build(deps): bump the npm_and_yarn group across 3 directories with 29 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the /pkg/ui directory: minimist, @babel/runtime, lodash and esbuild.
Bumps the npm_and_yarn group with 2 updates in the /pkg/ui/workspaces/cluster-ui directory: semver and esbuild.
Bumps the npm_and_yarn group with 2 updates in the /pkg/ui/workspaces/db-console directory: express and webpack-dev-server.

Updates minimist from 1.2.0 to 1.2.6

Changelog

Sourced from minimist's changelog.

v1.2.6 - 2022-03-21

Commits

• test from prototype pollution PR bc8ecee
• isConstructorOrProto adapted from PR c2b9819
• security notice for additional prototype pollution issue ef88b93

v1.2.5 - 2020-03-12

v1.2.4 - 2020-03-11

Commits

• security notice 4cf1354
• additional test for constructor prototype pollution 1043d21

v1.2.3 - 2020-03-10

Commits

• more failing proto pollution tests 13c01a5
• even more aggressive checks for protocol pollution 38a4d1c

v1.2.2 - 2020-03-10

Commits

• failing test for protocol pollution 0efed03
• cleanup 67d3722
• console.dir -> console.log 47acf72
• don't assign onto proto 63e7ed0

v1.2.1 - 2020-03-10

Merged

• move the opts['--'] example back where it belongs [#63](https://github.com/minimistjs/minimist/issues/63)

Commits

• add test 6be5dae
• fix bad boolean regexp ac3fc79

Commits

• 7efb22a 1.2.6
• ef88b93 security notice for additional prototype pollution issue
• c2b9819 isConstructorOrProto adapted from PR
• bc8ecee test from prototype pollution PR
• aeb3e27 1.2.5
• 278677b 1.2.4
• 4cf1354 security notice
• 1043d21 additional test for constructor prototype pollution
• 6457d74 1.2.3
• 38a4d1c even more aggressive checks for protocol pollution
• Additional commits viewable in compare view

Updates semver from 5.3.0 to 5.7.2

Release notes

Sourced from semver's releases.

v7.5.4

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@​lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@​lukekarrys)

Changelog

Sourced from semver's changelog.

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@​lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@​lukekarrys)

Commits

• 36cd334 chore: release 7.5.4
• 8456d87 chore: postinstall for dependabot template-oss PR
• dde1f00 chore: postinstall for dependabot template-oss PR
• dffcd1b chore: bump @​npmcli/template-oss from 4.16.0 to 4.17.0
• d619f66 chore: postinstall for dependabot template-oss PR
• 3bc4247 chore: bump @​npmcli/template-oss from 4.15.1 to 4.16.0
• cc6fde2 fix: trim each range set before parsing
• 99d8287 fix: correctly parse long build ids as valid (#583)
• 4f0f6b1 chore: fix arguments in whitespace test (#574)
• 6bd1a37 chore: remove duplicate test in semver class (#575)
• See full diff in compare view

Updates @babel/runtime from 7.12.13 to 7.27.6

Release notes

Sourced from @​babel/runtime's releases.

v7.27.6 (2025-06-05)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17366 fix: finally causes unexpected return value (@​liuxingbaoyu)
• babel-generator, babel-parser, babel-types
  • #17357 Ensure syntactic ordering when visiting array-type AST nodes (@​JLHwung)

Committers: 3

• Huáng Jùnliàng (@​JLHwung)
• Ingvar Stepanyan (@​RReverser)
• @​liuxingbaoyu

v7.27.5 (2025-06-03)

Thanks @​NullVoxPopuli for your first PR!

🐛 Bug Fix

• babel-plugin-transform-regenerator
  • #17359 fix: Unexpected infinite loop with regenerator for try (@​liuxingbaoyu)
• Other
  • #17349 Map ESLint's sourceType: commonjs to script (@​JLHwung)

💅 Polish

• babel-parser
  • #17333 Improve using declaration errors (@​JLHwung)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• @​NullVoxPopuli
• @​liuxingbaoyu

v7.27.4 (2025-05-30)

👓 Spec Compliance

• babel-parser, babel-plugin-proposal-explicit-resource-management
  • #17323 Disallow using in bare case statement (@​JLHwung)

💅 Polish

• babel-parser
  • #17311 Improve parseExpression error messages (@​JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17287 Reduce regenerator size more (@​liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs3
  • #17334 Use shorter method names for regenerator context (@​nicolo-ribaudo)
  • #17268 Reduce regenerator helper size (@​liuxingbaoyu)
• babel-core, babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-standalone

... (truncated)

Changelog

Sourced from @​babel/runtime's changelog.

v7.27.6 (2025-06-05)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17366 fix: finally causes unexpected return value (@​liuxingbaoyu)
• babel-generator, babel-parser, babel-types
  • #17357 Ensure syntactic ordering when visiting array-type AST nodes (@​JLHwung)

v7.27.5 (2025-06-03)

🐛 Bug Fix

• babel-plugin-transform-regenerator
  • #17359 fix: Unexpected infinite loop with regenerator for try (@​liuxingbaoyu)
• Other
  • #17349 Map ESLint's sourceType: commonjs to script (@​JLHwung)

💅 Polish

• babel-parser
  • #17333 Improve using declaration errors (@​JLHwung)

v7.27.4 (2025-05-30)

👓 Spec Compliance

• babel-parser, babel-plugin-proposal-explicit-resource-management
  • #17323 Disallow using in bare case statement (@​JLHwung)

💅 Polish

• babel-parser
  • #17311 Improve parseExpression error messages (@​JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17287 Reduce regenerator size more (@​liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs3
  • #17334 Use shorter method names for regenerator context (@​nicolo-ribaudo)
  • #17268 Reduce regenerator helper size (@​liuxingbaoyu)
• babel-core, babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-destructuring, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-standalone
  • #17238 Split regeneratorRuntime into multiple helpers (@​nicolo-ribaudo)

v7.27.3 (2025-05-27)

🐛 Bug Fix

• babel-generator
  • #17324 Improve multiline comments handling in yield/await expression (@​JLHwung)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17328 Correctly set .displayName on GeneratorFunction (@​nicolo-ribaudo)
• babel-plugin-proposal-explicit-resource-management
  • #17319 fix: handle shadowed binding in for using of body (@​JLHwung)
  • #17317 fix: support named evaluation for using declaration (@​JLHwung)
• babel-plugin-proposal-decorators, babel-types
  • #17321 fix(converter): Remove abstract modifiers in class declaration to expression conversion (@​magic-akari)
• babel-helper-module-transforms, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-modules-amd, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-umd
  • #17257 Preserve class id when transforming using declarations with exported class (@​JLHwung)

... (truncated)

Commits

• baa4cb8 v7.27.6
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
• a0690e3 Split regeneratorRuntime into multiple helpers (#17238)
• da5e371 v7.27.3
• eebd3a0 v7.27.1
• 296cdc5 Remove unused regenerator-runtime dep in @babel/runtime (#17263)
• fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
• 5c350ea v7.27.0
• Additional commits viewable in compare view

Updates immer from 9.0.3 to 9.0.21

Release notes

Sourced from immer's releases.

v9.0.21

9.0.21 (2023-03-23)

Bug Fixes

• ensure type exports is first in package.json export declaration (#1018) (b6ccd0f)

v9.0.20

9.0.20 (2023-03-23)

Bug Fixes

• patching maps failed when using number keys (#1025) (dd83e2e)

v9.0.19

9.0.19 (2023-01-27)

Bug Fixes

• don't freeze drafts returned from produce if they were passed in as draft (#917) (46867f8)
• produce results should never be frozen when returned from nested produces, to prevent 'hiding' drafts. Fixes #935 (a810960)
• release and publish from 'main' rather than 'master' branch (82acc40)
• revert earlier fix (#990) for recursive types (#1014) (3eeb331)
• Upgrade Github actions to Node 16 attempt 1 (9d4ea93)
• Upgrade Github actions to Node 16 attempt 2 (082eecd)

v9.0.18

9.0.18 (2023-01-15)

Bug Fixes

• Preserve insertion order of Sets, fixes #819 (#976) (b3eeb69)
• unnecessarily recursive Draft type (#990) (b9eae1d)

v9.0.17

9.0.17 (2023-01-02)

Bug Fixes

• special case NaN in setter (#912) (5721bb7)

v9.0.16

9.0.16 (2022-10-22)

... (truncated)

Commits

• 7c15339 chore(deps): bump loader-utils from 2.0.0 to 2.0.4 in /website (#1026)
• f07ec9d chore(deps): bump @​sideway/formula from 3.0.0 to 3.0.1 in /website (#1027)
• b6ccd0f fix: ensure type exports is first in package.json export declaration (#1018)
• 385837d chore(deps): bump http-cache-semantics from 4.1.0 to 4.1.1 in /website (#1017)
• e1696b7 chore(deps): bump webpack from 5.75.0 to 5.76.1 in /website (#1024)
• dd83e2e fix: patching maps failed when using number keys (#1025)
• 082eecd fix: Upgrade Github actions to Node 16 attempt 2
• 9d4ea93 fix: Upgrade Github actions to Node 16 attempt 1
• 82acc40 fix: release and publish from 'main' rather than 'master' branch
• 3eeb331 fix: revert earlier fix (#990) for recursive types (#1014)
• Additional commits viewable in compare view

Updates lodash from 4.17.20 to 4.17.21

Commits

• f299b52 Bump to v4.17.21
• c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
• 3469357 Prevent command injection through _.template's variable option
• See full diff in compare view

Updates uplot from 1.6.19 to 1.6.32

Release notes

Sourced from uplot's releases.

1.6.32

leeoniya/uPlot@1.6.31...1.6.32

1.6.31

leeoniya/uPlot@1.6.30...1.6.31

1.6.30

leeoniya/uPlot@1.6.29...1.6.30

1.6.29

leeoniya/uPlot@1.6.28...1.6.29

1.6.28

leeoniya/uPlot@1.6.27...1.6.28

1.6.27

leeoniya/uPlot@1.6.26...1.6.27

1.6.26

leeoniya/uPlot@1.6.25...1.6.26

1.6.25

leeoniya/uPlot@1.6.24...1.6.25

1.6.24

leeoniya/uPlot@1.6.23...1.6.24

this release implements the ability to set custom legend value(s) when the plot is un-hovered (leeoniya/uPlot#644).

as a consequence, it will now call any user-supplied series.value or series.values legend callbacks with value=null and dataIdx=null whenever the mouse cursor leaves the plotting area. previously, uPlot did not invoke these callbacks during mouseleave and simply put -- into the legend values.

therefore, if you neglected to handle null values in these user-supplied callbacks, your code may need to be updated.

1.6.23

leeoniya/uPlot@1.6.22...1.6.23

1.6.22

leeoniya/uPlot@1.6.21...1.6.22

1.6.21

leeoniya/uPlot@1.6.20...1.6.21

1.6.20

leeoniya/uPlot@1.6.19...1.6.20

Commits

• e995b06 1.6.32
• 4ae749b revert "type": "module"
• 39e77ec fix numeric legend labels. (regressed in b24436d)
• 39b9cf9 time: false in focus-cursor demo
• 21f5307 fix dependent scales
• dbca51c alignAt -> alignTo
• 5bba0d7 sync cursor on unlock. close #921.
• 23c8bba don't snap mouse position to edges on non-mousemove sync events. (#921)
• 7ad0111 revert, use different approach
• 7df6851 demo of hover/cursor snapping. close #972.
• Additional commits viewable in compare view

Updates esbuild from 0.14.43 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates express from 4.15.2 to 4.21.2

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695
• 📝 update people, add ctcpip to TC by @​ctcpip in expressjs/express#5683
• remove minor version pinning from ci by @​jonchurch in expressjs/express#5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @​IamLizu in expressjs/express#5762
• Replace Appveyor windows testing with GHA by @​jonchurch in expressjs/express#5599
• Add OSSF Scorecard badge by @​UlisesGascon in expressjs/express#5436
• update scorecard link by @​bjohansebas in expressjs/express#5814
• Nominate @​IamLizu to the triage team by @​UlisesGascon in expressjs/express#5836
• deps: path-to-regexp@0.1.8 by @​blakeembrey in expressjs/express#5603
• docs: specify new instructions for question and discuss by @​IamLizu in expressjs/express#5835
• 4.x: Upgrade merge-descriptors dependency by @​RobinTail in expressjs/express#5781
• path-to-regexp@0.1.10 by @​blakeembrey in expressjs/express#5902

New Contributors

• @​marco-ippolito made their first contribution in expressjs/express#5565
• @​inigomarquinez made their first contribution in expressjs/express#5590
• @​mertcanaltin made their first contribution in expressjs/express#5627
• @​ctcpip made their first contribution in expressjs/express#5690
• @​bjohansebas made their first contribution in expressjs/express#5814

Full Changelog: expressjs/express@4.19.1...4.20.0

... (truncated)

Changelog

Sourced from express's changelog.

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2
• deps: cookie@0.6.0
  • Add partitioned option

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: body-parser@1.20.1

... (truncated)

Commits

• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to serve-static@0.16.0
• 9ebe5d5 feat: upgrade to send@0.19.0 (#5928)
• ec4a01b feat: upgrade to body-parser@1.20.3 (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 path-to-regexp@0.1.10 (#5902)
• 2a980ad merge-descriptors@1.0.3 (#5781)
• a3e7e05 docs: specify new instructions for question and discuss
• c5addb9 deps: path-to-regexp@0.1.8 (#5603)
• e35380a docs: add @​IamLizu to the triage team (#5836)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates webpack-dev-server from 3.10.1 to 3.11.3

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

• added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

• speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

• check the platform property to determinate the target (#5269) (c3b532c)
• ipv6 output (#5270) (