build(deps): bump the npm_and_yarn group across 1 directories with 16 updates

[dependabot[bot]]

Bumps the npm_and_yarn group with 14 updates in the /. directory:

Package	From	To
dustjs-linkedin	2.5.0	3.0.0
express-fileupload	0.0.5	1.4.0
jquery	2.2.4	3.5.0
lodash	4.17.4	4.17.21
ms	0.7.3	2.0.0
snyk	1.278.1	1.1064.0
debug	4.1.1	4.3.4
express	4.12.4	4.18.2
qs	6.5.2	6.11.0
body-parser	1.9.0	1.20.2
handlebars	4.0.11	4.7.7
hbs	4.0.4	4.2.0
minimist	0.0.8	1.2.8
tap	11.1.5	18.7.0

Updates dustjs-linkedin from 2.5.0 to 3.0.0

Release notes

Sourced from dustjs-linkedin's releases.

v3.0.0

What's Changed

• Bump deps by @​sethkinast in linkedin/dustjs#734
• Prioritize resolution of .then by @​brianmhunt in linkedin/dustjs#736
• Don't use instanceof to determine if a Context is a Context by @​sethkinast in linkedin/dustjs#744
• place location provided by peg 0.9 onto the AST by @​jimmyhchan in linkedin/dustjs#706
• {?exists} and {^exists} now supports values from a promise by @​samuelms1 in linkedin/dustjs#753
• Decrease security vulnerabilities by upgrading cli dependency (#754 #748) by @​danactive in linkedin/dustjs#756
• fix: Security bug about prototype pollution by @​sumeetkakkar in linkedin/dustjs#805

New Contributors

• @​brianmhunt made their first contribution in linkedin/dustjs#736
• @​samuelms1 made their first contribution in linkedin/dustjs#753
• @​danactive made their first contribution in linkedin/dustjs#756
• @​sumeetkakkar made their first contribution in linkedin/dustjs#805

Full Changelog: https://github.com/linkedin/dustjs/compare/v2.7.2...v3.0.0

v2.7.2

Notable Changes

Filters

Dust filter functions previously took one argument, the string to filter. They now accept a second argument, which is the current context.

Helpers

Dust helpers can now return primitives.

Helpers act like references or sections depending on if they have a body. When they have no body, they act like a reference and look in params.filters for filters to use. When they have a body, they act like a section. You can return thenables and streams normally.

{@return value="" filters="|s" /} 
{@return value=""}{.} World{/return}

v2.7.1

Notable Changes

dust.config.cache

In previous versions, setting dust.config.cache to false would blow away the entire cache on every render. Now, setting it to false just prevents new templates from being added and cached templates from being used. Setting it back to true means that previously-cached templates will be ready to use.

dust.onLoad

We have added a callback(null, compiledTemplate) signature to dust.onLoad.

Calling the onLoad callback with a compiled template function will use this template to satisfy the load request. The template is not automatically registered under any name when passed to the callback, so the onLoad function should handle registration as it needs.

You can still call the callback with uncompiled template source and Dust will compile and store it, while respecting your dust.config.cache setting.

... (truncated)

Changelog

Sourced from dustjs-linkedin's changelog.

v3.0.0 (2021/10/20 22:56 +00:00)

• #805 fix: Security bug about prototype pollution (@​sumeetkakkar)

list (2016/12/08 20:15 +00:00)

• #756 Decrease security vulnerabilities by upgrading cli dependency (#754 #748) (@​danactive)
• #753 {?exists} and {^exists} resolve Promises and check if the result exists (#753) (@​samuelms1)

v2.7.4 (2016/09/13 02:52 +00:00)

• #744 Don't use instanceof to determine if a Context is a Context. Instead use a flag on the instance itself so it can survive object merges. (@​sethkinast)

v2.6.3 (2016/07/26 18:03 +00:00)

• #736 Prioritize resolution of .then (@​brianmhunt)
• #735 Prioritize .then on thenable functios (#735) (@​brianmhunt)
• #734 Bump deps (@​sethkinast)
• #703 Upgrade to peg.js 0.9 (@​sethkinast)
• #705 When rendering with a Context object, use the templateName provided by the template (@​sethkinast)
• #701 Fix stacktrace logging for IE8 (@​sethkinast)
• #700 At DEBUG loglevel, log the full stack trace on errors (@​r1b)
• #690 Update deps (@​sethkinast)
• #689 Make the AMD loader pass the template directly rather than communicating via the cache (@​aredridel)

v2.7.2 (2015/06/08 20:41 +00:00)

• #673 Pass the current context to filters (@​sethkinast)
• #676 If a Promise is resolved with an array, iterate over it instead of rendering the whole array at once.

Closes #674 (@​sethkinast)

• #647 Allow helpers to return primitives

Previously returning a primitive would crash rendering with no way to recover. You can still return a Chunk and do more complex work if you need to.

Helpers act like references or sections depending on if they have a body. When they have no body, they act like a reference and look in params.filters for filters to use. When they have a body, they act like a section. You can return thenables and streams normally.

{@​return value="" filters="|s" /} {@​return value=""}{.} World{/return}

Closes #645 (@​sethkinast)

• #664 Be slightly pickier about what Dust thinks a Stream is.

Closes #663 (@​sethkinast)

• #661 Add saucelabs integration (@​sethkinast)
• #658 Refactor testing frameworks

Closes #649 Closes #602 Closes #642 (@​sethkinast)

• #660 Grammar: s/char/character/ to avoid using a reserved name

Closes #659 (@​sethkinast)

v2.7.1 (2015/04/30 20:32 +00:00)

• #655 Update CommonJS example to make use of new onLoad behavior (@​sethkinast)
• #653 Fix array iteration when context is undefined (@​sethkinast)
• #641 Add a cb(null, compiledTemplate) signature to dust.onLoad

Calling the onLoad callback with a compiled template function will use this template to satisfy the load request. The template is not automatically registered under any name when passed to the callback, so the onLoad function should handle registration as it needs.

dust.cache behavior has been changed slightly. Before, setting it to false would blow away the entire cache on every render. Now, setting it to false just prevents new templates from being added and cached templates from being used, but if it's set to true again previously-cached templates will be ready to use. (@​sethkinast)

• #650 Pin jasmine@2.2.x for grunt-jasmine-nodejs (@​sethkinast)
• #646 Update AMD and CommonJS examples (@​sethkinast)
• #637 CommonJS example (@​sethkinast)
• #638 Preserve compiler backwards compatibility with pre-2.7 versions (@​sethkinast)
• #639 Fix failing test on Windows (@​sethkinast)

v2.7.0 (2015/04/17 23:23 +00:00)

• #636 Fix failing tests in IE8 (@​sethkinast)
• #633 Drop Node 0.8 (@​sethkinast)
• #635 Resolve dynamic partial names via original context (@​sethkinast)
• #631 Try to avoid creating Stacks with no content when possible (@​sethkinast)
• #613 Refactor template compilation

• dust.render and dust.stream now accept a compiled template function in addition to a template name.
• dust.compile no longer requires a template name, and will compile an anonymous template without one (so --name is no longer required for dustc either)
• dust.load is removed from the public API
• dust.renderSource is moved to the compiler, so it's only included in dust-full now (Fixes #412)
• dust.compileFn is moved to the compiler, so it's only included in dust-full now
• add dust.isTemplateFn
• add dust.config.cache = true, set to false to disable caching and load templates again every time (Fixes #451)
• add dust.config.cjs = false, set to true to compile templates as CommonJS modules
• add --cjs flag to dustc
• Move a bunch of exposed compiler stuff under dust.compiler (but leave it exposed until 2.8) (@​sethkinast)

• #624 dustc always creates templates with forward slashes (@​sethkinast)
• #617 Add chunk.stream to allow streamables in context (@​sethkinast)
• #610 clean up PEG grammar a little bit (@​sethkinast)
• #622 Fix behavior of Context#resolve when resolving a context function that returns a Chunk (@​sethkinast)

... (truncated)

Commits

• 2e8795c Release v3.0.0
• 6f98371 merge from 2.7
• db6d8b9 Merge pull request #805 from sumeetkakkar/fix/proto-pollution
• ddb6523 fix for prototype pollution vulnerability
• 822222e Release v2.7.5
• d0f955d Decrease security vulnerabilities by upgrading cli dependency (#754 #748)
• e0e25f7 Merge pull request #756 from danactive/master
• eeb1c17 Decrease security vulnerabilities by upgrading cli dependency (#754 #748)
• d485a72 {?exists} and {^exists} resolve Promises and check if the result exists (#753)
• 9a08207 Release v2.7.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by krakenjs, a new releaser for dustjs-linkedin since your current version.

Updates express-fileupload from 0.0.5 to 1.4.0

Release notes

Sourced from express-fileupload's releases.

v1.4.0

What's Changed

• Bump minimist from 1.2.5 to 1.2.6 by @​dependabot in richardgirges/express-fileupload#310
• Upgrade busboy version by @​duterte in richardgirges/express-fileupload#315

New Contributors

• @​dependabot made their first contribution in richardgirges/express-fileupload#310
• @​duterte made their first contribution in richardgirges/express-fileupload#315

Full Changelog: https://github.com/richardgirges/express-fileupload/compare/v1.3.1...v1.4.0

1.3.1

Updates

• Have promiseCallback make callbacks and promises behave the same (#302)
• Fix prototype pollution in utilities.js (#301)
• Switch to CircleCI (ddf553060a1041c1f36a696b1ae8b52d24083140)
• End support for Node versions < 12 (ab3d252a28c8eb1c003528fecc5e1ef38f8954c3)

1.2.1

Updates:

• (Fix) Stopped additional responses from being sent if a limit handler exists (#264)
• Unhandled promise rejection warning (#257)
• Changed example (#255)
• Passing a Buffer body will pollute req.body when used along with processNested (#291)

1.2.0

Bug Fixes

#241 Cleanup temporary files - @​nusu

1.1.10

Updates:

Additional prototype-pollution security fix when using processNested (#239)

1.1.9

Updates:

Second prototype pollution security vulnerability fix when using processNested (#236)

1.1.8

Updates:

Fixed prototype pollution security vulnerability when using processNested (#236)

1.1.7-alpha.4

Updates:

• Updated README.md thanks to @​tycrek , @​eartharoid, @​Code42Cate
• Some code refactoring to make it lighter and more readable.
• Updated dependencies.

Fixes:

• Fix empty file issue(#226)
• Fix temp file write timing issue(#184). Thanks to @​somewind

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by richardgirges, a new releaser for express-fileupload since your current version.

Updates jquery from 2.2.4 to 3.5.0

Release notes

Sourced from jquery's releases.

jQuery 3.5.0 Released!

See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

Commits

• 7a0a850 3.5.0
• 8570a08 Release: Update AUTHORS.txt
• da3dd85 Ajax: Do not execute scripts for unsuccessful HTTP responses
• 065143c Ajax: Overwrite s.contentType with content-type header value, if any
• 1a4f10d Tests: Blacklist one focusin test in IE
• 9e15d6b Event: Use only one focusin/out handler per matching window & document
• 966a709 Manipulation: Skip the select wrapper for <option> outside of IE 9
• 1d61fd9 Manipulation: Make jQuery.htmlPrefilter an identity function
• 04bf577 Selector: Update Sizzle from 2.3.4 to 2.3.5
• 7506c9c Build: Resolve Travis config warnings
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mgol, a new releaser for jquery since your current version.

Updates lodash from 4.17.4 to 4.17.21

Commits

• f299b52 Bump to v4.17.21
• c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
• 3469357 Prevent command injection through _.template's variable option
• ded9bc6 Bump to v4.17.20.
• 63150ef Documentation fixes.
• 00f0f62 test.js: Remove trailing comma.
• 846e434 Temporarily use a custom fork of lodash-cli.
• 5d046f3 Re-enable Travis tests on 4.17 branch.
• aa816b3 Remove /npm-package.
• d7fbc52 Bump to v4.17.19
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates ms from 0.7.3 to 2.0.0

Release notes

Sourced from ms's releases.

2.0.0

Major Changes

• Limit str to 100 to avoid ReDoS of 0.3s: #89

Patches

• Ignored logs coming from npm: b1eaab752203e978492a4d540a7ae1d26e6306b1
• Bumped dependencies to the latest version: bcf57157678fd5afc691383145a35e116f9704d0
• Invalidated cache for slack badge: 94b995c1d6d5d13ec976a0c6849a3cca9b277e6b

Credits

Huge thanks to @​karenyavine for their help!

1.0.0

Major Changes

• Removed component specification: 1fbbe974cdcad96e592dcb65a7b2a8649f690420

Patches

• Test on LTS version of Node: c9b1fd319f0f9198d85ecf4ba83e46cc1216be04
• Removed XO: 94068ea6d518387670df277f740b1abada80ed48
• Use prettier and eslint: 57b3ef8e3423cae6254f94c5564a11b4492cff43
• Badge for XO removed: 389840b329436117741b2ef13a172725082695b9
• Removed browser testing: e818c3581aca3119c00d81901bfe8fe653bcfda4
• More suitable name for file containing tests: ee91f307a8dc3581ebdad614ec0533ddb3d8bf56

Commits

• 9b88d15 2.0.0
• 94b995c Invalidated cache for slack badge
• bcf5715 Bumped dependencies to the latest version
• b1eaab7 Ignored logs coming from npm
• caae298 Limit str to 100 to avoid ReDoS of 0.3s (#89)
• b83b36d chore(package): update eslint to version 3.19.0 (#88)
• 3f2a4d7 chore(package): update husky to version 0.13.3 (#86)
• 7daf984 1.0.0
• ee91f30 More suitable name for file containing tests
• e818c35 Removed browser testing
• Additional commits viewable in compare view

Updates snyk from 1.278.1 to 1.1064.0

Commits

• bd96e74 Merge pull request #4221 from snyk/fix/quote-args
• 80d97a9 fix: escape child process arguments
• c028b50 Merge pull request #4216 from snyk/feat/unmanaged-deps-severity-threshold
• cc329fd feat: support sev.threshold for unm.-deps
• 3daf5c7 Merge pull request #4214 from snyk/feat/base64-default
• 2df2037 Merge pull request #4219 from snyk/fix/gradle-use-lenient-config
• afc1ccb fix: use lenient config in gradle plugin
• 85bb57f Merge pull request #4215 from snyk/feat/upgrade-policy-engine-v0.12.2
• ef864be feat: upgrade snyk-iac-test to v0.37.0
• 369fe11 feat: base64 default for sast analysis
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by snyk-admin, a new releaser for snyk since your current version.

Updates debug from 4.1.1 to 4.3.4

Release notes

Sourced from debug's releases.

4.3.4

What's Changed

• Add section about configuring JS console to show debug messages by @​gitname in debug-js/debug#866
• Replace deprecated String.prototype.substr() by @​CommanderRoot in debug-js/debug#876

New Contributors

• @​gitname made their first contribution in debug-js/debug#866
• @​CommanderRoot made their first contribution in debug-js/debug#876

Full Changelog: https://github.com/debug-js/debug/compare/4.3.3...4.3.4

4.3.3

Patch Release 4.3.3

This is a documentation-only release. Further, the repository was transferred. Please see notes below.

• Migrates repository from https://github.com/visionmedia/debug to https://github.com/debug-js/debug. Please see notes below as to why this change was made.
• Updates repository maintainership information
• Updates the copyright (no license terms change has been made)
• Removes accidental epizeuxis (#828)
• Adds README section regarding usage in child procs (#850)

Thank you to @​taylor1791 and @​kristofkalocsai for their contributions.

---

Repository Migration Information

I've formatted this as a FAQ, please feel free to open an issue for any additional question and I'll add the response here.

Q: What impact will this have on me?

In most cases, you shouldn't notice any change.

The only exception I can think of is if you pull code directly from https://github.com/visionmedia/debug, e.g. via a "debug": "visionmedia/debug"-type version entry in your package.json - in which case, you should still be fine due to the automatic redirection Github sets up, but you should also update any references as soon as possible.

Q: What are the security implications of this change?

If you pull code directly from the old URL, you should update the URL to https://github.com/debug-js/debug as soon as possible. The old organization has many approved owners and thus a new repository could (in theory) be created at the old URL, circumventing Github's automatic redirect that is in place now and serving malicious code. I (@​qix-) also wouldn't have access to that repository, so while I don't think it would happen, it's still something to consider.

Even in such a case, however, the officially released package on npm (debug) would not be affected. That package is still very much under control (even more than it used to be).

Q: What should I do if I encounter an issue related to the migration?

Search the issues first to see if someone has already reported it, and then open a new issue if someone has not.

Q: Why was this done as a 'patch' release? Isn't this breaking?

No, it shouldn't be breaking. The package on npm shouldn't be affected (aside from this patch release) and any references to the old repository should automatically redirect.

Thus, according to all of the "APIs" (loosely put) involved, nothing should have broken.

... (truncated)

Commits

• da66c86 4.3.4
• 9b33412 replace deprecated String.prototype.substr() (#876)
• c0805cc add section about configuring JS console to show debug messages (#866)
• 043d3cd 4.3.3
• 4079aae update license and more maintainership information
• 19b36c0 update repository location + maintainership information
• f851b00 adds README section regarding usage in child procs (#850)
• d177f2b Remove accidental epizeuxis
• e47f96d 4.3.2
• 1e9d38c cache enabled status per-logger (#799)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by qix, a new releaser for debug since your current version.

Updates express from 4.12.4 to 4.18.2

Release notes

Sourced from express's releases.

4.18.2

• Fix regression routing a large stack in a single route
• deps: body-parser@1.20.1
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• deps: qs@6.11.0

4.18.1

• Fix hanging on large stack of sync routes

4.18.0

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: body-parser@1.20.0
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
• deps: cookie@0.5.0
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: finalhandler@1.2.0
  • Remove set content headers that break response
  • deps: on-finished@2.4.1
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
  • Prevent loss of async hooks context
• deps: qs@6.10.3
• deps: send@0.18.0
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: depd@2.0.0
  • deps: destroy@1.2.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1

... (truncated)

Changelog

Sourced from express's changelog.

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: body-parser@1.20.1
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• deps: qs@6.11.0

4.18.1 / 2022-04-29

• Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get
• Invoke default with same arguments as types in res.format
• Support proper 205 responses using res.send
• Use http-errors for res.format error
• deps: body-parser@1.20.0
  • Fix error message for json parse whitespace in strict
  • Fix internal error when inflated body exceeds limit
  • Prevent loss of async hooks context
  • Prevent hanging when request already read
  • deps: depd@2.0.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1
  • deps: qs@6.10.3
  • deps: raw-body@2.5.1
• deps: cookie@0.5.0
  • Add priority option
  • Fix expires option to reject invalid dates
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: finalhandler@1.2.0
  • Remove set content headers that break response
  • deps: on-finished@2.4.1
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
  • Prevent loss of async hooks context
• deps: qs@6.10.3
• deps: send@0.18.0

... (truncated)

Commits

• 8368dc1 4.18.2
• 61f4049 docs: replace Freenode with Libera Chat
• bb7907b build: Node.js@18.10
• f56ce73 build: supertest@6.3.0
• 24b3dc5 deps: qs@6.11.0
• 689d175 deps: body-parser@1.20.1
• 340be0f build: eslint@8.24.0
• 33e8dc3 docs: use Node.js name style
• 644f646 build: supertest@6.2.4
• ecd7572 build: Node.js@14.20
• Additional commits viewable in compare view

Updates xml2js from 0.4.19 to 0.4.23

Commits

• See full diff in compare view

Updates qs from 6.5.2 to 6.11.0

Changelog

Sourced from qs's changelog.

6.11.0

• [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#442)
• [readme] fix version badge

6.10.5

• [Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#434)

6.10.4

• [Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#441)
• [meta] use npmignore to autogenerate an npmignore file
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

6.10.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [actions] reuse common workflows
• [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

6.10.2

• [Fix] stringify: actually fix cyclic references (#426)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#408)
• [actions] update codecov uploader
• [actions] update workflows
• [Tests] clean up stringify tests slightly
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

6.10.1

• [Fix] stringify: avoid exception on repeated object values (#402)

6.10.0

• [New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393)
• [New] parse: add allowSparse option for collapsing arrays with missing indices (#312)
• [meta] fix README.md (#399)
• [meta] only run npm run dist in publish, not install
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape
• [Tests] fix tests on node v0.6
• [Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run
• [Tests] Revert "[meta] ignore eclint transitive audit warning"

6.9.7

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#408)
• [Tests] clean up stringify tests slightly
• [meta] fix README.md (#399)
• Revert "[meta] ignore eclint transitive audit warning"

... (truncated)

Commits

• 56763c1 v6.11.0
• ddd3e29 [readme] fix version badge
• c313472 [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option
• 95bc018 v6.10.5
• 0e903c0 [Fix] stringify: with arrayFormat: comma, properly include an explicit `[...
• ba9703c v6.10.4
• 4e44019 [Fix] stringify: with arrayFormat: comma, include an explicit [] on a s...
• 113b990 [Dev Deps] update object-inspect
• c77f38f [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, tape
• 2cf45b2 [meta] use npmignore to autogenerate an npmignore file
• Additional commits viewable in compare view

Updates body-parser from 1.9.0 to 1.20.2

Release notes

Sourced from body-parser's releases.

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3
• deps: raw-body@2.5.1
  • deps: http-errors@2.0.0

1.19.2

• deps: bytes@3.1.2
• deps: qs@6.9.7
  • Fix handling of __proto__ keys
• deps: raw-body@2.4.3
  • deps: bytes@3.1.2

1.19.1

• deps: bytes@3.1.1
• deps: http-errors@1.8.1
  • deps: inherits@2.0.4
  • deps: toidentifier@1.0.1
  • deps: setprototypeof@1.2.0
• deps: qs@6.9.6
• deps: raw-body@2.4.2
  • deps: bytes@3.1.1
  • deps: http-errors@1.8.1
• deps: safe-buffer@5.2.1
• deps: type-is@~1.6.18

1.19.0

• deps: bytes@3.1.0
  • Add petabyte (pb) support
• deps: http-errors@1.7.2

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1 / 2022-10-06

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0 / 2022-04-02

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3
• deps: raw-body@2.5.1
  • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

• deps: bytes@3.1.2
• deps: qs@6.9.7
  • Fix handling of __proto__ keys
• deps: raw-body@2.4.3
  • deps: bytes@3.1.2

1.19.1 / 2021-12-10

• deps: bytes@3.1.1
• deps: http-errors@1.8.1
  • deps: inherits@2.0.4
  • deps: toidentifier@1.0.1
  • deps: setprototypeof@1.2.0
• deps: qs@6.9.6

... (truncated)

Commits

• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• 0385872 deps: raw-body@2.5.2
• 2c35b41 build: eslint@8.34.0
• f0646c2 build: Node.js@18.14
• f345fb1 build: Node.js@14.21
• 6842efc deps: content-type@~1.0.5
• 5af7315 build: eslint-plugin-promise@6.1.1
• 8e605b3 build: supertest@6.3.3
• cba6e77 build: mocha@10.2.0
• Additional commits viewable in compare view

Updates handlebars from 4.0.11 to 4.7.7

Changelog

Sourced from handlebars's changelog.

v4.7.7 - February 15th, 2021

• fix weird error in integration tests - eb860c0
• fix: check prototype property access in strict-mode (#1736) - b6d3de7
• fix: escape property names in compat mode (#1736) - f058970
• refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
• chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

• the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

v4.7.6 - April 3rd, 2020

Chore/Housekeeping:

• #1672 - Switch cmd parser to latest minimist (@​dougwilson

Compatibility notes:

• Restored Node.js compatibility

Commits

v4.7.5 - April 2nd, 2020

Chore/Housekeeping:

• Node.js version support has been changed to v6+ Reverted in 4.7.6

Compatibility notes:

• Node.js < v6 is no longer supported Reverted in 4.7.6

Commits

v4.7.4 - April 1st, 2020

Chore/Housekeeping:

• dependabot[bot] commented 9 months ago

  This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.