Bump the npm_and_yarn group across 1 directory with 21 updates #3

dependabot · 2024-03-18T03:45:20Z

Bumps the npm_and_yarn group with 17 updates in the / directory:

Package	From	To
moment	`2.24.0`	`2.29.4`
@babel/traverse	`7.7.4`	`7.24.0`
async	`2.6.3`	`2.6.4`
browserify-sign	`4.0.4`	`4.2.3`
decode-uri-component	`0.2.0`	`0.2.2`
eventsource	`1.0.7`	`1.1.2`
follow-redirects	`1.5.10`	`1.15.6`
bundlesize	`0.18.0`	`0.18.2`
jsdom	`11.12.0`	`16.7.0`
react-scripts	`3.4.0`	`5.0.1`
lodash-es	`4.17.15`	`4.17.21`
minimatch	`3.0.4`	`3.0.8`
minimist	`1.2.5`	`1.2.8`
handlebars	`4.5.3`	`4.7.8`
qs	`6.5.2`	`6.5.3`
shell-quote	`1.7.2`	`1.8.1`
ua-parser-js	`0.7.20`	`0.7.37`

Updates moment from 2.24.0 to 2.29.4

Changelog

Sourced from moment's changelog.

2.29.4

Release Jul 6, 2022

#6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

Release Apr 17, 2022

#5995 [bugfix] Remove const usage

#5990 misc: fix advisory link

2.29.2 See full changelog

Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

2.29.1 See full changelog

Release Oct 6, 2020

Updated deprecation message, bugfix in hi locale

2.29.0 See full changelog

Release Sept 22, 2020

New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

2.28.0 See full changelog

Release Sept 13, 2020

Fix bug where .format() modifies original instance, and locale updates

2.27.0 See full changelog

Release June 18, 2020

Added Turkmen locale, other locale improvements, slight TypeScript fixes

2.26.0 See full changelog

Release May 19, 2020

... (truncated)

Commits

000ac18 Build 2.24.4
f2006b6 Bump version to 2.24.4
536ad0c Update changelog for 2.29.4
9a3b589 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
6374fd8 Merge branch 'master' into develop
b4e6153 Revert "[bugfix] Fix redos in preprocessRFC2822 regex (#6015)"
7aebb16 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
57c9062 Build 2.29.3
aaf50b6 Fixup release complaints
26f4aef Bump version to 2.29.3
Additional commits viewable in compare view

Updates @babel/traverse from 7.7.4 to 7.24.0

Release notes

Sourced from @babel/traverse's releases.

v7.24.0 (2024-02-28)

Thanks @ajihyf for your first PR!

Release post with summary and highlights: https://babeljs.io/7.24.0

🚀 New Feature

babel-standalone

#11696 Export babel tooling packages in @babel/standalone (@ajihyf)

babel-core, babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-class-properties

#16267 Implement noUninitializedPrivateFieldAccess assumption (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-syntax-decorators, babel-plugin-transform-class-properties, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16242 Support decorator 2023-11 normative updates (@JLHwung)

babel-preset-flow

#16309 [babel 7] Allow setting ignoreExtensions in Flow preset (@nicolo-ribaudo)

#16284 Add experimental_useHermesParser option in preset-flow (@liuxingbaoyu)

babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-standalone

#16172 Add transform support for JSON modules imports (@nicolo-ribaudo)

babel-plugin-transform-runtime

#16241 Add back moduleName option to @babel/plugin-transform-runtime (@nicolo-ribaudo)

babel-parser, babel-types

#16277 Allow import attributes for TSImportType (@sosukesuzuki)

🐛 Bug Fix

babel-plugin-proposal-do-expressions, babel-traverse

#16305 fix: avoid popContext on unvisited node paths (@JLHwung)

babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object

#16312 Fix class private properties when privateFieldsAsSymbols (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods

#16307 Fix the support of arguments in private get/set method (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators

#16287 Reduce decorator static property size (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16281 Fix evaluation order of decorators with cached receiver (@nicolo-ribaudo)

#16279 Fix decorator this memoization (@JLHwung)

#16266 Preserve static on decorated private accessor (@nicolo-ribaudo)

#16258 fix: handle decorated async private method and generator (@JLHwung)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-preset-env

#16275 Fix class private properties when privateFieldsAsProperties (@liuxingbaoyu)

babel-helpers

#16268 Do not consider arguments in a helper as a global reference (@nicolo-ribaudo)

babel-helpers, babel-plugin-proposal-decorators

#16270 Handle symbol key class elements decoration (@JLHwung)

#16265 Do not define access.get for public setter decorators (@nicolo-ribaudo)

💅 Polish

babel-core, babel-helper-create-class-features-plugin, babel-preset-env

#12428 Suggest using BABEL_SHOW_CONFIG_FOR for config problems (@nicolo-ribaudo)

🏠 Internal

... (truncated)

Changelog

Sourced from @babel/traverse's changelog.

v7.24.0 (2024-02-28)

🚀 New Feature

babel-standalone

#11696 Export babel tooling packages in @babel/standalone (@ajihyf)

babel-core, babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-class-properties

#16267 Implement noUninitializedPrivateFieldAccess assumption (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-syntax-decorators, babel-plugin-transform-class-properties, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16242 Support decorator 2023-11 normative updates (@JLHwung)

babel-preset-flow

#16309 [babel 7] Allow setting ignoreExtensions in Flow preset (@nicolo-ribaudo)

#16284 Add experimental_useHermesParser option in preset-flow (@liuxingbaoyu)

babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-standalone

#16172 Add transform support for JSON modules imports (@nicolo-ribaudo)

babel-plugin-transform-runtime

#16241 Add back moduleName option to @babel/plugin-transform-runtime (@nicolo-ribaudo)

babel-parser, babel-types

#16277 Allow import attributes for TSImportType (@sosukesuzuki)

🐛 Bug Fix

babel-plugin-proposal-do-expressions, babel-traverse

#16305 fix: avoid popContext on unvisited node paths (@JLHwung)

babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object

#16312 Fix class private properties when privateFieldsAsSymbols (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods

#16307 Fix the support of arguments in private get/set method (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators

#16287 Reduce decorator static property size (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16281 Fix evaluation order of decorators with cached receiver (@nicolo-ribaudo)

#16279 Fix decorator this memoization (@JLHwung)

#16266 Preserve static on decorated private accessor (@nicolo-ribaudo)

#16258 fix: handle decorated async private method and generator (@JLHwung)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-preset-env

#16275 Fix class private properties when privateFieldsAsProperties (@liuxingbaoyu)

babel-helpers

#16268 Do not consider arguments in a helper as a global reference (@nicolo-ribaudo)

babel-helpers, babel-plugin-proposal-decorators

#16270 Handle symbol key class elements decoration (@JLHwung)

#16265 Do not define access.get for public setter decorators (@nicolo-ribaudo)

💅 Polish

babel-core, babel-helper-create-class-features-plugin, babel-preset-env

#12428 Suggest using BABEL_SHOW_CONFIG_FOR for config problems (@nicolo-ribaudo)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16278 Continue writing output.js when exec.js throws (@liuxingbaoyu)

🔬 Output optimization

... (truncated)

Commits

ce59160 v7.24.0
bd5abd5 fix: avoid popContext on unvisited node paths (#16305)
08a057c Use Object.hasOwn when available (#16248)
a0dd614 v7.23.9
1200542 fix: Don't throw in getTypeAnnotation when using TS+inference (#15383)
e428a6d v7.23.7
d292822 fix: Crash when removing without Program (#16191)
d02c1f7 v7.23.6
cce807f Bump debug to ^4.3.1 (#16164)
8479012 v7.23.5
Additional commits viewable in compare view

Updates async from 2.6.3 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

Fix potential prototype pollution exploit (#1828)

Commits

c6bdaca Version 2.6.4
8870da9 Update built files
4df6754 update changelog
8f7f903 Fix prototype pollution vulnerability (#1828)
See full diff in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Updates browserify-sign from 4.0.4 to 4.2.3

Changelog

Sourced from browserify-sign's changelog.

v4.2.3 - 2024-03-05

Commits

[patch] widen support to 0.12 9247adf

[patch] drop minimum node support to v1 4d0ee49

[Dev Deps] update aud, npmignore, tape 87f3a35

[actions] remove redundant finisher 37a4758

[Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12

[Deps] update parse-asn1 [f427270`](browserify/browserify-sign@f427270)

[Deps] update elliptic fb261ce

[Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

[Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

Only apps should have lockfiles 09a8995

[eslint] switch to eslint 83fe463

[meta] add npmignore and auto-changelog 4418183

[meta] fix package.json indentation 9ac5a5e

[Tests] migrate from travis to github actions d845d85

[Fix] sign: throw on unsupported padding scheme 8767739

[Fix] properly check the upper bound for DSA signatures 85994cd

[Tests] handle openSSL not supporting a scheme f5f17c2

[Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb

[Dev Deps] update nyc, standard, tape cc5350b

[Tests] always run coverage; downgrade nyc 75ce1d5

[meta] add safe-publish-latest dcf49ce

[Tests] add npm run posttest 75dd8fd

[Dev Deps] update tape 3aec038

[Tests] skip unsupported schemes 703c83e

[Tests] node < 6 lacks array includes 3aa43cf

[Dev Deps] fix eslint range 98d4e0d

v4.2.1 - 2020-08-04

Merged

bump elliptic [#58](https://github.com/crypto-browserify/browserify-sign/issues/58)

v4.2.0 - 2020-05-18

Merged

switch to safe buffer [#53](https://github.com/crypto-browserify/browserify-sign/issues/53)

... (truncated)

Commits

bf2c3ec v4.2.3
9247adf [patch] widen support to 0.12
f427270 [Deps] update `parse-asn1
87f3a35 [Dev Deps] update aud, npmignore, tape
fb261ce [Deps] update elliptic
4d0ee49 [patch] drop minimum node support to v1
9e2bf12 [Deps] pin hash-base to ~3.0, due to a breaking change
168e16f [Deps] pin elliptic due to a breaking change
37a4758 [actions] remove redundant finisher
4af5a90 v4.2.2
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

Switch to GitHub workflows 76abc93

Fix issue where decode throws - fixes #6 746ca5d

Update license (#1) 486d7e2

Tidelift tasks a650457

Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

a0eea46 0.2.2
980e0bf Prevent overwriting previously decoded tokens
3c8a373 0.2.1
76abc93 Switch to GitHub workflows
746ca5d Fix issue where decode throws - fixes #6
486d7e2 Update license (#1)
a650457 Tidelift tasks
66e1c28 Meta tweaks
See full diff in compare view

Updates eventsource from 1.0.7 to 1.1.2

Changelog

Sourced from eventsource's changelog.

1.1.2

Inline origin resolution, drops original dependency (#281 Espen Hovlandsdal)

1.1.1

Do not include authorization and cookie headers on redirect to different origin (#273 Espen Hovlandsdal)

1.1.0

Improve performance for large messages across many chunks (#130 Trent Willis)

Add createConnection option for http or https requests (#120 Vasily Lavrov)

Support HTTP 302 redirects (#116 Ryan Bonte)

Prevent sequential errors from attempting multiple reconnections (#125 David Patty)

Add new to correct test (#111 Stéphane Alnet)

Fix reconnections attempts now happen more than once (#136 Icy Fish)

Commits

0a8b85b 1.1.2
f99ae66 docs: update history for 1.1.2
06c9721 chore: rebuild polyfill
9494642 fix: inline origin resolution, drop original dependency (#281)
aa7a408 1.1.1
56d489e chore: rebuild polyfill
4a951e5 docs: update history for 1.1.1
f9f6416 fix: strip sensitive headers on redirect to different origin
9dd0687 1.1.0
49497ba Update history for 1.1.0 (#146)
Additional commits viewable in compare view

Updates follow-redirects from 1.5.10 to 1.15.6

Commits

35a517c Release version 1.15.6 of the npm package.
c4f847f Drop Proxy-Authorization across hosts.
8526b4a Use GitHub for disclosure.
b1677ce Release version 1.15.5 of the npm package.
d8914f7 Preserve fragment in responseUrl.
6585820 Release version 1.15.4 of the npm package.
7a6567e Disallow bracketed hostnames.
05629af Prefer native URL instead of deprecated url.parse.
1cba8e8 Prefer native URL instead of legacy url.resolve.
72bc2a4 Simplify _processResponse error handling.
Additional commits viewable in compare view

Updates bundlesize from 0.18.0 to 0.18.2

Release notes

Sourced from bundlesize's releases.

0.18.2 - Security patches

siddharthkp/bundlesize#382

Commits

0ad21b3 patch update
79e296b upgrade axios, github-build dependencies (#382)
6de086e patch release
51305d1 upgrade insecure dependencies
b00fbac Travis CI: Node.js 8 is end of life (#368)
f250e1c README: preact uses compressed-size-action (#366)
bd3852e Update FUNDING.yml
fb1731e (docs): fixed small error (#362)
58e93a3 Update README.md (#360)
0f241c8 Fixed broken link in github token missing warning (#352)
Additional commits viewable in compare view

Updates jsdom from 11.12.0 to 16.7.0

Release notes

Sourced from jsdom's releases.

Version 16.7.0

Added AbortSignal.abort(). (ninevra)

Added dummy x and y properties to the return value of getBoundingClientRect(). (eiko)

Implemented wrapping for textareaEl.value if the wrap="" attribute is specified. (ninevra)

Changed newline normalization in <textarea>s according to recent HTML Standard updates. (ninevra)

Fixed some bad cascade computation in getComputedStyle(). (romain-trotard)

Version 16.6.0

Added parentNode.replaceChildren(). (@ninevra)

Fixed jsdom's handling of when code running inside the jsdom throws null or undefined as an exception. (@mbest)

Removed the dependency on the deprecated request package, in the process fixing several issues with the XMLHttpRequest implementation around header processing. Thanks go to @tobyhinloopen, @andrewaylett, and especially @vegardbb, for completing this months-long effort!

Version 16.5.3

Fixed infinite recursion when using MutationObservers to observe elements inside a MutationObserver callback.

Version 16.5.2

Fixed Access-Control-Allow-Headers: * to work with XMLHttpRequest. (silviot)

Fixed xhr.response to strip any leading BOM when xhr.responseType is "json".

Fixed new Text() and new Comment() constructors to properly set the resulting node's ownerDocument.

Fixed customElements.whenDefined() to resolve its returned promise with the custom element constructor, per recent spec updates. (ExE-Boss)

Fixed parsing to ensure that <svg>\<template></template></svg> does not throw an exception, but instead correctly produces a SVG-namespace \<template> element.

Fixed domParser.parseFromString() to treat <noscript> elements appropriately.

Fixed form control validity checking when the control was outside the <form> element and instead associated using the form="" attribute.

Fixed legendEl.form to return the correct result based on its parent <fieldset>.

Fixed optionEl.text to exclude <script> descendants.

Fixed radio buttons and checkboxes to not fire input and change events when disconnected.

Fixed inputEl.indeterminate to reset to its previous value when canceling a click event on a checkbox or radio button.

Fixed the behavior of event handler attributes (e.g. onclick="...code...") when there were global variables named element or formOwner. (ExE-Boss)

On Node.js v14.6.0+ where WeakRefs are available, fixed NodeIterator to no longer stop working when more than ten NodeIterator instances are created, and to use less memory due to inactive NodeIterators sticking around. (ExE-Boss)

Version 16.5.1

Fixed a regression that broke customElements.get() in v16.5.0. (fdesforges)

Fixed window.event to have a setter which overwrites the window.event property with the given value, per the specification. This fixes an issue where after upgrading to jsdom v16.5.0 you would no longer be able to set a global variable named event in the jsdom context.

Version 16.5.0

Added window.queueMicrotask().

Added window.event.

Added inputEvent.inputType. (diegohaz)

Removed ondragexit from Window and friends, per a spec update.

Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)

Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.

Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)

Fixed the new File() constructor to no longer convert / to :, per a pending spec update.

Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.

Fixed <input type=checkbox> and <input type=radio> to be mutable even when disabled, per a spec update.

Fixed XMLHttpRequest to not fire a redundant final progress event if a progress event was previously fired with the same loaded value. This would usually occur with small files.

Fixed XMLHttpRequest to expose the Content-Length header on cross-origin responses.

Fixed xhr.response to return null for failures that occur during the middle of the download.

Fixed edge cases around passing callback functions or event handlers. (ExE-Boss)

Fixed edge cases around the properties of proxy-like objects such as localStorage or dataset. (ExE-Boss)

... (truncated)

Changelog

Sourced from jsdom's changelog.

16.7.0

Added AbortSignal.abort(). (ninevra)

Added dummy x and y properties to the return value of getBoundingClientRect(). (eiko)

Implemented wrapping for textareaEl.value if the wrap="" attribute is specified. (ninevra)

Changed newline normalization in <textarea>s according to recent HTML Standard updates. (ninevra)

Fixed some bad cascade computation in getComputedStyle(). (romain-trotard)

16.6.0

Added parentNode.replaceChildren(). (ninevra)

Fixed jsdom's handling of when code running inside the jsdom throws null or undefined as an exception. (mbest)

Removed the dependency on the deprecated request package, in the process fixing several issues with the XMLHttpRequest implementation around header processing. Special thanks to vegardbb for completing this months-long effort!

16.5.3

Fixed infinite recursion when using MutationObservers to observe elements inside a MutationObserver callback.

16.5.2

Fixed Access-Control-Allow-Headers: * to work with XMLHttpRequest. (silviot)

Fixed xhr.response to strip any leading BOM when xhr.responseType is "json".

Fixed new Text() and new Comment() constructors to properly set the resulting node's ownerDocument.

Fixed customElements.whenDefined() to resolve its returned promise with the custom element constructor, per recent spec updates. (ExE-Boss)

Fixed parsing to ensure that <svg>\<template></template></svg> does not throw an exception, but instead correctly produces a SVG-namespace \<template> element.

Fixed domParser.parseFromString() to treat <noscript> elements appropriately.

Fixed form control validity checking when the control was outside the <form> element and instead associated using the form="" attribute.

Fixed legendEl.form to return the correct result based on its parent <fieldset>.

Fixed optionEl.text to exclude <script> descendants.

Fixed radio buttons and checkboxes to not fire input and change events when disconnected.

Fixed inputEl.indeterminate to reset to its previous value when canceling a click event on a checkbox or radio button.

Fixed the behavior of event handler attributes (e.g. onclick="...code...") when there were global variables named element or formOwner. (ExE-Boss)

On Node.js v14.6.0+ where WeakRefs are available, fixed NodeIterator to no longer stop working when more than ten NodeIterator instances are created, and to use less memory due to inactive NodeIterators sticking around. (ExE-Boss)

16.5.1

Fixed a regression that broke customElements.get() in v16.5.0. (fdesforges)

Fixed window.event to have a setter which overwrites the window.event property with the given value, per the specification. This fixes an issue where after upgrading to jsdom v16.5.0 you would no longer be able to set a global variable named event in the jsdom context.

16.5.0

Added window.queueMicrotask().

Added window.event.

Added inputEvent.inputType. (diegohaz)

Removed ondragexit from Window and friends, per a spec update.

Fixed the URL of about:blank iframes. Previously it was getting set to the parent's URL. (SimonMueller)

Fixed the loading of subresources from the filesystem when they had non-ASCII filenames.

Fixed the hidden="" attribute to cause display: none per the user-agent stylesheet. (ph-fritsche)

Fixed the new File() constructor to no longer convert / to :, per a pending spec update.

Fixed mutation observer callbacks to be called with the MutationObserver instance as their this value.

... (truncated)

Commits

1aa3cbc Version 16.7.0
df1f551 Don't run WebSocketStream tests
eb105b2 Fix browser tests by enabling SharedArrayBuffer
0dedfc0 Fix some bad cascade computation in getComputedStyle()
8021a56 Fix "configuation" typo (#3213)
a7febe3 Fix typo in level2/html.js (#3222)
c9896c0 Return x, y properties from Element.getBoundingClientRect (#3187)
346ea98 Update web-platform tests (#3203)
364c77d Bump to ws 7.4.6
93ba6a0 We are now on Matrix (#3207)
Additional commits viewable in compare view

Updates react-scripts from 3.4.0 to 5.0.1

Changelog

Sourced from react-scripts's changelog.

3.4.4 (2020-10-20)

v3.4.4 release bumps resolve-url-loader to a version for which npm audit does not report a vulnerability. Note that this vulnerability did not affect Create React App projects, so this change is only necessary to satisfy auditing tools.

Migrating from 3.4.3 to 3.4.4

Inside any created project that has not been ejected, run:
npm install --save --save-exact [email protected]
or
yarn add --exact [email protected]
3.4.3 (2020-08-12)

v3.4.3 release bumps terser-webpack-plugin to a version for which npm audit does not report a vulnerability. Note that this vulnerability did not affect Create React App projects, so this change is only necessary to satisfy auditing tools.

Migrating from 3.4.2 to 3.4.3

Inside any created project that has not been ejected, run:
npm install --save --save-exact [email protected]
or
yarn add --exact [email protected]
3.4.2 (2020-08-11)

v3.4.2 release bumps webpack-dev-server to a version for which npm audit does not report a vulnerability. Note that this vulnerability did not affect Create React App projects, so this change is only necessary to satisfy auditing tools.

Migrating from 3.4.1 to 3.4.2

Inside any created project that has not been ejected, run:
npm install --save --save-exact [email protected]
or

... (truncated)

Commits

19fa58d Publish
9802941 fix: webpack noise printed only if error or warning (#12245)
2eef1d0 Update templates to use React 18 createRoot (#12220)
221e511 Publish
5614c87 Add support for Tailwind (#11717)
20edab4 fix(webpackDevServer): disable overlay for warnings (#11413)
3afbbc0 Update all dependencies (#11624)
f5467d5 feat(eslint-config-react-app): support ESLint 8.x (#11375)
c7627ce Update webpack and dev server (#11646)
544befe Update package.json (#11597)
Additional commits viewable in compare view

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (

Bumps the npm_and_yarn group with 17 updates in the / directory: | Package | From | To | | --- | --- | --- | | [moment](https://github.com/moment/moment) | `2.24.0` | `2.29.4` | | [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) | `7.7.4` | `7.24.0` | | [async](https://github.com/caolan/async) | `2.6.3` | `2.6.4` | | [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.0.4` | `4.2.3` | | [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) | `0.2.0` | `0.2.2` | | [eventsource](https://github.com/EventSource/eventsource) | `1.0.7` | `1.1.2` | | [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.5.10` | `1.15.6` | | [bundlesize](https://github.com/siddharthkp/bundlesize) | `0.18.0` | `0.18.2` | | [jsdom](https://github.com/jsdom/jsdom) | `11.12.0` | `16.7.0` | | [react-scripts](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-scripts) | `3.4.0` | `5.0.1` | | [lodash-es](https://github.com/lodash/lodash) | `4.17.15` | `4.17.21` | | [minimatch](https://github.com/isaacs/minimatch) | `3.0.4` | `3.0.8` | | [minimist](https://github.com/minimistjs/minimist) | `1.2.5` | `1.2.8` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.5.3` | `4.7.8` | | [qs](https://github.com/ljharb/qs) | `6.5.2` | `6.5.3` | | [shell-quote](https://github.com/ljharb/shell-quote) | `1.7.2` | `1.8.1` | | [ua-parser-js](https://github.com/faisalman/ua-parser-js) | `0.7.20` | `0.7.37` | Updates `moment` from 2.24.0 to 2.29.4 - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md) - [Commits](moment/moment@2.24.0...2.29.4) Updates `@babel/traverse` from 7.7.4 to 7.24.0 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.24.0/packages/babel-traverse) Updates `async` from 2.6.3 to 2.6.4 - [Release notes](https://github.com/caolan/async/releases) - [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md) - [Commits](caolan/async@v2.6.3...v2.6.4) Updates `browserify-sign` from 4.0.4 to 4.2.3 - [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md) - [Commits](browserify/browserify-sign@v4.0.4...v4.2.3) Updates `decode-uri-component` from 0.2.0 to 0.2.2 - [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases) - [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2) Updates `eventsource` from 1.0.7 to 1.1.2 - [Changelog](https://github.com/EventSource/eventsource/blob/master/HISTORY.md) - [Commits](EventSource/eventsource@v1.0.7...v1.1.2) Updates `follow-redirects` from 1.5.10 to 1.15.6 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.5.10...v1.15.6) Updates `bundlesize` from 0.18.0 to 0.18.2 - [Release notes](https://github.com/siddharthkp/bundlesize/releases) - [Commits](siddharthkp/bundlesize@v0.18.0...v0.18.2) Updates `jsdom` from 11.12.0 to 16.7.0 - [Release notes](https://github.com/jsdom/jsdom/releases) - [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md) - [Commits](jsdom/jsdom@11.12.0...16.7.0) Updates `react-scripts` from 3.4.0 to 5.0.1 - [Release notes](https://github.com/facebook/create-react-app/releases) - [Changelog](https://github.com/facebook/create-react-app/blob/main/CHANGELOG-3.x.md) - [Commits](https://github.com/facebook/create-react-app/commits/[email protected]/packages/react-scripts) Updates `json5` from 1.0.1 to 1.0.2 - [Release notes](https://github.com/json5/json5/releases) - [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md) - [Commits](json5/json5@v1.0.1...v1.0.2) Updates `loader-utils` from 1.2.3 to 2.0.4 - [Release notes](https://github.com/webpack/loader-utils/releases) - [Changelog](https://github.com/webpack/loader-utils/blob/v2.0.4/CHANGELOG.md) - [Commits](webpack/loader-utils@v1.2.3...v2.0.4) Updates `lodash-es` from 4.17.15 to 4.17.21 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.15...4.17.21) Updates `minimatch` from 3.0.4 to 3.0.8 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.0.4...v3.0.8) Updates `minimist` from 1.2.5 to 1.2.8 - [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md) - [Commits](minimistjs/minimist@v1.2.5...v1.2.8) Updates `handlebars` from 4.5.3 to 4.7.8 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.8/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.5.3...v4.7.8) Updates `node-forge` from 0.9.0 to 1.3.1 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@0.9.0...v1.3.1) Updates `postcss` from 7.0.18 to 7.0.39 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/7.0.39/CHANGELOG.md) - [Commits](postcss/postcss@7.0.18...7.0.39) Updates `qs` from 6.5.2 to 6.5.3 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.5.2...v6.5.3) Updates `shell-quote` from 1.7.2 to 1.8.1 - [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md) - [Commits](ljharb/shell-quote@v1.7.2...v1.8.1) Updates `ua-parser-js` from 0.7.20 to 0.7.37 - [Release notes](https://github.com/faisalman/ua-parser-js/releases) - [Changelog](https://github.com/faisalman/ua-parser-js/blob/master/CHANGELOG.md) - [Commits](faisalman/ua-parser-js@0.7.20...0.7.37) --- updated-dependencies: - dependency-name: moment dependency-type: direct:production dependency-group: npm_and_yarn-security-group - dependency-name: "@babel/traverse" dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: async dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: browserify-sign dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: decode-uri-component dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: eventsource dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: follow-redirects dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: bundlesize dependency-type: direct:development dependency-group: npm_and_yarn-security-group - dependency-name: jsdom dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: react-scripts dependency-type: direct:development dependency-group: npm_and_yarn-security-group - dependency-name: json5 dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: loader-utils dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: lodash-es dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: minimatch dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: minimist dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: handlebars dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: node-forge dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: postcss dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: qs dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: shell-quote dependency-type: indirect dependency-group: npm_and_yarn-security-group - dependency-name: ua-parser-js dependency-type: indirect dependency-group: npm_and_yarn-security-group ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added the dependencies Pull requests that update a dependency file label Mar 18, 2024

dependabot bot mentioned this pull request Mar 18, 2024

Bump the npm_and_yarn group across 1 directory with 19 updates #2

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 1 directory with 21 updates #3

Bump the npm_and_yarn group across 1 directory with 21 updates #3

dependabot bot commented on behalf of github Mar 18, 2024

Bump the npm_and_yarn group across 1 directory with 21 updates #3

Are you sure you want to change the base?

Bump the npm_and_yarn group across 1 directory with 21 updates #3

Conversation

dependabot bot commented on behalf of github Mar 18, 2024

2.29.4

2.29.3 Full changelog

2.29.2 See full changelog

2.29.1 See full changelog

2.29.0 See full changelog

2.28.0 See full changelog

2.27.0 See full changelog

2.26.0 See full changelog

v7.24.0 (2024-02-28)

🚀 New Feature

🐛 Bug Fix

💅 Polish

🏠 Internal

v7.24.0 (2024-02-28)

🚀 New Feature

🐛 Bug Fix

💅 Polish

🏠 Internal

🔬 Output optimization

v2.6.4

v4.2.3 - 2024-03-05

Commits

v4.2.2 - 2023-10-25

Fixed

Commits

v4.2.1 - 2020-08-04

Merged

v4.2.0 - 2020-05-18

Merged

v0.2.2

v0.2.1

1.1.2

1.1.1

1.1.0

0.18.2 - Security patches

Version 16.7.0

Version 16.6.0

Version 16.5.3

Version 16.5.2

Version 16.5.1

Version 16.5.0

16.7.0

16.6.0

16.5.3

16.5.2

16.5.1

16.5.0

3.4.4 (2020-10-20)

Migrating from 3.4.3 to 3.4.4

3.4.3 (2020-08-12)

Migrating from 3.4.2 to 3.4.3

3.4.2 (2020-08-11)

Migrating from 3.4.1 to 3.4.2

v1.0.2

Unreleased [code, diff]

v2.2.3 [code, diff]

v2.2.2 [code, diff]