Bump basic-ftp from 5.0.5 to 5.2.0

[dependabot]

Bumps basic-ftp from 5.0.5 to 5.2.0.

Release notes

Sourced from basic-ftp's releases.

5.2.0

• Changed: Skip files with invalid name in downloadToDir.

5.1.0

• Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Changelog

Sourced from basic-ftp's changelog.

5.2.0

• Changed: Skip files with invalid name in downloadToDir. Fixes security vulnerability CVE-2026-27699, see GHSA-5rq4-664w-9x2c.

5.1.0

• Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Commits

• 5d41e45 Bump version
• 49c2e73 Update dependencies
• 2a2a0e6 Skip invalid filenames
• 65c90d9 Fix permissions for workflows
• 593cb78 Set permissions for workflow jobs
• 36adf11 Remove deprecated CodeQL check
• 9da4af0 Update changelog
• 6993039 Improve naming
• 0b8f756 Improve naming
• 67a53f2 Bump version
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cursor]

PR Summary

Medium Risk
Moderate risk due to a third-party dependency upgrade that may change FTP download behavior and (per upstream) introduces a new install-time prepare script/new releaser, which can impact supply-chain/runtime behavior.

Overview
Updates the locked basic-ftp dependency from 5.0.5 to 5.2.0 in yarn.lock.

This pulls in upstream changes including handling of invalid filenames during downloadToDir (and associated security fix per upstream notes).

^{Written by Cursor Bugbot for commit 38b66f0. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Ready	Preview, Comment	Feb 27, 2026 9:27am
petrinaut	Ready	Preview	Feb 27, 2026 9:27am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
hashdotdesign	Ignored	Preview	Feb 27, 2026 9:27am
hashdotdesign-tokens	Ignored	Preview	Feb 27, 2026 9:27am

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the npm dependency basic-ftp from 5.0.5 to 5.2.0 (lockfile update), primarily to pick up the upstream security fix for CVE-2026-27699.

Changes: Includes 5.1.0’s PASV transfer-host behavior option and 5.2.0’s stricter handling of invalid filenames in downloadToDir.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.