chore: bump the npm_and_yarn group across 1 directory with 21 updates #3

dependabot · 2025-08-22T04:06:26Z

Bumps the npm_and_yarn group with 18 updates in the / directory:

Package	From	To
axios	`1.8.4`	`1.9.0`
@adobe/css-tools	`4.3.1`	`4.4.4`
@babel/helpers	`7.17.8`	`7.28.3`
@babel/runtime	`7.22.5`	`7.28.3`
@cypress/request	`2.88.10`	`2.88.12`
base-x	`3.0.9`	`3.0.11`
braces	`3.0.2`	`3.0.3`
cipher-base	`1.0.4`	`1.0.6`
ejs	`3.1.8`	`3.1.10`
express	`4.17.3`	`4.21.2`
http-proxy-middleware	`2.0.7`	`2.0.9`
micromatch	`4.0.5`	`4.0.8`
pbkdf2	`3.1.2`	`3.1.3`
rollup	`2.70.1`	`2.79.2`
sha.js	`2.4.11`	`2.4.12`
undici	`5.28.5`	`5.29.0`
webpack-dev-middleware	`5.3.1`	`5.3.4`
webpack	`5.76.1`	`5.101.3`

Updates axios from 1.8.4 to 1.9.0

Release notes

Sourced from axios's releases.

Release v1.9.0

Release notes:

Bug Fixes

core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)

fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)

headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)

headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)

headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)

http: send minimal end multipart boundary (#6661) (987d2e2)

types: fix autocomplete for adapter config (#6855) (e61a893)

Features

AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#5707) (80ea756)

Contributors to this release

Dmitriy Mozgovoy

Jay

Willian Agostini

George Cheng

FatahChan

Ionuț G. Stan

Changelog

Sourced from axios's changelog.

1.9.0 (2025-04-24)

Bug Fixes

core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)

fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)

headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)

headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)

headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)

http: send minimal end multipart boundary (#6661) (987d2e2)

types: fix autocomplete for adapter config (#6855) (e61a893)

Features

AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#5707) (80ea756)

Contributors to this release

Dmitriy Mozgovoy

Jay

Willian Agostini

George Cheng

FatahChan

Ionuț G. Stan

Commits

cdcfd21 chore(release): v1.9.0 (#6891)
987d2e2 fix(http): send minimal end multipart boundary (#6661)
f112edf chore(ci): add PR files guard action; (#6890)
61de4c0 chore(ci): update github actions; (#6889)
c3aba3d chore(ci): add labeler github action; (#6888)
f7a3b5e fix(headers): fixed support for setting multiple header values from an iterat...
e61a893 fix(types): fix autocomplete for adapter config (#6855)
6c5d4cd fix(core): fix the Axios constructor implementation to treat the config argum...
dfe8411 fix(fetch): fixed ERR_NETWORK mapping for Safari browsers; (#6767)
d4f7df4 fix(headers): fix getSetCookie by using 'get' method for caseless access; (...
Additional commits viewable in compare view

Updates @adobe/css-tools from 4.3.1 to 4.4.4

Changelog

Sourced from @adobe/css-tools's changelog.

[4.4.4] - 2025-07-22

Changed

Switch from yarn to npm for package management

Switch from eslint to biome for code formatting and linting

Reformat codebase to comply with biome recommendations

Switch from webpack to rollup for bundling

Fixed

Fix module exports to ensure proper compatibility with bundlers

Add validation check to prevent future export issues

[4.4.3] - 2025-05-15

Security

Fix polynomial regular expression vulnerability on uncontrolled data

Refactor code to enable GitHub security static analysis

Performance

Improve parsing performance with minor optimizations

Replace regex patterns with string search (indexOf-based) for better performance

Added

Add new utility functions with comprehensive unit tests

Add improved formatting for CSS Grid template areas (#283 by @jogibear9988)

Fixed

Fix TypeScript error with ConstructorParameters in Parcel bundler (#444)

[4.4.2] - 2025-02-12

Fixed

Fix regular expression for parsing quoted values in parentheses

[4.4.0] - 2024-06-05

Added

Add support for CSS @starting-style at-rule (#319)

[4.3.3] - 2024-01-24

Changed

Update package export configuration (#271)

[4.3.2] - 2023-11-28

Security

Fix ReDoS vulnerability with crafted CSS strings - CVE-2023-48631

Fixed

... (truncated)

Commits

See full diff in compare view

Updates @babel/helpers from 7.17.8 to 7.28.3

Release notes

Sourced from @babel/helpers's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

🐛 Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

💅 Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

📝 Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

🏠 Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

🔬 Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jam Balaya (@JamBalaya56562)

Nicolò Ribaudo (@nicolo-ribaudo)

easrng (@easrng)

v7.28.2 (2025-07-24)

Thanks @souhailaS for your first PR!

🐛 Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Nicolò Ribaudo (@nicolo-ribaudo)

SOUHAILA SERBOUT (@souhailaS)

@liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @babel/helpers's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

🐛 Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

💅 Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

📝 Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

🏠 Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

🔬 Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

#17426 fix: regenerator correctly handles throw outside of try (@liuxingbaoyu)

📝 Documentation

babel-types

#17422 Add missing FunctionParameter docs (@JLHwung)

↩️ Revert

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types

#17432 Do not mark OptionalMemberExpresion as LVal (@JLHwung)

v7.28.0 (2025-07-02)

🚀 New Feature

babel-node

#17147 Support top level await in node repl (@liuxingbaoyu)

babel-types

... (truncated)

Commits

ef155f5 v7.28.3
741cbd2 chore: fix various typos across codebase (#17476)
cac0ff4 v7.28.2
f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
baa4cb8 v7.27.6
fdbf1b3 fix: finally causes unexpected return value (#17366)
7d06930 v7.27.4
5b9468d Reduce regenerator size more (#17287)
cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
49c0dbb Fix iterator compatibility of regeneratorValues (#17335)
Additional commits viewable in compare view

Updates @babel/runtime from 7.22.5 to 7.28.3

Release notes

Sourced from @babel/runtime's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

🐛 Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

💅 Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

📝 Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

🏠 Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

🔬 Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jam Balaya (@JamBalaya56562)

Nicolò Ribaudo (@nicolo-ribaudo)

easrng (@easrng)

v7.28.2 (2025-07-24)

Thanks @souhailaS for your first PR!

🐛 Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Nicolò Ribaudo (@nicolo-ribaudo)

SOUHAILA SERBOUT (@souhailaS)

@liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @babel/runtime's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

#17443 [static blocks] Do not inject new static fields after static code (@nicolo-ribaudo)

🐛 Bug Fix

babel-parser

#17465 fix(parser/typescript): parse import("./a", {with:{},}) (@easrng)

#17478 fix(parser): stop subscript parsing on async arrow (@JLHwung)

💅 Polish

babel-plugin-transform-regenerator, babel-plugin-transform-runtime

#17363 Do not save last yield in call in temp var (@nicolo-ribaudo)

📝 Documentation

#17448 move eslint-{parser,plugin} docs to the website (@JLHwung)

🏠 Internal

#17454 Enable type checking for scripts and babel-worker.cjs (@JLHwung)

🔬 Output optimization

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

#17444 Optimize do expression output (@JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

babel-types

#17445 [babel 7] Make operator param in t.tsTypeOperator optional (@nicolo-ribaudo)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17441 fix: regeneratorDefine compatibility with es5 strict mode (@liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

#17426 fix: regenerator correctly handles throw outside of try (@liuxingbaoyu)

📝 Documentation

babel-types

#17422 Add missing FunctionParameter docs (@JLHwung)

↩️ Revert

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types

#17432 Do not mark OptionalMemberExpresion as LVal (@JLHwung)

v7.28.0 (2025-07-02)

🚀 New Feature

babel-node

#17147 Support top level await in node repl (@liuxingbaoyu)

babel-types

... (truncated)

Commits

ef155f5 v7.28.3
cac0ff4 v7.28.2
f68ac51 chore: Avoid CITGM errors (#17382)
baa4cb8 v7.27.6
7d06930 v7.27.4
5b9468d Reduce regenerator size more (#17287)
cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
a0690e3 Split regeneratorRuntime into multiple helpers (#17238)
da5e371 v7.27.3
eebd3a0 v7.27.1
Additional commits viewable in compare view

Updates @cypress/request from 2.88.10 to 2.88.12

Release notes

Sourced from @cypress/request's releases.

v2.88.12

2.88.12 (2023-08-01)

Bug Fixes

request: update tough-cookie dep (0664780)

v2.88.11

2.88.11 (2023-01-11)

Bug Fixes

Remove badges no longer used or relevant (#19) (24a977e)

Commits

0664780 fix(request): update tough-cookie dep
30def80 Merge pull request #39 from cypress-io/jordanpowell88/update-pkg-version
6b79405 update package version
bfbb95f Merge pull request #32 from BreakBB/fix-cve-2023-26136
a67e132 pin 18.16
825485a revert back to yarn but v 18
3bce354 update workflow to use npm
4ceb20b Merge branch 'master' into fix-cve-2023-26136
228831e Merge pull request #38 from cypress-io/benm/github-workflows-update
f6ee03f chore: add in workflows for github. update workflow actions
Additional commits viewable in compare view

Updates base-x from 3.0.9 to 3.0.11

Commits

043a888 3.0.11
2705ddd [backport 3.x] Prohibit char codes that would overflow the BASE_MAP
3d43c0e 3.0.10
0a35446 Improve decoding performance
See full diff in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

74b2db2 3.0.3
88f1429 update eslint. lint, fix unit tests.
415d660 Snyk js braces 6838727 (#40)
190510f fix tests, skip 1 test in test/braces.expand
716eb9f readme bump
a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
98414f9 remove funding file
665ab5d update keepEscaping doc (#27)
Additional commits viewable in compare view

Updates cipher-base from 1.0.4 to 1.0.6

Changelog

Sourced from cipher-base's changelog.

v1.0.6 - 2024-11-26

Commits

[Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

[Tests] standard -> eslint, make test dir, etc ae02fd6

[Tests] migrate from travis to GHA 66387d7

[meta] fix package.json indentation 5c02918

[Fix] return valid values on multi-byte-wide TypedArray input 8fd1364

[meta] add auto-changelog 88dc806

[meta] add npmignore and safe-publish-latest 7a137d7

Only apps should have lockfiles 42528f2

[Deps] update inherits, safe-buffer 0e7a2d9

[meta] add missing engines.node f2dc13e

Commits

f5249f9 v1.0.6
b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
f03cebf v1.0.5
88dc806 [meta] add auto-changelog
7a137d7 [meta] add npmignore and safe-publish-latest
5c02918 [meta] fix package.json indentation
8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
66387d7 [Tests] migrate from travis to GHA
f2dc13e [meta] add missing engines.node
0e7a2d9 [Deps] update inherits, safe-buffer
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Updates ejs from 3.1.8 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

v3.1.9

Version 3.1.9

Commits

d3f807d Version 3.1.10
9ee26dd Mocha TDD
e469741 Basic pollution protection
715e950 Merge pull request #756 from Jeffrey-mu/main
cabe314 Include advanced usage examples
29b076c Added header
11503c7 Merge branch 'main' of github.com:mde/ejs into main
7690404 Added security banner to README
f47d7ae Update SECURITY.md
828cea1 Update SECURITY.md
Additional commits viewable in compare view

Updates express from 4.17.3 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

finalhandler@1.3.1 by @wesleytodd in expressjs/express#5954

fix(deps): serve-static@1.16.2 by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

1faf228 4.21.2
2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)
59fc270 deps: path-to-regexp@0.1.11 (#5956)
51fc39c docs: add funding (#6065)
8e229f9 4.21.1
a024c8a fix(deps): cookie@0.7.1
7e562c6 4.21.0
1bcde96 fix(deps): qs@6.13.0 (#5946)
7d36477 fix(deps): serve-static@1.16.2 (#5951)
40d2d8f fix(deps): finalhandler@1.3.1
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates http-proxy-middleware from 2.0.7 to 2.0.9

Release notes

Sourced from http-proxy-middleware's releases.

v2.0.9

What's Changed

fix(fixRequestBody): check readableLength by @chimurai in chimurai/http-proxy-middleware#1097

chore(package): v2.0.9 by @chimurai in chimurai/http-proxy-middleware#1099

Full Changelog: chimurai/http-proxy-middleware@v2.0.8...v2.0.9

v2.0.8

What's Changed

fix(fixRequestBody): prevent multiple .write() calls by @chimurai in chimurai/http-proxy-middleware#1090

fix(fixRequestBody): handle invalid request by @chimurai in chimurai/http-proxy-middleware#1091

chore(package): v2.0.8 by @chimurai in chimurai/http-proxy-middleware#1094

Full Changelog: chimurai/http-proxy-middleware@v2.0.7...v2.0.8

Changelog

Sourced from http-proxy-middleware's changelog.

v2.0.9

fix(fixRequestBody): check readableLength

v2.0.8

fix(fixRequestBody): prevent multiple .write() calls

fix(fixRequestBody): handle invalid request

Commits

617a7c9 chore(package): v2.0.9 (#1099)
d22d587 fix(fixRequestBody): check readableLength (#1097)
d03d51b chore(package): v2.0.8 (#1094)
c50dd06 fix(fixRequestBody): handle invalid request (#1091)
76a9d8d fix(fixRequestBody): prevent multiple .write() calls (#1090)
See full diff in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

this is basically v4.0.5, with some README updates

it is vulnerable to CVE-2024-4067

Updated braces to v3.0.3 to avoid CVE-2024-4068

does NOT break API compatibility<...
Description has been truncated

Bumps the npm_and_yarn group with 18 updates in the / directory: | Package | From | To | | --- | --- | --- | | [axios](https://github.com/axios/axios) | `1.8.4` | `1.9.0` | | [@adobe/css-tools](https://github.com/adobe/css-tools) | `4.3.1` | `4.4.4` | | [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) | `7.17.8` | `7.28.3` | | [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) | `7.22.5` | `7.28.3` | | [@cypress/request](https://github.com/cypress-io/request) | `2.88.10` | `2.88.12` | | [base-x](https://github.com/cryptocoinjs/base-x) | `3.0.9` | `3.0.11` | | [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` | | [cipher-base](https://github.com/crypto-browserify/cipher-base) | `1.0.4` | `1.0.6` | | [ejs](https://github.com/mde/ejs) | `3.1.8` | `3.1.10` | | [express](https://github.com/expressjs/express) | `4.17.3` | `4.21.2` | | [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) | `2.0.7` | `2.0.9` | | [micromatch](https://github.com/micromatch/micromatch) | `4.0.5` | `4.0.8` | | [pbkdf2](https://github.com/crypto-browserify/pbkdf2) | `3.1.2` | `3.1.3` | | [rollup](https://github.com/rollup/rollup) | `2.70.1` | `2.79.2` | | [sha.js](https://github.com/crypto-browserify/sha.js) | `2.4.11` | `2.4.12` | | [undici](https://github.com/nodejs/undici) | `5.28.5` | `5.29.0` | | [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) | `5.3.1` | `5.3.4` | | [webpack](https://github.com/webpack/webpack) | `5.76.1` | `5.101.3` | Updates `axios` from 1.8.4 to 1.9.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.8.4...v1.9.0) Updates `@adobe/css-tools` from 4.3.1 to 4.4.4 - [Changelog](https://github.com/adobe/css-tools/blob/main/docs/CHANGELOG.md) - [Commits](https://github.com/adobe/css-tools/commits) Updates `@babel/helpers` from 7.17.8 to 7.28.3 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.28.3/packages/babel-helpers) Updates `@babel/runtime` from 7.22.5 to 7.28.3 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.28.3/packages/babel-runtime) Updates `@cypress/request` from 2.88.10 to 2.88.12 - [Release notes](https://github.com/cypress-io/request/releases) - [Changelog](https://github.com/cypress-io/request/blob/master/CHANGELOG.md) - [Commits](cypress-io/request@v2.88.10...v2.88.12) Updates `base-x` from 3.0.9 to 3.0.11 - [Commits](cryptocoinjs/base-x@v3.0.9...v3.0.11) Updates `braces` from 3.0.2 to 3.0.3 - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) Updates `cipher-base` from 1.0.4 to 1.0.6 - [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md) - [Commits](browserify/cipher-base@v1.0.4...v1.0.6) Updates `ejs` from 3.1.8 to 3.1.10 - [Release notes](https://github.com/mde/ejs/releases) - [Commits](mde/ejs@v3.1.8...v3.1.10) Updates `express` from 4.17.3 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](expressjs/express@4.17.3...4.21.2) Updates `http-proxy-middleware` from 2.0.7 to 2.0.9 - [Release notes](https://github.com/chimurai/http-proxy-middleware/releases) - [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.9/CHANGELOG.md) - [Commits](chimurai/http-proxy-middleware@v2.0.7...v2.0.9) Updates `micromatch` from 4.0.5 to 4.0.8 - [Release notes](https://github.com/micromatch/micromatch/releases) - [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md) - [Commits](micromatch/micromatch@4.0.5...4.0.8) Updates `path-to-regexp` from 0.1.7 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](pillarjs/path-to-regexp@v0.1.7...v0.1.12) Updates `pbkdf2` from 3.1.2 to 3.1.3 - [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md) - [Commits](browserify/pbkdf2@v3.1.2...v3.1.3) Updates `rollup` from 2.70.1 to 2.79.2 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v2.70.1...v2.79.2) Updates `send` from 0.17.2 to 0.19.0 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.17.2...0.19.0) Updates `serve-static` from 1.14.2 to 1.16.2 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/v1.16.2/HISTORY.md) - [Commits](expressjs/serve-static@v1.14.2...v1.16.2) Updates `sha.js` from 2.4.11 to 2.4.12 - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md) - [Commits](browserify/sha.js@v2.4.11...v2.4.12) Updates `undici` from 5.28.5 to 5.29.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.28.5...v5.29.0) Updates `webpack-dev-middleware` from 5.3.1 to 5.3.4 - [Release notes](https://github.com/webpack/webpack-dev-middleware/releases) - [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md) - [Commits](webpack/webpack-dev-middleware@v5.3.1...v5.3.4) Updates `webpack` from 5.76.1 to 5.101.3 - [Release notes](https://github.com/webpack/webpack/releases) - [Commits](webpack/webpack@v5.76.1...v5.101.3) --- updated-dependencies: - dependency-name: axios dependency-version: 1.9.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@adobe/css-tools" dependency-version: 4.4.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@babel/helpers" dependency-version: 7.28.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@babel/runtime" dependency-version: 7.28.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@cypress/request" dependency-version: 2.88.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: base-x dependency-version: 3.0.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: braces dependency-version: 3.0.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: cipher-base dependency-version: 1.0.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ejs dependency-version: 3.1.10 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express dependency-version: 4.21.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: http-proxy-middleware dependency-version: 2.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: micromatch dependency-version: 4.0.8 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-version: 0.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: pbkdf2 dependency-version: 3.1.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 2.79.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.19.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: sha.js dependency-version: 2.4.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: undici dependency-version: 5.29.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: webpack-dev-middleware dependency-version: 5.3.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.101.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Aug 22, 2025

dependabot bot mentioned this pull request Aug 22, 2025

chore: bump the npm_and_yarn group across 1 directory with 20 updates #2

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: bump the npm_and_yarn group across 1 directory with 21 updates #3

chore: bump the npm_and_yarn group across 1 directory with 21 updates #3

Uh oh!

dependabot bot commented on behalf of github Aug 22, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

chore: bump the npm_and_yarn group across 1 directory with 21 updates #3

Are you sure you want to change the base?

chore: bump the npm_and_yarn group across 1 directory with 21 updates #3

Uh oh!

Conversation

dependabot bot commented on behalf of github Aug 22, 2025

Release v1.9.0

Release notes:

Bug Fixes

Features

Contributors to this release

1.9.0 (2025-04-24)

Bug Fixes

Features

Contributors to this release

[4.4.4] - 2025-07-22

Changed

Fixed

[4.4.3] - 2025-05-15

Security

Performance

Added

Fixed

[4.4.2] - 2025-02-12

Fixed

[4.4.0] - 2024-06-05

Added

[4.3.3] - 2024-01-24

Changed

[4.3.2] - 2023-11-28

Security

Fixed

v7.28.3 (2025-08-14)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

📝 Documentation

🏠 Internal

🔬 Output optimization

Committers: 5

v7.28.2 (2025-07-24)

🐛 Bug Fix

Committers: 4

v7.28.1 (2025-07-12)

v7.28.3 (2025-08-14)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

📝 Documentation

🏠 Internal

🔬 Output optimization

v7.28.2 (2025-07-24)

🐛 Bug Fix

v7.28.1 (2025-07-12)

🐛 Bug Fix

📝 Documentation

↩️ Revert

v7.28.0 (2025-07-02)

🚀 New Feature

v7.28.3 (2025-08-14)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

📝 Documentation

🏠 Internal

🔬 Output optimization

Committers: 5

v7.28.2 (2025-07-24)

🐛 Bug Fix

Committers: 4

v7.28.1 (2025-07-12)

v7.28.3 (2025-08-14)

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

📝 Documentation

🏠 Internal

🔬 Output optimization

v7.28.2 (2025-07-24)

🐛 Bug Fix