Bump the npm_and_yarn group across 1 directory with 14 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
@backstage/plugin-app-backend	0.3.57	0.3.75
@backstage/plugin-catalog-backend	1.16.2	1.26.0
@backstage/plugin-techdocs-backend	1.9.2	1.10.13
express	4.19.2	4.20.0
braces	3.0.2	3.0.3
dompurify	2.4.7	2.5.7
dset	3.1.3	3.1.4
elliptic	6.5.4	6.5.7
micromatch	4.0.5	4.0.8
rollup	2.79.1	2.79.2
webpack	5.90.1	5.95.0

Updates @backstage/plugin-app-backend from 0.3.57 to 0.3.75

Changelog

Sourced from @​backstage/plugin-app-backend's changelog.

@​backstage/plugin-app-backend

0.3.76-next.1

Patch Changes

• 2c4ee26: Fixed unexpected behaviour where configuration supplied with APP_CONFIG_* environment variables where not filtered by the configuration schema.
• Updated dependencies
  • @​backstage/plugin-auth-node@​0.5.3-next.1
  • @​backstage/backend-plugin-api@​1.0.1-next.1
  • @​backstage/config@​1.2.0
  • @​backstage/config-loader@​1.9.1
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-app-node@​0.1.26-next.1

0.3.75-next.0

Patch Changes

• 094eaa3: Remove references to in-repo backend-common
• Updated dependencies
  • @​backstage/plugin-auth-node@​0.5.3-next.0
  • @​backstage/backend-plugin-api@​1.0.1-next.0
  • @​backstage/config@​1.2.0
  • @​backstage/config-loader@​1.9.1
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-app-node@​0.1.26-next.0

0.3.74

Patch Changes

• 72a8c7b: Return HTTP status 400 rather than 500 when receiving an unknown POST request.

• d3f79d1: Fixing dependency metadata with the new @backstage/plugin-app package

• 590fb2d: BREAKING: The app backend now supports the new index.html.tmpl output from @backstage/cli. If available, the index.html will be templated at runtime with the current configuration of the app backend.

  This is marked as a breaking change because you must now supply the app build-time configuration to the backend. This change also affects the public path behavior, where it is no longer necessary to build the app with the correct public path upfront. You now only need to supply a correct app.baseUrl to the app backend plugin at runtime.

  An effect that this change has is that the index.html will now contain and present the frontend configuration in an easily readable way, which can aid in debugging. This data was always available in the frontend, but it was injected and hidden in the static bundle.

  This templating behavior is enabled by default, but it can be disabled by setting the app.disableConfigInjection configuration option to true.

• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.

• c2b63ab: Updated dependency supertest to ^7.0.0.

• Updated dependencies

  • @​backstage/backend-common@​0.25.0
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/plugin-auth-node@​0.5.2

... (truncated)

Commits

• See full diff in compare view

Updates @backstage/plugin-catalog-backend from 1.16.2 to 1.26.0

Release notes

Sourced from @​backstage/plugin-catalog-backend's releases.

v1.26.0

See docs/releases/v1.26.0-changelog.md for more information.

v1.26.0-next.1

See docs/releases/v1.26.0-next.1-changelog.md for more information.

v1.26.0-next.0

See docs/releases/v1.26.0-next.0-changelog.md for more information.

v1.25.2

This release fixes an issue where requests for the public http routes for the events-backend were authenticated causing 401 errors.

v1.25.1

This release fixes an bug where the kubernetes plugin would crash reading credentials from undefined.

v1.25.0

These are the release notes for the v1.25.0 release of Backstage. This is an unscheduled release that replaces what would’ve otherwise been the v1.25.0-next.1 release, due to a problem with the patch releases for 1.24.0. The next main line release will still be released on April 16th as scheduled, but will now instead be 1.26.0.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

Auth service fixes

A number of fixes have been made to various plugins related to the new auth system:

Rate limiting has been disabled as it was a bit too aggressive and didn’t interact well with proxies. Fixes an issue in the TechDocs CLI related to cookie auth Fixes an integration issue of the new auth services in the Jenkins backend plugin Fixed an issue in the scaffolder were credentials weren’t forwarded correctly to the action context. Fixed an issue where the proxy backend blocked unauthenticated requests.

Catalog

The catalog backend can now be extended with additional permissions through new addPermissions methods of the CatalogBuilder and catalogPermissionExtensionPoint. The paginated catalog table now saves the search text in the query parameters and debounces the server requests.

Security Fixes

This release does not contain any security fixes.

Upgrade path

We recommend that you keep your Backstage project up to date with this latest release. For more guidance on how to upgrade, check out the documentation for keeping Backstage updated.

Links and References

Below you can find a list of links and references to help you learn about and start using this new release.

• Backstage official website, documentation, and getting started guide

... (truncated)

Changelog

Sourced from @​backstage/plugin-catalog-backend's changelog.

1.26.0

Minor Changes

• 74acf06: Add dependencyOf prop to catalog model for Component kind to enable building relationship graphs with both directions using dependsOn and dependencyOf.
• 78475c3: Allow offset mode paging in entity list provider
• bd35cdb: The analyze-location endpoint is now protected by the catalog.location.analyze permission. The validate-entity endpoint is now protected by the catalog.entity.validate permission.

Patch Changes

• 1882cfe: Moved getEntities ordering to utilize database instead of having it inside catalog client

  Please note that the latest version of @backstage/catalog-client will not order the entities in the same way as before. This is because the ordering is now done in the database query instead of in the client. If you rely on the ordering of the entities, you may need to update your backend plugin or code to handle this change.

• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.

• c2b63ab: Updated dependency supertest to ^7.0.0.

• 53cce86: Fixed an issue with the by-query call, where ordering by a field that does not exist on all entities led to not all results being returned

• Updated dependencies

  • @​backstage/backend-common@​0.25.0
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/catalog-model@​1.7.0
  • @​backstage/catalog-client@​1.7.0
  • @​backstage/plugin-search-backend-module-catalog@​0.2.2
  • @​backstage/plugin-permission-node@​0.8.3
  • @​backstage/plugin-catalog-common@​1.1.0
  • @​backstage/plugin-catalog-node@​1.13.0
  • @​backstage/integration@​1.15.0
  • @​backstage/backend-openapi-utils@​0.1.18
  • @​backstage/plugin-events-node@​0.4.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-permission-common@​0.8.1

1.26.0-next.2

Minor Changes

• 78475c3: Allow offset mode paging in entity list provider

Patch Changes

• c2b63ab: Updated dependency supertest to ^7.0.0.
• Updated dependencies
  • @​backstage/backend-common@​0.25.0-next.2
  • @​backstage/backend-plugin-api@​1.0.0-next.2
  • @​backstage/catalog-client@​1.7.0-next.1
  • @​backstage/integration@​1.15.0-next.0
  • @​backstage/backend-openapi-utils@​0.1.18-next.2

... (truncated)

Commits

• See full diff in compare view

Updates @backstage/plugin-techdocs-backend from 1.9.2 to 1.10.13

Changelog

Sourced from @​backstage/plugin-techdocs-backend's changelog.

1.10.13

Patch Changes

• 086c32d: Dedicated token for techdocs cache sync
• 5b679ac: The createRouter and its related types has been marked as deprecared. This backend should instead be initialized using the new backend system.
• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.
• c2b63ab: Updated dependency supertest to ^7.0.0.
• 5edd344: Refactor to use injected catalog client in the new backend system
• Updated dependencies
  • @​backstage/backend-common@​0.25.0
  • @​backstage/plugin-techdocs-node@​1.12.11
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/catalog-model@​1.7.0
  • @​backstage/catalog-client@​1.7.0
  • @​backstage/plugin-search-backend-module-techdocs@​0.2.2
  • @​backstage/plugin-catalog-common@​1.1.0
  • @​backstage/plugin-catalog-node@​1.13.0
  • @​backstage/integration@​1.15.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/plugin-permission-common@​0.8.1
  • @​backstage/plugin-techdocs-common@​0.1.0

1.10.13-next.2

Patch Changes

• c2b63ab: Updated dependency supertest to ^7.0.0.
• Updated dependencies
  • @​backstage/backend-common@​0.25.0-next.2
  • @​backstage/backend-plugin-api@​1.0.0-next.2
  • @​backstage/catalog-client@​1.7.0-next.1
  • @​backstage/plugin-techdocs-node@​1.12.11-next.2
  • @​backstage/integration@​1.15.0-next.0
  • @​backstage/catalog-model@​1.6.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/plugin-catalog-common@​1.0.26
  • @​backstage/plugin-catalog-node@​1.12.7-next.2
  • @​backstage/plugin-permission-common@​0.8.1
  • @​backstage/plugin-search-backend-module-techdocs@​0.2.2-next.2
  • @​backstage/plugin-techdocs-common@​0.1.0

1.10.13-next.1

Patch Changes

• 5edd344: Refactor to use injected catalog client in the new backend system
• Updated dependencies

... (truncated)

Commits

• See full diff in compare view

Updates express from 4.19.2 to 4.20.0

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695
• 📝 update people, add ctcpip to TC by @​ctcpip in expressjs/express#5683
• remove minor version pinning from ci by @​jonchurch in expressjs/express#5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @​IamLizu in expressjs/express#5762
• Replace Appveyor windows testing with GHA by @​jonchurch in expressjs/express#5599
• Add OSSF Scorecard badge by @​UlisesGascon in expressjs/express#5436
• update scorecard link by @​bjohansebas in expressjs/express#5814
• Nominate @​IamLizu to the triage team by @​UlisesGascon in expressjs/express#5836
• deps: [email protected] by @​blakeembrey in expressjs/express#5603
• docs: specify new instructions for question and discuss by @​IamLizu in expressjs/express#5835
• 4.x: Upgrade merge-descriptors dependency by @​RobinTail in expressjs/express#5781
• [email protected] by @​blakeembrey in expressjs/express#5902

New Contributors

• @​marco-ippolito made their first contribution in expressjs/express#5565
• @​inigomarquinez made their first contribution in expressjs/express#5590
• @​mertcanaltin made their first contribution in expressjs/express#5627
• @​ctcpip made their first contribution in expressjs/express#5690
• @​bjohansebas made their first contribution in expressjs/express#5814

Full Changelog: expressjs/express@4.19.1...4.20.0

Changelog

Sourced from express's changelog.

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for question and discuss
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @​IamLizu to the triage team (#5836)
• Additional commits viewable in compare view

Updates body-parser from 1.20.2 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to [email protected] by @​wesleytodd in expressjs/body-parser#527
• deps: [email protected] by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: [email protected] (#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates dompurify from 2.4.7 to 2.5.7

Release notes

Sourced from dompurify's releases.

DOMPurify 2.5.7

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa

DOMPurify 2.5.6

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Updated several development dependencies

DOMPurify 2.5.5

• Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
• Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

DOMPurify 2.5.4

• Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
• Fixed the tests for MSIE and fixed related test-runner

DOMPurify 2.5.3

• Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
• Added better configurability for comment scrubbing default behavior
• Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
• Fixed some smaller issues in README and other documentation

DOMPurify 2.5.2

• Addressed and fixed a mXSS variation found by @​kevin-mizu
• Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
• Updated tests for older Safari and Chrome versions

DOMPurify 2.5.1

• Fixed an mXSS sanitizer bypass reported by @​icesfont
• Added new code to track element nesting depth
• Added new code to enforce a maximum nesting depth of 255
• Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 2.5.0

• Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
• Updated the LICENSE file to show the accurate year number
• Updated several build and test dependencies

DOMPurify 2.4.9

• Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
• Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

DOMPurify 2.4.8

• Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

Commits

• 71683cb chore: Preparing 2.5.7 release
• d78f241 chore: Preparing 2.5.6 release
• 38e8410 fix: Added changes to 2.x regarding attribute value checks
• 9a7cd98 See #961
• de2545c chore: Preparing 2.5.5 release
• f1e27e6 chore: Also removed depth counter logic from 2.x branch for now
• 10c1261 docs: Updated README ever so slightly
• 1c92880 test: Fixed two more tests for MSIE11 and Edge 18
• 1401208 test: Fixed more tests for MSIE and Edge 18
• 2c6410a test: Fixed several new tests for MSIE11 and Edge 18
• Additional commits viewable in compare view

Updates dset from 3.1.3 to 3.1.4

Commits

• 05b1ec0 3.1.4
• 16d6154 fix: prevent proto assignment via implicit string
• See full diff in compare view

Updates elliptic from 6.5.4 to 6.5.7

Commits

• 3e46a48 6.5.7
• accb61e lib: DER signature decoding correction
• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• 0a78e03 [Fix] restore node < 4 compat
• See full diff in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates path-to-regexp from 0.1.7 to 0.1.10

Release notes

Sourced from path-to-regexp's releases.

Backtrack protection

Fixed

• Add backtrack protection to parameters 29b96b4
  • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

• Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

• Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

• c827fce 0.1.10
• 29b96b4 Add backtrack protection to parameters
• ac4c234 Update repo url (#314)
• bdb6635 0.1.9
• c4272e4 Allow a non-lookahead regex (#312)
• 51a1955 0.1.8
• 114f62d Add support for named matching groups (#301)
• See full diff in compare view

Updates rollup from 2.79.1 to 2.79.2

Changelog

Sourced from rollup's changelog.

rollup changelog

4.24.0

2024-10-02

Features

• Support preserving and transpiling JSX syntax (#5668)

Pull Requests

• #5668: Introduce JSX support (@​lukastaegert, @​Martin-Idel, @​felixhuttmann, @​AlexDroll, @​tiptr)

4.23.0

2024-10-01

Features

• Collect all emitted names and originalFileNames for assets (#5686)

Pull Requests

• #5686: Add names and originalFileNames to assets (@​lukastaegert)

4.22.5

2024-09-27

Bug Fixes

• Allow parsing of certain unicode characters again (#5674)

Pull Requests

• #5674: Fix panic with unicode characters (@​sapphi-red, @​lukastaegert)
• #5675: chore(deps): update dependency rollup to v4.22.4 [security] (@​renovate[bot])
• #5680: chore(deps): update dependency @​rollup/plugin-commonjs to v28 (@​renovate[bot], @​lukastaegert)
• #5681: chore(deps): update dependency @​rollup/plugin-replace to v6 (@​renovate[bot])
• #5682: chore(deps): update dependency @​rollup/plugin-typescript to v12 (@​renovate[bot])
• #5684: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])

4.22.4

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

... (truncated)

Commits

• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• See full diff in compare view

Updates serve-static from 1.15.0 to 1.16.0

Release notes

Sourced from serve-static's releases.

1.16.0

What's Changed

• Remove link renderization in html while redirecting (expressjs/serve-static#173)

New Contributors

• @​UlisesGascon made their first contribution in expressjs/serve-static#173

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

Changelog

Sourced from serve-static's changelog.

1.16.0 / 2024-09-10

• Remove link renderization in html while redirecting

Commits

• 48c7397 1.16.0
• 0c11fad Merge commit from fork
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.

Updates webpack from 5.90.1 to 5.95.0

Release notes

Sourced from webpack's releases.

v5.95.0

Bug Fixes

• Fixed hanging when attempting to read a symlink-like file that it can't read
• Handle default for import context element dependency
• Merge duplicate chunks call after split chunks
• Generate correctly code for dynamically importing the same file twice and destructuring
• Use content hash as [base] and [name] for extracted DataURI's
• Distinguish module and import in module-import for externals import's
• [Types] Make EnvironmentPlugin default values types less strict
• [Types] Typescript 5.6 compatibility

New Features

• Add new optimization.avoidEntryIife option (true by default for the production mode)
• Pass output.hash* options to loader context

Performance

• Avoid unneeded re-visit in build chunk graph

v5.94.0

Bug Fixes

• Added runtime condition for harmony reexport checked
• Handle properly data/http/https protocols in source maps
• Make bigint optimistic when browserslist not found
• Move @​types/eslint-scope to dev deps
• Related in asset stats is now always an array when no related found
• Handle ASI for export declarations
• Mangle destruction incorrect with export named default properly
• Fixed unexpected asi generation with sequence expression
• Fixed a lot of types

New Features

• Added new external type "module-import"
• Support webpackIgnore for new URL() construction
• [CSS] @import pathinfo support

Security

• Fixed DOM clobbering in auto public path

v5.93.0

Bug Fixes

• Generate correct relative path to runtime chunks
• Makes DefinePlugin quieter under default log level
• Fixed mangle destructuring default in namespace import

... (truncated)

Commits

• e20fd63 chore(release): 5.95.0
• 4866b0d feat: added new optimization.entryIife option
• d90f692 fix: merge duplicate chunks after split chunks
• 90dec30 fix(externals): distinguish “module” and “import” in “module-import”
• c1a0a46 fix(externals): distinguish “module” and “import” in “module-import”
• 14d8fa8 fix: all tests cases
• dae16ad feat: pass output.hash* options to loader context
• 75d185d feat: pass output.hash* options to loader context
• 46e0b9c test: update
• 8e62f9f test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[NewerKey]

Updates will help solve some of the security issues raised for the repository in the security alerts.