build(deps): bump the npm_and_yarn group across 1 directory with 28 updates by dependabot[bot] · Pull Request #16 · ConductionNL/themes

dependabot · 2026-06-20T11:55:18Z

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
dompurify	`2.3.3`	`3.4.11`
@babel/plugin-transform-modules-systemjs	`7.14.5`	`7.29.7`
@tootallnate/once	`1.1.2`	`removed`
body-parser	`1.19.0`	`1.20.5`
qs	`6.5.2`	`6.15.2`
cipher-base	`1.0.4`	`1.0.7`
postcss	`8.3.6`	`8.5.15`
lodash	`4.17.21`	`4.18.1`
markdown-it	`12.2.0`	`14.2.0`
min-document	`2.19.0`	`2.19.2`
shell-quote	`1.7.2`	`1.8.4`
store2	`2.12.0`	`2.14.4`

Updates dompurify from 2.3.3 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

Fixed an issue with a leaky config for hooks via setConfig, thanks @trace37labs

Bumped vulnerable development dependencies to arrive at plain 0 with npm audit

Updated the osv-scanner suppression list as no vulnerable dependencies are left for now

Updated up the linting tool-chain and removed now-redundant lint directives

Updated the documentation is several spots, README, wiki, etc.

Bumped several dependencies where possible

DOMPurify 3.4.10

Refactored codebase for clarity: extracted the public type declarations into types.ts

Decomposed the three largest sanitizer functions into focused helpers

Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path

Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML

Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode

Reduced CI cost by running the full three-engine browser suite once per PR

Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo

Documented the bench and test:happydom scripts in the README

Completed the Attack Classes & Bypass History wiki page

Bumped several dependencies where possible

DOMPurify 3.4.9

Further improved the handling of Trusted Types config options, thanks @offset

Further improved the handling of IN_PLACE sanitization, thanks @mozfreddyb

Added more test coverage for IN_PLACE and Trusted Types related usage

Bumped several dependencies where possible

Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

Cleaned up the repository root, renamed some and removed unneeded files

Fixed an issue with handling of Trusted Types policies, thanks @fulstadev

Fixed the node iterator for better template scrubbing, thanks @IamLeandrooooo

Included formerly missing LICENSE-MPL in published npm package, thanks @asamuzaK

Bumped several dependencies where possible

DOMPurify 3.4.7

Hardened the handling of Shadow Roots when using IN_PLACE, thanks @GameZoneHacker

Removed a problem leading to permanent hook pollution, thanks @offset

Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @offset & @Bankde

Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @offset & @Bankde

Added more test coverage for IN_PLACE and general DOM Clobbering attacks

Bumped several dependencies where possible

DOMPurify 3.4.5

Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

... (truncated)

Commits

0cae518 release: 3.4.11 (#1494)
6ee5716 release: 3.4.10 (#1478)
5210247 release: 3.4.9 (#1459)
bcdd828 release: 3.4.8 (#1439)
ca30f07 release: 3.4.7 (#1414)
bb7739e release: 3.4.6 (#1394)
011b0c7 release: 3.4.5 (#1382)
5817ad9 release: 3.4.4 (#1374)
520edb0 release: 3.4.3 (#1352)
6f67fd3 Sync/3.4.2 (#1322)
Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates @babel/plugin-transform-modules-systemjs from 7.14.5 to 7.29.7

Release notes

Sourced from @babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

babel-generator

#18014 Catchup source map position in preserveFormat (@nicolo-ribaudo)

babel-core

#18001 [7.x packport]Improve input source map handling (@JLHwung)

babel-core, babel-generator

#17998 Preserve original identifier names from input sourcemaps (#17992) (@Andarist)

Committers: 3

Huáng Jùnliàng (@JLHwung)

Mateusz Burzyński (@Andarist)

Nicolò Ribaudo (@nicolo-ribaudo)

v7.29.5 (2026-05-05)

🏠 Internal

babel-preset-env

Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

babel-plugin-transform-modules-systemjs

#17974 [7.x backport]fix(systemjs): improve module string name support (@JLHwung)

Committers: 1

Huáng Jùnliàng (@JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

babel-parser

#17923 Support flow extends bound (@JLHwung)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#17931 fix(decorators): replace super within all removed static elements (@JLHwung)

babel-register

#17915 Fix thread synchronization issues in @babel/register (@liuxingbaoyu)

babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

#17788 Add bugfix plugin for Safari array rest destructuring bug (@JLHwung)

💅 Polish

babel-parser

... (truncated)

Commits

4fba754 v7.29.7
a458f66 v7.29.4
32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
aa8394e v7.29.0
0053db6 Update polyfill packages (#17727)
61647ae v7.28.5
a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
eebd3a0 v7.27.1
317e332 Enforce node protocol import (#17207)
fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @babel/plugin-transform-modules-systemjs since your current version.

Removes @tootallnate/once

Updates body-parser from 1.19.0 to 1.20.5

Release notes

Sourced from body-parser's releases.

v1.20.5

What's Changed

The reason for this release is a fix to the extended urlencoded parser returning objects instead of arrays for large array inputs (> 100) on qs@6.14.2+. (expressjs/body-parser#716)

refactor(json): simplify strict mode error string construction by @jonchurch in expressjs/body-parser#692

fix: correct off-by-one error in parameterCount by @abhu85 in expressjs/body-parser#716

deps(qs): bump qs to 6.15.1 by @jonchurch in expressjs/body-parser#722

Release: 1.20.5 by @jonchurch in expressjs/body-parser#721

New Contributors

@abhu85 made their first contribution in expressjs/body-parser#716

Special thanks to triager @krzysdz for keeping this on our radar and effectively triaging the specific issue!

Full Changelog: expressjs/body-parser@1.20.4...1.20.5

1.20.4

What's Changed

Remove redundant depth check by @blakeembrey in expressjs/body-parser#538

ci: add support for Node.js v23 by @Phillip9587 in expressjs/body-parser#553

ci: restore CI for 1.x branch by @bjohansebas in expressjs/body-parser#665

deps: qs@^6.14.0 by @bjohansebas in expressjs/body-parser#664

deps: use tilde notation and update certain dependencies by @Phillip9587 in expressjs/body-parser#668

chore: remove SECURITY.md by @Phillip9587 in expressjs/body-parser#669

ci: add CodeQL (SAST) by @Phillip9587 in expressjs/body-parser#670

Release: 1.20.4 by @UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to node@22.4.1 by @wesleytodd in expressjs/body-parser#527

deps: qs@6.12.3 by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.5 / 2026-04-24

refactor(json): simplify strict mode error string construction

fix: extended urlencoded parsing of arrays with >100 elements (#716)

deps: qs@~6.15.1

1.20.4 / 2025-12-01

deps: qs@~6.14.0

deps: use tilde notation for dependencies

deps: http-errors@~2.0.1

deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

Fix strict json error message on Node.js 19+

deps: content-type@~1.0.5

perf: skip value escaping when unnecessary

deps: raw-body@2.5.2

1.20.1 / 2022-10-06

deps: qs@6.11.0

perf: remove unnecessary object clone

1.20.0 / 2022-04-02

Fix error message for json parse whitespace in strict

Fix internal error when inflated body exceeds limit

Prevent loss of async hooks context

Prevent hanging when request already read

deps: depd@2.0.0

Replace internal eval usage with Function constructor

Use instance methods on process to check for listeners

deps: http-errors@2.0.0

deps: depd@2.0.0

deps: statuses@2.0.1

deps: on-finished@2.4.1

deps: qs@6.10.3

... (truncated)

Commits

0defdbe release(patch): 1.20.5
cd0e7a0 deps(qs): bump qs to 6.15.1
6f24d7e fix: correct off-by-one error in parameterCount (#716)
b849bd5 deps: qs@~6.14.1 (#690)
2c55e2f refactor(json): simplify strict mode error string construction (#692)
7db202c 1.20.4 (#672)
d8f8adb ci: add CodeQL (SAST) (#670)
6d133c1 chore: remove SECURITY.md (#669)
fcd1535 deps: use tilde notation and update certain dependencies (#668)
ec5fa29 deps: qs@~6.14.0 (#664)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for body-parser since your current version.

Updates qs from 6.5.2 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder

[Fix] stringify: use configured delimiter after charsetSentinel (#555)

[Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)

[Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)

[Fix] parse: handle nested bracket groups and add regression tests (#530)

[readme] fix grammar (#550)

[Dev Deps] update @ljharb/eslint-config

[Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters

[Deps] update @ljharb/eslint-config

[Dev Deps] update @ljharb/eslint-config, iconv-lite

[Tests] increase coverage

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

[New] parse: add throwOnParameterLimitExceeded option (#517)

[Refactor] parse: use utils.combine more

[patch] parse: add explicit throwOnLimitExceeded default

[actions] use shared action; re-add finishers

[meta] Fix changelog formatting bug

[Deps] update side-channel

[Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols

... (truncated)

Commits

9aca407 v6.15.2
5e33d33 [Dev Deps] update @ljharb/eslint-config
21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
96755ab [readme] fix grammar
a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
3f5e1c5 v6.15.1
Additional commits viewable in compare view

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

[Refactor] use to-buffer fd1e5ee

[Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

[Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

[Tests] standard -> eslint, make test dir, etc ae02fd6

[Tests] migrate from travis to GHA 66387d7

[meta] fix package.json indentation 5c02918

[Fix] return valid values on multi-byte-wide TypedArray input 8fd1364

[meta] add auto-changelog 88dc806

[meta] add npmignore and safe-publish-latest 7a137d7

Only apps should have lockfiles 42528f2

[Deps] update inherits, safe-buffer 0e7a2d9

[meta] add missing engines.node f2dc13e

Commits

0056718 v1.0.7
fd1e5ee [Refactor] use to-buffer
08ba803 [Dev Deps] update @ljharb/eslint-config
f5249f9 v1.0.6
b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
f03cebf v1.0.5
88dc806 [meta] add auto-changelog
7a137d7 [meta] add npmignore and safe-publish-latest
5c02918 [meta] fix package.json indentation
8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.

Updates cookie from 0.4.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

Allow leading dot for domain (#174)

Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec

Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

perf: parse cookies ~10% faster (#144 by @kurtextrem and #170)

fix: narrow the validation of cookies to match RFC6265 (#167 by @bewinsnw)

fix: add main to package.json for rspack (#166 by @proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

Add partitioned option

0.5.0

Add priority option

Fix expires option to reject invalid dates

pref: improve default decode speed

pref: remove slow string split in parse

0.4.2

pref: read value only when assigning in parse

pref: remove unnecessary regexp in parse

0.4.1

Fix maxAge option to reject invalid values

Commits

d19eaa1 0.7.2
bc38ffd Fix object assignment of hasOwnProperty (#177)
cf4658f 0.7.1
6a8b8f5 Allow leading dot for domain (#174)
58015c0 Remove more code and perf wins (#172)
ab057d6 0.7.0
5f02ca8 Migrate history to GitHub releases
a5d591c Migrate history to GitHub releases
51968f9 Skip isNaN
9e7ca51 perf(parse): cache length, return early (#144)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates postcss from 8.3.6 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

Fixed declaration parsing performance (by @homanp).

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

Fixed package.json→exports compatibility with some tools (by @JounQin).

8.5.4

Fixed Parcel compatibility issue (by @git-sumitchaudhary).

8.5.3

Added more details to Unknown word error (by @hiepxanh).

Fixed types (by @romainmenke).

Fixed docs (by @catnipan).

8.5.2

Fixed end position of rules with semicolon (by @romainmenke).

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.15

Fixed declaration parsing performance (by @homanp).

8.5.14

Fixed custom syntax regression (by @43081j).

8.5.13

Fixed postcss-scss commend regression.

8.5.12

Fixed reading any file via user-generated CSS.

Added opts.unsafeMap to disable checks.

8.5.11

Fixed nested brackets parsing performance (by @offset).

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

8.5.9

Speed up source map encoding paring in case of the error.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

Fixed package.json→exports compatibility with some tools (by @JounQin).

8.5.4

Fixed Parcel compatibility issue (by @git-sumitchaudhary).

8.5.3

... (truncated)

Commits

eae46db Release 8.5.15 version
79508ff Update CI actions
b128e21 Speed up declaration parsing by avoiding creating new array on each token
9825dca Fix code format
55789c8 Update dependencies
84fbbe9 Install older pnpm action for old Node.js
9f860bd Revert pnpm action for old Node.js
0877198 Update CI actions
b2d1a33 Fix linter warnings
0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
Additional commits viewable in compare view

Updates elliptic from 6.5.4 to 6.6.1

Commits

9b77436 6.6.1
04cb6f5 Merge commit from fork
b8a7edd 6.6.0
34c8534 fix: signature verification due to leading zeros
3e46a48 6.5.7
accb61e lib: DER signature decoding correction
03e06e1 6.5.6
7ac5360 Merge commit from fork
7570078 6.5.5
206da2e lib: lint
Additional commits viewable in compare view

Updates express from 4.17.1 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)

This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.

deps: qs@~6.15.1

deps: body-parser@~1.20.5

New Contributors

@suuuuuuminnnnnn made their first contribution in expressjs/express#7021

@SAY-5 made their first contribution in expressjs/express#7181

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 4.22.1 by @UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for Node.js@23.0 by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: qs@6.14.0 by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)

This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.

deps: qs@~6.15.1

deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: qs@6.14.0

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

... (truncated)

Commits

df0abc9 4.22.2
836d366 4.x update qs to 6.15.1, body-parser 1.20.5 (#7224)
8d09bfe fix: restore array parsing for req.query repeated keys (#7181)
d39e8ad deps: body-parser@~1.20.4 (#7021)
efe85d9 deps: qs@^6.14.1 (#6972)
f62378e 📝 add note to history
12fae14 4.22.1
5ddf311 Revert "sec: security patch for CVE-2024-51999"
49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates flatted from 3.2.2 to 3.4.2

Commits

3bf0909 3.4.2
885ddcc fix CWE-1321
0bdba70 added flatted-view to the benchmark
2a02dce 3.4.1
fba4e8f Merge pull request #89 from WebReflection/python-fix
5fe8648 added "when in Rome" also a test for PHP
53517ad some minor improvement
b3e2a0c Fixing recursion issue in Python too
c4b46db Add SECURITY.md for security policy and reporting
f86d071 Create dependabot.yml for version updates
Additional commits viewable in compare view

Updates follow-redirects from 1.14.2 to 1.16.0

Commits

0c23a22 Release version 1.16.0 of the npm package.
844c4d3 Add sensitiveHeaders option.
5e8b8d0 ci: add Node.js 24.x to the CI matrix
7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
86dc1f8 Sanitizing input.
21ef28a Release version 1.15.11 of the npm package.
7c88135 Roll back tree shaking.
6e389ba Release version 1.15.10 of the npm package.
5bc496e Shake me up before you go-go.
694d6b4 Bump minimist from 1.2.5 to 1.2.8
Additional commits viewable in compare view

Updates form-data from 2.3.3 to 4.0.5

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

[Tests] Switch to newer v8 prediction library; enable node 24 testing

…pdates Bumps the npm_and_yarn group with 12 updates in the / directory: | Package | From | To | | --- | --- | --- | | [dompurify](https://github.com/cure53/DOMPurify) | `2.3.3` | `3.4.11` | | [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) | `7.14.5` | `7.29.7` | | [@tootallnate/once](https://github.com/TooTallNate/once) | `1.1.2` | `removed` | | [body-parser](https://github.com/expressjs/body-parser) | `1.19.0` | `1.20.5` | | [qs](https://github.com/ljharb/qs) | `6.5.2` | `6.15.2` | | [cipher-base](https://github.com/crypto-browserify/cipher-base) | `1.0.4` | `1.0.7` | | [postcss](https://github.com/postcss/postcss) | `8.3.6` | `8.5.15` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` | | [markdown-it](https://github.com/markdown-it/markdown-it) | `12.2.0` | `14.2.0` | | [min-document](https://github.com/Raynos/min-document) | `2.19.0` | `2.19.2` | | [shell-quote](https://github.com/ljharb/shell-quote) | `1.7.2` | `1.8.4` | | [store2](https://github.com/nbubna/store) | `2.12.0` | `2.14.4` | Updates `dompurify` from 2.3.3 to 3.4.11 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@2.3.3...3.4.11) Updates `@babel/plugin-transform-modules-systemjs` from 7.14.5 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs) Removes `@tootallnate/once` Updates `body-parser` from 1.19.0 to 1.20.5 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/1.20.5/HISTORY.md) - [Commits](expressjs/body-parser@1.19.0...1.20.5) Updates `qs` from 6.5.2 to 6.15.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.5.2...v6.15.2) Updates `cipher-base` from 1.0.4 to 1.0.7 - [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md) - [Commits](browserify/cipher-base@v1.0.4...v1.0.7) Updates `cookie` from 0.4.0 to 0.7.2 - [Release notes](https://github.com/jshttp/cookie/releases) - [Commits](jshttp/cookie@v0.4.0...v0.7.2) Updates `postcss` from 8.3.6 to 8.5.15 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.3.6...8.5.15) Updates `elliptic` from 6.5.4 to 6.6.1 - [Commits](indutny/elliptic@v6.5.4...v6.6.1) Updates `express` from 4.17.1 to 4.22.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md) - [Commits](expressjs/express@4.17.1...v4.22.2) Updates `flatted` from 3.2.2 to 3.4.2 - [Commits](WebReflection/flatted@v3.2.2...v3.4.2) Updates `follow-redirects` from 1.14.2 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.14.2...v1.16.0) Updates `form-data` from 2.3.3 to 4.0.5 - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](https://github.com/form-data/form-data/commits/v4.0.5) Updates `handlebars` from 4.7.7 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.7...v4.7.9) Updates `lodash` from 4.17.21 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.18.1) Updates `markdown-it` from 12.2.0 to 14.2.0 - [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md) - [Commits](markdown-it/markdown-it@12.2.0...14.2.0) Updates `min-document` from 2.19.0 to 2.19.2 - [Commits](Raynos/min-document@v2.19.0...v2.19.2) Updates `tar` from 4.4.19 to 7.5.11 - [Release notes](https://github.com/isaacs/node-tar/releases) - [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md) - [Commits](isaacs/node-tar@v4.4.19...v7.5.11) Updates `pbkdf2` from 3.1.2 to 3.1.6 - [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md) - [Commits](browserify/pbkdf2@v3.1.2...v3.1.6) Updates `picomatch` from 2.3.0 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.0...2.3.2) Updates `send` from 0.17.1 to 0.19.2 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.17.1...0.19.2) Updates `serve-static` from 1.14.1 to 1.16.3 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.14.1...v1.16.3) Updates `sha.js` from 2.4.11 to 2.4.12 - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md) - [Commits](browserify/sha.js@v2.4.11...v2.4.12) Updates `shell-quote` from 1.7.2 to 1.8.4 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.7.2...v1.8.4) Updates `store2` from 2.12.0 to 2.14.4 - [Commits](nbubna/store@2.12.0...2.14.4) Updates `uuid` from 3.4.0 to 8.3.2 - [Release notes](https://github.com/uuidjs/uuid/releases) - [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md) - [Commits](uuidjs/uuid@v3.4.0...v8.3.2) Updates `tmp` from 0.0.33 to 0.2.6 - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md) - [Commits](raszi/node-tmp@v0.0.33...v0.2.6) Updates `ws` from 6.2.2 to 8.21.0 - [Release notes](https://github.com/websockets/ws/releases) - [Commits](websockets/ws@6.2.2...8.21.0) --- updated-dependencies: - dependency-name: dompurify dependency-version: 3.4.11 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: "@babel/plugin-transform-modules-systemjs" dependency-version: 7.29.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@tootallnate/once" dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 1.20.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: cipher-base dependency-version: 1.0.7 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: cookie dependency-version: 0.7.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.15 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: elliptic dependency-version: 6.6.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express dependency-version: 4.22.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: form-data dependency-version: 4.0.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: markdown-it dependency-version: 14.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: min-document dependency-version: 2.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: 7.5.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: pbkdf2 dependency-version: 3.1.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: sha.js dependency-version: 2.4.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: shell-quote dependency-version: 1.8.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: store2 dependency-version: 2.14.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: uuid dependency-version: 8.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tmp dependency-version: 0.2.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ws dependency-version: 8.21.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 1 directory with 28 updates#16

build(deps): bump the npm_and_yarn group across 1 directory with 28 updates#16
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-04bbedc3e6

dependabot Bot commented on behalf of github Jun 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 20, 2026

DOMPurify 3.4.11

DOMPurify 3.4.10

DOMPurify 3.4.9

DOMPurify 3.4.8

DOMPurify 3.4.7

DOMPurify 3.4.6

DOMPurify 3.4.5

v7.29.7 (2026-05-25)

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

v7.29.4 (2026-05-05)

🐛 Bug Fix

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

v1.20.5

What's Changed

New Contributors

1.20.4

What's Changed

1.20.3

What's Changed

Important

Other changes

1.20.5 / 2026-04-24

1.20.4 / 2025-12-01

1.20.3 / 2024-09-10

1.20.2 / 2023-02-21

1.20.1 / 2022-10-06

1.20.0 / 2022-04-02

6.15.2

6.15.1

6.15.0

6.14.2

6.14.1

6.14.0

v1.0.7 - 2025-09-24

Commits

v1.0.6 - 2024-11-26

Commits

v1.0.5 - 2024-11-17

Commits

v0.7.2

0.7.1

0.7.0

0.6.0

0.5.0

0.4.2

0.4.1

8.5.15

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

8.5.8

8.5.7

8.5.6

8.5.5

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

8.5.15

8.5.14

8.5.13

8.5.12

8.5.11

8.5.10

8.5.9

8.5.8