deps(nodegoat): bump the npm-minor-patch group in /NodeGoat with 18 updates by dependabot[bot] · Pull Request #8 · timothywarner-org/github-security-testbed

dependabot · 2025-12-06T02:38:17Z

Bumps the npm-minor-patch group in /NodeGoat with 18 updates:

Package	From	To
body-parser	`1.18.3`	`1.20.4`
csurf	`1.9.0`	`1.11.0`
dont-sniff-mimetype	`1.0.0`	`1.1.0`
express	`4.16.4`	`4.22.1`
express-session	`1.15.6`	`1.18.2`
marked	`0.3.5`	`0.8.2`
needle	`2.2.4`	`2.9.1`
serve-favicon	`2.5.0`	`2.5.1`
underscore	`1.9.1`	`1.13.7`
async	`2.6.1`	`2.6.4`
cross-env	`7.0.2`	`7.0.3`
cypress	`3.3.1`	`3.8.3`
grunt	`1.0.3`	`1.6.1`
grunt-cli	`1.3.2`	`1.4.3`
grunt-mocha-test	`0.12.7`	`0.13.3`
jshint	`2.12.0`	`2.13.6`
nodemon	`1.19.1`	`1.19.4`
zaproxy	`0.2.0`	`0.3.0`

Updates body-parser from 1.18.3 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

Remove redundant depth check by @blakeembrey in expressjs/body-parser#538

ci: add support for Node.js v23 by @Phillip9587 in expressjs/body-parser#553

ci: restore CI for 1.x branch by @bjohansebas in expressjs/body-parser#665

deps: qs@^6.14.0 by @bjohansebas in expressjs/body-parser#664

deps: use tilde notation and update certain dependencies by @Phillip9587 in expressjs/body-parser#668

chore: remove SECURITY.md by @Phillip9587 in expressjs/body-parser#669

ci: add CodeQL (SAST) by @Phillip9587 in expressjs/body-parser#670

Release: 1.20.4 by @UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to node@22.4.1 by @wesleytodd in expressjs/body-parser#527

deps: qs@6.12.3 by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

New Contributors

@inigomarquinez made their first contribution in expressjs/body-parser#522

@melikhov-dev made their first contribution in expressjs/body-parser#521

@bjohansebas made their first contribution in expressjs/body-parser#531

@UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

perf: skip value escaping when unnecessary

deps: raw-body@2.5.2

1.20.1

deps: qs@6.11.0

perf: remove unnecessary object clone

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

deps: qs@~6.14.0

deps: use tilde notation for dependencies

deps: http-errors@~2.0.1

deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

perf: skip value escaping when unnecessary

deps: raw-body@2.5.2

1.20.1 / 2022-10-06

deps: qs@6.11.0

perf: remove unnecessary object clone

1.20.0 / 2022-04-02

Fix error message for json parse whitespace in strict

Fix internal error when inflated body exceeds limit

Prevent loss of async hooks context

Prevent hanging when request already read

deps: depd@2.0.0

Replace internal eval usage with Function constructor

Use instance methods on process to check for listeners

deps: http-errors@2.0.0

deps: depd@2.0.0

deps: statuses@2.0.1

deps: on-finished@2.4.1

deps: qs@6.10.3

deps: raw-body@2.5.1

deps: http-errors@2.0.0

1.19.2 / 2022-02-15

... (truncated)

Commits

7db202c 1.20.4 (#672)
d8f8adb ci: add CodeQL (SAST) (#670)
6d133c1 chore: remove SECURITY.md (#669)
fcd1535 deps: use tilde notation and update certain dependencies (#668)
ec5fa29 deps: qs@~6.14.0 (#664)
ffb95c1 ci: restore CI for 1.x branch (#665)
48a5f07 ci: add support for Node.js v23 (#553)
f20f6ad Remove redundant depth check (#538)
1752951 1.20.3
39744cf chore: linter (#534)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates csurf from 1.9.0 to 1.11.0

Release notes

Sourced from csurf's releases.

1.11.0

deps: cookie@0.4.0

Add SameSite=None support

deps: http-errors@~1.7.3

deps: inherits@2.0.4

1.10.0

deps: csrf@3.1.0

Remove base64-url dependency

deps: tsscmp@1.0.6

deps: uid-safe@2.1.5

deps: http-errors@~1.7.2

Make message property enumerable for HttpErrors

Set constructor name when possible

deps: depd@~1.1.2

deps: inherits@2.0.3

deps: setprototypeof@1.1.1

deps: statuses@'>= 1.5.0 < 2'

perf: remove argument reassignment

perf: use plain object for internal cookie options

Changelog

Sourced from csurf's changelog.

1.11.0 / 2020-01-18

deps: cookie@0.4.0

Add SameSite=None support

deps: http-errors@~1.7.3

deps: inherits@2.0.4

1.10.0 / 2019-04-22

deps: csrf@3.1.0

Remove base64-url dependency

deps: tsscmp@1.0.6

deps: uid-safe@2.1.5

deps: http-errors@~1.7.2

Make message property enumerable for HttpErrors

Set constructor name when possible

deps: depd@~1.1.2

deps: inherits@2.0.3

deps: setprototypeof@1.1.1

deps: statuses@'>= 1.5.0 < 2'

perf: remove argument reassignment

perf: use plain object for internal cookie options

Commits

daaeb5d 1.11.0
62429d0 build: mocha@7.0.0
daab742 build: eslint-plugin-import@2.20.0
9660c1e build: cookie-session@1.4.0
a18eef0 build: Node.js@13.6
2745086 deps: cookie@0.4.0
445eda6 docs: add reference links in readme for patterns
05307de build: nyc@15.0.0
f35b20e build: eslint-plugin-node@11.0.0
2601bf3 build: Node.js@13.5
Additional commits viewable in compare view

Updates dont-sniff-mimetype from 1.0.0 to 1.1.0

Changelog

Sourced from dont-sniff-mimetype's changelog.

1.1.0 - 2019-05-11

Added

Added TypeScript type definitions. See #4 and helmetjs/helmet#188

Created a changelog

Changed

Updated some package metadata

Excluded some files from npm package

Changes in versions 1.0.0 and below can be found in Helmet's changelog.

Commits

8f84846 1.1.0
a85ea88 Update changelog for 1.1.0 release
8c98fb5 Add a changelog
1e0a2cb Add /dist/ to gitignore
045a827 Convert module to TypeScript
10a1198 Travis should test on Node 10
74d3598 Update some package metadata
df8c47b Update license year for 2019
4163e0c Add note about CORB
d9d45f6 Travis shouldn't test on EOL'd Node 4
Additional commits viewable in compare view

Updates express from 4.16.4 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 4.22.1 by @UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for Node.js@23.0 by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: qs@6.14.0 by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: qs@6.14.0

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

12fae14 4.22.1
5ddf311 Revert "sec: security patch for CVE-2024-51999"
49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
6a23d34 deps: use tilde notation for qs (#6919)
8c12cdf deps: qs@6.14.0 (#6909)
7fea74f deps: use tilde notation for certain dependencies (#6905)
dac7a04 chore: wider range for query test skip (#6513)
997919b ci: add node.js 24 to test matrix (#6506)
36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates express-session from 1.15.6 to 1.18.2

Release notes

Sourced from express-session's releases.

v1.18.2

What's Changed

fix: Resolve test failure - Refresh server.crt with existing key extending expiry to Nov 21 03:28:10 2034 GMT by @BaileyFirman in expressjs/session#1003

feat: gencert script to regenerate the test ssl certs by @wesleytodd in expressjs/session#1015

chore: upgrade scorecard workflow pinned action versions by @carpasse in expressjs/session#1008

ci: add CodeQL (SAST) by @bjohansebas in expressjs/session#1005

[StepSecurity] Apply security best practices by @step-security-bot in expressjs/session#1047

build(deps-dev): bump mocha from 10.2.0 to 10.8.2 by @dependabot[bot] in expressjs/session#1061

build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot[bot] in expressjs/session#1048

build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 by @dependabot[bot] in expressjs/session#1050

build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in expressjs/session#1049

build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in expressjs/session#1052

build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/session#1051

chore: fix typos by @noritaka1166 in expressjs/session#1066

deps: on-headers@1.1.0 by @UlisesGascon in expressjs/session#1069

🔖 v1.18.2 by @ctcpip in expressjs/session#1070

New Contributors

@BaileyFirman made their first contribution in expressjs/session#1003

@wesleytodd made their first contribution in expressjs/session#1015

@carpasse made their first contribution in expressjs/session#1008

@step-security-bot made their first contribution in expressjs/session#1047

@dependabot[bot] made their first contribution in expressjs/session#1061

@noritaka1166 made their first contribution in expressjs/session#1066

@ctcpip made their first contribution in expressjs/session#1070

Full Changelog: expressjs/session@v1.18.1...v1.18.2

1.18.1

What's Changed

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/session#984

dep: cookie@0.7.2 by @knolleary in expressjs/session#997

Release: 1.18.1 by @UlisesGascon in expressjs/session#998

New Contributors

@inigomarquinez made their first contribution in expressjs/session#984

@knolleary made their first contribution in expressjs/session#997

@UlisesGascon made their first contribution in expressjs/session#998

Full Changelog: expressjs/session@v1.18.0...v1.18.1

1.18.0

Add debug log for pathname mismatch

Add partitioned to cookie options

Add priority to cookie options

Fix handling errors from setting cookie

Support any type in secret that crypto.createHmac supports

deps: cookie@0.6.0

Fix expires option to reject invalid dates

perf: improve default decode speed

... (truncated)

Changelog

Sourced from express-session's changelog.

1.18.2 / 2025-07-17

deps: mocha@10.8.2

deps: on-headers@~1.1.0

Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

1.18.1 / 2024-10-08

deps: cookie@0.7.2

Fix object assignment of hasOwnProperty

deps: cookie@0.7.1

Allow leading dot for domain

Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec

Add fast path for serialize without options, use obj.hasOwnProperty when parsing

deps: cookie@0.7.0

perf: parse cookies ~10% faster

fix: narrow the validation of cookies to match RFC6265

fix: add main to package.json for rspack

1.18.0 / 2024-01-28

Add debug log for pathname mismatch

Add partitioned to cookie options

Add priority to cookie options

Fix handling errors from setting cookie

Support any type in secret that crypto.createHmac supports

deps: cookie@0.6.0

Fix expires option to reject invalid dates

perf: improve default decode speed

perf: remove slow string split in parse

deps: cookie-signature@1.0.7

1.17.3 / 2022-05-11

Fix resaving already-saved new session at end of request

deps: cookie@0.4.2

1.17.2 / 2021-05-19

Fix res.end patch to always commit headers

deps: cookie@0.4.1

deps: safe-buffer@5.2.1

1.17.1 / 2020-04-16

... (truncated)

Commits

d10709f 🔖 v1.18.2 (#1070)
5808783 deps: on-headers@1.1.0 (#1069)
b9fcad8 chore: fix typos (#1066)
a698c81 build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1051)
ec1957b build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 (#1052)
2caff6a build(deps): bump actions/checkout from 4.1.1 to 4.2.2 (#1049)
2633e88 build(deps): bump github/codeql-action from 3.24.7 to 3.28.18 (#1050)
7e2c696 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#1048)
92dd300 build(deps-dev): bump mocha from 10.2.0 to 10.8.2 (#1061)
168271c fix(dependabot): do not update major versions
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express-session since your current version.

Updates marked from 0.3.5 to 0.8.2

Commits

4af69d3 Merge pull request #1624 from UziTech/release-0.8.2
19f0d4f 0.8.2
38403c0 build
d7b05cb update devdeps
17ee15f build [skip ci]
58e9fed Merge pull request #1622 from UziTech/render-html
193a41e simplify tag regex
7330a9c add html test to heading ids
f01ba94 add html to TextRenderer
cf3d0a0 Merge pull request #1620 from julien-c/patch-1
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by tonybrix, a new releaser for marked since your current version.

Updates needle from 2.2.4 to 2.9.1

Release notes

Sourced from needle's releases.

v2.9.0

What's Changed

Add support for application/vnd.api+json content types by @kfitzgerald in tomas/needle#362

underscore in nonce breaks the digest request by @ManjunathaN in tomas/needle#356

Removed usage of deprecated API by @adityapatadia in tomas/needle#348

treat xml and json mime types as text by @yetzt in tomas/needle#351

Replace all .pipe calls with stream module pipeline method by @alolis in tomas/needle#370

New Contributors

@ManjunathaN made their first contribution in tomas/needle#356

@adityapatadia made their first contribution in tomas/needle#348

@alolis made their first contribution in tomas/needle#370

Full Changelog: tomas/needle@v2.7.0...v2.9.0

v2.8.0

What's Changed

Add support for application/vnd.api+json content types by @kfitzgerald in tomas/needle#362

Full Changelog: tomas/needle@v2.7.0...v2.8.0

v2.7.0

What's Changed

add lookup param for request by @machao in tomas/needle#360

New Contributors

@machao made their first contribution in tomas/needle#360

Full Changelog: tomas/needle@v2.6.0...v2.7.0

v2.6.0

What's Changed

Support brotli compression on Node 10+ by @colinskow in tomas/needle#282

Fix typo by @markhoney in tomas/needle#290

Add permanent redirect status code by @dkontorovskyy in tomas/needle#293

test: change octal escape to Unicode escape by @brettz9 in tomas/needle#295

Fix parsing xml CDATA values by @adexin-team in tomas/needle#301

Add follow_if_different_location config by @laurent35240 in tomas/needle#300

Add support for RFC-2069 by @mslosarek in tomas/needle#305

Pass request cookies in redirects if follow_set_cookies is true by @tomas in tomas/needle#307

Fix request cookies lost during multiple redirects by @ash0080 in tomas/needle#291

Charset detection not default as utf-8 #306 by @alexburley in tomas/needle#308

Simple request URI modification logic by @awiejacha in tomas/needle#311

feat: allow needle to accept IP family as a parameter by @dkontorovskyy in tomas/needle#316

Added hpagent to proxy section by @delvedor in tomas/needle#325

Update regex for matching header by @alexburley in tomas/needle#329

Fixed zlib_options used for zlib.BrotliDecompress by @Phygon in tomas/needle#326

chore: README typo by @FauxFaux in tomas/needle#333

fix: Allow brackets in www-authentication header values by @TimBailey-pnk in tomas/needle#341

... (truncated)

Commits

See full diff in compare view

Updates serve-favicon from 2.5.0 to 2.5.1

Release notes

Sourced from serve-favicon's releases.

2.5.1

What's Changed

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/serve-favicon#49

ci: replace travis with github action by @inigomarquinez in expressjs/serve-favicon#48

chore: upgrade scorecard workflow pinned action versions by @carpasse in expressjs/serve-favicon#50

deps: ms@2.1.1->2.1.3 by @legobeat in expressjs/serve-favicon#46

deps: safe-buffer@5.1.1->5.2.1 by @legobeat in expressjs/serve-favicon#45

fix: use ubuntu-latest as ci runner by @UlisesGascon in expressjs/serve-favicon#52

fix: update HISTORY file by @UlisesGascon in expressjs/serve-favicon#51

ci: apply OSSF Scorecard security best practices by @UlisesGascon in expressjs/serve-favicon#53

build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot in expressjs/serve-favicon#54

build(deps): bump github/codeql-action from 3.27.9 to 3.28.19 by @dependabot in expressjs/serve-favicon#55

build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot in expressjs/serve-favicon#56

build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @dependabot in expressjs/serve-favicon#57

build(deps-dev): bump supertest from 7.0.0 to 7.1.1 by @dependabot in expressjs/serve-favicon#58

build(deps-dev): bump eslint-plugin-standard from 3.0.1 to 3.1.0 by @dependabot in expressjs/serve-favicon#59

build(deps-dev): bump eslint-plugin-markdown from 1.0.0-beta.6 to 1.0.2 by @dependabot in expressjs/serve-favicon#63

ci: upgrade Node versions by @UlisesGascon in expressjs/serve-favicon#64

build(deps-dev): bump mocha from 10.4.0 to 10.8.2 by @dependabot in expressjs/serve-favicon#60

build(deps-dev): bump eslint-plugin-import from 2.10.0 to 2.31.0 by @dependabot in expressjs/serve-favicon#62

build(deps-dev): bump eslint-plugin-promise from 3.7.0 to 3.8.0 by @dependabot in expressjs/serve-favicon#61

feat: remove appveyor by @UlisesGascon in expressjs/serve-favicon#66

docs: include scorecard badge by @UlisesGascon in expressjs/serve-favicon#67

feat: adopt flexible deps policy by @UlisesGascon in expressjs/serve-favicon#69

Release: 2.5.1 by @UlisesGascon in expressjs/serve-favicon#68

New Contributors

@inigomarquinez made their first contribution in expressjs/serve-favicon#49

@carpasse made their first contribution in expressjs/serve-favicon#50

@legobeat made their first contribution in expressjs/serve-favicon#46

@UlisesGascon made their first contribution in expressjs/serve-favicon#52

@dependabot made their first contribution in expressjs/serve-favicon#54

Full Changelog: expressjs/serve-favicon@2.5.0...2.5.1

Changelog

Sourced from serve-favicon's changelog.

2.5.1 / 2025-06-10

deps:

safe-buffer@5.2.1

ms@2.1.3

Commits

83da8d5 2.5.1 (#68)
c03a88b feat: adopt flexible deps policy (#69)
262b7bf docs: include scorecard badge (#67)
47663ae feat: remove appveyor (#66)
d83f56c build(deps-dev): bump eslint-plugin-promise from 3.7.0 to 3.8.0 (#61)
872a751 build(deps-dev): bump eslint-plugin-import from 2.10.0 to 2.31.0 (#62)
19e8af3 build(deps-dev): bump mocha from 10.4.0 to 10.8.2 (#60)
d976602 ci: upgrade Node versions (#64)
623e26e build(deps-dev): bump eslint-plugin-markdown from 1.0.0-beta.6 to 1.0.2 (#63)
14fae4f build(deps-dev): bump eslint-plugin-standard from 3.0.1 to 3.1.0 (#59)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-favicon since your current version.

Updates underscore from 1.9.1 to 1.13.7

Commits

d2e7e61 Update autogenerated files for 1.13.7
b1d4f23 Add a change log entry for 1.13.7
473970a Bump the copyright years
a1cbb48 Bump the version to 1.13.7
1205eb5 Merge pull request #2996 from elkcityhazard/feature/theme-toggle
bd3468b even more css formatting
dd23fd0 formatting, filter, darker darkmode
184aae5 unncessary prefers-color-scheme: light removal
55720c0 minimal dark mode implementation
de20b6f incorporated stylesheet that was already available
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jgonggrijp, a new releaser for underscore since your current version.

Updates async from 2.6.1 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

Fix potential prototype pollution exploit (#1828)

v2.6.3

Updated lodash to squelch a security warning (#1675)

v2.6.2

Updated lodash to squelch a security warning (#1620)

Commits

c6bdaca Version 2.6.4
8870da9 Update built files
4df6754 update changelog
8f7f903 Fix prototype pollution vulnerability (#1828)
f1d8383 Version 2.6.3
2b674c1 update changelog
eab740f fix: udpate lodash. closes #1675
eaf32be Version 2.6.2
684b42e Update built files
e1bd3da update changelog
Additional commits viewable in compare view

Maintainer changesDescription has been truncated

Bumps the npm-minor-patch group in /NodeGoat with 18 updates: | Package | From | To | | --- | --- | --- | | [body-parser](https://github.com/expressjs/body-parser) | `1.18.3` | `1.20.4` | | [csurf](https://github.com/expressjs/csurf) | `1.9.0` | `1.11.0` | | [dont-sniff-mimetype](https://github.com/helmetjs/dont-sniff-mimetype) | `1.0.0` | `1.1.0` | | [express](https://github.com/expressjs/express) | `4.16.4` | `4.22.1` | | [express-session](https://github.com/expressjs/session) | `1.15.6` | `1.18.2` | | [marked](https://github.com/markedjs/marked) | `0.3.5` | `0.8.2` | | [needle](https://github.com/tomas/needle) | `2.2.4` | `2.9.1` | | [serve-favicon](https://github.com/expressjs/serve-favicon) | `2.5.0` | `2.5.1` | | [underscore](https://github.com/jashkenas/underscore) | `1.9.1` | `1.13.7` | | [async](https://github.com/caolan/async) | `2.6.1` | `2.6.4` | | [cross-env](https://github.com/kentcdodds/cross-env) | `7.0.2` | `7.0.3` | | [cypress](https://github.com/cypress-io/cypress) | `3.3.1` | `3.8.3` | | [grunt](https://github.com/gruntjs/grunt) | `1.0.3` | `1.6.1` | | [grunt-cli](https://github.com/gruntjs/grunt-cli) | `1.3.2` | `1.4.3` | | [grunt-mocha-test](https://github.com/pghalliday/grunt-mocha-test) | `0.12.7` | `0.13.3` | | [jshint](https://github.com/jshint/jshint) | `2.12.0` | `2.13.6` | | [nodemon](https://github.com/remy/nodemon) | `1.19.1` | `1.19.4` | | [zaproxy](https://github.com/zaproxy/zap-api-nodejs) | `0.2.0` | `0.3.0` | Updates `body-parser` from 1.18.3 to 1.20.4 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.18.3...1.20.4) Updates `csurf` from 1.9.0 to 1.11.0 - [Release notes](https://github.com/expressjs/csurf/releases) - [Changelog](https://github.com/expressjs/csurf/blob/master/HISTORY.md) - [Commits](expressjs/csurf@1.9.0...1.11.0) Updates `dont-sniff-mimetype` from 1.0.0 to 1.1.0 - [Changelog](https://github.com/helmetjs/dont-sniff-mimetype/blob/v1.1.0/CHANGELOG.md) - [Commits](helmetjs/dont-sniff-mimetype@v1.0.0...v1.1.0) Updates `express` from 4.16.4 to 4.22.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md) - [Commits](expressjs/express@4.16.4...v4.22.1) Updates `express-session` from 1.15.6 to 1.18.2 - [Release notes](https://github.com/expressjs/session/releases) - [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md) - [Commits](expressjs/session@v1.15.6...v1.18.2) Updates `marked` from 0.3.5 to 0.8.2 - [Release notes](https://github.com/markedjs/marked/releases) - [Commits](markedjs/marked@v0.3.5...v0.8.2) Updates `needle` from 2.2.4 to 2.9.1 - [Release notes](https://github.com/tomas/needle/releases) - [Commits](https://github.com/tomas/needle/commits) Updates `serve-favicon` from 2.5.0 to 2.5.1 - [Release notes](https://github.com/expressjs/serve-favicon/releases) - [Changelog](https://github.com/expressjs/serve-favicon/blob/master/HISTORY.md) - [Commits](expressjs/serve-favicon@2.5.0...2.5.1) Updates `underscore` from 1.9.1 to 1.13.7 - [Commits](jashkenas/underscore@1.9.1...1.13.7) Updates `async` from 2.6.1 to 2.6.4 - [Release notes](https://github.com/caolan/async/releases) - [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md) - [Commits](caolan/async@v2.6.1...v2.6.4) Updates `cross-env` from 7.0.2 to 7.0.3 - [Release notes](https://github.com/kentcdodds/cross-env/releases) - [Changelog](https://github.com/kentcdodds/cross-env/blob/main/CHANGELOG.md) - [Commits](kentcdodds/cross-env@v7.0.2...v7.0.3) Updates `cypress` from 3.3.1 to 3.8.3 - [Release notes](https://github.com/cypress-io/cypress/releases) - [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md) - [Commits](https://github.com/cypress-io/cypress/compare/@cypress/vite-dev-server-v3.3.1...v3.8.3) Updates `grunt` from 1.0.3 to 1.6.1 - [Release notes](https://github.com/gruntjs/grunt/releases) - [Changelog](https://github.com/gruntjs/grunt/blob/main/CHANGELOG) - [Commits](gruntjs/grunt@v1.0.3...v1.6.1) Updates `grunt-cli` from 1.3.2 to 1.4.3 - [Release notes](https://github.com/gruntjs/grunt-cli/releases) - [Changelog](https://github.com/gruntjs/grunt-cli/blob/main/CHANGELOG.md) - [Commits](gruntjs/grunt-cli@v1.3.2...v1.4.3) Updates `grunt-mocha-test` from 0.12.7 to 0.13.3 - [Commits](pghalliday/grunt-mocha-test@0.12.7...0.13.3) Updates `jshint` from 2.12.0 to 2.13.6 - [Release notes](https://github.com/jshint/jshint/releases) - [Changelog](https://github.com/jshint/jshint/blob/main/CHANGELOG.md) - [Commits](jshint/jshint@2.12.0...2.13.6) Updates `nodemon` from 1.19.1 to 1.19.4 - [Release notes](https://github.com/remy/nodemon/releases) - [Commits](remy/nodemon@v1.19.1...v1.19.4) Updates `zaproxy` from 0.2.0 to 0.3.0 - [Changelog](https://github.com/zaproxy/zap-api-nodejs/blob/main/CHANGELOG.md) - [Commits](https://github.com/zaproxy/zap-api-nodejs/commits) --- updated-dependencies: - dependency-name: body-parser dependency-version: 1.20.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: csurf dependency-version: 1.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: dont-sniff-mimetype dependency-version: 1.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: express dependency-version: 4.22.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: express-session dependency-version: 1.18.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: marked dependency-version: 0.8.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: needle dependency-version: 2.9.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: serve-favicon dependency-version: 2.5.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm-minor-patch - dependency-name: underscore dependency-version: 1.13.7 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: async dependency-version: 2.6.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor-patch - dependency-name: cross-env dependency-version: 7.0.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor-patch - dependency-name: cypress dependency-version: 3.8.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: grunt dependency-version: 1.6.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: grunt-cli dependency-version: 1.4.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: grunt-mocha-test dependency-version: 0.13.3 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: jshint dependency-version: 2.13.6 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-patch - dependency-name: nodemon dependency-version: 1.19.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor-patch - dependency-name: zaproxy dependency-version: 0.3.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2025-12-06T02:38:18Z

Labels

The following labels could not be found: dependencies, javascript. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot · 2025-12-08T12:54:35Z

Looks like these dependencies are no longer a dependency, so this is no longer needed.

dependabot Bot closed this Dec 8, 2025

dependabot Bot deleted the dependabot/npm_and_yarn/NodeGoat/npm-minor-patch-a9b7a17f9d branch December 8, 2025 12:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps(nodegoat): bump the npm-minor-patch group in /NodeGoat with 18 updates#8

deps(nodegoat): bump the npm-minor-patch group in /NodeGoat with 18 updates#8
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/NodeGoat/npm-minor-patch-a9b7a17f9d

dependabot Bot commented on behalf of github Dec 6, 2025 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github Dec 6, 2025

Uh oh!

dependabot Bot commented on behalf of github Dec 8, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Dec 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

1.20.4

What's Changed

1.20.3

What's Changed

Important

Other changes

New Contributors

1.20.2

1.20.1

1.20.4 / 2025-12-01

1.20.3 / 2024-09-10

1.20.2 / 2023-02-21

1.20.1 / 2022-10-06

1.20.0 / 2022-04-02

1.19.2 / 2022-02-15

1.11.0

1.10.0

1.11.0 / 2020-01-18

1.10.0 / 2019-04-22

1.1.0 - 2019-05-11

Added

Changed

v4.22.1

What's Changed

4.22.0

Important: Security

What's Changed

4.21.2

What's Changed

4.21.1

What's Changed

4.22.1 / 2025-12-01

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

4.20.0 / 2024-09-10

v1.18.2

What's Changed

New Contributors

1.18.1

What's Changed

New Contributors

1.18.0

1.18.2 / 2025-07-17

1.18.1 / 2024-10-08

1.18.0 / 2024-01-28

1.17.3 / 2022-05-11

1.17.2 / 2021-05-19

1.17.1 / 2020-04-16

v2.9.0

What's Changed

New Contributors

v2.8.0

What's Changed

v2.7.0

What's Changed

New Contributors

v2.6.0

What's Changed

2.5.1

What's Changed

New Contributors

2.5.1 / 2025-06-10

v2.6.4

v2.6.3

v2.6.2

Uh oh!

dependabot Bot commented on behalf of github Dec 6, 2025

Labels

Uh oh!

dependabot Bot commented on behalf of github Dec 8, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

dependabot Bot commented on behalf of github Dec 6, 2025 •

edited

Loading