Bump the npm_and_yarn group across 2 directories with 29 updates

Open

Number: #45
Type: Pull Request
State: Open

Author:

dependabot[bot]
Association: None
Comments: 0

Created: September 04, 2025 at 08:34 PM UTC
(2 days ago)

Updated: September 04, 2025 at 08:34 PM UTC
(2 days ago)

Labels:
dependencies javascript

Description:

Bumps the npm_and_yarn group with 22 updates in the /mocaverse-embed/moca-wagmi-example directory:

Package	From	To
@babel/helpers	`7.23.9`	`7.28.3`
@babel/runtime	`7.23.9`	`7.28.3`
ws	`6.2.2`	`6.2.3`
body-parser	`1.20.1`	`1.20.3`
express	`4.18.2`	`4.21.2`
brace-expansion	`1.1.11`	`1.1.12`
cross-spawn	`7.0.3`	`7.0.6`
ejs	`3.1.9`	`3.1.10`
elliptic	`6.5.4`	`6.6.1`
fast-xml-parser	`4.3.5`	`4.5.3`
follow-redirects	`1.15.5`	`1.15.11`
form-data	`3.0.1`	`3.0.4`
http-proxy-middleware	`2.0.6`	`2.0.9`
image-size	`1.1.1`	`1.2.1`
micromatch	`4.0.5`	`4.0.8`
on-headers	`1.0.2`	`1.1.0`
compression	`1.7.4`	`1.8.1`
rollup	`2.79.1`	`2.79.2`
secp256k1	`5.0.0`	`5.0.1`
sha.js	`2.4.11`	`2.4.12`
webpack	`5.90.3`	`5.101.3`
webpack-dev-middleware	`5.3.3`	`5.3.4`

Bumps the npm_and_yarn group with 20 updates in the /mocaverse-embed/moca-react-example directory:

Package	From	To
@babel/helpers	`7.23.9`	`7.28.3`
@babel/runtime	`7.23.9`	`7.28.3`
body-parser	`1.20.1`	`1.20.3`
express	`4.18.2`	`4.21.2`
brace-expansion	`1.1.11`	`1.1.12`
braces	`3.0.2`	`3.0.3`
cross-spawn	`7.0.3`	`7.0.6`
ejs	`3.1.9`	`3.1.10`
elliptic	`6.5.4`	`6.6.1`
follow-redirects	`1.15.5`	`1.15.11`
form-data	`3.0.1`	`3.0.4`
http-proxy-middleware	`2.0.6`	`2.0.9`
micromatch	`4.0.5`	`4.0.8`
nanoid	`3.3.7`	`3.3.11`
on-headers	`1.0.2`	`1.1.0`
compression	`1.7.4`	`1.8.1`
rollup	`2.79.1`	`2.79.2`
webpack	`5.90.3`	`5.101.3`
webpack-dev-middleware	`5.3.3`	`5.3.4`
web3-utils	`4.2.0`	`4.3.3`

Updates @babel/helpers from 7.23.9 to 7.28.3

Release notes

Sourced from @babel/helpers's releases.

v7.28.3 (2025-08-14)

:eyeglasses: Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

:bug: Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

:nail_care: Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

:memo: Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

:house: Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

:microscope: Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jam Balaya (@JamBalaya56562)

Nicolò Ribaudo (@nicolo-ribaudo)

easrng (@easrng)

v7.28.2 (2025-07-24)

Thanks @souhailaS for your first PR!

:bug: Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Nicolò Ribaudo (@nicolo-ribaudo)

SOUHAILA SERBOUT (@souhailaS)

@liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @babel/helpers's changelog.

v7.28.3 (2025-08-14)

:eyeglasses: Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

:bug: Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

:nail_care: Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

:memo: Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

:house: Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

:microscope: Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

v7.28.2 (2025-07-24)

:bug: Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

v7.28.1 (2025-07-12)

:bug: Bug Fix

babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

#17426 fix: regenerator correctly handles throw outside of try (@liuxingbaoyu)

:memo: Documentation

babel-types

#17422 Add missing FunctionParameter docs (@JLHwung)

:leftwards_arrow_with_hook: Revert

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types

#17432 Do not mark OptionalMemberExpresion as LVal (@JLHwung)

v7.28.0 (2025-07-02)

:rocket: New Feature

babel-node

#17147 Support top level await in node repl (@liuxingbaoyu)

babel-types

... (truncated)

Commits

ef155f5 v7.28.3
741cbd2 chore: fix various typos across codebase (#17476)
cac0ff4 v7.28.2
f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
baa4cb8 v7.27.6
fdbf1b3 fix: finally causes unexpected return value (#17366)
7d06930 v7.27.4
5b9468d Reduce regenerator size more (#17287)
cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
49c0dbb Fix iterator compatibility of regeneratorValues (#17335)
Additional commits viewable in compare view

Updates @babel/runtime from 7.23.9 to 7.28.3

Release notes

Sourced from @babel/runtime's releases.

v7.28.3 (2025-08-14)

:eyeglasses: Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

:bug: Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

:nail_care: Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

:memo: Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

:house: Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

:microscope: Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jam Balaya (@JamBalaya56562)

Nicolò Ribaudo (@nicolo-ribaudo)

easrng (@easrng)

v7.28.2 (2025-07-24)

Thanks @souhailaS for your first PR!

:bug: Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Nicolò Ribaudo (@nicolo-ribaudo)

SOUHAILA SERBOUT (@souhailaS)

@liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @babel/runtime's changelog.

v7.28.3 (2025-08-14)

:eyeglasses: Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

:bug: Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

:nail_care: Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

:memo: Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

:house: Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

:microscope: Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

v7.28.2 (2025-07-24)

:bug: Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

v7.28.1 (2025-07-12)

:bug: Bug Fix

babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

#17426 fix: regenerator correctly handles throw outside of try (@liuxingbaoyu)

:memo: Documentation

babel-types

#17422 Add missing FunctionParameter docs (@JLHwung)

:leftwards_arrow_with_hook: Revert

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types

#17432 Do not mark OptionalMemberExpresion as LVal (@JLHwung)

v7.28.0 (2025-07-02)

:rocket: New Feature

babel-node

#17147 Support top level await in node repl (@liuxingbaoyu)

babel-types

... (truncated)

Commits

ef155f5 v7.28.3
cac0ff4 v7.28.2
f68ac51 chore: Avoid CITGM errors (#17382)
baa4cb8 v7.27.6
7d06930 v7.27.4
5b9468d Reduce regenerator size more (#17287)
cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
a0690e3 Split regeneratorRuntime into multiple helpers (#17238)
da5e371 v7.27.3
eebd3a0 v7.27.1
Additional commits viewable in compare view

Updates ws from 6.2.2 to 6.2.3

Release notes

Sourced from ws's releases.

6.2.3

Bug fixes

Backported e55e5106 to the 6.x release line (eeb76d31).

Commits

d87f3b6 [dist] 6.2.3
eeb76d3 [security] Fix crash when the Upgrade header cannot be read (#2231)
See full diff in compare view

Updates body-parser from 1.20.1 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to node@22.4.1 by @wesleytodd in expressjs/body-parser#527

deps: qs@6.12.3 by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

New Contributors

@inigomarquinez made their first contribution in expressjs/body-parser#522

@melikhov-dev made their first contribution in expressjs/body-parser#521

@bjohansebas made their first contribution in expressjs/body-parser#531

@UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3

1.20.2

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

perf: skip value escaping when unnecessary

deps: raw-body@2.5.2

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

perf: skip value escaping when unnecessary

deps: raw-body@2.5.2

Commits

1752951 1.20.3
39744cf chore: linter (#534)
b2695c4 Merge commit from fork
ade0f3f add scorecard to readme (#531)
99a1bd6 deps: qs@6.12.3 (#521)
9478591 fix: pin to node@22.4.1
83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
9d4e212 chore: add support for OSSF scorecard reporting (#522)
ee91374 1.20.2
368a93a Fix strict json error message on Node.js 19+
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

finalhandler@1.3.1 by @wesleytodd in expressjs/express#5954

fix(deps): serve-static@1.16.2 by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

1faf228 4.21.2
2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)
59fc270 deps: path-to-regexp@0.1.11 (#5956)
51fc39c docs: add funding (#6065)
8e229f9 4.21.1
a024c8a fix(deps): cookie@0.7.1
7e562c6 4.21.0
1bcde96 fix(deps): qs@6.13.0 (#5946)
7d36477 fix(deps): serve-static@1.16.2 (#5951)
40d2d8f fix(deps): finalhandler@1.3.1
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

pkg: publish on tag 1.x c460dbd

fmt ccb8ac6

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

https://github.com/juliangruber/brace-expansion/compare/v1.1.11...v1.1.12

Commits

44f33b4 1.1.12
c460dbd pkg: publish on tag 1.x
ccb8ac6 fmt
c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates cookie from 0.5.0 to 0.7.1

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

Allow leading dot for domain (#174)

Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec

Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

https://github.com/jshttp/cookie/compare/v0.7.0...v0.7.1

0.7.0

perf: parse cookies ~10% faster (#144 by @kurtextrem and #170)

fix: narrow the validation of cookies to match RFC6265 (#167 by @bewinsnw)

fix: add main to package.json for rspack (#166 by @proudparrot2)

https://github.com/jshttp/cookie/compare/v0.6.0...v0.7.0

0.6.0

Add partitioned option

Commits

cf4658f 0.7.1
6a8b8f5 Allow leading dot for domain (#174)
58015c0 Remove more code and perf wins (#172)
ab057d6 0.7.0
5f02ca8 Migrate history to GitHub releases
a5d591c Migrate history to GitHub releases
51968f9 Skip isNaN
9e7ca51 perf(parse): cache length, return early (#144)
d6f39b0 Fix tests for old node
6bb701f Remove failing scorecard
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

disable regexp backtracking (#160) (5ff3a07)

Commits

77cd97f chore(release): 7.0.6
6717de4 chore: upgrade standard-version
f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
9a7e3b2 chore: fix build status badge
0852683 chore(release): 7.0.5
640d391 fix: fix escaping bug introduced by backtracking
bff0c87 chore: remove codecov
a7c6abc chore: replace travis with github workflows
9b9246e chore(release): 7.0.4
5ff3a07 fix: disable regexp backtracking (#160)
Additional commits viewable in compare view

Updates ejs from 3.1.9 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

Commits

d3f807d Version 3.1.10
9ee26dd Mocha TDD
e469741 Basic pollution protection
715e950 Merge pull request #756 from Jeffrey-mu/main
cabe314 Include advanced usage examples
29b076c Added header
11503c7 Merge branch 'main' of github.com:mde/ejs into main
7690404 Added security banner to README
f47d7ae Update SECURITY.md
828cea1 Update SECURITY.md
Additional commits viewable in compare view

Updates elliptic from 6.5.4 to 6.6.1

Commits

9b77436 6.6.1
04cb6f5 Merge commit from fork
b8a7edd 6.6.0
34c8534 fix: signature verification due to leading zeros
3e46a48 6.5.7
accb61e lib: DER signature decoding correction
03e06e1 6.5.6
7ac5360 Merge commit from fork
7570078 6.5.5
206da2e lib: lint
Additional commits viewable in compare view

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

finalhandler@1.3.1 by @wesleytodd in expressjs/express#5954

fix(deps): serve-static@1.16.2 by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie
Description has been truncated

Pull Request Statistics

Commits:
1

Files Changed:
2

Additions:
+1643

Deletions:
-1138

Package Dependencies

Package:
@babel/helpers

Ecosystem:
npm

Version Change:
7.23.9 → 7.28.3

Update Type:
Minor

Package:
@babel/runtime

Ecosystem:
npm

Version Change:
7.23.9 → 7.28.3

Update Type:
Minor

Package:
cross-spawn

Ecosystem:
npm

Version Change:
7.0.3 → 7.0.6

Update Type:
Patch

Package:
http-proxy-middleware

Ecosystem:
npm

Version Change:
2.0.6 → 2.0.9

Update Type:
Patch

Package:
ws

Ecosystem:
npm

Version Change:
6.2.2 → 6.2.3

Update Type:
Patch

Package:
webpack

Ecosystem:
npm

Version Change:
5.90.3 → 5.101.3

Update Type:
Minor

Package:
elliptic

Ecosystem:
npm

Version Change:
6.5.4 → 6.6.1

Update Type:
Minor

Package:
fast-xml-parser

Ecosystem:
npm

Version Change:
4.3.5 → 4.5.3

Update Type:
Minor

Package:
express

Ecosystem:
npm

Version Change:
4.18.2 → 4.21.2

Update Type:
Minor

Package:
micromatch

Ecosystem:
npm

Version Change:
4.0.5 → 4.0.8

Update Type:
Patch

Package:
rollup

Ecosystem:
npm

Version Change:
2.79.1 → 2.79.2

Update Type:
Patch

Package:
form-data

Ecosystem:
npm

Version Change:
3.0.1 → 3.0.4

Update Type:
Patch

Package:
follow-redirects

Ecosystem:
npm

Version Change:
1.15.5 → 1.15.11

Update Type:
Patch

Package:
image-size

Ecosystem:
npm

Version Change:
1.1.1 → 1.2.1

Update Type:
Minor

Package:
ejs

Ecosystem:
npm

Version Change:
3.1.9 → 3.1.10

Update Type:
Patch

Package:
secp256k1

Ecosystem:
npm

Version Change:
5.0.0 → 5.0.1

Update Type:
Patch

Package:
body-parser

Ecosystem:
npm

Version Change:
1.20.1 → 1.20.3

Update Type:
Patch

Package:
webpack-dev-middleware

Ecosystem:
npm

Version Change:
5.3.3 → 5.3.4

Update Type:
Patch

Package:
compression

Ecosystem:
npm

Version Change:
1.7.4 → 1.8.1

Update Type:
Minor

Package:
brace-expansion

Ecosystem:
npm

Version Change:
1.1.11 → 1.1.12

Update Type:
Patch

Package:
sha.js

Ecosystem:
npm

Version Change:
2.4.11 → 2.4.12

Update Type:
Patch

Package:
on-headers

Ecosystem:
npm

Version Change:
1.0.2 → 1.1.0

Update Type:
Minor

Security Advisories

cookie accepts cookie name, path, and domain with out of bounds characters

GHSA-pxg6-pf52-xh8x CVE-2024-47764 LOW

### Impact The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize("userName=<script>alert('XSS3')</script>; Max-Age=25920...

Actions

View on GitHub View Repository All Dependabot PRs

Technical Details

ID:	`6980596`
UUID:	`2800785406`
Node ID:	`PR_kwDOLYoSbs6m8Jf-`
Host:	GitHub
Repository:	MetaMask/wallet-ecosystems-examples
Merge State:	Unknown