Skip to content

Bump the npm_and_yarn group across 1 directory with 8 updates#752

Merged
yeasy merged 2 commits into
mainfrom
dependabot/npm_and_yarn/src/dashboard/npm_and_yarn-7a791d2a53
Jun 30, 2026
Merged

Bump the npm_and_yarn group across 1 directory with 8 updates#752
yeasy merged 2 commits into
mainfrom
dependabot/npm_and_yarn/src/dashboard/npm_and_yarn-7a791d2a53

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Feb 28, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 8 updates in the /src/dashboard directory:

Package From To
body-parser 2.2.0 2.2.1
express 5.1.0 5.2.0
lodash 4.17.21 4.18.1
qs 6.14.0 6.15.2
validator 13.15.15 13.15.22
jws 3.2.2 3.2.3
min-document 2.19.0 2.19.2
sha.js 2.4.11 2.4.12

Updates body-parser from 2.2.0 to 2.2.1

Release notes

Sourced from body-parser's releases.

v2.2.1

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.1 / 2025-11-24

  • Security fix for GHSA-wqch-xfxh-vrr4
  • deps:
    • type-is@^2.0.1
    • iconv-lite@^0.7.0
      • Handle split surrogate pairs when encoding UTF-8
      • Avoid false positives in encodingExists by using prototype-less objects
    • raw-body@^3.0.1
    • debug@^4.4.3
Commits
  • d96b63d 2.2.1 (#659)
  • b204886 sec: security patch for CVE-2025-13466
  • e20e351 feat: remove history.md from being packaged on publish (#660)
  • 0d7ce71 docs: switch badges from badgen.net to shields.io (#661)
  • 168afff ci: also test on first supported node.js version (#646)
  • e539a71 build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#654)
  • 9391612 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#655)
  • 57baafb build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#656)
  • a6a088e build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#657)
  • 10a114d test: add test for urlencoded invalid defaultCharset (#643)
  • Additional commits viewable in compare view

Updates express from 5.1.0 to 5.2.0

Release notes

Sourced from express's releases.

v5.2.0

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.2.0 / 2025-12-01

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.
Commits

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

  • Add security notice for _.template in threat model and API docs (#6099)
  • Document lower > upper behavior in _.random (#6115)
  • Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

Commits
  • cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
  • 75535f5 chore: prune stale advisory refs (#6170)
  • 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
  • 59be2de release(minor): bump to 4.18.0 (#6161)
  • af63457 fix: broken tests for _.template 879aaa9
  • 1073a76 fix: linting issues
  • 879aaa9 fix: validate imports keys in _.template
  • fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
  • 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
  • b819080 ci: add dist sync validation workflow (#6137)
  • Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect
Commits
  • 9aca407 v6.15.2
  • 5e33d33 [Dev Deps] update @ljharb/eslint-config
  • 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
  • a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
  • e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
  • 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
  • 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
  • 96755ab [readme] fix grammar
  • a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
  • 3f5e1c5 v6.15.1
  • Additional commits viewable in compare view

Updates validator from 13.15.15 to 13.15.22

Release notes

Sourced from validator's releases.

13.15.22

Fixes, New Locales and Enhancements

New Contributors

Full Changelog: validatorjs/validator.js@13.15.20...13.15.22

13.15.20

Fixes, New Locales and Enhancements

New Contributors

Full Changelog: validatorjs/validator.js@13.15.15...13.15.20

Changelog

Sourced from validator's changelog.

13.15.22

Fixes, New Locales and Enhancements

13.15.20

Fixes, New Locales and Enhancements

Commits
Maintainer changes

This version was pushed to npm by wikirik, a new releaser for validator since your current version.


Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v3.2.3

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.
Changelog

Sourced from jws's changelog.

[3.2.3]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

  • BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (6b6de48)

  • Code reorganization, thanks @​fearphage! (7880050)

Added

  • Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (6b6de48)
Commits
  • 4f6e73f Merge commit from fork
  • bd0fea5 version 3.2.3
  • 7c3b4b4 Enhance tests for HMAC streaming sign and verify
  • a9b8ed9 Improve secretOrKey initialization in VerifyStream
  • 6707fde Improve secret handling in SignStream
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.


Updates min-document from 2.19.0 to 2.19.2

Commits
  • 0d14150 2.19.2
  • 49c2e06 Merge pull request #56 from wasabina67/fix/prototype-pollution-removeAttribut...
  • 9666461 Fix prototype pollution vulnerability in removeAttributeNS
  • 4490b40 2.19.1
  • 2cd5871 update ignore
  • fe32e8d Merge pull request #55 from jameswassink/fix/prototype-pollution-removeAttrib...
  • 6c5f31a Better prototype pollution fix
  • 0d4e819 Fix prototype pollution in removeAttributeNS
  • bf7b691 Update package.json
  • 1b5402d Merge pull request #49 from PixnBits/patch-1
  • Additional commits viewable in compare view

Updates sha.js from 2.4.11 to 2.4.12

Changelog

Sourced from sha.js's changelog.

v2.4.12 - 2025-07-01

Commits

  • [eslint] switch to eslint 7acadfb
  • [meta] add auto-changelog b46e711
  • [eslint] fix package.json indentation df9d521
  • [Tests] migrate from travis to GHA c43c64a
  • [Fix] support multi-byte wide typed arrays f2a258e
  • [meta] reorder package.json d8d77c0
  • [meta] add npmignore 35aec35
  • [Tests] avoid console logs 73e33ae
  • [Tests] fix tests run in batch 2629130
  • [Tests] drop node requirement to 0.10 00c7f23
  • [Dev Deps] update buffer, hash-test-vectors, standard, tape, typedarray 92b5de5
  • [Tests] drop node requirement to v3 9b5eca8
  • [meta] set engines to &gt;= 4 807084c
  • Only apps should have lockfiles c72789c
  • [Deps] update inherits, safe-buffer 5428cfc
  • [Dev Deps] update @ljharb/eslint-config 2dbe0aa
  • update README to reflect LICENSE 8938256
  • [Dev Deps] add missing peer dep d528896
  • [Dev Deps] remove unused buffer dep 94ca724
Commits
  • eb4ea2f v2.4.12
  • d8d77c0 [meta] reorder package.json
  • df9d521 [eslint] fix package.json indentation
  • 35aec35 [meta] add npmignore
  • d528896 [Dev Deps] add missing peer dep
  • b46e711 [meta] add auto-changelog
  • 94ca724 [Dev Deps] remove unused buffer dep
  • 2dbe0aa [Dev Deps] update @ljharb/eslint-config
  • Description has been truncated

@dependabot dependabot Bot added Dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Feb 28, 2026
@ryjones

ryjones commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@ryjones ryjones requested a review from a team June 17, 2026 22:07
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/src/dashboard/npm_and_yarn-7a791d2a53 branch from 47be35e to 8c856de Compare June 17, 2026 22:07
@ryjones

ryjones commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

Bumps the npm_and_yarn group with 8 updates in the /src/dashboard directory:

| Package | From | To |
| --- | --- | --- |
| [body-parser](https://github.com/expressjs/body-parser) | `2.2.0` | `2.2.1` |
| [express](https://github.com/expressjs/express) | `5.1.0` | `5.2.0` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [qs](https://github.com/ljharb/qs) | `6.14.0` | `6.15.2` |
| [validator](https://github.com/validatorjs/validator.js) | `13.15.15` | `13.15.22` |
| [jws](https://github.com/brianloveswords/node-jws) | `3.2.2` | `3.2.3` |
| [min-document](https://github.com/Raynos/min-document) | `2.19.0` | `2.19.2` |
| [sha.js](https://github.com/crypto-browserify/sha.js) | `2.4.11` | `2.4.12` |



Updates `body-parser` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@v2.2.0...v2.2.1)

Updates `express` from 5.1.0 to 5.2.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@v5.1.0...v5.2.0)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `qs` from 6.14.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.0...v6.15.2)

Updates `validator` from 13.15.15 to 13.15.22
- [Release notes](https://github.com/validatorjs/validator.js/releases)
- [Changelog](https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md)
- [Commits](validatorjs/validator.js@13.15.15...13.15.22)

Updates `jws` from 3.2.2 to 3.2.3
- [Release notes](https://github.com/brianloveswords/node-jws/releases)
- [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jws@v3.2.2...v3.2.3)

Updates `min-document` from 2.19.0 to 2.19.2
- [Commits](Raynos/min-document@v2.19.0...v2.19.2)

Updates `sha.js` from 2.4.11 to 2.4.12
- [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md)
- [Commits](browserify/sha.js@v2.4.11...v2.4.12)

---
updated-dependencies:
- dependency-name: body-parser
  dependency-version: 2.2.1
  dependency-type: direct:production
- dependency-name: express
  dependency-version: 5.2.0
  dependency-type: direct:production
- dependency-name: jws
  dependency-version: 3.2.3
  dependency-type: indirect
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
- dependency-name: min-document
  dependency-version: 2.19.2
  dependency-type: indirect
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: direct:production
- dependency-name: sha.js
  dependency-version: 2.4.12
  dependency-type: indirect
- dependency-name: validator
  dependency-version: 13.15.22
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/src/dashboard/npm_and_yarn-7a791d2a53 branch from 8c856de to 49c9f22 Compare June 18, 2026 08:32
@yeasy yeasy enabled auto-merge June 30, 2026 12:01
@yeasy yeasy merged commit 8530cc0 into main Jun 30, 2026
6 checks passed
@yeasy yeasy deleted the dependabot/npm_and_yarn/src/dashboard/npm_and_yarn-7a791d2a53 branch June 30, 2026 12:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants