Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Bump the npm_and_yarn group across 1 directory with 10 updates

Open
Number: #20
Type: Pull Request
State: Open
Author: dependabot[bot] dependabot[bot]
Association: Contributor
Comments: 1
Created: May 09, 2025 at 07:03 AM UTC
(4 months ago)
Updated: May 09, 2025 at 07:04 AM UTC
(4 months ago)
Labels:
dependencies javascript
Description:

Bumps the npm_and_yarn group with 4 updates in the /script directory: express, braces, got and nodemon.

Updates express from 4.21.2 to 5.0.0

Release notes

Sourced from express's releases.

5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

  • Node.js version support: Dropped support for Node.js versions before v18.
  • Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
  • Promise support: Middleware can now return rejected promises, caught by the router as errors.
  • body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
  • Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0
    • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
  • change:
    • res.clearCookie will ignore user provided maxAge and expires options
  • deps: cookie-signature@^1.2.1
  • deps: debug@4.3.6
  • deps: merge-descriptors@^2.0.0
  • deps: serve-static@^2.1.0
  • deps: qs@6.13.0
  • deps: accepts@^2.0.0
  • deps: mime-types@^3.0.0
    • application/javascript => text/javascript
  • deps: type-is@^2.0.0
  • deps: content-disposition@^1.0.0
  • deps: finalhandler@^2.0.0
  • deps: fresh@^2.0.0
  • deps: body-parser@^2.0.1
  • deps: send@^1.1.0

5.0.0-beta.3 / 2024-03-25

This incorporates all changes after 4.19.1 up to 4.19.2.

5.0.0-beta.2 / 2024-03-20

This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14

This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.

  • change:
    • Default "query parser" setting to 'simple'
    • Requires Node.js 4+
    • Use mime-types for file to content type mapping
  • deps: array-flatten@3.0.0
  • deps: body-parser@2.0.0-beta.1
    • req.body is no longer always initialized to {}

... (truncated)

Commits

Updates body-parser from 1.18.3 to 2.2.0

Release notes

Sourced from body-parser's releases.

v2.2.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/body-parser/compare/v2.1.0...v2.2.0

v2.1.0

What's Changed

Full Changelog: https://github.com/expressjs/body-parser/compare/2.0.1...v2.1.0

2.0.2

What's Changed

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.0 / 2025-03-27

  • refactor: normalize common options for all parsers
  • deps:
    • iconv-lite@^0.6.3

2.1.0 / 2025-02-10

  • deps:
    • type-is@^2.0.0
    • debug@^4.4.0
    • Removed destroy
  • refactor: prefix built-in node module imports
  • use the node require cache instead of custom caching

2.0.2 / 2024-10-31

  • remove unpipe package and use native unpipe() method

2.0.1 / 2024-09-10

  • Restore expected behavior extended to false

2.0.0 / 2024-09-10

  • Propagate changes from 1.20.3
  • add brotli support #406
  • Breaking Change: Node.js 18 is the minimum supported version

2.0.0-beta.2 / 2023-02-23

This incorporates all changes after 1.19.1 up to 1.20.2.

  • Remove deprecated bodyParser() combination middleware
  • deps: debug@3.1.0
    • Add DEBUG_HIDE_DATE environment variable
    • Change timer to per-namespace instead of global
    • Change non-TTY date format
    • Remove DEBUG_FD environment variable support
    • Support 256 namespace colors
  • deps: iconv-lite@0.5.2
    • Add encoding cp720
    • Add encoding UTF-32
  • deps: raw-body@3.0.0-beta.1

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.


Updates braces from 3.0.2 to 3.0.3

Commits

Updates cookie from 0.3.1 to 0.4.1

Release notes

Sourced from cookie's releases.

0.4.1

  • Fix maxAge option to reject invalid values

0.4.0

  • Add SameSite=None support
Changelog

Sourced from cookie's changelog.

0.4.1 / 2020-04-21

  • Fix maxAge option to reject invalid values

0.4.0 / 2019-05-15

  • Add SameSite=None support
Commits

Removes got

Updates nodemon from 2.0.15 to 2.0.22

Release notes

Sourced from nodemon's releases.

v2.0.22

2.0.22 (2023-03-22)

Bug Fixes

  • remove ts mapping if loader present (f7816e4), closes #2083

v2.0.21

2.0.21 (2023-03-02)

Bug Fixes

  • remove ts mapping if loader present (1468397), closes #2083

v2.0.20

2.0.20 (2022-09-16)

Bug Fixes

  • remove postinstall script (e099e91)

v2.0.19

2.0.19 (2022-07-05)

Bug Fixes

v2.0.18

2.0.18 (2022-06-23)

Bug Fixes

  • revert update-notifier forcing esm (1b3bc8c)

v2.0.17

2.0.17 (2022-06-23)

Bug Fixes

v2.0.16

... (truncated)

Commits
  • c971fdc Merge branch 'main' of github.com:remy/nodemon
  • b9679a2 chore: supporters
  • f7816e4 fix: remove ts mapping if loader present
  • 9f3ffdb One more fix
  • abc8522 Get rid of spawning shell windows if nodemon is started without console.
  • b11ddd1 Merge branch 'main' of github.com:remy/nodemon
  • 204af11 chore: missing supporters
  • 1468397 fix: remove ts mapping if loader present
  • 26b1f0f chore: add conventional commit check
  • adaafa1 One more fix
  • Additional commits viewable in compare view

Updates path-to-regexp from 0.1.7 to 8.2.0

Release notes

Sourced from path-to-regexp's releases.

8.2.0

Fixed

  • Allowing path-to-regexp to run on older browsers by targeting ES2015
    • Target ES2015 5969033
      • Also saved 0.22kb (10%!) by removing the private class field down level
    • Remove s flag from regexp 51dbd45

https://github.com/pillarjs/path-to-regexp/compare/v8.1.0...v8.2.0

v8.1.0

Added

  • Adds pathToRegexp method back for generating a regex
  • Adds stringify method for converting TokenData into a path string

https://github.com/pillarjs/path-to-regexp/compare/v8.0.0...v8.1.0

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

  • Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

  • Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
  • Parameter names follow JS identifier rules and allow unicode characters

Added

  • Parameter names can now be quoted, e.g. :"foo-bar"
  • Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

  • Removes loose mode
  • Removes regular expression overrides of parameters

https://github.com/pillarjs/path-to-regexp/compare/v7.1.0...v8.0.0

Support array inputs (again)

Added

  • Support array inputs for match and pathToRegexp 3fdd88f

https://github.com/pillarjs/path-to-regexp/compare/v7.1.0...v7.2.0

... (truncated)

Changelog

Sourced from path-to-regexp's changelog.

Moved to GitHub Releases

3.0.0 / 2019-01-13

  • Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
  • Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

2.4.0 / 2018-08-26

  • Support start option to disable anchoring from beginning of the string

2.3.0 / 2018-08-20

  • Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

2.2.1 / 2018-04-24

  • Allow empty string with end: false to match both relative and absolute paths

2.2.0 / 2018-03-06

  • Pass token as second argument to encode option (e.g. encode(value, token))

2.1.0 / 2017-10-20

  • Handle non-ending paths where the final character is a delimiter
    • E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

2.0.0 / 2017-08-23

  • New option! Ability to set endsWith to match paths like /test?query=string up to the query string
  • New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
  • Remove isarray dependency
  • Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
  • Remove overloaded keys argument that accepted options
  • Remove keys list attached to the RegExp output
  • Remove asterisk functionality (it's a real pain to properly encode)
  • Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

1.7.0 / 2016-11-08

  • Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

1.6.0 / 2016-10-03

  • Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
  • Allow a delimiter option to be passed in with parse
  • Updated TypeScript definition with Keys and Options updated

1.5.3 / 2016-06-15

... (truncated)

Commits

Updates qs from 6.5.2 to 6.13.0

Changelog

Sourced from qs's changelog.

6.13.0

  • [New] parse: add strictDepth option (#511)
  • [Tests] use npm audit instead of aud

6.12.3

  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • [meta] fix changelog indentation

6.12.2

  • [Fix] parse: parse encoded square brackets (#506)
  • [readme] add CII best practices badge

6.12.1

  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
  • [Refactor] utils: use +=
  • [Tests] increase coverage

6.12.0

  • [New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (#488)
  • [New] parse: add duplicates option
  • [New] parse/stringify: add allowEmptyArrays option to allow [] in object values (#487)
  • [Refactor] parse/stringify: move allowDots config logic to its own variable
  • [Refactor] stringify: move option-handling code into normalizeStringifyOptions
  • [readme] update readme, add logos (#484)
  • [readme] stringify: clarify default arrayFormat behavior
  • [readme] fix line wrapping
  • [readme] remove dead badges
  • [Deps] update side-channel
  • [meta] make the dist build 50% smaller
  • [meta] add sideEffects flag
  • [meta] run build in prepack, not prepublish
  • [Tests] parse: remove useless tests; add coverage
  • [Tests] stringify: increase coverage
  • [Tests] use mock-property
  • [Tests] stringify: improve coverage
  • [Dev Deps] update @ljharb/eslint-config , aud, has-override-mistake, has-property-descriptors, mock-property, npmignore, object-inspect, tape
  • [Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6

6.11.2

  • [Fix] parse: Fix parsing when the global Object prototype is frozen (#473)
  • [Tests] add passing test cases with empty keys (#473)

6.11.1

  • [Fix] stringify: encode comma values more consistently (#463)
  • [readme] add usage of filter option for injecting custom serialization, i.e. of custom types (#447)
  • [meta] remove extraneous code backticks (#457)
  • [meta] fix changelog markdown

... (truncated)

Commits
  • 5cf516c v6.13.0
  • 8d56df2 [New] parse: add strictDepth option
  • c9a6694 [Tests] use npm audit instead of aud
  • f90cc35 v6.12.3
  • 1bf9f7a [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • 7ebf48b [meta] fix changelog indentation
  • d0dff11 v6.12.2
  • f0b8d03 [Dev Deps] update @ljharb/eslint-config, object-inspect, tape
  • 81835ff [Fix]: parse: parse encoded square brackets
  • db47dcc [readme] add CII best practices badge
  • Additional commits viewable in compare view

Updates send from 0.16.2 to 1.2.0

Release notes

Sourced from send's releases.

1.2.0

What's Changed

New Contributors

Full Changelog: https://github.com/pillarjs/send/compare/1.1.0...1.2.0

1.1.0

What's Changed

New Contributors

Full Changelog: https://github.com/pillarjs/send/compare/v1.0.0...1.1.0

0.19.0

What's Changed

New Contributors

Full Changelog: https://github.com/pillarjs/send/compare/0.18.0...0.19.0

Changelog

Sourced from send's changelog.

1.2.0 / 2025-03-27

  • deps:
    • mime-types@^3.0.1
    • fresh@^2.0.0
    • removed destroy
  • remove getHeaderNames() polyfill and refactor clearHeaders()

1.1.0 / 2024-09-10

  • Changes from 0.19.0

1.0.0 / 2024-07-25

  • Drop support for Node.js <18.0
  • statuses@^2.0.1
  • range-parser@^1.2.1
  • on-finished@^2.4.1
  • ms@^2.1.3
  • mime-types@^2.1.35
  • http-errors@^2.0.0
  • fresh@^0.5.2
  • etag@^1.8.1
  • escape-html@^1.0.3
  • encodeurl@^2.0.0
  • destroy@^1.2.0
  • debug@^4.3.5

1.0.0-beta.2 / 2024-03-04

  • Changes from 0.18.0

1.0.0-beta.1 / 2022-02-04

  • Drop support for Node.js 0.8
  • Remove hidden option -- use dotfiles option
  • Remove from alias to root -- use root directly
  • Remove send.etag() -- use etag in options
  • Remove send.index() -- use index in options
  • Remove send.maxage() -- use maxAge in options
  • Remove send.root() -- use root in options
  • Use mime-types for file to content type mapping -- removed send.mime
  • deps: debug@3.1.0
    • Add DEBUG_HIDE_DATE environment variable
    • Change timer to per-namespace instead of global

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.


Updates serve-static from 1.13.2 to 2.2.0

Release notes

Sourced from serve-static's releases.

v2.2.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/serve-static/compare/v2.1.0...v2.2.0

2.1.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/serve-static/compare/v1.15.0...2.1.0

2.0.0-beta.1

  • Change dotfiles option default to 'ignore'
  • Drop support for Node.js 0.8
  • Remove hidden option; use dotfiles option instead
  • deps: send@1.0.0-beta.1
    • Use mime-types for file to content type mapping
    • deps: debug@3.1.0

v1.16.2

What's Changed

... (truncated)

Changelog

Sourced from serve-static's changelog.

2.2.0 / 2025-03-27

  • deps: send@^1.2.0

2.1.0 / 2024-09-10

  • Changes from 1.16.0
  • deps: send@^1.2.0

2.0.0 / 2024-08-23

  • deps:
    • parseurl@^1.3.3
    • excape-html@^1.0.3
    • encodeurl@^2.0.0
    • supertest@^6.3.4
    • safe-buffer@^5.2.1
    • nyc@^17.0.0
    • mocha@^10.7.0
  • Changes from 1.x

2.0.0-beta.2 / 2024-03-20

  • deps: send@1.0.0-beta.2

2.0.0-beta.1 / 2022-02-05

  • Change dotfiles option default to 'ignore'
  • Drop support for Node.js 0.8
  • Remove hidden option; use dotfiles option instead
  • Remove mime export; use mime-types package instead
  • deps: send@1.0.0-beta.1
    • Use mime-types for file to content type mapping
    • deps: debug@3.1.0

1.16.0 / 2024-09-10

  • Remove link renderization in html while redirecting

1.15.0 / 2022-03-24

  • deps: send@0.18.0
    • Fix emitted 416 error missing headers property

... (truncated)

Commits
Pull Request Statistics
Commits:
0
Files Changed:
0
Additions:
+0
Deletions:
-0
Package Dependencies
Package:
 nodemon
Ecosystem:
npm
Version Change:
2.0.15 → 2.0.22
Update Type:
Patch
Package:
braces
Ecosystem:
npm
Version Change:
3.0.2 → 3.0.3
Update Type:
Patch
Package:
express
Ecosystem:
npm
Version Change:
4.21.2 → 5.0.0
Update Type:
Major
Package:
serve-static
Ecosystem:
npm
Version Change:
1.13.2 → 2.2.0
Update Type:
Major
Package:
qs
Ecosystem:
npm
Version Change:
6.5.2 → 6.13.0
Update Type:
Minor
Package:
path-to-regexp
Ecosystem:
npm
Version Change:
0.1.7 → 8.2.0
Update Type:
Major
Package:
cookie
Ecosystem:
npm
Version Change:
0.3.1 → 0.4.1
Update Type:
Minor
Package:
body-parser
Ecosystem:
npm
Version Change:
1.18.3 → 2.2.0
Update Type:
Major
Package:
send
Ecosystem:
npm
Version Change:
0.16.2 → 1.2.0
Update Type:
Major
Security Advisories
body-parser vulnerable to denial of service when url encoding is enabled
GHSA-qwcr-r2fm-qrc7 CVE-2024-45590 HIGH
### Impact body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of re...
Actions
View on GitHub View Repository All Dependabot PRs
Technical Details
ID: 125015
UUID: 3051196835
Node ID: PR_kwDOGqLqSs6ViWKL
Host: GitHub
Repository: rfatolahzade/Dockerizing-a-NodeJS-web-app