Bump the npm_and_yarn group across 1 directory with 14 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
cloudinary	2.0.3	2.7.0
express	4.19.2	4.22.1
mongoose	8.2.3	8.9.5
multer	1.4.4	2.0.2
form-data	4.0.0	4.0.5
js-yaml	4.1.0	4.1.1
jws	4.0.0	4.0.1
jws	3.2.2	3.2.3
on-headers	1.0.2	1.1.0
validator	13.9.0	13.15.26

Updates cloudinary from 2.0.3 to 2.7.0

Release notes

Sourced from cloudinary's releases.

Version 2.7.0

• fix: prevent parameter injection via ampersand in parameter values (#709)

Version 2.6.1

No release notes provided.

Version 2.6.1-rc.1

• fix: uploader interface

Version 2.6.0

• chore: bumped jsdoc
• fix: defaults for related asset methods and proper content_type
• chore: Updated Sample Projects (#698)
• fix: metadata field datasource type (#693)
• feat: Add support for DELETE /resources/backup/:asset_id (#700)
• chore: dev dependencies cleanup
• chore: new node version support in CI

Version 2.5.1

• fix: added missing stream method to ts spec

Version 2.5.0

• feat: auto_transcription on upload and explicit support (#690)
• feat: auto_chaptering on upload and explicit support (#689)
• feat: access key management via provisioning api (#687)

Version 2.4.0

• feat: exposing config endpoint from admin api
• fix: update metadata field added missing param default_disabled
• fix: types definitions

Version 2.3.1

• fix: use 0.0.0 as fallback when package.json unavailable
• fix: upload_chunked_stream works properly with more than 2 chunks

Version 2.3.0

• fix: url analytics property name
• fix: dependencies explicit version (fix for CI)
• fix: decoding transformation string before sending in upload payload
• feat: update folders

Version 2.2.0

• feat: selective response for admin and search api
• feat: multiple values support for fields and with_field methods in search api

Version 2.1.0

• feat: added support for new api in beta - analyze api
• chore: added state to datasource entry type
• fix: metadata field api response datasource type improved
• feat: notification-url for rename and destroy methods

Changelog

Sourced from cloudinary's changelog.

2.7.0 / 2025-06-18

• fix: prevent parameter injection via ampersand in parameter values (#709)

2.6.1 / 2025-05-05

2.6.1-rc.1 / 2025-05-05

• fix: uploader interface

2.6.0 / 2025-03-11

• chore: bumped jsdoc
• fix: defaults for related asset methods and proper content_type
• chore: Updated Sample Projects (#698)
• fix: metadata field datasource type (#693)
• feat: Add support for DELETE /resources/backup/:asset_id (#700)
• chore: dev dependencies cleanup
• chore: new node version support in CI

2.5.1 / 2024-10-08

• fix: added missing stream method to ts spec

2.5.0 / 2024-09-15

• feat: auto_transcription on upload and explicit support (#690)
• feat: auto_chaptering on upload and explicit support (#689)
• feat: access key management via provisioning api (#687)

2.4.0 / 2024-07-30

• feat: exposing config endpoint from admin api
• fix: update metadata field added missing param default_disabled
• fix: types definitions

2.3.1 / 2024-07-25

• fix: use 0.0.0 as fallback when package.json unavailable

... (truncated)

Commits

• 923a66e Version 2.7.0
• ec4b65f fix: prevent parameter injection via ampersand in parameter values (#709)
• c7f784d Version 2.6.1
• 4afcd36 fix: uploader methods return correct type (#706)
• ad90190 Version 2.6.0
• 64bdc9d fix: defaults for related asset methods and proper content_type (#705)
• 25e04e6 Updated Sample Projects (#698)
• 265ccb8 fix: metadata field datasource type (#693)
• d6c51e2 feat: Add support for DELETE /resources/backup/:asset_id (#700)
• c072e37 Minor typo fix (#703)
• Additional commits viewable in compare view

Updates express from 4.19.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates mongoose from 8.2.3 to 8.9.5

Release notes

Sourced from mongoose's releases.

8.9.5 / 2025-01-13

• fix: disallow nested $where in populate match
• fix(schema): handle bitwise operators on Int32 #15176 #15170

8.9.4 / 2025-01-09

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI
• fix(model): make Model.validate() static correctly cast document arrays #15169 #15164
• fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #15161 #15156
• fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #15142 #15120
• types: avoid BufferToBinary<> wiping lean types when passed to generic functions #15160 #15158
• docs: fix <code> in header ids #15159
• docs: fix header in field-level-encryption.md #15137 damieng

8.9.3 / 2024-12-30

• fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #15135 #15112 #15109
• fix(model): handle document array paths set to non-array values in Model.castObject() #15124 #15075
• fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #15131 #15071
• fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #15126
• perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #15136 #10449
• types: make BufferToBinary avoid Document instances #15123 #15122
• types(model+query): avoid stripping out virtuals when calling populate with paths generic #15132 #15111
• types(schema): add missing removeIndex #15134
• types: add cleanIndexes() to IndexManager interface #15127
• docs: move search endpoint to netlify #15119

8.9.2 / 2024-12-19

• fix(schema): avoid throwing duplicate index error if index spec keys have different order or index has a custom name #15112 #15109
• fix(map): clean modified subpaths when overwriting values in map of subdocs #15114 #15108
• fix(aggregate): pull session from transaction local storage for aggregation cursors #15094 IchirokuXVI
• types: correctly handle union types in BufferToBinary and related helpers #15103 #15102 #15057
• types: add UUID to RefType #15115 #15101
• docs: remove link to Mongoose 5.x docs from dropdown #15116
• docs(connection+document+model): remove remaining references to remove(), clarify that deleteOne() does not execute until then() or exec() #15113 #15107

8.9.1 / 2024-12-16

• fix(connection): remove heartbeat check in load balanced mode #15089 #15042 #14812
• fix(discriminator): gather childSchemas when creating discriminator to ensure $getAllSubdocs() can properly get all subdocs #15099 #15088 #15092
• fix(model): handle discriminators in castObject() #15096 #15075
• fix(schema): throw error if duplicate index definition using unique in schema path and subsequent .index() call #15093 #15056
• fix: mark documents that are populated using hydratedPopulatedDocs option as populated in top-level doc #15080 #15048
• fix(document+schema): improve error message for get() on invalid path #15098 #15071
• docs: remove more callback doc references & some small other changes #15095

8.9.0 / 2024-12-13

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.9.5 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061
• fix(schema): handle bitwise operators on Int32 #15176 #15170

7.8.4 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061

6.13.6 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061

8.9.4 / 2025-01-09

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI
• fix(model): make Model.validate() static correctly cast document arrays #15169 #15164
• fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #15161 #15156
• fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #15142 #15120
• types: avoid BufferToBinary<> wiping lean types when passed to generic functions #15160 #15158
• docs: fix <code> in header ids #15159
• docs: fix header in field-level-encryption.md #15137 damieng

8.9.3 / 2024-12-30

• fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #15135 #15112 #15109
• fix(model): handle document array paths set to non-array values in Model.castObject() #15124 #15075
• fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #15131 #15071
• fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #15126
• perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #15136 #10449
• types: make BufferToBinary avoid Document instances #15123 #15122
• types(model+query): avoid stripping out virtuals when calling populate with paths generic #15132 #15111
• types(schema): add missing removeIndex #15134
• types: add cleanIndexes() to IndexManager interface #15127
• docs: move search endpoint to netlify #15119

8.9.2 / 2024-12-19

• fix(schema): avoid throwing duplicate index error if index spec keys have different order or index has a custom name #15112 #15109
• fix(map): clean modified subpaths when overwriting values in map of subdocs #15114 #15108
• fix(aggregate): pull session from transaction local storage for aggregation cursors #15094 IchirokuXVI
• types: correctly handle union types in BufferToBinary and related helpers #15103 #15102 #15057
• types: add UUID to RefType #15115 #15101
• docs: remove link to Mongoose 5.x docs from dropdown #15116
• docs(connection+document+model): remove remaining references to remove(), clarify that deleteOne() does not execute until then() or exec() #15113 #15107

8.9.1 / 2024-12-16

• fix(connection): remove heartbeat check in load balanced mode #15089 #15042 #14812
• fix(discriminator): gather childSchemas when creating discriminator to ensure $getAllSubdocs() can properly get all subdocs #15099 #15088 #15092

... (truncated)

Commits

• 5af0a10 chore: release 8.9.5
• a42d8f5 Merge branch '7.x'
• 73e81ab chore: release 7.8.4
• 4fe9a90 Merge branch '6.x' into 7.x
• e59e342 chore: release 6.13.6
• 64a9f97 fix: disallow nested $where in populate match
• fa33717 Merge pull request #15176 from Automattic/vkarpov15/gh-15170
• 0728602 test: make test cast non-boolean value
• 0cad0d7 fix(schema): handle bitwise operators on Int32
• 39886fb docs: quick changelog formatting fix
• Additional commits viewable in compare view

Updates multer from 1.4.4 to 2.0.2

Release notes

Sourced from multer's releases.

v2.0.2

Important

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

Full Changelog: expressjs/multer@v2.0.1...v2.0.2

v2.0.1

Important

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

What's Changed

• add Arabic translation for README .. by @​3imed-jaberi in expressjs/multer#762
• Update README.md to fix issue #1114 by @​Mohamed-Abdelfattah in expressjs/multer#1169
• Improved documentation translation to Spanish by @​juliomontenegro in expressjs/multer#1174
• Translated to french by @​AlanLg in expressjs/multer#1182
• Improve the Brazilian Portuguese translation by @​vitorRibeiro7 in expressjs/multer#1204
• doc: uzbek language by @​eugene0928 in expressjs/multer#1232
• Fix a mistake with README-pt-br.md by @​Igor-CA in expressjs/multer#1251
• Update in Readme-pt-br and fix in Readme-ko by @​carlosstenzel in expressjs/multer#1252
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/multer#1260
• ci: replace travis with github action by @​inigomarquinez in expressjs/multer#1259
• docs: improve readability by @​Sreejit-Sengupto in expressjs/multer#1255
• test: add test for out-of-band error event by @​LinusU in expressjs/multer#1294
• chore: upgrade scorecard workflow pinned action versions by @​carpasse in expressjs/multer#1290
• Documentation: remove unfortunate abbreviation from readme by @​MaddyGuthridge in expressjs/multer#1299
• ci: use ubuntu-latest as default runner by @​UlisesGascon in expressjs/multer#1308
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/multer#1289
• Update readme badges by @​bjohansebas in expressjs/multer#1268
• 📝 fix changelog information by @​ctcpip in expressjs/multer#1316
• master -> v2 by @​ctcpip in expressjs/multer#1317
• chore: fix typo by @​saucecodee in expressjs/multer#993
• Remove --save from README by @​username1001 in expressjs/multer#929
• feat - update link badge in docs by @​carlosstenzel in expressjs/multer#1273
• ci: change branch reference by @​UlisesGascon in expressjs/multer#1319
• ♻️ use version tag for CI, fix CI badge, fix references to master/main by @​ctcpip in expressjs/multer#1324
• deps: update dependencies to latest versions by @​bjohansebas in expressjs/multer#1328
• 📝 list languages in table to prevent GH right-aligning list due to RTL language by @​ctcpip in expressjs/multer#1325
• [StepSecurity] Apply security best practices by @​step-security-bot in expressjs/multer#1311

New Contributors

• @​3imed-jaberi made their first contribution in expressjs/multer#762
• @​Mohamed-Abdelfattah made their first contribution in expressjs/multer#1169
• @​juliomontenegro made their first contribution in expressjs/multer#1174
• @​AlanLg made their first contribution in expressjs/multer#1182
• @​vitorRibeiro7 made their first contribution in expressjs/multer#1204
• @​eugene0928 made their first contribution in expressjs/multer#1232
• @​Igor-CA made their first contribution in expressjs/multer#1251

... (truncated)

Changelog

Sourced from multer's changelog.

2.0.2

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

2.0.1

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

2.0.0

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

1.4.5-lts.2

• Fix out-of-band error event from busboy (#1177)

1.4.5-lts.1

• No changes

1.4.4-lts.1

• Bugfix: Bump busboy to fix CVE-2022-24434 (#1097)
• Breaking: Require Node.js 10.16.0 or later (#1097)

Commits

• e5db9ca 🔖 2.0.2
• adfeaf6 🥅 improve error handling
• e259a7e 🔖 2.0.1
• 35a3272 Fixes expressjs/multer#1233. Makes multer handle mi...
• f897007 ci: apply security best practices (#1311)
• 061f4cb 📝 list languages in table to prevent GH right-aligning list due to RTL language
• 854d769 deps: update dependencies to latest versions (#1328)
• 256da2f ♻️ use version tag for CI, fix CI badge, fix references to master/main
• dd9dde4 📝 fix badges in translation files (#1321)
• dc2a880 ci: change branch reference
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for multer since your current version.

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

• Remove redundant depth check by @​blakeembrey in expressjs/body-parser#538
• ci: add support for Node.js v23 by @​Phillip9587 in expressjs/body-parser#553
• ci: restore CI for 1.x branch by @​bjohansebas in expressjs/body-parser#665
• deps: qs@^6.14.0 by @​bjohansebas in expressjs/body-parser#664
• deps: use tilde notation and update certain dependencies by @​Phillip9587 in expressjs/body-parser#668
• chore: remove SECURITY.md by @​Phillip9587 in expressjs/body-parser#669
• ci: add CodeQL (SAST) by @​Phillip9587 in expressjs/body-parser#670
• Release: 1.20.4 by @​UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

• deps: qs@~6.14.0
• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

• 7db202c 1.20.4 (#672)
• d8f8adb ci: add CodeQL (SAST) (#670)
• 6d133c1 chore: remove SECURITY.md (#669)
• fcd1535 deps: use tilde notation and update certain dependencies (#668)
• ec5fa29 deps: qs@~6.14.0 (#664)
• ffb95c1 ci: restore CI for 1.x branch (#665)
• 48a5f07 ci: add support for Node.js v23 (#553)
• f20f6ad Remove redundant depth check (#538)
• 1752951 1.20.3
• 39744cf chore: linter (#534)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates cookie from 0.6.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates form-data from 4.0.0 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly Description has been truncated