chore(deps): bump the npm_and_yarn group across 1 directory with 18 updates

[dependabot]

Bumps the npm_and_yarn group with 17 updates in the / directory:

Package	From	To
axios	0.21.1	0.28.0
crypto-js	4.0.0	4.2.0
express	4.17.1	4.19.2
mongoose	5.9.25	5.13.20
validator	13.6.0	13.7.0
json5	1.0.1	1.0.2
minimist	1.2.0	1.2.8
extract-zip	1.6.7	1.7.0
mkdirp	0.5.1	0.5.6
mocha	3.5.3	10.4.0
@babel/traverse	7.11.0	7.24.1
semver	5.7.0	5.7.2
fsevents	1.2.9	1.2.13
json-schema	0.2.3	0.4.0
jsprim	1.4.1	1.4.2
lodash	4.17.19	4.17.21
qs	6.5.2	6.5.3

Updates axios from 0.21.1 to 0.28.0

Release notes

Sourced from axios's releases.

Release v0.28.0

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• Fixing content-type header repeated #4745
• Fixed timeout error message for HTTP 4738
• Added axios.formToJSON method (#4735)
• URL params serializer (#4734)
• Fixed toFormData Blob issue on node>v17 #4728
• Adding types for progress event callbacks #4675
• Fixed max body length defaults #4731
• Added data URL support for node.js (#4725)
• Added isCancel type assert (#4293)
• Added the ability for the url-encoded-form serializer to respect the formSerializer config (#4721)
• Add string[] to AxiosRequestHeaders type (#4322)
• Allow type definition for axios instance methods (#4224)
• Fixed AxiosError stack capturing; (#4718)
• Fixed AxiosError status code type; (#4717)
• Adding Canceler parameters config and request (#4711)
• fix(types): allow to specify partial default headers for instance creation (#4185)
• Added blob to the list of protocols supported by the browser (#4678)
• Fixing Z_BUF_ERROR when no content (#4701)
• Fixed race condition on immediate requests cancellation (#4261)
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance axios/axios#4248
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#4229)
• Fix TS definition for AxiosRequestTransformer (#4201)
• Use type alias instead of interface for AxiosPromise (#4505)
• Include request and config when creating a CanceledError instance (#4659)
• Added generic TS types for the exposed toFormData helper (#4668)
• Optimized the code that checks cancellation (#4587)
• Replaced webpack with rollup (#4596)
• Added stack trace to AxiosError (#4624)
• Updated AxiosError.config to be optional in the type definition (#4665)
• Removed incorrect argument for NetworkError constructor (#4656)

v0.27.2

Fixes and Functionality:

• Fixed FormData posting in browser environment by reverting #3785 (#4640)
• Enhanced protocol parsing implementation (#4639)
• Fixed bundle size

v0.27.1

Fixes and Functionality:

• Removed import of url module in browser build due to huge size overhead and builds being broken (#4594)
• Bumped follow-redirects to ^1.14.9 (#4615)

... (truncated)

Changelog

Sourced from axios's changelog.

0.28.0 (2024-02-12)

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• Fixing content-type header repeated #4745
• Fixed timeout error message for HTTP 4738
• Added axios.formToJSON method (#4735)
• URL params serializer (#4734)
• Fixed toFormData Blob issue on node>v17 #4728
• Adding types for progress event callbacks #4675
• Fixed max body length defaults #4731
• Added data URL support for node.js (#4725)
• Added isCancel type assert (#4293)
• Added the ability for the url-encoded-form serializer to respect the formSerializer config (#4721)
• Add string[] to AxiosRequestHeaders type (#4322)
• Allow type definition for axios instance methods (#4224)
• Fixed AxiosError stack capturing; (#4718)
• Fixed AxiosError status code type; (#4717)
• Adding Canceler parameters config and request (#4711)
• fix(types): allow to specify partial default headers for instance creation (#4185)
• Added blob to the list of protocols supported by the browser (#4678)
• Fixing Z_BUF_ERROR when no content (#4701)
• Fixed race condition on immediate requests cancellation (#4261)
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance axios/axios#4248
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#4229)
• Fix TS definition for AxiosRequestTransformer (#4201)
• Use type alias instead of interface for AxiosPromise (#4505)
• Include request and config when creating a CanceledError instance (#4659)
• Added generic TS types for the exposed toFormData helper (#4668)
• Optimized the code that checks cancellation (#4587)
• Replaced webpack with rollup (#4596)
• Added stack trace to AxiosError (#4624)
• Updated AxiosError.config to be optional in the type definition (#4665)
• Removed incorrect argument for NetworkError constructor (#4656)

0.27.2 (April 27, 2022)

Fixes and Functionality:

• Fixed FormData posting in browser environment by reverting #3785 (#4640)
• Enhanced protocol parsing implementation (#4639)
• Fixed bundle size

0.27.1 (April 26, 2022)

... (truncated)

Commits

• 3b7635a [Release] v0.28.0 (#6211)
• 27c0076 feat(backport): added ability for paramsSerializer to handle function; (#6227)
• 80c3d74 chore(ci): backported publish action; (#6224)
• 2755df5 fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to ...
• 880b42e docs: Fix a typo in README
• c4bf0a4 Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)
• 1e2679f fix: [Types] Type of header in AxiosRequestConfig / for Axios.create is incor...
• 80b546c fix: loosing request header (#4858) (#4871)
• 6acb5ef feat: brower platform add data protocol. (#4814)
• bbb2264 fix(typing): axios response headers can be undefined (#4813)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jasonsaayman, a new releaser for axios since your current version.

Updates crypto-js from 4.0.0 to 4.2.0

Commits

• 808f499 Merge branch 'release/4.2.0'
• d5af3ae Update release notes.
• 9496e07 Bump version.
• 421dd53 Change default hash algorithm and iteration's for PBKDF2 to prevent weak secu...
• d1f4f4d Update grunt.
• c755289 Discontinued
• 1da3dab Discontinued
• 4dcaa7a Merge pull request #380 from Alanscut/dev
• 762feb2 chore: rename BF to Blowfish
• fb81418 feat: blowfish support
• Additional commits viewable in compare view

Updates express from 4.17.1 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: Node.js@16.18 and Node.js@18.12 by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add Node.js@19.7 by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: body-parser@1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@2.5.2
• deps: cookie@0.6.0
  • Add partitioned option

4.18.2 / 2022-10-08

• Fix regression routing a large stack in a single route
• deps: body-parser@1.20.1
  • deps: qs@6.11.0
  • perf: remove unnecessary object clone
• deps: qs@6.11.0

4.18.1 / 2022-04-29

• Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

• Add "root" option to res.download
• Allow options without filename in res.download
• Deprecate string and non-integer arguments to res.status
• Fix behavior of null/undefined as maxAge in res.cookie
• Fix handling very large stacks of sync middleware
• Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: cookie@0.6.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates mongoose from 5.9.25 to 5.13.20

Changelog

Sourced from mongoose's changelog.

8.2.3 / 2024-03-21

• fix(schema): avoid returning string 'nested' as schematype #14453 #14443 #14435
• types(schema): add missing search index types #14449 noseworthy
• types: improve the typing of FilterQuery type to prevent it from only getting typed to any #14436 #14398 #14397

8.2.2 / 2024-03-15

• fix(model): improve update minimizing to only minimize top-level properties in the update #14437 #14420 #13782
• fix: add Null check in case schema.options['type'][0] is undefined #14431 Atharv-Bobde
• types: consistently infer array of objects in schema as a DocumentArray #14430 #14367
• types: add TypeScript interface for the new PipelineStage - Vector Search - solving issue #14428 #14429 jkorach
• types: add pre and post function types on Query class #14433 #14432 IICarst
• types(model): make bulkWrite() types more flexible to account for casting #14423
• docs: update version support documentation for mongoose 5 & 6 #14427 hasezoey

7.6.10 / 2024-03-13

• docs(model): add extra note about lean option for insertMany() skipping casting #14415
• docs(mongoose): add options.overwriteModel details to mongoose.model() docs #14422

8.2.1 / 2024-03-04

• fix(document): make $clone avoid converting subdocs into POJOs #14395 #14353
• fix(connection): avoid unhandled error on createConnection() if on('error') handler registered #14390 #14377
• fix(schema): avoid applying default write concern to operations that are in a transaction #14391 #11382
• types(querycursor): correct cursor async iterator type with populate() support #14384 #14374
• types: missing typescript details on options params of updateMany, updateOne, etc. #14382 #14379 #14378 FaizBShah sderrow
• types: allow Record as valid query select argument #14371 sderrow

6.12.7 / 2024-03-01

• perf(model): make insertMany() lean option skip hydrating Mongoose docs #14376 #14372
• perf(document+schema): small optimizations to make init() faster #14383 #14113
• fix(connection): don't modify passed options object to openUri() #14370 #13376 #13335
• fix(ChangeStream): bubble up resumeTokenChanged changeStream event #14355 #14349 3150

7.6.9 / 2024-02-26

• fix(document): handle embedded recursive discriminators on nested path defined using Schema.prototype.discriminator #14256 #14245
• types(model): correct return type for findByIdAndDelete() #14233 #14190
• docs(connections): add note about using asPromise() with createConnection() for error handling #14364 #14266
• docs(model+query+findoneandupdate): add more details about overwriteDiscriminatorKey option to docs #14264 #14246

<<<<<<< HEAD 8.2.0 / 2024-02-22

• feat(model): add recompileSchema() function to models to allow applying schema changes after compiling #14306 #14296
• feat: add middleware for bulkWrite() and createCollection() #14358 #14263 #7893
• feat(model): add hydratedPopulatedDocs option to make hydrate recursively hydrate populated docs #14352 #4727

... (truncated)

Commits

• 0f3997a chore: release 5.13.20
• f1efabf fix: avoid prototype pollution on init
• 98e0762 chore: release 5.13.19
• 7e36d21 chore: release 5.13.18
• 6759c60 undo accidental changes and actually pin @​types/json-schema
• 4ed4a89 chore: pin version of @​types/json-schema because of install issues on node v4...
• 9a9536d Merge pull request #13535 from lorand-horvath/patch-12
• 26424d5 5.x - bump mongodb driver to 3.7.4
• 4b8b0a9 add versionNumber to 5.x
• 1bc07ec chore: release 5.13.17
• Additional commits viewable in compare view

Updates validator from 13.6.0 to 13.7.0

Release notes

Sourced from validator's releases.

13.7.0

13.7.0

New Features

• #1706 isISO4217, currency code validator @​jpaya17

Fixes and Enhancements

• #1647 isFQDN: add allow_wildcard option @​fasenderos
• #1654 isRFC3339: Disallow prepended and appended strings to RFC 3339 date-time @​jmacmahon
• #1658 maintenance: increase code coverage @​tux-tn
• #1669 IBAN export list of country codes that implement IBAN @​dror-heller @​fedeci
• #1676 isBoolean: add loose option @​brybrophy
• #1697 maintenance: fix npm installation error @​rubiin
• #1708 isISO31661Alpha3: perf @​jpaya17
• #1711 isDate: allow users to strictly validate dates with . as delimiter @​flymans
• #1715 isCreditCard: fix for Union Pay cards @​shreyassai123
• #1718 isEmail: replace all dots in GMail length validation @​DasDingGehtNicht
• #1721 isURL: add allow_fragments and allow_query_components @​cowboy-bebug
• #1724 isISO31661Alpha2: perf @​jpaya17
• #1730 isMagnetURI @​tux-tn
• #1738 trim: remove regex to prevent ReDOS attack @​tux-tn
• #1747 maintenance: run scripts in parallel for build and clean @​sachinraja
• #1748 isURL: higher priority to whitelist @​deepanshu2506
• #1751 isURL: allow url with colon and no port @​MatteoPierro
• #1777 isUUID: fix for null version argument @​theteladras
• #1799 isFQDN: check more special chars @​MatteoPierro
• #1833 isURL: allow URL with an empty user @​MiguelSavignano
• #1835 unescape: fixed bug where intermediate string contains escaped @​Marcholio
• #1836 contains: can check that string contains seed multiple times @​Marcholio
• #1844 docs: add CDN instructions @​luiscobits
• #1848 isUUID: add support for validation of v1 and v2 @​theteladras
• #1941 isEmail: add host_blacklist option @​fedeci

New and Improved Locales

• isAlpha, isAlphanumeric:

  • #1716 hi-IN @​MiKr13
  • #1837 fi-FI @​Marcholio

• isPassportNumber:

  • #1656 ID @​rubiin
  • #1714 CN @​anirudhgiri
  • #1809 PL @​Ronqn
  • #1810 RU @​Theta-Dev

• isPostalCode:

  • #1788 LK @​nimanthadilz

... (truncated)

Changelog

Sourced from validator's changelog.

13.7.0

New Features

• #1706 isISO4217, currency code validator @​jpaya17

Fixes and Enhancements

• #1647 isFQDN: add allow_wildcard option @​fasenderos
• #1654 isRFC3339: Disallow prepended and appended strings to RFC 3339 date-time @​jmacmahon
• #1658 maintenance: increase code coverage @​tux-tn
• #1669 IBAN export list of country codes that implement IBAN @​dror-heller @​fedeci
• #1676 isBoolean: add loose option @​brybrophy
• #1697 maintenance: fix npm installation error @​rubiin
• #1708 isISO31661Alpha3: perf @​jpaya17
• #1711 isDate: allow users to strictly validate dates with . as delimiter @​flymans
• #1715 isCreditCard: fix for Union Pay cards @​shreyassai123
• #1718 isEmail: replace all dots in GMail length validation @​DasDingGehtNicht
• #1721 isURL: add allow_fragments and allow_query_components @​cowboy-bebug
• #1724 isISO31661Alpha2: perf @​jpaya17
• #1730 isMagnetURI @​tux-tn
• #1738 rtrim: remove regex to prevent ReDOS attack @​tux-tn
• #1747 maintenance: run scripts in parallel for build and clean @​sachinraja
• #1748 isURL: higher priority to whitelist @​deepanshu2506
• #1751 isURL: allow url with colon and no port @​MatteoPierro
• #1777 isUUID: fix for null version argument @​theteladras
• #1799 isFQDN: check more special chars @​MatteoPierro
• #1833 isURL: allow URL with an empty user @​MiguelSavignano
• #1835 unescape: fixed bug where intermediate string contains escaped @​Marcholio
• #1836 contains: can check that string contains seed multiple times @​Marcholio
• #1844 docs: add CDN instructions @​luiscobits
• #1848 isUUID: add support for validation of v1 and v2 @​theteladras
• #1941 isEmail: add host_blacklist option @​fedeci

New and Improved Locales

• isAlpha, isAlphanumeric:

  • #1716 hi-IN @​MiKr13
  • #1837 fi-FI @​Marcholio

• isPassportNumber:

  • #1656 ID @​rubiin
  • #1714 CN @​anirudhgiri
  • #1809 PL @​Ronqn
  • #1810 RU @​Theta-Dev

• isPostalCode:

  • #1788 LK @​nimanthadilz

• isIdentityCard:

... (truncated)

Commits

• 47ee5ad 13.7.0
• 496fc8b fix(rtrim): remove regex to prevent ReDOS attack (#1738)
• 45901ec Merge pull request #1851 from validatorjs/chore/fix-merge-conflicts
• 83cb7f8 chore: merge conflict clean-up
• f17e220 feat(isMobilePhone): add El Salvador es-SV locale
• 5b06703 feat(isMobilePhone): add Palestine ar-PS locale
• a3faa83 feat(isMobilePhone): add Botswana en-BW locale
• 26605f9 feat(isMobilePhone): add Turkmenistan tk-TM
• 0e5d5d4 feat(isMobilePhone): add Guyana en-GY locale
• f7ff349 feat(isMobilePhone): add Frech Polynesia fr-PF locale
• Additional commits viewable in compare view

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

• a62db1e 1.0.2
• e0c23fe docs: update CHANGELOG for v1.0.2
• 62a6540 fix: add proto to objects and arrays
• See full diff in compare view

Updates minimist from 1.2.0 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits

• 6901ee2 v1.2.8
• a026794 Merge tag 'v0....

  Description has been truncated

[dependabot]

Superseded by #101.