Bump the npm_and_yarn group across 1 directory with 20 updates

Open dependabot[bot] opened this issue 3 weeks ago • 5 comments

Bumps the npm_and_yarn group with 19 updates in the / directory:

Package	From	To
webpack-dev-server	`4.13.3`	`5.2.1`
@babel/helpers	`7.21.5`	`7.28.4`
brace-expansion	`1.1.11`	`1.1.12`
browserify-sign	`4.2.1`	`4.2.5`
cipher-base	`1.0.4`	`1.0.7`
cross-spawn	`6.0.5`	`6.0.6`
elliptic	`6.5.4`	`6.6.1`
express	`4.18.2`	`4.22.1`
follow-redirects	`1.15.2`	`1.15.11`
form-data	`3.0.1`	`3.0.4`
min-document	`2.19.0`	`2.19.2`
nanoid	`3.3.4`	`3.3.11`
node-forge	`1.3.1`	`1.3.3`
pbkdf2	`3.1.2`	`3.1.5`
react-devtools-core	`4.27.1`	`4.28.5`
serve-static	`1.15.0`	`1.16.2`
sha.js	`2.4.11`	`2.4.12`
store2	`2.14.2`	`2.14.4`
ws	`6.2.2`	`6.2.3`

Updates webpack-dev-server from 4.13.3 to 5.2.1

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

v5.0.4

5.0.4 (2024-03-19)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

... (truncated)

Commits

0d22a08 chore(release): 5.2.1
6045b1e chore(deps): update (#5444)
ffd0b86 fix: take the first network found instead of the last one, this restores the ...
9ea7b08 ci: update dependency-review-action (#5442)
5c9378b Merge commit from fork
d2575ad Merge commit from fork
8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
5a39c70 ci: update codecov/codecov-action to v5 (#5406)
55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
Additional commits viewable in compare view

Updates @babel/helpers from 7.21.5 to 7.28.4

Release notes

Sourced from @babel/helpers's releases.

v7.28.4 (2025-09-05)

Thanks @gwillen and @mrginglymus for your first PRs!

:house: Internal

babel-core, babel-helper-check-duplicate-nodes, babel-traverse, babel-types

#17493 Update Jest to v30.1.1 (@JLHwung)

babel-plugin-transform-regenerator

#17455 chore: Clean up transform-regenerator (@liuxingbaoyu)

babel-core

#17474 Switch to @jridgewell/remapping (@mrginglymus)

Committers: 5

Babel Bot (@babel-bot)

Bill Collins (@mrginglymus)

Glenn Willen (@gwillen)

Huáng Jùnliàng (@JLHwung)

@liuxingbaoyu

v7.28.3 (2025-08-14)

:eyeglasses: Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

:bug: Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

:nail_care: Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

:memo: Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

:house: Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

:microscope: Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jam Balaya (@JamBalaya56562)

Nicolò Ribaudo (@nicolo-ribaudo)

easrng (@easrng)

... (truncated)

Changelog

Sourced from @babel/helpers's changelog.

v7.28.4 (2025-09-05)

:house: Internal

babel-core, babel-helper-check-duplicate-nodes, babel-traverse, babel-types

#17493 Update Jest to v30.1.1 (@JLHwung)

babel-plugin-transform-regenerator

#17455 chore: Clean up transform-regenerator (@liuxingbaoyu)

babel-core

#17474 Switch to @jridgewell/remapping (@mrginglymus)

v7.28.3 (2025-08-14)

:eyeglasses: Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

:bug: Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

:nail_care: Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

:memo: Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

:house: Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

:microscope: Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

v7.28.2 (2025-07-24)

:bug: Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

v7.28.1 (2025-07-12)

:bug: Bug Fix

babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

#17426 fix: regenerator correctly handles throw outside of try (@liuxingbaoyu)

:memo: Documentation

babel-types

#17422 Add missing FunctionParameter docs (@JLHwung)

... (truncated)

Commits

35055e3 v7.28.4
18d88b8 Improve @babel/core typings (#17471)
ef155f5 v7.28.3
741cbd2 chore: fix various typos across codebase (#17476)
cac0ff4 v7.28.2
f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
baa4cb8 v7.27.6
fdbf1b3 fix: finally causes unexpected return value (#17366)
7d06930 v7.27.4
5b9468d Reduce regenerator size more (#17287)
Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

pkg: publish on tag 1.x c460dbd

fmt ccb8ac6

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

https://github.com/juliangruber/brace-expansion/compare/v1.1.11...v1.1.12

Commits

44f33b4 1.1.12
c460dbd pkg: publish on tag 1.x
ccb8ac6 fmt
c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates browserify-sign from 4.2.1 to 4.2.5

Changelog

Sourced from browserify-sign's changelog.

v4.2.5 - 2025-09-24

Commits

[Tests] clean up tests and convert console info skips to tape skips 37b083c

[Fix] restore node 0.10 support faade86

[Deps] update parse-asn1 5a0f159

[actions] drop unsupported nodes from CI 106be97

v4.2.4 - 2025-09-22

Commits

[actions] split out node 10-20, and 20+ 17920d9

[meta] remove files field 6d5b280

[Deps] update bn.js, browserify-rsa, elliptic 31be0c2

[Dev Deps] update @ljharb/eslint-config, auto-changelog, semver, tape 5f66982

[Tests] replace aud with npm audit d44b24d

[Dev Deps] add missing peer dep ab975f4

[Deps] revert 9e2bf12, now that v3.1.1 is out 428cf7f

v4.2.3 - 2024-03-05

Commits

[patch] widen support to 0.12 9247adf

[patch] drop minimum node support to v1 4d0ee49

[Dev Deps] update aud, npmignore, tape 87f3a35

[actions] remove redundant finisher 37a4758

[Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12

[Deps] update parse-asn1 [f427270`](https://github.com/browserify/browserify-sign/commit/f427270ac11dc6be29f87d7afb046c16376a5a9c)

[Deps] update elliptic fb261ce

[Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

[Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

Only apps should have lockfiles 09a8995

[eslint] switch to eslint 83fe463

[meta] add npmignore and auto-changelog 4418183

[meta] fix package.json indentation 9ac5a5e

[Tests] migrate from travis to github actions d845d85

[Fix] sign: throw on unsupported padding scheme 8767739

[Fix] properly check the upper bound for DSA signatures 85994cd

[Tests] handle openSSL not supporting a scheme f5f17c2

... (truncated)

Commits

d3a7458 v4.2.5
37b083c [Tests] clean up tests and convert console info skips to tape skips
faade86 [Fix] restore node 0.10 support
5a0f159 [Deps] update parse-asn1
106be97 [actions] drop unsupported nodes from CI
9c37172 v4.2.4
6d5b280 [meta] remove files field
17920d9 [actions] split out node 10-20, and 20+
31be0c2 [Deps] update bn.js, browserify-rsa, elliptic
ab975f4 [Dev Deps] add missing peer dep
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

[Refactor] use to-buffer fd1e5ee

[Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

[Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

[Tests] standard -> eslint, make test dir, etc ae02fd6

[Tests] migrate from travis to GHA 66387d7

[meta] fix package.json indentation 5c02918

[Fix] return valid values on multi-byte-wide TypedArray input 8fd1364

[meta] add auto-changelog 88dc806

[meta] add npmignore and safe-publish-latest 7a137d7

Only apps should have lockfiles 42528f2

[Deps] update inherits, safe-buffer 0e7a2d9

[meta] add missing engines.node f2dc13e

Commits

0056718 v1.0.7
fd1e5ee [Refactor] use to-buffer
08ba803 [Dev Deps] update @ljharb/eslint-config
f5249f9 v1.0.6
b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
f03cebf v1.0.5
88dc806 [meta] add auto-changelog
7a137d7 [meta] add npmignore and safe-publish-latest
5c02918 [meta] fix package.json indentation
8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Updates cross-spawn from 6.0.5 to 6.0.6

Changelog

Sourced from cross-spawn's changelog.

6.0.6 (2024-11-18)

Bug Fixes

disable regexp backtracking (#160) (ba5aaef)

core: support worker threads (#127) (f4af31c)

Commits

d35c865 chore(release): 6.0.6
5a37e19 chore: update package.json and package.lock
ba5aaef fix: disable regexp backtracking (#160)
f4af31c fix(core): support worker threads (#127)
See full diff in compare view

Updates elliptic from 6.5.4 to 6.6.1

Commits

9b77436 6.6.1
04cb6f5 Merge commit from fork
b8a7edd 6.6.0
34c8534 fix: signature verification due to leading zeros
3e46a48 6.5.7
accb61e lib: DER signature decoding correction
03e06e1 6.5.6
7ac5360 Merge commit from fork
7570078 6.5.5
206da2e lib: lint
Additional commits viewable in compare view

Updates express from 4.18.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 4.22.1 by @UlisesGascon in expressjs/express#6934

Full Changelog: https://github.com/expressjs/express/compare/4.22.0...v4.22.1

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for [email protected] by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: [email protected] by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: https://github.com/expressjs/express/compare/4.21.2...4.22.0

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: [email protected] by @blakeembrey in expressjs/express#5956

deps: bump [email protected] by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: [email protected]

4.21.2 / 2024-11-06

deps: [email protected]

Fix backtracking protection

deps: [email protected]

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: [email protected]

includes [email protected]

deps: [email protected]

deps: [email protected]

4.20.0 / 2024-09-10

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: [email protected]

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

12fae14 4.22.1
5ddf311 Revert "sec: security patch for CVE-2024-51999"
49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
6a23d34 deps: use tilde notation for qs (#6919)
8c12cdf deps: [email protected] (#6909)
7fea74f deps: use tilde notation for certain dependencies (#6905)
dac7a04 chore: wider range for query test skip (#6513)
997919b ci: add node.js 24 to test matrix (#6506)
36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates follow-redirects from 1.15.2 to 1.15.11

Commits

21ef28a Release version 1.15.11 of the npm package.
7c88135 Roll back tree shaking.
6e389ba Release version 1.15.10 of the npm package.
5bc496e Shake me up before you go-go.
694d6b4 Bump minimist from 1.2.5 to 1.2.8
e4e55c7 Release version 1.15.9 of the npm package.
31a1abf Attempt much more gentle detection.
d2aaa97 Fix url field.
62558f0 Release version 1.15.8 of the npm package.
a8d1cee Return subtlety.
Additional commits viewable in compare view

Updates form-data from 3.0.1 to 3.0.4

Release notes

Sourced from form-data's releases.

v3.0.2

Fixes

npmignore temporary build files (#532)

move util.isArray to Array.isArray (#564)

Tests

migrate from travis to GHA

Changelog

Sourced from form-data's changelog.

v3.0.4 - 2025-07-16

Fixed

[Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

[eslint] update linting config f5e7eb0

[meta] add auto-changelog d2eb290

[Tests] handle predict-v8-randomness failures in node < 17 and node > 23 e8c574c

[Fix] Switch to using crypto random for boundary values c6ced61

[Refactor] use hasown 1a78b5d

[Fix] validate boundary type in setBoundary() method 70bbaa0

[Tests] add tests to check the behavior of getBoundary with non-strings b22a64e

[meta] actually ensure the readme backup isn’t published 0150851

[meta] remove local commit hooks fc42bb9

[Dev Deps] remove unused deps a14d09e

[meta] fix scripts to use prepublishOnly 11d9f73

[meta] fix readme capitalization fc38b48

v3.0.3 - 2025-02-14

Merged

[Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

Fixed

[Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

Commits

[Refactor] use Object.prototype.hasOwnProperty.call 7fecefe

[Dev Deps] update @types/node, browserify, coveralls, cross-spawn, eslint, formidable, in-publish, pkgfiles, pre-commit, puppeteer, request, tape, typescript 8261fcb

Only apps should have lockfiles b82f590

[Dev Deps] pin request which via tough-cookie ^2.4 depends on psl e5df7f2

[Deps] update mime-types 5a5bafe

v3.0.2 - 2024-10-10

Merged

fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Commits

[Tests] migrate from travis to GHA 8fdb3bc

[eslint] clean up ignores 3217b3d

fix: move util.isArray to Array.isArray (#564) edb555a

Commits

9c82fcd v3.0.4
e8c574c [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
c6ced61 [Fix] Switch to using crypto random for boundary values
0150851 [meta] actually ensure the readme backup isn’t published
fc38b48 [meta] fix readme capitalization
d2eb290 [meta] add auto-changelog
fc42bb9 [meta] remove local commit hooks
a14d09e [Dev Deps] remove unused deps
002b9b0 [Fix] append: avoid a crash on nullish values
70bbaa0 [Fix] validate boundary type in setBoundary() method
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Updates http-proxy-middleware from 2.0.6 to 2.0.9

Release notes

Sourced from http-proxy-middlew...

Description has been truncated

Dec 06 '25 16:12 dependabot[bot]

@dependabot rebase

Dec 06 '25 18:12 leotm

Looks like this PR is already up-to-date with master! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

Dec 06 '25 18:12 dependabot[bot]

@dependabot recreate

Dec 06 '25 18:12 leotm

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

Dec 06 '25 19:12 socket-security[bot]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	webpack-dev-server@4.13.3 ⏵ 5.2.1		⁺¹³

View full report

Dec 07 '25 19:12 socket-security[bot]