
Bump the npm_and_yarn group across 14 directories with 21 updates

Number: #2
Type: Pull Request
State: Merged
Author: dependabot[bot]
Association: None
Comments: 0
Created: September 12, 2025 at 05:58 AM UTC
Updated: September 12, 2025 at 06:00 AM UTC
Merged: September 12, 2025 at 06:00 AM UTC by ibiscum
Time to Close: 1 minute
Labels: dependencies, javascript
Description:

Bumps the npm_and_yarn group with 1 update in the /Chapter12/stack-trace-app directory: express.
Bumps the npm_and_yarn group with 1 update in the /Chapter12/express-debug-app directory: express.
Bumps the npm_and_yarn group with 1 update in the /Chapter12/debugging-with-chrome directory: express.
Bumps the npm_and_yarn group with 1 update in the /Chapter12/core-debug-logs directory: express.
Bumps the npm_and_yarn group with 10 updates in the /Chapter11/loopback-bookstore directory:

Package From To
express 4.19.2 4.21.2
brace-expansion 1.1.11 1.1.12
cross-spawn 7.0.3 7.0.6
form-data 4.0.0 4.0.4
formidable 3.5.1 3.5.4
nanoid 3.3.7 3.3.11
serialize-javascript 6.0.0 6.0.2
mocha 10.4.0 10.8.2
uglify-js 3.18.0 3.19.3
undici 5.28.4 5.29.0

Bumps the npm_and_yarn group with 4 updates in the /Chapter11/bookstore-web-app directory: express, ejs, on-headers and morgan.
Bumps the npm_and_yarn group with 2 updates in the /Chapter10/optimize-async directory: express and cookie.
Bumps the npm_and_yarn group with 3 updates in the /Chapter10/flamegraph-app directory: express, on-headers and morgan.
Bumps the npm_and_yarn group with 3 updates in the /Chapter10/benchmarking-views directory: express, on-headers and morgan.
Bumps the npm_and_yarn group with 3 updates in the /Chapter10/benchmarking-http directory: express, on-headers and morgan.
Bumps the npm_and_yarn group with 1 update in the /Chapter09/hashing-with-bcrypt directory: brace-expansion.
Bumps the npm_and_yarn group with 4 updates in the /Chapter09/fastify-auth directory: cookie, light-my-request, brace-expansion and find-my-way.
Bumps the npm_and_yarn group with 2 updates in the /Chapter09/express-xss directory: express and cookie.
Bumps the npm_and_yarn group with 2 updates in the /Chapter09/express-input directory: express and cookie.

Updates express from 4.21.0 to 5.1.0

Release notes

Sourced from express's releases.

v5.1.0

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: serve-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0
    • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
  • change:
    • res.clearCookie will ignore user provided maxAge and expires options
  • deps: cookie-signature@^1.2.1
  • deps: debug@4.3.6
  • deps: merge-descriptors@^2.0.0
  • deps: serve-static@^2.1.0
  • deps: qs@6.13.0
  • deps: accepts@^2.0.0
  • deps: mime-types@^3.0.0
    • application/javascript => text/javascript
  • deps: type-is@^2.0.0
  • deps: content-disposition@^1.0.0

... (truncated)

Commits

Updates body-parser from 1.20.3 to 2.2.0

Release notes

Sourced from body-parser's releases.

v2.2.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/body-parser/compare/v2.1.0...v2.2.0

v2.1.0

What's Changed

Full Changelog: https://github.com/expressjs/body-parser/compare/2.0.1...v2.1.0

2.0.2

What's Changed

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.0 / 2025-03-27

  • refactor: normalize common options for all parsers
  • deps:
    • iconv-lite@^0.6.3

2.1.0 / 2025-02-10

  • deps:
    • type-is@^2.0.0
    • debug@^4.4.0
    • Removed destroy
  • refactor: prefix built-in node module imports
  • use the node require cache instead of custom caching

2.0.2 / 2024-10-31

  • remove unpipe package and use native unpipe() method

2.0.1 / 2024-09-10

  • Restore expected behavior extended to false

2.0.0 / 2024-09-10

Breaking Changes

  • Node.js 18 is the minimum supported version
  • req.body is no longer always initialized to {}
    • it is left undefined unless a body is parsed
  • Remove deprecated bodyParser() combination middleware
  • urlencoded parser now defaults extended to false (as released, this is not the case; fixed in 2.0.1)
  • urlencoded simple parser now uses qs module instead of querystring module

Features

  • Add brotli support #406
  • urlencoded: Add option to customize the depth with a default value of 32
  • urlencoded: Support iso-8859-1, utf8 sentinel, and numeric entities
  • Use on-finished to determine when body read

Dependencies

  • deps: raw-body@^3.0.0
  • deps: qs@6.12.3
  • deps: debug@3.1.0
  • deps: iconv-lite@0.5.2

... (truncated)

Commits

Updates cookie from 0.6.0 to 0.7.2

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

  • Allow leading dot for domain (#174)
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

https://github.com/jshttp/cookie/compare/v0.7.0...v0.7.1

0.7.0

https://github.com/jshttp/cookie/compare/v0.6.0...v0.7.0

Commits

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.


Updates path-to-regexp from 0.1.10 to 8.3.0

Release notes

Sourced from path-to-regexp's releases.

8.3.0

Changed

  • Add custom error class (#398) 2a7f2a4
  • Allow plain objects for TokenData (#391) 687a9bb
  • Escape text should escape backslash (#390) a4a8552
  • Improved error messages and stack size (#363) a6bdf40

Other

  • Minifying the parser
    • PR (#401) 9df2448
    • PR (#395) 4a91505
    • Shaving some bytes d63f44b
    • Remove optional operator 973d15c

https://github.com/pillarjs/path-to-regexp/compare/v8.2.0...v8.3.0

8.2.0

Fixed

  • Allowing path-to-regexp to run on older browsers by targeting ES2015
    • Target ES2015 5969033
      • Also saved 0.22kb (10%!) by removing the private class field down level
    • Remove s flag from regexp 51dbd45

https://github.com/pillarjs/path-to-regexp/compare/v8.1.0...v8.2.0

v8.1.0

Added

  • Adds pathToRegexp method back for generating a regex
  • Adds stringify method for converting TokenData into a path string

https://github.com/pillarjs/path-to-regexp/compare/v8.0.0...v8.1.0

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will be the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

  • Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

  • Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
  • Parameter names follow JS identifier rules and allow unicode characters

... (truncated)

Changelog

Sourced from path-to-regexp's changelog.

Moved to GitHub Releases

3.0.0 / 2019-01-13

  • Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
  • Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

2.4.0 / 2018-08-26

  • Support start option to disable anchoring from beginning of the string

2.3.0 / 2018-08-20

  • Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

2.2.1 / 2018-04-24

  • Allow empty string with end: false to match both relative and absolute paths

2.2.0 / 2018-03-06

  • Pass token as second argument to encode option (e.g. encode(value, token))

2.1.0 / 2017-10-20

  • Handle non-ending paths where the final character is a delimiter
    • E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

2.0.0 / 2017-08-23

  • New option! Ability to set endsWith to match paths like /test?query=string up to the query string
  • New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
  • Remove isarray dependency
  • Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
  • Remove overloaded keys argument that accepted options
  • Remove keys list attached to the RegExp output
  • Remove asterisk functionality (it's a real pain to properly encode)
  • Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

1.7.0 / 2016-11-08

  • Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

1.6.0 / 2016-10-03

  • Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
  • Allow a delimiter option to be passed in with parse
  • Updated TypeScript definition with Keys and Options updated

1.5.3 / 2016-06-15

... (truncated)

Commits

Updates qs from 6.13.0 to 6.14.0

Changelog

Sourced from qs's changelog.

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup
  • [Tests] utils.merge: add some coverage
  • [Tests] fix a test case
  • [actions] split out node 10-20, and 20+
  • [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

Commits

  • 32dcc63 v6.14.0
  • 4ec582b [Dev Deps] update es-value-fixtures, has-bigints
  • a240c52 [Tests] increase coverage
  • 25956a7 [Refactor] parse: use utils.combine more
  • b189ed4 [patch] parse: add explicit throwOnLimitExceeded default
  • 1d590de [actions] simplify finisher
  • 6cd60a5 [actions] use shared action
  • 89edfd2 [Deps] update side-channel
  • e26e7a8 [Dev Deps] update has-proto, has-symbols
  • 51fdc98 [actions] re-add finishers
  • Additional commits viewable in compare view

Updates send from 0.19.0 to 1.2.0

Release notes

Sourced from send's releases.

1.2.0

What's Changed

New Contributors

Full Changelog: https://github.com/pillarjs/send/compare/1.1.0...1.2.0

1.1.0

What's Changed

New Contributors

Full Changelog: https://github.com/pillarjs/send/compare/v1.0.0...1.1.0

Changelog

Sourced from send's changelog.

1.2.0 / 2025-03-27

  • deps:
    • mime-types@^3.0.1
    • fresh@^2.0.0
    • removed destroy
  • remove getHeaderNames() polyfill and refactor clearHeaders()

1.1.0 / 2024-09-10

  • Changes from 0.19.0

1.0.0 / 2024-07-25

  • Drop support for Node.js <18.0
  • statuses@^2.0.1
  • range-parser@^1.2.1
  • on-finished@^2.4.1
  • ms@^2.1.3
  • mime-types@^2.1.35
  • http-errors@^2.0.0
  • fresh@^0.5.2
  • etag@^1.8.1
  • escape-html@^1.0.3
  • encodeurl@^2.0.0
  • destroy@^1.2.0
  • debug@^4.3.5

1.0.0-beta.2 / 2024-03-04

  • Changes from 0.18.0

1.0.0-beta.1 / 2022-02-04

  • Drop support for Node.js 0.8
  • Remove hidden option -- use dotfiles option
  • Remove from alias to root -- use root directly
  • Remove send.etag() -- use etag in options
  • Remove send.index() -- use index in options
  • Remove send.maxage() -- use maxAge in options
  • Remove send.root() -- use root in options
  • Use mime-types for file to content type mapping -- removed send.mime
  • deps: debug@3.1.0
    • Add DEBUG_HIDE_DATE environment variable
    • Change timer to per-namespace instead of global

... (truncated)

Commits

Updates serve-static from 1.16.2 to 2.2.0

Release notes

Sourced from serve-static's releases.

v2.2.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/serve-static/compare/v2.1.0...v2.2.0

2.1.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/serve-static/compare/v1.15.0...2.1.0

2.0.0-beta.1

  • Change dotfiles option default to 'ignore'
  • Drop support for Node.js 0.8
  • Remove hidden option; use dotfiles option instead
  • deps: send@1.0.0-beta.1
    • Use mime-types for file to content type mapping
    • deps: debug@3.1.0

Changelog

Sourced from serve-static's changelog.

2.2.0 / 2025-03-27

  • deps: send@^1.2.0

2.1.0 / 2024-09-10

  • Changes from 1.16.0
  • deps: send@^1.2.0

2.0.0 / 2024-08-23

  • deps:
    • parseurl@^1.3.3
    • escape-html@^1.0.3
    • encodeurl@^2.0.0
    • supertest@^6.3.4
    • safe-buffer@^5.2.1
    • nyc@^17.0.0
    • mocha@^10.7.0
  • Changes from 1.x

2.0.0-beta.2 / 2024-03-20

  • deps: send@1.0.0-beta.2

2.0.0-beta.1 / 2022-02-05

  • Change dotfiles option default to

Description has been truncated

Pull Request Statistics
Commits: 1
Files Changed: 23
Additions: +5811
Deletions: -2319

Package Dependencies

Package               Ecosystem  Version Change    Update Type
mocha                 npm        10.4.0 → 10.8.2   Minor
cross-spawn           npm        7.0.3 → 7.0.6     Patch
undici                npm        5.28.4 → 5.29.0   Minor
serialize-javascript  npm        6.0.0 → 6.0.2     Patch
nanoid                npm        3.3.7 → 3.3.11    Patch
express               npm        4.19.2 → 4.21.2   Minor
form-data             npm        4.0.0 → 4.0.4     Patch
formidable            npm        3.5.1 → 3.5.4     Patch
uglify-js             npm        3.18.0 → 3.19.3   Minor
brace-expansion       npm        1.1.11 → 1.1.12   Patch

Technical Details
ID: 7589061
UUID: 2821374463
Node ID: PR_kwDOPucUxc6oKsH_
Host: GitHub
Repository: ibiscum/Node.js-Cookbook-Fifth-Edition
Merge State: Unknown