Bump the npm_and_yarn group across 1 directory with 5 updates #7

dependabot · 2024-09-10T21:49:04Z

Bumps the npm_and_yarn group with 5 updates in the /workshop/VulnerableAppTwo directory:

Package	From	To
express	`4.16.0`	`4.20.0`
lodash	`4.17.10`	`4.17.21`
marked	`0.3.6`	`4.0.10`
mongoose	`5.0.16`	`5.13.20`
request	`2.81.0`	`2.88.2`

Updates express from 4.16.0 to 4.20.0

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

deps: encodeurl@~2.0.0 by @blakeembrey in expressjs/express#5569

skip QUERY method test by @jonchurch in expressjs/express#5628

ignore ETAG query test on 21 and 22, reuse skip util by @jonchurch in expressjs/express#5639

add support Node.js@22 in the CI by @mertcanaltin in expressjs/express#5627

doc: add table of contents, tc/triager lists to readme by @mertcanaltin in expressjs/express#5619

List and sort all projects, add captains by @blakeembrey in expressjs/express#5653

docs: add @UlisesGascon as captain for cookie-parser by @UlisesGascon in expressjs/express#5666

✨ bring back query tests for node 21 by @ctcpip in expressjs/express#5690

[v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @jonchurch in expressjs/express#5672

skip QUERY tests for Node 21 only, still not supported by @jonchurch in expressjs/express#5695

📝 update people, add ctcpip to TC by @ctcpip in expressjs/express#5683

remove minor version pinning from ci by @jonchurch in expressjs/express#5722

Fix link variable use in attribution section of CODE OF CONDUCT by @IamLizu in expressjs/express#5762

Replace Appveyor windows testing with GHA by @jonchurch in expressjs/express#5599

Add OSSF Scorecard badge by @UlisesGascon in expressjs/express#5436

update scorecard link by @bjohansebas in expressjs/express#5814

Nominate @IamLizu to the triage team by @UlisesGascon in expressjs/express#5836

deps: [email protected] by @blakeembrey in expressjs/express#5603

docs: specify new instructions for question and discuss by @IamLizu in expressjs/express#5835

4.x: Upgrade merge-descriptors dependency by @RobinTail in expressjs/express#5781

[email protected] by @blakeembrey in expressjs/express#5902

New Contributors

@marco-ippolito made their first contribution in expressjs/express#5565

@inigomarquinez made their first contribution in expressjs/express#5590

@mertcanaltin made their first contribution in expressjs/express#5627

@ctcpip made their first contribution in expressjs/express#5690

@bjohansebas made their first contribution in expressjs/express#5814

Full Changelog: expressjs/express@4.19.1...4.20.0

... (truncated)

Changelog

Sourced from express's changelog.

4.20.0 / 2024-09-10

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: [email protected]

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

Prevent open redirect allow list bypass due to encodeurl

deps: [email protected]

4.18.3 / 2024-02-29

Fix routing requests without method

deps: [email protected]

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

deps: [email protected]

deps: [email protected]

Add partitioned option

4.18.2 / 2022-10-08

Fix regression routing a large stack in a single route

deps: [email protected]

... (truncated)

Commits

21df421 4.20.0
4c9ddc1 feat: upgrade to [email protected]
9ebe5d5 feat: upgrade to [email protected] (#5928)
ec4a01b feat: upgrade to [email protected] (#5926)
54271f6 fix: don't render redirect values in anchor href
125bb74 [email protected] (#5902)
2a980ad [email protected] (#5781)
a3e7e05 docs: specify new instructions for question and discuss
c5addb9 deps: [email protected] (#5603)
e35380a docs: add @IamLizu to the triage team (#5836)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates lodash from 4.17.10 to 4.17.21

Commits

f299b52 Bump to v4.17.21
c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
3469357 Prevent command injection through _.template's variable option
ded9bc6 Bump to v4.17.20.
63150ef Documentation fixes.
00f0f62 test.js: Remove trailing comma.
846e434 Temporarily use a custom fork of lodash-cli.
5d046f3 Re-enable Travis tests on 4.17 branch.
aa816b3 Remove /npm-package.
d7fbc52 Bump to v4.17.19
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates marked from 0.3.6 to 4.0.10

Release notes

Sourced from marked's releases.

v4.0.10

4.0.10 (2022-01-13)

Bug Fixes

security: fix redos vulnerabilities (8f80657)

v4.0.9

4.0.9 (2022-01-06)

Bug Fixes

retain line breaks in tokens properly (#2341) (a9696e2)

v4.0.8

4.0.8 (2021-12-19)

Bug Fixes

spaces on a newline after a table (#2319) (f82ea2c)

v4.0.7

4.0.7 (2021-12-09)

Bug Fixes

Fix every third list item broken (#2318) (346b162), closes #2314

v4.0.6

4.0.6 (2021-12-02)

Bug Fixes

speed up parsing long lists (#2302) (e0005d8)

v4.0.5

4.0.5 (2021-11-25)

Bug Fixes

table after paragraph without blank line (#2298) (5714212)

v4.0.4

4.0.4 (2021-11-19)

... (truncated)

Commits

ae01170 chore(release): 4.0.10 [skip ci]
fceda57 🗜️ build [skip ci]
8f80657 fix(security): fix redos vulnerabilities
c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
98996b8 chore(deps-dev): Bump @babel/preset-env from 7.16.5 to 7.16.7 (#2353)
ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
e5171a9 chore(release): 4.0.9 [skip ci]
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by tonybrix, a new releaser for marked since your current version.

Updates mongoose from 5.0.16 to 5.13.20

Changelog

Sourced from mongoose's changelog.

8.6.1 / 2024-09-03

fix(document): avoid unnecessary clone() in applyGetters() that was preventing getters from running on 3-level deep subdocuments #14844 #14840 #14835

fix(model): throw error if bulkSave() did not insert or update any documents #14837 #14763

fix(cursor): throw error in ChangeStream constructor if changeStreamThunk() throws a sync error #14846

types(query): add $expr to RootQuerySelector #14845

docs: update populate.md to fix missing match: { } #14847 makhoulshbeeb

8.6.0 / 2024-08-28

feat: upgrade mongodb -> 6.8.0, handle throwing error on closed cursor in Mongoose with MongooseError instead of MongoCursorExhaustedError #14813

feat(model+query): support options parameter for distinct() #14772 #8006

feat(QueryCursor): add getDriverCursor() function that returns the raw driver cursor #14745

types: change query selector to disallow unknown top-level keys by default #14764 alex-statsig

types: make toObject() and toJSON() not generic by default to avoid type widening #14819 #12883

types: avoid automatically inferring lean result type when assigning to explicitly typed variable #14734

8.5.5 / 2024-08-28

fix(populate): fix a couple of other places where Mongoose gets the document's _id with getters #14833 #14827 #14759

fix(discriminator): shallow clone Schema.prototype.obj before merging schemas to avoid modifying original obj #14821

types: fix schema type based on timestamps schema options value #14829 #14825 ark23CIS

8.5.4 / 2024-08-23

fix: add empty string check for collection name passed #14806 Shubham2552

docs(model): add 'throw' as valid strict value for bulkWrite() and add some more clarification on throwOnValidationError #14809

7.8.1 / 2024-08-19

fix(query): handle casting $switch in $expr #14761

docs(mongoose): remove out-of-date callback-based example for mongoose.connect() #14811 #14810

8.5.3 / 2024-08-13

fix(document): call required functions on subdocuments underneath nested paths with correct context #14801 #14788

fix(populate): avoid throwing error when no result and lean() set #14799 #14794 #14759 MohOraby

fix(document): apply virtuals to subdocuments if parent schema has virtuals: true for backwards compatibility #14774 #14771 #14623 #14394

types: make HydratedSingleSubdocument and HydratedArraySubdocument merge types instead of using & #14800 #14793

types: support schema type inference based on schema options timestamps as well #14773 #13215 ark23CIS

types(cursor): indicate that cursor.next() can return null #14798 #14787

types: allow mongoose.connection.db to be undefined #14797 #14789

docs: add schema type widening advice #14790 JstnMcBrd

8.5.2 / 2024-07-30

perf(clone): avoid further unnecessary checks if cloning a primitive value #14762 #14394

fix: allow setting document array default to null #14769 #14717 #6691

fix(model): support session: null option for save() to opt out of automatic session option with transactionAsyncLocalStorage #14744 #14736

fix(model+document): avoid depopulating manually populated doc as getter value #14760 #14759

... (truncated)

Commits

0f3997a chore: release 5.13.20
f1efabf fix: avoid prototype pollution on init
98e0762 chore: release 5.13.19
7e36d21 chore: release 5.13.18
6759c60 undo accidental changes and actually pin @types/json-schema
4ed4a89 chore: pin version of @types/json-schema because of install issues on node v4...
9a9536d Merge pull request #13535 from lorand-horvath/patch-12
26424d5 5.x - bump mongodb driver to 3.7.4
4b8b0a9 add versionNumber to 5.x
1bc07ec chore: release 5.13.17
Additional commits viewable in compare view

Updates request from 2.81.0 to 2.88.2

Changelog

Sourced from request's changelog.

Change Log

v2.88.0 (2018/08/10)

#2996 fix(uuid): import versioned uuid (@kwonoj)

#2994 Update to oauth-sign 0.9.0 (@dlecocq)

#2993 Fix header tests (@simov)

#2904 #515, #2894 Strip port suffix from Host header if the protocol is known. (#2904) (@paambaati)

#2791 Improve AWS SigV4 support. (#2791) (@vikhyat)

#2977 Update test certificates (@simov)

v2.87.0 (2018/05/21)

#2943 Replace hawk dependency with a local implemenation (#2943) (@hueniverse)

v2.86.0 (2018/05/15)

#2885 Remove redundant code (for Node.js 0.9.4 and below) and dependency (@ChALkeR)

#2942 Make Test GREEN Again! (@simov)

#2923 Alterations for failing CI tests (@gareth-robinson)

v2.85.0 (2018/03/12)

#2880 Revert "Update hawk to 7.0.7 (#2880)" (@simov)

v2.84.0 (2018/03/12)

#2793 Fixed calculation of oauth_body_hash, issue #2792 (@dvishniakov)

#2880 Update hawk to 7.0.7 (#2880) (@kornel-kedzierski)

v2.83.0 (2017/09/27)

#2776 Updating tough-cookie due to security fix. (#2776) (@karlnorling)

v2.82.0 (2017/09/19)

#2703 Add Node.js v8 to Travis CI (@ryysud)

#2751 Update of hawk and qs to latest version (#2751) (@Olivier-Moreau)

#2658 Fixed some text in README.md (#2658) (@Marketionist)

#2635 chore(package): update aws-sign2 to version 0.7.0 (#2635) (@greenkeeperio-bot)

#2641 Update README to simplify & update convenience methods (#2641) (@FredKSchott)

#2541 Add convenience method for HTTP OPTIONS (#2541) (@jamesseanwright)

#2605 Add promise support section to README (#2605) (@FredKSchott)

#2579 refactor(lint): replace eslint with standard (#2579) (@ahmadnassri)

#2598 Update codecov to version 2.0.2 🚀 (@greenkeeperio-bot)

#2590 Adds test-timing keepAlive test (@nicjansma)

#2589 fix tabulation on request example README.MD (@odykyi)

#2594 chore(dependencies): har-validator to 5.x [removes babel dep] (@ahmadnassri)

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 5 updates in the /workshop/VulnerableAppTwo directory: | Package | From | To | | --- | --- | --- | | [express](https://github.com/expressjs/express) | `4.16.0` | `4.20.0` | | [lodash](https://github.com/lodash/lodash) | `4.17.10` | `4.17.21` | | [marked](https://github.com/markedjs/marked) | `0.3.6` | `4.0.10` | | [mongoose](https://github.com/Automattic/mongoose) | `5.0.16` | `5.13.20` | | [request](https://github.com/request/request) | `2.81.0` | `2.88.2` | Updates `express` from 4.16.0 to 4.20.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@4.16.0...4.20.0) Updates `lodash` from 4.17.10 to 4.17.21 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.10...4.17.21) Updates `marked` from 0.3.6 to 4.0.10 - [Release notes](https://github.com/markedjs/marked/releases) - [Changelog](https://github.com/markedjs/marked/blob/master/.releaserc.json) - [Commits](markedjs/marked@v0.3.6...v4.0.10) Updates `mongoose` from 5.0.16 to 5.13.20 - [Release notes](https://github.com/Automattic/mongoose/releases) - [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md) - [Commits](Automattic/mongoose@5.0.16...5.13.20) Updates `request` from 2.81.0 to 2.88.2 - [Changelog](https://github.com/request/request/blob/master/CHANGELOG.md) - [Commits](https://github.com/request/request/commits) --- updated-dependencies: - dependency-name: express dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: lodash dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: marked dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: mongoose dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: request dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label Sep 10, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 1 directory with 5 updates #7

Bump the npm_and_yarn group across 1 directory with 5 updates #7

dependabot bot commented on behalf of github Sep 10, 2024

Bump the npm_and_yarn group across 1 directory with 5 updates #7

Are you sure you want to change the base?

Bump the npm_and_yarn group across 1 directory with 5 updates #7

Conversation

dependabot bot commented on behalf of github Sep 10, 2024

4.20.0

What's Changed

Important

Other Changes

New Contributors

4.20.0 / 2024-09-10

4.19.2 / 2024-03-25

4.19.1 / 2024-03-20

4.19.0 / 2024-03-20

4.18.3 / 2024-02-29

4.18.2 / 2022-10-08

v4.0.10

4.0.10 (2022-01-13)

Bug Fixes

v4.0.9

4.0.9 (2022-01-06)

Bug Fixes

v4.0.8

4.0.8 (2021-12-19)

Bug Fixes

v4.0.7

4.0.7 (2021-12-09)

Bug Fixes

v4.0.6

4.0.6 (2021-12-02)

Bug Fixes

v4.0.5

4.0.5 (2021-11-25)

Bug Fixes

v4.0.4

4.0.4 (2021-11-19)

8.6.1 / 2024-09-03

8.6.0 / 2024-08-28

8.5.5 / 2024-08-28

8.5.4 / 2024-08-23

7.8.1 / 2024-08-19

8.5.3 / 2024-08-13

8.5.2 / 2024-07-30

Change Log

v2.88.0 (2018/08/10)

v2.87.0 (2018/05/21)

v2.86.0 (2018/05/15)

v2.85.0 (2018/03/12)

v2.84.0 (2018/03/12)

v2.83.0 (2017/09/27)

v2.82.0 (2017/09/19)