Skip to content

chore(deps): bump the npm_and_yarn group with 7 updates #158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): bump the npm_and_yarn group with 7 updates #158

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Apr 18, 2025

Bumps the npm_and_yarn group with 7 updates:

Package From To
node-fetch 3.3.1 3.3.2
body-parser 2.0.2 2.1.0
cookie 0.7.2 1.0.0
express 4.21.2 5.0.0
path-to-regexp 6.3.0 8.0.0
postcss 8.4.33 8.4.34
semver 7.6.2 7.6.3

Updates node-fetch from 3.3.1 to 3.3.2

Release notes

Sourced from node-fetch's releases.

v3.3.2

3.3.2 (2023-07-25)

Bug Fixes

Commits

Updates body-parser from 2.0.2 to 2.1.0

Release notes

Sourced from body-parser's releases.

v2.1.0

What's Changed

Full Changelog: expressjs/body-parser@2.0.1...v2.1.0

Changelog

Sourced from body-parser's changelog.

2.1.0 / 2025-02-10

  • deps:
    • type-is@^2.0.0
    • debug@^4.4.0
    • Removed destroy
  • refactor: prefix built-in node module imports
  • use the node require cache instead of custom caching
Commits
  • eedea54 2.1.0
  • 2e4fe6b fix(deps): update debug to ^4.4.0 (#579)
  • a729397 fix: remove destroy after bad conflict resolution
  • 2fd8701 fix: cleanup history.md
  • f1380f5 fix: fix type-is incorrect conflict resolution
  • 732a7cc ci: add CodeQL (SAST)
  • 41abe6d Add caret for body-parser dependencies
  • e0f261e Refactor decompression stream creation to remove code duplication
  • 17c3999 cleanup: remove obsolete test env file
  • 07a8f59 fix: remove obsolete dependency destroy
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for body-parser since your current version.


Updates cookie from 0.7.2 to 1.0.0

Release notes

Sourced from cookie's releases.

v1.0.0

Breaking changes

  • Use modern JS features, ship TypeScript definition (#175) 1cc64ff
    • Adds __esModule marker, imports need to use import { parse, serialize } or import * as cookie
  • Minimum node.js v18
  • Uses null prototype object for parse return value
  • Changes strict and priority to match the lower case strings (i.e. low, not LOW or Low)
  • Require maxAge to be an integer using Number.isInteger check
  • Delegates decode implementation details to decode option (i.e. error handling and quote parsing is defined by decode)
    • Delegate quote parsing to decode (#180) c4a2597
    • Shift try/catch to decode (#179) 93a5b97
  • Improve arg/option error messages (#162) e206fd5 @​MaoShizhong

Other

  • Remove hasOwnProperty, use undefined check for performance (#183) 8f3ee9e @​gurgunday

jshttp/cookie@v0.7.2...v1.0.0

Commits

Updates express from 4.21.2 to 5.0.0

Release notes

Sourced from express's releases.

5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

  • Node.js version support: Dropped support for Node.js versions before v18.
  • Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
  • Promise support: Middleware can now return rejected promises, caught by the router as errors.
  • body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
  • Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0
    • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
  • change:
    • res.clearCookie will ignore user provided maxAge and expires options
  • deps: cookie-signature@^1.2.1
  • deps: debug@4.3.6
  • deps: merge-descriptors@^2.0.0
  • deps: serve-static@^2.1.0
  • deps: qs@6.13.0
  • deps: accepts@^2.0.0
  • deps: mime-types@^3.0.0
    • application/javascript => text/javascript
  • deps: type-is@^2.0.0
  • deps: content-disposition@^1.0.0
  • deps: finalhandler@^2.0.0
  • deps: fresh@^2.0.0
  • deps: body-parser@^2.0.1
  • deps: send@^1.1.0

5.0.0-beta.3 / 2024-03-25

This incorporates all changes after 4.19.1 up to 4.19.2.

5.0.0-beta.2 / 2024-03-20

This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14

This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.

  • change:
    • Default "query parser" setting to 'simple'
    • Requires Node.js 4+
    • Use mime-types for file to content type mapping
  • deps: array-flatten@3.0.0
  • deps: body-parser@2.0.0-beta.1
    • req.body is no longer always initialized to {}

... (truncated)

Commits

Updates path-to-regexp from 6.3.0 to 8.0.0

Release notes

Sourced from path-to-regexp's releases.

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

  • Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

  • Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
  • Parameter names follow JS identifier rules and allow unicode characters

Added

  • Parameter names can now be quoted, e.g. :"foo-bar"
  • Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

  • Removes loose mode
  • Removes regular expression overrides of parameters

pillarjs/path-to-regexp@v7.1.0...v8.0.0

Support array inputs (again)

Added

  • Support array inputs for match and pathToRegexp 3fdd88f

pillarjs/path-to-regexp@v7.1.0...v7.2.0

Strict mode

Added

  • Adds a strict option to detect potential ReDOS issues

Fixed

  • Fixes separator to default to suffix + prefix when not specified
  • Allows separator to be undefined in TokenData
    • This is only relevant if you are building TokenData manually, previously parse filled it in automatically

Comments

  • I highly recommend enabling strict: true and I'm probably releasing a V8 with it enabled by default ASAP as a necessary security mitigation

pillarjs/path-to-regexp@v7.0.0...v7.1.0

... (truncated)

Commits

Updates postcss from 8.4.33 to 8.4.34

Release notes

Sourced from postcss's releases.

8.4.34

Changelog

Sourced from postcss's changelog.

8.4.34

  • Fixed AtRule#nodes type (by Tim Weißenfels).
  • Cleaned up code (by Dmitry Kirillov).
Commits

Updates semver from 7.6.2 to 7.6.3

Release notes

Sourced from semver's releases.

v7.6.3

7.6.3 (2024-07-16)

Bug Fixes

Documentation

Changelog

Sourced from semver's changelog.

7.6.3 (2024-07-16)

Bug Fixes

Documentation

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group with 7 updates
ead696f 
Bumps the npm_and_yarn group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [node-fetch](https://github.com/node-fetch/node-fetch) | `3.3.1` | `3.3.2` |
| [body-parser](https://github.com/expressjs/body-parser) | `2.0.2` | `2.1.0` |
| [cookie](https://github.com/jshttp/cookie) | `0.7.2` | `1.0.0` |
| [express](https://github.com/expressjs/express) | `4.21.2` | `5.0.0` |
| [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `6.3.0` | `8.0.0` |
| [postcss](https://github.com/postcss/postcss) | `8.4.33` | `8.4.34` |
| [semver](https://github.com/npm/node-semver) | `7.6.2` | `7.6.3` |


Updates `node-fetch` from 3.3.1 to 3.3.2
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](node-fetch/node-fetch@v3.3.1...v3.3.2)

Updates `body-parser` from 2.0.2 to 2.1.0
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@2.0.2...v2.1.0)

Updates `cookie` from 0.7.2 to 1.0.0
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Commits](jshttp/cookie@v0.7.2...v1.0.0)

Updates `express` from 4.21.2 to 5.0.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.21.2...v5.0.0)

Updates `path-to-regexp` from 6.3.0 to 8.0.0
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v6.3.0...v8.0.0)

Updates `postcss` from 8.4.33 to 8.4.34
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.33...8.4.34)

Updates `semver` from 7.6.2 to 7.6.3
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.6.2...v7.6.3)

---
updated-dependencies:
- dependency-name: node-fetch
  dependency-version: 3.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-version: 2.1.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: cookie
  dependency-version: 1.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 5.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 8.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.4.34
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-version: 7.6.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 18, 2025
@netlify Netlify
Copy link

netlify bot commented Apr 18, 2025
edited
Loading

Deploy Preview for phileco failed. Why did it fail? →

Name Link
🔨 Latest commit ead696f
🔍 Latest deploy log https://app.netlify.com/sites/phileco/deploys/6802213f8772a8000819d193

@krishnprakash
Copy link
Owner

https://github.com/krishnprakash/gatsby/pull/158.patch
git pull origin master
git checkout dependabot/npm_and_yarn/npm_and_yarn-8333e3ab96
git merge master
git push -u origin dependabot/npm_and_yarn/npm_and_yarn-8333e3ab96

@krishnprakash krishnprakash enabled auto-merge April 23, 2025 04:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@krishnprakash