chore: bump the npm_and_yarn group across 1 directory with 2 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: basic-ftp and undici.

Updates basic-ftp from 5.1.0 to 5.2.0

Release notes

Sourced from basic-ftp's releases.

5.2.0

• Changed: Skip files with invalid name in downloadToDir.

Changelog

Sourced from basic-ftp's changelog.

5.2.0

• Changed: Skip files with invalid name in downloadToDir.

Commits

• 5d41e45 Bump version
• 49c2e73 Update dependencies
• 2a2a0e6 Skip invalid filenames
• 65c90d9 Fix permissions for workflows
• 593cb78 Set permissions for workflow jobs
• 36adf11 Remove deprecated CodeQL check
• See full diff in compare view

Updates undici from 5.29.0 to 6.23.0

Release notes

Sourced from undici's releases.

v6.23.0

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

What's Changed

• fix: fix wrong stream canceled up after cloning (v6) by @​snyamathi in nodejs/undici#4414
• [Backport v6.x] fix: fix EnvHttpProxyAgent for the Node.js bundle by @​github-actions[bot] in nodejs/undici#4432
• feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180) by @​metcoder95 in nodejs/undici#4433
• feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#4180) (#4340) by @​metcoder95 in nodejs/undici#4445
• Backport 4472 to v6.x by @​Uzlopak in nodejs/undici#4480

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

What's Changed

• [Backport v6.x] append crlf to formdata body by @​github-actions in nodejs/undici#4210

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

v6.21.2

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in nodejs/undici#4024
• [v6.x] fix wpts on windows by @​mcollina in nodejs/undici#4093
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

New Contributors

• @​slagiewka made their first contribution in nodejs/undici#4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

• fix(#3736): back-port 183f8e9 to v6.x by @​ggoodman in nodejs/undici#3855
• fix(#3817): send servername for SNI on TLS (#3821) [backport] by @​metcoder95 in nodejs/undici#3864
• fix: sending formdata bodies with http2 (#3863) [backport] by @​metcoder95 in nodejs/undici#3866
• [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @​github-actions in nodejs/undici#3877
• types: [backport] Update return type of RetryCallback (#3851) by @​metcoder95 in nodejs/undici#3876

... (truncated)

Commits

• fbc31e2 Bumped v6.23.0
• 3477c94 chore: release flow using provenance
• d3aafea fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• f9c9185 Bumped v6.22.0
• f670f2a feat: make UndiciErrors reliable to instanceof (#4472) (#4480)
• 422e397 feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#41...
• 4a06ffe feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180)...
• 4cb3974 fix: fix EnvHttpProxyAgent for the Node.js bundle (#4064) (#4432)
• 44c23e5 fix: fix wrong stream canceled up after cloning (v6) (#4414)
• da0e823 Bumped v6.21.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@actions/http-client	3.0.2	🟢 6.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits
npm/basic-ftp	5.2.0	🟢 5.6	Details Check Score Reason Maintained 🟢 10 15 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/undici	6.23.0	🟢 8.2	Details Check Score Reason Code-Review 🟢 9 Found 22/23 approved changesets -- score normalized to 9 Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 8 binaries present in source code Security-Policy 🟢 9 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4 Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 81 contributing companies or organizations

Scanned Files

• package-lock.json

[felickz]

@copilot fix the failing CI (https://github.com/advanced-security/codeql-sarif-security-standard-annotator/actions/runs/22783905830/job/66096165176?pr=200) for this PR

[Copilot]

@felickz I've opened a new pull request, #203, to work on those changes. Once the pull request is ready, I'll request review from you.

[felickz]

👍