chore(deps): bump the npm_and_yarn group across 3 directories with 21 updates

[dependabot]

Bumps the npm_and_yarn group with 18 updates in the / directory:

Package	From	To
mysql2	2.1.0	3.9.7
debug	4.3.1	4.3.2
express	4.16.4	4.19.2
plotly.js	1.48.3	2.25.2
acorn	5.7.3	5.7.4
ejs	3.1.9	3.1.10
es5-ext	0.10.50	0.10.64
ip	1.1.5	1.1.9
json5	1.0.1	1.0.2
minimatch	3.0.4	3.1.2
mixin-deep	1.3.1	1.3.2
moment	2.26.0	2.30.1
node-fetch	2.6.0	2.7.0
qs	6.5.2	6.5.3
underscore	1.9.1	1.13.6
webpack-dev-middleware	6.1.1	6.1.3
word-wrap	1.2.3	1.2.5
y18n	4.0.0	4.0.3

Bumps the npm_and_yarn group with 1 update in the /docs/recipes/docker-server directory: mysql2.
Bumps the npm_and_yarn group with 1 update in the /packages/server directory: plotly.js.

Updates mysql2 from 2.1.0 to 3.9.7

Release notes

Sourced from mysql2's releases.

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

• SSL: separate each certificate into an individual item #2542 (63f1055)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)
  • Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• security: improve results object creation (#2574) (4a964a3)
  • Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

Bug Fixes

• security: improve cache key formation (#2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#2131) (d9dccfd)

v3.9.2

3.9.2 (2024-02-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

• docs: improve the contribution guidelines (#2552) (8a818ce)
• security: improve results object creation (#2574) (4a964a3)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

• security: improve cache key formation (#2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

Bug Fixes

• stream: premature close when it is paused (#2416) (7c6bc64)
• types: expose TypeCast types (#2425) (336a7f1)

3.9.1 (2024-01-29)

... (truncated)

Commits

• 2d3cad8 chore(master): release 3.9.7 (#2609)
• 7d4b098 fix(security): sanitize timezone parameter value to prevent code injection (#...
• 2efd6ab build(deps): bump lucide-react from 0.371.0 to 0.372.0 in /website (#2606)
• e3391ed build(deps): bump lucide-react from 0.368.0 to 0.371.0 in /website (#2604)
• 4f58caa chore(master): release 3.9.6 (#2603)
• 705835d fix: binary parser sometimes reads out of packet bounds when results contain ...
• 2129818 chore(master): release 3.9.5 (#2600)
• f7c60d0 fix: revert breaking change in results creation (#2591)
• 7f5b395 build(deps-dev): bump @​typescript-eslint/eslint-plugin in /website (#2596)
• a770052 build(deps-dev): bump @​typescript-eslint/parser in /website (#2595)
• Additional commits viewable in compare view

Updates debug from 4.3.1 to 4.3.2

Release notes

Sourced from debug's releases.

4.3.2

Patch release 4.3.2

• Caches enabled statuses on a per-logger basis to speed up .enabled checks (#799)

Thank you @​omg!

Commits

• e47f96d 4.3.2
• 1e9d38c cache enabled status per-logger (#799)
• See full diff in compare view

Updates express from 4.16.4 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: Node.js@16.18 and Node.js@18.12 by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add Node.js@19.7 by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2
• deps: cookie@0.6.0
  • Add partitioned option

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: body-parser@1.20.1
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• deps: qs@6.11.0

4.18.1 / 2022-04-29

• Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: cookie@0.6.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates plotly.js from 1.48.3 to 2.25.2

Release notes

Sourced from plotly.js's releases.

v2.25.2

Changed

• Update Croatian translations in hr locale [#6690], with thanks to @​Mkranj for the contribution!

Fixed

• Fix potential prototype pollution in plot API calls [#6703, 6704]

v2.25.1

Fixed

• Fix clearing legend using react (regression introduced in 2.25.0) [#6695]

v2.25.0

Added

• Add "Equal Earth" projection to geo subplots [#6670], with thanks to @​apparebit for the contribution!
• Add options to include legends for shapes and newshape [#6653]
• Add Plotly.deleteActiveShape command [#6679]

Fixed

• Fix contour plot colorscale domain (take account of zmin, zmax, cmin and cmax) [#6625], with thanks to @​lvlte for the contribution!
• Fix text markers on non-mapbox styled maps [#6652], with thanks to @​baurt for the contribution!
• Fix unhide isolated traces in multi legend cases (regression introduced in 2.24.3) [#6684]

v2.24.3

Fixed

• Fix double clicking one item in a legend hides traces in other legends [#6655]
• Fix double click pie slices when having multiple legends [#6657]
• Fix per legend group and traceorder defaults when having multiple legends [#6664]

v2.24.2

Fixed

• Fix legend groups toggle (regression introduced in 2.22.0) #6639
• Fix waterfall hovertemplate not showing delta on totals similar #6635

v2.24.1

Fixed

• Fix minimal copying of arrays in minExtend function (regression introduced in 2.24.0) #6632

v2.24.0

Added

• add pattern to pie, funnelarea, sunburst, icicle and treemap traces [#6601, #6619, #6622, #6626, #6627, #6628, #6629], with thanks to @​thierryVergult for the contribution!

Fixed

• Fix to prevent accessing undefined (hoverText.hoverLabels) in case all currently shown markers have hoverinfo: "none" (regression introduced in 2.6.0) #6614,

... (truncated)

Changelog

Sourced from plotly.js's changelog.

[2.25.2] -- 2023-08-11

Changed

• Update Croatian translations in hr locale [#6690], with thanks to @​Mkranj for the contribution!

Fixed

• Fix potential prototype pollution in plot API calls [#6703, 6704]

[2.25.1] -- 2023-08-02

Fixed

• Fix clearing legend using react (regression introduced in 2.25.0) [#6695]

[2.25.0] -- 2023-07-25

Added

• Add "Equal Earth" projection to geo subplots [#6670], with thanks to @​apparebit for the contribution!
• Add options to include legends for shapes and newshape [#6653]
• Add Plotly.deleteActiveShape command [#6679]

Fixed

• Fix contour plot colorscale domain (take account of zmin, zmax, cmin and cmax) [#6625], with thanks to @​lvlte for the contribution!
• Fix text markers on non-mapbox styled maps [#6652], with thanks to @​baurt for the contribution!
• Fix unhide isolated traces in multi legend cases (regression introduced in 2.24.3) [#6684]

[2.24.3] -- 2023-07-05

Fixed

• Fix double clicking one item in a legend hides traces in other legends [#6655]
• Fix double click pie slices when having multiple legends [#6657]
• Fix per legend group and traceorder defaults when having multiple legends [#6664]

[2.24.2] -- 2023-06-09

Fixed

• Fix legend groups toggle (regression introduced in 2.22.0) #6639
• Fix waterfall hovertemplate not showing delta on totals similar #6635

[2.24.1] -- 2023-06-07

Fixed

... (truncated)

Commits

• e824199 2.25.2
• 920a50e update readme and changelog for v2.25.2
• 27932d6 Merge pull request #6705 from plotly/reduce-flakiness
• 0249840 Merge pull request #6704 from plotly/nestedProperty-proto
• a4a69d5 reduce flakiness on CI
• a860a32 Merge pull request #6690 from Mkranj/croatian_translation
• 5cfbd6e add test
• 2bec998 guard against polluting proto in nestedProperty
• 5efd2a1 Merge pull request #6703 from plotly/expandObjectPaths-proto
• e1e3175 fix delay in test
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by archmoj, a new releaser for plotly.js since your current version.

Updates acorn from 5.7.3 to 5.7.4

Commits

• 6370e90 Mark version 5.7.4
• fbc15b1 More rigorously check surrogate pairs in regexp validator
• See full diff in compare view

Updates bl from 1.2.2 to 2.2.1

Release notes

Sourced from bl's releases.

v2.2.1

Fix unintialized memory access

v2.2.0

• Add indexOf docs #60
• fix empty shallowSlice return #65

v2.1.2

• use ES3 only #62

v2.1.1

• Use native indexOf whenever possible #61

v2.1.0

• Added indexOf #59

v2.0.1

• Use require('readable-stream').Duplex #56

v2.0.0

• Added support for readUIntLE and companions #55

Commits

• 8cb93f4 Bumped v2.2.1
• dacc4ac Fix unintialized memory access
• b6284a8 Bumped v2.2.0.
• 538a988 Merge pull request #60 from reconbot/reconbot/indexof-readme
• 635b6ce Merge pull request #65 from reconbot/reconbot/empty-slice
• 9b80b00 fix: empty shallowSlice return
• 055a3ff Merge pull request #63 from nwoltman/patch-1
• c768eb8 Use Buffer.from() in the documentation
• 270e5f5 Bumped v2.1.2
• 91cbaf9 Merge pull request #62 from jhaenchen/DontUseES2015Const
• Additional commits viewable in compare view

Updates ejs from 3.1.9 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

Commits

• d3f807d Version 3.1.10
• 9ee26dd Mocha TDD
• e469741 Basic pollution protection
• 715e950 Merge pull request #756 from Jeffrey-mu/main
• cabe314 Include advanced usage examples
• 29b076c Added header
• 11503c7 Merge branch 'main' of github.com:mde/ejs into main
• 7690404 Added security banner to README
• f47d7ae Update SECURITY.md
• 828cea1 Update SECURITY.md
• Additional commits viewable in compare view

Updates es5-ext from 0.10.50 to 0.10.64

Release notes

Sourced from es5-ext's releases.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

---

Comparison since last release

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

---

Comparison since last release

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

---

Comparison since last release

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

---

Comparison since last release

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

---

... (truncated)

Changelog

Sourced from es5-ext's changelog.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

0.10.59 (2022-03-17)

Maintenance Improvements

• Improve manifest wording (#122) (eb7ae59)
• Update data in manifest (3d2935a)

0.10.58 (2022-03-11)

... (truncated)

Commits

• f76b03d chore: Release v0.10.64
• 2881acd chore: Bump dependencies
• c2e2bb9 fix: Revert update meant to fix Powershell issue, as it's a regression
• 16f2b72 docs: Fix date in the changelog
• de4e03c chore: Release v0.10.63
• 3fd53b7 chore: Upgrade lint-staged to v13
• bf8ed79 chore: Ensure postinstall script does not crash on Windows
• 2cbbb07 chore: Bump dependencies
• 22d0416 chore: Bump LICENSE year
• a52e957 fix: Support ES2015+ function definitions in function#toStringTokens()
• Additional commits viewable in compare view

Updates ip from 1.1.5 to 1.1.9

Commits

• 1ecbf2f 1.1.9
• 6a3ada9 lib: fixed CVE-2023-42282 and added unit test
• 5dc3b2f 1.1.8
• 8e6f28b lib: even better node 6 support
• 088c9e5 1.1.7
• 1a4ca35 lib: add back support for Node.js 6
• af82ef4 1.1.6
• dba19f6 package: exclude test folder from publishing
• 7cd7f30 ci: use github workflows
• 4de50ae lib: node 18 support
• See full diff in compare view

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

• a62db1e 1.0.2
• e0c23fe docs: update CHANGELOG for v1.0.2
• 62a6540 fix: add proto to objects and arrays
• See full diff in compare view

Updates minimatch from 3.0.4 to 3.1.2

Commits

• 699c459 3.1.2
• 2f2b5ff fix: trim pattern
• 25d7c0d 3.1.1
• 55dda29 fix: treat nocase:true as always having magic
• 5e1fb8d 3.1.0
• f8145c5 Add 'allowWindowsEscape' option
• 570e8b1 add publishConfig for v3 publishes
• 5b7cd33 3.0.6
• 20b4b56 [fix] revert all breaking syntax changes
• 2ff0388 document, expose, and test 'partial:true' option
• Additional commits viewable in compare view

Updates minimist from 0.0.5 to 0.0.8

Changelog

Sourced from minimist's changelog.

v0.0.8 - 2014-02-20

Commits

• return '' if flag is string and empty fa63ed4
• handle joined single letters 66c248f

v0.0.7 - 2014-02-08

Commits

• another swap of .test for .match d1da408

v0.0.6 - 2014-02-08

Commits

• use .test() instead of .match() to not crash on non-string values in the arguments array 7e0d1ad

Commits

• 3754568 0.0.8
• 66c248f handle joined single letters
• fa63ed4 return '' if flag is string and empty
• cd46bf9 0.0.7
• d1da408 another swap of .test for .match
• 8ef0bdf 0.0.6
• 7e0d1ad use .test() instead of .match() to not crash on non-string values in the argu...
• See full diff in compare view

Updates mixin-deep from 1.3.1 to 1.3.2

Commits

• 754f0c2 1.3.2
• 90ee1fa ensure keys are valid when mixing in values
• See full diff in compare view

Maintainer changes

This version was pushed to npm by doowb, a new releaser for mixin-deep since your current version.

Updates moment from 2.26.0 to 2.30.1

Changelog

Sourced from moment's changelog.

2.30.1

• Release Dec 27, 2023
• Revert moment/moment#5827, because it's breaking a lot of TS code.

2.30.0 Full changelog

• Release Dec 26, 2023

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

2.29.2 See full changelog

• Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

2.29.1 See full changelog

• Release Oct 6, 2020

Updated deprecation message, bugfix in hi locale

2.29.0 See full changelog

• Release Sept 22, 2020

New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

2.28.0 See full changelog

• Release Sept 13, 2020

Fix bug where .format() modifies original instance, and locale updates

2.27.0 See full changelog

... (truncated)

Commits

• 485d9a7 Build 2.30.1
• e048b09 Bump version to 2.30.1
• f9f2d58 Update changelog for 2.30.1
• a52ffb2 Revert "Merge pull request #5827 from BobZombie:feature/fix_d.ts"
• ddd6809 Build 2.30.0
• be64d00 Bump version to 2.30.0
• ad41179 Update changelog for 2.30.0
• 63fe479 [misc] Make code ES6 compatible
• 0f0195f Revert "Merge pull request #5599 from Alanscut:issue_4985"
• 15b82f5 Revert "Merge pull request #5597 from Alanscut:issue-5596"
• Additional commits viewable in compare view

Updates node-fetch from 2.6.0 to 2.7.0

Release notes

Sourced from node-fetch's releases.

v2.7.0

2.7.0 (2023-08-23)

Features

• AbortError (#1744) (9b9d458)

v2.6.13

2.6.13 (2023-08-18)

Bug Fixes

• Remove the default connection close header (#1765) (65ae25a), closes #1735 #1473 #1736

v2.6.12

2.6.12 (2023-06-29)

Bug Fixes

• socket variable testing for undefined (#1726) (8bc3a7c)

v2.6.11

2.6.11 (2023-05-09)

Reverts

• Revert "fix: handle bom in text and json (#1739)" (#1741) (afb36f6), closes #1739 #1741

v2.6.10

2.6.10 (2023-05-08)

Bug Fixes

• handle bom in text and json (#1739) (