Bump the npm_and_yarn group across 3 directories with 16 updates

Open dependabot[bot] opened this issue 1 year ago • 0 comments

Bumps the npm_and_yarn group with 5 updates in the /controller/web-server directory:

Package	From	To
firebase	`10.1.0`	`10.9.0`
ws	`8.17.1`	`8.18.0`
cross-spawn	`7.0.3`	`7.0.6`
cross-spawn	`6.0.5`	`7.0.6`
postcss	`8.4.39`	`8.5.1`
shell-quote	`1.8.1`	`1.8.2`

Bumps the npm_and_yarn group with 7 updates in the /controller/web-server/server directory:

Package	From	To
ws	`7.5.10`	`8.18.0`
cross-spawn	`7.0.3`	`7.0.6`
cross-spawn	`6.0.5`	`7.0.6`
send	`0.18.0`	`0.19.0`
express	`4.19.2`	`4.21.2`
shell-quote	`1.8.1`	`1.8.2`
cookie	`0.4.1`	`0.7.2`
cookie-parser	`1.4.6`	`1.4.7`

Bumps the npm_and_yarn group with 4 updates in the /policy/frontend directory: nanoid, express, http-proxy-middleware and elliptic.

Updates firebase from 10.1.0 to 10.9.0

Commits

1eb302f Version Packages (#8063)
b498867 Merge master into release
ce88e71 snapshot listeners source from cache (#7982)
6d487d7 Prevent using authTokenSyncURL if the string begins with a double slash (#8060)
b4d59d6 Merge master into release
2b22838 Fix glob pattern to work with Node 20 and its NPM version (#8059)
feb5038 Update CI node.js versions to 20.x (#8055)
245dd26 Enforce authTokenSyncURL being a path and not a url. (#8056)
e60188d Version Packages (#8046)
7e2efbf Merge master into release
Additional commits viewable in compare view

Updates ws from 8.17.1 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

Added support for Blob (#2229).

Commits

976c53c [dist] 8.18.0
59b9629 [feature] Add support for Blob (#2229)
0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
15f11a0 [security] Add new DoS vulnerability to SECURITY.md
See full diff in compare view

Updates ip from 1.1.8 to 2.0.0

Commits

4b2f4e7 2.0.0
369d56d lib: use Buffer.alloc
3cdbc26 Fix typo in comment
0aef004 Added ::ffff:127.0.0.1 for isPrivate method
See full diff in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

disable regexp backtracking (#160) (5ff3a07)

Commits

77cd97f chore(release): 7.0.6
6717de4 chore: upgrade standard-version
f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
9a7e3b2 chore: fix build status badge
0852683 chore(release): 7.0.5
640d391 fix: fix escaping bug introduced by backtracking
bff0c87 chore: remove codecov
a7c6abc chore: replace travis with github workflows
9b9246e chore(release): 7.0.4
5ff3a07 fix: disable regexp backtracking (#160)
Additional commits viewable in compare view

Updates cross-spawn from 6.0.5 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

disable regexp backtracking (#160) (5ff3a07)

Commits

77cd97f chore(release): 7.0.6
6717de4 chore: upgrade standard-version
f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
9a7e3b2 chore: fix build status badge
0852683 chore(release): 7.0.5
640d391 fix: fix escaping bug introduced by backtracking
bff0c87 chore: remove codecov
a7c6abc chore: replace travis with github workflows
9b9246e chore(release): 7.0.4
5ff3a07 fix: disable regexp backtracking (#160)
Additional commits viewable in compare view

Updates postcss from 8.4.39 to 8.5.1

Release notes

Sourced from postcss's releases.

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@romainmenke during his work on Stylelint added Input#document in additional to Input#css.
root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

Tidelift with a Spotify-like subscription model supporting all projects from your lock file.

Direct donations at GitHub Sponsors or Open Collective.

8.4.49

Fixed custom syntax without source.offset (by @romainmenke).

8.4.48

Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

Removed debug code.

8.4.46

Fixed Cannot read properties of undefined (reading 'before').

8.4.45

Removed unnecessary fix which could lead to infinite loop.

8.4.44

Another way to fix markClean is not a function error.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

Added Input#document for sources like CSS-in-JS or HTML (by @romainmenke).

8.4.49

Fixed custom syntax without source.offset (by @romainmenke).

8.4.48

Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

Removed debug code.

8.4.46

Fixed Cannot read properties of undefined (reading 'before').

8.4.45

Removed unnecessary fix which could lead to infinite loop.

8.4.44

Another way to fix markClean is not a function error.

8.4.43

Fixed markClean is not a function error.

8.4.42

Fixed CSS syntax error on long minified files (by @varpstar).

8.4.41

Fixed types (by @nex3 and @querkmachine).

Cleaned up RegExps (by @bluwy).

8.4.40

Moved to getter/setter in nodes types to help Sass team (by @nex3).

Commits

7b02c75 Release 8.5.1 version
4c15339 Update dependencies
7efe91e Improve backwards compat for Input#document (#2000)
6873270 Release 8.5 version
4223bb9 Fix 80 columns limit
80e2401 Add Input#document (#1996)
6f86879 Update dependencies
85cbbec Fix pnpm version on CI
76caa57 Update dependencies
46ff246 Move to pnpm 10
Additional commits viewable in compare view

Updates nanoid from 3.3.7 to 3.3.8

Changelog

Sourced from nanoid's changelog.

3.3.8

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

3.3.7

Fixed node16 TypeScript support (by Saadi Myftija).

3.3.6

Fixed package.

3.3.5

Backport funding information.

Commits

3044cd5 Release 3.3.8 version
4fe3495 Update size limit
d643045 Fix pool pollution, infinite loop (#510)
89d82d2 Release 3.3.7 version
5022c35 Update dual-publish
3e7a8e5 Remove benchmark from CI for v3
d356144 Fix CI for v3
37b25df Move to pnpm 8
d96f392 Release 3.3.6 version
8210dfb Release 3.3.5 version
Additional commits viewable in compare view

Updates shell-quote from 1.8.1 to 1.8.2

Changelog

Sourced from shell-quote's changelog.

v1.8.2 - 2024-11-27

Fixed

[Fix] quote: preserve empty strings [#18](https://github.com/ljharb/shell-quote/issues/18)

Commits

[meta] fix changelog tags 0fb9fd8

[actions] split out node 10-20, and 20+ 819bd84

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408

[actions] update npm for windows tests fdeb0fd

[Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b

[actions] prevent node 14 on ARM mac from failing 9eecafc

[meta] exclude more files from the package 4044e7f

[Tests] replace aud with npm audit 8cfdbd8

[meta] add missing engines.node 843820e

[Dev Deps] add missing peer dep 4c3b88d

[Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed

Commits

b19fc77 v1.8.2
59d29ea [Fix] quote: preserve empty strings
819bd84 [actions] split out node 10-20, and 20+
4c3b88d [Dev Deps] add missing peer dep
fc56408 [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape
8cfdbd8 [Tests] replace aud with npm audit
9eecafc [actions] prevent node 14 on ARM mac from failing
843820e [meta] add missing engines.node
4044e7f [meta] exclude more files from the package
fdeb0fd [actions] update npm for windows tests
Additional commits viewable in compare view

Updates ws from 7.5.10 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

Added support for Blob (#2229).

Commits

976c53c [dist] 8.18.0
59b9629 [feature] Add support for Blob (#2229)
0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
15f11a0 [security] Add new DoS vulnerability to SECURITY.md
See full diff in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

disable regexp backtracking (#160) (5ff3a07)

Commits

77cd97f chore(release): 7.0.6
6717de4 chore: upgrade standard-version
f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
9a7e3b2 chore: fix build status badge
0852683 chore(release): 7.0.5
640d391 fix: fix escaping bug introduced by backtracking
bff0c87 chore: remove codecov
a7c6abc chore: replace travis with github workflows
9b9246e chore(release): 7.0.4
5ff3a07 fix: disable regexp backtracking (#160)
Additional commits viewable in compare view

Updates cross-spawn from 6.0.5 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

disable regexp backtracking (#160) (5ff3a07)

Commits

77cd97f chore(release): 7.0.6
6717de4 chore: upgrade standard-version
f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
9a7e3b2 chore: fix build status badge
0852683 chore(release): 7.0.5
640d391 fix: fix escaping bug introduced by backtracking
bff0c87 chore: remove codecov
a7c6abc chore: replace travis with github workflows
9b9246e chore(release): 7.0.4
5ff3a07 fix: disable regexp backtracking (#160)
Additional commits viewable in compare view

Updates send from 0.18.0 to 0.19.0

Release notes

Sourced from send's releases.

0.19.0

What's Changed

Remove link renderization in html while redirecting (pillarjs/send#235)

New Contributors

@UlisesGascon made their first contribution in pillarjs/send#235

Full Changelog: https://github.com/pillarjs/send/compare/0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.0 / 2024-09-10

Remove link renderization in html while redirecting

Commits

9d2db99 0.19.0
ae4f298 Merge commit from fork
See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.

Updates express from 4.19.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: [email protected] by @blakeembrey in expressjs/express#5956

deps: bump [email protected] by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

[email protected] by @wesleytodd in expressjs/express#5954

fix(deps): [email protected] by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

deps: [email protected]

Fix backtracking protection

deps: [email protected]

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: [email protected]

includes [email protected]

deps: [email protected]

deps: [email protected]

4.20.0 / 2024-09-10

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: [email protected]

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

1faf228 4.21.2
2e0fb64 deps: bump [email protected] (#6209)
59fc270 deps: [email protected] (#5956)
51fc39c docs: add funding (#6065)
8e229f9 4.21.1
a024c8a fix(deps): [email protected]
7e562c6 4.21.0
1bcde96 fix(deps): [email protected] (#5946)
7d36477 fix(deps): [email protected] (#5951)
40d2d8f fix(deps): [email protected]
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates serve-static from 1.15.0 to 1.16.2

Release notes

Sourced from serve-static's releases.

v1.16.2

What's Changed

encodeurl@~2.0.0 by @wesleytodd in expressjs/serve-static#180

Full Changelog: https://github.com/expressjs/serve-static/compare/v1.16.1...v1.16.2

v1.16.1

What's Changed

bump send to 0.19 by @tommasini in expressjs/serve-static#176

New Contributors

@tommasini made their first contribution in expressjs/serve-static#176

Full Changelog: https://github.com/expressjs/serve-static/compare/1.16.0...v1.16.1

1.16.0

What's Changed

Remove link renderization in html while redirecting (expressjs/serve-static#173)

New Contributors

@UlisesGascon made their first contribution in expressjs/serve-static#173

Full Changelog: https://github.com/expressjs/serve-static/compare/v1.15.0...1.16.0

Changelog

Sourced from serve-static's changelog.

1.16.2 / 2024-09-11

deps: encodeurl@~2.0.0

1.16.1 / 2024-09-11

deps: [email protected]

1.16.0 / 2024-09-10

Remove link renderization in html while redirecting

Commits

ec9c5ec 1.16.2
f454d37 fix(deps): encodeurl@~2.0.0
77a8255 1.16.1
4263f49 fix(deps): [email protected]
48c7397 1.16.0
0c11fad Merge commit from fork
See full diff in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for serve-static since your current version.

Updates shell-quote from 1.8.1 to 1.8.2

Changelog

Sourced from shell-quote's changelog.

v1.8.2 - 2024-11-27

Fixed

[Fix] quote: preserve empty strings [#18](https://github.com/ljharb/shell-quote/issues/18)

Commits

[meta] fix changelog tags 0fb9fd8

[actions] split out node 10-20, and 20+ 819bd84

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408

[actions] update npm for windows tests fdeb0fd

[Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b

[actions] prevent node 14 on ARM mac from failing 9eecafc

[meta] exclude more files from the package 4044e7f

[Tests] replace aud with npm audit 8cfdbd8

[meta] add missing engines.node 843820e

[Dev Deps] add missing peer dep 4c3b88d

[Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed

Commits

b19fc77 v1.8.2
59d29ea [Fix] quote: preserve empty strings
819bd84 [actions] split out node 10-20, and 20+
4c3b88d [Dev Deps] add missing peer dep
fc56408 [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape
8cfdbd8 [Tests] replace aud with npm audit
9eecafc [actions] prevent node 14 on ARM mac from failing
843820e [meta] add missing engines.node
4044e7f [meta] exclude more files from the package
fdeb0fd [actions] update npm for windows tests
Additional commits viewable in compare view

Updates express from 4.19.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: [email protected] by @blakeembrey in expressjs/express#5956

deps: bump [email protected] by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

[email protected] by @wesleytodd in expressjs/express#5954

fix(deps): [email protected] by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

deps: [email protected]

Fix backtracking protection

deps: [email protected]

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: [email protected]

includes [email protected]

deps: [email protected]

deps: [email protected]

4.20.0 / 2024-09-10

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: [email protected]

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

1faf228 4.21.2
2e0fb64 deps: bump [email protected] (#6209)
59fc270 deps: [email protected] (#5956)
51fc39c docs: add funding (#6065)
8e229f9 4.21.1
a024c8a fix(deps): [email protected]
7e562c6 4.21.0
1bcde96 fix(deps): [email protected] (#5946)
7d36477 fix(deps): [email protected] (#5951)
40d2d8f fix(deps): [email protected]
Additional commits viewable in compare view

Description has been truncated

Jan 20 '25 00:01 dependabot[bot]