Bump the npm_and_yarn group across 1 directory with 13 updates

[dependabot[bot]]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
ansi-regex	5.0.0	5.0.1
ansi-regex	4.1.0	5.0.1
browserify-sign	4.2.1	4.2.3
d3-color	1.4.1	3.1.0
d3-scale	3.3.0	4.0.2
d3-scale-chromatic	2.0.0	3.1.0
d3-transition	2.0.0	3.0.1
recharts	1.8.6	2.12.7
express	4.18.2	4.19.2
follow-redirects	1.15.2	1.15.6
node-forge	0.10.0	1.3.1
webpack-dev-server	3.11.3	5.0.4
path-parse	1.0.6	1.0.7

Updates ansi-regex from 5.0.0 to 5.0.1

Release notes

Sourced from ansi-regex's releases.

v5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

• Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @​yetingli for the patch and reproduction case!

Commits

• a9babce 5.0.1
• 4657833 fix incorrect format
• c3c0b3f Fix potential ReDoS (#37)
• 178363b Move to GitHub Actions (#35)
• 0755e66 Add @​Qix- to funding.yml
• See full diff in compare view

Updates ansi-regex from 4.1.0 to 5.0.1

Release notes

Sourced from ansi-regex's releases.

v5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

• Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @​yetingli for the patch and reproduction case!

Commits

• a9babce 5.0.1
• 4657833 fix incorrect format
• c3c0b3f Fix potential ReDoS (#37)
• 178363b Move to GitHub Actions (#35)
• 0755e66 Add @​Qix- to funding.yml
• See full diff in compare view

Updates browserify-sign from 4.2.1 to 4.2.3

Changelog

Sourced from browserify-sign's changelog.

v4.2.3 - 2024-03-05

Commits

• [patch] widen support to 0.12 9247adf
• [patch] drop minimum node support to v1 4d0ee49
• [Dev Deps] update aud, npmignore, tape 87f3a35
• [actions] remove redundant finisher 37a4758
• [Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12
• [Deps] update parse-asn1 [f427270`](https://github.com/browserify/browserify-sign/commit/f427270ac11dc6be29f87d7afb046c16376a5a9c)
• [Deps] update elliptic fb261ce
• [Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

• [Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

• Only apps should have lockfiles 09a8995
• [eslint] switch to eslint 83fe463
• [meta] add npmignore and auto-changelog 4418183
• [meta] fix package.json indentation 9ac5a5e
• [Tests] migrate from travis to github actions d845d85
• [Fix] sign: throw on unsupported padding scheme 8767739
• [Fix] properly check the upper bound for DSA signatures 85994cd
• [Tests] handle openSSL not supporting a scheme f5f17c2
• [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
• [Dev Deps] update nyc, standard, tape cc5350b
• [Tests] always run coverage; downgrade nyc 75ce1d5
• [meta] add safe-publish-latest dcf49ce
• [Tests] add npm run posttest 75dd8fd
• [Dev Deps] update tape 3aec038
• [Tests] skip unsupported schemes 703c83e
• [Tests] node < 6 lacks array includes 3aa43cf
• [Dev Deps] fix eslint range 98d4e0d

Commits

• bf2c3ec v4.2.3
• 9247adf [patch] widen support to 0.12
• f427270 [Deps] update `parse-asn1
• 87f3a35 [Dev Deps] update aud, npmignore, tape
• fb261ce [Deps] update elliptic
• 4d0ee49 [patch] drop minimum node support to v1
• 9e2bf12 [Deps] pin hash-base to ~3.0, due to a breaking change
• 168e16f [Deps] pin elliptic due to a breaking change
• 37a4758 [actions] remove redundant finisher
• 4af5a90 v4.2.2
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Updates d3-color from 1.4.1 to 3.1.0

Release notes

Sourced from d3-color's releases.

v3.1.0

• Add rgb.clamp and hsl.clamp. #102
• Add color.formatHex8. #103
• Fix color.formatHsl to clamp values to the expected range. #83
• Fix catastrophic backtracking when parsing colors. #89 #97 #99 #100 SNYK-JS-D3COLOR-1076592

v3.0.1

• Make build reproducible.

v3.0.0

• Adopt type: module.

This package now requires Node.js 12 or higher. For more, please read Sindre Sorhus’s FAQ.

v2.0.0

This release adopts ES2015 language features such as for-of and drops support for older browsers, including IE. If you need to support pre-ES2015 environments, you should stick with d3-color 1.x or use a transpiler.

Commits

• 7a1573e 3.1.0
• 75c19c4 update LICENSE
• ef94e01 update dependencies
• 5e9f757 method shorthand
• e4bc34e formatHex8 (#103)
• ac660c6 {rgb,hsl}.clamp() (#102)
• 70e3a04 clamp HSL format (#101)
• 994d8fd avoid backtracking (#100)
• 7d61bbe 3.0.1
• 93bc4ff related d3/d33; extract copyrights from LICENSE
• Additional commits viewable in compare view

Updates d3-scale from 3.3.0 to 4.0.2

Release notes

Sourced from d3-scale's releases.

v4.0.2

• Default the base-10 log tick format to ~s instead of .0e. #255

v4.0.1

• Fix log.ticks to return exact values for integer bases. #253
• Fix log.tickFormat to trim trailing zeroes by default if no precision is specified. #254

v4.0.0

• Adopt type: module. #246
• Adopt InternMap for ordinal scale domains. #235
• Update dependencies.
• Make build reproducible.

This package now requires Node.js 12 or higher. For more, please read Sindre Sorhus’s FAQ.

Commits

• 83555bd 4.0.2
• cfc7d51 update dependencies
• 13491ee default base 10 log ticks to ~s (#255)
• 0561e75 4.0.1
• 925dd3a upgrade dependencies
• f0180a8 simpler exact ticks
• 9f745d0 exact log ticks (#253)
• 8fd6d25 implicit trim for log ticks (#254)
• 3281b77 Update README.md (#252)
• 07e8aac update README
• Additional commits viewable in compare view

Updates d3-scale-chromatic from 2.0.0 to 3.1.0

Release notes

Sourced from d3-scale-chromatic's releases.

v3.1.0

• Add d3.schemeObservable10. #51

v3.0.0

• Adopt type: module.
• Update dependencies.
• Make build reproducible.

This package now requires Node.js 12 or higher. For more, please read Sindre Sorhus’s FAQ.

Commits

• 2c52792 update LICENSE
• 0496bc4 3.1.0
• 81d50e2 upgrade dependencies
• 14c9b25 Add schemeObservable10 (#51)
• 109cfa3 restructure README (#49)
• 2aa3ad2 3.0.0
• 8fc14d0 Adopt type=module (#37)
• See full diff in compare view

Updates d3-transition from 2.0.0 to 3.0.1

Release notes

Sourced from d3-transition's releases.

v3.0.1

• Fix d3-selection peerDependency range.

v3.0.0

• Adopt type: module.
• Add transition.selectChild.
• Add transition.selectChildren.
• Update dependencies.
• Make build reproducible.

This package now requires Node.js 12 or higher. For more, please read Sindre Sorhus’s FAQ.

Commits

• c4c94c4 3.0.1
• c7a42c6 update dependencies
• cb1fc2d push on prepublishOnly
• 5caa287 fix d3-selection peerDependency
• 98e84f0 3.0.0
• aa44264 Update README
• 692f025 fix #121; add transition.selectChild[ren]
• 1ac7984 Precise sideEffects. (#115)
• d1a518c Adopt type=module (#123)
• abe6511 Merge pull request #122 from inokawa/patch-1
• Additional commits viewable in compare view

Updates recharts from 1.8.6 to 2.12.7

Release notes

Sourced from recharts's releases.

v2.12.7

Whats changed

Fix

• Area: re-add calculated area points to the areaDot callback props when it is a function. This was accidentally removed in v2.3. Fixes #4480
• Brush: guard against undefined property access error when an ariaLabel is not specified. Follow up from recharts/recharts#2093

Full Changelog: https://github.com/recharts/recharts/compare/v2.12.6...v2.12.7

v2.12.6

What's Changed

Fix

• Tooltip: fix glitch where Tooltip always rendered in the top left even if animation was disabled by @​HHongSeungWoo in recharts/recharts#4425 fixes recharts/recharts#4424

Chore

• CI/Build fix: Added proper .js suffixes to main module and jsnext:main paths in package.json by @​dobosalparbc in recharts/recharts#4431 fixes recharts/recharts#2858

Full Changelog: https://github.com/recharts/recharts/compare/v2.12.5...v2.12.6

v2.12.5

Small fixes while working on v3 continued...

What's Changed

Feat

• BarChart: support percentage (of chart) for barSize. Helps set size of bar when there are few datapoints Fixes #3640 by @​graup in recharts/recharts#4407

Fix

Address recharts/recharts#4382

A recent release of @types/react broke some builds because they removed certain (unused) events from common event handler attributes. recharts was unknowingly enumerating keys of SVGProps in the Layer component with the old types and causing a type error on tsc with skipLibCheck: false

• typescript - Layer: use SVGAttributes instead of SVGProps in forwardRef components by @​ckifer in recharts/recharts#4413
• typescript - Pie: fix Pie ref which was cast to HTMLElement when the ref is actually referring to SVGGElement. This gave false information to whoever is using ref on the Pie component

Full Changelog: https://github.com/recharts/recharts/compare/v2.12.4...v2.12.5

v2.12.4

What's Changed

Small fixes while working on v3 continued...

... (truncated)

Changelog

Sourced from recharts's changelog.

⚠️ Next versions change notes are available only on the GitHub Releases page ⚠️

2.2.0 (Dec 8, 2022)

feat

• Support keyboard navigation in pie chart (#2923)
• Allow reversing the tooltip direction (#3056)

fix

• fix rounding leading to hairline gaps (#3075)
• fix: do not override zero brush end index (#3076)
• fix: allow dragging brush when the mouse is outside (#3072)
• fix: add label type to line props (#3068)
• Ensure LabelList generic extends Data interface (#2954)

2.1.16 (Oct 29, 2022)

fix

• Fix incorrect date in CHAGELOG (#3016)
• Let formatter function run even when value is falsy (#3026)
• Fix(Sankey): update tooltip active state by trigger type(hover/click) (#3021)
• Fix Area's baseValue prop (#3013)

2.1.15 (Oct 12, 2022)

fix

• Fix scroll on hover
• DefaultTooltipContent.tsx Solving type error for entry.value and entry.name

chore

• Revert D3 version

2.1.14 (Sep 7, 2022)

fix

• Add inactiveShape prop to Pie component (#2900)
• Revert "chore: move type deps into devDependencies (#2843)" (#2942)
• Fix typing of default tooltip formatter (#2924)
• Take letter-spacing and font-size into consideration while rendering ticks (#2898)
• Add formatter function type to tooltip props (#2916)
• doc: Update CHANGELOG.md about d3 7.x (#2919)

2.1.13 (Jul 26, 2022)

fix

• set animate flag before chart data update (#2911)
• Error bar domain fix (#2863)
• fix: fix "recharts@… doesn't provide prop-types, requested by react-smooth" warning (#2895)

chore

... (truncated)

Commits

• 2074e2e 2.12.7
• 1e9e032 fix: guard against accidental undefined access in Brush
• 239b3ae fix(area-dot): regressionon in parameters passed to custom area dot
• 22064ed 2.12.6
• 504518d Added js suffix to main module and jsnext:main paths in package json (#4431)
• a705024 fix: The box size of the Tooltip is 0 at the first rendering of TooltipBoundi...
• bdad6ec 2.12.5
• ed95633 fix(layer-types): use SVGAttributes instead of SVGProps in forwardRef compone...
• 3d2e8b9 feat(BarChart): support percentage for barSize. Fixes #3640 (#4407)
• 981eb8f 2.12.4
• Additional commits viewable in compare view

Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: Node.js@16.18 and Node.js@18.12 by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add Node.js@19.7 by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2
• deps: cookie@0.6.0
  • Add partitioned option

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: cookie@0.6.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates follow-redirects from 1.15.2 to 1.15.6

Commits

• 35a517c Release version 1.15.6 of the npm package.
• c4f847f Drop Proxy-Authorization across hosts.
• 8526b4a Use GitHub for disclosure.
• b1677ce Release version 1.15.5 of the npm package.
• d8914f7 Preserve fragment in responseUrl.
• 6585820 Release version 1.15.4 of the npm package.
• 7a6567e Disallow bracketed hostnames.
• 05629af Prefer native URL instead of deprecated url.parse.
• 1cba8e8 Prefer native URL instead of legacy url.resolve.
• 72bc2a4 Simplify _processResponse error handling.
• Additional commits viewable in compare view

Updates node-forge from 0.10.0 to 1.3.1

Changelog

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

• RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL paramters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

• Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
• HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24771
  • GHSA ID: GHSA-cfm4-qjh2-4765
• HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • The code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  • CVE ID: CVE-2022-24772
  • GHSA ID: GHSA-x4jg-mjrx-434g
• MEDIUM: Leniency in checking type octet.
  • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
  • CVE ID: CVE-2022-24773
  • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

• [asn1] Add fallback to pretty print invalid UTF8 data.
• [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
  • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
• [rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

Commits

• a0a4a42 Release 1.3.1.
• a33830f Update changelog.
• 740954d Allow optional DigestAlgorithm parameters.
• 56f4316 Allow DigestInfo.DigestAlgorith.parameters to be optional
• cbf0bd5 Start 1.3.1-0.
• 6c5b901 Release 1.3.0.
• 0f3972a Update changelog.
• dc77b39 Fix error checking.
• bb822c0 Add advisory links.
• d4395fe Update changelog.
• Additional commits viewable in compare view

Updates webpack-dev-server from 3.11.3 to 5.0.4

Release notes

Sourced from webpack-dev-server's releases.

v5.0.4

5.0.4 (2024-03-19)

Bug Fixes

• security: bump webpack-dev-middleware (#5112) (aab576a)

v5.0.3

5.0.3 (2024-03-12)

Bug Fixes

• types: proxy (#5101) (6e1aed3)

v5.0.2

5.0.2 (2024-02-16)

Bug Fixes

• types (#5057) (da2c24d)

v5.0.1

5.0.1 (2024-02-13)

Bug Fixes

• avoid using eval in client (#5045) (7681477)
• overlay and require-trusted-types-for (#5046) (e115436)

v5.0.0

5.0.0 (2024-02-12)

Migration Guide and Changes.

v4.15.2

4.15.2 (2024-03-20)

Bug Fixes

• security: bump webpack-dev-middleware (4116209)

v4.15.1

4.15.1 (2023-06-09)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.0.4 (2024-03-19)

Bug Fixes

• security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

• types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

• types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

• avoid using eval in client (#5045) (7681477)
• overlay and require-trusted-types-for (#5046) (e115436)

5.0.0 (2024-02-12)

Migration Guide and Changes.

4.15.1 (2023-06-09)

Bug Fixes

• replace :: with localhost before openBrowser() (#4856) (874c44b)
• types: compatibility with @types/ws (#4899) (34bcec2)

4.15.0 (2023-05-07)

Features

• overlay displays unhandled promise rejection (#4849) (d1dd430)

4.14.0 (2023-05-06)

... (truncated)

Commits

• 64a1860 chore(release): 5.0.4
• aab576a fix(security): bump webpack-dev-middleware (#5112)
• fb6f22a chore(deps-dev): bump @​commitlint/config-conventional (#5104)
• ba9dfb6 chore(deps-dev): bump @​commitlint/cli from 19.0.3 to 19.1.0 (#5103)
• 08cab58 chore(release): 5.0.3
• 37f4760 chore(deps-dev): bump @​types/node from 20.11.25 to 20.11.26 (#5102)
• 6e1aed3 fix(types): proxy (#5101)
• 8ea7cb8 chore(deps): bump open from 10.0.4 to 10.1.0 (#5100)
• c6a3586 chore(deps-dev): bump puppeteer from 22.4.0 to 22.4.1 (#5099)
• 2201442 chore(deps): update (#5096)
• Additional commits viewable in compare view

Updates path-parse from 1.0.6 to 1.0.7

Commits

• See full diff in compare view

Updates webpack-dev-middleware from 3.7.3 to 7.2.1

Release notes

Sourced from webpack-dev-middleware's releases.

v7.2.1

7.2.1 (2024-04-02)

Bug Fixes

• avoid extra log

v7.2.0

7.2.0 (2024-03-29)

Features

• hapi support (b3f9126)
• koa support (#1792) (458c17c)
• support ETag header generation (#1797) (b759181)
• support Last-Modified header generation (#1798) (18e5683)

v7.1.1

7.1.1 (2024-03-21)

Bug Fixes

• ContentLength incorrectly set for empty files (#1785) (0f3e25e)
• improve perf (#1777) (5b47c92)
• types: make types better (#1786) (e4d183e)

v7.1.0

7.1.0 (2024-03-19)

Features

• prefer to use fs.createReadStream over fs.readFileSync to read files (ab533de)

Bug Fixes

• cleaup stream and handle errors (#1769) (1258fdd)
• security: do not allow to read files above (#1771) (e10008c)

v7.0.0

7.0.0 (2023-12-26)

⚠ BREAKING CHANGES

• minimum supported Node.js version is 18.12.0 (#1694)

... (truncated)

Changelog

Sourced from webpack-dev-middleware's changelog.

7.2.1 (2024-04-02)

Bug Fixes

• avoid extra log