chore(deps): bump the npm-prod group in /cloud-function with 4 updates

[dependabot]

Bumps the npm-prod group in /cloud-function with 4 updates: @google-cloud/functions-framework, @sentry/google-cloud-serverless, cookie and express.

Updates @google-cloud/functions-framework from 4.0.0 to 4.0.1

Release notes

Sourced from @​google-cloud/functions-framework's releases.

v4.0.1

4.0.1 (2025-11-20)

Bug Fixes

• add release-assets.githubusercontent.com to allowed domains (#713) (4cd1b2b)
• update microsoft/api-extractor to 7.55.0 (#712) (8e565c8)

Changelog

Sourced from @​google-cloud/functions-framework's changelog.

4.0.1 (2025-11-20)

Bug Fixes

• add release-assets.githubusercontent.com to allowed domains (#713) (4cd1b2b)
• update microsoft/api-extractor to 7.55.0 (#712) (8e565c8)

Commits

• 34e75c8 chore(main): release 4.0.1 (#714)
• 8390d9c chore(deps): update body-parser to v2 and fix tests (#716)
• 1488662 chore: update dependency express to v5 (#715)
• f1ff02b chore(deps): update actions/checkout action to v5 (#707)
• 3165c3b chore(deps): update dependency cloudevents to v10 (#702)
• c04114c chore(deps): update dependency node to v24 (#698)
• e93beb0 chore(deps): bump form-data from 4.0.1 to 4.0.4 (#699)
• 8b1577d chore(deps): update all non-major dependencies (#701)
• 14ce6c1 chore(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#710)
• 6cdeef5 chore(deps): update actions/setup-node action to v6 (#708)
• Additional commits viewable in compare view

Updates @sentry/google-cloud-serverless from 10.25.0 to 10.29.0

Release notes

Sourced from @​sentry/google-cloud-serverless's releases.

10.29.0

Important Changes

• feat(solid|solidstart): Bump accepted @​solidjs/router range (#18395)

We expanded the supported version range for @solidjs/router to include 0.14.x and 0.15.x versions.

Other Changes

• fix(logs): Add support for msg in pino integration (#18389)
• fix(node): Include system message in anthropic-ai messages span (#18332)
• fix(tracing): Add missing attributes in vercel-ai spans (#18333)

• chore(tanstackstart-react): clean up re-exported types (#18393)
• ref(core): Avoid looking up openai integration options (#17695)
• test(nuxt): Relax captured unhandled error assertion (#18397)
• test(tanstackstart-react): Set up E2E test application (#18358)

Bundle size 📦

Path	Size
@​sentry/browser	24.22 KB
@​sentry/browser - with treeshaking flags	22.76 KB
@​sentry/browser (incl. Tracing)	40.57 KB
@​sentry/browser (incl. Tracing, Profiling)	45.05 KB
@​sentry/browser (incl. Tracing, Replay)	78.08 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	68.05 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	82.65 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	94.61 KB
@​sentry/browser (incl. Feedback)	40.51 KB
@​sentry/browser (incl. sendFeedback)	28.8 KB
@​sentry/browser (incl. FeedbackAsync)	33.66 KB
@​sentry/react	25.9 KB
@​sentry/react (incl. Tracing)	42.72 KB
@​sentry/vue	28.56 KB
@​sentry/vue (incl. Tracing)	42.32 KB
@​sentry/svelte	24.24 KB
CDN Bundle	26.57 KB
CDN Bundle (incl. Tracing)	41.22 KB
CDN Bundle (incl. Tracing, Replay)	76.9 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	82.23 KB
CDN Bundle - uncompressed	78.09 KB
CDN Bundle (incl. Tracing) - uncompressed	122.4 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	235.71 KB

... (truncated)

Changelog

Sourced from @​sentry/google-cloud-serverless's changelog.

10.29.0

Important Changes

• feat(solid|solidstart): Bump accepted @​solidjs/router range (#18395)

We expanded the supported version range for @solidjs/router to include 0.14.x and 0.15.x versions.

Other Changes

• fix(logs): Add support for msg in pino integration (#18389)
• fix(node): Include system message in anthropic-ai messages span (#18332)
• fix(tracing): Add missing attributes in vercel-ai spans (#18333)

• chore(tanstackstart-react): clean up re-exported types (#18393)
• ref(core): Avoid looking up openai integration options (#17695)
• test(nuxt): Relax captured unhandled error assertion (#18397)
• test(tanstackstart-react): Set up E2E test application (#18358)

10.28.0

Important Changes

• feat(core): Make matcher parameter optional in makeMultiplexedTransport (#10798)

The matcher parameter in makeMultiplexedTransport is now optional with a sensible default. This makes it much easier to use the multiplexed transport for sending events to multiple DSNs based on runtime configuration.

Before:

import { makeFetchTransport, makeMultiplexedTransport } from '@sentry/browser';
const EXTRA_KEY = 'ROUTE_TO';
const transport = makeMultiplexedTransport(makeFetchTransport, args => {
const event = args.getEvent();
if (event?.extra?.[EXTRA_KEY] && Array.isArray(event.extra[EXTRA_KEY])) {
return event.extra[EXTRA_KEY];
}
return [];
});
Sentry.init({
transport,
// ... other options
</tr></table>

... (truncated)

Commits

• 3529d46 release: 10.29.0
• 7b3b613 Merge pull request #18407 from getsentry/prepare-release/10.29.0
• 477f6ad meta(changelog): Update changelog for 10.29.0
• cf5c4ba Merge pull request #18406 from getsentry/manual-master-sync-dev
• 3c5d47f Merge branch 'develop' into manual-master-sync-dev
• 862f415 test(nuxt): Relax captured unhandled error assertion (#18397)
• b6eb205 fix(node): Include system message in anthropic-ai messages span (#18332)
• 65f5006 fix(tracing): Add missing attributes in vercel-ai spans (#18333)
• df4c541 feat(solid|solidstart): Bump accepted @​solidjs/router range (#18395)
• f961771 ref(core): Avoid looking up openai integration options (#17695)
• Additional commits viewable in compare view

Updates cookie from 1.0.2 to 1.1.1

Release notes

Sourced from cookie's releases.

v1.1.1

Fixed

• Overwrite value in passed in options (#253) c66147c
  • When value was provided in serialize(key, value, { value }) the value in options was used instead of the value passed as an argument

---

jshttp/cookie@v1.1.0...v1.1.1

v1.1.0

Added:

• Add stringifyCookie and parseSetCookie methods (#244, #214)
• Rename existing methods for clarity (old method names remain for backward compatibility)
  • parse → parseCookie
  • serialize → stringifySetCookie
• Add side effects field (#245) 00b0327

---

jshttp/cookie@v1.0.2...v1.1.0

Commits

• 1b89eec 1.1.1
• c66147c Overwrite value in passed in options (#253)
• 09cec9f 1.1.0
• 05ebd34 Add tests for parsing top sites (#249)
• 6214eaf Add benchmark for parseSetCookie (#247)
• 71798d7 Fix skip over of boolean attributes (#248)
• 9e41cf1 build(deps): bump the npm_and_yarn group across 1 directory with 4 updates (#...
• 6fea506 Add parse method for set-cookie (#244)
• 00b0327 Add side effects field (#245)
• 94586de feat: remove dependabot from repo (#242)
• Additional commits viewable in compare view

Updates express from 4.21.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for [email protected] by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: [email protected] by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: [email protected]

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: [email protected] (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
express	[>= 5.a, < 6]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @mdn-bot.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[mdn-bot]

@dependabot squash and merge

[dependabot]

Beginning January 27, 2026, Dependabot will no longer support the @dependabot squash and merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.

[dependabot]

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

[caugner]

Type check is failing, because @google-cloud/functions-framework bumped express from v4 to v5 in the v4.0.1 patch release, see: GoogleCloudPlatform/functions-framework-nodejs#715 (comment)

[caugner]

@dependabot ignore @google-cloud/functions-framework patch version

[dependabot]

OK, I won't notify you about version 4.0.1 of @google-cloud/functions-framework again, unless you unignore it.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.