Skip to content

Comments

chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates#1

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-d5e0907a94
Open

chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates#1
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-d5e0907a94

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Aug 24, 2025

Bumps the npm_and_yarn group with 3 updates in the / directory: body-parser, express and node-fetch.
Bumps the npm_and_yarn group with 1 update in the /packages/import directory: node-fetch.

Updates body-parser from 1.20.3 to 2.0.0

Release notes

Sourced from body-parser's releases.

2.0.0

What's Changed

Important

  • add brotli support #406
  • Breaking Change: Node.js 18 is the minimum supported version

Details

New Contributors

Full Changelog: expressjs/body-parser@1.20.2...2.0.0

2.0.0-beta.2

This incorporates all changes after 1.19.1 up to 1.20.2.

  • Remove deprecated bodyParser() combination middleware
  • deps: debug@3.1.0
    • Add DEBUG_HIDE_DATE environment variable
    • Change timer to per-namespace instead of global
    • Change non-TTY date format
    • Remove DEBUG_FD environment variable support
    • Support 256 namespace colors
  • deps: iconv-lite@0.5.2
    • Add encoding cp720
    • Add encoding UTF-32
  • deps: raw-body@3.0.0-beta.1

2.0.0-beta.1

  • req.body is no longer always initialized to {}

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.0.0 / 2024-09-10

  • Propagate changes from 1.20.3
  • add brotli support #406
  • Breaking Change: Node.js 18 is the minimum supported version

2.0.0-beta.2 / 2023-02-23

This incorporates all changes after 1.19.1 up to 1.20.2.

  • Remove deprecated bodyParser() combination middleware
  • deps: debug@3.1.0
    • Add DEBUG_HIDE_DATE environment variable
    • Change timer to per-namespace instead of global
    • Change non-TTY date format
    • Remove DEBUG_FD environment variable support
    • Support 256 namespace colors
  • deps: iconv-lite@0.5.2
    • Add encoding cp720
    • Add encoding UTF-32
  • deps: raw-body@3.0.0-beta.1

2.0.0-beta.1 / 2021-12-17

  • Drop support for Node.js 0.8
  • req.body is no longer always initialized to {}
    • it is left undefined unless a body is parsed
  • urlencoded parser now defaults extended to false
  • Use on-finished to determine when body read
Commits
  • 9e06a79 2.0.0
  • 9232c77 Merge branch 'master' into 2.x
  • afd0f39 feat: add option to customize the depth with a default value of 32
  • 07ce14d Added support for brotli ('br') content-encoding (#406)
  • 6cea6bd urlencoded: Support iso-8859-1, utf8 sentinel, and numeric entities (#326)
  • 35b50b5 fix(deps): raw-body@^3.0.0 (#529)
  • 7eb00cd Also use the qs module for the simple parser (#387)
  • ddf9b75 feat!: remove node less than 18 from ci
  • fccaf48 2.0.0-beta.2
  • b53363c docs: add missing history entry
  • Additional commits viewable in compare view

Updates express from 4.21.2 to 5.0.0

Release notes

Sourced from express's releases.

5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

  • Node.js version support: Dropped support for Node.js versions before v18.
  • Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
  • Promise support: Middleware can now return rejected promises, caught by the router as errors.
  • body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
  • Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0
    • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
  • change:
    • res.clearCookie will ignore user provided maxAge and expires options
  • deps: cookie-signature@^1.2.1
  • deps: debug@4.3.6
  • deps: merge-descriptors@^2.0.0
  • deps: serve-static@^2.1.0
  • deps: qs@6.13.0
  • deps: accepts@^2.0.0
  • deps: mime-types@^3.0.0
    • application/javascript => text/javascript
  • deps: type-is@^2.0.0
  • deps: content-disposition@^1.0.0
  • deps: finalhandler@^2.0.0
  • deps: fresh@^2.0.0
  • deps: body-parser@^2.0.1
  • deps: send@^1.1.0

5.0.0-beta.3 / 2024-03-25

This incorporates all changes after 4.19.1 up to 4.19.2.

5.0.0-beta.2 / 2024-03-20

This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14

This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.

  • change:
    • Default "query parser" setting to 'simple'
    • Requires Node.js 4+
    • Use mime-types for file to content type mapping
  • deps: array-flatten@3.0.0
  • deps: body-parser@2.0.0-beta.1
    • req.body is no longer always initialized to {}

... (truncated)

Commits

Updates node-fetch from 2.6.1 to 2.6.7

Release notes

Sourced from node-fetch's releases.

v2.6.7

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

Full Changelog: node-fetch/node-fetch@v2.6.6...v2.6.7

v2.6.6

What's Changed

Full Changelog: node-fetch/node-fetch@v2.6.5...v2.6.6

v2.6.2

fixed main path in package.json

Commits
  • 1ef4b56 backport of #1449 (#1453)
  • 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (#1310)
  • f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (...
  • b5417ae fix: import whatwg-url in a way compatible with ESM Node (#1303)
  • 18193c5 fix v2.6.3 that did not sending query params (#1301)
  • ace7536 fix: properly encode url with unicode characters (#1291)
  • 152214c Fix(package.json): Corrected main file path in package.json (#1274)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by endless, a new releaser for node-fetch since your current version.


Updates node-fetch from 2.6.1 to 2.6.7

Release notes

Sourced from node-fetch's releases.

v2.6.7

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

Full Changelog: node-fetch/node-fetch@v2.6.6...v2.6.7

v2.6.6

What's Changed

Full Changelog: node-fetch/node-fetch@v2.6.5...v2.6.6

v2.6.2

fixed main path in package.json

Commits
  • 1ef4b56 backport of #1449 (#1453)
  • 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (#1310)
  • f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (...
  • b5417ae fix: import whatwg-url in a way compatible with ESM Node (#1303)
  • 18193c5 fix v2.6.3 that did not sending query params (#1301)
  • ace7536 fix: properly encode url with unicode characters (#1291)
  • 152214c Fix(package.json): Corrected main file path in package.json (#1274)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by endless, a new releaser for node-fetch since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the npm_and_yarn group across 2 directories with 3 …
898713b 
…updates

Bumps the npm_and_yarn group with 3 updates in the / directory: [body-parser](https://github.com/expressjs/body-parser), [express](https://github.com/expressjs/express) and [node-fetch](https://github.com/node-fetch/node-fetch).
Bumps the npm_and_yarn group with 1 update in the /packages/import directory: [node-fetch](https://github.com/node-fetch/node-fetch).


Updates `body-parser` from 1.20.3 to 2.0.0
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.20.3...2.0.0)

Updates `express` from 4.21.2 to 5.0.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.21.2...v5.0.0)

Updates `node-fetch` from 2.6.1 to 2.6.7
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](node-fetch/node-fetch@v2.6.1...v2.6.7)

Updates `node-fetch` from 2.6.1 to 2.6.7
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](node-fetch/node-fetch@v2.6.1...v2.6.7)

---
updated-dependencies:
- dependency-name: body-parser
  dependency-version: 2.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 5.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: node-fetch
  dependency-version: 2.6.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: node-fetch
  dependency-version: 2.6.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Aug 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants