back-stack / showcase

The showcase implementation of The BACK stack

Bump the npm_and_yarn group across 1 directory with 11 updates #51

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 3 months ago

Bumps the npm_and_yarn group with 10 updates in the /backstage directory:

| Package | From | To |
| --- | --- | --- |
| @backstage/backend-common | 0.19.8 | 0.19.10 |
| express | 4.18.2 | 4.19.2 |
| @adobe/css-tools | 4.3.1 | 4.3.3 |
| @octokit/webhooks | 10.9.1 | 10.9.2 |
| browserify-sign | 4.2.1 | 4.2.3 |
| follow-redirects | 1.15.3 | 1.15.6 |
| ip | 2.0.0 | 2.0.1 |
| jose | 4.15.4 | 4.15.5 |
| undici | 5.26.5 | 5.28.3 |
| webpack-dev-middleware | 5.3.3 | 5.3.4 |

Updates @backstage/backend-common from 0.19.8 to 0.19.10

Changelog

Sourced from @​backstage/backend-common's changelog.

@​backstage/backend-common

0.21.5

Patch Changes

  • 81a995f: Updated dependency aws-sdk-client-mock to ^4.0.0.
  • Updated dependencies
    • @​backstage/backend-app-api@​0.6.1
    • @​backstage/integration-aws-node@​0.1.11
    • @​backstage/plugin-auth-node@​0.4.10
    • @​backstage/backend-dev-utils@​0.1.4
    • @​backstage/backend-plugin-api@​0.6.15
    • @​backstage/cli-common@​0.1.13
    • @​backstage/config@​1.2.0
    • @​backstage/config-loader@​1.7.0
    • @​backstage/errors@​1.2.4
    • @​backstage/integration@​1.9.1
    • @​backstage/types@​1.1.1

0.21.4

Patch Changes

  • 7422430: Resolve the basePath before constructing the target path

  • 999224f: Bump dependency minimatch to v9

  • e0b997c: Fix issue where resolveSafeChildPath path would incorrectly resolve when operating on a symlink

  • 9802004: Added the UserInfoApi as both an optional input and as an output for createLegacyAuthAdapters

  • 2af5354: Bump dependency jose to v5

  • ff40ada: Updated dependency mysql2 to ^3.0.0.

  • 0fb419b: Updated dependency uuid to ^9.0.0. Updated dependency @types/uuid to ^9.0.0.

  • 568881f: Updated dependency yauzl to ^3.0.0.

  • 4a3d434: Added a createLegacyAuthAdapters function that can be used as a compatibility adapter for backend plugins who want to start using the new auth and httpAuth services that were created as part of BEP-0003.

    See the Auth Service Migration tutorial for more information on the usage of this adapter.

  • Updated dependencies

    • @​backstage/integration@​1.9.1
    • @​backstage/plugin-auth-node@​0.4.9
    • @​backstage/config@​1.2.0
    • @​backstage/errors@​1.2.4
    • @​backstage/backend-plugin-api@​0.6.14
    • @​backstage/backend-app-api@​0.6.0
    • @​backstage/config-loader@​1.7.0
    • @​backstage/backend-dev-utils@​0.1.4
    • @​backstage/cli-common@​0.1.13
    • @​backstage/integration-aws-node@​0.1.10
    • @​backstage/types@​1.1.1

... (truncated)

Commits


Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: https://github.com/expressjs/express/compare/4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: https://github.com/expressjs/express/compare/4.18.3...4.19.0

4.18.3

Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@0.6.0

4.18.3 / 2024-02-29

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2
  • deps: cookie@0.6.0
    • Add partitioned option

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: cookie@0.6.0
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates @adobe/css-tools from 4.3.1 to 4.3.3

Changelog

Sourced from @​adobe/css-tools's changelog.

4.3.3 / 2024-01-24

  • Update export property #271

4.3.2 / 2023-11-28

  • Fix redos vulnerability with specific crafted css string - CVE-2023-48631
  • Fix Problem parsing with :is() and nested :nth-child() #211

Commits


Updates @backstage/backend-app-api from 0.5.7 to 0.5.14

Changelog

Sourced from @​backstage/backend-app-api's changelog.

@​backstage/backend-app-api

0.6.1

Patch Changes

  • de1f45d: Temporarily revert the rate limiting
  • Updated dependencies
    • @​backstage/backend-common@​0.21.5
    • @​backstage/plugin-auth-node@​0.4.10
    • @​backstage/backend-tasks@​0.5.20
    • @​backstage/plugin-permission-node@​0.7.26
    • @​backstage/backend-plugin-api@​0.6.15
    • @​backstage/cli-common@​0.1.13
    • @​backstage/cli-node@​0.2.4
    • @​backstage/config@​1.2.0
    • @​backstage/config-loader@​1.7.0
    • @​backstage/errors@​1.2.4
    • @​backstage/types@​1.1.1

0.6.0

Minor Changes

  • 4a3d434: BREAKING: For users that have migrated to the new backend system, incoming requests will now be rejected if they are not properly authenticated (e.g. with a Backstage bearer token or a backend token). Please see the Auth Service Migration tutorial for more information on how to circumvent this behavior in the short term and how to properly leverage it in the longer term.

    Added service factories for the new auth, httpAuth, and userInfo services that were created as part of BEP-0003.

Patch Changes

  • 999224f: Bump dependency minimatch to v9
  • 81e0120: Fixed an issue where configuration schema for the purpose of redacting secrets from logs was not being read correctly.
  • 15fda44: Provide some sane defaults for WinstonLogger.create making some of the arguments optional
  • 0502d82: Updated the permissionsServiceFactory to forward the AuthService to the implementation.
  • 9d91128: Add the possibility to disable watching files in the new backend system
  • a5d341e: Adds an initial rate-limiting implementation so that any incoming requests that have a 'none' principal are rate-limited automatically.
  • 9802004: Made the DefaultUserInfoService claims check stricter
  • f235ca7: Make sure to not filter out schemas in createConfigSecretEnumerator
  • af5f7a6: The experimental feature discovery service exported at the /alpha sub-path will no longer attempt to load packages that are not Backstage backend packages.
  • Updated dependencies
    • @​backstage/backend-common@​0.21.4
    • @​backstage/plugin-auth-node@​0.4.9
    • @​backstage/config@​1.2.0
    • @​backstage/errors@​1.2.4
    • @​backstage/backend-plugin-api@​0.6.14
    • @​backstage/config-loader@​1.7.0
    • @​backstage/backend-tasks@​0.5.19
    • @​backstage/plugin-permission-node@​0.7.25
    • @​backstage/cli-node@​0.2.4
    • @​backstage/cli-common@​0.1.13

... (truncated)

Commits


Updates @octokit/webhooks from 10.9.1 to 10.9.2

Release notes

Sourced from @​octokit/webhooks's releases.

v10.9.2

10.9.2 (2023-11-14)

Bug Fixes

Commits


Updates browserify-sign from 4.2.1 to 4.2.3

Changelog

Sourced from browserify-sign's changelog.

v4.2.3 - 2024-03-05

Commits

v4.2.2 - 2023-10-25

Fixed

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2
  • [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
  • [Dev Deps] update nyc, standard, tape cc5350b
  • [Tests] always run coverage; downgrade nyc 75ce1d5
  • [meta] add safe-publish-latest dcf49ce
  • [Tests] add npm run posttest 75dd8fd
  • [Dev Deps] update tape 3aec038
  • [Tests] skip unsupported schemes 703c83e
  • [Tests] node < 6 lacks array includes 3aa43cf
  • [Dev Deps] fix eslint range 98d4e0d

Commits
  • bf2c3ec v4.2.3
  • 9247adf [patch] widen support to 0.12
  • f427270 [Deps] update `parse-asn1`
  • 87f3a35 [Dev Deps] update aud, npmignore, tape
  • fb261ce [Deps] update elliptic
  • 4d0ee49 [patch] drop minimum node support to v1
  • 9e2bf12 [Deps] pin hash-base to ~3.0, due to a breaking change
  • 168e16f [Deps] pin elliptic due to a breaking change
  • 37a4758 [actions] remove redundant finisher
  • 4af5a90 v4.2.2
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.


Updates follow-redirects from 1.15.3 to 1.15.6

Commits
  • 35a517c Release version 1.15.6 of the npm package.
  • c4f847f Drop Proxy-Authorization across hosts.
  • 8526b4a Use GitHub for disclosure.
  • b1677ce Release version 1.15.5 of the npm package.
  • d8914f7 Preserve fragment in responseUrl.
  • 6585820 Release version 1.15.4 of the npm package.
  • 7a6567e Disallow bracketed hostnames.
  • 05629af Prefer native URL instead of deprecated url.parse.
  • 1cba8e8 Prefer native URL instead of legacy url.resolve.
  • 72bc2a4 Simplify _processResponse error handling.
  • Additional commits viewable in compare view


Updates ip from 2.0.0 to 2.0.1

Commits


Updates jose from 4.15.4 to 4.15.5

Release notes

Sourced from jose's releases.

v4.15.5

Fixes

Changelog

Sourced from jose's changelog.

4.15.5 (2024-03-07)

Fixes

  • add a maxOutputLength option to zlib inflate (1b91d88)

Commits
  • 765aafd chore(release): 4.15.5
  • b36e45e test: add export check to x509 pem import tests
  • e839ecb test: stop testing JWE RSA1_5 Algorithm
  • 1b91d88 fix: add a maxOutputLength option to zlib inflate
  • 9ca2b24 build: remove release action
  • f3035d8 chore: cleanup after release
  • See full diff in compare view


Updates undici from 5.26.5 to 5.28.3

Release notes

Sourced from undici's releases.

v5.28.3

⚠️ Security Release ⚠️

Fixes:

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3

v5.28.2

What's Changed

New Contributors

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.1...v5.28.2

v5.28.1

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.0...v5.28.1

v5.28.0

What's Changed

... (truncated)

Commits
  • e71cb4c Bumped v5.28.3
  • 20c65b8 Fix tests for Node.js v20.11.0 (#2618)
  • 8ec52cd Fix tests for Node.js v21 (#2609)
  • d3aa574 Merge pull request from GHSA-3787-6prv-h9w3
  • 9a14e5f Bumped v5.28.2
  • fcdfe87 build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (#2302)
  • 169c157 build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)
  • 9788177 build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 (#2392)
  • 1f6d159 build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 (#2395)
  • a393a86 build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 (#2396)
  • Additional commits viewable in compare view


Updates webpack-dev-middleware from 5.3.3 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)

Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

  • security: do not allow to read files above (#1779) (189c4ac)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/back-stack/showcase/network/alerts).