@dependabot dependabot bot commented on behalf of github Dec 12, 2024

Bumps the npm_and_yarn group with 19 updates:

| Package | From | To |
| --- | --- | --- |
| braces | 3.0.2 | 3.0.3 |
| browserify-sign | 4.2.1 | 4.2.3 |
| cross-spawn | 7.0.3 | 7.0.6 |
| elliptic | 6.5.4 | 6.6.1 |
| express | 4.18.2 | 4.21.2 |
| fast-loops | 1.1.3 | 1.1.4 |
| follow-redirects | 1.15.2 | 1.15.9 |
| http-proxy-middleware | 2.0.6 | 2.0.7 |
| markdown-to-jsx | 7.2.0 | 7.7.1 |
| micromatch | 4.0.5 | 4.0.8 |
| path-to-regexp | 0.1.7 | 0.1.12 |
| postcss | 8.4.23 | 8.4.49 |
| semver | 6.3.0 | 6.3.1 |
| send | 0.18.0 | 0.19.0 |
| serve-static | 1.15.0 | 1.16.2 |
| tar | 6.1.14 | 6.2.1 |
| webpack | 5.91.0 | 5.97.1 |
| word-wrap | 1.2.3 | 1.2.5 |
| ws | 7.5.9 | 7.5.10 |

Updates braces from 3.0.2 to 3.0.3

Commits

Updates browserify-sign from 4.2.1 to 4.2.3

Changelog

Sourced from browserify-sign's changelog.

v4.2.3 - 2024-03-05

Commits

v4.2.2 - 2023-10-25

Fixed

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2
  • [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
  • [Dev Deps] update nyc, standard, tape cc5350b
  • [Tests] always run coverage; downgrade nyc 75ce1d5
  • [meta] add safe-publish-latest dcf49ce
  • [Tests] add npm run posttest 75dd8fd
  • [Dev Deps] update tape 3aec038
  • [Tests] skip unsupported schemes 703c83e
  • [Tests] node < 6 lacks array includes 3aa43cf
  • [Dev Deps] fix eslint range 98d4e0d
Commits
  • bf2c3ec v4.2.3
  • 9247adf [patch] widen support to 0.12
  • f427270 [Deps] update `parse-asn1`
  • 87f3a35 [Dev Deps] update aud, npmignore, tape
  • fb261ce [Deps] update elliptic
  • 4d0ee49 [patch] drop minimum node support to v1
  • 9e2bf12 [Deps] pin hash-base to ~3.0, due to a breaking change
  • 168e16f [Deps] pin elliptic due to a breaking change
  • 37a4758 [actions] remove redundant finisher
  • 4af5a90 v4.2.2
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.


Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

  • update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

  • fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

Commits
  • 77cd97f chore(release): 7.0.6
  • 6717de4 chore: upgrade standard-version
  • f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
  • 9a7e3b2 chore: fix build status badge
  • 0852683 chore(release): 7.0.5
  • 640d391 fix: fix escaping bug introduced by backtracking
  • bff0c87 chore: remove codecov
  • a7c6abc chore: replace travis with github workflows
  • 9b9246e chore(release): 7.0.4
  • 5ff3a07 fix: disable regexp backtracking (#160)
  • Additional commits viewable in compare view

Updates elliptic from 6.5.4 to 6.6.1

Commits

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


Updates fast-loops from 1.1.3 to 1.1.4

Commits

Updates follow-redirects from 1.15.2 to 1.15.9

Commits
  • e4e55c7 Release version 1.15.9 of the npm package.
  • 31a1abf Attempt much more gentle detection.
  • d2aaa97 Fix url field.
  • 62558f0 Release version 1.15.8 of the npm package.
  • a8d1cee Return subtlety.
  • 458ca8e Fix native URL test for Node 20.
  • ca49e44 Handle KeepAlive connections in tests.
  • f3711d7 Test on Node 20 and 22.
  • fda0faf Fix typo.
  • 760757f Release version 1.15.7 of the npm package.
  • Additional commits viewable in compare view

Updates http-proxy-middleware from 2.0.6 to 2.0.7

Release notes

Sourced from http-proxy-middleware's releases.

v2.0.7

Full Changelog: chimurai/http-proxy-middleware@v2.0.6...v2.0.7

v2.0.7-beta.1

Full Changelog: chimurai/http-proxy-middleware@v2.0.7-beta.0...v2.0.7-beta.1

v2.0.7-beta.0

Full Changelog: chimurai/http-proxy-middleware@v2.0.6...v2.0.7-beta.0

Changelog

Sourced from http-proxy-middleware's changelog.

v2.0.7

  • ci(github actions): add publish.yml
  • fix(filter): handle errors
Commits

Updates markdown-to-jsx from 7.2.0 to 7.7.1

Release notes

Sourced from markdown-to-jsx's releases.

v7.7.1

Patch Changes

  • 9d42449: Factor out unnecessary element cloning.
  • 8920038: Remove use of explicit React.createElement.

v7.7.0

Minor Changes

  • 20777bf: Add support for GFM alert-style blockquotes.

    > [!Note]
    > This is a note-flavored alert blockquote. The "Note" text is injected as a `<header>` by
    > default and the blockquote can be styled via the injected class `markdown-alert-note`
    > for example.

Patch Changes

  • 5d7900b: Adjust type signature for <Markdown> component to allow for easier composition.
  • 918b44b: Use newer React.JSX.* namespace instead of JSX.* for React 19 compatibility.
  • 91a5948: Arbitrary HTML no longer punches out pipes when parsing rows. If you absolutely need a pipe character that isn't a table separator, either escape it or enclose it in backticks to trigger inline code handling.
  • 23caecb: Drop encountered ref attributes when processing inline HTML, React doesn't handle it well.

v7.6.2

Patch Changes

  • 0274445: Fix false detection of tables in some scenarios.
  • 69f815e: Handle class attribute from arbitrary HTML properly to avoid React warnings.
  • 857809a: Fenced code blocks are now tolerant to a missing closing sequence; this improves use in LLM scenarios where the code block markdown is being streamed into the editor in chunks.

v7.6.1

Patch Changes

  • 87d8bd3: Handle class attribute from arbitrary HTML properly to avoid React warnings.

v7.6.0

Minor Changes

  • 2281a4d: Add options.disableAutoLink to customize bare URL handling behavior.

    By default, bare URLs in the markdown document will be converted into an anchor tag. This behavior can be disabled if desired.

    <Markdown options={{ disableAutoLink: true }}>
      The URL https://quantizor.dev will not be rendered as an anchor tag.
    </Markdown>
    // or

... (truncated)

Changelog

Sourced from markdown-to-jsx's changelog.

7.7.1

Patch Changes

  • 9d42449: Factor out unnecessary element cloning.
  • 8920038: Remove use of explicit React.createElement.

7.7.0

Minor Changes

  • 20777bf: Add support for GFM alert-style blockquotes.

    > [!Note]
    > This is a note-flavored alert blockquote. The "Note" text is injected as a `<header>` by
    > default and the blockquote can be styled via the injected class `markdown-alert-note`
    > for example.

Patch Changes

  • 5d7900b: Adjust type signature for <Markdown> component to allow for easier composition.
  • 918b44b: Use newer React.JSX.* namespace instead of JSX.* for React 19 compatibility.
  • 91a5948: Arbitrary HTML no longer punches out pipes when parsing rows. If you absolutely need a pipe character that isn't a table separator, either escape it or enclose it in backticks to trigger inline code handling.
  • 23caecb: Drop encountered ref attributes when processing inline HTML, React doesn't handle it well.

7.6.2

Patch Changes

  • 0274445: Fix false detection of tables in some scenarios.
  • 69f815e: Handle class attribute from arbitrary HTML properly to avoid React warnings.
  • 857809a: Fenced code blocks are now tolerant to a missing closing sequence; this improves use in LLM scenarios where the code block markdown is being streamed into the editor in chunks.

7.6.1

Patch Changes

  • 87d8bd3: Handle class attribute from arbitrary HTML properly to avoid React warnings.

7.6.0

Minor Changes

  • 2281a4d: Add options.disableAutoLink to customize bare URL handling behavior.

    By default, bare URLs in the markdown document will be converted into an anchor tag. This behavior can be disabled if desired.

... (truncated)

Commits

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

[4.0.7] - 2024-05-22

  • this is basically v4.0.5, with some README updates
  • it is vulnerable to CVE-2024-4067
  • Updated braces to v3.0.3 to avoid CVE-2024-4068
  • does NOT break API compatibility

[4.0.6] - 2024-05-21

  • Added hasBraces to check if a pattern contains braces.
  • Fixes CVE-2024-4067
  • BREAKS API COMPATIBILITY
  • Should be labeled as a major release, but it's not.
Commits

Updates path-to-regexp from 0.1.7 to 0.1.12

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking (again)

Fixed

  • Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

  • Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

  • Add backtrack protection to parameters 29b96b4
    • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

  • Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

  • Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

Updates postcss from 8.4.23 to 8.4.49

Release notes

Sourced from postcss's releases.

8.4.49

8.4.48

  • Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

  • Removed debug code.

8.4.46

  • Fixed Cannot read properties of undefined (reading 'before').

8.4.45

  • Removed unnecessary fix which could lead to infinite loop.

8.4.44

  • Another way to fix markClean is not a function error.

8.4.43

  • Fixed markClean is not a function error.

8.4.42

  • Fixed CSS syntax error on long minified files (by @varpstar).

8.4.41

8.4.40

  • Moved to getter/setter in nodes types to help Sass team (by @nex3).

8.4.39

8.4.38

8.4.37

  • Fixed original.column are not numbers error in another case.

8.4.36

  • Fixed original.column are not numbers error on broken previous source map.

8.4.35

  • Avoid ! in node.parent.nodes type.
  • Allow to pass undefined to node adding method to simplify types.

8.4.34

... (truncated)

Changelog

Sourced from postcss's changelog.

8.4.49

8.4.48

  • Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

  • Removed debug code.

8.4.46

  • Fixed Cannot read properties of undefined (reading 'before').

8.4.45

  • Removed unnecessary fix which could lead to infinite loop.

8.4.44

  • Another way to fix markClean is not a function error.

8.4.43

  • Fixed markClean is not a function error.

8.4.42

  • Fixed CSS syntax error on long minified files (by @varpstar).

8.4.41

8.4.40

  • Moved to getter/setter in nodes types to help Sass team (by @nex3).

8.4.39

8.4.38

8.4.37

  • Fixed original.column are not numbers error in another case.

8.4.36

  • Fixed original.column are not numbers error on broken previous source map.

8.4.35

  • Avoid ! in node.parent.nodes type.
  • Allow to pass undefined to node adding method to simplify types.

8.4.34

  • Fixed AtRule#nodes type (by Tim Weißenfels).
  • Cleaned up code (by Dmitry Kirillov).

... (truncated)

Commits

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

6.2.0

  • Coerce numbers to strings when passed to semver.coerce()
  • Add rtl option to coerce from right to left

6.1.3

  • Handle X-ranges properly in includePrerelease mode

6.1.2

  • Do not throw when testing invalid version strings

6.1.1

  • Add options support for semver.coerce()
  • Handle undefined version passed to Range.test

6.1.0

  • Add semver.compareBuild function
  • Support * in semver.intersects

6.0

  • Fix intersects logic.

    This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

  • Add minVersion method

5.6

  • Move boolean loose param to an options object, with backwards-compatibility protection.
  • Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.


Updates send from 0.18.0 to 0.19.0

Release notes

Sourced from send's releases.

0.19.0

What's Changed

New Contributors

Full Changelog: pillarjs/send@0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.0 / 2024-09-10

  • Remove link renderization in html while redirecting
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.


Updates serve-static from 1.15.0 to 1.16.2

Release notes

Sourced from serve-static's releases.

1.16.0

What's Changed

New Contributors

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

Changelog

Sourced from serve-static's changelog.

1.16.2 / 2024-09-11

  • deps: encodeurl@~2.0.0

1.16.1 / 2024-09-11

  • deps: send@0.19.0

1.16.0 / 2024-09-10

  • Remove link renderization in html while redirecting
Commits
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for serve-static since your current version.


Updates tar from 6.1.14 to 6.2.1

Changelog

Sourced from tar's changelog.

Changelog

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

  • Add support for brotli compression
  • Add maxDepth option to prevent extraction into excessively deep folders.

6.1

  • remove dead link to benchmarks (#313) (@yetzt)
  • add examples/explanation of using tar.t (@isaacs)
  • ensure close event is emitted after stream has ended (@webark)

... (truncated)

Commits
  • bef7b1e 6.2.1
  • fe8cd57 prevent extraction in excessively deep subfolders
  • fe7ebfd remove security.md
  • 5bc9d40 6.2.0
  • fe1ef5e changelog 6.2
  • e483220 get rid of npm lint stuff
  • 689928a ci that works outside of npm org
  • db6f539 file inference improvements for .tbr and .tgz
  • 336fa8f refactor: dry and other pr comments
  • eeba222 chore: lint fixes
  • Additional c...

    Description has been truncated

Bumps the npm_and_yarn group with 19 updates:

| Package | From | To |
| --- | --- | --- |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.2.1` | `4.2.3` |
| [cross-spawn](https://github.com/moxystudio/node-cross-spawn) | `7.0.3` | `7.0.6` |
| [elliptic](https://github.com/indutny/elliptic) | `6.5.4` | `6.6.1` |
| [express](https://github.com/expressjs/express) | `4.18.2` | `4.21.2` |
| [fast-loops](https://github.com/robinweser/fast-loops) | `1.1.3` | `1.1.4` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.2` | `1.15.9` |
| [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) | `2.0.6` | `2.0.7` |
| [markdown-to-jsx](https://github.com/quantizor/markdown-to-jsx) | `7.2.0` | `7.7.1` |
| [micromatch](https://github.com/micromatch/micromatch) | `4.0.5` | `4.0.8` |
| [path-to-regexp](https://github.com/pillarjs/path-to-regexp) | `0.1.7` | `0.1.12` |
| [postcss](https://github.com/postcss/postcss) | `8.4.23` | `8.4.49` |
| [semver](https://github.com/npm/node-semver) | `6.3.0` | `6.3.1` |
| [send](https://github.com/pillarjs/send) | `0.18.0` | `0.19.0` |
| [serve-static](https://github.com/expressjs/serve-static) | `1.15.0` | `1.16.2` |
| [tar](https://github.com/isaacs/node-tar) | `6.1.14` | `6.2.1` |
| [webpack](https://github.com/webpack/webpack) | `5.91.0` | `5.97.1` |
| [word-wrap](https://github.com/jonschlinkert/word-wrap) | `1.2.3` | `1.2.5` |
| [ws](https://github.com/websockets/ws) | `7.5.9` | `7.5.10` |


Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `browserify-sign` from 4.2.1 to 4.2.3
- [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md)
- [Commits](browserify/browserify-sign@v4.2.1...v4.2.3)

Updates `cross-spawn` from 7.0.3 to 7.0.6
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md)
- [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6)

Updates `elliptic` from 6.5.4 to 6.6.1
- [Commits](indutny/elliptic@v6.5.4...v6.6.1)

Updates `express` from 4.18.2 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](expressjs/express@4.18.2...4.21.2)

Updates `fast-loops` from 1.1.3 to 1.1.4
- [Commits](https://github.com/robinweser/fast-loops/commits)

Updates `follow-redirects` from 1.15.2 to 1.15.9
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.2...v1.15.9)

Updates `http-proxy-middleware` from 2.0.6 to 2.0.7
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.7/CHANGELOG.md)
- [Commits](chimurai/http-proxy-middleware@v2.0.6...v2.0.7)

Updates `markdown-to-jsx` from 7.2.0 to 7.7.1
- [Release notes](https://github.com/quantizor/markdown-to-jsx/releases)
- [Changelog](https://github.com/quantizor/markdown-to-jsx/blob/main/CHANGELOG.md)
- [Commits](quantizor/markdown-to-jsx@v7.2.0...v7.7.1)

Updates `micromatch` from 4.0.5 to 4.0.8
- [Release notes](https://github.com/micromatch/micromatch/releases)
- [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/micromatch@4.0.5...4.0.8)

Updates `path-to-regexp` from 0.1.7 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v0.1.7...v0.1.12)

Updates `postcss` from 8.4.23 to 8.4.49
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.23...8.4.49)

Updates `semver` from 6.3.0 to 6.3.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md)
- [Commits](npm/node-semver@v6.3.0...v6.3.1)

Updates `send` from 0.18.0 to 0.19.0
- [Release notes](https://github.com/pillarjs/send/releases)
- [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md)
- [Commits](pillarjs/send@0.18.0...0.19.0)

Updates `serve-static` from 1.15.0 to 1.16.2
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/v1.16.2/HISTORY.md)
- [Commits](expressjs/serve-static@v1.15.0...v1.16.2)

Updates `tar` from 6.1.14 to 6.2.1
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.14...v6.2.1)

Updates `webpack` from 5.91.0 to 5.97.1
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v5.91.0...v5.97.1)

Updates `word-wrap` from 1.2.3 to 1.2.5
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](jonschlinkert/word-wrap@1.2.3...1.2.5)

Updates `ws` from 7.5.9 to 7.5.10
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.5.9...7.5.10)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: browserify-sign
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cross-spawn
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: elliptic
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-loops
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: http-proxy-middleware
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: markdown-to-jsx
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: micromatch
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: send
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: word-wrap
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
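
The path-to-regexp bump above (0.1.7 to 0.1.12, advisory GHSA-9wv6-86v2-598j) is the item in this group most worth understanding, because the 0.1.x line is what Express 4 uses for every route. The following is an added example, not code from this PR, from Express or from path-to-regexp. `VULNERABLE` is the regex shape the advisory gives for a 0.1.x route with two parameters in one segment (`/:a-:b`); `HARDENED` is one linear-time alternative chosen for this example (the first parameter may not contain the separator) and is an assumption, not the regex that 0.1.10 or 0.1.12 actually emit. `hasRiskyParamPair` is a hypothetical route-audit helper for the trigger condition the advisory describes.

```javascript
// Added example; not code from the PR, from Express or from path-to-regexp.
// VULNERABLE is the regex shape the advisory GHSA-9wv6-86v2-598j gives for a
// 0.1.x route with two parameters in one segment ("/:a-:b"); HARDENED is one
// linear-time alternative chosen for this example (the first parameter may not
// contain the separator), not the exact regex 0.1.12 emits.
const VULNERABLE = /^\/([^\/]+?)-([^\/]+?)\/?$/i;
const HARDENED = /^\/([^\/-]+?)-([^\/]+?)\/?$/i;

// Adversarial path "/a-a-a-...-a/a": the trailing "/a" makes the whole match
// fail, so a backtracking engine must try every way of splitting the n
// separators between the two lazy groups before giving up (O(n^2) work).
function adversarialPath(n) {
  return '/a' + '-a'.repeat(n) + '/a';
}

// Route parameters as Express would expose them in req.params, or null.
function matchParams(re, path) {
  const m = re.exec(path);
  return m ? { a: m[1], b: m[2] } : null;
}

// Wall-clock cost of one match attempt, in milliseconds.
function timeMs(re, path) {
  const t0 = performance.now();
  re.test(path);
  return performance.now() - t0;
}

// Static audit for a route table (hypothetical helper): true when a single
// path segment holds two ":param" tokens joined by something other than a
// period, which is the trigger condition the advisory describes.
// Period-separated pairs such as "/:name.:ext" are not flagged.
function hasRiskyParamPair(route) {
  const pair = /:[A-Za-z0-9_]+[^.\/:A-Za-z0-9_]+:[A-Za-z0-9_]+/;
  return route.split('/').some((segment) => pair.test(segment));
}

// Demo: both patterns agree on well-formed paths; only the lazy/lazy one
// grows quadratically on the adversarial input as n grows.
for (const n of [500, 1000, 2000]) {
  const path = adversarialPath(n);
  console.log(
    `n=${n}: vulnerable ${timeMs(VULNERABLE, path).toFixed(1)} ms, ` +
    `hardened ${timeMs(HARDENED, path).toFixed(1)} ms`
  );
}
console.log(matchParams(VULNERABLE, '/foo-bar'), matchParams(HARDENED, '/foo-bar'));
console.log(['/:a-:b', '/:name.:ext', '/users/:id'].map(hasRiskyParamPair));
```

Run it with `node` and raise `n` to see the quadratic curve; the same request shape sent at an Express 4.18 route such as `/:from-:to` ties up the event loop for the whole match, which is the denial of service the advisory covers. The hardened pattern is a trade-off of the same kind the 0.1.12 release notes warn about: it rejects a first parameter that itself contains `-`, so route tables need to be checked for callers that relied on that.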
@socket-security

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Package | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- |
| npm/@types/eslint-scope@3.7.7 | None | +1 | 32 kB | types |
| npm/@types/estree@1.0.6 | None | 0 | 25.8 kB | types |
| npm/@webassemblyjs/ast@1.14.1 | None | 0 | 207 kB | xtuc |
| npm/@webassemblyjs/floating-point-hex-parser@1.13.2 | None | 0 | 6.37 kB | xtuc |
| npm/@webassemblyjs/helper-api-error@1.13.2 | None | 0 | 11.3 kB | xtuc |
| npm/@webassemblyjs/helper-buffer@1.14.1 | None | 0 | 10.8 kB | xtuc |
| npm/@webassemblyjs/helper-numbers@1.13.2 | None | 0 | 10.5 kB | xtuc |
| npm/@webassemblyjs/helper-wasm-bytecode@1.13.2 | None | 0 | 34.2 kB | xtuc |
| npm/@webassemblyjs/helper-wasm-section@1.14.1 | None | 0 | 19.7 kB | xtuc |
| npm/@webassemblyjs/ieee754@1.13.2 | None | 0 | 5.34 kB | xtuc |
| npm/@webassemblyjs/leb128@1.13.2 | None | 0 | 48.5 kB | xtuc |
| npm/@webassemblyjs/utf8@1.13.2 | None | 0 | 12.3 kB | xtuc |
| npm/@webassemblyjs/wasm-edit@1.14.1 | None | +1 | 172 kB | xtuc |
| npm/@webassemblyjs/wasm-gen@1.14.1 | None | 0 | 28.1 kB | xtuc |
| npm/@webassemblyjs/wasm-opt@1.14.1 | None | 0 | 14.4 kB | xtuc |
| npm/@webassemblyjs/wast-printer@1.14.1 | None | 0 | 39.6 kB | xtuc |
| npm/acorn@8.14.0 | None | 0 | 547 kB | marijn |
| npm/asn1.js@4.10.1 | unsafe | 0 | 46.6 kB | indutny |
| npm/body-parser@1.20.3 | network | +2 | 85.4 kB | ulisesgascon |
| npm/browserify-rsa@4.1.1 | None | 0 | 10.7 kB | cwmma, dcousens, indutny, ...2 more |
| npm/browserify-sign@4.2.3 | None | +4 | 71.9 kB | ljharb |
| npm/call-bound@1.0.2 | None | +3 | 44.3 kB | ljharb |
| npm/cookie@0.7.1 | None | 0 | 23.3 kB | blakeembrey |
| npm/cross-spawn@7.0.6 | environment, filesystem, shell | 0 | 16.1 kB | satazor |
| npm/define-data-property@1.1.4 | None | 0 | 30.9 kB | ljharb |
| npm/dunder-proto@1.0.0 | None | 0 | 11.8 kB | ljharb |
| npm/elliptic@6.6.1 | None | 0 | 120 kB | indutny |
| npm/encodeurl@2.0.0 | None | 0 | 6.98 kB | blakeembrey |
| npm/enhanced-resolve@5.17.1 | unsafe | 0 | 212 kB | evilebottnawi |
| npm/es-errors@1.3.0 | None | 0 | 12.3 kB | ljharb |
| npm/es-object-atoms@1.0.0 | None | 0 | 9.17 kB | ljharb |
| npm/express@4.21.2 | environment, filesystem, network | +4 | 260 kB | jonchurch |
| npm/fast-loops@1.1.4 | None | 0 | 32.6 kB | rofrischmann |
| npm/fill-range@7.1.1 | None | 0 | 16.7 kB | jonschlinkert |
| npm/finalhandler@1.3.1 | environment | +1 | 23.3 kB | wesleytodd |
| npm/follow-redirects@1.15.9 | network | 0 | 29.9 kB | rubenverborgh |
| npm/gopd@1.2.0 | None | 0 | 9.87 kB | ljharb |
| npm/hash-base@3.0.5 | None | 0 | 7.66 kB | cwmma, dcousens, fanatid, ...1 more |
| npm/hasown@2.0.2 | None | 0 | 8.77 kB | ljharb |
| npm/http-proxy-middleware@2.0.7 | network | +1 | 68.1 kB | chimurai |
| npm/markdown-to-jsx@7.7.1 | None | 0 | 490 kB | probablyup |
| npm/math-intrinsics@1.0.0 | None | 0 | 16.5 kB | ljharb |
| npm/merge-descriptors@1.0.3 | None | 0 | 5.08 kB | sindresorhus |
| npm/micromatch@4.0.8 | None | +1 | 101 kB | doowb |
| npm/object-inspect@1.13.3 | None | 0 | 101 kB | emilbayes, ljharb |
| npm/parse-asn1@5.1.7 | None | 0 | 24.7 kB | ljharb |
| npm/qs@6.13.0 | None | 0 | 254 kB | ljharb |
| npm/raw-body@2.5.2 | network, unsafe | 0 | 25.8 kB | dougwilson |
| npm/semver@7.6.2 | None | 0 | 95.4 kB | npm-cli-ops |
| npm/send@0.19.0 | filesystem, network | +2 | 64.8 kB | ulisesgascon |
| npm/serve-static@1.16.2 | None | 0 | 25.4 kB | wesleytodd |
| npm/set-function-length@1.2.2 | None | +1 | 25.7 kB | ljharb |
| npm/side-channel-list@1.0.0 | None | 0 | 14.7 kB | ljharb |
| npm/side-channel-map@1.0.1 | None | +3 | 113 kB | ljharb |
| npm/side-channel-weakmap@1.0.2 | None | 0 | 14.7 kB | ljharb |
| npm/side-channel@1.1.0 | None | 0 | 0 B | |
| npm/source-map-js@1.2.1 | None | 0 | 140 kB | 7rulnik |
| npm/tar@6.2.1 | environment, filesystem | +2 | 251 kB | isaacs |
| npm/webpack@5.97.1 | environment, filesystem, network, unsafe; Transitive: shell | +8 | 5.43 MB | evilebottnawi |
| npm/word-wrap@1.2.5 | None | 0 | 11.8 kB | jonschlinkert |
| npm/ws@7.5.10 | network | 0 | 122 kB | lpinca |

🚮 Removed packages: npm/@types/eslint-scope@3.7.4, npm/@types/estree@1.0.5, npm/@webassemblyjs/ast@1.12.1, npm/@webassemblyjs/floating-point-hex-parser@1.11.6, npm/@webassemblyjs/helper-api-error@1.11.6, npm/@webassemblyjs/helper-buffer@1.12.1, npm/@webassemblyjs/helper-numbers@1.11.6, npm/@webassemblyjs/helper-wasm-bytecode@1.11.6, npm/@webassemblyjs/helper-wasm-section@1.12.1, npm/@webassemblyjs/ieee754@1.11.6, npm/@webassemblyjs/leb128@1.11.6, npm/@webassemblyjs/utf8@1.11.6, npm/@webassemblyjs/wasm-edit@1.12.1, npm/@webassemblyjs/wasm-gen@1.12.1, npm/@webassemblyjs/wasm-opt@1.12.1, npm/@webassemblyjs/wast-printer@1.12.1, npm/acorn-import-assertions@1.9.0, npm/body-parser@1.20.1, npm/browserify-sign@4.2.1, npm/cookie@0.5.0, npm/cross-spawn@7.0.3, npm/elliptic@6.5.4, npm/enhanced-resolve@5.16.0, npm/express@4.18.2, npm/fast-loops@1.1.3, npm/fill-range@7.0.1, npm/finalhandler@1.2.0, npm/follow-redirects@1.15.2, npm/gopd@1.0.1, npm/hash-base@3.1.0, npm/http-proxy-middleware@2.0.6, npm/lru-cache@6.0.0, npm/markdown-to-jsx@7.2.0, npm/merge-descriptors@1.0.1, npm/micromatch@4.0.5, npm/object-inspect@1.12.3, npm/qs@6.11.0, npm/raw-body@2.5.1, npm/semver@7.6.0, npm/send@0.18.0, npm/serve-static@1.15.0, npm/side-channel@1.0.4, npm/source-map-js@1.2.0, npm/tar@6.1.14, npm/webpack@5.91.0, npm/word-wrap@1.2.3, npm/ws@7.5.9

View full report↗︎

@socket-security

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

| Alert | Package | Note | Source | CI |
| --- | --- | --- | --- | --- |
| New author | npm/parse-asn1@5.1.7 | | | 🚫 |
| New author | npm/encodeurl@2.0.0 | | | 🚫 |
| New author | npm/body-parser@1.20.3 | | | 🚫 |
| New author | npm/send@0.19.0 | | | 🚫 |
| New author | npm/express@4.21.2 | | | 🚫 |
| Unstable ownership | npm/express@4.21.2 | | | 🚫 |
| Unstable ownership | npm/call-bound@1.0.2 | | | 🚫 |

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is unstable ownership?

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated.

Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/parse-asn1@5.1.7
  • @SocketSecurity ignore npm/encodeurl@2.0.0
  • @SocketSecurity ignore npm/body-parser@1.20.3
  • @SocketSecurity ignore npm/send@0.19.0
  • @SocketSecurity ignore npm/express@4.21.2
  • @SocketSecurity ignore npm/call-bound@1.0.2
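
The "new author" alerts above come down to one question the registry can answer directly: did anyone publish a version of this package inside the bump range who had never published it before? The following is an added example, not Socket's code and not part of this PR, that reproduces that check offline from npm registry metadata so it can run in CI without a third-party service. `EXPRESS_PACKUMENT` is constructed for the example: only its shape (`versions[v]._npmUser.name`, as returned by `GET https://registry.npmjs.org/<name>`) is real, and apart from `jonchurch`, whom the Dependabot comment names as the releaser of express 4.21.2, the user names are placeholders rather than real express publishers.

```javascript
// Added example; not Socket's code and not part of the PR. A publisher is
// "new" for a bump from `from` to `to` if they published a version inside
// (from, to] and never published any version <= from.
// EXPRESS_PACKUMENT is CONSTRUCTED: only the field shape matches the real
// registry packument; user names other than "jonchurch" are placeholders.
const EXPRESS_PACKUMENT = {
  name: 'express',
  versions: {
    '4.18.2': { _npmUser: { name: 'releaser-a' } },
    '4.19.2': { _npmUser: { name: 'releaser-a' } },
    '4.20.0': { _npmUser: { name: 'releaser-b' } },
    '4.21.0': { _npmUser: { name: 'releaser-b' } },
    '4.21.2': { _npmUser: { name: 'jonchurch' } },
    '5.0.0-beta.1': { _npmUser: { name: 'releaser-c' } },
    '5.0.0': { _npmUser: { name: 'releaser-c' } },
  },
};

// Minimal semver ordering: numeric major.minor.patch, and a prerelease sorts
// before its own release. Finer prerelease ordering is deliberately ignored.
function compareVersions(a, b) {
  const [ca, pa] = a.split('-');
  const [cb, pb] = b.split('-');
  const na = ca.split('.').map(Number);
  const nb = cb.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (na[i] !== nb[i]) return na[i] - nb[i];
  }
  if (pa && !pb) return -1;
  if (!pa && pb) return 1;
  return 0;
}

// Publishers first seen strictly after `from` and no later than `to`, each
// with the first version they pushed in that range, in version order.
function newReleasers(packument, from, to) {
  const versions = Object.keys(packument.versions).sort(compareVersions);
  const seenBefore = new Set();
  const firstSeen = new Map();
  for (const v of versions) {
    const meta = packument.versions[v];
    const user = meta._npmUser && meta._npmUser.name;
    if (!user) continue; // no publisher recorded: nothing to attribute
    if (compareVersions(v, from) <= 0) {
      seenBefore.add(user);
    } else if (compareVersions(v, to) <= 0 && !seenBefore.has(user) && !firstSeen.has(user)) {
      firstSeen.set(user, v);
    }
  }
  return [...firstSeen].map(([user, version]) => ({ user, version }));
}

// One line per finding, in the style of the bot comment above.
function report(packument, from, to) {
  return newReleasers(packument, from, to).map(
    ({ user, version }) => `New author: npm/${packument.name}@${version} published by ${user}`
  );
}

console.log(report(EXPRESS_PACKUMENT, '4.18.2', '4.21.2').join('\n'));
```

To run it against real data, fetch the full packument for each package in the lockfile diff (`https://registry.npmjs.org/<name>`, JSON) and pass the parsed object with the old and new versions from the lockfile; a non-empty result is the same signal the bot raises and can be gated in CI in the same way. The check is only as good as the `_npmUser` records the registry holds, so treat a version with no publisher as unknown rather than as safe.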

Labels

dependencies Pull requests that update a dependency file