Update Mend: high confidence minor and patch dependency updates #10

mend-ghe-proxy · 2024-02-23T07:44:53Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
async (source)	`2.6.1` -> `2.6.4`
body-parser	`1.18.3` -> `1.20.2`
cross-env	`7.0.2` -> `7.0.3`
event-source-polyfill	`1.0.26` -> `1.0.31`
express (source)	`4.16.4` -> `4.18.2`
express-session	`1.15.6` -> `1.18.0`
grunt (source)	`1.0.3` -> `1.6.1`
grunt-cli	`1.3.2` -> `1.4.3`
helmet (source)	`6.0.1` -> `6.2.0`
mocha (source)	`10.2.0` -> `10.3.0`
nodemon (source)	`2.0.21` -> `2.0.22`
underscore (source)	`1.9.1` -> `1.13.6`

Release Notes

caolan/async (async)

expressjs/body-parser (body-parser)

`v1.20.2`

Compare Source

===================

Fix strict json error message on Node.js 19+
deps: content-type@~1.0.5
- perf: skip value escaping when unnecessary
deps: raw-body@2.5.2

`v1.20.1`

Compare Source

===================

deps: qs@6.11.0
perf: remove unnecessary object clone

`v1.20.0`

Compare Source

===================

Fix error message for json parse whitespace in strict
Fix internal error when inflated body exceeds limit
Prevent loss of async hooks context
Prevent hanging when request already read
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: http-errors@2.0.0
- deps: depd@2.0.0
- deps: statuses@2.0.1
deps: on-finished@2.4.1
deps: qs@6.10.3
deps: raw-body@2.5.1
- deps: http-errors@2.0.0

`v1.19.2`

Compare Source

===================

deps: bytes@3.1.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
deps: raw-body@2.4.3
- deps: bytes@3.1.2

`v1.19.1`

Compare Source

===================

deps: bytes@3.1.1
deps: http-errors@1.8.1
- deps: inherits@2.0.4
- deps: toidentifier@1.0.1
- deps: setprototypeof@1.2.0
deps: qs@6.9.6
deps: raw-body@2.4.2
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
deps: safe-buffer@5.2.1
deps: type-is@~1.6.18

`v1.19.0`

Compare Source

===================

deps: bytes@3.1.0
- Add petabyte (pb) support
deps: http-errors@1.7.2
- Set constructor name when possible
- deps: setprototypeof@1.1.1
- deps: statuses@'>= 1.5.0 < 2'
deps: iconv-lite@0.4.24
- Added encoding MIK
deps: qs@6.7.0
- Fix parsing array brackets after index
deps: raw-body@2.4.0
- deps: bytes@3.1.0
- deps: http-errors@1.7.2
- deps: iconv-lite@0.4.24
deps: type-is@~1.6.17
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

kentcdodds/cross-env (cross-env)

`v7.0.3`

Compare Source

Bug Fixes

add maintenance mode notice (fe80c84)

Yaffle/EventSource (event-source-polyfill)

`v1.0.31`

Compare Source

`v1.0.30`

Compare Source

`v1.0.29`

Compare Source

`v1.0.28`

Compare Source

expressjs/express (express)

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: body-parser@1.20.1
- deps: qs@6.11.0
- perf: remove unnecessary object clone
deps: qs@6.11.0

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: body-parser@1.20.0
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: depd@2.0.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: qs@6.10.3
- deps: raw-body@2.5.1
deps: cookie@0.5.0
- Add priority option
- Fix expires option to reject invalid dates
deps: depd@2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: finalhandler@1.2.0
- Remove set content headers that break response
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: on-finished@2.4.1
- Prevent loss of async hooks context
deps: qs@6.10.3
deps: send@0.18.0
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: depd@2.0.0
- deps: destroy@1.2.0
- deps: http-errors@2.0.0
- deps: on-finished@2.4.1
- deps: statuses@2.0.1
deps: serve-static@1.15.0
- deps: send@0.18.0
deps: statuses@2.0.1
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: negotiator@0.6.3
deps: body-parser@1.19.2
- deps: bytes@3.1.2
- deps: qs@6.9.7
- deps: raw-body@2.4.3
deps: cookie@0.4.2
deps: qs@6.9.7
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: body-parser@1.19.1
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: qs@6.9.6
- deps: raw-body@2.4.2
- deps: safe-buffer@5.2.1
- deps: type-is@~1.6.18
deps: content-disposition@0.5.4
- deps: safe-buffer@5.2.1
deps: cookie@0.4.1
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: forwarded@0.2.0
- deps: ipaddr.js@1.9.1
deps: qs@6.9.6
deps: safe-buffer@5.2.1
deps: send@0.17.2
- deps: http-errors@1.8.1
- deps: ms@2.1.3
- pref: ignore empty http tokens
deps: serve-static@1.14.2
- deps: send@0.17.2
deps: setprototypeof@1.2.0

`v4.17.1`

Compare Source

===================

Revert "Improve error message for null/undefined to res.status"

`v4.17.0`

Compare Source

===================

Add express.raw to parse bodies into Buffer
Add express.text to parse bodies into string
Improve error message for non-strings to res.sendFile
Improve error message for null/undefined to res.status
Support multiple hosts in X-Forwarded-Host
deps: accepts@~1.3.7
deps: body-parser@1.19.0
- Add encoding MIK
- Add petabyte (pb) support
- Fix parsing array brackets after index
- deps: bytes@3.1.0
- deps: http-errors@1.7.2
- deps: iconv-lite@0.4.24
- deps: qs@6.7.0
- deps: raw-body@2.4.0
- deps: type-is@~1.6.17
deps: content-disposition@0.5.3
deps: cookie@0.4.0
- Add SameSite=None support
deps: finalhandler@~1.1.2
- Set stricter Content-Security-Policy header
- deps: parseurl@~1.3.3
- deps: statuses@~1.5.0
deps: parseurl@~1.3.3
deps: proxy-addr@~2.0.5
- deps: ipaddr.js@1.9.0
deps: qs@6.7.0
- Fix parsing array brackets after index
deps: range-parser@~1.2.1
deps: send@0.17.1
- Set stricter CSP header in redirect & error responses
- deps: http-errors@~1.7.2
- deps: mime@1.6.0
- deps: ms@2.1.1
- deps: range-parser@~1.2.1
- deps: statuses@~1.5.0
- perf: remove redundant path.normalize call
deps: serve-static@1.14.1
- Set stricter CSP header in redirect response
- deps: parseurl@~1.3.3
- deps: send@0.17.1
deps: setprototypeof@1.1.1
deps: statuses@~1.5.0
- Add 103 Early Hints
deps: type-is@~1.6.18
- deps: mime-types@~2.1.24
- perf: prevent internal throw on invalid type

expressjs/session (express-session)

`v1.18.0`

Compare Source

===================

Add debug log for pathname mismatch
Add partitioned to cookie options
Add priority to cookie options
Fix handling errors from setting cookie
Support any type in secret that crypto.createHmac supports
deps: cookie@0.6.0
- Fix expires option to reject invalid dates
- perf: improve default decode speed
- perf: remove slow string split in parse
deps: cookie-signature@1.0.7

`v1.17.3`

Compare Source

===================

Fix resaving already-saved new session at end of request
deps: cookie@0.4.2

`v1.17.2`

Compare Source

===================

Fix res.end patch to always commit headers
deps: cookie@0.4.1
deps: safe-buffer@5.2.1

`v1.17.1`

Compare Source

===================

Fix internal method wrapping error on failed reloads

`v1.17.0`

Compare Source

===================

deps: cookie@0.4.0
- Add SameSite=None support
deps: safe-buffer@5.2.0

`v1.16.2`

Compare Source

===================

Fix restoring cookie.originalMaxAge when store returns Date
deps: parseurl@~1.3.3

`v1.16.1`

Compare Source

===================

Fix error passing data option to Cookie constructor
Fix uncaught error from bad session data

`v1.16.0`

Compare Source

===================

Catch invalid cookie.maxAge value earlier
Deprecate setting cookie.maxAge to a Date object
Fix issue where resave: false may not save altered sessions
Remove utils-merge dependency
Use safe-buffer for improved Buffer API
Use Set-Cookie as cookie header name for compatibility
deps: depd@~2.0.0
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
- perf: remove argument reassignment
deps: on-headers@~1.0.2
- Fix res.writeHead patch missing return value

gruntjs/grunt (grunt)

`v1.6.1`

Compare Source

Changelog updates 72f6f03
Merge pull request #1755 from gruntjs/rm-dep 8d4c183
Add recursive 1c7d483
Merge pull request #1756 from gruntjs/downgrade-glob 2d4fd38
Downgrade glob 902db7c
Fix syntax 494f243
remove mkdirp b01389e
remove dep on rimraf and mkdirp 0072510

`v1.6.0`

Compare Source

Merge pull request #1750 from gruntjs/dep-update-jan28 2805dc3
README updates 3f1e423
Bump to 16 8fd096d
Update more deps 42c5f95
Bump eslint and node version 1d88050

`v1.5.3`

Compare Source

Merge pull request #1745 from gruntjs/fix-copy-op 572d79b
Patch up race condition in symlink copying. 58016ff
Merge pull request #1746 from JamieSlome/patch-1 0749e1d
Create SECURITY.md 69b7c50

`v1.5.2`

Compare Source

Update Changelog 7f15fd5
Merge pull request #1743 from gruntjs/cleanup-link b0ec6e1
Clean up link handling 433f91b

`v1.5.1`

Compare Source

Merge pull request #1742 from gruntjs/update-symlink-test ad22608
Fix symlink test 0652305

`v1.5.0`

Compare Source

Updated changelog b2b2c2b
Merge pull request #1740 from gruntjs/update-deps-22-10 3eda6ae
Update testing matrix 47d32de
More updates 2e9161c
Remove console log 04b960e
Update dependencies, tests... aad3d45
Merge pull request #1736 from justlep/main fdc7056
support .cjs extension e35fe54

`v1.4.1`

Compare Source

Update Changelog e7625e5
Merge pull request #1731 from gruntjs/update-options 5d67e34
Fix ci install d13bf88
Switch to Actions 08896ae
Update grunt-known-options eee0673
Add note about a breaking change 1b6e288

`v1.4.0`

Compare Source

Merge pull request #1728 from gruntjs/update-deps-changelog 63b2e89
Update changelog and util dep 106ed17
Merge pull request #1727 from gruntjs/update-deps-apr 49de70b
Update CLI and nodeunit 47cf8b6
Merge pull request #1722 from gruntjs/update-through e86db1c
Update deps 4952368

`v1.3.0`

Compare Source

Merge pull request #1720 from gruntjs/update-changelog-deps faab6be
Update Changelog and legacy-util dependency 520fedb
Merge pull request #1719 from gruntjs/yaml-refactor 7e669ac
Switch to use safeLoad for loading YML files via file.readYAML. e350cea
Merge pull request #1718 from gruntjs/legacy-log-bumo 7125f49
Bump legacy-log 00d5907

`v1.2.1`

Compare Source

Changelog update ae11839
Merge pull request #1715 from sibiraj-s/remove-path-is-absolute 9d23cb6
Remove path-is-absolute dependency e789b1f

`v1.2.0`

Compare Source

Allow usage of grunt plugins that are located in any location that
is visible to Node.js and NPM, instead of node_modules directly
inside package that have a dev dependency to these pluginhttps://github.com/gruntjs/grunt/pull/1677nt/pull/1677)
Removed coffeescript from dependencies. To ease transition, if
coffeescript is still around, Grunt will attempt to load it.
If it is not, and the user loads a CoffeeScript file,
Grunt will print a useful error indicating that the
coffeescript package should be installed as a dev dependency.
This is considerably more user-friendly than dropping the require entirely,
but doing so is feasible with the latest grunt-cli as users
may simply use grunt --require https://github.com/gruntjs/grunt/pull/1675thub.com/Remove coffeescript from dependencies. gruntjs/grunt#1675)
Exposes Grunt Option keys for ease of use.
(https://github.com/gruntjs/grunt/pull/15701570)
Avoiding infinite loop on very long command names.
(https://github.com/gruntjs/grunt/pull/16971697)

`v1.1.0`

Compare Source

Update to mkdirp ~1.0.3
Only support versions of Node >= 8

`v1.0.4`

Compare Source

gruntjs/grunt-cli (grunt-cli)

`v1.4.3`

Compare Source

Fix preload option (#147) 07f3b0d
Revert liftoff (#144) 4d691e2
Revert liftoff changes due to https://github.com/gruntjs/grunt/issues/1725 (#143) e820858

`v1.4.2`

Compare Source

Revert liftoff (#144) 4d691e2
Revert liftoff changes due to https://github.com/gruntjs/grunt/issues/1725 (#143) e820858

`v1.4.1`

Compare Source

Revert liftoff changes due to https://github.com/gruntjs/grunt/issues/1725 (#143) e820858

`v1.4.0`

Compare Source

Update changelog bbc4400
Ignore package-lock 3fa5bf6
Update deps, switch to actions (#141) c271173
Bump deps, required node version and ci (#137) 84ebcb8

helmetjs/helmet (helmet)

`v6.2.0`

Compare Source

Expose header names (e.g., strictTransportSecurity for the Strict-Transport-Security header, instead of hsts)
Rework documentation

`v6.1.5`

Compare Source

Fixed

Fixed yet another issue with TypeScript exports. See #420

`v6.1.4`

Compare Source

Fixed

Fix another issue with TypeScript default exports. See #418

`v6.1.3`

Compare Source

Fixed

Fix issue with TypeScript default exports. See #417

`v6.1.2`

Compare Source

Fixed

Retored main to package to help with some build tools

`v6.1.1`

Compare Source

Fixed

Fixed missing package metadata

`v6.1.0`

Compare Source

Changed

Improve support for various TypeScript setups, including "nodenext". See #405

mochajs/mocha (mocha)

`v10.3.0`

Compare Source

This is a stable release equivalent to 10.30.0-prerelease.

remy/nodemon (nodemon)

`v2.0.22`

Compare Source

Bug Fixes

remove ts mapping if loader present (f7816e4), closes #2083

jashkenas/underscore (underscore)

`v1.13.6`

Compare Source

`v1.13.5`

Compare Source

`v1.13.4`

Compare Source

`v1.13.3`

Compare Source

`v1.13.2`

Compare Source

`v1.13.1`

Compare Source

`v1.13.0`

Compare Source

`v1.12.1`

Compare Source

`v1.12.0`

Compare Source

`v1.11.0`

Compare Source

`v1.10.2`

Compare Source

`v1.10.1`

Compare Source

`v1.10.0`

Compare Source

`v1.9.2`

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

Update Mend: high confidence minor and patch dependency updates

d3520d7

mend-ghe-proxy bot force-pushed the whitesource-remediate/mend-high-confidence-minor-and-patch-dependency-updates branch from 983b4ee to d3520d7 Compare February 23, 2024 07:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update Mend: high confidence minor and patch dependency updates #10

Update Mend: high confidence minor and patch dependency updates #10

mend-ghe-proxy bot commented Feb 23, 2024

Update Mend: high confidence minor and patch dependency updates #10

Are you sure you want to change the base?

Update Mend: high confidence minor and patch dependency updates #10

Conversation

mend-ghe-proxy bot commented Feb 23, 2024

Release Notes

Bug Fixes

Fixed

Fixed

Fixed

Fixed

Fixed

Changed

Bug Fixes

Configuration