Bump the npm_and_yarn group across 6 directories with 7 updates #189

Open: wants to merge 1 commit into base: main

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Sep 15, 2024

Bumps the npm_and_yarn group with 1 update in the / directory: pnpm.
Bumps the npm_and_yarn group with 2 updates in the /image-maker/functions directory: express and lodash.
Bumps the npm_and_yarn group with 1 update in the /image-sharp/functions directory: sharp.
Bumps the npm_and_yarn group with 1 update in the /okta-auth/functions directory: @okta/oidc-middleware.
Bumps the npm_and_yarn group with 1 update in the /template-handlebars/functions directory: express-handlebars.
Bumps the npm_and_yarn group with 1 update in the /testlab-to-slack/functions directory: axios.

Updates pnpm from 6.35.1 to 9.10.0

Release notes

Sourced from pnpm's releases.

pnpm 9.10

Minor Changes

  • Support for a new CLI flag, --exclude-peers, added to the list and why commands. When --exclude-peers is used, peer dependencies are not printed in the results, but dependencies of peer dependencies are still scanned #8506.

  • Added a new setting to package.json at pnpm.auditConfig.ignoreGhsas for ignoring vulnerabilities by their GHSA code #6838.

    For instance:

    {
      "pnpm": {
        "auditConfig": {
          "ignoreGhsas": [
            "GHSA-42xw-2xvc-qx8m",
            "GHSA-4w2v-q235-vp99",
            "GHSA-cph5-m8f7-6c5x",
            "GHSA-vh95-rmgr-6w4m"
          ]
        }
      }
    }

Patch Changes

  • Throw an exception if pnpm switches to the same version of itself.
  • Reduce memory usage during peer dependencies resolution.

... (truncated)

Commits
  • fe996fe chore(release): 9.10.0
  • 201d88e test: matchCatalogResolveResult test case (#8309)
  • 3af07cb feat: add an option to list and why to exclude peer dependencies from the...
  • db420ab refactor(cafs): create a separate function for creating index file path (#8508)
  • 681fba5 refactor: remove unused parameter (#8505)
  • 86732af chore: migrate ESLint Configuration to the new flat config format (#8482)
  • d500d9f feat(audit): add ability to ignore Github Security Advisory (#8483)
  • 2ed4594 test: pin micromatch latest tag (#8484)
  • 3247d44 chore(release): libs
  • 624e8b9 test: fix failures when retry downloading node (#8477)
  • Additional commits viewable in compare view

Updates express from 4.17.1 to 4.20.0

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

New Contributors

Full Changelog: expressjs/express@4.19.1...4.20.0

... (truncated)

Changelog

Sourced from express's changelog.

4.20.0 / 2024-09-10

  • deps: [email protected]
    • Remove link renderization in html while redirecting
  • deps: [email protected]
    • Remove link renderization in html while redirecting
  • deps: [email protected]
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: [email protected]
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

4.18.2 / 2022-10-08

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.


Updates lodash from 4.17.15 to 4.17.21

Commits
  • f299b52 Bump to v4.17.21
  • c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
  • 3469357 Prevent command injection through _.template's variable option
  • ded9bc6 Bump to v4.17.20.
  • 63150ef Documentation fixes.
  • 00f0f62 test.js: Remove trailing comma.
  • 846e434 Temporarily use a custom fork of lodash-cli.
  • 5d046f3 Re-enable Travis tests on 4.17 branch.
  • aa816b3 Remove /npm-package.
  • d7fbc52 Bump to v4.17.19
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.


Updates sharp from 0.23.4 to 0.32.6

Changelog

Sourced from sharp's changelog.

v0.32.6 - 18th September 2023

  • Upgrade to libvips v8.14.5 for upstream bug fixes.

  • Ensure composite tile images are fully decoded (regression in 0.32.0). #3767

  • Ensure withMetadata can add ICC profiles to RGB16 output. #3773

  • Ensure withMetadata does not reduce 16-bit images to 8-bit (regression in 0.32.5). #3773

  • TypeScript: Add definitions for block and unblock. #3799 @​ldrick

v0.32.5 - 15th August 2023

  • Upgrade to libvips v8.14.4 for upstream bug fixes.

  • TypeScript: Add missing WebpPresetEnum to definitions. #3748 @​pilotso11

  • Ensure compilation using musl v1.2.4. #3755 @​kleisauke

  • Ensure resize with a fit of inside respects 90/270 degree rotation. #3756

  • TypeScript: Ensure minSize property of WebpOptions is boolean. #3758 @​sho-xizz

  • Ensure withMetadata adds default sRGB profile. #3761

v0.32.4 - 21st July 2023

  • Upgrade to libvips v8.14.3 for upstream bug fixes.

  • Expose ability to (un)block low-level libvips operations by name.

  • Prebuilt binaries: restore support for tile-based output. #3581

v0.32.3 - 14th July 2023

... (truncated)

Commits

Updates @okta/oidc-middleware from 4.5.1 to 5.4.1

Release notes

Sourced from @​okta/oidc-middleware's releases.

5.4.0

#78 fix: replaces deprecated csurf package

5.3.0

Other

  • #77 - upgrades openid-client

5.2.1

Fix

  • 75 fix: adds types in output bundle

okta-oidc-middleware-5.2.0

Other

  • #74 feat: adds Node 20 support

5.1.0

  • #64 Added type declarations

5.0.1

  • #60 chore: dependency updates
  • #61 chore: adds Node 18 support

5.0.0

Breaking Changes

Changelog

Sourced from @​okta/oidc-middleware's changelog.

5.4.1

-#82 fix: includes types in output bundle (#75 wasn't properly backported)

5.4.0

-#78 fix: replaces deprecated csurf package

5.3.1

-#81 fix: includes types in output bundle (#75 wasn't properly backported)

5.3.0

-#77 upgrades openid-client

5.2.1

-#75 fix: includes types in output bundle

5.2.0

  • #74 feat: adds Node 20 support

5.1.0

-#64 Added type declarations

5.0.1

-#60 chore: dependency updates
-#61 chore: adds Node 18 support

5.0.0

Breaking Changes

4.6

-#53 Fix: prevents open redirects

Commits
  • c729605 Jp 5 4 type fix (#82)
  • 00393d9 Merge remote-tracking branch 'origin/5.2' into jp-backport-5-2-to-5-4
  • e7aba94 replaces deprecated csurf package (#78)
  • 3e0dac0 Releng: Revving up to version(s) 5.4.0 for artifact(s) None
  • 74911bb chore: dep upgrade (#77)
  • 71a6035 includes types in output bundle (#75)
  • c5dc4d9 Releng: Revving up to version(s) 5.3.0 for artifact(s) None
  • 834bc69 feat: adds support for Node 20 (#74)
  • 074880f chore: enables semgrep (#72)
  • 94b54bf Read secret from Vault (#71)
  • Additional commits viewable in compare view

Updates express-handlebars from 3.1.0 to 8.0.1

Release notes

Sourced from express-handlebars's releases.

v8.0.1

8.0.1 (2024-08-07)

Bug Fixes

v8.0.0

8.0.0 (2024-08-07)

Bug Fixes

BREAKING CHANGES

  • minimum node v20

v7.1.3

7.1.3 (2024-06-19)

Bug Fixes

  • deps: update dependency glob to ^10.4.2 (#782) (676a537)

v7.1.2

7.1.2 (2023-08-08)

Bug Fixes

  • use types from handlebars for helpers (#617) (bc38da4)

v7.1.1

7.1.1 (2023-08-02)

Bug Fixes

  • deps: update dependency handlebars to ^4.7.8 (#616) (54ef900)

v7.1.0

7.1.0 (2023-07-20)

Features

... (truncated)

Changelog

Sourced from express-handlebars's changelog.

8.0.1 (2024-08-07)

Bug Fixes

8.0.0 (2024-08-07)

Bug Fixes

BREAKING CHANGES

  • minimum node v20

7.1.3 (2024-06-19)

Bug Fixes

  • deps: update dependency glob to ^10.4.2 (#782) (676a537)

7.1.2 (2023-08-08)

Bug Fixes

  • use types from handlebars for helpers (#617) (bc38da4)

7.1.1 (2023-08-02)

Bug Fixes

  • deps: update dependency handlebars to ^4.7.8 (#616) (54ef900)

7.1.0 (2023-07-20)

Features

7.0.7 (2023-04-15)

... (truncated)

Commits
  • 8e7efb4 chore(release): 8.0.1 [skip ci]
  • efca370 fix: remove module type (#857)
  • 8abe846 chore(release): 8.0.0 [skip ci]
  • cb0358e fix: require node v20 (#854)
  • e90da8e chore(deps): update github/codeql-action action to v3 (#728)
  • b8032b3 chore(deps): update dependency glob to ^10.4.5 (#834)
  • 017c3ac chore: update eslint (#853)
  • fcf4d6d chore(deps): update devdependency @​types/node to ^18.19.43
  • 5ba9eed chore(deps): update devdependency ts-jest to ^29.2.4
  • 75076f8 chore(deps): update typescript-eslint monorepo to ^7.18.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by tonybrix, a new releaser for express-handlebars since your current version.


Updates axios from 0.19.2 to 1.7.7

Release notes

Sourced from axios's releases.

Release v1.7.7

Release notes:

Bug Fixes

  • fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
  • http: fixed support for IPv6 literal strings in url (#5731) (364993f)

Contributors to this release

Release v1.7.6

Release notes:

Bug Fixes

  • fetch: fix content length calculation for FormData payload; (#6524) (085f568)
  • fetch: optimize signals composing logic; (#6582) (df9889b)

Contributors to this release

Release v1.7.5

Release notes:

Bug Fixes

  • adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
  • core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
  • core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
  • fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

Contributors to this release

Release v1.7.4

Release notes:

Bug Fixes

Contributors to this release

... (truncated)

Changelog

Sourced from axios's changelog.

1.7.7 (2024-08-31)

Bug Fixes

  • fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#6584) (d198085)
  • http: fixed support for IPv6 literal strings in url (#5731) (364993f)

Contributors to this release

1.7.6 (2024-08-30)

Bug Fixes

  • fetch: fix content length calculation for FormData payload; (#6524) (085f568)
  • fetch: optimize signals composing logic; (#6582) (df9889b)

Contributors to this release

1.7.5 (2024-08-23)

Bug Fixes

  • adapter: fix undefined reference to hasBrowserEnv (#6572) (7004707)
  • core: add the missed implementation of AxiosError#status property; (#6573) (6700a8a)
  • core: fix ReferenceError: navigator is not defined for custom environments; (#6567) (fed1a4b)
  • fetch: fix credentials handling in Cloudflare workers (#6533) (550d885)

Contributors to this release

1.7.4 (2024-08-13)

Bug Fixes

... (truncated)

Commits
  • 5b8a826 chore(release): v1.7.7 (#6585)
  • 364993f fix(http): fixed support for IPv6 literal strings in url (#5731)
  • d198085 fix(fetch): fix stream handling in Safari by fallback to using a stream reade...
  • d584fcf chore(release): v1.7.6 (#6583)
  • bc03c6c chore(examples): fix module import (#6575)
  • df9889b fix(fetch): optimize signals composing logic; (#6582)
  • ee208cf chore(sponsor): update sponsor block (#6576)
  • 085f568 fix(fetch): fix content length calculation for FormData payload; (#6524)
  • 59cd6b0 chore(release): v1.7.5 (#6574)
  • 6700a8a fix(core): add the missed implementation of AxiosError#status property; (#6573)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by jasonsaayman, a new releaser for axios since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [pnpm](https://github.com/pnpm/pnpm).
Bumps the npm_and_yarn group with 2 updates in the /image-maker/functions directory: [express](https://github.com/expressjs/express) and [lodash](https://github.com/lodash/lodash).
Bumps the npm_and_yarn group with 1 update in the /image-sharp/functions directory: [sharp](https://github.com/lovell/sharp).
Bumps the npm_and_yarn group with 1 update in the /okta-auth/functions directory: [@okta/oidc-middleware](https://github.com/okta/okta-oidc-middleware).
Bumps the npm_and_yarn group with 1 update in the /template-handlebars/functions directory: [express-handlebars](https://github.com/express-handlebars/express-handlebars).
Bumps the npm_and_yarn group with 1 update in the /testlab-to-slack/functions directory: [axios](https://github.com/axios/axios).


Updates `pnpm` from 6.35.1 to 9.10.0
- [Release notes](https://github.com/pnpm/pnpm/releases)
- [Commits](pnpm/pnpm@v6.35.1...v9.10.0)

Updates `express` from 4.17.1 to 4.20.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.17.1...4.20.0)

Updates `lodash` from 4.17.15 to 4.17.21
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.21)

Updates `sharp` from 0.23.4 to 0.32.6
- [Release notes](https://github.com/lovell/sharp/releases)
- [Changelog](https://github.com/lovell/sharp/blob/main/docs/changelog.md)
- [Commits](lovell/sharp@v0.23.4...v0.32.6)

Updates `@okta/oidc-middleware` from 4.5.1 to 5.4.1
- [Release notes](https://github.com/okta/okta-oidc-middleware/releases)
- [Changelog](https://github.com/okta/okta-oidc-middleware/blob/master/CHANGELOG.md)
- [Commits](okta/okta-oidc-middleware@okta-oidc-middleware-4.5.1...okta-oidc-middleware-5.4.1)

Updates `express-handlebars` from 3.1.0 to 8.0.1
- [Release notes](https://github.com/express-handlebars/express-handlebars/releases)
- [Changelog](https://github.com/express-handlebars/express-handlebars/blob/master/CHANGELOG.md)
- [Commits](express-handlebars/express-handlebars@v3.1.0...v8.0.1)

Updates `axios` from 0.19.2 to 1.7.7
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.19.2...v1.7.7)

---
updated-dependencies:
- dependency-name: pnpm
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: sharp
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@okta/oidc-middleware"
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express-handlebars
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 15, 2024