chore(deps): bump qs, express and @cypress/request in /frontend by dependabot[bot] · Pull Request #3842 · CrowdDotDev/crowd.dev

dependabot · 2026-02-12T22:24:19Z

Bumps qs to 6.14.2 and updates ancestor dependencies qs, express and @cypress/request. These dependencies need to be updated together.

Updates qs from 6.14.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

Commits

bdcf0c7 v6.14.2
294db90 [readme] document that addQueryPrefix does not add ? to empty output
5c308e5 [readme] clarify parseArrays and arrayLimit documentation
6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
1b9a8b4 [actions] fix rebase workflow permissions
2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
Additional commits viewable in compare view

Updates express from 4.19.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 4.22.1 by @UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for Node.js@23.0 by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: qs@6.14.0 by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: qs@6.14.0

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

12fae14 4.22.1
5ddf311 Revert "sec: security patch for CVE-2024-51999"
49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
6a23d34 deps: use tilde notation for qs (#6919)
8c12cdf deps: qs@6.14.0 (#6909)
7fea74f deps: use tilde notation for certain dependencies (#6905)
dac7a04 chore: wider range for query test skip (#6513)
997919b ci: add node.js 24 to test matrix (#6506)
36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates @cypress/request from 3.0.8 to 3.0.10

Release notes

Sourced from @cypress/request's releases.

v3.0.10

3.0.10 (2026-01-05)

Bug Fixes

release cypress-io/request#97 (#102) (e783d90)

v3.0.9

3.0.9 (2025-07-24)

Bug Fixes

update patch version of form-data to address new critical Snyk vulnerability (a2f3199)

Commits

e783d90 fix: release cypress-io/request#97 (#102)
e3d6845 chore: fix approval/release job (#100)
cea7bc6 chore: fix broken circle context (#99)
a5253c3 Merge pull request #97 from hmaesta/master
6cc9dde commig yarn.lock
d0c69d2 chore(deps): allow qs patch versions
72bbc6b chore(deps): update qs to v6.14.1
e02f5cb chore: use npm credentials context (#95)
3cffd53 Merge pull request #88 from ahayes91/update-form-data
7c424d5 chore: fix lint issue
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Primarily dependency and lockfile updates with no application code changes; main risk is unexpected behavior differences in updated transitive HTTP/server tooling used by dev/test dependencies.

Overview
Updates frontend dependency qs to 6.14.2 and refreshes package-lock.json accordingly.

Lockfile changes also pull in newer express (4.19.2 → 4.22.1) and @cypress/request (3.0.8 → 3.0.10) plus related transitive bumps (e.g., body-parser, cookie, send, serve-static, finalhandler) and metadata tweaks (licenses/funding flags, dev/optional markers).

^{Written by Cursor Bugbot for commit 4d8a6ad. This will update automatically on new commits. Configure here.}

Bumps [qs](https://github.com/ljharb/qs) to 6.14.2 and updates ancestor dependencies [qs](https://github.com/ljharb/qs), [express](https://github.com/expressjs/express) and [@cypress/request](https://github.com/cypress-io/request). These dependencies need to be updated together. Updates `qs` from 6.14.1 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.1...v6.14.2) Updates `express` from 4.19.2 to 4.22.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md) - [Commits](expressjs/express@4.19.2...v4.22.1) Updates `@cypress/request` from 3.0.8 to 3.0.10 - [Release notes](https://github.com/cypress-io/request/releases) - [Changelog](https://github.com/cypress-io/request/blob/master/CHANGELOG.md) - [Commits](cypress-io/request@v3.0.8...v3.0.10) --- updated-dependencies: - dependency-name: qs dependency-version: 6.14.2 dependency-type: direct:production - dependency-name: express dependency-version: 4.22.1 dependency-type: indirect - dependency-name: "@cypress/request" dependency-version: 3.0.10 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-02-12T22:24:29Z

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

feat: add user authentication (CM-123)
feat: add user authentication (IN-123)

Projects:

CM: Community Data Platform
IN: Insights

Please add a Jira issue key to your PR title.

github-actions · 2026-02-12T22:24:34Z

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

feat: add user authentication (CM-123)
feat: add user authentication (IN-123)

Projects:

CM: Community Data Platform
IN: Insights

Please add a Jira issue key to your PR title.

github-actions · 2026-02-12T22:24:45Z

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

feat: add user authentication (CM-123)
feat: add user authentication (IN-123)

Projects:

CM: Community Data Platform
IN: Insights

Please add a Jira issue key to your PR title.

github-actions · 2026-02-23T12:19:00Z

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

feat: add user authentication (CM-123)
feat: add user authentication (IN-123)

Projects:

CM: Community Data Platform
IN: Insights

Please add a Jira issue key to your PR title.

dependabot · 2026-02-23T12:19:54Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

github-actions · 2026-02-23T12:20:05Z

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

feat: add user authentication (CM-123)
feat: add user authentication (IN-123)

Projects:

CM: Community Data Platform
IN: Insights

Please add a Jira issue key to your PR title.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 12, 2026

dependabot bot closed this Feb 23, 2026

dependabot bot deleted the dependabot/npm_and_yarn/frontend/multi-518149999f branch February 23, 2026 12:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

chore(deps): bump qs, express and @cypress/request in /frontend#3842

chore(deps): bump qs, express and @cypress/request in /frontend#3842
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/frontend/multi-518149999f

dependabot bot commented on behalf of github Feb 12, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Feb 12, 2026

Uh oh!

github-actions bot commented Feb 12, 2026

Uh oh!

github-actions bot commented Feb 12, 2026

Uh oh!

github-actions bot commented Feb 23, 2026

Uh oh!

dependabot bot commented on behalf of github Feb 23, 2026

Uh oh!

github-actions bot commented Feb 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Comments

Conversation

dependabot bot commented on behalf of github Feb 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

6.14.2

v4.22.1

What's Changed

4.22.0

Important: Security

What's Changed

4.21.2

What's Changed

4.21.1

What's Changed

4.22.1 / 2025-12-01

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

4.20.0 / 2024-09-10

v3.0.10

3.0.10 (2026-01-05)

Bug Fixes

v3.0.9

3.0.9 (2025-07-24)

Bug Fixes

Uh oh!

github-actions bot commented Feb 12, 2026

Uh oh!

github-actions bot commented Feb 12, 2026

Uh oh!

github-actions bot commented Feb 12, 2026

Uh oh!

github-actions bot commented Feb 23, 2026

Uh oh!

dependabot bot commented on behalf of github Feb 23, 2026

Uh oh!

github-actions bot commented Feb 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Feb 12, 2026 •

edited

Loading