Bump pbkdf2 from 3.1.1 to 3.1.5

[dependabot]

Bumps pbkdf2 from 3.1.1 to 3.1.5.

Changelog

Sourced from pbkdf2's changelog.

v3.1.5 - 2025-09-23

Commits

• [Fix] only allow finite iterations 67bd94d
• [Fix] restore node 0.10 support 8f59d96
• [Fix] check parameters before the "no Promise" bailout d2dc5f0

v3.1.4 - 2025-09-22

Commits

• [Deps] update create-hash, ripemd160, sha.js, to-buffer 8dbf49b
• [meta] update repo URLs d15bc35
• [Dev Deps] update @ljharb/eslint-config aaf870b

v3.1.3 - 2025-06-20

Commits

• Only apps should have lockfiles 8b06730
• [lint] fix whitespace 9a76e2f
• [lint] fix parens/curlies/semis/etc 6fd84bf
• [meta] add auto-changelog 796c38d
• [Tests] fix tests in node 17 3661fb0
• Revert "[Tests] fix tests in node < 3" 7431b57
• [Tests] fix tests in node < 3 eb9f97a
• [Fix] ensure unknown algorithms throw + known ones match node 26d4fd3
• [Tests] add GHA, always run nyc 513906a
• [lint] fix a few more rules ab04da8
• [lint] switch to eslint 89694cf
• [Tests] add coverage d0d534b
• [Refactor] use to-buffer e3102a8
• [readme] improve badges fca0c9d
• [Tests] remove unused travis file a2c7d93
• [meta] switch from files to npmignore 7f31fbc
• [Tests] use .nycrc 8d628e8
• [Refactor] minor tweaks fc61005
• [Deps] update create-hmac, safe-buffer, sha.js ae2a7d0
• [Fix] pin create-hash, ripemd160 due to breaking changes e079968
• [Tests] fix tests in node 3 45fbcf3
• [meta] skip publishing benchmarks 19ea57b
• [Dev Deps] add missing peer dep 645e252

v3.1.2 - 2021-04-09

Commits

• handle nextTick 36457b9
• Check for process before accessing 449e510

... (truncated)

Commits

• 3687905 v3.1.5
• 67bd94d [Fix] only allow finite iterations
• 8f59d96 [Fix] restore node 0.10 support
• d2dc5f0 [Fix] check parameters before the "no Promise" bailout
• b2ad615 v3.1.4
• 8dbf49b [Deps] update create-hash, ripemd160, sha.js, to-buffer
• aaf870b [Dev Deps] update @ljharb/eslint-config
• d15bc35 [meta] update repo URLs
• 3e40827 v3.1.3
• e3102a8 [Refactor] use to-buffer
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for pbkdf2 since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dg-appsec-cxone]

Checkmarx One – Scan Summary & Details – 9fcb475f-696d-4cb0-b907-d84c42cee501

New Issues (13)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-66418	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2025-66471	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2026-0775	Npm-npm-6.14.9	details Recommended version: 11.9.0 Description: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges ... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package
4		CVE-2026-21441	Python-urllib3-1.26.20	details Recommended version: 2.6.3 Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-23745	Npm-tar-4.4.13	details Recommended version: 7.5.7 Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
6		CVE-2026-23950	Npm-tar-4.4.13	details Recommended version: 7.5.7 Description: node-tar,a Tar for Node.js, has a race condition vulnerability in versions through 7.5.3. This is due to an incomplete handling of Unicode path col... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-24842	Npm-tar-4.4.13	details Recommended version: 7.5.7 Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2025-13465	Npm-lodash-4.17.19	details Recommended version: 4.17.23 Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2025-14505	Npm-elliptic-6.5.4	details Description: The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
10		CVE-2025-15284	Npm-qs-6.5.2	details Recommended version: 6.5.4 Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11		CVE-2025-50537	Npm-eslint-6.8.0	details Recommended version: 9.26.0 Description: Stack Overflow vulnerability in ESLint prior to 9.26.0 when serializing objects with circular references in "eslint/lib/shared/serialization.js". T... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
12		CVE-2025-64718	Npm-js-yaml-3.14.0	details Recommended version: 3.14.2 Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13		CVE-2026-2391	Npm-qs-6.5.2	details Recommended version: 6.5.4 Description: ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to c... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

Fixed Issues (3)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2025-6545	Npm-pbkdf2-3.1.1
	CVE-2025-6547	Npm-pbkdf2-3.1.1
	CVE-2025-9288	Npm-sha.js-2.4.11

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR