Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Bump the npm_and_yarn group across 1 directory with 13 updates

Closed
Number: #325
Type: Pull Request
State: Closed
Author: dependabot[bot] dependabot[bot]
Association: Contributor
Comments: 0
Created: June 13, 2025 at 05:16 PM UTC
(12 months ago)
Updated: August 05, 2025 at 05:40 PM UTC
(10 months ago)
Closed: August 05, 2025 at 05:40 PM UTC
(10 months ago)
Time to Close: about 2 months
Labels:
dependencies javascript
Description:

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package From To
@lhci/cli 0.10.0 0.15.0
@open-wc/testing 3.1.6 4.0.0
@web/dev-server-esbuild 0.3.2 1.0.4
@web/test-runner 0.14.0 0.20.2
body-parser 1.20.0 1.20.3
express 4.18.1 4.21.2
braces 3.0.2 3.0.3

Updates @lhci/cli from 0.10.0 to 0.15.0

Release notes

Sourced from @​lhci/cli's releases.

v0.15.0

v0.15.0 (2025-06-09)

BREAKING CHANGE

  • upgrade to lighthouse 12.6.1

v0.14.0

v0.14.0 (2024-06-20)

  • feat: upgrade to lighthouse 12.0.0 (#1035) (cc564a6), closes #1035
  • feat: support .htm files in fallback server (#1033) (2ed3b31), closes #1033
  • feat: increase column width for project name (#1006) (8fe7e8d), closes #1006
  • feat: upgrade to lighthouse 12.1.0 (#1046) (8a0e3dc), closes #1046
  • feat(cli): add --lhr to assert command to load LHRs from anywhere (#1024) (19c7ca6), closes #1024
  • fix(cli): use ProxyAgent instead of HttpsProxyAgent (#1038) (cdf4605), closes #1038
  • chore: bump lhci references to 0.13 (083d639)
  • misc(release): remove hulk from release process (mostly) (36e629e)

BREAKING CHANGE

  • upgrade to lighthouse 12.1.0

v0.13.0

v0.13.0 (2023-12-15)

... (truncated)

Commits

Updates @open-wc/testing from 3.1.6 to 4.0.0

Release notes

Sourced from @​open-wc/testing's releases.

@​open-wc/testing@​4.0.0

Major Changes

  • Updated dependencies [c69af75f]
    • @​open-wc/testing-helpers@​3.0.0

If you're using a fixture like so with scoped elements:

await fixture(html`...`, { scopedElements: ... });

You're gonna have to load the @​webcomponents/scoped-custom-element-registry polyfill yourself first.

@​open-wc/testing@​3.2.2

Patch Changes

  • e94ca9aa: chore(testing): remove unused dependencies"

@​open-wc/testing@​3.2.1

Patch Changes

  • 84e38ab1: Use split versions for all lit dependencies
  • Updated dependencies [84e38ab1]
    • @​open-wc/testing-helpers@​2.3.1

@​open-wc/testing@​3.1.8

Patch Changes

  • 91a5d224: fix(deps): update dependency @​types/chai-dom to v1
  • Updated dependencies [077d07eb]
    • @​open-wc/testing-helpers@​2.2.1

@​open-wc/testing@​3.1.7

Patch Changes

  • b187c0bc: Add types export for node16 module resolution
  • Updated dependencies [b187c0bc]
    • @​open-wc/testing-helpers@​2.1.4
Changelog

Sourced from @​open-wc/testing's changelog.

4.0.0

Major Changes

  • Updated dependencies [c69af75f]
    • @​open-wc/testing-helpers@​3.0.0

If you're using a fixture like so with scoped elements:

await fixture(html`...`, { scopedElements: ... });

You're gonna have to load the @​webcomponents/scoped-custom-element-registry polyfill yourself first.

3.2.2

Patch Changes

  • e94ca9aa: chore(testing): remove unused dependencies"

3.2.1

Patch Changes

  • 84e38ab1: Use split versions for all lit dependencies
  • Updated dependencies [84e38ab1]
    • @​open-wc/testing-helpers@​2.3.1

3.2.0

Minor Changes

  • 935c8ffe: Drop support for Node@14

Patch Changes

  • 3289e0eb: Add oneDefaultPreventedEvent export into testing package and no-side-effect indexes
  • Updated dependencies [935c8ffe]
  • Updated dependencies [3289e0eb]
  • Updated dependencies [80c6ae66]
    • chai-a11y-axe@1.5.0
    • @​open-wc/semantic-dom-diff@​0.20.0
    • @​open-wc/testing-helpers@​2.3.0

3.1.8

Patch Changes

  • 91a5d224: fix(deps): update dependency @​types/chai-dom to v1

... (truncated)

Commits

Updates @web/dev-server-esbuild from 0.3.2 to 1.0.4

Release notes

Sourced from @​web/dev-server-esbuild's releases.

@​web/dev-server-esbuild@​1.0.4

Patch Changes

  • d826727: upgrade esbuild to 0.25.x

@​web/dev-server-esbuild@​1.0.3

Patch Changes

  • f506af31: Upgrade esbuild to 0.24.x
  • Updated dependencies [fb33d75c]
    • @​web/dev-server-core@​0.7.4
Changelog

Sourced from @​web/dev-server-esbuild's changelog.

1.0.4

Patch Changes

  • d826727: upgrade esbuild to 0.25.x

1.0.3

Patch Changes

  • f506af31: Upgrade esbuild to 0.24.x
  • Updated dependencies [fb33d75c]
    • @​web/dev-server-core@​0.7.4

1.0.2

Patch Changes

  • fix: update @​web/dev-server-core

1.0.1

Patch Changes

  • e31de569: Update @web/dev-server-rollup to latest version

1.0.0

Major Changes

  • 8218a0a5: Update ESBuild to latest version.

    ESBuild has changed how TypeScript decorators are enabled in preparation for JavaScript decorators to land in browsers. ESBuild now requires the experimentalDecorators key to be set to true in the tsconfig.json for TypeScript decorators to be enabled.

    If you are having issues with decorators after updating to this version, try setting the experimentalDecorators key in your tsconfig.json.

Minor Changes

  • c185cbaa: Set minimum node version to 18

Patch Changes

  • Updated dependencies [c185cbaa]
    • @​web/dev-server-core@​0.7.0

0.4.4

Patch Changes

  • ef6b2543: Use split versions for all lit dependencies

... (truncated)

Commits
  • 3a6bf8f Version Packages
  • d826727 fix: upgrade esbuild to 0.25.x
  • 5f4f351 Version Packages
  • dc23517 chore: bump esbuild to 0.24.0
  • f506af3 chore: upgrade esbuild to 0.20.x
  • 03f3c6f Version Packages
  • 54d65a4 ci: align reporters across all packages
  • 90e4472 ci: use workspaces to run node tests
  • 0780a22 Version Packages
  • ce40a8f update @​web/dev-server-rollup in more places
  • Additional commits viewable in compare view

Updates @web/test-runner from 0.14.0 to 0.20.2

Release notes

Sourced from @​web/test-runner's releases.

@​web/test-runner@​0.20.2

Patch Changes

  • 7aedbaa: Summary Reporter - re-enabled error reporting and made option to disable browser logs and error reporting in this reporter

@​web/test-runner@​0.20.1

Patch Changes

  • 24e3290: Improve debug message for test runner uncaught exceptions

    This should make debugging easier. It wasn't very easy to figure out where the errors originated from (because of how the actual uncaught exception only happened with many concurrent builds inside a sandbox environment that is hard to debug).

  • Updated dependencies [79b0ba4]

    • @​web/test-runner-chrome@​0.18.1

@​web/test-runner@​0.20.0

Minor Changes

  • 86eaa21: Upgrade puppeteer version to v24

Patch Changes

  • Updated dependencies [86eaa21]
    • @​web/test-runner-chrome@​0.18.0

@​web/test-runner@​0.19.0

Minor Changes

  • b546e8b5: Upgrade puppeteer-core and puppeteer to v23

Patch Changes

  • Updated dependencies [b546e8b5]
    • @​web/test-runner-chrome@​0.17.0

@​web/test-runner@​0.18.3

Patch Changes

  • 6914f3b6: Show suites names for summaryReporter when flatten option is true

@​web/test-runner@​0.18.2

Patch Changes

  • 6a97a691: Unify visual-written representation of skipped tests.

@​web/test-runner@​0.18.1

Patch Changes

... (truncated)

Changelog

Sourced from @​web/test-runner's changelog.

0.20.2

Patch Changes

  • 7aedbaa: Summary Reporter - re-enabled error reporting and made option to disable browser logs and error reporting in this reporter

0.20.1

Patch Changes

  • 24e3290: Improve debug message for test runner uncaught exceptions

    This should make debugging easier. It wasn't very easy to figure out where the errors originated from (because of how the actual uncaught exception only happened with many concurrent builds inside a sandbox environment that is hard to debug).

  • Updated dependencies [79b0ba4]

    • @​web/test-runner-chrome@​0.18.1

0.20.0

Minor Changes

  • 86eaa21: Upgrade puppeteer version to v24

Patch Changes

  • Updated dependencies [86eaa21]
    • @​web/test-runner-chrome@​0.18.0

0.19.0

Minor Changes

  • b546e8b5: Upgrade puppeteer-core and puppeteer to v23

Patch Changes

  • Updated dependencies [b546e8b5]
    • @​web/test-runner-chrome@​0.17.0

0.18.3

Patch Changes

  • 6914f3b6: Show suites names for summaryReporter when flatten option is true

0.18.2

... (truncated)

Commits
  • 9645344 Version Packages
  • 61260d5 Turned error reporting back on by default to match old behviour before it was...
  • 4fa7523 add back broken error reporting and make log reporting optional
  • db00ed5 Version Packages
  • 24e3290 refactor: improve debug message for test runner uncaught exceptions
  • f00a581 Version Packages
  • fcb71cd Version Packages
  • 8834ad8 Version Packages
  • d5ae228 Version Packages (#2803)
  • 9a88d83 Version Packages (#2774)
  • Additional commits viewable in compare view

Updates esbuild from 0.14.38 to 0.15.7

Changelog

Sourced from esbuild's changelog.

0.15.7

  • Add --watch=forever to allow esbuild to never terminate (#1511, #1885)

    Currently using esbuild's watch mode via --watch from the CLI will stop watching if stdin is closed. The rationale is that stdin is automatically closed by the OS when the parent process exits, so stopping watch mode when stdin is closed ensures that esbuild's watch mode doesn't keep running forever after the parent process has been closed. For example, it would be bad if you wrote a shell script that did esbuild --watch & to run esbuild's watch mode in the background, and every time you run the script it creates a new esbuild process that runs forever.

    However, there are cases when it makes sense for esbuild's watch mode to never exit. One such case is within a short-lived VM where the lifetime of all processes inside the VM is expected to be the lifetime of the VM. Previously you could easily do this by piping the output of a long-lived command into esbuild's stdin such as sleep 999999999 | esbuild --watch &. However, this possibility often doesn't occur to people, and it also doesn't work on Windows. People also sometimes attempt to keep esbuild open by piping an infinite stream of data to esbuild such as with esbuild --watch </dev/zero & which causes esbuild to spin at 100% CPU. So with this release, esbuild now has a --watch=forever flag that will not stop watch mode when stdin is closed.

  • Work around PATH without node in install script (#2519)

    Some people install esbuild's npm package in an environment without the node command in their PATH. This fails on Windows because esbuild's install script runs the esbuild command before exiting as a sanity check, and on Windows the esbuild command has to be a JavaScript file because of some internal details about how npm handles the bin folder (specifically the esbuild command lacks the .exe extension, which is required on Windows). This release attempts to work around this problem by using process.execPath instead of "node" as the command for running node. In theory this means the installer can now still function on Windows if something is wrong with PATH.

0.15.6

  • Lower for await loops (#1930)

    This release lowers for await loops to the equivalent for loop containing await when esbuild is configured such that for await loops are unsupported. This transform still requires at least generator functions to be supported since esbuild's lowering of await currently relies on generators. This new transformation is mostly modeled after what the TypeScript compiler does. Here's an example:

    async function f() {
  for await (let x of y)
    x()
}

    The code above will now become the following code with --target=es2017 (omitting the code for the __forAwait helper function):

    async function f() {
  try {
    for (var iter = __forAwait(y), more, temp, error; more = !(temp = await iter.next()).done; more = false) {
      let x = temp.value;
      x();
    }
  } catch (temp) {
    error = [temp];
  } finally {
    try {
      more && (temp = iter.return) && await temp.call(iter);
    } finally {
      if (error)
        throw error[0];
    }
  }
}

  • Automatically fix invalid supported configurations (#2497)

    The --target= setting lets you tell esbuild to target a specific version of one or more JavaScript runtimes such as chrome80,node14 and esbuild will restrict its output to only those features supported by all targeted JavaScript runtimes. More recently, esbuild introduced the --supported: setting that lets you override which features are supported on a per-feature basis. However, this now lets you configure nonsensical things such as --supported:async-await=false --supported:async-generator=true. Previously doing this could result in esbuild building successfully but producing invalid output.

... (truncated)

Commits
  • c0b8a53 publish 0.15.7 to npm
  • 976b57a validate await in shorthand destructuring
  • 8ac7529 tests: ignore new top-level await test262 tests
  • dbd21a8 tests: skip new features in test262
  • 7331a34 ci: upgrade to yarn 3.2.3, enable more tests
  • 31e1cee install script: tiny wasm tree-shaking improvement
  • 0438f64 ci: run deno tests on windows
  • 7549073 ci: pin deno version to avoid test flakes
  • 6a26f59 tests: use unused test in node-unref-tests
  • 037ffbb tests: remove source-map from js-api-tests
  • Additional commits viewable in compare view

Updates body-parser from 1.20.0 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

New Contributors

Full Changelog: https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3

1.20.2

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
    • perf: skip value escaping when unnecessary
  • deps: raw-body@2.5.2

1.20.1 / 2022-10-06

  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.


Updates express from 4.18.1 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

4.21.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


Updates braces from 3.0.2 to 3.0.3

Commits

Updates cookie from 0.3.1 to 0.7.1

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

  • Allow leading dot for domain (#174)
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

https://github.com/jshttp/cookie/compare/v0.7.0...v0.7.1

0.7.0

https://github.com/jshttp/cookie/compare/v0.6.0...v0.7.0

0.6.0

  • Add partitioned option

0.5.0

  • Add priority option
  • Fix expires option to reject invalid dates
  • pref: improve default decode speed
  • pref: remove slow string split in parse

0.4.2

  • pref: read value only when assigning in parse
  • pref: remove unnecessary regexp in parse

0.4.1

  • Fix maxAge option to reject invalid values

0.4.0

  • Add SameSite=None support
Commits
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.


Updates express from 4.18.1 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.21.0...4.21.1

4.21.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/express/compare/4.20.0...4.21.0

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

Pull Request Statistics
Commits:
1
Files Changed:
2
Additions:
+11851
Deletions:
-1231
Package Dependencies
Package:
 braces
Ecosystem:
npm
Version Change:
3.0.2 → 3.0.3
Update Type:
Patch
Package:
express
Ecosystem:
npm
Version Change:
4.18.1 → 4.21.2
Update Type:
Minor
Package:
body-parser
Ecosystem:
npm
Version Change:
1.20.0 → 1.20.3
Update Type:
Patch
Package:
@web/test-runner
Ecosystem:
npm
Version Change:
0.14.0 → 0.20.2
Update Type:
Minor
Package:
@open-wc/testing
Ecosystem:
npm
Version Change:
3.1.6 → 4.0.0
Update Type:
Major
Package:
@lhci/cli
Ecosystem:
npm
Version Change:
0.10.0 → 0.15.0
Update Type:
Minor
Package:
@web/dev-server-esbuild
Ecosystem:
npm
Version Change:
0.3.2 → 1.0.4
Update Type:
Major
Security Advisories
cookie accepts cookie name, path, and domain with out of bounds characters
GHSA-pxg6-pf52-xh8x CVE-2024-47764 LOW
### Impact The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize("userName=<script>alert('XSS3')</script>; Max-Age=25920...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 4645523
UUID: 2590840949
Node ID: PR_kwDODk9xUM6abRh1
Host: GitHub
Repository: github/catalyst
Mergeable: Yes
Merge State: Unstable