chore(deps): bump the npm_and_yarn group across 4 directories with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /data/scripts directory: form-data.
Bumps the npm_and_yarn group with 6 updates in the /src/back directory:

Package	From	To
form-data	2.5.2	4.0.4
form-data	4.0.1	4.0.4
multer	2.0.0	2.0.2
esbuild	0.25.4	0.25.8
on-headers	1.0.2	1.1.0
compression	1.8.0	1.8.1
morgan	1.10.0	1.10.1

Bumps the npm_and_yarn group with 1 update in the /src/common directory: @babel/runtime.
Bumps the npm_and_yarn group with 6 updates in the /src/website directory:

Package	From	To
on-headers	1.0.2	1.1.0
compression	1.8.0	1.8.1
morgan	1.10.0	1.10.1
vite	5.4.11	5.4.19
@babel/runtime	7.26.0	7.28.2
tar-fs	2.1.1	2.1.3

Updates form-data from 2.5.1 to 2.5.5

Release notes

Sourced from form-data's releases.

v2.5.2

Fixes

• Buffer.from and Buffer.alloc require node 4+
• npmignore temporary build files (#532)
• move util.isArray to Array.isArray (#564)

Tests

• migrate from travis to GHA

Changelog

Sourced from form-data's changelog.

v2.5.5 - 2025-07-18

Commits

• [meta] actually ensure the readme backup isn’t published 10626c0
• [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] update linting config 8bf2492
• [meta] add auto-changelog b5101ad
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
• [Fix] Switch to using crypto random for boundary values b88316c
• [Fix] validate boundary type in setBoundary() method 131ae5e
• [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
• [Refactor] use hasown 97ac9c2
• [meta] remove local commit hooks be99d4e
• [Dev Deps] remove unused deps ddbc89b
• [meta] fix scripts to use prepublishOnly e351a97
• [Dev Deps] remove unused script 8f23366
• [Dev Deps] add missing peer dep 02ff026
• [meta] fix readme capitalization 2fd5f61

v2.5.3 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

Commits

• [Refactor] use Object.prototype.hasOwnProperty.call 6e682d4
• [Dev Deps] update @types/node, browserify, coveralls, eslint, formidable, in-publish, phantomjs-prebuilt, pkgfiles, pre-commit, request, tape, typescript 819f6b7
• Only apps should have lockfiles b170ee2
• [Deps] update combined-stream, mime-types 6b1ca1d
• Bumped version 2.5.3 9457283
• [Dev Deps] pin request which via tough-cookie ^2.4 depends on psl 9dbe192

v2.5.2 - 2024-10-10

... (truncated)

Commits

• 40de5a7 v2.5.5
• 026abe5 [Fix] use proper dependency
• 10626c0 [meta] actually ensure the readme backup isn’t published
• efe6c26 v2.5.4
• c97cfbe [Tests] Switch to newer v8 prediction library; enable node 24 testing
• 0e93122 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• b88316c [Fix] Switch to using crypto random for boundary values
• b70869d [Fix] append: avoid a crash on nullish values
• 131ae5e [Fix] validate boundary type in setBoundary() method
• 8bf2492 [eslint] update linting config
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Updates form-data from 2.5.2 to 4.0.4

Release notes

Sourced from form-data's releases.

v2.5.2

Fixes

• Buffer.from and Buffer.alloc require node 4+
• npmignore temporary build files (#532)
• move util.isArray to Array.isArray (#564)

Tests

• migrate from travis to GHA

Changelog

Sourced from form-data's changelog.

v2.5.5 - 2025-07-18

Commits

• [meta] actually ensure the readme backup isn’t published 10626c0
• [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] update linting config 8bf2492
• [meta] add auto-changelog b5101ad
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
• [Fix] Switch to using crypto random for boundary values b88316c
• [Fix] validate boundary type in setBoundary() method 131ae5e
• [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
• [Refactor] use hasown 97ac9c2
• [meta] remove local commit hooks be99d4e
• [Dev Deps] remove unused deps ddbc89b
• [meta] fix scripts to use prepublishOnly e351a97
• [Dev Deps] remove unused script 8f23366
• [Dev Deps] add missing peer dep 02ff026
• [meta] fix readme capitalization 2fd5f61

v2.5.3 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

Commits

• [Refactor] use Object.prototype.hasOwnProperty.call 6e682d4
• [Dev Deps] update @types/node, browserify, coveralls, eslint, formidable, in-publish, phantomjs-prebuilt, pkgfiles, pre-commit, request, tape, typescript 819f6b7
• Only apps should have lockfiles b170ee2
• [Deps] update combined-stream, mime-types 6b1ca1d
• Bumped version 2.5.3 9457283
• [Dev Deps] pin request which via tough-cookie ^2.4 depends on psl 9dbe192

v2.5.2 - 2024-10-10

... (truncated)

Commits

• 40de5a7 v2.5.5
• 026abe5 [Fix] use proper dependency
• 10626c0 [meta] actually ensure the readme backup isn’t published
• efe6c26 v2.5.4
• c97cfbe [Tests] Switch to newer v8 prediction library; enable node 24 testing
• 0e93122 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• b88316c [Fix] Switch to using crypto random for boundary values
• b70869d [Fix] append: avoid a crash on nullish values
• 131ae5e [Fix] validate boundary type in setBoundary() method
• 8bf2492 [eslint] update linting config
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Updates form-data from 4.0.1 to 4.0.4

Release notes

Sourced from form-data's releases.

v2.5.2

Fixes

• Buffer.from and Buffer.alloc require node 4+
• npmignore temporary build files (#532)
• move util.isArray to Array.isArray (#564)

Tests

• migrate from travis to GHA

Changelog

Sourced from form-data's changelog.

v2.5.5 - 2025-07-18

Commits

• [meta] actually ensure the readme backup isn’t published 10626c0
• [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] update linting config 8bf2492
• [meta] add auto-changelog b5101ad
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
• [Fix] Switch to using crypto random for boundary values b88316c
• [Fix] validate boundary type in setBoundary() method 131ae5e
• [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
• [Refactor] use hasown 97ac9c2
• [meta] remove local commit hooks be99d4e
• [Dev Deps] remove unused deps ddbc89b
• [meta] fix scripts to use prepublishOnly e351a97
• [Dev Deps] remove unused script 8f23366
• [Dev Deps] add missing peer dep 02ff026
• [meta] fix readme capitalization 2fd5f61

v2.5.3 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

Commits

• [Refactor] use Object.prototype.hasOwnProperty.call 6e682d4
• [Dev Deps] update @types/node, browserify, coveralls, eslint, formidable, in-publish, phantomjs-prebuilt, pkgfiles, pre-commit, request, tape, typescript 819f6b7
• Only apps should have lockfiles b170ee2
• [Deps] update combined-stream, mime-types 6b1ca1d
• Bumped version 2.5.3 9457283
• [Dev Deps] pin request which via tough-cookie ^2.4 depends on psl 9dbe192

v2.5.2 - 2024-10-10

... (truncated)

Commits

• 40de5a7 v2.5.5
• 026abe5 [Fix] use proper dependency
• 10626c0 [meta] actually ensure the readme backup isn’t published
• efe6c26 v2.5.4
• c97cfbe [Tests] Switch to newer v8 prediction library; enable node 24 testing
• 0e93122 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• b88316c [Fix] Switch to using crypto random for boundary values
• b70869d [Fix] append: avoid a crash on nullish values
• 131ae5e [Fix] validate boundary type in setBoundary() method
• 8bf2492 [eslint] update linting config
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Updates multer from 2.0.0 to 2.0.2

Release notes

Sourced from multer's releases.

v2.0.2

Important

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

Full Changelog: expressjs/multer@v2.0.1...v2.0.2

v2.0.1

Important

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

What's Changed

• add Arabic translation for README .. by @​3imed-jaberi in expressjs/multer#762
• Update README.md to fix issue #1114 by @​Mohamed-Abdelfattah in expressjs/multer#1169
• Improved documentation translation to Spanish by @​juliomontenegro in expressjs/multer#1174
• Translated to french by @​AlanLg in expressjs/multer#1182
• Improve the Brazilian Portuguese translation by @​vitorRibeiro7 in expressjs/multer#1204
• doc: uzbek language by @​eugene0928 in expressjs/multer#1232
• Fix a mistake with README-pt-br.md by @​Igor-CA in expressjs/multer#1251
• Update in Readme-pt-br and fix in Readme-ko by @​carlosstenzel in expressjs/multer#1252
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/multer#1260
• ci: replace travis with github action by @​inigomarquinez in expressjs/multer#1259
• docs: improve readability by @​Sreejit-Sengupto in expressjs/multer#1255
• test: add test for out-of-band error event by @​LinusU in expressjs/multer#1294
• chore: upgrade scorecard workflow pinned action versions by @​carpasse in expressjs/multer#1290
• Documentation: remove unfortunate abbreviation from readme by @​MaddyGuthridge in expressjs/multer#1299
• ci: use ubuntu-latest as default runner by @​UlisesGascon in expressjs/multer#1308
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/multer#1289
• Update readme badges by @​bjohansebas in expressjs/multer#1268
• 📝 fix changelog information by @​ctcpip in expressjs/multer#1316
• master -> v2 by @​ctcpip in expressjs/multer#1317
• chore: fix typo by @​saucecodee in expressjs/multer#993
• Remove --save from README by @​username1001 in expressjs/multer#929
• feat - update link badge in docs by @​carlosstenzel in expressjs/multer#1273
• ci: change branch reference by @​UlisesGascon in expressjs/multer#1319
• ♻️ use version tag for CI, fix CI badge, fix references to master/main by @​ctcpip in expressjs/multer#1324
• deps: update dependencies to latest versions by @​bjohansebas in expressjs/multer#1328
• 📝 list languages in table to prevent GH right-aligning list due to RTL language by @​ctcpip in expressjs/multer#1325
• [StepSecurity] Apply security best practices by @​step-security-bot in expressjs/multer#1311

New Contributors

• @​3imed-jaberi made their first contribution in expressjs/multer#762
• @​Mohamed-Abdelfattah made their first contribution in expressjs/multer#1169
• @​juliomontenegro made their first contribution in expressjs/multer#1174
• @​AlanLg made their first contribution in expressjs/multer#1182
• @​vitorRibeiro7 made their first contribution in expressjs/multer#1204
• @​eugene0928 made their first contribution in expressjs/multer#1232
• @​Igor-CA made their first contribution in expressjs/multer#1251

... (truncated)

Changelog

Sourced from multer's changelog.

2.0.2

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

2.0.1

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

Commits

• e5db9ca 🔖 2.0.2
• adfeaf6 🥅 improve error handling
• e259a7e 🔖 2.0.1
• 35a3272 Fixes expressjs/multer#1233. Makes multer handle mi...
• f897007 ci: apply security best practices (#1311)
• 061f4cb 📝 list languages in table to prevent GH right-aligning list due to RTL language
• 854d769 deps: update dependencies to latest versions (#1328)
• 256da2f ♻️ use version tag for CI, fix CI badge, fix references to master/main
• dd9dde4 📝 fix badges in translation files (#1321)
• dc2a880 ci: change branch reference
• Additional commits viewable in compare view

Updates esbuild from 0.25.4 to 0.25.8

Release notes

Sourced from esbuild's releases.

v0.25.8

• Fix another TypeScript parsing edge case (#4248)

  This fixes a regression with a change in the previous release that tries to more accurately parse TypeScript arrow functions inside the ?: operator. The regression specifically involves parsing an arrow function containing a #private identifier inside the middle of a ?: ternary operator inside a class body. This was fixed by propagating private identifier state into the parser clone used to speculatively parse the arrow function body. Here is an example of some affected code:

  class CachedDict {
    #has = (a: string) => dict.has(a);
    has = window
      ? (word: string): boolean => this.#has(word)
      : this.#has;
  }

• Fix a regression with the parsing of source phase imports

  The change in the previous release to parse source phase imports failed to properly handle the following cases:

  import source from 'bar'
  import source from from 'bar'
  import source type foo from 'bar'

  Parsing for these cases should now be fixed. The first case was incorrectly treated as a syntax error because esbuild was expecting the second case. And the last case was previously allowed but is now forbidden. TypeScript hasn't added this feature yet so it remains to be seen whether the last case will be allowed, but it's safer to disallow it for now. At least Babel doesn't allow the last case when parsing TypeScript, and Babel was involved with the source phase import specification.

v0.25.7

• Parse and print JavaScript imports with an explicit phase (#4238)

  This release adds basic syntax support for the defer and source import phases in JavaScript:

  • defer

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide one way to eagerly load but lazily initialize imported modules. The imported module is automatically initialized on first use. Support for this syntax will also be part of the upcoming release of TypeScript 5.9. The syntax looks like this:

    import defer * as foo from "<specifier>";
    const bar = await import.defer("<specifier>");

    Note that this feature deliberately cannot be used with the syntax import defer foo from "<specifier>" or import defer { foo } from "<specifier>".

  • source

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide another way to eagerly load but lazily initialize imported modules. The imported module is returned in an uninitialized state. Support for this syntax may or may not be a part of TypeScript 5.9 (see this issue for details). The syntax looks like this:

    import source foo from "<specifier>";
    const bar = await import.source("<specifier>");

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.25.8

• Fix another TypeScript parsing edge case (#4248)

  This fixes a regression with a change in the previous release that tries to more accurately parse TypeScript arrow functions inside the ?: operator. The regression specifically involves parsing an arrow function containing a #private identifier inside the middle of a ?: ternary operator inside a class body. This was fixed by propagating private identifier state into the parser clone used to speculatively parse the arrow function body. Here is an example of some affected code:

  class CachedDict {
    #has = (a: string) => dict.has(a);
    has = window
      ? (word: string): boolean => this.#has(word)
      : this.#has;
  }

• Fix a regression with the parsing of source phase imports

  The change in the previous release to parse source phase imports failed to properly handle the following cases:

  import source from 'bar'
  import source from from 'bar'
  import source type foo from 'bar'

  Parsing for these cases should now be fixed. The first case was incorrectly treated as a syntax error because esbuild was expecting the second case. And the last case was previously allowed but is now forbidden. TypeScript hasn't added this feature yet so it remains to be seen whether the last case will be allowed, but it's safer to disallow it for now. At least Babel doesn't allow the last case when parsing TypeScript, and Babel was involved with the source phase import specification.

0.25.7

• Parse and print JavaScript imports with an explicit phase (#4238)

  This release adds basic syntax support for the defer and source import phases in JavaScript:

  • defer

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide one way to eagerly load but lazily initialize imported modules. The imported module is automatically initialized on first use. Support for this syntax will also be part of the upcoming release of TypeScript 5.9. The syntax looks like this:

    import defer * as foo from "<specifier>";
    const bar = await import.defer("<specifier>");

    Note that this feature deliberately cannot be used with the syntax import defer foo from "<specifier>" or import defer { foo } from "<specifier>".

  • source

    This is a stage 3 proposal for an upcoming JavaScript feature that will provide another way to eagerly load but lazily initialize imported modules. The imported module is returned in an uninitialized state. Support for this syntax may or may not be a part of TypeScript 5.9 (see this issue for details). The syntax looks like this:

    import source foo from "<specifier>";

... (truncated)

Commits

• 8c71947 publish 0.25.8 to npm
• 0508f24 some parsing fixes for source phase imports
• 6e4be2f js parser: recover from bad #private identifiers
• c9c6357 fix #4248: #private ids in arrow fn body in ?:
• 9b42f68 publish 0.25.7 to npm
• 9ba01d1 abs-paths: js api and tests
• ca196c9 fix for parser backtracking crash
• 2979b84 fix #4241: ts arrow function type backtrack (hack)
• 1180410 fix an unused variable warning
• fc3da57 fix #4238: add defer and source import phases
• Additional commits viewable in compare view

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

• Migrate CI pipeline to GitHub actions by @​carpasse in jshttp/on-headers#12
• fix README.md badges by @​carpasse in jshttp/on-headers#13
• add OSSF scorecard action by @​carpasse in jshttp/on-headers#14
• fix: use ubuntu-latest as ci runner by @​UlisesGascon in jshttp/on-headers#19
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in jshttp/on-headers#20
• 👷 add upstream change detection by @​ctcpip in jshttp/on-headers#31
• ✨ add script to update known hashes by @​ctcpip in jshttp/on-headers#32
• 💚 update CI - add newer node versions by @​ctcpip in jshttp/on-headers#33

New Contributors

• @​carpasse made their first contribution in jshttp/on-headers#12
• @​UlisesGascon made their first contribution in jshttp/on-headers#19
• @​ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 4b017af 1.1.0
• b636f2d ♻️ refactor header array code
• 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
• 172eb41 ✨ support duplicate headers
• c6e3849 🔒️ fix array handling
• 6893518 💚 update CI - add newer node versions
• 56a345d ✨ add script to update known hashes
• 175ab21 👷 add upstream change detection (#31)
• ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
• 1a38c54 fix: use ubuntu-latest as ci runner (#19)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates compression from 1.8.0 to 1.8.1

Release notes

Sourced from compression's releases.

v1.8.1

What's Changed

• fix(docs): update multiple links from http to https by @​Phillip9587 in expressjs/compression#222
• ci: add dependabot for github actions by @​bjohansebas in expressjs/compression#207
• build(deps): bump github/codeql-action from 2.23.2 to 3.28.15 by @​dependabot[bot] in expressjs/compression#228
• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.1 by @​dependabot[bot] in expressjs/compression#229
• build(deps-dev): bump eslint-plugin-import from 2.26.0 to 2.31.0 by @​dependabot[bot] in expressjs/compression#230
• build(deps-dev): bump supertest from 6.2.3 to 6.3.4 by @​dependabot[bot] in expressjs/compression#231
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in expressjs/compression#235
• build(deps): bump github/codeql-action from 3.28.15 to 3.29.2 by @​dependabot[bot] in expressjs/compression#243
• build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 by @​dependabot[bot] in expressjs/compression#239
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/compression#240
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot[bot] in expressjs/compression#241
• build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0 by @​dependabot[bot] in expressjs/compression#244
• deps: on-headers@1.1.0 by @​UlisesGascon in expressjs/compression#246
• Release: 1.8.1 by @​UlisesGascon in expressjs/compression#247

New Contributors

• @​dependabot[bot] made their first contribution in expressjs/compression#228
• @​step-security-bot made their first contribution in expressjs/compression#235

Full Changelog: expressjs/compression@1.8.0...v1.8.1

Changelog

Sourced from compression's changelog.

1.8.1 / 2025-07-17

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 83a0c45 1.8.1
• ce62713 deps: on-headers@1.1.0 (#246)
• f4acb23 build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0 (#244)
• 6eaebe6 build(deps): bump actions/checkout from 4.1.1 to 4.2.2 (#241)
• 37e0623 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#240)
• bc436b2 build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 (#239)
• 2f9f572 build(deps): bump github/codeql-action from 3.28.15 to 3.29.2 (#243)
• 5f13b14 [StepSecurity] ci: Harden GitHub Actions (#235)
• 76e0945 build(deps-dev): bump supertest from 6.2.3 to 6.3.4 (#231)
• ae6ee80 build(deps-dev): bump eslint-plugin-import from 2.26.0 to 2.31.0 (#230)
• Additional commits viewable in compare view

Updates morgan from 1.10.0 to 1.10.1

Release notes

Sourced from morgan's releases.

1.10.1

What's Changed

• renaming simple to sample in readme by @​ryhinchey in expressjs/morgan#237
• adding installation instructions to readme by @​ryhinchey in expressjs/morgan#233
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/morgan#291
• ci: replace travis with github actions by @​inigomarquinez in expressjs/morgan#290
• docs: add example output for log formats by @​jonchurch in expressjs/morgan#299
• ci: use ubuntu-latest by @​bjohansebas in expressjs/morgan#301
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in expressjs/morgan#300
• remove --bail by @​jonchurch in expressjs/morgan#314
• ⬆️ bump on-headers by @​ctcpip in expressjs/morgan#319

New Contributors

• @​inigomarquinez made their first contribution in expressjs/morgan#291
• @​jonchurch made their first contribution in expressjs/morgan#299
• @​bjohansebas made their first contribution in expressjs/morgan#301
• @​UlisesGascon made their first contribution in expressjs/morgan#300
• @​ctcpip made their first contribution in expressjs/morgan#319

Full Changelog: expressjs/morgan@1.10.0...1.10.1

Changelog

Sourced from morgan's changelog.

1.10.1 / 2025-07-17

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• c1c7f10 🔖 1.10.1
• eb896c2 ⬆️ bump on-headers
• 1c3eec6 remove --bail (