Skip to content

Bump the npm_and_yarn group across 1 directory with 7 updates#1

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-de9e54a91c
Open

Bump the npm_and_yarn group across 1 directory with 7 updates#1
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-de9e54a91c

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Sep 21, 2024
edited
Loading

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
qs 6.5.2 6.5.3
braces 3.0.2 3.0.3
tough-cookie 2.5.0 4.1.4
jsdom 15.2.1 25.0.0
express 4.18.3 4.21.0
katex 0.16.9 0.16.11

Updates qs from 6.5.2 to 6.5.3

Changelog

Sourced from qs's changelog.

6.5.3

  • [Fix] parse: ignore __proto__ keys (#428)
  • [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
  • [Fix] correctly parse nested arrays
  • [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
  • [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
  • [Fix] when parseArrays is false, properly handle keys ending in []
  • [Fix] fix for an impossible situation: when the formatter is called with a non-string value
  • [Fix] utils.merge: avoid a crash with a null target and an array source
  • [Refactor] utils: reduce observable [[Get]]s
  • [Refactor] use cached Array.isArray
  • [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
  • [Refactor] parse: only need to reassign the var once
  • [Robustness] stringify: avoid relying on a global undefined (#427)
  • [readme] remove travis badge; add github actions/codecov badges; update URLs
  • [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
  • [Docs] Clarify the need for "arrayLimit" option
  • [meta] fix README.md (#399)
  • [meta] add FUNDING.yml
  • [actions] backport actions from main
  • [Tests] always use String(x) over x.toString()
  • [Tests] remove nonexistent tape option
  • [Dev Deps] backport from main
Commits
  • 298bfa5 v6.5.3
  • ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
  • 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
  • 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
  • 12ac1c4 [meta] fix README.md (#399)
  • 0338716 [actions] backport actions from main
  • 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
  • 51b8a0b add FUNDING.yml
  • 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...
  • f814a7f [Dev Deps] backport from main
  • Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

Updates tough-cookie from 2.5.0 to 4.1.4

Release notes

Sourced from tough-cookie's releases.

v4.1.4

https://www.npmjs.com/package/tough-cookie/v/4.1.4

What's Changed

New Contributors

Full Changelog: salesforce/tough-cookie@v4.1.3...v4.1.4

4.1.3

Security fix for Prototype Pollution discovery in #282. This is a minor release, although output from the inspect utility is affected by this change, we felt this change was important enough to be pushed into the next patch.

4.1.2 -- Patch and Bugfix Release

What's Changed

Full Changelog: salesforce/tough-cookie@v4.1.1...v4.1.2

4.1.1

Patch Release

What's Changed

Full Changelog: salesforce/tough-cookie@v4.1.0...v4.1.1

4.1.0

v4.1.0

Minor release, focused mainly on resolving reported issues and some minor feature work.

What's Changed

... (truncated)

Commits
  • cacbc37 Bump version to 4.1.4
  • a48fb3a Add tests for url validation
  • 50e69bf Merge pull request #261 from postmanlabs/fix/url-string-validation
  • 1253d58 Merge pull request #409 from corvidism/validators-to-string
  • 238367e Add local alias for toString
  • 4ff4d29 4.1.3 release preparation, update the package and lib/version to 4.1.3. (#284)
  • 12d4747 Prevent prototype pollution in cookie memstore (#283)
  • f06b72d Fix documentation for store.findCookies, missing allowSpecialUseDomain proper...
  • cf6debd Fix incorrect string validation for URL
  • b1a8898 fix: allow set cookies with localhost (#253)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ccasey, a new releaser for tough-cookie since your current version.


Updates jsdom from 15.2.1 to 25.0.0

Release notes

Sourced from jsdom's releases.

Version 25.0.0

This major release changes the prototype of a jsdom's EventTarget.prototype to point to the Object.prototype inside the jsdom, instead of pointing to the Node.js Object.prototype. Thus, the prototype chain of Window stays entirely within the jsdom, never crossing over into the Node.js realm.

This only occurs when runScripts is set to non-default values of "dangerously" or "outside-only", as with the default value, there is no separate Object.prototype inside the jsdom.

This will likely not impact many programs, but could cause some changes in instanceof behavior, and so out of an abundance of caution, we're releasing it as a new major version.

Version 24.1.3

  • Fixed calls to postMessage() that were done as a bare property (i.e., postMessage() instead of window.postMessage()).

Version 24.1.2

  • Fixed an issue with the in operator applied to EventTarget methods, e.g. 'addEventListener' in window, which only appeared in Node.js ≥22.5.0. (legendecas)
  • Fixed the events fired by blur(): it no longer fires focus and focusin on the Document, and blur and focusout no longer have their relatedTarget property set. (asamuzaK)

Version 24.1.1

  • Fixed selection methods to trigger the selectionchange event on the Document object. (piotr-oles)

Version 24.1.0

  • Added the getSetCookie() method to the Headers class. (ushiboy)
  • Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
  • Updated rweb-cssom, which can now parse additional CSS constructs.

Version 24.0.0

This release reverts our selector engine back to nwsapi. As discussed in #3659, the performance regressions from @asamuzakjp/dom-selector turned out to be higher than anticipated. In the future, we can revisit @asamuzakjp/dom-selector after it reaches nwsapi's performance on the two real-world benchmarks provided by the community.

Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.

Additionally:

  • Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.

Version 23.2.0

This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

Version 23.1.0

  • Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
  • Added the string-valued ARIA attribute-reflecting properties to Element.
  • Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
  • Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
  • Updated various dependencies, including cssstyle which contains several bug fixes.

Version 23.0.1

  • Fixed the incorrect canvas peer dependency introduced in v23.0.0.

Version 23.0.0

  • Node.js v18 is now the minimum supported version.
  • Updated various dependencies, including whatwg-url which integrates various additions to the URL and URLSearchParams objects.

... (truncated)

Changelog

Sourced from jsdom's changelog.

25.0.0

This major release changes the prototype of a jsdom's EventTarget.prototype to point to the Object.prototype inside the jsdom, instead of pointing to the Node.js Object.prototype. Thus, the prototype chain of Window stays entirely within the jsdom, never crossing over into the Node.js realm.

This only occurs when runScripts is set to non-default values of "dangerously" or "outside-only", as with the default value, there is no separate Object.prototype inside the jsdom.

This will likely not impact many programs, but could cause some changes in instanceof behavior, and so out of an abundance of caution, we're releasing it as a new major version.

24.1.3

  • Fixed calls to postMessage() that were done as a bare property (i.e., postMessage() instead of window.postMessage()).

24.1.2

  • Fixed an issue with the in operator applied to EventTarget methods, e.g. 'addEventListener' in window, which only appeared in Node.js ≥22.5.0. (legendecas)
  • Fixed the events fired by blur(): it no longer fires focus and focusin on the Document, and blur and focusout no longer have their relatedTarget property set. (asamuzaK)

24.1.1

  • Fixed selection methods to trigger the selectionchange event on the Document object. (piotr-oles)

24.1.0

  • Added the getSetCookie() method to the Headers class. (ushiboy)
  • Fixed the creation and parsing of elements with names from Object.prototype, like "constructor" or "toString".
  • Updated rweb-cssom, which can now parse additional CSS constructs.

24.0.0

This release reverts our selector engine back to nwsapi. As discussed in #3659, the performance regressions from @asamuzakjp/dom-selector turned out to be higher than anticipated. In the future, we can revisit @asamuzakjp/dom-selector after it reaches nwsapi's performance on the two real-world benchmarks provided by the community.

Since reverting to nwsapi causes several functionality regressions, e.g. removing :has() support, we've decided to make this a major version.

Additionally:

  • Small fixes to edge-case behavior of the following properties: input.maxLength, input.minLength, input.size, progress.max, tableCell.colSpan, tableCell.rowSpan, tableCol.span, textArea.cols, textArea.maxLength, textArea.minLength, textArea.rows.

23.2.0

This release switches our CSS selector engine from nwsapi to @asamuzakjp/dom-selector. The new engine is more actively maintained, and supports many new selectors: see the package's documentation for the full list. It also works better with shadow trees.

There is a potential of a performance regression due to this change. In our stress test benchmark, which runs most of these 273 selectors against this 128 KiB document, the new engine completes the benchmark only 0.25x as fast. However, we're hopeful that in more moderate usage this will not be a significant issue. Any help speeding up @asamuzakjp/dom-selector is appreciated, and feel free to open an issue if this has had a significant impact on your project.

23.1.0

  • Added an initial implementation of ElementInternals, including the shadowRoot getter and the string-valued ARIA properties. (zjffun)
  • Added the string-valued ARIA attribute-reflecting properties to Element.
  • Fixed history.pushState() and history.replaceState() to follow the latest specification, notably with regards to how they handle empty string inputs and what new URLs are possible.
  • Fixed the input.valueAsANumber setter to handle NaN correctly. (alexandertrefz)
  • Updated various dependencies, including cssstyle which contains several bug fixes.

... (truncated)

Commits
  • c53efc8 Version 25.0.0
  • 784c8a5 Set EventTarget.prototype to the jsdom's Object.prototype
  • 0314f1e Version 24.1.3
  • 46d5d5c Fix postMessage referenced as a bare property
  • a241df6 Version 24.1.2
  • c3a9aed Remove upstreamed WPTs
  • 07fab37 Refactor Window object setup code
  • 3383805 Fix events fired by blur()
  • 065abcb Roll web platform tests
  • 439a43e Setup Window prototype in vm context
  • Additional commits viewable in compare view

Updates express from 4.18.3 to 4.21.0

Release notes

Sourced from express's releases.

4.21.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@0.6.0
Commits
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates ws from 7.5.9 to 8.13.0

Release notes

Sourced from ws's releases.

8.13.0

Features

  • Added the finishRequest option to support late addition of headers (#2123).

8.12.1

Bug fixes

  • Added browser condition to package.json (#2118).

8.12.0

Features

  • Added support for utf-8-validate@6 (ff63bba3).

Other notable changes

  • buffer.isUtf8() is now used instead of utf-8-validate if available (42d79f60).

8.11.0

Features

  • WebSocket.prototype.addEventListener() now supports an event listener specified as an object with a handleEvent() method. (9ab743aa).

Bug fixes

  • WebSocket.prototype.addEventListener() now adds an event listener only if it is not already in the list of the event listeners for the specified event type (1cec17da).

8.10.0

Features

  • Added an export for package.json (211d5d38).

8.9.0

Features

  • Added the ability to connect to Windows named pipes (#2079).

8.8.1

Bug fixes

  • The Authorization and Cookie headers are no longer sent if the original request for the opening handshake is sent to an IPC server and the client is redirected to another IPC server (bc8bd34e).

... (truncated)

Commits

Updates katex from 0.16.9 to 0.16.11

Release notes

Sourced from katex's releases.

v0.16.11

0.16.11 (2024-07-02)

Features

v0.16.10

0.16.10 (2024-03-24)

Bug Fixes

Changelog

Sourced from katex's changelog.

0.16.11 (2024-07-02)

Features

0.16.10 (2024-03-24)

Bug Fixes

Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
Bump the npm_and_yarn group across 1 directory with 7 updates
3d3f7b3 
Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [qs](https://github.com/ljharb/qs) | `6.5.2` | `6.5.3` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [tough-cookie](https://github.com/salesforce/tough-cookie) | `2.5.0` | `4.1.4` |
| [jsdom](https://github.com/jsdom/jsdom) | `15.2.1` | `25.0.0` |
| [express](https://github.com/expressjs/express) | `4.18.3` | `4.21.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.9` | `0.16.11` |



Updates `qs` from 6.5.2 to 6.5.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.5.2...v6.5.3)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `tough-cookie` from 2.5.0 to 4.1.4
- [Release notes](https://github.com/salesforce/tough-cookie/releases)
- [Changelog](https://github.com/salesforce/tough-cookie/blob/master/CHANGELOG.md)
- [Commits](salesforce/tough-cookie@v2.5.0...v4.1.4)

Updates `jsdom` from 15.2.1 to 25.0.0
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](jsdom/jsdom@15.2.1...25.0.0)

Updates `express` from 4.18.3 to 4.21.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.0/History.md)
- [Commits](expressjs/express@4.18.3...4.21.0)

Updates `ws` from 7.5.9 to 8.13.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.5.9...8.13.0)

Updates `katex` from 0.16.9 to 0.16.11
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](KaTeX/KaTeX@v0.16.9...v0.16.11)

---
updated-dependencies:
- dependency-name: qs
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tough-cookie
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jsdom
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: katex
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 21, 2024
sourcery-ai[bot]
sourcery-ai bot reviewed Sep 21, 2024
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot (hey, dependabot[bot]!). We assume it knows what it's doing!
  • We don't review packaging changes - Let us know if you'd like us to change this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants