Bump the npm_and_yarn group across 1 directory with 28 updates

[dependabot]

Bumps the npm_and_yarn group with 15 updates in the /site/web/app/themes/sage directory:

Package	From	To
bootstrap	4.0.0	5.0.0
jquery	3.3.1	3.5.0
webpack-dev-middleware	2.0.4	5.3.4
atob	1.1.3	2.1.2
browserify-sign	4.0.4	4.2.5
cipher-base	1.0.4	1.0.7
cookie	0.3.1	0.7.2
fsevents	1.1.2	1.2.13
fstream	1.0.11	1.0.12
hoek	2.16.3	removed
macaddress	0.2.8	0.2.9
minimist	0.0.8	1.2.8
postcss	5.2.17	8.5.6
randomatic	1.1.7	3.1.1
tmp	0.0.31	removed

Updates bootstrap from 4.0.0 to 5.0.0

Release notes

Sourced from bootstrap's releases.

v5.0.0

Highlights

#32155: Updated make-col() mixin to generate equal columns when no size is specified #32763: Added new color-scheme() mixin #33389: Dropdown menus now have option become clickable #33453: Added new docs footer #33548: Offcanvas header components are now vertically aligned #33549: Added offcanvas-top modifier #33634: Added support for .dropdown-items wrapped in <li>s #33626: Fix v5 regressions in tab dropdown functionality

🚀 Features

• #32763: Add color-scheme mixin
• #33389: Dropdown — Add option to make the dropdown menu clickable
• #33549: Add offcanvas-top modifier

🎨 CSS

• #32155: Add equal column mixin
• #32763: Add color-scheme mixin
• #33292: Make accordion icon rotation more natural
• #33411: Fix validation feedback icon in select multiple
• #33478: Make .nav-link color consistent when using buttons
• #33482: Dropdown — Apply positioning only when Popper is not used
• #33548: Vertically align offcanvas header components
• #33549: Add offcanvas-top modifier
• #33550: Spinner alignment changes
• #33598: Hide validation icons from multiple selects
• #33600: Have $form-check-input-border's default derive from $black
• #33607: Reduce color-scheme complexity
• #33642: use :read-only css selector instead [readonly] for consistency
• #33658: fix: use list-group variable instead of alert
• #33736: accordion: fix border-top on Firefox

☕️ JavaScript

• #32439: Decouple BackDrop from modal
• #33245: Decouple Modal's scrollbar functionality
• #33249: Simplify Modal Config
• #33250: Simplify ScrollSpy config
• #33310: fix: make EventHandler better handle mouseenter/mouseleave events
• #33389: Dropdown — Add option to make the dropdown menu clickable
• #33429: Remove element event listeners through base component
• #33451: Add missing things in hide method of dropdown
• #33456: Use our isDisabled util on dropdown
• #33466: Refactor dropdown's hide functionality
• #33479: Fix dropdown escape propagation
• #33496: Use cached noop function

... (truncated)

Commits

• bf09367 Release v5.0.0 (#33647)
• 48ae5a7 Rewrite migration guide (#33834)
• f086572 refactor(docs): Added form file input variables (#33833)
• 1a54286 Fix doc typo and Bootstrap Icons link (#33832)
• e2df73f Update migration guide for some v5 changes (#33829)
• 1e6356a Neutralise more words from placeholder text (#33731)
• 6633845 Bump eslint-config-xo from 0.35.0 to 0.36.0 (#33646)
• cb38744 Tweak toast docs (#33810)
• c2ff225 Bump rollup from 2.46.0 to 2.47.0 (#33818)
• c090ea2 Bump @​babel/preset-env from 7.14.0 to 7.14.1 (#33819)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mdo, a new releaser for bootstrap since your current version.

Updates jquery from 3.3.1 to 3.5.0

Release notes

Sourced from jquery's releases.

jQuery 3.5.0 Released!

See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

Commits

• 7a0a850 3.5.0
• 8570a08 Release: Update AUTHORS.txt
• da3dd85 Ajax: Do not execute scripts for unsuccessful HTTP responses
• 065143c Ajax: Overwrite s.contentType with content-type header value, if any
• 1a4f10d Tests: Blacklist one focusin test in IE
• 9e15d6b Event: Use only one focusin/out handler per matching window & document
• 966a709 Manipulation: Skip the select wrapper for <option> outside of IE 9
• 1d61fd9 Manipulation: Make jQuery.htmlPrefilter an identity function
• 04bf577 Selector: Update Sizzle from 2.3.4 to 2.3.5
• 7506c9c Build: Resolve Travis config warnings
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mgol, a new releaser for jquery since your current version.

Updates webpack-dev-middleware from 2.0.4 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

v5.3.3

5.3.3 (2022-05-18)

Bug Fixes

• types for Request and Response (#1271) (eeb8aa8)

v5.3.2

5.3.2 (2022-05-17)

Bug Fixes

• node types (#1195) (d68ab36)
• compatibility with Node.js 18

v5.3.1

5.3.1 (2022-02-01)

Bug Fixes

• types (#1187) (0f82e1d)

v5.3.0

5.3.0 (2021-12-16)

Features

• added types (a2fa77f)
• removed cjs wrapper (#1146) (b6d53d3)

v5.2.2

5.2.2 (2021-11-17)

Chore

• update schema-utils package to 4.0.0 version

... (truncated)

Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

5.3.3 (2022-05-18)

Bug Fixes

• types for Request and Response (#1271) (eeb8aa8)

5.3.2 (2022-05-17)

Bug Fixes

• node types (#1195) (d68ab36)

5.3.1 (2022-02-01)

Bug Fixes

• types (#1187) (0f82e1d)

5.3.0 (2021-12-16)

Features

• added types (a2fa77f)
• removed cjs wrapper (#1146) (b6d53d3)

5.2.2 (2021-11-17)

Chore

• update schema-utils package to 4.0.0 version

5.2.1 (2021-09-25)

• internal release, no visible changes and features

5.2.0 (2021-09-24)

... (truncated)

Commits

• 86071ea chore(release): 5.3.4
• 189c4ac fix(security): do not allow to read files above (#1779)
• f3c62b8 chore(release): 5.3.3
• eeb8aa8 fix: types for Request and Response (#1271)
• 1a45388 chore(release): 5.3.2
• b8fb945 chore(deps): memfs force update (#1269)
• f88067d chore: update deps and ci (#1260)
• 7186318 chore(deps-dev): bump @​commitlint/cli
• 57c50ef ci: update checkout, setup-node, and codecov actions (#1267)
• 840146a chore(deps-dev): bump @​babel/preset-env
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack-dev-middleware since your current version.

Updates atob from 1.1.3 to 2.1.2

Commits

• See full diff in compare view

Updates browserify-sign from 4.0.4 to 4.2.5

Changelog

Sourced from browserify-sign's changelog.

v4.2.5 - 2025-09-24

Commits

• [Tests] clean up tests and convert console info skips to tape skips 37b083c
• [Fix] restore node 0.10 support faade86
• [Deps] update parse-asn1 5a0f159
• [actions] drop unsupported nodes from CI 106be97

v4.2.4 - 2025-09-22

Commits

• [actions] split out node 10-20, and 20+ 17920d9
• [meta] remove files field 6d5b280
• [Deps] update bn.js, browserify-rsa, elliptic 31be0c2
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, semver, tape 5f66982
• [Tests] replace aud with npm audit d44b24d
• [Dev Deps] add missing peer dep ab975f4
• [Deps] revert 9e2bf12, now that v3.1.1 is out 428cf7f

v4.2.3 - 2024-03-05

Commits

• [patch] widen support to 0.12 9247adf
• [patch] drop minimum node support to v1 4d0ee49
• [Dev Deps] update aud, npmignore, tape 87f3a35
• [actions] remove redundant finisher 37a4758
• [Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12
• [Deps] update parse-asn1 [f427270`](browserify/browserify-sign@f427270)
• [Deps] update elliptic fb261ce
• [Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

• [Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

• Only apps should have lockfiles 09a8995
• [eslint] switch to eslint 83fe463
• [meta] add npmignore and auto-changelog 4418183
• [meta] fix package.json indentation 9ac5a5e
• [Tests] migrate from travis to github actions d845d85
• [Fix] sign: throw on unsupported padding scheme 8767739
• [Fix] properly check the upper bound for DSA signatures 85994cd
• [Tests] handle openSSL not supporting a scheme f5f17c2

... (truncated)

Commits

• d3a7458 v4.2.5
• 37b083c [Tests] clean up tests and convert console info skips to tape skips
• faade86 [Fix] restore node 0.10 support
• 5a0f159 [Deps] update parse-asn1
• 106be97 [actions] drop unsupported nodes from CI
• 9c37172 v4.2.4
• 6d5b280 [meta] remove files field
• 17920d9 [actions] split out node 10-20, and 20+
• 31be0c2 [Deps] update bn.js, browserify-rsa, elliptic
• ab975f4 [Dev Deps] add missing peer dep
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

• [Refactor] use to-buffer fd1e5ee
• [Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

• [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

• [Tests] standard -> eslint, make test dir, etc ae02fd6
• [Tests] migrate from travis to GHA 66387d7
• [meta] fix package.json indentation 5c02918
• [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
• [meta] add auto-changelog 88dc806
• [meta] add npmignore and safe-publish-latest 7a137d7
• Only apps should have lockfiles 42528f2
• [Deps] update inherits, safe-buffer 0e7a2d9
• [meta] add missing engines.node f2dc13e

Commits

• 0056718 v1.0.7
• fd1e5ee [Refactor] use to-buffer
• 08ba803 [Dev Deps] update @ljharb/eslint-config
• f5249f9 v1.0.6
• b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
• f03cebf v1.0.5
• 88dc806 [meta] add auto-changelog
• 7a137d7 [meta] add npmignore and safe-publish-latest
• 5c02918 [meta] fix package.json indentation
• 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Updates cookie from 0.3.1 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

0.4.2

• pref: read value only when assigning in parse
• pref: remove unnecessary regexp in parse

0.4.1

• Fix maxAge option to reject invalid values

0.4.0

• Add SameSite=None support

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates eazy-logger from 3.0.2 to 4.1.0

Commits

• a2e0ddc 4.1.0
• 5a4da5d Merge branch 'L-four-master'
• a8baa6f Reslove CVE-2024-57075 with and add a test.
• 0d0f106 4.0.1
• c332d9c chalk as dep
• ae4c862 4.0.0
• b8c266e just chalk
• 80dfac4 3.1.0
• efe424f deps: tfunk
• See full diff in compare view

Updates fsevents from 1.1.2 to 1.2.13

Release notes

Sourced from fsevents's releases.

Release v1.2.13

Only build on Mac-OSX

Release v1.2.11

Removing node-pre-gyp so that building fsevents becomes easier and enabled without the download of binaries.

The credentials to the AWS store have been lost. Releasing to AWS is both insecure and no longer possible due to the lost credentials.

Intermediate Release

No release notes provided.

Release v1.2.9 - Node v12 compatibility

No release notes provided.

Release Pre-NAPI v1.2.8

No release notes provided.

Version Bump (bundle node-pre-gyp)

No release notes provided.

Prebuilt v11.x

No release notes provided.

v1.2.3

• Added node v10 for pre-built binaries
• C++ tuning to fix potential SIGILL and cyclic dependency (#204)

v1.2.2

Fixed node-pre-gyp bundling issue

v1.2.1

[unpublished because of errors during publish process]

v1.2.0

• BREAKING: End support for Node v0.12. If you are using Node v0.12 please pin your fsevents dependencies to v1.1.3. Not bumping semver major for this release was a compromise solution discussed in #199 and #201.
  • Node v0.10 should continue to work with local compilation for now, but hosted pre-built binaries will no longer be provided. If this is a constraint for you, please pin to an earlier version.
• Fixed security vulnerability warnings by updating node-pre-gyp to ^0.9.0
• Compatibility updates for nan v2.9.0

v1.1.3

• Added node v9 for pre-built binaries
• Fixed bug related to using --no-bin-links option on install
• Updated node-pre-gyp to latest version (0.6.39)

Commits

• 844a05d Version Bump
• f393f2a Only build fsevents on macOS (#322)
• 6a281a7 [publish binary]
• acc2bce [publish binary]
• f532b6e [publish binary]
• 4c6a1c0 Add node 13 to travis matrix.
• 92e40aa Release 1.2.12.
• 909af26 Release v1.2.11
• 7074adb Release v1.2.10
• 0a052f6 Node.js v12 support for v1.x (#274)
• Additional commits viewable in compare view

Updates fstream from 1.0.11 to 1.0.12

Commits

• 4235459 1.0.12
• 6a77d2f Clobber a Link if it's in the way of a File
• See full diff in compare view

Removes hoek

Updates lodash from 3.10.1 to 4.17.21

Release notes

Sourced from lodash's releases.

4.0.0

lodash v4.0.0

2015 was big year! Lodash became the most depended on npm package, passed 1 billion downloads, & its v3 release saw massive adoption!

The year was also one of collaboration, as discussions began on merging Lodash & Underscore. Much of Lodash v4 is proofing out the ideas from those discussions. Lodash v4 would not be possible without the collaboration & contributions of the Underscore core team. In the spirit of merging our teams have blended with several members contributing to both libraries.

For 2016 & lodash v4.0.0 we wanted to cut loose, push forward, & take things up a notch!

Modern only

With v4 we’re breaking free from old projects, old environments, & dropping old IE < 9 support!

4 kB Core

Lodash’s kitchen-sink size will continue to grow as new methods & functionality are added. However, we now offer a 4 kB (gzipped) core build that’s compatible with Backbone v1.2.4 for folks who want Lodash without lugging around the kitchen sink.

More ES6

We’ve continued to embrace ES6 with methods like _.isSymbol, added support for cloning & comparing array buffers, maps, sets, & symbols, converting iterators to arrays, & iterable _(…).

In addition, we’ve published an es-build & pulled babel-plugin-lodash into core to make tree-shaking a breeze.

More Modular

Pop quiz! 📣

What category path does the bindAll method belong to? Is it

A) require('lodash/function/bindAll') B) require('lodash/utility/bindAll') C) require('lodash/util/bindAll')

Don’t know? Well, with v4 it doesn’t matter because now module paths are as simple as

var bindAll = require('lodash/bindAll');

We’ve also reduced module complexity making it easier to create smaller bundles. This has helped Lodash adoption with libraries like Async & Redux!

1st Class FP

With v3 we introduced lodash-fp. We learned a lot & with v4 we decided to pull it into core.

Now you can get immutable, auto-curried, iteratee-first, data-last methods as simply as

var _ = require('lodash/fp');
var object = { 'a': 1 };
</tr></table> 

... (truncated)

Commits

• f299b52 Bump to v4.17.21
• c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
• 3469357 Prevent command injection through _.template's variable option
• ded9bc6 Bump to v4.17.20.
• 63150ef Documentation fixes.
• 00f0f62 test.js: Remove trailing comma.
• 846e434 Temporarily use a custom fork of lodash-cli.
• 5d046f3 Re-enable Travis tests on 4.17 branch.
• aa816b3 Remove /npm-package.
• d7fbc52 Bump to v4.17.19
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates macaddress from 0.2.8 to 0.2.9

Release notes

Sourced from macaddress's releases.

v0.2.9

• Fixes an arbitrary command execution vulnerability (scravy/node-macaddress#16)
• Adds support for freebsd
• Fixes a few typos

Commits

• 3379146 Added note about vulnerability
• 4d311a5 Set version 0.2.9
• b83e3f8 Merge pull request #11 from TheBeastOfCaerbannog/master
• 68ecfae Added explicit LICENSE file recognizable by github
• e3e76d5 Support for freebsd as per pull #16
• 6ab7a11 Merge pull request #13 from roebuk/master
• 4d10ca6 Merge pull request #17 from dekoding/patch-1
• 358fd59 Merge pull request #20 from flypapertech/fixCommandInjection
• 214ad00 Run travis against osx and linux, travis doesn't do windows
• 7b0a488 Fix for Node 0.8 thru 0.10
• Additional commits viewable in compare view

Updates minimist from 0.0.8 to 1.2.8

Changelog

Sourced from minimist's changelog.

v1.2.8 - 2023-02-09

Merged

• [Fix] Fix long option followed by single dash [#17](https://github.com/minimistjs/minimist/issues/17)
• [Tests] Remove duplicate test [#12](https://github.com/minimistjs/minimist/issues/12)
• [Fix] opt.string works with multiple aliases [#10](https://github.com/minimistjs/minimist/issues/10)

Fixed

• [Fix] Fix long option followed by single dash (#17) [#15](https://github.com/minimistjs/minimist/issues/15)
• [Tests] Remove duplicate test (#12) [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] Fix long option followed by single dash [#15](https://github.com/minimistjs/minimist/issues/15)
• [Fix] opt.string works with multiple aliases (#10) [#9](https://github.com/minimistjs/minimist/issues/9)
• [Fix] Fix handling of short option with non-trivial equals [#5](https://github.com/minimistjs/minimist/issues/5)
• [Tests] Remove duplicate test [#8](https://github.com/minimistjs/minimist/issues/8)
• [Fix] opt.string works with multiple aliases [#9](https://github.com/minimistjs/minimist/issues/9)

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

v1.2.7 - 2022-10-10

Commits

... (truncated)

Commits

• 6901ee2 v1.2.8
• a026794 Merge tag 'v0.2.3'
• c0b2661 v0.2.3
• 63b8fee [Fix] Fix long option followed by single dash (#17)
• 72239e6 [Tests] Remove duplicate test (#12)
• 34b0f1c [eslint] fix indentation
• 3226afa [Dev Deps] add missing npmignore dev dep
• 098873c [Dev Deps] update @ljharb/eslint-config, aud
• 9ec4d27 [Fix] Fix long option followed by single dash
• ba92fe6 [actions] Avoid 0.6 tests due to build failures
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for minimist since your current version.

Updates pbkdf2 from 3.0.12 to 3.0.14

Changelog

Sourced from pbkdf2's changelog.

v3.0.14 - 2017-09-08

Merged

• use the local implementations if crypto.bpkdf2Sync [#72](https://github.com/browserify/pbkdf2/issues/72)

Commits

• use the local implementations if either crypto.bpkdf2Sync doesn't exist OR it doesn't contain the marker string 9132b7a

v3.0.13 - 2017-08-02

Merged

• fail better when node version loaded in browser [#71](https://github.com/browserify/pbkdf2/issues/71)
• remove unnecessary r, T values [#68](https://github.com/browserify/pbkdf2/issues/68)

Commits

• tests: add dkLen < and > c3d2998
• align definitions with assignment, formatting 5c50528
• li...

  Description has been truncated