Bump the npm_and_yarn group across 1 directory with 24 updates

[dependabot]

Bumps the npm_and_yarn group with 20 updates in the / directory:

Package	From	To
gh-pages	4.0.0	5.0.0
@adobe/css-tools	4.0.1	4.4.2
semver	6.3.0	6.3.1
@babel/traverse	7.20.1	7.26.9
body-parser	1.20.1	1.20.3
express	4.18.2	4.21.2
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
ejs	3.1.8	3.1.10
follow-redirects	1.15.2	1.15.9
http-proxy-middleware	2.0.6	2.0.7
json5	1.0.1	1.0.2
micromatch	4.0.5	4.0.8
nanoid	3.3.4	3.3.9
rollup	2.79.1	2.79.2
serialize-javascript	6.0.0	6.0.2
tough-cookie	4.1.2	4.1.4
webpack	5.75.0	5.98.0
webpack-dev-middleware	5.3.3	5.3.4
word-wrap	1.2.3	1.2.5

Updates gh-pages from 4.0.0 to 5.0.0

Release notes

Sourced from gh-pages's releases.

v5.0.0

Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.

Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.

What's Changed

• Assorted updates by @​tschaub in tschaub/gh-pages#452
• Update README to clarify project site configuration requirements with tools like CRA, webpack, Vite, etc. by @​Nezteb in tschaub/gh-pages#445
• Bump actions/checkout from 2 to 3 by @​dependabot in tschaub/gh-pages#453
• Bump actions/setup-node from 1 to 3 by @​dependabot in tschaub/gh-pages#455
• Bump email-addresses from 3.0.1 to 5.0.0 by @​dependabot in tschaub/gh-pages#454
• Bump async from 2.6.4 to 3.2.4 by @​dependabot in tschaub/gh-pages#459
• Remove quotation marks by @​Vicropht in tschaub/gh-pages#438

New Contributors

• @​Nezteb made their first contribution in tschaub/gh-pages#445
• @​Vicropht made their first contribution in tschaub/gh-pages#438

Full Changelog: tschaub/gh-pages@v4.0.0...v5.0.0

Changelog

Sourced from gh-pages's changelog.

v5.0.0

Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.

Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.

• #438 - Remove quotation marks (@​Vicropht)
• #459 - Bump async from 2.6.4 to 3.2.4 (@​tschaub)
• #454 - Bump email-addresses from 3.0.1 to 5.0.0 (@​tschaub)
• #455 - Bump actions/setup-node from 1 to 3 (@​tschaub)
• #453 - Bump actions/checkout from 2 to 3 (@​tschaub)
• #445 - Update README to clarify project site configuration requirements with tools like CRA, webpack, Vite, etc. (@​Nezteb)
• #452 - Assorted updates (@​tschaub)

Commits

• f729b97 5.0.0
• 51534c7 Log changes
• ace063b Merge pull request #438 from Vicropht/patch-1
• 58e54be Merge pull request #459 from tschaub/dependabot/npm_and_yarn/async-3.2.4
• 2189df3 Bump async from 2.6.4 to 3.2.4
• 051846e Merge pull request #454 from tschaub/dependabot/npm_and_yarn/email-addresses-...
• 5c91c67 Merge pull request #455 from tschaub/dependabot/github_actions/actions/setup-...
• fe0ad83 Merge pull request #453 from tschaub/dependabot/github_actions/actions/checko...
• b89287d Merge pull request #445 from Nezteb/patch-1
• e890bd1 Bump email-addresses from 3.0.1 to 5.0.0
• Additional commits viewable in compare view

Updates @adobe/css-tools from 4.0.1 to 4.4.2

Changelog

Sourced from @​adobe/css-tools's changelog.

4.4.2 / 2025-02-12

• Fix regular expression for quoted values in parentheses

4.4.0 / 2024-06-05

• add support for @​starting-style #319

4.3.3 / 2024-01-24

• Update export property #271

4.3.2 / 2023-11-28

• Fix redos vulnerability with specific crafted css string - CVE-2023-48631
• Fix Problem parsing with :is() and nested :nth-child() #211

4.3.1 / 2023-03-14

• Fix redos vulnerability with specific crafted css string - CVE-2023-26364

4.3.0 / 2023-03-07

• Update build tools
• Update exports path and files

4.2.0 / 2023-02-21

• Add @​container support
• Add @​layer support

4.1.0 / 2023-01-25

• Support ESM Modules

4.0.2 / 2023-01-12

• #71 : @​import does not work if url contains ';'
• #77 : Regression in selector parsing: Attribute selectors not parsed correctly

Commits

• See full diff in compare view

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

6.2.0

• Coerce numbers to strings when passed to semver.coerce()
• Add rtl option to coerce from right to left

6.1.3

• Handle X-ranges properly in includePrerelease mode

6.1.2

• Do not throw when testing invalid version strings

6.1.1

• Add options support for semver.coerce()
• Handle undefined version passed to Range.test

6.1.0

• Add semver.compareBuild function
• Support * in semver.intersects

6.0

• Fix intersects logic.

  This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

• 44d27bc chore: release 6.3.1
• 928e56d fix: better handling of whitespace (#591)
• 39f6326 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates @babel/traverse from 7.20.1 to 7.26.9

Release notes

Sourced from @​babel/traverse's releases.

v7.26.9 (2025-02-14)

🐛 Bug Fix

• babel-types
  • #17103 fix: Definition for TSPropertySignature.kind (@​liuxingbaoyu)
• babel-generator, babel-types
  • #17062 Print TypeScript optional/definite in ClassPrivateProperty (@​jamiebuilds-signal)

🏠 Internal

• babel-types
  • #17130 Use .ts files with explicit reexports to solve name conflicts (@​nicolo-ribaudo)
• babel-core
  • #17127 Do not depend on @types/gensync in Babel 7 (@​nicolo-ribaudo)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jamie Kyle (@​jamiebuilds-signal)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.26.8 (2025-02-08)

🏠 Internal

• babel-preset-env
  • #17097 Update dependency babel-plugin-polyfill-corejs3 to ^0.11.0

v7.26.7 (2025-01-24)

Thanks @​branchseer and @​tquetano-netflix for your first PRs!

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

Committers: 6

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• Tony Quetano (@​tquetano-netflix)

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.26.9 (2025-02-14)

🐛 Bug Fix

• babel-types
  • #17103 fix: Definition for TSPropertySignature.kind (@​liuxingbaoyu)
• babel-generator, babel-types
  • #17062 Print TypeScript optional/definite in ClassPrivateProperty (@​jamiebuilds-signal)

🏠 Internal

• babel-types
  • #17130 Use .ts files with explicit reexports to solve name conflicts (@​nicolo-ribaudo)
• babel-core
  • #17127 Do not depend on @types/gensync in Babel 7 (@​nicolo-ribaudo)

v7.26.7 (2025-01-24)

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

v7.26.6 (2025-01-13)

🐛 Bug Fix

• babel-plugin-transform-nullish-coalescing-operator
  • #17061 fix: Chaining nullish coalescing operators output size regression (@​liuxingbaoyu)

v7.26.5 (2025-01-10)

👓 Spec Compliance

• babel-parser
  • #17011 Allow the dynamic import.defer() form of import defer (@​babel-bot)

🐛 Bug Fix

• babel-plugin-transform-block-scoped-functions
  • #17024 chore: Avoid calling isInStrictMode in Babel 7 (@​liuxingbaoyu)
• babel-plugin-transform-typescript
  • #17026 fix: Correctly generate exported const enums in namespace (@​liuxingbaoyu)
• babel-parser
  • #17045 [estree] Unify method type parameters handling (@​JLHwung)
  • #17013 fix: Correctly set position for @(a.b)() (@​liuxingbaoyu)
  • #16996 [estree] Adjust the start loc of class methods with type params (@​nicolo-ribaudo)
• babel-generator, babel-parser, babel-plugin-transform-flow-strip-types, babel-types

... (truncated)

Commits

• 64bca7b v7.26.9
• 4cf5c9e [babel 8] Use @babel/types for parser's return type (#17117)
• 5315446 [babel 8] Remove babel 7-specific imports (#17111)
• 0593941 v7.26.8
• e02b0ff [Babel 8] Create TSTemplateLiteralType (#17066)
• 2d95140 v7.26.7
• ad572fd fix: Remove type-only import x = y.z (#17025)
• 74181cf v7.26.5
• d35794e [Babel 8] Create TSEnumBody for TSEnumDeclaration (#16979)
• cd24cc0 chore: Update TS 5.7 (#17053)
• Additional commits viewable in compare view

Updates body-parser from 1.20.1 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: qs@6.12.3 (#521)
• 9478591 fix: pin to node@22.4.1
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)
• 59fc270 deps: path-to-regexp@0.1.11 (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cookie from 0.5.0 to 0.7.1

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

Commits

• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• d6f39b0 Fix tests for old node
• 6bb701f Remove failing scorecard
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates ejs from 3.1.8 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

v3.1.9

Version 3.1.9

Commits

• d3f807d Version 3.1.10
• 9ee26dd Mocha TDD
• e469741 Basic pollution protection
• 715e950 Merge pull request #756 from Jeffrey-mu/main
• cabe314 Include advanced usage examples
• 29b076c Added header
• 11503c7 Merge branch 'main' of github.com:mde/ejs into main
• 7690404 Added security banner to README
• f47d7ae Update SECURITY.md
• 828cea1 Update SECURITY.md
• Additional commits viewable in compare view

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)