chore(deps): bump the npm_and_yarn group across 3 directories with 16 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: braces and micromatch.
Bumps the npm_and_yarn group with 4 updates in the /infra directory: braces, micromatch, @babel/traverse and tar.
Bumps the npm_and_yarn group with 12 updates in the /web directory:

Package	From	To
braces	3.0.2	3.0.3
micromatch	4.0.5	4.0.8
@babel/traverse	7.22.8	7.25.7
dompurify	2.4.6	2.5.4
sanitize-html	2.11.0	2.12.1
@adobe/css-tools	4.3.1	4.4.0
ejs	3.1.9	3.1.10
express	4.18.2	4.21.1
follow-redirects	1.15.2	1.15.9
rollup	2.79.1	2.79.2
webpack-dev-middleware	5.3.3	5.3.4
webpack	5.88.1	5.95.0

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates @babel/traverse from 7.22.8 to 7.25.7

Release notes

Sourced from @​babel/traverse's releases.

v7.25.7 (2024-10-02)

Thanks @​DylanPiercey and @​YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@​JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@​DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@​nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@​nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@​nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@​nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@​liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@​nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@​JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@​nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@​liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @​babel/types builders (@​liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@​nicolo-ribaudo)

Committers: 8

• Babel Bot (@​babel-bot)
• Dylan Piercey (@​DylanPiercey)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• coderaiser (@​coderaiser)
• fisker Cheung (@​fisker)
• hwook (@​YuHyeonWook)

v7.25.6 (2024-08-29)

Thanks @​j4k0xb for your first PR!

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.25.7 (2024-10-02)

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@​JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@​DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@​nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@​nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@​nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@​nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@​liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@​nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@​JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@​nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@​liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @​babel/types builders (@​liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@​nicolo-ribaudo)

v7.25.6 (2024-08-29)

🐛 Bug Fix

• babel-generator
  • #16783 Properly print inner comments in TS array types (@​nicolo-ribaudo)
  • #16775 fix: jsx whitespace is not properly preserved when retainLines (@​liuxingbaoyu)
• babel-traverse
  • #16727 fix: path.getAssignmentIdentifiers may be undefined (@​liuxingbaoyu)
• babel-parser
  • #16761 fix: improve static canFollowModifier checks (@​JLHwung)
• babel-helpers, babel-plugin-transform-optional-chaining, babel-runtime-corejs3
  • #16769 Only wrap functions in superPropertyGet helper (@​nicolo-ribaudo)

💅 Polish

• babel-generator, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-named-capturing-groups-regex, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx, babel-plugin-transform-react-pure-annotations, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • #16780 Do not enforce printing space between ( and comments (@​nicolo-ribaudo)

... (truncated)

Commits

• 2533cfb v7.25.7
• 611d958 [babel 8] Create TSClassImplements|TSInterfaceHeritage nodes (#16731)
• 506bf91 Remove BABEL_TYPES_8_BREAKING flag and enable it by default (#16817)
• 9e14f7d chore: Enable more lint rules (#16827)
• e69a7e5 fix: issue with node path keys updated on unrelated paths (#16814)
• 7467c9d [Babel 8] Remove some Scope methods (#16705)
• 0a55713 [Babel 8] Remove DecimalLiteral AST (#16807)
• 69d65f1 [babel 8] Require Node.js ^18.20.0 || ^20.17.0 || >=22.8.0 (#16800)
• 2f72b97 v7.25.6
• faceae9 fix: path.getAssignmentIdentifiers may be undefined (#16727)
• Additional commits viewable in compare view

Updates tar from 6.1.15 to 6.2.1

Changelog

Sourced from tar's changelog.

Changelog

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

• Add support for brotli compression
• Add maxDepth option to prevent extraction into excessively deep folders.

6.1

• remove dead link to benchmarks (#313) (@​yetzt)
• add examples/explanation of using tar.t (@​isaacs)
• ensure close event is emited after stream has ended (@​webark)

... (truncated)

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• 5bc9d40 6.2.0
• fe1ef5e changelog 6.2
• e483220 get rid of npm lint stuff
• 689928a ci that works outside of npm org
• db6f539 file inference improvements for .tbr and .tgz
• 336fa8f refactor: dry and other pr comments
• eeba222 chore: lint fixes
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates @babel/traverse from 7.22.8 to 7.25.7

Release notes

Sourced from @​babel/traverse's releases.

v7.25.7 (2024-10-02)

Thanks @​DylanPiercey and @​YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@​JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@​DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@​nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@​nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@​nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@​nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@​liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@​nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@​JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@​nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@​liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @​babel/types builders (@​liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@​nicolo-ribaudo)

Committers: 8

• Babel Bot (@​babel-bot)
• Dylan Piercey (@​DylanPiercey)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• coderaiser (@​coderaiser)
• fisker Cheung (@​fisker)
• hwook (@​YuHyeonWook)

v7.25.6 (2024-08-29)

Thanks @​j4k0xb for your first PR!

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.25.7 (2024-10-02)

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@​JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@​DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@​nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@​nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@​nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@​nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@​liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@​nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@​JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@​nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@​liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @​babel/types builders (@​liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@​nicolo-ribaudo)

v7.25.6 (2024-08-29)

🐛 Bug Fix

• babel-generator
  • #16783 Properly print inner comments in TS array types (@​nicolo-ribaudo)
  • #16775 fix: jsx whitespace is not properly preserved when retainLines (@​liuxingbaoyu)
• babel-traverse
  • #16727 fix: path.getAssignmentIdentifiers may be undefined (@​liuxingbaoyu)
• babel-parser
  • #16761 fix: improve static canFollowModifier checks (@​JLHwung)
• babel-helpers, babel-plugin-transform-optional-chaining, babel-runtime-corejs3
  • #16769 Only wrap functions in superPropertyGet helper (@​nicolo-ribaudo)

💅 Polish

• babel-generator, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-named-capturing-groups-regex, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx, babel-plugin-transform-react-pure-annotations, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • #16780 Do not enforce printing space between ( and comments (@​nicolo-ribaudo)

... (truncated)

Commits

• 2533cfb v7.25.7
• 611d958 [babel 8] Create TSClassImplements|TSInterfaceHeritage nodes (#16731)
• 506bf91 Remove BABEL_TYPES_8_BREAKING flag and enable it by default (#16817)
• 9e14f7d chore: Enable more lint rules (#16827)
• e69a7e5 fix: issue with node path keys updated on unrelated paths (#16814)
• 7467c9d [Babel 8] Remove some Scope methods (#16705)
• 0a55713 [Babel 8] Remove DecimalLiteral AST (#16807)
• 69d65f1 [babel 8] Require Node.js ^18.20.0 || ^20.17.0 || >=22.8.0 (#16800)
• 2f72b97 v7.25.6
• faceae9 fix: path.getAssignmentIdentifiers may be undefined (#16727)
• Additional commits viewable in compare view

Updates dompurify from 2.4.6 to 2.5.4

Release notes

Sourced from dompurify's releases.

DOMPurify 2.5.4

• Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
• Fixed the tests for MSIE and fixed related test-runner

DOMPurify 2.5.3

• Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
• Added better configurability for comment scrubbing default behavior
• Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
• Fixed some smaller issues in README and other documentation

DOMPurify 2.5.2

• Addressed and fixed a mXSS variation found by @​kevin-mizu
• Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
• Updated tests for older Safari and Chrome versions

DOMPurify 2.5.1

• Fixed an mXSS sanitizer bypass reported by @​icesfont
• Added new code to track element nesting depth
• Added new code to enforce a maximum nesting depth of 255
• Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 2.5.0

• Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
• Updated the LICENSE file to show the accurate year number
• Updated several build and test dependencies

DOMPurify 2.4.9

• Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
• Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

DOMPurify 2.4.8

• Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

DOMPurify 2.4.7

• Fixed a licensing issue spotted and reported by @​george-thomas-hill

Commits

• 10c1261 docs: Updated README ever so slightly
• 1c92880 test: Fixed two more tests for MSIE11 and Edge 18
• 1401208 test: Fixed more tests for MSIE and Edge 18
• 2c6410a test: Fixed several new tests for MSIE11 and Edge 18
• 2c9bca9 test: Changed github config to include MSIE tests for 2.x
• b188787 chore: Preparing 2.5.4 release
• 707b3d6 fix: Added a better for for the MSIE iNaN issue
• 62fe3be test: Attempting to get MSIE 11 back into the browser test array
• f3a9710 fix: Fixed an issue with MSIE and no support for Number.isNaN
• e1ddfc7 Merge branch '2.x' of github.com:cure53/DOMPurify into 2.x
• Additional commits viewable in compare view

Updates sanitize-html from 2.11.0 to 2.12.1

Changelog

Sourced from sanitize-html's changelog.

2.12.1 (2024-02-22)

• Do not parse sourcemaps in post-css. This fixes a vulnerability in which information about the existence or non-existence of files on a server could be disclosed via properly crafted HTML input when the style attribute is allowed by the configuration. Thanks to the Snyk Security team for the disclosure and to Dylan Armstrong for the fix.

2.12.0 (2024-02-21)

• Introduced the allowedEmptyAttributes option, enabling explicit specification of empty string values for select attributes, with the default attribute set to alt. Thanks to Na for the contribution.

• Clarified the use of SVGs with a new test and changes to documentation. Thanks to Gauav Kumar for the contribution.

• Do not process source maps when processing style tags with PostCSS.

Commits

• 4a7d7dd Merge pull request #654 from apostrophecms/release-2.12.1
• f8e02be release 2.12.1
• c5dbdf7 Merge pull request #650 from dylanarmstrong/fix/ignore-source-maps
• 5a5a74e Merge pull request #652 from apostrophecms/add-thanks-to-changelog
• ee71ff0 Add community contribution thanks you
• a226fe7 Merge pull request #651 from apostrophecms/release-2.12.0
• ff18600 release 2.12.0
• 1e2294c test: added test for postcss map
• c376501 doc: update changelog
• 075499d fix: ignore source maps when processing with postcss
• Additional commits viewable in compare view

Updates @adobe/css-tools from 4.3.1 to 4.4.0

Changelog

Sourced from @​adobe/css-tools's changelog.

4.4.0 / 2024-06-05

• add support for @​starting-style #319

4.3.3 / 2024-01-24

• Update export property #271

4.3.2 / 2023-11-28

• Fix redos vulnerability with specific crafted css string - CVE-2023-48631
• Fix Problem parsing with :is() and nested :nth-child() #211

Commits

• See full diff in compare view

Updates ejs from 3.1.9 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

Commits

• d3f807d Version 3.1.10
• 9ee26dd Mocha TDD
• e469741 Basic pollution protection
• 715e950 Merge pull request #756 from Jeffrey-mu/main
• cabe314 Include advanced usage examples
• 29b076c Added header
• 11503c7 Merge branch 'main' of github.com:mde/ejs into main
• 7690404 Added security banner to README
• f47d7ae Update SECURITY.md
• 828cea1 Update SECURITY.md
• Additional commits viewable in compare view

Updates express from 4.18.2 to 4.21.1

Release notes

Sourced from express's releases.

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (pre...

  Description has been truncated