Bump the npm_and_yarn group across 1 directory with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates in the / directory:

Package	From	To
postcss	8.4.35	8.4.36
braces	3.0.2	3.0.3
webpack-cli	3.3.12	5.1.4
express	4.18.3	4.19.2
json5	0.5.1	2.2.3
find-babel-config	1.2.0	1.2.2
follow-redirects	1.15.5	1.15.6
ws	7.5.9	7.5.10
webpack-dev-middleware	5.3.3	5.3.4
xmldom	0.5.0	removed
svg-spritemap-webpack-plugin	3.9.1	4.5.1

Updates postcss from 8.4.35 to 8.4.36

Release notes

Sourced from postcss's releases.

8.4.36

• Fixed original.column are not numbers error on broken previous source map.

Changelog

Sourced from postcss's changelog.

8.4.36

• Fixed original.column are not numbers error on broken previous source map.

Commits

• e5ad939 Release 8.4.36 version
• 1325896 Use new feature to prevent errors on broken map
• 25354bd Move to ESLint flat config
• f060b06 Update CI
• 646d610 Update dependencies
• See full diff in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates webpack-cli from 3.3.12 to 5.1.4

Release notes

Sourced from webpack-cli's releases.

v5.1.4

5.1.4 (2023-06-07)

Bug Fixes

• multi compiler progress output (f659624)

v5.1.3

5.1.3 (2023-06-04)

Bug Fixes

• regression for custom configurations (#3834) (bb4f8eb)

v5.1.2

5.1.2 (2023-06-04)

Bug Fixes

• improve check for custom webpack and webpack-dev-server package existance (0931ab6)
• improve help for some flags (f468614)
• improved support for .cts and .mts extensions (a77daf2)

v5.1.1

5.1.1 (2023-05-09)

Bug Fixes

• false positive warning when --watch used (#3783) (c0436ba)

v5.1.0

5.1.0 (2023-05-07)

Features

• shareable webpack configs using extends (#3738) (d04d0b9)

Performance Improvements

• simplify logic, reduce extra loops and perf (#3767) (6afe1d3)

v5.0.2

5.0.2 (2023-04-21)

Bug Fixes

• error message for missing default export in configuration (#3685) (e0a4a09)
• perf: reduced startup time (3b79059)

v5.0.1

... (truncated)

Changelog

Sourced from webpack-cli's changelog.

5.1.4 (2023-06-07)

Bug Fixes

• multi compiler progress output (f659624)

5.1.3 (2023-06-04)

Bug Fixes

• regression for custom configurations (#3834) (bb4f8eb)

5.1.2 (2023-06-04)

Bug Fixes

• improve check for custom webpack and webpack-dev-server package existance (0931ab6)
• improve help for some flags (f468614)
• improved support for .cts and .mts extensions (a77daf2)

5.1.1 (2023-05-09)

Bug Fixes

• false positive warning when --watch used (#3783) (c0436ba)

5.1.0 (2023-05-07)

Features

• shareable webpack configs using extends (#3738) (d04d0b9)

Performance Improvements

• simplify logic, reduce extra loops and perf (#3767) (6afe1d3)

5.0.2 (2023-04-21)

Bug Fixes

• error message for missing default export in configuration (#3685) (e0a4a09)
• perf: reduced startup time (3b79059)

5.0.1 (2022-12-05)

Bug Fixes

• make define-process-env-node-env alias node-env (#3514) (346a518)

5.0.0 (2022-11-17)

... (truncated)

Commits

• e07f0e5 chore(release): publish new version
• 0345c6f chore(deps-dev): bump @​typescript-eslint/parser from 5.59.8 to 5.59.9 (#3839)
• f659624 fix: multi compiler progress output
• 0d1ff01 chore(deps-dev): bump webpack from 5.85.0 to 5.85.1 (#3837)
• a7ec146 chore(deps-dev): bump @​typescript-eslint/eslint-plugin (#3838)
• 9464635 chore(deps-dev): bump eslint from 8.41.0 to 8.42.0 (#3835)
• cf1796f docs: update changelog
• 7899c39 chore(release): publish new version
• bb4f8eb fix: regression for custom configurations (#3834)
• 14b9c18 docs: update changelog
• Additional commits viewable in compare view

Updates express from 4.18.3 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: expressjs/express@4.18.3...4.19.0

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates json5 from 0.5.1 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

• Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2

• Fix: Bump minimist to v1.2.5. (#222)

v2.1.1

• New: package.json and package.json5 include a module property so bundlers like webpack, rollup and parcel can take advantage of the ES Module build. (#208)
• Fix: stringify outputs \0 as \\x00 when followed by a digit. (#210)
• Fix: Spelling mistakes have been fixed. (#196)

v2.1.0

• New: The index.mjs and index.min.mjs browser builds in the dist directory support ES6 modules. (#187)

v2.0.1

• Fix: The browser builds in the dist directory support ES5. (#182)

v2.0.0

• Major: JSON5 officially supports Node.js v6 and later. Support for Node.js v4 has been dropped. Since Node.js v6 supports ES5 features, the code has been rewritten in native ES5, and the dependence on Babel has been eliminated.

• New: Support for Unicode 10 has been added.

• New: The test framework has been migrated from Mocha to Tap.

• New: The browser build at dist/index.js is no longer minified by default. A minified version is available at dist/index.min.js. (#181)

• Fix: The warning has been made clearer when line and paragraph separators are

... (truncated)

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

• Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

• Fix: Bump minimist to v1.2.5. (#222)

v2.1.1 [code, [diff][d2.1.1]]

... (truncated)

Commits

• c3a7524 2.2.3
• 94fd06d docs: update CHANGELOG for v2.2.3
• 3b8cebf docs(security): use GitHub security advisories
• f0fd9e1 docs: publish a security policy
• 6a91a05 docs(template): bug -> bug report
• 14f8cb1 2.2.2
• 10cc7ca docs: update CHANGELOG for v2.2.2
• 7774c10 fix: add proto to objects and arrays
• edde30a Readme: slight tweak to intro
• 97286f8 Improve example in readme
• Additional commits viewable in compare view

Updates find-babel-config from 1.2.0 to 1.2.2

Changelog

Sourced from find-babel-config's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.1.1 (2024-04-17)

Bug Fixes

• Add node16 support back (#76) (97c759a)

2.1.0 (2024-04-17)

2.0.0 (2023-01-09)

⚠ BREAKING CHANGES

• The order of config file lookup is ".babelrc, .babelrc.js, babel.config.js, babel.config.json, package.json"
• Node 16 is the minimum supported version

Bug Fixes

• Fix order of config file lookup to be the same in sync and async functions (#38) (4fde4bb)

• Update dependencies (#37) (4198a93)

Commits

• See full diff in compare view

Updates follow-redirects from 1.15.5 to 1.15.6

Commits

• 35a517c Release version 1.15.6 of the npm package.
• c4f847f Drop Proxy-Authorization across hosts.
• 8526b4a Use GitHub for disclosure.
• See full diff in compare view

Updates ws from 7.5.9 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

• Backported e55e5106 to the 7.x release line (22c28763).

Commits

• d962d70 [dist] 7.5.10
• 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
• See full diff in compare view

Updates webpack-dev-middleware from 5.3.3 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Commits

• 86071ea chore(release): 5.3.4
• 189c4ac fix(security): do not allow to read files above (#1779)
• See full diff in compare view

Removes xmldom

Updates svg-spritemap-webpack-plugin from 3.9.1 to 4.5.1

Release notes

Sourced from svg-spritemap-webpack-plugin's releases.

v4.5.1

Fixed

• Several vulnerabilities in transitive dependencies (#215)

v4.5.0

Added

• A performance improvement that ensures the regeneration of the spritemap only happens when one of the source sprites is updated (#197)

v4.4.2

Fixed

• Issues with glob patterns for input files on Windows due to changes in glob@8; patterns must now use forward slashes as path separators (#195, #196)

v4.4.1

Fixed

• Generated spritemap SVG not being added to the chunk files correctly (#194)
• Patterns pointing directly to input files resulting in errors while running in watch mode (#192)

v4.4.0

Added

• A new output.svg.attributes option to allow specifying attributes that should be added to the root SVG element of the generated spritemap (#183), thanks to @​jgerigmeyer

v4.3.3

Fixed

• Values for [hash] and [contenthash] in output filename not getting updated properly in watch mode

v4.3.2

Fixed

• Specified default SVGO plugins were overwriting internal settings.

v4.3.1

Fixed

• Non-default SVGO plugins were not being initialized properly.

v4.3.0

Added

• Support for SVGO 2.4.0 in which the plugin system was overhauled.

Fixed

• Security/audit warning for dependency [email protected] (CVE-2021-32796)

v4.2.0

Added

• A new input.allowDuplicates option to allow files with duplicate names in the spritemap which is useful when combining this new option with the sprite.idify option (#172), thanks to @​Huntedpix

v4.1.0

Added

• The ability to specify an empty string for the sprite.prefix option (#169), thanks to @​domq

v4.0.3

Fixed

... (truncated)

Commits

• 5a30a15 4.5.1
• 6d01fe3 Updated vulnerable transitive dependencies using npm audit fix
• c0f2d3d Bump @​babel/traverse from 7.18.5 to 7.23.2
• 404cf7e Bump json5 from 2.2.0 to 2.2.3
• f5ea0b1 Bump webpack from 5.73.0 to 5.76.0
• c80a862 Bump @​sideway/formula from 3.0.0 to 3.0.1
• 1ce5cbb Bump @​xmldom/xmldom from 0.8.3 to 0.8.4
• b6ac013 Bump loader-utils from 3.2.0 to 3.2.1
• c1f5e30 Bump @​xmldom/xmldom from 0.8.2 to 0.8.3
• b87c80d Bump terser from 5.7.2 to 5.14.2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.