chore(deps): bump the npm_and_yarn group with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates:

Package	From	To
node-fetch	3.3.1	3.3.2
body-parser	2.0.2	2.1.0
cookie	0.7.2	1.0.0
express	4.21.2	5.0.0
path-to-regexp	6.3.0	8.0.0
postcss	8.4.33	8.4.34
semver	7.6.2	7.6.3
terser	5.39.0	5.39.1
base-x	3.0.9	3.0.11
tar-fs	2.1.2	2.1.3

Updates node-fetch from 3.3.1 to 3.3.2

Release notes

Sourced from node-fetch's releases.

v3.3.2

3.3.2 (2023-07-25)

Bug Fixes

• Remove the default connection close header. (#1736) (8b3320d), closes #1735 #1473

Commits

• 8b3320d fix: Remove the default connection close header. (#1736)
• See full diff in compare view

Updates body-parser from 2.0.2 to 2.1.0

Release notes

Sourced from body-parser's releases.

v2.1.0

What's Changed

• fix: update package.json engines field to reflect minimum supported node version by @​Phillip9587 in expressjs/body-parser#541
• fix: remove brotli support check by @​Phillip9587 in expressjs/body-parser#542
• fix: remove unpipe package and use native unpipe method by @​Phillip9587 in expressjs/body-parser#543
• Remove unused devDependency methods by @​Phillip9587 in expressjs/body-parser#548
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/body-parser#546
• Remove devDependency safe-buffer by @​Phillip9587 in expressjs/body-parser#547
• test: remove AsyncLocalStorage check by @​Phillip9587 in expressjs/body-parser#549
• perf: use the node require cache instead of custom caching by @​Phillip9587 in expressjs/body-parser#562
• ci: disable fail-fast in CI workflow by @​Phillip9587 in expressjs/body-parser#565
• chore(deps): update type-is to v2.0.0 by @​Phillip9587 in expressjs/body-parser#571
• refactor: prefix built-in node module imports by @​Phillip9587 in expressjs/body-parser#573
• fix: remove obsolete dependency destroy by @​Phillip9587 in expressjs/body-parser#570
• cleanup: remove obsolete test env file by @​Phillip9587 in expressjs/body-parser#569
• Refactor decompression stream creation to remove code duplication by @​Phillip9587 in expressjs/body-parser#564
• Add caret for body-parser dependencies by @​wesleytodd in expressjs/body-parser#577
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/body-parser#559
• chore(deps): update debug to ^4.4.0 by @​Phillip9587 in expressjs/body-parser#579
• Release v2.1.0 by @​wesleytodd in expressjs/body-parser#578

Full Changelog: expressjs/body-parser@2.0.1...v2.1.0

Changelog

Sourced from body-parser's changelog.

2.1.0 / 2025-02-10

• deps:
  • type-is@^2.0.0
  • debug@^4.4.0
  • Removed destroy
• refactor: prefix built-in node module imports
• use the node require cache instead of custom caching

Commits

• eedea54 2.1.0
• 2e4fe6b fix(deps): update debug to ^4.4.0 (#579)
• a729397 fix: remove destroy after bad conflict resolution
• 2fd8701 fix: cleanup history.md
• f1380f5 fix: fix type-is incorrect conflict resolution
• 732a7cc ci: add CodeQL (SAST)
• 41abe6d Add caret for body-parser dependencies
• e0f261e Refactor decompression stream creation to remove code duplication
• 17c3999 cleanup: remove obsolete test env file
• 07a8f59 fix: remove obsolete dependency destroy
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for body-parser since your current version.

Updates cookie from 0.7.2 to 1.0.0

Release notes

Sourced from cookie's releases.

v1.0.0

Breaking changes

• Use modern JS features, ship TypeScript definition (#175) 1cc64ff
  • Adds __esModule marker, imports need to use import { parse, serialize } or import * as cookie
• Minimum node.js v18
• Uses null prototype object for parse return value
• Changes strict and priority to match the lower case strings (i.e. low, not LOW or Low)
• Require maxAge to be an integer using Number.isInteger check
• Delegates decode implementation details to decode option (i.e. error handling and quote parsing is defined by decode)
  • Delegate quote parsing to decode (#180) c4a2597
  • Shift try/catch to decode (#179) 93a5b97
• Improve arg/option error messages (#162) e206fd5 @​MaoShizhong

Other

• Remove hasOwnProperty, use undefined check for performance (#183) 8f3ee9e @​gurgunday

jshttp/cookie@v0.7.2...v1.0.0

Commits

• c69cef6 1.0.0
• 42025f7 Use workflow status for badge
• ad9c960 Update option documentation (#186)
• c4a2597 Delegate quote parsing to decode (#180)
• 88704d6 Use shields for badges (#185)
• 8f3ee9e Remove hasOwnProperty, use undefined (#183)
• 93a5b97 Shift try/catch to decode (#179)
• 0f56c6e Update top sites cookies (#182)
• 0ecf9bd Enable codecov (#178)
• 1cc64ff Use modern JS features, ship TS defs (#175)
• Additional commits viewable in compare view

Updates express from 4.21.2 to 5.0.0

Release notes

Sourced from express's releases.

5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

• Node.js version support: Dropped support for Node.js versions before v18.
• Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• Promise support: Middleware can now return rejected promises, caught by the router as errors.
• body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• Use object with null prototype for various app properties by @​EvanHahn in expressjs/express#4861
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639

... (truncated)

Changelog

Sourced from express's changelog.

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

5.0.0-beta.3 / 2024-03-25

This incorporates all changes after 4.19.1 up to 4.19.2.

5.0.0-beta.2 / 2024-03-20

This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14

This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.

• change:
  • Default "query parser" setting to 'simple'
  • Requires Node.js 4+
  • Use mime-types for file to content type mapping
• deps: array-flatten@3.0.0
• deps: body-parser@2.0.0-beta.1
  • req.body is no longer always initialized to {}

... (truncated)

Commits

• 344b022 5.0.0
• 0c49926 fix(deps): send@^1.1.0
• b3906cb fix(deps): serve-static@^2.1.0
• fed8c2a fix(deps): body-parser@^2.0.1
• bdd81f8 Delete back as a magic string (#5933)
• 6c98f80 🔧 update CI, remove unsupported versions, clean up
• f9256ef Merge branch '5.0' into 5-merge
• e5feb9f Merge tag '4.20.0' into 5.0
• 0264908 feat(deps)!: router@^2.0.0 (#5885)
• 4d713d2 update to fresh@2.0.0 (#5916)
• Additional commits viewable in compare view

Updates path-to-regexp from 6.3.0 to 8.0.0

Release notes

Sourced from path-to-regexp's releases.

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

• Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

• Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
• Parameter names follow JS identifier rules and allow unicode characters

Added

• Parameter names can now be quoted, e.g. :"foo-bar"
• Match accepts an array of values, so the signature is now string | TokenData | Array<string | TokenData>

Removed

• Removes loose mode
• Removes regular expression overrides of parameters

pillarjs/path-to-regexp@v7.1.0...v8.0.0

Support array inputs (again)

Added

• Support array inputs for match and pathToRegexp 3fdd88f

pillarjs/path-to-regexp@v7.1.0...v7.2.0

Strict mode

Added

• Adds a strict option to detect potential ReDOS issues

Fixed

• Fixes separator to default to suffix + prefix when not specified
• Allows separator to be undefined in TokenData
  • This is only relevant if you are building TokenData manually, previously parse filled it in automatically

Comments

• I highly recommend enabling strict: true and I'm probably releasing a V8 with it enabled by default ASAP as a necessary security mitigation

pillarjs/path-to-regexp@v7.0.0...v7.1.0

... (truncated)

Commits

• ed1095e 8.0.0
• 60f2121 Rewrite and simplify API
• 74f97b5 Create SECURITY.md
• fb4d11d Remove matches from tests
• 26551ec Code gen smaller and faster regexps
• 0d20b15 Split using a string
• 341f873 Test for double decoding
• 6b7a452 Throw on unmatched closing paren (#286)
• 208cc83 Refactor params to match up to next token
• cbf2c73 Add debug URL to all errors
• Additional commits viewable in compare view

Updates postcss from 8.4.33 to 8.4.34

Release notes

Sourced from postcss's releases.

8.4.34

• Fixed AtRule#nodes type (by @​tim-we).
• Cleaned up code (by @​DrKiraDmitry).

Changelog

Sourced from postcss's changelog.

8.4.34

• Fixed AtRule#nodes type (by Tim Weißenfels).
• Cleaned up code (by Dmitry Kirillov).

Commits

• 477b3bb Release 8.4.34 version
• 25af117 Update dependencies
• bb0314a Merge pull request #1922 from tim-we/improve-at-rule-types
• 9dd5a93 Fix at-rule test
• 8322d11 Fix visitor test
• ee7fcd4 Fix Document#nodes
• 5e7dde7 Remove whitespaces
• 8fda920 Add unit test
• b787a64 Remove whitespaces
• e288c8d Update AtRule#nodes documentation
• Additional commits viewable in compare view

Updates semver from 7.6.2 to 7.6.3

Release notes

Sourced from semver's releases.

v7.6.3

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@​jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@​stdavis)

Changelog

Sourced from semver's changelog.

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@​jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@​stdavis)

Commits

• 0a12d6c chore: release 7.6.3 (#720)
• 73a3d79 fix: optimize Range parsing and formatting (#726)
• 2975ece docs: fix extra backtick typo (#719)
• See full diff in compare view

Updates terser from 5.39.0 to 5.39.1

Changelog

Sourced from terser's changelog.

v5.39.1

• Fix bitwise operations that could mix BigInt and number

Commits

• baaac9c 5.39.1
• fe8bae2 update changelog
• 00a9ca4 take into account bitwise ops can have BigInt operands. Closes #1587
• 3c9fc20 add is_number_or_bigint check
• d528103 improve bigint detection (related to #1587, but not the fix)
• See full diff in compare view

Updates base-x from 3.0.9 to 3.0.11

Commits

• 043a888 3.0.11
• 2705ddd [backport 3.x] Prohibit char codes that would overflow the BASE_MAP
• 3d43c0e 3.0.10
• 0a35446 Improve decoding performance
• See full diff in compare view

Updates tar-fs from 2.1.2 to 2.1.3

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[netlify]

✅ Deploy Preview for phileco canceled.

Name	Link
🔨 Latest commit	c023796
🔍 Latest deploy log	https://app.netlify.com/projects/phileco/deploys/683ea059a755a4000882987e