Bump the npm_and_yarn group in /api-expressjs-vm with 11 updates

[dependabot]

Bumps the npm_and_yarn group in /api-expressjs-vm with 11 updates:

Package	From	To
express	4.17.2	4.19.2
semver	5.7.1	5.7.2
async	2.6.3	2.6.4
axios	0.21.4	removed
pm2	4.5.6	5.4.2
braces	3.0.2	3.0.3
degenerator	2.2.0	5.0.1
follow-redirects	1.14.7	1.15.6
pac-resolver	4.2.0	7.0.1
qs	6.9.6	6.11.0
ws	7.2.5	7.5.10

Updates express from 4.17.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: [email protected] and [email protected] by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add [email protected] by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]
• deps: [email protected]
  • Add partitioned option

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

4.18.1 / 2022-04-29

• Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates semver from 5.7.1 to 5.7.2

Release notes

Sourced from semver's releases.

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

Changelog

Sourced from semver's changelog.

5.7.2 (2023-07-10)

Bug Fixes

• 2f8fd41 #585 better handling of whitespace (#585) (@​joaomoreno, @​lukekarrys)

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

• Add version coercion capabilities

5.4

• Add intersection checking

5.3

• Add minSatisfying method

5.2

• Add prerelease(v) that returns prerelease components

5.1

• Add Backus-Naur for ranges
• Remove excessively cute inspection methods

5.0

• Remove AMD/Browserified build artifacts
• Fix ltr and gtr when using the * range
• Fix for range * with a prerelease identifier

Commits

• f8cc313 chore: release 5.7.2
• 2f8fd41 fix: better handling of whitespace (#585)
• deb5ad5 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates async from 2.6.3 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

• Fix potential prototype pollution exploit (#1828)

Commits

• c6bdaca Version 2.6.4
• 8870da9 Update built files
• 4df6754 update changelog
• 8f7f903 Fix prototype pollution vulnerability (#1828)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Removes axios

Updates pm2 from 4.5.6 to 5.4.2

Release notes

Sourced from pm2's releases.

v5.4.2

• Unitech/pm2#5833
• keymetrics/pm2-io-apm#301

5.4.1

Update websocket dependency in pm2/agent submodule

5.4.0

• drop old uuid sub dependency
• #5782 add autostart true||false feature by @​ultimate-tester
• update modules

5.3.1

• Fix terminal width when condensed Unitech/pm2@cac8393
• Auto run tsx/ts files with bun binary instead of ts-node Unitech/pm2@f122aab
• #5686 Switch from Travis CI to Github Actions
• #5680 Fixed reserved keyword for ES6 Strict Mode when Bundling @​juaneth
• #5683 update badges
• #5684 auto switch light and dark mode logos
• #5678 Bugfix/deploy ecosystem filename extension / esm module default ecosystem config name @​TeleMediaCC
• #5660 Fix matching logic for logs from namespace when lines = 0 @​bawjensen
• fix "vulnerabilities" in axios module

5.3.0

• fix: replace non-working condition that blocks flush from clearing the logs #5533 @​Sailboat265
• fix: ESM script loader #5524 @​BlueWater86

5.2.2

• fix cluster error avoiding process restart (#5396)
• ensure increment_var value is a number (#5435)
• update dependencies
• add node latest to travis testing

5.2.0

• replace node-cron by croner (#5183 #5035)
• upgrade mocha deps
• fix pm2 report when daemon not running
• remove semver check for legacy node.js versions
• update node version in setup.deb.sh by using lts (#5201) + openrc
• replace legacy util._extend by Object.assign (#5239)
• add missing start options types (#5242)
• recursive detection of package.json (#5267)
• make tarball module uninstall cross-platform (#5269)
• Fix unnecessary "ENOENT" console.error when serving a spa (#5272)
• fix: used env variable instead of hardcode datetime format (#5277)
• copyright update (#5278)
• fix: remove constants import from VersionCheck (not needed) (#5279)
• Reduce async import (#5280)

5.1.2

... (truncated)

Changelog

Sourced from pm2's changelog.

5.4.1

• @​pm2/io DeprecationWarning: The util._extend API is deprecated keymetrics/pm2-io-apm#301 @​egoroof

5.4.0

• #5782 add autostart true||false feature by @​ultimate-tester
• fix UUID deprecation
• updates modules

5.3.1

• #5686 Switch from Travis CI to Github Actions
• #5680 Fixed reserved keyword for ES6 Strict Mode when Bundling @​juaneth
• #5683 update badges
• #5684 auto switch light and dark mode logos
• #5678 Bugfix/deploy ecosystem filename extension / esm module default ecosystem config name @​TeleMediaCC
• #5660 Fix matching logic for logs from namespace when lines = 0 @​bawjensen
• fix "vulnerabilities" in axios module

5.3.0

• fix: replace non-working condition that blocks flush from clearing the logs #5533 @​Sailboat265
• fix: ESM script loader #5524 @​BlueWater86

5.2.2

• fix: correct pm2 ls display when there is a (very) long process id (@​dko-slapdash)
• typo: corrections

5.2.1

• fix cluster error avoiding process restart (#5396)
• ensure increment_var value is a number (#5435)
• update dependencies
• add node latest to travis testing

5.2.0

• replace node-cron by croner (#5183 #5035)
• upgrade mocha deps
• fix pm2 report when daemon not running
• remove semver check for legacy node.js versions
• update node version in setup.deb.sh by using lts (#5201) + openrc
• replace legacy util._extend by Object.assign (#5239)
• add missing start options types (#5242)
• recursive detection of package.json (#5267)
• make tarball module uninstall cross-platform (#5269)
• Fix unnecessary "ENOENT" console.error when serving a spa (#5272)

... (truncated)

Commits

• de0bbad [email protected]
• 5c50ed4 [email protected]
• f8e312e Merge pull request #5833 from we-fork/fix-env-output
• cef628d fx
• 87612eb [email protected]
• 49c2824 fix: env output in pm2-describe
• 5e0eb40 [email protected]
• 098b344 [email protected]
• 8eab965 fx
• 0713061 fix
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates degenerator from 2.2.0 to 5.0.1

Release notes

Sourced from degenerator's releases.

[email protected]

Patch Changes

• a7d4fe5: Update escodegen dependency

[email protected]

Major Changes

• f1f3220: Use quickjs-emscripten instead of vm2 to execute PAC file code

[email protected]

Patch Changes

• 7008a93: Update dependencies to fix ReDoS vulnerability

[email protected]

Patch Changes

• 8e92eb8: Update vm2 dependency to v3.9.19

[email protected]

Patch Changes

• 9326064: Use util.types.isRegExp() to fix deprecation warning

[email protected]

Patch Changes

• 7674748: Update @types/node to v14.18.45

Changelog

Sourced from degenerator's changelog.

5.0.1

Patch Changes

• a7d4fe5: Update escodegen dependency

5.0.0

Major Changes

• f1f3220: Use quickjs-emscripten instead of vm2 to execute PAC file code

4.0.4

Patch Changes

• 7008a93: Update dependencies to fix ReDoS vulnerability

4.0.3

Patch Changes

• 8e92eb8: Update vm2 dependency to v3.9.19

4.0.2

Patch Changes

• 9326064: Use util.types.isRegExp() to fix deprecation warning

4.0.1

Patch Changes

• 7674748: Update @types/node to v14.18.45

4.0.0

Major Changes

• d99a7c8: Major version bump for all packages

Patch Changes

• c169ced: Convert mocha tests to jest for all packages

Commits

• d5cdaa1 Version Packages (#227)
• a7d4fe5 [degenerator] Update escodegen (#226)
• 9235192 Version Packages (#225)
• 833f0e9 Remove commented console.logs
• f1f3220 Use quickjs-emscripten instead of vm2 to execute PAC file code (#224)
• 08c4625 Version Packages (#209)
• 7008a93 Update dependencies to fix ReDoS vulnerability
• 6e78b01 Version Packages (#202)
• 8e92eb8 [degenerator] Update vm2 dependency to v3.9.19
• ca68bbd Version Packages (#163)
• Additional commits viewable in compare view

Updates follow-redirects from 1.14.7 to 1.15.6

Commits

• 35a517c Release version 1.15.6 of the npm package.
• c4f847f Drop Proxy-Authorization across hosts.
• 8526b4a Use GitHub for disclosure.
• b1677ce Release version 1.15.5 of the npm package.
• d8914f7 Preserve fragment in responseUrl.
• 6585820 Release version 1.15.4 of the npm package.
• 7a6567e Disallow bracketed hostnames.
• 05629af Prefer native URL instead of deprecated url.parse.
• 1cba8e8 Prefer native URL instead of legacy url.resolve.
• 72bc2a4 Simplify _processResponse error handling.
• Additional commits viewable in compare view

Updates pac-resolver from 4.2.0 to 7.0.1

Release notes

Sourced from pac-resolver's releases.

[email protected]

Patch Changes

• a954da3: fix GHSA-78xj-cgh5-2h22 vulnerability

[email protected]

Major Changes

• f1f3220: Use quickjs-emscripten instead of vm2 to execute PAC file code

Patch Changes

• Updated dependencies [f1f3220]
  • [email protected]

[email protected]

Patch Changes

• 0fe8b72: Update dependencies
• Updated dependencies [7008a93]
  • [email protected]

[email protected]

Patch Changes

• 7674748: Update @types/node to v14.18.45
• Updated dependencies [7674748]
  • [email protected]

Changelog

Sourced from pac-resolver's changelog.

7.0.1

Patch Changes

• a954da3: fix GHSA-78xj-cgh5-2h22 vulnerability

7.0.0

Major Changes

• f1f3220: Use quickjs-emscripten instead of vm2 to execute PAC file code

Patch Changes

• Updated dependencies [f1f3220]
  • [email protected]

6.0.2

Patch Changes

• 0fe8b72: Update dependencies
• Updated dependencies [7008a93]
  • [email protected]

6.0.1

Patch Changes

• 7674748: Update @types/node to v14.18.45
• Updated dependencies [7674748]
  • [email protected]

6.0.0

Major Changes

• d99a7c8: Major version bump for all packages

Patch Changes

• c169ced: Convert mocha tests to jest for all packages
• Updated dependencies [c169ced]
• Updated dependencies [d99a7c8]
  • [email protected]

Commits

• See full diff in compare view

Updates qs from 6.9.6 to 6.11.0

Changelog

Sourced from qs's changelog.

6.11.0

• [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#442)
• [readme] fix version badge

6.10.5

• [Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#434)

6.10.4

• [Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#441)
• [meta] use npmignore to autogenerate an npmignore file
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

6.10.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [actions] reuse common workflows
• [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

6.10.2

• [Fix] stringify: actually fix cyclic references (#426)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#408)
• [actions] update codecov uploader
• [actions] update workflows
• [Tests] clean up stringify tests slightly
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

6.10.1

• [Fix] stringify: avoid exception on repeated object values (#402)

6.10.0

• [New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393)
• [New] parse: add allowSparse option for collapsing arrays with missing indices (#312)
• [meta] fix README.md (#399)
• [meta] only run npm run dist in publish, not install
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape
• [Tests] fix tests on node v0.6
• [Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run
• [Tests] Revert "[meta] ignore eclint transitive audit warning"

6.9.7

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#408)
• [Tests] clean up stringify tests slightly
• [meta] fix README.md (#399)
• Revert "[meta] ignore eclint transitive audit warning"

... (truncated)

Commits

• 56763c1 v6.11.0
• ddd3e29 [readme] fix version badge
• c313472 [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option
• 95bc018 v6.10.5
• 0e903c0 [Fix] stringify: with arrayFormat: comma, properly include an explicit `[...
• ba9703c v6.10.4
• 4e44019 [Fix] stringify: with arrayFormat: comma, include an explicit [] on a s...
• 113b990 [Dev Deps] update object-inspect
• c77f38f [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, tape
• 2cf45b2 [meta] use npmignore to autogenerate an npmignore file
• Additional commits viewable in compare view

Updates ws from 7.2.5 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

• Backported e55e5106 to the 7.x release line (22c28763).

7.5.9

Bug fixes

• Backported bc8bd34e to the 7.x release line (0435e6e1).

7.5.8

Bug fixes

• Backported 0fdcc0af to the 7.x release line (2758ed35).
• Backported d68ba9e1 to the 7.x release line (dc1781bc).

7.5.7

Bug fixes

• Backported 6946f5fe to the 7.x release line (1f72e2e1).

7.5.6

Bug fixes

• Backported b8186dd1 to the 7.x release line (73dec34b).
• Backported ed2b8039 to the 7.x release line (22a26afb).

7.5.5

Bug fixes

• Backported ec9377ca to the 7.x release line (0e274acd).

7.5.4

Bug fixes

• Backported 6a72da3e to the 7.x release line (76087fbf).
• Backported 869c9892 to the 7.x release line (27997933).

7.5.3

Bug fixes

• The WebSocketServer constructor now throws an error if more than one of the noServer, server, and port options are specefied (66e58d27).
• Fixed a bug where a 'close' event was emitted by a WebSocketServer before the internal HTTP/S server was actually closed (5a587304).
• Fixed a bug that allowed WebSocket connections to be established after WebSocketServer.prototype.close() was called (772236a1).

7.5.2

Bug fixes

... (truncated)

Commits

• d962d70 [dist] 7.5.10
• 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 8a78f87 [dist] 7.5.9
• 0435e6e [security] Fix same host check for ws+unix: redirects
• 4271f07 [dist] 7.5.8
• dc1781b [security] Drop sensitive headers when following insecure redirects
• 2758ed3 [fix] Abort the handshake if the Upgrade header is invalid
• a370613 [dist] 7.5.7
• 1f72e2e [security] Drop sensitive headers when following redirects (#2013)
• 8ecd890 [dist] 7.5.6
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml