chore(deps): bump the npm_and_yarn group across 1 directory with 31 updates

[dependabot]

Bumps the npm_and_yarn group with 25 updates in the / directory:

Package	From	To
axios	0.21.1	0.28.0
crypto-js	4.0.0	4.2.0
express	4.17.1	4.19.2
moment	2.27.0	2.29.4
mongoose	5.9.25	5.13.20
validator	13.6.0	13.7.0
json5	1.0.1	1.0.2
minimist	1.2.0	1.2.8
extract-zip	1.6.7	1.7.0
mkdirp	0.5.1	0.5.6
mocha	3.5.3	10.4.0
@babel/traverse	7.11.0	7.24.7
ajv	6.10.2	6.12.6
async	3.2.0	3.2.5
braces	3.0.2	3.0.3
nodemon	1.19.2	3.1.3
cookiejar	2.1.2	2.1.4
minimatch	3.0.4	3.1.2
jpeg-js	0.3.6	0.4.4
get-pixels	3.3.2	3.3.3
json-schema	0.2.3	0.4.0
jsprim	1.4.1	1.4.2
lodash	4.17.19	4.17.21
qs	6.5.2	6.5.3
ws	6.2.1	6.2.2

Updates axios from 0.21.1 to 0.28.0

Release notes

Sourced from axios's releases.

Release v0.28.0

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• Fixing content-type header repeated #4745
• Fixed timeout error message for HTTP 4738
• Added axios.formToJSON method (#4735)
• URL params serializer (#4734)
• Fixed toFormData Blob issue on node>v17 #4728
• Adding types for progress event callbacks #4675
• Fixed max body length defaults #4731
• Added data URL support for node.js (#4725)
• Added isCancel type assert (#4293)
• Added the ability for the url-encoded-form serializer to respect the formSerializer config (#4721)
• Add string[] to AxiosRequestHeaders type (#4322)
• Allow type definition for axios instance methods (#4224)
• Fixed AxiosError stack capturing; (#4718)
• Fixed AxiosError status code type; (#4717)
• Adding Canceler parameters config and request (#4711)
• fix(types): allow to specify partial default headers for instance creation (#4185)
• Added blob to the list of protocols supported by the browser (#4678)
• Fixing Z_BUF_ERROR when no content (#4701)
• Fixed race condition on immediate requests cancellation (#4261)
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance axios/axios#4248
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#4229)
• Fix TS definition for AxiosRequestTransformer (#4201)
• Use type alias instead of interface for AxiosPromise (#4505)
• Include request and config when creating a CanceledError instance (#4659)
• Added generic TS types for the exposed toFormData helper (#4668)
• Optimized the code that checks cancellation (#4587)
• Replaced webpack with rollup (#4596)
• Added stack trace to AxiosError (#4624)
• Updated AxiosError.config to be optional in the type definition (#4665)
• Removed incorrect argument for NetworkError constructor (#4656)

v0.27.2

Fixes and Functionality:

• Fixed FormData posting in browser environment by reverting #3785 (#4640)
• Enhanced protocol parsing implementation (#4639)
• Fixed bundle size

v0.27.1

Fixes and Functionality:

• Removed import of url module in browser build due to huge size overhead and builds being broken (#4594)
• Bumped follow-redirects to ^1.14.9 (#4615)

... (truncated)

Changelog

Sourced from axios's changelog.

0.28.0 (2024-02-12)

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• Fixing content-type header repeated #4745
• Fixed timeout error message for HTTP 4738
• Added axios.formToJSON method (#4735)
• URL params serializer (#4734)
• Fixed toFormData Blob issue on node>v17 #4728
• Adding types for progress event callbacks #4675
• Fixed max body length defaults #4731
• Added data URL support for node.js (#4725)
• Added isCancel type assert (#4293)
• Added the ability for the url-encoded-form serializer to respect the formSerializer config (#4721)
• Add string[] to AxiosRequestHeaders type (#4322)
• Allow type definition for axios instance methods (#4224)
• Fixed AxiosError stack capturing; (#4718)
• Fixed AxiosError status code type; (#4717)
• Adding Canceler parameters config and request (#4711)
• fix(types): allow to specify partial default headers for instance creation (#4185)
• Added blob to the list of protocols supported by the browser (#4678)
• Fixing Z_BUF_ERROR when no content (#4701)
• Fixed race condition on immediate requests cancellation (#4261)
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance axios/axios#4248
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#4229)
• Fix TS definition for AxiosRequestTransformer (#4201)
• Use type alias instead of interface for AxiosPromise (#4505)
• Include request and config when creating a CanceledError instance (#4659)
• Added generic TS types for the exposed toFormData helper (#4668)
• Optimized the code that checks cancellation (#4587)
• Replaced webpack with rollup (#4596)
• Added stack trace to AxiosError (#4624)
• Updated AxiosError.config to be optional in the type definition (#4665)
• Removed incorrect argument for NetworkError constructor (#4656)

0.27.2 (April 27, 2022)

Fixes and Functionality:

• Fixed FormData posting in browser environment by reverting #3785 (#4640)
• Enhanced protocol parsing implementation (#4639)
• Fixed bundle size

0.27.1 (April 26, 2022)

... (truncated)

Commits

• 3b7635a [Release] v0.28.0 (#6211)
• 27c0076 feat(backport): added ability for paramsSerializer to handle function; (#6227)
• 80c3d74 chore(ci): backported publish action; (#6224)
• 2755df5 fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to ...
• 880b42e docs: Fix a typo in README
• c4bf0a4 Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• 1e2679f fix: [Types] Type of header in AxiosRequestConfig / for Axios.create is incor...
• 80b546c fix: loosing request header (#4858) (#4871)
• 6acb5ef feat: brower platform add data protocol. (#4814)
• bbb2264 fix(typing): axios response headers can be undefined (#4813)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jasonsaayman, a new releaser for axios since your current version.

Updates crypto-js from 4.0.0 to 4.2.0

Commits

• 808f499 Merge branch 'release/4.2.0'
• d5af3ae Update release notes.
• 9496e07 Bump version.
• 421dd53 Change default hash algorithm and iteration's for PBKDF2 to prevent weak secu...
• d1f4f4d Update grunt.
• c755289 Discontinued
• 1da3dab Discontinued
• 4dcaa7a Merge pull request #380 from Alanscut/dev
• 762feb2 chore: rename BF to Blowfish
• fb81418 feat: blowfish support
• Additional commits viewable in compare view

Updates express from 4.17.1 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: [email protected] and [email protected] by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add [email protected] by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]
• deps: [email protected]
  • Add partitioned option

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: [email protected]
  • deps: [email protected]
  • perf: remove unnecessary object clone
• deps: [email protected]

4.18.1 / 2022-04-29

• Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates moment from 2.27.0 to 2.29.4

Changelog

Sourced from moment's changelog.

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

2.29.2 See full changelog

• Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

2.29.1 See full changelog

• Release Oct 6, 2020

Updated deprecation message, bugfix in hi locale

2.29.0 See full changelog

• Release Sept 22, 2020

New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

2.28.0 See full changelog

• Release Sept 13, 2020

Fix bug where .format() modifies original instance, and locale updates

Commits

• 000ac18 Build 2.24.4
• f2006b6 Bump version to 2.24.4
• 536ad0c Update changelog for 2.29.4
• 9a3b589 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
• 6374fd8 Merge branch 'master' into develop
• b4e6153 Revert "[bugfix] Fix redos in preprocessRFC2822 regex (#6015)"
• 7aebb16 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
• 57c9062 Build 2.29.3
• aaf50b6 Fixup release complaints
• 26f4aef Bump version to 2.29.3
• Additional commits viewable in compare view

Updates mongoose from 5.9.25 to 5.13.20

Changelog

Sourced from mongoose's changelog.

8.4.1 / 2024-05-31

• fix: pass options to clone instead of get in applyVirtuals #14606 #14543 andrews05
• fix(document): fire pre validate hooks on 5 level deep single nested subdoc when modifying after save() #14604 #14591
• fix: ensure buildBulkWriteOperations target shard if shardKey is set #14622 #14621 matlpriceshape
• types: pass DocType down to subdocuments so HydratedSingleSubdocument and HydratedArraySubdocument toObject() returns correct type #14612 #14601

7.6.12 / 2024-05-21

• fix(array): avoid converting to $set when calling pull() on an element in the middle of the array #14531 #14502
• fix: bump mongodb driver to 5.9.2 #14561 lorand-horvath
• fix(update): cast array of strings underneath doc array with array filters #14605 #14595

8.4.0 / 2024-05-17

• feat: upgrade mongodb -> 6.6.2 #14584
• feat: add transactionAsyncLocalStorage option to opt in to automatically setting session on all transactions #14583 #13889
• feat: handle initially null driver when instantiating Mongoose for Rollup support #14577 #12335
• feat(mongoose): export omitUndefined() helper #14582 #14569
• feat: add Model.listSearchIndexes() #14519 #14450
• feat(connection): add listDatabases() function #14506 #9048
• feat(schema): add schema-level readConcern option to apply default readConcern for all queries #14579 #14511
• fix(error): remove model property from CastError to avoid printing all model properties to console #14568 #14529
• fix(model): make bulkWrite() and insertMany() throw if throwOnValidationError set and all ops invalid #14587 #14572
• fix(document): ensure transform function passed to toObject() options applies to subdocs #14600 #14589
• types: add inferRawDocType helper #13900 #13772
• types(document): make document _id type default to unknown instead of any #14541

8.3.5 / 2024-05-15

• fix(query): shallow clone $or, $and if merging onto empty query filter #14580 #14567
• types(model+query): pass TInstanceMethods to QueryWithHelpers so populated docs have methods #14581 #14574
• docs(typescript): clarify that setting THydratedDocumentType on schemas is necessary for correct method context #14575 #14573

8.3.4 / 2024-05-06

• perf(document): avoid cloning options using spread operator for perf reasons #14565 #14394
• fix(query): apply translateAliases before casting to avoid strictMode error when using aliases #14562 #14521
• fix(model): consistent top-level timestamps option for bulkWrite operations #14546 #14536
• docs(connections): improve description of connection creation patterns #14564 #14528

8.3.3 / 2024-04-29

• perf(document): add fast path for applying non-nested virtuals to JSON #14543
• fix: make hydrate() recursively hydrate virtual populate docs if hydratedPopulatedDocs is set #14533 #14503
• fix: improve timestamps option handling in bulkWrite #14546 #14536 sderrow
• fix(model): make recompileSchema() overwrite existing document array discriminators #14527
• types(schema): correctly infer Array #14534 #14367
• types(query+populate): apply populate overrides to doc toObject() result #14525 #14441

... (truncated)

Commits

• 0f3997a chore: release 5.13.20
• f1efabf fix: avoid prototype pollution on init
• 98e0762 chore: release 5.13.19
• 7e36d21 chore: release 5.13.18
• 6759c60 undo accidental changes and actually pin @​types/json-schema
• 4ed4a89 chore: pin version of @​types/json-schema because of install issues on node v4...
• 9a9536d Merge pull request #13535 from lorand-horvath/patch-12
• 26424d5 5.x - bump mongodb driver to 3.7.4
• 4b8b0a9 add versionNumber to 5.x
• 1bc07ec chore: release 5.13.17
• Additional commits viewable in compare view

Updates validator from 13.6.0 to 13.7.0

Release notes

Sourced from validator's releases.

13.7.0

13.7.0

New Features

• #1706 isISO4217, currency code validator @​jpaya17

Fixes and Enhancements

• #1647 isFQDN: add allow_wildcard option @​fasenderos
• #1654 isRFC3339: Disallow prepended and appended strings to RFC 3339 date-time @​jmacmahon
• #1658 maintenance: increase code coverage @​tux-tn
• #1669 IBAN export list of country codes that implement IBAN @​dror-heller @​fedeci
• #1676 isBoolean: add loose option @​brybrophy
• #1697 maintenance: fix npm installation error @​rubiin
• #1708 isISO31661Alpha3: perf @​jpaya17
• #1711 isDate: allow users to strictly validate dates with . as delimiter @​flymans
• #1715 isCreditCard: fix for Union Pay cards @​shreyassai123
• #1718 isEmail: replace all dots in GMail length validation @​DasDingGehtNicht
• #1721 isURL: add allow_fragments and allow_query_components @​cowboy-bebug
• #1724 isISO31661Alpha2: perf @​jpaya17
• #1730 isMagnetURI @​tux-tn
• #1738 trim: remove regex to prevent ReDOS attack @​tux-tn
• #1747 maintenance: run scripts in parallel for build and clean @​sachinraja
• #1748 isURL: higher priority to whitelist @​deepanshu2506
• #1751 isURL: allow url with colon and no port @​MatteoPierro
• #1777 isUUID: fix for null version argument @​theteladras
• #1799 isFQDN: check more special chars @​MatteoPierro
• #1833 isURL: allow URL with an empty user @​MiguelSavignano
• #1835 unescape: fixed bug where intermediate string contains escaped @​Marcholio
• #1836 contains: can check that string contains seed multiple times @​Marcholio
• #1844 docs: add CDN instructions @​luiscobits
• #1848 isUUID: add support for validation of v1 and v2 @​theteladras
• #1941 isEmail: add host_blacklist option @​fedeci

New and Improved Locales

• isAlpha, isAlphanumeric:

  • #1716 hi-IN @​MiKr13
  • #1837 fi-FI @​Marcholio

• isPassportNumber:

  • #1656 ID @​rubiin
  • #1714 CN @​anirudhgiri
  • #1809 PL @​Ronqn
  • #1810 RU @​Theta-Dev

• isPostalCode:

  • #1788 LK @​nimanthadilz

... (truncated)

Changelog

Sourced from validator's changelog.

13.7.0

New Features

• #1706 isISO4217, currency code validator @​jpaya17

Fixes and Enhancements

• #1647 isFQDN: add allow_wildcard option @​fasenderos
• #1654 isRFC3339: Disallow prepended and appended strings to RFC 3339 date-time @​jmacmahon
• #1658 maintenance: increase code coverage @​tux-tn
• #1669 IBAN export list of country codes that implement IBAN @​dror-heller @​fedeci
• #1676 isBoolean: add loose option @​brybrophy
• #1697 maintenance: fix npm installation error @​rubiin
• #1708 isISO31661Alpha3: perf @​jpaya17
• #1711 isDate: allow users to strictly validate dates with . as delimiter @​flymans
• #1715 isCreditCard: fix for Union Pay cards @​shreyassai123
• #1718 isEmail: replace all dots in GMail length validation @​DasDingGehtNicht
• #1721 isURL: add allow_fragments and allow_query_components @​cowboy-bebug
• #1724 isISO31661Alpha2: perf @​jpaya17
• #1730 isMagnetURI @​tux-tn
• #1738 rtrim: remove regex to prevent ReDOS attack @​tux-tn
• #1747 maintenance: run scripts in parallel for build and clean @​sachinraja
• #1748 isURL: higher priority to whitelist @​deepanshu2506
• #1751 isURL: allow url with colon and no port @​MatteoPierro
• #1777 isUUID: fix for null version argument @​theteladras
• #1799 isFQDN: check more special chars @​MatteoPierro
• #1833 isURL: allow URL with an empty user @​MiguelSavignano
• #1835 unescape: fixed bug where intermediate string contains escaped @​Marcholio
• #1836 contains: can check that string contains seed multiple times @​Marcholio
• #1844 docs: add CDN instructions @​luiscobits
• #1848 isUUID: add support for validation of v1 and v2 @​theteladras
• #1941 isEmail: add host_blacklist option @​fedeci

New and Improved Locales

• isAlpha, isAlphanumeric:

  • #1716 hi-IN @​MiKr13
  • #1837 fi-FI @​Marcholio

• isPassportNumber:

  • #1656 ID @​rubiin
  • #1714 CN @​anirudhgiri
  • #1809 PL @​Ronqn
  • #1810 RU @​Theta-Dev

• isPostalCode:

  • #1788 LK @​nimanthadilz

• isIdentityCard:

... (truncated)

Commits

• 47ee5ad 13.7.0
• 496fc8b fix(rtrim): remove regex to prevent ReDOS attack (#1738)
• 45901ec Merge pull request #1851 from validatorjs/chore/fix-merge-conflicts
• 83cb7f8 chore: merge conflict clean-up
• f17e220 feat(isMobilePhone): add El Salvador es-SV locale
• 5b06703 feat(isMobilePhone): add Palestine ar-PS locale
• a3faa83 feat(isMobilePhone): add Botswana en-BW locale
• 26605f9 feat(isMobilePhone): add Turkmenistan tk-TM
• 0e5d5d4 feat(isMobilePhone): add Guyana en-GY locale
• f7ff349 feat(isMobilePhone): add Frech Polynesia fr-PF locale
• Additional commits viewable in compare view

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

• Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

• a62db1e 1.0.2
• e0c23fe docs: update CHANGELOG for v1.0.2
• 62a6540 fix: add proto to objects and arrays
• See full diff in compare view

Updates minimist from 1.2.0 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [esli...

  Description has been truncated

[dependabot]

Superseded by #105.