@renovate renovate bot commented Nov 13, 2025

This PR contains the following updates:

| Package | Change |
| --- | --- |
| cloudinary (source) | 2.0.3 -> 2.7.0 |

GitHub Vulnerability Alerts

CVE-2025-12613

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing security checks, altering data, or manipulating the application's behavior.

Note:
Following our established security policy, we attempted to contact the maintainer regarding this vulnerability, but haven't received a response.


Release Notes

cloudinary/cloudinary_npm (cloudinary)

v2.7.0

  • fix: prevent parameter injection via ampersand in parameter values (#709)

v2.6.1

v2.6.0

  • chore: bumped jsdoc
  • fix: defaults for related asset methods and proper content_type
  • chore: Updated Sample Projects (#698)
  • fix: metadata field datasource type (#693)
  • feat: Add support for DELETE /resources/backup/:asset_id (#700)
  • chore: dev dependencies cleanup
  • chore: new node version support in CI

v2.5.1

  • fix: added missing stream method to ts spec

v2.5.0

  • feat: auto_transcription on upload and explicit support (#690)
  • feat: auto_chaptering on upload and explicit support (#689)
  • feat: access key management via provisioning api (#687)

v2.4.0

  • feat: exposing config endpoint from admin api
  • fix: update metadata field added missing param default_disabled
  • fix: types definitions

v2.3.1

  • fix: use 0.0.0 as fallback when package.json unavailable
  • fix: upload_chunked_stream works properly with more than 2 chunks

v2.3.0

  • fix: url analytics property name
  • fix: dependencies explicit version (fix for CI)
  • fix: decoding transformation string before sending in upload payload
  • feat: update folders

v2.2.0

  • feat: selective response for admin and search api
  • feat: multiple values support for fields and with_field methods in search api

v2.1.0

  • feat: added support for new api in beta - analyze api
  • chore: added state to datasource entry type
  • fix: metadata field api response datasource type improved
  • feat: notification-url for rename and destroy methods

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
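
The bug class named in the advisory above, as an added illustration that is not part of this PR and is not code from the cloudinary package: a serializer that joins values without encoding lets an ampersand inside one value act as a parameter boundary, while percent-encoding keeps it as data. The function names and the sample fields (`caption`, `injected`) are constructed for this example; `sameParams` is a round-trip check suitable for a regression test.

```javascript
// Added illustration of ampersand parameter injection and its fix.
// Not the cloudinary SDK's code; all names and sample values are constructed.

// Vulnerable pattern: keys and values are concatenated as-is.
function naiveSerialize(params) {
  return Object.entries(params)
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
}

// Hardened pattern: percent-encode so "&" and "=" inside a value stay data.
function safeSerialize(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// What a standard form/query parser on the receiving side reconstructs.
function parse(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Round-trip check: the receiver must see exactly the parameters we sent.
function sameParams(params, serialize) {
  const seen = parse(serialize(params));
  const keys = Object.keys(params);
  return (
    Object.keys(seen).length === keys.length &&
    keys.every((k) => seen[k] === String(params[k]))
  );
}

// Constructed input: one caller-controlled value that contains "&" and "=".
const SAMPLE = { public_id: "avatar", caption: "cat&injected=1" };

function demo() {
  return {
    naive: parse(naiveSerialize(SAMPLE)),
    safe: parse(safeSerialize(SAMPLE)),
  };
}

console.log(demo());
console.log("naive round-trips:", sameParams(SAMPLE, naiveSerialize));
console.log("safe round-trips:", sameParams(SAMPLE, safeSerialize));
```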

korbit-ai bot commented Nov 13, 2025

By default, I don't review pull requests opened by bots. If you would like me to review this pull request anyway, you can request a review via the /korbit-review command in a comment.

coderabbitai bot commented Nov 13, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

korbit-ai bot commented Nov 13, 2025

I was unable to write a description for this pull request. This could be because I only found files I can't scan.

@renovate renovate bot force-pushed the renovate/npm-cloudinary-vulnerability branch 5 times, most recently from 2a68dbf to 899ca45 Compare November 20, 2025 21:03
@renovate renovate bot force-pushed the renovate/npm-cloudinary-vulnerability branch from 899ca45 to ba6408c Compare December 1, 2025 18:52