Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update backend dependencies (major) #1212

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update backend dependencies (major) #1212

wants to merge 1 commit into from

Conversation

ggrossetie
Copy link
Collaborator

@ggrossetie ggrossetie commented Jan 27, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
@graphql-tools/schema (source) dependencies major ^9.0.12 -> ^10.0.0
@shelf/jest-mongodb devDependencies major ~4.3 -> ~5.1.0
bcryptjs dependencies major ^2.4.3 -> ^3.0.0
connect-mongo dependencies major ^3.2.0 -> ^5.0.0
css-tree dependencies major ^2.3.1 -> ^3.0.0
dompurify dependencies major ^2.4.3 -> ^3.0.0
eslint (source) devDependencies major ~8.57 -> ~9.22.0
jsdom dependencies major ^21.0.0 -> ^26.0.0
mongoose (source) dependencies major ^5.11.1 -> ^8.0.0
npm (source) volta major 10.9.2 -> 11.2.0
pino (source) dependencies major ^7.11.0 -> ^9.0.0
pino-http dependencies major ^7.0.0 -> ^10.0.0
y-websocket dependencies major ^1.5.0 -> ^2.0.0

Release Notes

ardatan/graphql-tools (@​graphql-tools/schema)

v10.0.21

Compare Source

Patch Changes

v10.0.20

Compare Source

Patch Changes

v10.0.19

Compare Source

Patch Changes

v10.0.18

Compare Source

Patch Changes

v10.0.17

Compare Source

Patch Changes

v10.0.16

Compare Source

Patch Changes

v10.0.15

Compare Source

Patch Changes

v10.0.14

Compare Source

Patch Changes

v10.0.13

Compare Source

Patch Changes

v10.0.12

Compare Source

Patch Changes

v10.0.11

Compare Source

Patch Changes

v10.0.10

Compare Source

Patch Changes

v10.0.9

Compare Source

Patch Changes

v10.0.8

Compare Source

Patch Changes

v10.0.7

Compare Source

Patch Changes

v10.0.6

Compare Source

Patch Changes

v10.0.5

Compare Source

Patch Changes

v10.0.4

Compare Source

Patch Changes

v10.0.3

Compare Source

Patch Changes

v10.0.2

Compare Source

Patch Changes

v10.0.1

Compare Source

Patch Changes

v10.0.0

Compare Source

Major Changes
Patch Changes
shelfio/jest-mongodb (@​shelf/jest-mongodb)

v5.1.0

What's Changed

  • [BREAKING CHANGE] Node 22 is now required
  • Update mongo dependency to v6.14.0

v5.0.0

  • Switched node version 18->22
dcodeIO/bcrypt.js (bcryptjs)

v3.0.2

Compare Source

Bug fixes
  • Use upstream fix to emit interop helpers (28e5103)

v3.0.1

Compare Source

Bug fixes
  • Separate ESM and UMD type definitions (e7055ca)

v3.0.0

Compare Source

Breaking changes
  • Modernize project structure (2f45985)
    The project now exports an ECMAScript module by default, albeit with an UMD fallback, ships with types, the dist/ directory no longer exists in version control, and Closure Compiler externs have been removed.
  • Generate 2b hashes by default (d36bfb4)
    This library was not affected by the bug that led to incrementing the bcrypt version from 2a to 2b, but nowadays most implementations use 2b, including the native bcrypt binding, so this change aligns with them. Existing hashes will continue to work, but test logic that generates hashes and compares them literally might need to be updated to account for the new default.
Features
  • Add helper to check for password input length (d5656b3)
Other
  • Update publish workflow (2a9bea9)
  • Add note on using the ESM variant in the browser (e09eb9a)
  • Update types (58333a1)
  • Merge lint and test workflows (2e3b176)
  • Fix tests (ec02e8a)
  • Update legacy fallback to handle crypto dependency (9db275f)
  • Update lint workflow title (ac70ac5)
  • Adapt crypto module usage for ESM environments (574d690)
  • Format with prettier (e746547)
  • Rename default branch to 'main' (548559d)
  • Update description to mention TypeScript support (4977df0)
  • Add stale action for issues and PRs (a84d4e4)
  • Fix typo (c8c9c01)
  • Fix Node.js version in CI (1b54cc4)
Backlog from v2
  • Added externs to .npmignore (#​124) (7e2e93a)
    The npm package does not need externs as it is needed only for closure compiler. Added it in .npmignore since bcryptjs overrides global module and process in WebStorm IDE.
  • Make sure the bin script uses LF (684fac6)
  • Post-merge; Clean up a bit (b09f7f2)
  • Improve safeStringCompare using xor (#​77) (648482a)
  • Added bin entry (49a1d1a)
jdesboeufs/connect-mongo (connect-mongo)

v5.1.0

Compare Source

Changed
  • Extend mongodb peer dependency allowed versions to 6.x
  • Upgrade dependency

v5.0.0

Compare Source

BREAKING CHANGES
  • Upgraded peer dependency mongodb to 5.0.0
  • Change engines to require Node 12.9 or newer, matching the upgrade to mongodb that occurred in v4.5.0
Fixed
  • Declare express-session as a peer dependency.

v4.6.0

Compare Source

Changed
  • Moved mongodb to a peer dependency (and also as a dev dependency for connect-mongo developers). connect-mongo is no longer pinned to a specific version of mongodb. This allows end users to avoid errors due to Typescript definition changes when moving to new versions of mongodb. Users can use any version of mongodb that provides a compatible (non-breaking) interface to mongodb ^4.1.0. Tested on mongodb 4.1.0 and 4.1.1. Should fix: #​433 #​434 #​436
Fixed
  • Fixed "Callback was already called" when some code throws immediately after calling the set function

v4.5.0

Compare Source

BREAKING CHANGES
  • Drop Node 10 support
Changed
Fixed
  • Move writeConcern away from top-level option to fix deprecation warning #​422

v4.4.1

Compare Source

Fixed
  • store.all() method not working with encrypted store #​410 #​411
  • Update and unpin mongodb dependency due to upstream fix has been deployed #​409

v4.4.0

Compare Source

BREAKING CHANGES
  • Use export = for better cjs require without .default
Added
  • Add typescript example

v4.3.1

Compare Source

Fixed
  • Fix incorrect assertion checking after adding client options

v4.3.0

Compare Source

Added
  • Add client option for non-promise client

v4.2.2

Compare Source

Fixed
  • Fix crypto parsing error by upgrading kruptein to v3.0.0 and change encodeas to base64

v4.2.1

Compare Source

v4.2.0

Compare Source

Added
  • Added mongoose example
  • Revert createAutoRemoveIdx and add back autoRemove and autoRemoveInterval
Fixed
  • Use matchedCount instead of modifiedCount to avoid throwing exceptions when nothing to modify #​390
  • Fixed Warning: Accessing non-existent property 'MongoError' of module exports inside circular dependency by downgrade to [email protected]
  • Revert update session when touch #​351
  • Fix cannot read property lastModified of null
  • Fix TS typing error

v4.1.0

Compare Source

BREAKING CHANGES
  • Support Node.Js 10.x, 12.x and 14.x and drop older support.
  • Review method to connect to MongoDB and keep only mongoUrl and clientPromise options.
  • Remove the "Remove expired sessions compatibility mode". Now library user can choose to create auto remove index on startup or not.
  • Remove fallbackMemory options.
  • Rewrite the library and test case using typescript.

Checkout the complete migration guide for more details.

v4.0.0

Compare Source

csstree/csstree (css-tree)

v3.1.0

Compare Source

  • Added support for boolean expression multiplier in syntax definition, i.e. <boolean-expr[ test ]> (#​304)
  • Added source, startOffset, startLine, and startColumn parameters to OffsetToLocation constructor, eliminating the need to call setSource() after creating a new OffsetToLocation instance
  • Exposed OffsetToLocation class in the main entry point, which was previously accessible only via css-tree/tokenizer
  • Fixed Raw node value consumption by ignoring stop tokens inside blocks, resolving an issue where Raw value consumption stopped prematurely. This fix also enables parsing of functions whose content includes stop characters (e.g., semicolons and curly braces) within declaration values, aligning with the latest draft of CSS Values and Units Module Level 5.
  • Fixed TokenStream#balance computation to handle unmatched brackets correctly. Previously, when encountering a closing bracket, the TokenStream would prioritize it over unmatched opening brackets, leading to improper parsing. For example, the parser would incorrectly consume the declaration value of .a { prop: ([{); } as ([{) instead of consuming it until all opened brackets were closed (([{); }). Now, unmatched closing brackets are discarded unless they match the most recent opening bracket on the stack. This change aligns CSSTree with CSS specifications and browser behavior.
  • Fixed syntax definition parser to allow a token to be followed by a multiplier (#​303)
  • Fixed location for Layer node (#​310)
  • Bumped mdn/data to 2.12.2

v3.0.1

Compare Source

  • Bumped mdn/data to 2.12.1
  • Added errors array to the Lexer#validate() method result, providing details on problematic syntax.
  • Added CSS wide keyword customization and introspection:
    • Added a Lexer#cssWideKeywords dictionary to list CSS-wide keywords
    • Updated the Lexer's constructor to consider config.cssWideKeywords for overriding the default list
    • Expanded the lexer's dump output to include the cssWideKeywords dictionary
    • Modified the fork() method to accept a cssWideKeywords option, allowing the addition of new keywords to the existing list
  • Reverted changes to Block to include { and }, and Atrule and Rule to exclude { and } for a block (#​296)
  • Removed second parameter (assign) for the callback in the fork() method (e.g., syntax.fork((config, assign) => { ... })), as it simply refers to Object.assign()
  • Fixes in syntaxes: <basic-shapes>, <absolute-color-function> and <'stroke-opacity'>

v3.0.0

Compare Source

  • Added support for the @container at-rule
  • Added support for the @starting-style at-rule
  • Added support for the @scope at-rule
  • Added support for the @position-try at-rule
  • Added support for the @layer at-rule
  • Added support for layer, layer() and supports() in the @media at-rule (according to the @​import rule in Cascading and Inheritance 5)
  • Added Layer and LayerList node types
  • Added TokenStream#lookupTypeNonSC() method
  • Added <dashed-ident> to generic types
  • Bumped mdn/data to 2.10.0
  • Aligned <'font'> to CSS Fonts 4
  • Aligned <color> to CSS Color 5
  • Fixed initialization when Object.prototype is extended or polluted (#​262)
  • Fixed fork() method to consider the generic option when creating a Lexer instance (#​266)
  • Fixed crash on parse error when custom line or offset is specified via options (#​251)
  • Fixed speak syntax patch (#​241)
  • Fixed :lang() to accept a list of <ident> or <string> per spec (#​265)
  • Fixed lexer matching for syntaxes referred to as <'property'>, when the syntax has a top-level #-multiplier (#​102)
  • Relaxed parsing of syntax definition to allow whitespaces in range multiplier (#​270)
  • Changed parseWithFallback() to rollback tokenIndex before calling a fallback
  • Changed Block to not include { and }
  • Changed Atrule and Rule to include { and } for a block
  • Changed Ratio parsing:
    • Left and right parts contain nodes instead of strings
    • Both left and right parts of a ratio can now be any number; validation of number range is no longer within the parser's scope.
    • Both parts can now be functions. Although not explicitly mentioned in the specification, mathematical functions can replace numbers, addressing potential use cases (#​162).
    • As per the CSS Values and Units Level 4 specification, the right part of Ratio can be omitted. While this can't be a parser output (which would produce a Number node), it's feasible during Ratio node construction or transformation.
  • Changes to query-related at-rules:

    • Added new node types:

      • Feature: represents features like (feature) and (feature: value), fundamental for both @media and @container at-rules
      • FeatureRange: represents features in a range context
      • FeatureFunction: represents functional features such as @supports's selector() or @container's style()
      • Condition: used across all query-like at-rules, encapsulating queries with features and the not, and, and or operators
      • GeneralEnclosure: represents the <general-enclosed> production, which caters to unparsed parentheses or functional expressions

      Note: All new nodes include a kind property to define the at-rule type. Supported kinds are media, supports, and container.

    • Added support for functions for features and features in a range context, e.g. (width: calc(100cm / 6))

    • Added a condition value for the parser's context option to parse queries. Use the kind option to specify the condition type, e.g., parse('...', { context: 'condition', kind: 'media' }).

    • Introduced a features section in the syntax configuration for defining functional features of at-rules. Expand definitions using the fork() method. The current definition is as follows:

      features: {
    supports: { selector() { /* ... */ } },
    container: { style() { /* ... */ } }
}

    • Changes for @media at-rule:

      • Enhanced prelude parsing for complex queries. Parentheses with errors will be parsed as GeneralEnclosed.
      • Added support for features in a range context, e.g. (width > 100px) or (100px < height < 400px)
      • Transitioned from MediaFeature node type to the Feature node type with kind: "media".
      • Changed MediaQuery node structure into the following form: 
        type MediaQuery = {
    type: "MediaQuery";
    modifier: string | null; // e.g. "not", "only", etc.
    mediaType: string | null; // e.g. "all", "screen", etc.
    condition: Condition | null;
}

    • Changes for @supports at-rule:

      • Enhanced prelude parsing for complex queries. Parentheses with errors will be parsed as GeneralEnclosed.
      • Added support for features in a range context, e.g. (width > 100px) or (100px < height < 400px)
      • Added SupportsDeclaration node type to encapsulate a declaration in a query, replacing Parentheses.
      • Parsing now employs Condition or SupportsDeclaration nodes of kind supports instead of Parentheses.
      • Added support for the selector() feature via the FeatureFunction node (configured in features.supports.selector).
cure53/DOMPurify (dompurify)

v3.2.4: DOMPurify 3.2.4

Compare Source

  • Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
  • Added a new feature to allow specific hook removal, thanks @​davecardwell
  • Added purify.js and purify.min.js to exports, thanks @​Aetherinox
  • Added better logic in case no window object is president, thanks @​yehuya
  • Updated some dependencies called out by dependabot
  • Updated license files etc to show the correct year

v3.2.3: DOMPurify 3.2.3

Compare Source

v3.2.2: DOMPurify 3.2.2

Compare Source

  • Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
  • Fixed several minor issues with the type definitions, thanks again @​reduckted
  • Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
  • Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

v3.2.1: DOMPurify 3.2.1

Compare Source

v3.2.0: DOMPurify 3.2.0

Compare Source

v3.1.7: DOMPurify 3.1.7

Compare Source

  • Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
  • Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
  • Added better support for Angular compiler, thanks @​jeroen1602
  • Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
  • Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
  • Bumped several dependencies to be more up to date

v3.1.6: DOMPurify 3.1.6

Compare Source

  • Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
  • Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
  • Fixed a minor problem with the bower file pointing to the wrong dist path
  • Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
  • Updated several development dependencies

v3.1.5: DOMPurify 3.1.5

Compare Source

  • Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
  • Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

v3.1.4: DOMPurify 3.1.4

Compare Source

  • Fixed an issue with the recently implemented isNaN checks, thanks @​tulach
  • Added several new popover attributes to allow-list, thanks @​Gigabyte5671
  • Fixed the tests and adjusted the test runner to cover all branches

v3.1.3: DOMPurify 3.1.3

Compare Source

  • Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
  • Added better configurability for comment scrubbing default behavior
  • Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
  • Added better handling and readability of the nodeType property, thanks @​ssi02014
  • Fixed some smaller issues in README and other documentation

v3.1.2: DOMPurify 3.1.2

Compare Source

  • Addressed and fixed a mXSS variation found by @​kevin-mizu
  • Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
  • Updated tests for older Safari and Chrome versions

v3.1.1: DOMPurify 3.1.1

Compare Source

  • Fixed an mXSS sanitiser bypass reported by @​icesfont
  • Added new code to track element nesting depth
  • Added new code to enforce a maximum nesting depth of 255
  • Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

v3.1.0: DOMPurify 3.1.0

Compare Source

  • Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
  • Updated README to warn about happy-dom not being safe for use with DOMPurify yet
  • Updated the LICENSE file to show the accurate year number
  • Updated several build and test dependencies

v3.0.11: DOMPurify 3.0.11

Compare Source

  • Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
  • Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

v3.0.10: DOMPurify 3.0.10

Compare Source

  • Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser
  • Bumped up some build and test dependencies

v3.0.9: DOMPurify 3.0.9

Compare Source

  • Fixed a problem with proper detection of Custom Elements, thanks @​kevin-mizu
  • Refactored the hasOwnProperty logic, thanks @​ssi02014
  • Removed a superfluous console.warn making HappyDom happier, thanks @​HugoPoi
  • Modernized some of the demo hooks for better looks, thanks @​Steb95

v3.0.8: DOMPurify 3.0.8

Compare Source

  • Fixed errors caused by conditional exports, thanks @​ssi02014
  • Fixed a type error when working with custom element config, thanks @​cpmotion

v3.0.7: DOMPurify 3.0.7

Compare Source

  • Added better protection against CSPP attacks, thanks @​kevin-mizu
  • Updated browser versions for automated tests
  • Updated Node versions for automated tests
  • Refactored code base, thanks @​ssi02014
  • Refactored build system & deployment, thanks @​ssi02014

v3.0.6: DOMPurify 3.0.6

Compare Source

  • Refactored the core code-base and several utilities, thanks @​ssi02014
  • Updated and fixed several sections of the README, thanks @​ssi02014
  • Updated several outdated build and test dependencies

v3.0.5: DOMPurify 3.0.5

Compare Source

  • Fixed a licensing issue spotted and reported by @​george-thomas-hill
  • Updated several build and test dependencies

v3.0.4: DOMPurify 3.0.4

Compare Source

  • Fixed a bypass in jsdom 22 in case the noframes element is permitted, thanks @​leeN
  • Fixed a typo with shadowrootmod which should be shadowrootmode, thanks @​masatokinugawa

v3.0.3: DOMPurify 3.0.3

Compare Source

  • Added new TRUSTED_TYPES_POLICY configuration option, thanks @​dejang
  • Added feDropShadow to the SVG filter allow-list, thanks @​SelfMadeSystem

v3.0.2: DOMPurify 3.0.2

Compare Source

  • Fixed an issue with ALLOWED_URI_REGEXP not being reset, thanks @​mukilane
  • Added mprescripts tag to allowed MathML elements, thanks @​duyhai94
  • Added SMS URI scheme to allowed URI schemes, tanks @​Kiwka
  • Updated supported browser versions for nicer code and smaller size, thanks @​buzinas

v3.0.1: DOMPurify 3.0.1

Compare Source

  • Fixed a problem with improper reset of custom HTML options, thanks @​ammaraskar

v3.0.0: DOMPurify 3.0.0

Compare Source

  • Removed all code that is for MSIE-only
  • Removed all tests that are for MSIE-only
  • Modified documentation to reflect new state of MSIE support
  • Added support for ALLOW_SELF_CLOSE_IN_ATTR flag, thanks @​edg2s @​AndreVirtimo
  • Added better support for shadowrootmode, thanks @​mfreed7

NOTE Please use the 2.4.4 release if you still need MSIE support, 3.0.0 comes without the MSIE overhead

eslint/eslint (eslint)

v9.22.0

Compare Source

Features
  • 7ddb095 feat: Export defineConfig, globalIgnores (#​19487) (Nicholas C. Zakas)
Bug Fixes
  • 19c0127 fix: improve message for no-console suggestions (#​19483) (Francesco Trotta)
  • 49e624f fix: improve error message for falsy parsed JS AST (#​19458) (Josh Goldberg ✨)
Documentation
  • 86c5f37 docs: Update README (GitHub Actions Bot)
  • fbdeff0 docs: Update README (GitHub Actions Bot)
  • c9e8510 docs: generate deprecation notice in TSDoc comments from rule metadata (#​19461) (Francesco Trotta)
  • [2f386ad](https://redirect

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@netlify Netlify
Copy link

netlify bot commented Jan 27, 2025
edited
Loading

Deploy Preview for stylo-docs canceled.

Name Link
🔨 Latest commit b18bf4c
🔍 Latest deploy log https://app.netlify.com/sites/stylo-docs/deploys/67cbaa2efa40a900084b68f8

@ggrossetie ggrossetie force-pushed the renovate/major-backend-dependencies branch from c90fe12 to cbcef31 Compare January 30, 2025 02:31
@ggrossetie ggrossetie force-pushed the renovate/major-backend-dependencies branch 4 times, most recently from b9cb318 to 8f8c614 Compare February 14, 2025 02:36
@ggrossetie ggrossetie force-pushed the renovate/major-backend-dependencies branch 3 times, most recently from fc44eb3 to e34aa50 Compare February 25, 2025 02:35
@ggrossetie ggrossetie force-pushed the renovate/major-backend-dependencies branch from e34aa50 to 28ef755 Compare March 6, 2025 02:37
@ggrossetie ggrossetie force-pushed the renovate/major-backend-dependencies branch from 28ef755 to b18bf4c Compare March 8, 2025 02:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ggrossetie