fix(deps): update dependency graphql-upload to v17

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
graphql-upload	^15.0.2 → ^17.0.0

---

Release Notes

jaydenseric/graphql-upload (graphql-upload)

v17.0.0

Compare Source

Major

• Updated Node.js support to ^18.18.0 || ^20.9.0 || >=22.0.0.

• Updated dev dependencies, some of which require newer Node.js versions than previously supported.

• Use the TypeScript v5.5+ JSDoc tag @import to import types in modules.

• Removed JSDoc tag @typedef that were unintentionally re-exporting types; to migrate import TypeScript types from the correct module:

  - import type { GraphQLUpload } from "graphql-upload/Upload.mjs";
  + import type GraphQLUpload from "graphql-upload/GraphQLUpload.mjs";

  - import type { processRequest } from "graphql-upload/Upload.mjs";
  + import type processRequest from "graphql-upload/processRequest.mjs";

  - import type { GraphQLUpload } from "graphql-upload/processRequest.mjs";
  + import type GraphQLUpload from "graphql-upload/GraphQLUpload.mjs";

• Refactored tests to use the standard AbortController, fetch, File, and FormData APIs available in modern Node.js and removed the dev dependencies node-abort-controller and node-fetch.

• Replaced the test utility function streamToString with the function text from node:stream/consumers that’s available in modern Node.js.

• Use the Node.js test runner API and remove the dev dependency test-director.

Minor

• Support Express v5 by updating the optional peer dependency @types/express to 4.0.29 - 5 and the dev dependency express to v5, via #​389.

Patch

• Tweaked the package description.
• Updated the package.json field repository to conform to new npm requirements.
• Updated the package scripts:
  • Reordered the scripts.
  • Replaced npm run with node --run.
• Updated GitHub Actions CI config:
  • No longer run the workflow on pull request.
  • Enable manual workflow dispatching.
  • Run checks in seperate jobs.
  • Removed custom step names.
  • Replaced npm run with node --run.
  • Updated the tested Node.js versions to v18, v20, v22.
  • Updated actions/checkout to v4.
  • Updated actions/setup-node to v4.
• Migrated to the ESLint v9 CLI and “flat” config.
• Integrated a new dev dependency eslint-plugin-jsdoc and revised types.
• Removed the Node.js CLI option --unhandled-rejections=throw in the package script tests as it’s now the default for all supported Node.js versions.
• Avoid hardcoding a default value in the type FileUploadCreateReadStreamOptions property highWaterMark description and use the function getDefaultHighWaterMark from node:stream in tests.
• Replaced the test helper class Deferred with polyfilled Promise.withResolvers.
• Removed an unnecessary await in tests.
• Omit unused catch bindings in the function processRequest.
• Corrected the JSDoc type FileUploadCreateReadStreamOptions in the module processRequest.mjs.
• Avoid using return in the middleware.
• Added a new dev dependency async-listen to replace the test utility function listen.
• Enabled the TypeScript compiler options noUnusedLocals and noUnusedParameters and used the prefix _ for purposefully unused function parameters in tests.
• Updated the GitHub Markdown syntax for alerts in the readme.
• Tweaked wording in the readme and JSDoc descriptions.

v16.0.2

Compare Source

Patch

• Updated dev dependencies.
• Use the node: URL scheme for Node.js builtin module imports.
• Improved JSDoc in the module GraphQLUpload.mjs.
• Revamped the readme:
  • Removed the badges.
  • More detailed installation instructions.
  • Added information about TypeScript config and optimal JavaScript module design.

v16.0.1

Compare Source

Patch

• Support non latin1 characters in file names by setting the busboy option defParamCharset to utf8, fixing #​328.
• Removed a redundant @ts-ignore comment.

v16.0.0

Compare Source

Major

• Updated the fs-capacitor dependency to v8, fixing #​318.

• The type FileUploadCreateReadStreamOptions from the processRequest.mjs module now uses types from fs-capacitor that are slightly more specific.

• The API is now ESM in .mjs files instead of CJS in .js files, accessible via import but not require. To migrate imports:

  - import GraphQLUpload from "graphql-upload/GraphQLUpload.js";
  + import GraphQLUpload from "graphql-upload/GraphQLUpload.mjs";

  - import graphqlUploadExpress from "graphql-upload/graphqlUploadExpress.js";
  + import graphqlUploadExpress from "graphql-upload/graphqlUploadExpress.mjs";

  - import graphqlUploadKoa from "graphql-upload/graphqlUploadKoa.js";
  + import graphqlUploadKoa from "graphql-upload/graphqlUploadKoa.mjs";

  - import processRequest from "graphql-upload/processRequest.js";
  + import processRequest from "graphql-upload/processRequest.mjs";

  - import Upload from "graphql-upload/Upload.js";
  + import Upload from "graphql-upload/Upload.mjs";

Patch

• Updated dev dependencies.
• Updated examples in JSDoc comments.
• Updated the changelog entry for v14.0.0 to show how to migrate imports.

---

Configuration

📅 Schedule: Branch creation - "before 7am on Tuesday,before 7am on Wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: React Router has Path Traversal in File Session Storage in npm @remix-run/node CVE: GHSA-9583-h5hc-x8cw React Router has Path Traversal in File Session Storage (CRITICAL) Affected versions: < 2.17.2 Patched version: 2.17.2 From: examples/framework-remix/package.json → npm/@remix-run/node@1.19.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@remix-run/node@1.19.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​remix-run/​node@​1.19.3
	@​types/​uuid@​11.0.0
	@​types/​lodash.debounce@​4.0.9
	@​remix-run/​react@​1.19.3
	@​types/​mime@​2.0.3
	@​ts-gql/​tag@​0.7.3
	@​keystatic/​next@​5.0.4
	@​ts-gql/​eslint-plugin@​0.9.1
	@​react-stately/​overlays@​3.6.21
	@​types/​uuid@​9.0.8
	@​remix-run/​serve@​1.19.3
	@​react-aria/​label@​3.7.23
	@​types/​body-parser@​1.19.6
	@​types/​prompts@​2.4.9
	@​types/​ms@​0.7.34
	@​types/​passport-oauth2@​1.8.0
	@​types/​express@​4.17.25
	@​types/​js-yaml@​4.0.9
	@​types/​gtag.js@​0.0.20
	@​react-stately/​list@​3.13.2
	@​opentelemetry/​sdk-trace-node@​2.5.0
	@​types/​rss@​0.0.32
	@​types/​superagent@​4.1.24
	@​types/​resolve@​1.20.6
	@​preconstruct/​next@​4.0.0
	@​types/​node-fetch@​2.6.13
	@​types/​jsonwebtoken@​9.0.10
	@​react-aria/​i18n@​3.12.14
	@​prisma/​generator-helper@​6.19.2
	@​ts-gql/​compiler@​0.16.8
	@​types/​ws@​8.18.1
	@​react-stately/​data@​3.15.0
	@​hapi/​iron@​7.0.1
See 37 more rows in the dashboard

View full report