Bump the npm_and_yarn group across 1 directory with 10 updates

Open dependabot[bot] opened this issue 1 year ago • 2 comments

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
postcss	`8.4.31`	`8.4.32`
@adobe/css-tools	`4.2.0`	`4.4.0`
ejs	`3.1.9`	`3.1.10`
es5-ext	`0.10.62`	`0.10.64`
express	`4.18.2`	`4.19.2`
follow-redirects	`1.15.5`	`1.15.6`
msgpackr	`1.9.1`	`1.11.0`
tar	`6.1.14`	`6.2.1`
vite	`5.1.4`	`5.4.2`
word-wrap	`1.2.3`	`1.2.5`

Updates postcss from 8.4.31 to 8.4.32

Release notes

Sourced from postcss's releases.

8.4.32

Fixed postcss().process() types (by @ferreira-tb).

Changelog

Sourced from postcss's changelog.

8.4.32

Fixed postcss().process() types (by Andrew Ferreira).

Commits

a0d9f10 Release 8.4.32 version
0146b3e Add Node.js 21 to CI
2398534 Update dependencies
1918533 Merge pull request #1902 from ferreira-tb/main
395e6dc Fix ProcessOptions interface
fa8cd15 Update dependencies
199a7c4 Typo
2528047 Update EM link
See full diff in compare view

Updates @adobe/css-tools from 4.2.0 to 4.4.0

Changelog

Sourced from @adobe/css-tools's changelog.

4.4.0 / 2024-06-05

add support for @starting-style #319

4.3.3 / 2024-01-24

Update export property #271

4.3.2 / 2023-11-28

Fix redos vulnerability with specific crafted css string - CVE-2023-48631

Fix Problem parsing with :is() and nested :nth-child() #211

4.3.1 / 2023-03-14

Fix redos vulnerability with specific crafted css string - CVE-2023-26364

4.3.0 / 2023-03-07

Update build tools

Update exports path and files

Commits

See full diff in compare view

Updates ejs from 3.1.9 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

Commits

d3f807d Version 3.1.10
9ee26dd Mocha TDD
e469741 Basic pollution protection
715e950 Merge pull request #756 from Jeffrey-mu/main
cabe314 Include advanced usage examples
29b076c Added header
11503c7 Merge branch 'main' of github.com:mde/ejs into main
7690404 Added security banner to README
f47d7ae Update SECURITY.md
828cea1 Update SECURITY.md
Additional commits viewable in compare view

Updates es5-ext from 0.10.62 to 0.10.64

Release notes

Sourced from es5-ext's releases.

0.10.64 (2024-02-27)

Bug Fixes

Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

Comparison since last release

0.10.63 (2024-02-23)

Bug Fixes

Do not rely on problematic regex (3551cdd), addresses #201

Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021

Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

Simplify the manifest message (7855319)

Comparison since last release

Changelog

Sourced from es5-ext's changelog.

0.10.64 (2024-02-27)

Bug Fixes

Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

0.10.63 (2024-02-23)

Bug Fixes

Do not rely on problematic regex (3551cdd), addresses #201

Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021

Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

Simplify the manifest message (7855319)

Commits

f76b03d chore: Release v0.10.64
2881acd chore: Bump dependencies
c2e2bb9 fix: Revert update meant to fix Powershell issue, as it's a regression
16f2b72 docs: Fix date in the changelog
de4e03c chore: Release v0.10.63
3fd53b7 chore: Upgrade lint-staged to v13
bf8ed79 chore: Ensure postinstall script does not crash on Windows
2cbbb07 chore: Bump dependencies
22d0416 chore: Bump LICENSE year
a52e957 fix: Support ES2015+ function definitions in function#toStringTokens()
Additional commits viewable in compare view

Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Improved fix for open redirect allow list bypass

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

Fix ci after location patch by @wesleytodd in expressjs/express#5552

fixed un-edited version in history.md for 4.19.0 by @wesleytodd in expressjs/express#5556

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

fix typo in release date by @UlisesGascon in expressjs/express#5527

docs: nominating @wesleytodd to be project captian by @wesleytodd in expressjs/express#5511

docs: loosen TC activity rules by @wesleytodd in expressjs/express#5510

Add note on how to update docs for new release by @crandmck in expressjs/express#5541

Prevent open redirect allow list bypass due to encodeurl

Release 4.19.0 by @wesleytodd in expressjs/express#5551

New Contributors

@crandmck made their first contribution in expressjs/express#5541

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

Fix routing requests without method

deps: [email protected]

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

deps: [email protected]

Other Changes

Use https: protocol instead of deprecated git: protocol by @vcsjones in expressjs/express#5032

build: [email protected] and [email protected] by @abenhamdine in expressjs/express#5034

ci: update actions/checkout to v3 by @armujahid in expressjs/express#5027

test: remove unused function arguments in params by @raksbisht in expressjs/express#5124

Remove unused originalIndex from acceptParams by @raksbisht in expressjs/express#5119

Fixed typos by @raksbisht in expressjs/express#5117

examples: remove unused params by @raksbisht in expressjs/express#5113

fix: parameter str is not described in JSDoc by @raksbisht in expressjs/express#5130

fix: typos in History.md by @raksbisht in expressjs/express#5131

build : add [email protected] by @abenhamdine in expressjs/express#5028

test: remove unused function arguments in params by @raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

Prevent open redirect allow list bypass due to encodeurl

deps: [email protected]

4.18.3 / 2024-02-29

Fix routing requests without method

deps: [email protected]

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

deps: [email protected]

deps: [email protected]

Add partitioned option

Commits

04bc627 4.19.2
da4d763 Improved fix for open redirect allow list bypass
4f0f6cc 4.19.1
a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
a1fa90f fixed un-edited version in history.md for 4.19.0
11f2b1d build: fix build due to inconsistent supertest behavior in older versions
084e365 4.19.0
0867302 Prevent open redirect allow list bypass due to encodeurl
567c9c6 Add note on how to update docs for new release (#5541)
69a4cf2 deps: [email protected]
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates follow-redirects from 1.15.5 to 1.15.6

Commits

35a517c Release version 1.15.6 of the npm package.
c4f847f Drop Proxy-Authorization across hosts.
8526b4a Use GitHub for disclosure.
See full diff in compare view

Updates msgpackr from 1.9.1 to 1.11.0

Commits

See full diff in compare view

Updates tar from 6.1.14 to 6.2.1

Changelog

Sourced from tar's changelog.

Changelog

7.4

Deprecate onentry in favor of onReadEntry for clarity.

7.3

Add onWriteEntry option

7.2

DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

Update minipass to v7.1.0

Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

Rewrite in TypeScript, provide ESM and CommonJS hybrid interface

Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.

Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.

Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

Add support for brotli compression

Add maxDepth option to prevent extraction into excessively deep folders.

6.1

remove dead link to benchmarks (#313) (@yetzt)

add examples/explanation of using tar.t (@isaacs)

ensure close event is emited after stream has ended (@webark)

... (truncated)

Commits

bef7b1e 6.2.1
fe8cd57 prevent extraction in excessively deep subfolders
fe7ebfd remove security.md
5bc9d40 6.2.0
fe1ef5e changelog 6.2
e483220 get rid of npm lint stuff
689928a ci that works outside of npm org
db6f539 file inference improvements for .tbr and .tgz
336fa8f refactor: dry and other pr comments
eeba222 chore: lint fixes
Additional commits viewable in compare view

Updates vite from 5.1.4 to 5.4.2

Release notes

Sourced from vite's releases.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.2 (2024-08-20)

chore: remove stale TODOs (#17866) (e012f29), closes #17866

refactor: remove redundant prepend/strip base (#17887) (3b8f03d), closes #17887

fix: resolve relative URL generated by renderBuiltUrl passed to module preload (#16084) (fac3a8e), closes #16084

feat: support originalFilename (#17867) (7d8c0e2), closes #17867

5.4.1 (2024-08-15)

fix: build.modulePreload.resolveDependencies is optimizable (#16083) (e961b31), closes #16083

fix: align CorsOptions.origin type with @types/cors (#17836) (1bda847), closes #17836

fix: typings for vite:preloadError (#17868) (6700594), closes #17868

fix(build): avoid re-define __vite_import_meta_env__ (#17876) (e686d74), closes #17876

fix(deps): update all non-major dependencies (#17869) (d11711c), closes #17869

fix(lightningcss): search for assets with correct base path (#17856) (4e5ce3c), closes #17856

fix(worker): handle self reference url worker in dependency for build (#17846) (391bb49), closes #17846

chore: fix picocolors import for local dev (#17884) (9018255), closes #17884

refactor: remove handleHotUpdate from watch-package-data plugin (#17865) (e16bf1f), closes #17865

5.4.0 (2024-08-07)

fix(build): windows platform build output path error (#17818) (6ae0615), closes #17818

fix(deps): update launch-editor to consume fix for windows paths (#17828) (cf2f90d), closes #17828

fix(ssr): fix global variable name conflict (#17809) (6aa2206), closes #17809

fix(worker): fix importScripts injection breaking iife code (#17827) (bb4ba9f), closes #17827

chore: bump typescript-eslint to v8 (#17624) (d1891fd), closes #17624

chore(deps): update all non-major dependencies (#17820) (bb2f8bb), closes #17820

perf(ssr): do a single-pass over AST with node cache arrays (#17812) (81327eb), closes #17812

5.4.0-beta.1 (2024-08-01)

fix: handle encoded base paths (#17577) (720447e), closes #17577

fix: opt-in server.fs.cachedChecks (#17807) (4de659c), closes #17807

feat(css): support sass compiler api and sass-embedded package (#17754) (1025bb6), closes #17754

5.4.0-beta.0 (2024-07-30)

fix: specify own Node version as target when bundling config files (#17307) (bbf001f), closes #17307

fix(build): handle invalid JSON in import.meta.env (#17648) (659b720), closes #17648

fix(deps): update all non-major dependencies (#17780) (e408542), closes #17780

fix(mergeConfig): don't recreate server.hmr.server instance (#17763) (5c55b29), closes #17763

feat(css): support sass modern api (#17728) (73a3de0), closes #17728

... (truncated)

Commits

b1ecdaf release: v5.4.2
e012f29 chore: remove stale TODOs (#17866)
3b8f03d refactor: remove redundant prepend/strip base (#17887)
fac3a8e fix: resolve relative URL generated by renderBuiltUrl passed to module prel...
7d8c0e2 feat: support originalFilename (#17867)
b44c20c release: v5.4.1
391bb49 fix(worker): handle self reference url worker in dependency for build (#17846)
e686d74 fix(build): avoid re-define __vite_import_meta_env__ (#17876)
9018255 chore: fix picocolors import for local dev (#17884)
1bda847 fix: align CorsOptions.origin type with @types/cors (#17836)
Additional commits viewable in compare view

Updates word-wrap from 1.2.3 to 1.2.5

Release notes

Sourced from word-wrap's releases.

1.2.5

Changes:

Reverts default value for options.indent to two spaces ' '.

Full Changelog: https://github.com/jonschlinkert/word-wrap/compare/1.2.4...1.2.5

1.2.4

What's Changed

Remove default indent by @mohd-akram in jonschlinkert/word-wrap#24

🔒fix: CVE 2023 26115 (2) by @OlafConijn in jonschlinkert/word-wrap#41

:lock: fix: CVE-2023-26115 by @aashutoshrathi in jonschlinkert/word-wrap#33

chore: publish workflow by @OlafConijn in jonschlinkert/word-wrap#42

New Contributors

@mohd-akram made their first contribution in jonschlinkert/word-wrap#24

@OlafConijn made their first contribution in jonschlinkert/word-wrap#41

@aashutoshrathi made their first contribution in jonschlinkert/word-wrap#33

Full Changelog: https://github.com/jonschlinkert/word-wrap/compare/1.2.3...1.2.4

Commits

207044e 1.2.5
9894315 revert default indent
f64b188 run verb to generate README
03ea082 Merge pull request #42 from jonschlinkert/chore/publish-workflow
420dce9 Merge pull request #41 from jonschlinkert/fix/CVE-2023-26115-2
bfa694e Update .github/workflows/publish.yml
ace0b3c chore: bump version to 1.2.4
6fd7275 chore: add publish workflow
30d6daf chore: fix test
655929c chore: remove package-lock
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the Security Alerts page.

Aug 21 '24 00:08 dependabot[bot]

This is a big set of changes. Voting to close the ticket while we vet them? @tamara-corbalt @kim-cmsds @pwolfert @zarahzachz

Aug 23 '24 20:08 jack-ryan-nava-pbc

Closing sounds good to me. Dependabot's trying to do too much

Aug 23 '24 22:08 pwolfert

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

Sep 04 '24 19:09 dependabot[bot]