Bump the npm_and_yarn group with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates:

Package	From	To
braces	3.0.2	3.0.3
micromatch	4.0.4	4.0.8
minimatch	3.0.4	3.0.8
qs	6.5.2	6.5.3
tough-cookie	2.5.0	removed
less	3.5.0	3.13.1

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates micromatch from 4.0.4 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

[4.0.1 - 4.0.5]

[4.0.0] - 2019-03-20

Added

• Adds support for options.onMatch. See the readme for details
• Adds support for options.onIgnore. See the readme for details
• Adds support for options.onResult. See the readme for details

Breaking changes

• Require Node.js >= 8.6
• Removed support for passing an array of brace patterns to micromatch.braces().
• To strictly enforce closing brackets (for {, [, and (), you must now use strictBrackets=true instead of strictErrors.
• cache - caching and all related options and methods have been removed
• options.unixify was renamed to options.windows
• options.nodupes Was removed. Duplicates are always removed by default. You can override this with custom behavior by using the onMatch, onResult and onIgnore functions.
• options.snapdragon was removed, as snapdragon is no longer used.
• options.sourcemap was removed, as snapdragon is no longer used, which provided sourcemap support.

[3.0.0] - 2017-04-11

Complete overhaul, with 36,000+ new unit tests validated against actual output generated by Bash and minimatch. More specifically, 35,000+ of the tests:

• micromatch results are directly compared to bash results
• in rare cases, when micromatch and bash disagree, micromatch's results are compared to minimatch's results
• micromatch is much more accurate than minimatch, so there were cases where I had to make assumptions. I'll try to document these.

This refactor introduces a parser and compiler that are supersets of more granular parsers and compilers from other sub-modules. Each of these sub-modules has a singular responsibility and focuses on a certain type of matching that aligns with a specific part of the Bash "expansion" API.

These sub-modules work like plugins to seamlessly create the micromatch parser/compiler, so that strings are parsed in one pass, an AST is created, then a new string is generated by the compiler.

... (truncated)

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.0.8

Commits

• 782c264 3.0.8
• 6ade2da fix: trim pattern
• a6f52b0 3.0.7
• e4cd434 fix: treat nocase:true as always having magic
• e6bbe1c publishConfig for 3.0
• 5b7cd33 3.0.6
• 20b4b56 [fix] revert all breaking syntax changes
• 2ff0388 document, expose, and test 'partial:true' option
• 5dbd6a7 ci: tests and makework
• dbda065 full test coverage, adding tests, deleting dead code
• Additional commits viewable in compare view

Updates qs from 6.5.2 to 6.5.3

Changelog

Sourced from qs's changelog.

6.5.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
• [Fix] correctly parse nested arrays
• [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
• [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
• [Fix] when parseArrays is false, properly handle keys ending in []
• [Fix] fix for an impossible situation: when the formatter is called with a non-string value
• [Fix] utils.merge: avoid a crash with a null target and an array source
• [Refactor] utils: reduce observable [[Get]]s
• [Refactor] use cached Array.isArray
• [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
• [Refactor] parse: only need to reassign the var once
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
• [Docs] Clarify the need for "arrayLimit" option
• [meta] fix README.md (#399)
• [meta] add FUNDING.yml
• [actions] backport actions from main
• [Tests] always use String(x) over x.toString()
• [Tests] remove nonexistent tape option
• [Dev Deps] backport from main

Commits

• 298bfa5 v6.5.3
• ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
• 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
• 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
• 12ac1c4 [meta] fix README.md (#399)
• 0338716 [actions] backport actions from main
• 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
• 51b8a0b add FUNDING.yml
• 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...
• f814a7f [Dev Deps] backport from main
• Additional commits viewable in compare view

Removes tough-cookie

Updates less from 3.5.0 to 3.13.1

Changelog

Sourced from less's changelog.

v3.13.1 (2020-12-18)

• #3575 Fixes #3574 (#3575) (@​matthew-dean)

v3.13.0 (2020-12-12)

• #3572 Fixes #3434 - memory / runtime improvements (#3572) (@​matthew-dean)
• #3550 Examples contain more valid CSS, to test with a new parser (#3550) (@​matthew-dean)
• #3546 Bug fixes - fixes #3446 #3368 (#3546) (@​matthew-dean)

v3.12.2 (2020-07-16)

• #3545 Release 3.12.2 (#3545) (@​matthew-dean)

v3.12.1 (2020-07-16)

• #3544 Fixes #3533 (#3544) (@​matthew-dean)
• #3543 Fixes #3541 (#3543) (@​matthew-dean)

v3.12.0 (2020-07-13)

• #3540 v3.12.0-RC.2 (#3540) (@​matthew-dean)
• #3532 Fixes #3371 Allow conditional evaluation of function args (#3532) (@​matthew-dean)
• #3531 Remove lib folder from git (#3531) (@​matthew-dean)
• #3530 Move changelog to root (#3530) (@​matthew-dean)
• #3529 Duplicate dist files in root for older links (#3529) (@​matthew-dean)
• #3525 Test-data module (#3525) (@​matthew-dean)
• #3523 Fixes #3504 / organizes tests (#3523) (@​matthew-dean)
• #3501 Restore nuked scripts (?), replace dependencies (#3501) (#3522) (@​matthew-dean)
• #3521 Lerna refactor / TS compiling w/o bundling (#3521) (@​matthew-dean)
• #3517 Resolve #3398 Add flag to disable sourcemap url annotation (#3517) (@​hirosato)
• #3294 fix(#3294): use loadFileSync when loading plugins with syncImport: true (#3506) (@​Justineo)

v3.11.3 (2020-06-05)

• #3509 Fixes #3508 (#3509) (@​matthew-dean)

v3.11.2 (2020-06-01)

• #3498 Remove tree caching in import manager (#3498) (@​matthew-dean)
• #3482 issue#3481 ignore missing debugInfo (#3482) (@​5UtJAjiRWj1q)
• #3494 Additional check to avoid evaluating an expression if it is a comment (#3494) (@​rgroothuijsen)
• #3490 fix: Use make-dir instead of mkdirp (#3490) (@​eps1lon)
• #3493 Properly exit calc mode after use (#3493) (@​rgroothuijsen)
• #3477 Convert to auto-changelog (#3477) (@​matthew-dean)

v3.11.1 (2020-02-11)

• #3475 Fixes #3469 - Include tslib dependency (#3475) (@​matthew-dean)

v3.11.0 (2020-02-09)

• #3468 3.11.0 (#3468) (@​matthew-dean)
• #3453 Import file with dots in file name (#3453) (@​life777)
• #3460 - Fixed replacer when visitor returns array of nodes (#3460) (@​lmartorella)
• #3454 Added financial contributors to the README (#3454) (@​monkeywithacupcake)
• #3431 Fixes #3430: Removed unnecessary 'important' from NamespaceValue. (#3431) (@​batchunag)
• #3426 Fixes #3405 (#3426) (@​matthew-dean)

... (truncated)

Commits

• 283b1b4 Fixes #3574 (#3575)
• 5423802 Update CHANGELOG.md
• 257efdd Fixes #3434 - memory / runtime improvements (#3572)
• 0e26859 Examples contain more valid CSS, to test with a new parser (#3550)
• 76132ef Bug fixes - fixes #3446 #3368 (#3546)
• ef4baa5 Release 3.12.2 (#3545)
• b93a085 Fixes #3533 (#3544)
• e188f44 Fixes #3541 (#3543)
• 2870163 Update changelog
• e4f7551 v3.12.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.