Bump the npm_and_yarn group group with 13 updates

[dependabot]

Bumps the npm_and_yarn group group with 13 updates:

Package	From	To
xlsx	0.17.0	0.18.5
semver	5.7.2	6.3.1
react-scripts	4.0.3	5.0.1
loader-utils	1.4.2	2.0.0
browserslist	4.14.2	4.23.0
ejs	2.7.4	3.1.9
follow-redirects	1.15.3	1.15.5
glob-parent	3.1.0	5.1.2
immer	8.0.1	9.0.21
minimatch	3.0.4	3.1.2
node-forge	0.10.0	1.3.1
postcss	7.0.36	7.0.39
shell-quote	1.7.2	1.8.1

Updates xlsx from 0.17.0 to 0.18.5

Changelog

Sourced from xlsx's changelog.

v0.18.5

• Enabled sideEffects: false in package.json
• Basic NUMBERS write support

v0.18.4

• CSV output omits trailing record separator
• Properly terminate NodeJS Streams
• DBF preserve column types on import and use when applicable on export

v0.18.3

• Removed references to require and process in browser builds

v0.18.2

• Hotfix for unicode processing of XLSX exports

v0.18.1

• Removed Node ESM build script and folded into standard ESM build
• Removed undocumented aliases including make_formulae and get_formulae

v0.18.0

• Browser scripts only expose XLSX variable
• Module no longer ships with dist/jszip.js browser script

v0.17.4

• CLI script moved to xlsx-cli package

v0.17.3

• window.XLSX explicit assignment to satiate LWC
• CSV Proper formatting of errors
• HTML emit data-* attributes

v0.17.2

• Browser and Node optional ESM support
• DSV correct handling of bare quotes (h/t @​bgamrat)

v0.17.1

• XLSB writer uses short cell form when viable

Commits

• 0400a87 version bump 0.18.5: basic NUMBERS write
• e69ecd4 remove broken CDNs [ci skip]
• 0f0b3de popping IIFEs to appease rollup tree shaking
• 2f274dd book_append_sheet rolling names
• a5b3877 Fix rawNumber support inside sheet_to_json
• 69bb1e7 "side-effect free"
• 90a7b4e remove SSF._general_int
• 61487bc use TextEncoder for zip strings (fixes #2616)
• 61b17a8 version bump 0.18.4
• 2cbc28d vue-modify demo [ci skip]
• Additional commits viewable in compare view

Updates semver from 5.7.2 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

6.2.0

• Coerce numbers to strings when passed to semver.coerce()
• Add rtl option to coerce from right to left

6.1.3

• Handle X-ranges properly in includePrerelease mode

6.1.2

• Do not throw when testing invalid version strings

6.1.1

• Add options support for semver.coerce()
• Handle undefined version passed to Range.test

6.1.0

• Add semver.compareBuild function
• Support * in semver.intersects

6.0

• Fix intersects logic.

  This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

• 44d27bc chore: release 6.3.1
• 928e56d fix: better handling of whitespace (#591)
• 39f6326 chore: @​npmcli/template-oss@​4.16.0
• 0eeceec 6.3.0
• 2779d96 Expose the token enum on the exports
• 9f5f615 changelog
• ce6190e 6.2.0
• 24af461 Add test coverage for bin file
• 388ec1c Add rtl option to coerce from right to left
• d062593 coerce(number) will coerce to a string
• Additional commits viewable in compare view

Updates react-scripts from 4.0.3 to 5.0.1

Commits

• 19fa58d Publish
• 9802941 fix: webpack noise printed only if error or warning (#12245)
• 2eef1d0 Update templates to use React 18 createRoot (#12220)
• 221e511 Publish
• 5614c87 Add support for Tailwind (#11717)
• 20edab4 fix(webpackDevServer): disable overlay for warnings (#11413)
• 3afbbc0 Update all dependencies (#11624)
• f5467d5 feat(eslint-config-react-app): support ESLint 8.x (#11375)
• c7627ce Update webpack and dev server (#11646)
• 544befe Update package.json (#11597)
• Additional commits viewable in compare view

Updates loader-utils from 1.4.2 to 2.0.0

Release notes

Sourced from loader-utils's releases.

v2.0.0

2.0.0 (2020-03-17)

⚠ BREAKING CHANGES

• minimum required Node.js version is 8.9.0 (#166) (c937e8c)
• the getOptions method returns empty object on empty query (#167) (b595cfb)
• Use md4 by default

Changelog

Sourced from loader-utils's changelog.

2.0.0 (2020-03-17)

⚠ BREAKING CHANGES

• minimum required Node.js version is 8.9.0 (#166) (c937e8c)
• the getOptions method returns empty object on empty query (#167) (b595cfb)
• Use md4 by default

1.4.0 (2020-02-19)

Features

• the resourceQuery is passed to the interpolateName method (#163) (cd0e428)

1.3.0 (2020-02-19)

Features

• support the [query] template for the interpolatedName method (#162) (469eeba)

1.2.3 (2018-12-27)

Bug Fixes

• interpolateName: don't interpolated hashType without hash or contenthash (#140) (3528fd9)

1.2.2 (2018-12-27)

Bug Fixes

• fixed a hash type extracting in interpolateName (#137) (f8a71f4)

... (truncated)

Commits

• d9f4e23 chore(release): 2.0.0
• 865dc03 refactor: switch to md4 by default (#168)
• b595cfb refactor: the getOptions method returns empty object on empty query (#167)
• c937e8c chore: minimum required Node.js version is 8.9.0 (#166)
• c78786d chore: upgrade json5 to fix a vulnerability (#165)
• See full diff in compare view

Updates browserslist from 4.14.2 to 4.23.0

Release notes

Sourced from browserslist's releases.

4.23.0

• Added BROWSERSLIST_ROOT_PATH (by @​teleclimber).

Changelog

Sourced from browserslist's changelog.

4.23.0

• Added BROWSERSLIST_ROOT_PATH (by @​teleclimber).

4.22.3

• Fixed white spaces support in supports query (@​g-plane).
• Fixed shared config like @company/package/browserslist-config (@​boucodes).

4.22.2

• Fixed idempotency in time queries with mobileToDesktop (by Aliaksei Sapach).

4.22.1

• Updated Firefox ESR (by @​lerkor).

4.22

• Added fully supports query (by Ben Scott).
• Added partially supports alias for supports query (by Ben Scott).

4.21.11

• Added warning to --update-db to move to new CLI (by Ivan Vasilev).
• Fixed docs (by Tatsunori Uchino).

4.21.10

• Updated Firefox ESR.

4.21.9

• Fixed Opera Mobile edge cases (by Steve Repsher).

4.21.8

• Fixed supports query and mobileToDesktop (by Steve Repsher).

4.21.7

• Fixed last queries for Android (by Steve Repsher).

4.21.6

• Fixed time queries with mobileToDesktop (by Steve Repsher).
• Fixed docs (by Tatsunori Uchino, Will Stone, and Dominik Pschenitschni).

4.21.5

• Fixed running Browserslist in browser environment.

4.21.4

• Updated Firefox ESR.

4.21.3

• Improved unknown region and unknown feature error (by Alexander Chabin).

4.21.2

• Updated Firefox ESR.

4.21.1

... (truncated)

Commits

• a23d971 Release 4.23 version
• 61e7712 Update dependencies
• 2c313aa Add Github release workflow
• 3caf908 Update CI
• b58ae05 feat: add BROWSERSLIST_ROOT_PATH (#819)
• 8ddc4d8 Update grammar definition file (#817)
• 65ad382 Release 4.22.3 version
• 0efec9b Add Node.js 21 to CI
• aaf5f2b Update dependencies
• a3ba90b Updated regex to have the option of adding an extension after @​companyName bu...
• Additional commits viewable in compare view

Updates ejs from 2.7.4 to 3.1.9

Release notes

Sourced from ejs's releases.

v3.1.9

Version 3.1.9

v3.1.8

Version 3.1.8

v3.1.7

Version 3.1.7

v3.1.6

Version 3.1.6

v3.1.5

Version 3.1.5

v3.0.2

No release notes provided.

Commits

• aed0124 Version 3.1.9
• 7083793 Updated dev deps
• 87f1da6 Merge pull request #707 from mde/dependabot/npm_and_yarn/minimatch-3.1.2
• e41a914 Removed old changelog, please rely on git log
• 9ea36ba Merge pull request #719 from jportner/frozen-prototype-fix
• 181a537 Fall back to assignment, update test
• 58bc2eb Change approach to shadowing "toString" property for escapeXML
• 76c9c61 Bump minimatch from 3.0.4 to 3.1.2
• f818bce Merge pull request #706 from mde/dependabot/npm_and_yarn/flat-and-mocha-5.0.2
• 0fca863 Bump flat and mocha
• Additional commits viewable in compare view

Updates follow-redirects from 1.15.3 to 1.15.5

Commits

• b1677ce Release version 1.15.5 of the npm package.
• d8914f7 Preserve fragment in responseUrl.
• 6585820 Release version 1.15.4 of the npm package.
• 7a6567e Disallow bracketed hostnames.
• 05629af Prefer native URL instead of deprecated url.parse.
• 1cba8e8 Prefer native URL instead of legacy url.resolve.
• 72bc2a4 Simplify _processResponse error handling.
• 3d42aec Add bracket tests.
• bcbb096 Do not directly set Error properties.
• See full diff in compare view

Updates glob-parent from 3.1.0 to 5.1.2

Release notes

Sourced from glob-parent's releases.

v5.1.2

Bug Fixes

• eliminate ReDoS (#36) (f923116)

v5.1.1

Bug Fixes

• unescape exclamation mark (#26) (a98874f)

v5.1.0

Features

• add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

v5.0.0

⚠ BREAKING CHANGES

• Drop support for node <6 & bump dependencies

Miscellaneous Chores

• Drop support for node <6 & bump dependencies (896c0c0)

v4.0.0

⚠ BREAKING CHANGES

• question marks are valid path characters on Windows so avoid flagging as a glob when alone
• Update is-glob dependency

Features

• hoist regexps and strings for performance gains (4a80667)
• question marks are valid path characters on Windows so avoid flagging as a glob when alone (2a551dd)
• Update is-glob dependency (e41fcd8)

Changelog

Sourced from glob-parent's changelog.

5.1.2 (2021-03-06)

Bug Fixes

• eliminate ReDoS (#36) (f923116)

6.0.2 (2021-09-29)

Bug Fixes

• Improve performance (#53) (843f8de)

6.0.1 (2021-07-20)

Bug Fixes

• Resolve ReDoS vulnerability from CVE-2021-35065 (#49) (3e9f04a)

6.0.0 (2021-05-03)

⚠ BREAKING CHANGES

• Correct mishandled escaped path separators (#34)
• upgrade scaffold, dropping node <10 support

Bug Fixes

• Correct mishandled escaped path separators (#34) (32f6d52), closes #32

Miscellaneous Chores

• upgrade scaffold, dropping node <10 support (e83d0c5)

5.1.1 (2021-01-27)

Bug Fixes

• unescape exclamation mark (#26) (a98874f)

5.1.0 (2021-01-27)

Features

• add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

5.0.0 (2021-01-27)

⚠ BREAKING CHANGES

• Drop support for node <6 & bump dependencies

... (truncated)

Commits

• eb2c439 chore: update changelog
• 12bcb6c chore: release 5.1.2
• f923116 fix: eliminate ReDoS (#36)
• 0b014a7 chore: add JSDoc returns information (#33)
• 2b24ebd chore: generate initial changelog
• 9b6e874 chore: release 5.1.1
• 749c35e ci: try wrapping the JOB_ID in a string
• 5d39def ci: attempt to switch to published coveralls
• 0b5b37f ci: put the npm step back in for only Windows
• 473f5d8 ci: update azure build images
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by phated, a new releaser for glob-parent since your current version.

Updates immer from 8.0.1 to 9.0.21

Release notes

Sourced from immer's releases.

v9.0.21

9.0.21 (2023-03-23)

Bug Fixes

• ensure type exports is first in package.json export declaration (#1018) (b6ccd0f)

v9.0.20

9.0.20 (2023-03-23)

Bug Fixes

• patching maps failed when using number keys (#1025) (dd83e2e)

v9.0.19

9.0.19 (2023-01-27)

Bug Fixes

• don't freeze drafts returned from produce if they were passed in as draft (#917) (46867f8)
• produce results should never be frozen when returned from nested produces, to prevent 'hiding' drafts. Fixes #935 (a810960)
• release and publish from 'main' rather than 'master' branch (82acc40)
• revert earlier fix (#990) for recursive types (#1014) (3eeb331)
• Upgrade Github actions to Node 16 attempt 1 (9d4ea93)
• Upgrade Github actions to Node 16 attempt 2 (082eecd)

v9.0.18

9.0.18 (2023-01-15)

Bug Fixes

• Preserve insertion order of Sets, fixes #819 (#976) (b3eeb69)
• unnecessarily recursive Draft type (#990) (b9eae1d)

v9.0.17

9.0.17 (2023-01-02)

Bug Fixes

• special case NaN in setter (#912) (5721bb7)

v9.0.16

9.0.16 (2022-10-22)

... (truncated)

Commits

• 7c15339 chore(deps): bump loader-utils from 2.0.0 to 2.0.4 in /website (#1026)
• f07ec9d chore(deps): bump @​sideway/formula from 3.0.0 to 3.0.1 in /website (#1027)
• b6ccd0f fix: ensure type exports is first in package.json export declaration (#1018)
• 385837d chore(deps): bump http-cache-semantics from 4.1.0 to 4.1.1 in /website (#1017)
• e1696b7 chore(deps): bump webpack from 5.75.0 to 5.76.1 in /website (#1024)
• dd83e2e fix: patching maps failed when using number keys (#1025)
• 082eecd fix: Upgrade Github actions to Node 16 attempt 2
• 9d4ea93 fix: Upgrade Github actions to Node 16 attempt 1
• 82acc40 fix: release and publish from 'main' rather than 'master' branch
• 3eeb331 fix: revert earlier fix (#990) for recursive types (#1014)
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.2

Commits

• 699c459 3.1.2
• 2f2b5ff fix: trim pattern
• 25d7c0d 3.1.1
• 55dda29 fix: treat nocase:true as always having magic
• 5e1fb8d 3.1.0
• f8145c5 Add 'allowWindowsEscape' option
• 570e8b1 add publishConfig for v3 publishes
• 5b7cd33 3.0.6
• 20b4b56 [fix] revert all breaking syntax changes
• 2ff0388 document, expose, and test 'partial:true' option
• Additional commits viewable in compare view

Updates node-forge from 0.10.0 to 1.3.1

Changelog

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

• RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL paramters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

• Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
• HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24771
  • GHSA ID: GHSA-cfm4-qjh2-4765
• HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • The code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24772
  • GHSA ID: GHSA-x4jg-mjrx-434g
• MEDIUM: Leniency in checking type octet.
  • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
  • CVE ID: CVE-2022-24773
  • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

• [asn1] Add fallback to pretty print invalid UTF8 data.
• [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
  • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
• [rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

Commits

• a0a4a42 Release 1.3.1.
• a33830f Update changelog.
• 740954d Allow optional DigestAlgorithm parameters.
• 56f4316 Allow DigestInfo.DigestAlgorith.parameters to be optional
• cbf0bd5 Start 1.3.1-0.
• 6c5b901 Release 1.3.0.
• 0f3972a Update changelog.
• dc77b39 Fix error checking.
• bb822c0 Add advisory links.
• d4395fe Update changelog.
• Additional commits viewable in compare view

Updates postcss from 7.0.36 to 7.0.39

Release notes

Sourced from postcss's releases.

7.0.39

• Reduce package size.
• Backport nanocolors to picocolors migration.

7.0.38

• Update Processor#version.

7.0.37

• Backport chalk to nanocolors migration.

Changelog

Sourced from postcss's changelog.

7.0.39

• Reduce package size.
• Backport nanocolors to picocolors migration.

7.0.38

• Update Processor#version.

7.0.37

• Backport chalk to nanocolors migration.

Commits

• e17c1ef Release 7.0.39 version
• 6791bd3 Reduce npm package
• 44c581a Replace nanocolors with picocolors
• 8ba21fd Remove eslint-ci
• 3994c4a Release 7.0.38 version
• 6944e1d Remove development keys from package.json
• 4dd0af0 Release 7.0.37 version
• 8408eb4 Add compilation step
• 0c68063 Move tests to GitHub Actions
• 98b61ba Replace chalk to nanocolors
• See full diff in compare view

Updates shell-quote from 1.7.2 to 1.8.1

Changelog

Sourced from shell-quote's changelog.

v1.8.1 - 2023-04-07

Fixed

• [Fix] parse: preserve whitespace in comments [#6](https://github.com/ljharb/shell-quote/issues/6)
• [Fix] properly support the escape option [#5](https://github.com/ljharb/shell-quote/issues/5)

Commits

• [Refactor] parse: hoist getVar to module level b42ac73
• [Refactor] hoist some vars to module level 8f0c5c3
• [Refactor] parse: use slice over substr, cache some values fcb2e1a
• [Refactor] parse: a bit of cleanup 6780ec5
• [Refactor] parse: tweak the regex to not match nothing 227d474
• [Tests] increase coverage a66de94
• [Refactor] parse: avoid shadowing a function arg 1d58679

v1.8.0 - 2023-01-30

Commits

• [New] extract parse and quote to their own deep imports 553fdfc
• [Tests] add nyc coverage fd7ddcd
• [New] Add support for here strings (<<<) 9802fb3
• [New] parse: Add syntax support for duplicating input file descriptors 216b198
• [Dev Deps] update @ljharb/eslint-config, aud, tape 85f8e31
• [Tests] add evalmd c5549fc
• [actions] update checkout action 62e9b49

v1.7.4 - 2022-10-12

Merged

• Add node_modules to .gitignore [#48](https://github.com/ljharb/shell-quote/issues/48)

Commits

• [eslint] fix indentation and whitespace aaa9d1f
• [eslint] additional cleanup 397cb62
• [meta] add auto-changelog 497fca5
• [actions] add reusable workflows 4763c36
• [eslint] add eslint 6ee1437
• [readme] rename, add badges 7eb5134
• [meta] update URLs 67381b6
• [meta] create FUNDING.yml; add funding in package.json 8641572
• [meta] use npmignore to autogenerate an npmignore file 2e2007a
• Only apps should have lockfiles f97411e
• [Dev Deps] update tape 051f608
• [meta] add safe-publish-latest 18cadf9
• [Tests] add aud in posttest dc1cc12

... (truncated)

Commits

• da8a3ab v1.8.1
• a66de94 [Tests] increase coverage
• b42ac73 [Refactor] parse: hoist getVar to module level
• fcb2e1a [Refactor] parse: use slice over substr, cache some values
• ecf2a60 [Fix] parse: preserve whitespace in comments
• 1d58679 [Refactor] parse: avoid shadowing a function arg
• 6780ec5 [Refactor] parse: a bit of cleanup
• 227d474 [Refactor] parse: tweak the regex to not match nothing
• 7bcd90e [Fix] properly support the escape option
• 8f0c5c3 [Refactor] hoist some vars to module level
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for shell-quote since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #239.