Bump the npm_and_yarn group across 1 directory with 25 updates

[dependabot]

Bumps the npm_and_yarn group with 19 updates in the / directory:

Package	From	To
fast-json-patch	2.2.1	3.1.1
moment-timezone	0.5.26	0.5.35
snyk	1.334.0	1.1295.3
@babel/traverse	7.5.5	7.26.8
color-string	1.5.3	1.9.1
cookiejar	2.1.2	2.1.4
decode-uri-component	0.2.0	0.2.2
elliptic	6.5.3	6.6.1
express	4.17.1	4.21.2
fsevents	1.2.9	1.2.13
handlebars	4.7.6	4.7.8
hosted-git-info	2.8.4	2.8.9
json5	2.1.0	2.2.3
minimatch	3.0.4	3.1.2
mongodb	3.3.1	3.7.4
path-parse	1.0.6	1.0.7
tmpl	1.0.4	1.0.5
word-wrap	1.2.3	1.2.5
ws	5.2.2	5.2.4

Updates fast-json-patch from 2.2.1 to 3.1.1

Release notes

Sourced from fast-json-patch's releases.

3.1.1

Security Fix for Prototype Pollution - huntr.dev #262

Bug fixes and ES6 modules

Use ES6 Modules

• package now exports non-bundled ES module Starcounter-Jack/JSON-Patch#232
• main still points to CommonJS module for backward compatibility
• README recommends use of named ES imports

List of changes Starcounter-Jack/JSON-Patch@v2.2.1...3.0.0-0

Use ES6 Modules

• package now exports non-bundled ES module Starcounter-Jack/JSON-Patch#232
• main still points to CommonJS module for backward compatibility
• README recommends use of named ES imports

Full list of changes Starcounter-Jack/JSON-Patch@v2.2.1...3.0.0-0

Commits

• 9d313ac fix(tests): Updated tests to reflect new error message
• e4f4eb3 3.1.1
• d7903fb fix: typescript codegen changes
• 5f04488 Bumping version number
• 7e9fe13 Typescript provided
• 097864a Documentation updated
• 51964ed feat: Cleaned up vars vs consts
• 8a6a360 New build
• adeb422 Update .gitignore
• 59336fe Merge pull request #292 from Starcounter-Jack/dependabot/npm_and_yarn/ajv-6.12.6
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mountain-jack, a new releaser for fast-json-patch since your current version.

Updates moment-timezone from 0.5.26 to 0.5.35

Release notes

Sourced from moment-timezone's releases.

Release 0.5.35

• Fix command injection in data pipeline GHSA-56x4-j7p9-fcf9
• Fix cleartext transmission of sensitive information GHSA-v78c-4p63-2j6c

Thanks to the OpenSSF Alpha-Omega project for reporting these!

Release 0.5.34

• Updated data to IANA TZDB 2021e

Release 0.5.33

• Updated data to IANA TZDB 2021a

Release 0.5.32

• Updated data to IANA TZDB 2020d

Release 0.5.31

Fixed Travis builds for Node.js 4 and 6

Release 0.5.30

• Updated data to IANA TZDB 2020a
• Fixed typescript definitions

NOTE: You might need to un-install @types/moment-timezone. Check moment/moment-timezone#858 for more info.

Release 0.5.29

• Fixed es6 module loading issue moment/moment-timezone@1fd4234
• Fixed typescript declarations moment/moment-timezone@ed529ea
• Fixed changelog moment/moment-timezone@adb7d7b

Release 0.5.28

Merged pull request #410 from @​adgrace:

• Added a method moment.tz.zonesForCountry(country_code) which returns all timezones for the country
• Added a method moment.tz(timezone_id).countries() to get countries for some time zone
• Added a method moment.tz.countries() to get all country codes
• And as you know moment.tz.names() already exists

Release 0.5.27

0.5.27 2019-10-14

• Updated data to IANA TZDB `2019c

Changelog

Sourced from moment-timezone's changelog.

0.5.35 2022-08-23

• Fix command injection in data pipeline GHSA-56x4-j7p9-fcf9
• Fix cleartext transmission of sensitive information GHSA-v78c-4p63-2j6c

Thanks to the OpenSSF Alpha-Omega project for reporting these!

0.5.34 2021-11-10

• Updated data to IANA TZDB 2021e

0.5.33 2021-02-06

• Updated data to IANA TZDB 2021a

0.5.32 2020-11-14

• Updated data to IANA TZDB 2020d

0.5.31 2020-05-16

• Fixed Travis builds for Node.js 4 and 6

0.5.30 2020-05-16

• Updated data to IANA TZDB 2020a
• Fixed typescript definitions

NOTE: You might need to un-install @​types/moment-timezone. Check moment/moment-timezone#858 for more info

0.5.29 2020-05-16

• Merged fix of es6 module loading issue moment/moment-timezone@1fd4234
• Merged PR with typescript declarations moment/moment-timezone@ed529ea
• Merged fixes to changelog moment/moment-timezone@adb7d7b

0.5.28 2020-02-21

Merged pull request #410 from @​adgrace:

• Added a method moment.tz.zonesForCountry(country_code) which returns all timezones for the country
• Added a method moment.tz(timezone_id).countries() to get countries for some time zone
• Added a method moment.tz.countries() to get all country codes
• And as you know moment.tz.zones() already exists

0.5.27 2019-10-14

• Updated data to IANA TZDB 2019c

Commits

• b8fb1ba Build moment-timezone 0.5.35
• f1b5e5a Add changelog for 0.5.35
• 8b0eb0c Bump version to 0.5.35
• 7915ac5 Bugfix: Prevent cleartext transmission of tz data during build
• ce955a3 Bugfix: Fix command injection vulnerability in grunt tzdata pipeline
• 9430b4c Merge remote-tracking branch 'origin/master' into develop
• feaf900 Updated contributing.md + added 2021e files
• 704cfac updated contributing.md
• 877c863 Updated contributing.md + added 2021e files
• 5a3015c updated contributing.md
• Additional commits viewable in compare view

Updates snyk from 1.334.0 to 1.1295.3

Release notes

Sourced from snyk's releases.

v1.1295.3

1.1295.3 (2025-02-11)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• security: Upgrades dependencies to address CVE-2025-21614
• language-server: Improved memory usage when executing code scans on large projects
• language-server: Fix incorrect filtering of files when executing code scans which could fail the analysis
• language-server: Fix random unexpected logouts when using OAuth2 authentication

v1.1295.2

1.1295.2 (2025-01-24)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• general: revert dependencies upgrade which introduced a regression on a number of Linux installations

v1.1295.1

1.1295.1 (2025-01-23)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Bug Fixes

• security: Upgrades goproxy to 1.5 to address a high severity vulnerability
• security: Upgrades dependencies in IaC plugin to address CVE-2025-21614

v1.1295.0

1.1295.0 (2025-01-08)

The Snyk CLI is being deployed to different deployment channels, users can select the stability level according to their needs. For details please see this documentation

Features

• iac: include evidence field in json output [IAC-3161] (9487a08)
• auth: auto detect API Url during OAuth authentication (6884511)

Bug Fixes

• test: support verbose gradle graphs for sbom generation (600ef50)
• general: prevent snyk-policy lib from interrupting stdout to ensure valid --json --sarif output (469edf5)
• general: improved error messages around network requests (f6fc5f7)
• general: only read SNYK_ prefixed env vars (5bfcbe8)
• instrumentation: add default oss product for monitor as well (83cabc3)
• container: optional dependencies are properly connected in the dep-graph (3205e66)

... (truncated)

Commits

• af678f3 Merge pull request #5727 from snyk/chore/update_1295.3
• f2e34bf Merge branch 'release-candidate' into chore/update_1295.3
• 10c15bb Merge pull request #5725 from snyk/hotfix/incorrect_version_bump
• c01e768 fix: Fix incorrect version bump by temporary hard coding patch
• 1df0938 Merge pull request #5720 from snyk/release-candidate
• 030a343 Merge pull request #5722 from snyk/hotfix/rollback_goproxy
• 8ea76d5 revert: Undo dependency change to reduce risk for hotfix
• ce5b1f6 Merge pull request #5715 from snyk/hotfix/releasenotes-1.1295.3
• 679c175 docs: update release notes
• 4a80e78 Merge pull request #5717 from snyk/ls-hotfix-to-release-candidate-1.1295.3
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by snyk-admin, a new releaser for snyk since your current version.

Updates @babel/traverse from 7.5.5 to 7.26.8

Release notes

Sourced from @​babel/traverse's releases.

v7.26.8 (2025-02-08)

🏠 Internal

• babel-preset-env
  • #17097 Update dependency babel-plugin-polyfill-corejs3 to ^0.11.0

v7.26.7 (2025-01-24)

Thanks @​branchseer and @​tquetano-netflix for your first PRs!

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

Committers: 6

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• Tony Quetano (@​tquetano-netflix)
• @​branchseer
• @​liuxingbaoyu

v7.26.6 (2025-01-13)

🐛 Bug Fix

• babel-plugin-transform-nullish-coalescing-operator
  • #17061 fix: Chaining nullish coalescing operators output size regression (@​liuxingbaoyu)

Committers: 1

• @​liuxingbaoyu

v7.26.5 (2025-01-10)

👓 Spec Compliance

• babel-parser
  • #17011 Allow the dynamic import.defer() form of import defer (@​babel-bot)

🐛 Bug Fix

• babel-plugin-transform-block-scoped-functions
  • #17024 chore: Avoid calling isInStrictMode in Babel 7 (@​liuxingbaoyu)

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

Changelog

Tags:

• 💥 [Breaking Change]
• 👓 [Spec Compliance]
• 🚀 [New Feature]
• 🐛 [Bug Fix]
• 📝 [Documentation]
• 🏠 [Internal]
• 💅 [Polish]

Note: Gaps between patch versions are faulty, broken or test releases.

This file contains the changelog starting from v7.15.0.

• See CHANGELOG - v7.0.0 to v7.14.9 for v7.0.0 to v7.14.9 changes.
• See CHANGELOG - v7 prereleases for v7.0.0-alpha.1 to v7.0.0-rc.4 changes.
• See CHANGELOG - v4, CHANGELOG - v5, and CHANGELOG - v6 for v4.x-v6.x changes.
• See CHANGELOG - 6to5 for the pre-4.0.0 version changelog.
• See Babylon's CHANGELOG for the Babylon pre-7.0.0-beta.29 version changelog.
• See babel-eslint's releases for the changelog before @babel/eslint-parser 7.8.0.
• See eslint-plugin-babel's releases for the changelog before @babel/eslint-plugin 7.8.0.

v7.26.7 (2025-01-24)

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

v7.26.6 (2025-01-13)

🐛 Bug Fix

• babel-plugin-transform-nullish-coalescing-operator
  • #17061 fix: Chaining nullish coalescing operators output size regression (@​liuxingbaoyu)

v7.26.5 (2025-01-10)

👓 Spec Compliance

... (truncated)

Commits

• 0593941 v7.26.8
• e02b0ff [Babel 8] Create TSTemplateLiteralType (#17066)
• 2d95140 v7.26.7
• ad572fd fix: Remove type-only import x = y.z (#17025)
• 74181cf v7.26.5
• d35794e [Babel 8] Create TSEnumBody for TSEnumDeclaration (#16979)
• cd24cc0 chore: Update TS 5.7 (#17053)
• cf7b9cd v7.26.4
• f33704a Revert "perf: Improve scope information collection performance" (#17005)
• 36ca8fa v7.26.3
• Additional commits viewable in compare view

Updates async from 1.5.2 to 3.2.0

Release notes

Sourced from async's releases.

v2.3.0

• Added support for ES2017 async functions. Wherever you can pass a Node-style/CPS function that uses a callback, you can also pass an async function. Previously, you had to wrap async functions with asyncify. The caveat is that it will only work if async functions are supported natively in your environment, transpiled implementations can't be detected. (#1386, #1390)

v2.2.0

• Added groupBy, and the Series/Limit equivalents, analogous to _.groupBy (#1364)
• Fixed transform bug when callback was not passed (#1381)

v2.1.5

• Fix auto bug when function names collided with Array.prototype (#1358)
• Improve some error messages (#1349)
• Avoid stack overflow case in queue
• Fixed an issue in some, every and find where processing would continue after the result was determined.
• Cleanup implementations of some, every and find

v2.1.3

• Make bundle size smaller
• Create optimized hotpath for filter in array case.

v2.1.2

• Fixed a stackoverflow bug with detect, some, every on large inputs (#1293).

v2.1.0

• retry and retryable now support an optional errorFilter function that determines if the task should retry on the error (#1256, #1261)
• Optimized array iteration in race, cargo, queue, and priorityQueue (#1253)

v2.0.0

Lots of changes here!

First and foremost, we have a slick new site for docs. Special thanks to @​hargasinski for his work converting our old docs to jsdoc format and implementing the new website. Also huge ups to @​ivanseidel for designing our new logo. It was a long process for both of these tasks, but I think these changes turned out extraordinary well.

The biggest feature is modularization. You can now require("async/series") to only require the series function. Every Async library function is available this way. You still can require("async") to require the entire library, like you could do before.

We also provide Async as a collection of ES2015 modules. You can now import {each} from 'async-es' or import waterfall from 'async-es/waterfall'. If you are using only a few Async functions, and are using a ES bundler such as Rollup, this can significantly lower your build size.

Major thanks to @​Kikobeats, @​aearly and @​megawac for doing the majority of the modularization work, as well as @​jdalton and @​Rich-Harris for advisory work on the general modularization strategy.

Another one of the general themes of the 2.0 release is standardization of what an "async" function is. We are now more strictly following the node-style continuation passing style. That is, an async function is a function that:

1. Takes a variable number of arguments
2. The last argument is always a callback
3. The callback can accept any number of arguments
4. The first argument passed to the callback will be treated as an error result, if the argument is truthy
5. Any number of result arguments can be passed after the "error" argument
6. The callback is called once and exactly once, either on the same tick or later tick of the JavaScript event loop.

There were several cases where Async accepted some functions that did not strictly have these properties, most notably auto, every, some, and filter.

Another theme is performance. We have eliminated internal deferrals in all cases where they make sense. For example, in waterfall and auto, there was a setImmediate between each task -- these deferrals have been removed. A setImmediate call can add up to 1ms of delay. This might not seem like a lot, but it can add up if you are using many Async functions in the course of processing a HTTP request, for example. Nearly all asynchronous functions that do I/O already have some sort of deferral built in, so the extra deferral is unnecessary. The trade-off of this change is removing our built-in stack-overflow defense. Many synchronous callback calls in series can quickly overflow the JS call stack. If you do have a function that is sometimes synchronous (calling its callback on the same tick), and are running into stack overflows, wrap it with async.ensureAsync().

Another big performance win has been re-implementing queue, cargo, and priorityQueue with doubly linked lists instead of arrays. This has lead to queues being an order of magnitude faster on large sets of tasks.

... (truncated)

Changelog

Sourced from async's changelog.

v3.2.0

• Fix a bug in Safari related to overwriting func.name
• Remove built-in browserify configuration (#1653)
• Varios doc fixes (#1688, #1703, #1704)

v3.1.1

• Allow redefining name property on wrapped functions.

v3.1.0

• Added q.pushAsync and q.unshiftAsync, analagous to q.push and q.unshift, except they always do not accept a callback, and reject if processing the task errors. (#1659)
• Promises returned from q.push and q.unshift when a callback is not passed now resolve even if an error ocurred. (#1659)
• Fixed a parsing bug in autoInject with complicated function bodies (#1663)
• Added ES6+ configuration for Browserify bundlers (#1653)
• Various doc fixes (#1664, #1658, #1665, #1652)

v3.0.1

Bug fixes

• Fixed a regression where arrays passed to queue and cargo would be completely flattened. (#1645)
• Clarified Async's browser support (#1643)

v3.0.0

The async/await release!

There are a lot of new features and subtle breaking changes in this major version, but the biggest feature is that most Async methods return a Promise if you omit the callback, meaning you can await them from within an async function.

const results = await async.mapLimit(urls, 5, async url => {
    const resp = await fetch(url)
    return resp.body
})

Breaking Changes

• Most Async methods return a Promise when the final callback is omitted, making them await-able! (#1572)
• We are now making heavy use of ES2015 features, this means we have dropped out-of-the-box support for Node 4 and earlier, and many old versions of browsers. (#1541, #1553)
• In queue, priorityQueue, cargo and cargoQueue, the "event"-style methods, like q.drain and q.saturated are now methods that register a callback, rather than properties you assign a callback to. They are now of the form q.drain(callback). If you do not pass a callback a Promise will be returned for the next occurrence of the event, making them await-able, e.g. await q.drain(). (#1586, #1641)
• Calling callback(false) will cancel an async method, preventing further iteration and callback calls. This is useful for preventing memory leaks when you break out of an async flow by calling an outer callback. (#1064, #1542)
• during and doDuring have been removed, and instead whilst, doWhilst, until and doUntil now have asynchronous test functions. (#850, #1557)
• limits of less than 1 now cause an error to be thrown in queues and collection methods. (#1249, #1552)
• memoize no longer memoizes errors (#1465, #1466)
• applyEach/applyEachSeries have a simpler interface, to make them more easily type-able. It always returns a function that takes in a single callback argument. If that callback is omitted, a promise is returned, making it awaitable. (#1228, #1640)

New Features

• Async generators are now supported in all the Collection methods. (#1560)
• Added cargoQueue, a queue with both concurrency and payload size parameters. (#1567)
• Queue objects returned from queue now have a Symbol.iterator method, meaning they can be iterated over to inspect the current list of items in the queue. (#1459, #1556)

... (truncated)

Commits

• 98ccc7c Version 3.2.0
• ea7365a Update built files
• 2130a82 fix tests related to wrapped function names
• 0e4087b update changelog
• 9204af1 remove setting asyncFn.name to fix a safari bug
• f4d19c7 remove redundant npm test in xyz
• 6919fa0 remove browserify configuration. Closes #1653
• a7b030d regen docs
• 8141ac0 fix cargoQueue return type. Closes #1704
• d13a589 regen docs
• Additional commits viewable in compare view

Updates color-string from 1.5.3 to 1.9.1

Release notes

Sourced from color-string's releases.

1.9.0

Minor Release 1.9.0

• Add parsing of exponential alpha values for HWB and HSL (#66)

Thanks to @​babycannotsay for their contribution!

1.8.2

Patch release 1.8.2

• Fix incorrect handling of optional comma in rgb() regex (#65)

Thanks to @​gerdasi and @​mastertheblaster for reporting and confirming the bug!

1.8.1

Patch release 1.8.1

• Fix rgb alpha percentage parsing from int to float (#61)

Thanks to @​clytras for their contribution!

1.8.0

Minor release 1.8.0

• Add anchors to keyword regex (#64)

Thanks to @​cq360767996 for their contribution!

1.7.4

Patch Release 1.7.4

• Fix bug in .to.hex() output if the inputs aren't rounded numbers (#25)

1.7.3

Patch Release 1.7.3

• Fix hue modulo operation (#50)

Thanks to @​adroitwhiz for their contributions.

1.7.2

Patch Release 1.7.2

• Fix issue where color-string with incorrectly return a color for properties on Object's prototype like "constructor". (#45)

Thanks to @​tolmasky for their contributions.

1.7.1

Patch release 1.7.1

... (truncated)

Commits

• See full diff in compare view

Updates cookiejar from 2.1.2 to 2.1.4

Commits

• See full diff in compare view

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates elliptic from 6.5.3 to 6.6.1

Commits

• 9b77436 6.6.1
• 04cb6f5 Merge commit from fork
• b8a7edd 6.6.0
• 34c8534 fix: signature verification due to leading zeros
• 3e46a48 6.5.7
• accb61e lib: DER signature decoding correction
• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• Additional commits viewable in compare view

Updates express from 4.17.1 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: [email protected] by @​blakeembrey in expressjs/express#5956
• deps: bump [email protected] by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: [email protected]
  • Fix backtracking protection
• deps: [email protected]
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: [email protected]
  • includes [email protected]
• deps: [email protected]
• deps: [email protected]

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump [email protected] (#6209)
• 59fc270 deps: [email protected] (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates fsevents from 1.2.9 to 1.2.13

Release notes

Sourced from fsevents's releases.

Release v1.2.13

Only build on Mac-OSX

Release v1.2.11

Removing node-pre-gyp so that building fsevents becomes easier and enabled without the download of binaries.

The credentials to the AWS store have been lost. Releasing to AWS is both insecure and no longer possible due to the lost credentials.

Intermediate Release

No release notes provided.

Commits

• 844a05d Version Bump