Skip to content

Bump the npm_and_yarn group across 1 directory with 12 updates#3

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-072cffa24f
Open

Bump the npm_and_yarn group across 1 directory with 12 updates#3
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-072cffa24f

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Dec 31, 2025

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
express 4.19.2 4.22.0
braces 3.0.2 3.0.3
form-data 4.0.0 4.0.5
js-yaml 3.14.1 3.14.2
on-headers 1.0.2 1.1.0
undici 5.28.4 5.29.0

Updates express from 4.19.2 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie
Commits

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

New Contributors

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

  • deps: qs@~6.14.0
  • deps: use tilde notation for dependencies
  • deps: http-errors@~2.0.1
  • deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.


Updates braces from 3.0.2 to 3.0.3

Commits

Updates cookie from 0.6.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

  • Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

  • Allow leading dot for domain (#174)
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

jshttp/cookie@v0.6.0...v0.7.0

Commits
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.


Updates form-data from 4.0.0 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

  • [meta] add auto-changelog 811f682
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
  • [Fix] Switch to using crypto random for boundary values 3d17230
  • [Tests] fix linting errors 5e34080
  • [meta] actually ensure the readme backup isn’t published 316c82b
  • [Dev Deps] update @ljharb/eslint-config 58c25d7
  • [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

Commits

  • [eslint] use a shared config 426ba9a
  • [eslint] fix some spacing issues 2094191
  • [Refactor] use hasown 81ab41b
  • [Fix] validate boundary type in setBoundary() method 8d8e469
  • [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
  • [Dev Deps] remove unused deps 870e4e6
  • [meta] remove local commit hooks e6e83cc
  • [Dev Deps] update eslint 4066fd6
  • [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

Fixed

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

  • [Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076
  • [Dev Deps] update @ljharb/eslint-config, eslint 5822467
  • [Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

  • [meta] add auto-changelog 811f682
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
  • [Fix] Switch to using crypto random for boundary values 3d17230
  • [Tests] fix linting errors 5e34080
  • [meta] actually ensure the readme backup isn’t published 316c82b
  • [Dev Deps] update @ljharb/eslint-config 58c25d7
  • [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

Commits

  • [eslint] use a shared config 426ba9a
  • [eslint] fix some spacing issues 2094191
  • [Refactor] use hasown 81ab41b
  • [Fix] validate boundary type in setBoundary() method 8d8e469
  • [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
  • [Dev Deps] remove unused deps 870e4e6
  • [meta] remove local commit hooks e6e83cc
  • [Dev Deps] update eslint 4066fd6
  • [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

Fixed

... (truncated)

Commits
  • 68ff7dd v4.0.5
  • 5822467 [Dev Deps] update @ljharb/eslint-config, eslint
  • 76d0dee [Fix] set Symbol.toStringTag in the proper place
  • 16e0076 [Tests] Switch to newer v8 prediction library; enable node 24 testing
  • 41996f5 v4.0.4
  • 316c82b [meta] actually ensure the readme backup isn’t published
  • 2300ca1 [meta] fix readme capitalization
  • 811f682 [meta] add auto-changelog
  • 5e34080 [Tests] fix linting errors
  • 1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.


Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

What's Changed

New Contributors

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

Commits
  • 4b017af 1.1.0
  • b636f2d ♻️ refactor header array code
  • 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
  • 172eb41 ✨ support duplicate headers
  • c6e3849 🔒️ fix array handling
  • 6893518 💚 update CI - add newer node versions
  • 56a345d ✨ add script to update known hashes
  • 175ab21 👷 add upstream change detection (#31)
  • ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
  • 1a38c54 fix: use ubuntu-latest as ci runner (#19)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.


Updates path-to-regexp from 0.1.7 to 0.1.12

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking (again)

Fixed

  • Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

  • Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

  • Add backtrack protection to parameters 29b96b4
    • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

  • Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

  • Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

Updates qs from 6.11.0 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

  • [Fix] ensure arrayLength applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup
  • [Tests] utils.merge: add some coverage
  • [Tests] fix a test case
  • [actions] split out node 10-20, and 20+
  • [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

6.13.0

  • [New] parse: add strictDepth option (#511)
  • [Tests] use npm audit instead of aud

6.12.3

  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • [meta] fix changelog indentation

6.12.2

  • [Fix] parse: parse encoded square brackets (#506)
  • [readme] add CII best practices badge

6.12.1

  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
  • [Refactor] utils: use +=
  • [Tests] increase coverage

6.12.0

... (truncated)

Commits
  • 3fa11a5 v6.14.1
  • a626704 [Dev Deps] update npmignore
  • 3086902 [Fix] ensure arrayLength applies to [] notation as well
  • fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
  • 0b06aac [Dev Deps] update @ljharb/eslint-config
  • 64951f6 [Refactor] parse: extract key segment splitting helper
  • e1bd259 [Dev Deps] update @ljharb/eslint-config
  • f4b3d39 [eslint] add eslint 9 optional peer dep
  • 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
  • 973dc3c [actions] add workflow permissions
  • Additional commits viewable in compare view

Updates send from 0.18.0 to 0.19.2

Release notes

Sourced from send's releases.

0.19.2

What's Changed

Full Changelog: pillarjs/send@0.19.1...0.19.2

0.19.1

What's Changed

Full Changelog: pillarjs/send@0.19.0...0.19.1

0.19.0

What's Changed

New Contributors

Full Changelog: pillarjs/send@0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.2 / 2025-12-15

  • deps: use tilde notation for dependencies
  • deps: http-errors@~2.0.1
  • deps: statuses@~2.0.2

0.19.1 / 2024-10-09

  • deps: encodeurl@~2.0.0

0.19.0 / 2024-09-10

  • Remove link renderization in html while redirecting
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.


Updates serve-static from 1.15.0 to 1.16.3

Release notes

Sourced from serve-static's releases.

v1.16.3

What's Changed

Full Changelog: expressjs/serve-static@v1.16.2...v1.16.3

v1.16.2

What's Changed

Full Changelog: https://github.com/expressjs/serve-static/compare...

Description has been truncated

@dependabot
Bump the npm_and_yarn group across 1 directory with 12 updates
3ebbc5b 
Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [express](https://github.com/expressjs/express) | `4.19.2` | `4.22.0` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [form-data](https://github.com/form-data/form-data) | `4.0.0` | `4.0.5` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [on-headers](https://github.com/jshttp/on-headers) | `1.0.2` | `1.1.0` |
| [undici](https://github.com/nodejs/undici) | `5.28.4` | `5.29.0` |



Updates `express` from 4.19.2 to 4.22.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md)
- [Commits](expressjs/express@4.19.2...4.22.0)

Updates `body-parser` from 1.20.2 to 1.20.4
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.20.2...1.20.4)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `cookie` from 0.6.0 to 0.7.2
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Commits](jshttp/cookie@v0.6.0...v0.7.2)

Updates `form-data` from 4.0.0 to 4.0.5
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.0...v4.0.5)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](jshttp/on-headers@v1.0.2...v1.1.0)

Updates `path-to-regexp` from 0.1.7 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v0.1.7...v0.1.12)

Updates `qs` from 6.11.0 to 6.14.1
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.11.0...v6.14.1)

Updates `send` from 0.18.0 to 0.19.2
- [Release notes](https://github.com/pillarjs/send/releases)
- [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md)
- [Commits](pillarjs/send@0.18.0...0.19.2)

Updates `serve-static` from 1.15.0 to 1.16.3
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md)
- [Commits](expressjs/serve-static@v1.15.0...v1.16.3)

Updates `undici` from 5.28.4 to 5.29.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.28.4...v5.29.0)

---
updated-dependencies:
- dependency-name: express
  dependency-version: 4.22.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-version: 1.20.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cookie
  dependency-version: 0.7.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 4.0.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: on-headers
  dependency-version: 1.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 0.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: send
  dependency-version: 0.19.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-version: 1.16.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Dec 31, 2025
@dependabot dependabot bot mentioned this pull request Dec 31, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants