Skip to content

Bump the npm_and_yarn group across 1 directory with 20 updates#1871

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-346488f36d
Open

Bump the npm_and_yarn group across 1 directory with 20 updates#1871
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-346488f36d

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Dec 6, 2025
edited
Loading

Bumps the npm_and_yarn group with 19 updates in the / directory:

Package From To
webpack-dev-server 4.13.3 5.2.1
@babel/helpers 7.21.5 7.28.4
brace-expansion 1.1.11 1.1.12
browserify-sign 4.2.1 4.2.5
cipher-base 1.0.4 1.0.7
cross-spawn 6.0.5 6.0.6
elliptic 6.5.4 6.6.1
express 4.18.2 4.22.1
follow-redirects 1.15.2 1.15.11
form-data 3.0.1 3.0.4
min-document 2.19.0 2.19.2
nanoid 3.3.4 3.3.11
node-forge 1.3.1 1.3.3
pbkdf2 3.1.2 3.1.5
react-devtools-core 4.27.1 4.28.5
serve-static 1.15.0 1.16.2
sha.js 2.4.11 2.4.12
store2 2.14.2 2.14.4
ws 6.2.2 6.2.3

Updates webpack-dev-server from 4.13.3 to 5.2.1

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

  • added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

  • speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

v5.0.4

5.0.4 (2024-03-19)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

  • added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

  • speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

... (truncated)

Commits
  • 0d22a08 chore(release): 5.2.1
  • 6045b1e chore(deps): update (#5444)
  • ffd0b86 fix: take the first network found instead of the last one, this restores the ...
  • 9ea7b08 ci: update dependency-review-action (#5442)
  • 5c9378b Merge commit from fork
  • d2575ad Merge commit from fork
  • 8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
  • 5a39c70 ci: update codecov/codecov-action to v5 (#5406)
  • 55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
  • 09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
  • Additional commits viewable in compare view

Updates @babel/helpers from 7.21.5 to 7.28.4

Release notes

Sourced from @​babel/helpers's releases.

v7.28.4 (2025-09-05)

Thanks @​gwillen and @​mrginglymus for your first PRs!

🏠 Internal

Committers: 5

v7.28.3 (2025-08-14)

πŸ‘“ Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

πŸ› Bug Fix

πŸ’… Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

πŸ“ Documentation

🏠 Internal

πŸ”¬ Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

Committers: 5

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.28.4 (2025-09-05)

🏠 Internal

v7.28.3 (2025-08-14)

πŸ‘“ Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

πŸ› Bug Fix

πŸ’… Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

πŸ“ Documentation

🏠 Internal

πŸ”¬ Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

v7.28.2 (2025-07-24)

πŸ› Bug Fix

  • babel-types
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

v7.28.1 (2025-07-12)

πŸ› Bug Fix

  • babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

πŸ“ Documentation

... (truncated)

Commits

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

  • pkg: publish on tag 1.x c460dbd
  • fmt ccb8ac6
  • Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

Updates browserify-sign from 4.2.1 to 4.2.5

Changelog

Sourced from browserify-sign's changelog.

v4.2.5 - 2025-09-24

Commits

  • [Tests] clean up tests and convert console info skips to tape skips 37b083c
  • [Fix] restore node 0.10 support faade86
  • [Deps] update parse-asn1 5a0f159
  • [actions] drop unsupported nodes from CI 106be97

v4.2.4 - 2025-09-22

Commits

  • [actions] split out node 10-20, and 20+ 17920d9
  • [meta] remove files field 6d5b280
  • [Deps] update bn.js, browserify-rsa, elliptic 31be0c2
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, semver, tape 5f66982
  • [Tests] replace aud with npm audit d44b24d
  • [Dev Deps] add missing peer dep ab975f4
  • [Deps] revert 9e2bf12, now that v3.1.1 is out 428cf7f

v4.2.3 - 2024-03-05

Commits

v4.2.2 - 2023-10-25

Fixed

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2

... (truncated)

Commits
  • d3a7458 v4.2.5
  • 37b083c [Tests] clean up tests and convert console info skips to tape skips
  • faade86 [Fix] restore node 0.10 support
  • 5a0f159 [Deps] update parse-asn1
  • 106be97 [actions] drop unsupported nodes from CI
  • 9c37172 v4.2.4
  • 6d5b280 [meta] remove files field
  • 17920d9 [actions] split out node 10-20, and 20+
  • 31be0c2 [Deps] update bn.js, browserify-rsa, elliptic
  • ab975f4 [Dev Deps] add missing peer dep
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.


Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

  • [Refactor] use to-buffer fd1e5ee
  • [Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

  • [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

  • [Tests] standard -> eslint, make test dir, etc ae02fd6
  • [Tests] migrate from travis to GHA 66387d7
  • [meta] fix package.json indentation 5c02918
  • [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
  • [meta] add auto-changelog 88dc806
  • [meta] add npmignore and safe-publish-latest 7a137d7
  • Only apps should have lockfiles 42528f2
  • [Deps] update inherits, safe-buffer 0e7a2d9
  • [meta] add missing engines.node f2dc13e
Commits
  • 0056718 v1.0.7
  • fd1e5ee [Refactor] use to-buffer
  • 08ba803 [Dev Deps] update @ljharb/eslint-config
  • f5249f9 v1.0.6
  • b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
  • f03cebf v1.0.5
  • 88dc806 [meta] add auto-changelog
  • 7a137d7 [meta] add npmignore and safe-publish-latest
  • 5c02918 [meta] fix package.json indentation
  • 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.


Updates cross-spawn from 6.0.5 to 6.0.6

Changelog

Sourced from cross-spawn's changelog.

6.0.6 (2024-11-18)

Bug Fixes

Commits

Updates elliptic from 6.5.4 to 6.6.1

Commits

Updates express from 4.18.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


Updates follow-redirects from 1.15.2 to 1.15.11

Commits
  • 21ef28a Release version 1.15.11 of the npm package.
  • 7c88135 Roll back tree shaking.
  • 6e389ba Release version 1.15.10 of the npm package.
  • 5bc496e Shake me up before you go-go.
  • 694d6b4 Bump minimist from 1.2.5 to 1.2.8
  • e4e55c7 Release version 1.15.9 of the npm package.
  • 31a1abf Attempt much more gentle detection.
  • d2aaa97 Fix url field.
  • 62558f0 Release version 1.15.8 of the npm package.
  • a8d1cee Return subtlety.
  • Additional commits viewable in compare view

Updates form-data from 3.0.1 to 3.0.4

Release notes

Sourced from form-data's releases.

v3.0.2

Fixes

  • npmignore temporary build files (#532)
  • move util.isArray to Array.isArray (#564)

Tests

  • migrate from travis to GHA
Changelog

Sourced from form-data's changelog.

v3.0.4 - 2025-07-16

Fixed

Commits

  • [eslint] update linting config f5e7eb0
  • [meta] add auto-changelog d2eb290
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 e8c574c
  • [Fix] Switch to using crypto random for boundary values c6ced61
  • [Refactor] use hasown 1a78b5d
  • [Fix] validate boundary type in setBoundary() method 70bbaa0
  • [Tests] add tests to check the behavior of getBoundary with non-strings b22a64e
  • [meta] actually ensure the readme backup isn’t published 0150851
  • [meta] remove local commit hooks fc42bb9
  • [Dev Deps] remove unused deps a14d09e
  • [meta] fix scripts to use prepublishOnly 11d9f73
  • [meta] fix readme capitalization fc38b48

v3.0.3 - 2025-02-14

Merged

Fixed

Commits

  • [Refactor] use Object.prototype.hasOwnProperty.call 7fecefe
  • [Dev Deps] update @types/node, browserify, coveralls, cross-spawn, eslint, formidable, in-publish, pkgfiles, pre-commit, puppeteer, request, tape, typescript 8261fcb
  • Only apps should have lockfiles b82f590
  • [Dev Deps] pin request which via tough-cookie ^2.4 depends on psl e5df7f2
  • [Deps] update mime-types 5a5bafe

v3.0.2 - 2024-10-10

Merged

Commits

  • [Tests] migrate from travis to GHA 8fdb3bc
  • [eslint] clean up ignores 3217b3d
  • fix: move util.isArray to Array.isArray (#564) edb555a
Commits
  • 9c82fcd v3.0.4
  • e8c574c [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
  • c6ced61 [Fix] Switch to using crypto random for boundary values
  • 0150851 [meta] actually ensure the readme backup isn’t published
  • fc38b48 [meta] fix readme capitalization
  • d2eb290 [meta] add auto-changelog
  • fc42bb9 [meta] remove local commit hooks
  • a14d09e [Dev Deps] remove unused deps
  • 002b9b0 [Fix] append: avoid a crash on nullish values
  • 70bbaa0 [Fix] validate boundary type in setBoundary() method
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.


Updates http-proxy-middleware from 2.0.6 to 2.0.9

Release notes

Sourced from http-proxy-middlew...

Description has been truncated

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Dec 6, 2025
This was referenced Dec 6, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@leotm
Copy link
Copy Markdown
Owner

leotm commented Dec 6, 2025

@dependabot rebase

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Dec 6, 2025

Looks like this PR is already up-to-date with master! If you'd still like to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@leotm
Copy link
Copy Markdown
Owner

leotm commented Dec 6, 2025

@dependabot recreate

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-346488f36d branch from 2344dc1 to e5bbc9c Compare December 6, 2025 19:04
@socket-security
Copy link
Copy Markdown

socket-security bot commented Dec 6, 2025
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

leotm
leotm reviewed Dec 6, 2025
View reviewed changes
Copy link
Copy Markdown
Owner

@leotm leotm left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

Run yarn && yarn setup
➀ YN0000: Yarn detected that the current workflow is executed from a public pull request. For safety the hardened mode has been enabled.
➀ YN0000: It will prevent malicious lockfile manipulations, in exchange for a slower install time. You can opt-out if necessary; check our documentation for more details.

➀ YN0000: · Yarn 4.12.0
➀ YN0000: β”Œ Resolution step
Resolution step
➀ YN0000: β”” Completed in 11s 727ms
➀ YN0000: β”Œ Post-resolution validation
Post-resolution validation
➀ YN0028: -"@types/ws@npm:^8.5.10, @types/ws@npm:^8.5.3":
➀ YN0028: +"@types/ws@npm:8.18.1, @types/ws@npm:^8.5.10, @types/ws@npm:^8.5.3":
➀ YN0028: +    "@types/ws": "npm:8.18.1"
➀ YN0028: The lockfile would have been modified by this install, which is explicitly forbidden.
➀ YN0000: β”” Completed
➀ YN0000: · Failed with errors in 11s 862ms
Error: Process completed with exit code 1.

Yarn 4.12.0 correct, lockfile diff cause likely Node version mismatch

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#about-dependabot-on-github-actions-runners

Note

Dependabot on GitHub Actions relies on the ubuntu-latest label to select the appropriate runner. To ensure Dependabot runs on GitHub-hosted runners, you should not use the label ubuntu-latest for self-hosted runners.

Dependabot group PRs don't respect /.node-version

react-native-template-new-architecture/.node-version

Line 1 in 4625323

19.9.0

nor package.json>engines if exists

add uses: actions/setup-node@<hash> steps to relevant CI .yml's

however individual (non-grouped) dependabot PRs seemed fine w/o this

      # - uses: actions/setup-node@v4
        # with:
          # node-version: 19
          # cache: yarn

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-346488f36d branch from e5bbc9c to 403e119 Compare December 7, 2025 19:24
@socket-security
Copy link
Copy Markdown

socket-security bot commented Dec 7, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedwebpack-dev-server@​4.13.3 ⏡ 5.2.197100 +1310086100

View full report

@dependabot
Bump the npm_and_yarn group across 1 directory with 20 updates
7da8638 
Bumps the npm_and_yarn group with 19 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [webpack-dev-server](https://github.com/webpack/webpack-dev-server) | `4.13.3` | `5.2.1` |
| [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) | `7.21.5` | `7.28.4` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.12` |
| [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.2.1` | `4.2.5` |
| [cipher-base](https://github.com/crypto-browserify/cipher-base) | `1.0.4` | `1.0.7` |
| [cross-spawn](https://github.com/moxystudio/node-cross-spawn) | `6.0.5` | `6.0.6` |
| [elliptic](https://github.com/indutny/elliptic) | `6.5.4` | `6.6.1` |
| [express](https://github.com/expressjs/express) | `4.18.2` | `4.22.1` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.2` | `1.15.11` |
| [form-data](https://github.com/form-data/form-data) | `3.0.1` | `3.0.4` |
| [min-document](https://github.com/Raynos/min-document) | `2.19.0` | `2.19.2` |
| [nanoid](https://github.com/ai/nanoid) | `3.3.4` | `3.3.11` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.3` |
| [pbkdf2](https://github.com/browserify/pbkdf2) | `3.1.2` | `3.1.5` |
| [react-devtools-core](https://github.com/facebook/react/tree/HEAD/packages/react-devtools-core) | `4.27.1` | `4.28.5` |
| [serve-static](https://github.com/expressjs/serve-static) | `1.15.0` | `1.16.2` |
| [sha.js](https://github.com/crypto-browserify/sha.js) | `2.4.11` | `2.4.12` |
| [store2](https://github.com/nbubna/store) | `2.14.2` | `2.14.4` |
| [ws](https://github.com/websockets/ws) | `6.2.2` | `6.2.3` |



Updates `webpack-dev-server` from 4.13.3 to 5.2.1
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v4.13.3...v5.2.1)

Updates `@babel/helpers` from 7.21.5 to 7.28.4
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.4/packages/babel-helpers)

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

Updates `browserify-sign` from 4.2.1 to 4.2.5
- [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md)
- [Commits](browserify/browserify-sign@v4.2.1...v4.2.5)

Updates `cipher-base` from 1.0.4 to 1.0.7
- [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md)
- [Commits](browserify/cipher-base@v1.0.4...v1.0.7)

Updates `cross-spawn` from 6.0.5 to 6.0.6
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/v6.0.6/CHANGELOG.md)
- [Commits](moxystudio/node-cross-spawn@v6.0.5...v6.0.6)

Updates `elliptic` from 6.5.4 to 6.6.1
- [Commits](indutny/elliptic@v6.5.4...v6.6.1)

Updates `express` from 4.18.2 to 4.22.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md)
- [Commits](expressjs/express@4.18.2...v4.22.1)

Updates `follow-redirects` from 1.15.2 to 1.15.11
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.2...v1.15.11)

Updates `form-data` from 3.0.1 to 3.0.4
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v3.0.1...v3.0.4)

Updates `http-proxy-middleware` from 2.0.6 to 2.0.9
- [Release notes](https://github.com/chimurai/http-proxy-middleware/releases)
- [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.9/CHANGELOG.md)
- [Commits](chimurai/http-proxy-middleware@v2.0.6...v2.0.9)

Updates `min-document` from 2.19.0 to 2.19.2
- [Commits](Raynos/min-document@v2.19.0...v2.19.2)

Updates `nanoid` from 3.3.4 to 3.3.11
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.3.4...3.3.11)

Updates `node-forge` from 1.3.1 to 1.3.3
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.3)

Updates `pbkdf2` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md)
- [Commits](browserify/pbkdf2@v3.1.2...v3.1.5)

Updates `react-devtools-core` from 4.27.1 to 4.28.5
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/HEAD/packages/react-devtools-core)

Updates `serve-static` from 1.15.0 to 1.16.2
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/v1.16.2/HISTORY.md)
- [Commits](expressjs/serve-static@v1.15.0...v1.16.2)

Updates `sha.js` from 2.4.11 to 2.4.12
- [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md)
- [Commits](browserify/sha.js@v2.4.11...v2.4.12)

Updates `store2` from 2.14.2 to 2.14.4
- [Commits](nbubna/store@2.14.2...2.14.4)

Updates `ws` from 6.2.2 to 6.2.3
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@6.2.2...6.2.3)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 5.2.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@babel/helpers"
  dependency-version: 7.28.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: browserify-sign
  dependency-version: 4.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cipher-base
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cross-spawn
  dependency-version: 6.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: elliptic
  dependency-version: 6.6.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 4.22.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.15.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 3.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: http-proxy-middleware
  dependency-version: 2.0.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: min-document
  dependency-version: 2.19.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: nanoid
  dependency-version: 3.3.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: pbkdf2
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: react-devtools-core
  dependency-version: 4.28.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-version: 1.16.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: sha.js
  dependency-version: 2.4.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: store2
  dependency-version: 2.14.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 6.2.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-346488f36d branch from 403e119 to 7da8638 Compare December 7, 2025 20:49
@leotm leotm force-pushed the master branch 5 times, most recently from 3351c06 to 5414885 Compare February 5, 2026 15:28
@leotm leotm force-pushed the master branch 4 times, most recently from bd15b3d to e13caf2 Compare March 3, 2026 18:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leotm leotm leotm left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@leotm