crash a ws server or client due to OOM.

import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebSocketServer({ port: 0 }, function () {
const data = Buffer.alloc(1);
const options = { fin: false };
const { port } = wss.address();
const ws = new WebSocket(ws://localhost:${port});
ws.on('open', function () {
(function send() {
ws.send(data, options, function (err) {
if (err) return;
send();
});
})();
});
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(client close - code: ${code} reason: ${reason.toString()});
});
});
wss.on('connection', function (ws) {
ws.on('error', console.error);
ws.on('close', function (code, reason) {
console.log(server close - code: ${code} reason: ${reason.toString()});
});
});

The vulnerability was responsibly disclosed and fixed by Nadav Magier.

In vulnerable versions, the issue can be mitigated by lowering the value of the maxPayload option if possible.

8.20.1

... (truncated)

Commits

• bca91ad [dist] 8.21.0
• 2b2abd4 [security] Limit retained message parts
• 78eabe2 [security] Add latest vulnerability to SECURITY.md
• 5d9b316 [dist] 8.20.1
• c0327ec [security] Fix uninitialized memory disclosure in websocket.close()
• ce2a3d6 [ci] Test on node 26
• 58e45b8 [ci] Do not test on node 25
• 5f26c24 [ci] Run the lint step on node 24
• 8439255 [dist] 8.20.0
• d3503c1 [minor] Export the PerMessageDeflate class and header utils
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[kilo-code-bot]

WARNING: joi 18 requires Node 20, but this package still advertises Node 16 support

The updated lockfile records joi 18.2.1 with engines.node: >= 20, while this package's own engines.node remains >=16.0.0. Consumers or deployments running Node 16/18 can now fail install-time engine checks or run an unsupported dependency set. Update the package/runtime engine to Node 20+ or keep joi on a Node-16-compatible major.

[kilo-code-bot]

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Changes Introduced

This PR updates the API dependency group: joi from 17.13.3 to 18.2.1, qs from 6.15.0 to 6.15.2, and ws from 8.18.2 to 8.21.0. The lockfile also swaps Joi's transitive packages from the older @sideway/* set to newer @hapi/* packages and records the ws security-fix release.

Overview

Severity	Count
CRITICAL	0
WARNING	1
SUGGESTION	0

Issue Details (click to expand)

WARNING

File	Line	Issue
api/package.json	72	joi 18 requires Node 20 while the package still advertises Node >=16 support.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File	Line	Issue
-	-	None

Files Reviewed (2 files)

• api/package.json - 1 issue
• api/package-lock.json - 0 issues

Fix these issues in Kilo Cloud

---

_{Reviewed by gpt-5.5-2026-04-23 · 346,497 tokens}

[dependabot]

Superseded by #26.