Bump the npm_and_yarn group across 1 directory with 17 updates

[dependabot]

Bumps the npm_and_yarn group with 13 updates in the / directory:

Package	From	To
axios	0.24.0	0.30.0
body-parser	1.18.3	1.20.3
ejs	3.1.7	3.1.10
express	4.16.4	4.20.0
ws	7.5.3	7.5.10
engine.io	6.5.4	6.5.5
socket.io-adapter	2.5.2	2.5.5
braces	3.0.2	3.0.3
cookie	0.3.1	0.7.2
cookie-parser	1.4.3	1.4.7
express	4.20.0	4.21.2
socket.io	4.7.2	4.8.1
cross-spawn	7.0.3	7.0.6
micromatch	4.0.5	4.0.8

Updates axios from 0.24.0 to 0.30.0

Release notes

Sourced from axios's releases.

Release v0.30.0

Release notes:

Bug Fixes

• fix: modify log while request is aborted by @​mori5321 in axios/axios#4917
• fix: update CHANGELOG.md for v0.x by @​TehZarathustra in axios/axios#6271
• fix: modify upgrade guide for 0.28.1's breaking change by @​nafeger in axios/axios#6787
• fix: backport allowAbsoluteUrls vulnerability fix to v0.x by @​thatguyinabeanie in axios/axios#6829
• fix: add allowAbsoluteUrls type by @​thatguyinabeanie in axios/axios#6849

Contributors to this release

• @​mori5321 made their first contribution in axios/axios#4917
• @​TehZarathustra made their first contribution in axios/axios#6271
• @​nafeger made their first contribution in axios/axios#6787
• @​thatguyinabeanie made their first contribution in axios/axios#6829

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Release notes:

Bug Fixes

• fix(backport): backport security fixes in commits #6167 and #6163 to v0.x by @​Sean-Powell in axios/axios#6402
• fix: omit nulls in params by @​Willshaw in axios/axios#6394
• fix(backport): fix paramsSerializer function validation by @​solonzhu in axios/axios#6361
• fix: Regular Expression Denial of Service (ReDoS) by @​qiongshusheng in axios/axios#6708

Contributors to this release

• @​Sean-Powell made their first contribution in axios/axios#6402
• @​Willshaw made their first contribution in axios/axios#6394
• @​solonzhu made their first contribution in axios/axios#6361
• @​qiongshusheng made their first contribution in axios/axios#6708

Release v0.28.1

Release notes:

Release notes:

Bug Fixes

• fix(backport): custom params serializer support (#6263)
• fix(backport): uncaught ReferenceError req is not defined (#6307)

Release v0.28.0

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• Fixing content-type header repeated #4745

... (truncated)

Changelog

Sourced from axios's changelog.

0.30.0 (2025-03-26)

Release notes:

Bug Fixes

• fix: modify log while request is aborted (#4917)
• fix: update CHANGELOG.md for v0.x (#6271)
• fix: modify upgrade guide for 0.28.1's breaking change (#6787)
• fix: backport allowAbsoluteUrls vulnerability fix to v0.x (#6829)
• fix: add allowAbsoluteUrls type (#6849)

0.29.0 (2024-11-21)

Release notes:

Bug Fixes

• fix(backport): backport security fixes in commits #6167 and #6163 (#6402)
• fix: omit nulls in params (#6394)
• fix(backport): fix paramsSerializer function validation (#6361)
• fix: regular expression denial of service (ReDoS) (#6708)

0.28.1 (2024-03-24)

Release notes:

Bug Fixes

• fix(backport): custom params serializer support (#6263)
• fix(backport): uncaught ReferenceError req is not defined (#6307)

0.28.0 (2024-02-12)

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• Fixing content-type header repeated (#4745)
• Fixed timeout error message for HTTP (#4738)
• Added axios.formToJSON method (#4735)
• URL params serializer (#4734)
• Fixed toFormData Blob issue on node>v17 (#4728)
• Adding types for progress event callbacks (#4675)
• Fixed max body length defaults (#4731)

... (truncated)

Commits

• 6e922e4 chore: added build artifacts
• a06ed1e chore: added pre-release artifacts
• c010622 feat: add type for allowAbsoluteUrls (#6849)
• 02c3c69 fix: backport allowAbsoluteUrls vuln fix to v0.x (#6829)
• 8603e67 docs: modify upgrade guide for 0.28.1's breaking change (#6787)
• f0642ee fix(docs): update CHANGELOG.md for v0.x (#6271)
• 0630c32 fix: modify log while request is aborted (#4917)
• 7750b8c chore(release): prep release v0.29.0
• 4840cb2 fix: regular expression denial of service issues (#6708)
• 2e36cdb fix(backport): fix paramsSerializer function validation (#6361)
• Additional commits viewable in compare view

Updates body-parser from 1.18.3 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to [email protected] by @​wesleytodd in expressjs/body-parser#527
• deps: [email protected] by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: [email protected]

1.20.1

• deps: [email protected]
• perf: remove unnecessary object clone

1.20.0

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
• deps: [email protected]

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: [email protected]

1.20.1 / 2022-10-06

• deps: [email protected]
• perf: remove unnecessary object clone

1.20.0 / 2022-04-02

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: [email protected]
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: [email protected]
  • deps: [email protected]
  • deps: [email protected]
• deps: [email protected]
• deps: [email protected]
• deps: [email protected]
  • deps: [email protected]

1.19.2 / 2022-02-15

• deps: [email protected]
• deps: [email protected]
  • Fix handling of __proto__ keys
• deps: [email protected]
  • deps: [email protected]

1.19.1 / 2021-12-10

... (truncated)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: [email protected] (#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates ejs from 3.1.7 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

v3.1.9

Version 3.1.9

v3.1.8

Version 3.1.8

Commits

• d3f807d Version 3.1.10
• 9ee26dd Mocha TDD
• e469741 Basic pollution protection
• 715e950 Merge pull request #756 from Jeffrey-mu/main
• cabe314 Include advanced usage examples
• 29b076c Added header
• 11503c7 Merge branch 'main' of github.com:mde/ejs into main
• 7690404 Added security banner to README
• f47d7ae Update SECURITY.md
• 828cea1 Update SECURITY.md
• Additional commits viewable in compare view

Updates express from 4.16.4 to 4.20.0

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695
• 📝 update people, add ctcpip to TC by @​ctcpip in expressjs/express#5683
• remove minor version pinning from ci by @​jonchurch in expressjs/express#5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @​IamLizu in expressjs/express#5762
• Replace Appveyor windows testing with GHA by @​jonchurch in expressjs/express#5599
• Add OSSF Scorecard badge by @​UlisesGascon in expressjs/express#5436
• update scorecard link by @​bjohansebas in expressjs/express#5814
• Nominate @​IamLizu to the triage team by @​UlisesGascon in expressjs/express#5836
• deps: [email protected] by @​blakeembrey in expressjs/express#5603
• docs: specify new instructions for question and discuss by @​IamLizu in expressjs/express#5835
• 4.x: Upgrade merge-descriptors dependency by @​RobinTail in expressjs/express#5781
• [email protected] by @​blakeembrey in expressjs/express#5902

New Contributors

• @​marco-ippolito made their first contribution in expressjs/express#5565
• @​inigomarquinez made their first contribution in expressjs/express#5590
• @​mertcanaltin made their first contribution in expressjs/express#5627
• @​ctcpip made their first contribution in expressjs/express#5690
• @​bjohansebas made their first contribution in expressjs/express#5814

Full Changelog: expressjs/express@4.19.1...4.20.0

... (truncated)

Changelog

Sourced from express's changelog.

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]
• deps: [email protected]
  • Add partitioned option

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: [email protected]

... (truncated)

Commits

• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for question and discuss
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @​IamLizu to the triage team (#5836)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates ws from 7.5.3 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

• Backported e55e5106 to the 7.x release line (22c28763).

7.5.9

Bug fixes

• Backported bc8bd34e to the 7.x release line (0435e6e1).

7.5.8

Bug fixes

• Backported 0fdcc0af to the 7.x release line (2758ed35).
• Backported d68ba9e1 to the 7.x release line (dc1781bc).

7.5.7

Bug fixes

• Backported 6946f5fe to the 7.x release line (1f72e2e1).

7.5.6

Bug fixes

• Backported b8186dd1 to the 7.x release line (73dec34b).
• Backported ed2b8039 to the 7.x release line (22a26afb).

7.5.5

Bug fixes

• Backported ec9377ca to the 7.x release line (0e274acd).

7.5.4

Bug fixes

• Backported 6a72da3e to the 7.x release line (76087fbf).
• Backported 869c9892 to the 7.x release line (27997933).

Commits

• d962d70 [dist] 7.5.10
• 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 8a78f87 [dist] 7.5.9
• 0435e6e [security] Fix same host check for ws+unix: redirects
• 4271f07 [dist] 7.5.8
• dc1781b [security] Drop sensitive headers when following insecure redirects
• 2758ed3 [fix] Abort the handshake if the Upgrade header is invalid
• a370613 [dist] 7.5.7
• 1f72e2e [security] Drop sensitive headers when following redirects (#2013)
• 8ecd890 [dist] 7.5.6
• Additional commits viewable in compare view

Updates engine.io from 6.5.4 to 6.5.5

Commits

• See full diff in compare view

Updates socket.io-adapter from 2.5.2 to 2.5.5

Release notes

Sourced from socket.io-adapter's releases.

2.5.4

Bug Fixes

• ensure the order of the commands (a13f35f)
• types: ensure compatibility with TypeScript < 4.5 (ca397f3)

Links

• Diff: socketio/socket.io-adapter@2.5.3...2.5.4

2.5.3

Two abstract classes were imported from the Redis adapter repository:

• the ClusterAdapter class, which manages the messages sent between the server instances of the cluster
• the ClusterAdapterWithHeartbeat class, which extends the ClusterAdapter and adds a heartbeat mechanism in order to check the healthiness of the other instances

Other adapters can then just extend those classes and only have to implement the pub/sub mechanism (and not the internal chit-chat protocol):

class MyAdapter extends ClusterAdapterWithHeartbeat {
  constructor(nsp, pubSub, opts) {
    super(nsp, opts);
    this.pubSub = pubSub;
    pubSub.subscribe("main-channel", (message) => this.onMessage(message));
    pubSub.subscribe("specific-channel#" + this.uid, (response) => this.onResponse(response));
  }
doPublish(message) {
return this.pubSub.publish("main-channel", message);
}
doPublishResponse(requesterUid, response) {
return this.pubSub.publish("specific-channel#" + requesterUid, response);
}
}

Besides, the number of "timeout reached: only x responses received out of y" errors (which can happen when a server instance leaves the cluster) should be greatly reduced by this commit.

Bug Fixes

• cluster: fix count in fetchSockets() method (80af4e9)
• cluster: notify the other nodes when closing (0e23ff0)

Performance Improvements

• cluster: use timer.refresh() (d99a71b)

... (truncated)

Changelog

Sourced from socket.io-adapter's changelog.

2.5.5 (2024-06-18)

This release contains a bump of the ws dependency, which includes an important security fix.

Advisory: GHSA-3h5v-q93c-6h6q

2.5.4 (2024-02-22)

Bug Fixes

• ensure the order of the commands (a13f35f)
• types: ensure compatibility with TypeScript < 4.5 (ca397f3)

2.5.3 (2024-02-21)

Two abstract classes were imported from the Redis adapter repository:

• the ClusterAdapter class, which manages the messages sent between the server instances of the cluster
• the ClusterAdapterWithHeartbeat class, which extends the ClusterAdapter and adds a heartbeat mechanism in order to check the healthiness of the other instances

Other adapters can then just extend those classes and only have to implement the pub/sub mechanism (and not the internal chit-chat protocol):

class MyAdapter extends ClusterAdapterWithHeartbeat {
  constructor(nsp, pubSub, opts) {
    super(nsp, opts);
    this.pubSub = pubSub;
    pubSub.subscribe("main-channel", (message) => this.onMessage(message));
    pubSub.subscribe("specific-channel#" + this.uid, (response) => this.onResponse(response));
  }
doPublish(message) {
return this.pubSub.publish("main-channel", message);
}
doPublishResponse(requesterUid, response) {
return this.pubSub.publish("specific-channel#" + requesterUid, response);
}
}

Besides, the number of "timeout reached: only x responses received out of y" errors (which can happen when a server instance leaves the cluster) should be greatly reduced by this commit.

Bug Fixes

... (truncated)

Commits

• 05a190a chore(release): 6.5.5
• 93fe190 chore(deps): bump ws from 8.11.0 to 8.17.1 (#93)
• 5eae5a0 chore(release): 2.5.4
• 005d546 ci: test with older TypeScript version
• a13f35f fix: ensure the order of the commands
• 207c0db refactor: break circular dependency (2)
• abc93a9 refactor: break circular dependency (1)
• 9d4c4a7 refactor(cluster): export ClusterAdapterOptions and MessageType types
• ca397f3 fix(types): ensure compatibility with TypeScript < 4.5
• 549156c chore(release): 2.5.3
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cookie from 0.3.1 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

0.4.2

• pref: read value only when assigning in parse
• pref: remove unnecessary regexp in parse

0.4.1

• Fix maxAge option to reject invalid values

0.4.0

• Add SameSite=None support

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates cookie-parser from 1.4.3 to 1.4.7

Release notes

Sourced from cookie-parser's releases.

1.4.7

What's Changed

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/cookie-parser#103
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/cookie-parser#104
• ci: Use GITHUB_OUTPUT envvar instead of set-output command by @​arunsathiya in expressjs/cookie-parser#100
• deps: [email protected] by @​SamChatfield in expressjs/cookie-parser#116
• Release: 1.4.7 by @​UlisesGascon in expressjs/cookie-parser#117

New Contributors

• @​inigomarquinez made their first contribution in expressjs/cookie-parser#103
• @​arunsathiya made their first contribution in expressjs/cookie-parser#100
• @​SamChatfield made their first contribution in expressjs/cookie-parser#116
• @​UlisesGascon made their first contribution in expressjs/cookie-parser#117

Full Changelog: expressjs/cookie-parser@1.4.6...1.4.7

1.4.6

• deps: [email protected]

1.4.5

• deps: [email protected]

1.4.4

• perf: normalize secret argument only once

Changelog

Sourced from cookie-parser's changelog.

1.4.7 / 2024-10-08

• deps: [email protected]
  • Fix object assignment of hasOwnProperty
• deps: [email protected]
  • Allow leading dot for domain
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
• deps: [email protected]
  • perf: parse cookies ~10% faster
  • fix: narrow the validation of cookies to match RFC6265
  • fix: add main to package.json for rspack
• deps: [email protected]
  • Add partitioned option
• deps: [email protected]
  • Add priority option
  • Fix expires option to reject invalid dates
  • pref: improve default decode speed
  • pref: remove slow string split in parse
• deps: [email protected]
  • pref: read value only when assigning in parse
  • pref: remove unnecessary regexp in parse

1.4.6 / 2021-11-16

• deps: [email protected]

1.4.5 / 2020-03-14

• deps: [email protected]

1.4.4 / 2019-02-12

• perf: normalize secret argument only once

Commits

• 5d61e1e 1.4.7
• ccf1f54 deps: [email protected] (#116)
• 429cfd4 ci: Use GITHUB_OUTPUT envvar instead of set-output command (#100)
• ca4c97e ci: fix errors in ci pipeline for node 8 and 9 (#104)
• 97bdf39 ci: add support for OSSF scorecard reporting (#103)
• e5862bd build: [email protected]
• f0688d2 build: [email protected]
• 44ec541 build: [email protected]
• 695435a deps: [email protected]
• f66e7e1 build: [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cookie-parser since your current version.

Updates express from 4.20.0 to 4.21.2

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml