Bump the npm_and_yarn group across 1 directory with 28 updates #1

dependabot · 2025-03-31T18:55:09Z

Bumps the npm_and_yarn group with 25 updates in the / directory:

Package	From	To
axios	`0.18.1`	`0.30.0`
bootstrap	`4.3.1`	`5.0.0`
crypto-js	`3.1.9-1`	`4.2.0`
elliptic	`6.5.1`	`6.6.1`
gh-pages	`1.2.0`	`5.0.0`
jquery	`3.4.1`	`3.5.0`
lodash	`4.17.15`	`4.17.21`
moment	`2.24.0`	`2.29.4`
qs	`6.9.0`	`6.9.7`
semver	`6.0.0`	`6.3.1`
@babel/helpers	`7.7.0`	`7.27.0`
@babel/traverse	`7.7.2`	`7.27.0`
browserify-sign	`4.0.4`	`4.2.3`
decode-uri-component	`0.2.0`	`0.2.2`
eventsource	`1.0.7`	`1.1.2`
express	`4.17.1`	`4.21.2`
fsevents	`1.2.9`	`1.2.13`
get-func-name	`2.0.0`	`2.0.2`
lodash-es	`4.17.15`	`4.17.21`
socket.io-parser	`3.3.0`	`3.3.4`
tree-kill	`1.2.1`	`1.2.2`
ua-parser-js	`0.7.20`	`0.7.40`
urijs	`1.19.2`	`1.19.11`
url-parse	`1.4.7`	`1.5.10`
word-wrap	`1.2.3`	`1.2.5`

Updates axios from 0.18.1 to 0.30.0

Release notes

Sourced from axios's releases.

Release v0.30.0

Release notes:

Bug Fixes

fix: modify log while request is aborted by @mori5321 in axios/axios#4917

fix: update CHANGELOG.md for v0.x by @TehZarathustra in axios/axios#6271

fix: modify upgrade guide for 0.28.1's breaking change by @nafeger in axios/axios#6787

fix: backport allowAbsoluteUrls vulnerability fix to v0.x by @thatguyinabeanie in axios/axios#6829

fix: add allowAbsoluteUrls type by @thatguyinabeanie in axios/axios#6849

Contributors to this release

@mori5321 made their first contribution in axios/axios#4917

@TehZarathustra made their first contribution in axios/axios#6271

@nafeger made their first contribution in axios/axios#6787

@thatguyinabeanie made their first contribution in axios/axios#6829

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Release notes:

Bug Fixes

fix(backport): backport security fixes in commits #6167 and #6163 to v0.x by @Sean-Powell in axios/axios#6402

fix: omit nulls in params by @Willshaw in axios/axios#6394

fix(backport): fix paramsSerializer function validation by @solonzhu in axios/axios#6361

fix: Regular Expression Denial of Service (ReDoS) by @qiongshusheng in axios/axios#6708

Contributors to this release

@Sean-Powell made their first contribution in axios/axios#6402

@Willshaw made their first contribution in axios/axios#6394

@solonzhu made their first contribution in axios/axios#6361

@qiongshusheng made their first contribution in axios/axios#6708

Release v0.28.1

Release notes:

Release notes:

Bug Fixes

fix(backport): custom params serializer support (#6263)

fix(backport): uncaught ReferenceError req is not defined (#6307)

Release v0.28.0

Release notes:

Bug Fixes

fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)

Fixing content-type header repeated #4745

... (truncated)

Changelog

Sourced from axios's changelog.

0.30.0 (2025-03-26)

Release notes:

Bug Fixes

fix: modify log while request is aborted (#4917)

fix: update CHANGELOG.md for v0.x (#6271)

fix: modify upgrade guide for 0.28.1's breaking change (#6787)

fix: backport allowAbsoluteUrls vulnerability fix to v0.x (#6829)

fix: add allowAbsoluteUrls type (#6849)

0.29.0 (2024-11-21)

Release notes:

Bug Fixes

fix(backport): backport security fixes in commits #6167 and #6163 (#6402)

fix: omit nulls in params (#6394)

fix(backport): fix paramsSerializer function validation (#6361)

fix: regular expression denial of service (ReDoS) (#6708)

0.28.1 (2024-03-24)

Release notes:

Bug Fixes

fix(backport): custom params serializer support (#6263)

fix(backport): uncaught ReferenceError req is not defined (#6307)

0.28.0 (2024-02-12)

Release notes:

Bug Fixes

fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#6091)

Backports from v1.x:

Allow null indexes on formSerializer and paramsSerializer v0.x (#4961)

Fixing content-type header repeated (#4745)

Fixed timeout error message for HTTP (#4738)

Added axios.formToJSON method (#4735)

URL params serializer (#4734)

Fixed toFormData Blob issue on node>v17 (#4728)

Adding types for progress event callbacks (#4675)

Fixed max body length defaults (#4731)

... (truncated)

Commits

6e922e4 chore: added build artifacts
a06ed1e chore: added pre-release artifacts
c010622 feat: add type for allowAbsoluteUrls (#6849)
02c3c69 fix: backport allowAbsoluteUrls vuln fix to v0.x (#6829)
8603e67 docs: modify upgrade guide for 0.28.1's breaking change (#6787)
f0642ee fix(docs): update CHANGELOG.md for v0.x (#6271)
0630c32 fix: modify log while request is aborted (#4917)
7750b8c chore(release): prep release v0.29.0
4840cb2 fix: regular expression denial of service issues (#6708)
2e36cdb fix(backport): fix paramsSerializer function validation (#6361)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jasonsaayman, a new releaser for axios since your current version.

Updates bootstrap from 4.3.1 to 5.0.0

Release notes

Sourced from bootstrap's releases.

v5.0.0

Highlights

#32155: Updated make-col() mixin to generate equal columns when no size is specified #32763: Added new color-scheme() mixin #33389: Dropdown menus now have option become clickable #33453: Added new docs footer #33548: Offcanvas header components are now vertically aligned #33549: Added offcanvas-top modifier #33634: Added support for .dropdown-items wrapped in <li>s #33626: Fix v5 regressions in tab dropdown functionality

🚀 Features

#32763: Add color-scheme mixin

#33389: Dropdown — Add option to make the dropdown menu clickable

#33549: Add offcanvas-top modifier

🎨 CSS

#32155: Add equal column mixin

#32763: Add color-scheme mixin

#33292: Make accordion icon rotation more natural

#33411: Fix validation feedback icon in select multiple

#33478: Make .nav-link color consistent when using buttons

#33482: Dropdown — Apply positioning only when Popper is not used

#33548: Vertically align offcanvas header components

#33549: Add offcanvas-top modifier

#33550: Spinner alignment changes

#33598: Hide validation icons from multiple selects

#33600: Have $form-check-input-border's default derive from $black

#33607: Reduce color-scheme complexity

#33642: use :read-only css selector instead [readonly] for consistency

#33658: fix: use list-group variable instead of alert

#33736: accordion: fix border-top on Firefox

☕️ JavaScript

#32439: Decouple BackDrop from modal

#33245: Decouple Modal's scrollbar functionality

#33249: Simplify Modal Config

#33250: Simplify ScrollSpy config

#33310: fix: make EventHandler better handle mouseenter/mouseleave events

#33389: Dropdown — Add option to make the dropdown menu clickable

#33429: Remove element event listeners through base component

#33451: Add missing things in hide method of dropdown

#33456: Use our isDisabled util on dropdown

#33466: Refactor dropdown's hide functionality

#33479: Fix dropdown escape propagation

#33496: Use cached noop function

... (truncated)

Commits

bf09367 Release v5.0.0 (#33647)
48ae5a7 Rewrite migration guide (#33834)
f086572 refactor(docs): Added form file input variables (#33833)
1a54286 Fix doc typo and Bootstrap Icons link (#33832)
e2df73f Update migration guide for some v5 changes (#33829)
1e6356a Neutralise more words from placeholder text (#33731)
6633845 Bump eslint-config-xo from 0.35.0 to 0.36.0 (#33646)
cb38744 Tweak toast docs (#33810)
c2ff225 Bump rollup from 2.46.0 to 2.47.0 (#33818)
c090ea2 Bump @babel/preset-env from 7.14.0 to 7.14.1 (#33819)
Additional commits viewable in compare view

Updates crypto-js from 3.1.9-1 to 4.2.0

Commits

808f499 Merge branch 'release/4.2.0'
d5af3ae Update release notes.
9496e07 Bump version.
421dd53 Change default hash algorithm and iteration's for PBKDF2 to prevent weak secu...
d1f4f4d Update grunt.
c755289 Discontinued
1da3dab Discontinued
4dcaa7a Merge pull request #380 from Alanscut/dev
762feb2 chore: rename BF to Blowfish
fb81418 feat: blowfish support
Additional commits viewable in compare view

Updates elliptic from 6.5.1 to 6.6.1

Commits

9b77436 6.6.1
04cb6f5 Merge commit from fork
b8a7edd 6.6.0
34c8534 fix: signature verification due to leading zeros
3e46a48 6.5.7
accb61e lib: DER signature decoding correction
03e06e1 6.5.6
7ac5360 Merge commit from fork
7570078 6.5.5
206da2e lib: lint
Additional commits viewable in compare view

Updates gh-pages from 1.2.0 to 5.0.0

Release notes

Sourced from gh-pages's releases.

v5.0.0

Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.

Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.

What's Changed

Assorted updates by @tschaub in tschaub/gh-pages#452

Update README to clarify project site configuration requirements with tools like CRA, webpack, Vite, etc. by @Nezteb in tschaub/gh-pages#445

Bump actions/checkout from 2 to 3 by @dependabot in tschaub/gh-pages#453

Bump actions/setup-node from 1 to 3 by @dependabot in tschaub/gh-pages#455

Bump email-addresses from 3.0.1 to 5.0.0 by @dependabot in tschaub/gh-pages#454

Bump async from 2.6.4 to 3.2.4 by @dependabot in tschaub/gh-pages#459

Remove quotation marks by @Vicropht in tschaub/gh-pages#438

New Contributors

@Nezteb made their first contribution in tschaub/gh-pages#445

@Vicropht made their first contribution in tschaub/gh-pages#438

Full Changelog: tschaub/gh-pages@v4.0.0...v5.0.0

v4.0.0

This release doesn't include any breaking changes, but due to updated development dependencies, tests are no longer run on Node 10.

What's Changed

Bump minimist from 1.2.5 to 1.2.6 by @dependabot in tschaub/gh-pages#423

Bump async from 2.6.1 to 2.6.4 by @dependabot in tschaub/gh-pages#427

Bump path-parse from 1.0.6 to 1.0.7 by @dependabot in tschaub/gh-pages#431

Bump ansi-regex from 3.0.0 to 3.0.1 by @dependabot in tschaub/gh-pages#430

Updated dev dependencies and formatting by @tschaub in tschaub/gh-pages#432

Full Changelog: tschaub/gh-pages@v3.2.3...v4.0.0

v3.2.3

#398 - Update glob-parent (@tschaub)

#395 - Switch from filenamify-url to filenamify (@tw0517tw)

v3.0.0

Breaking changes:

None really. But tests are no longer run on Node < 10. Development dependencies were updated to address security warnings, and this meant tests could no longer be run on Node 6 or 8. If you still use these Node versions, you may still be able to use this library, but be warned that tests are no longer run on these versions.

All changes:

#357 - Dev dependency updates (@tschaub)

#333 - Update readme with command line options (@Victoire44)

#356 - Test as a GitHub action (@tschaub)

#355 - feat(beforeAdd): allow custom script before git add (@Xiphe)

#336 - Fix remove not working properly (@sunghwan2789)

#328 - Update .travis.yml (@XhmikosR)

... (truncated)

Changelog

Sourced from gh-pages's changelog.

v5.0.0

Potentially breaking change: the publish method now always returns a promise. Previously, it did not return a promise in some error cases. This should not impact most users.

Updates to the development dependencies required a minimum Node version of 14 for the tests. The library should still work on Node 12, but tests are no longer run in CI for version 12. A future major version of the library may drop support for version 12 altogether.

#438 - Remove quotation marks (@Vicropht)

#459 - Bump async from 2.6.4 to 3.2.4 (@tschaub)

#454 - Bump email-addresses from 3.0.1 to 5.0.0 (@tschaub)

#455 - Bump actions/setup-node from 1 to 3 (@tschaub)

#453 - Bump actions/checkout from 2 to 3 (@tschaub)

#445 - Update README to clarify project site configuration requirements with tools like CRA, webpack, Vite, etc. (@Nezteb)

#452 - Assorted updates (@tschaub)

v4.0.0

This release doesn't include any breaking changes, but due to updated development dependencies, tests are no longer run on Node 10.

#432 - Updated dev dependencies and formatting (@tschaub)

#430 - Bump ansi-regex from 3.0.0 to 3.0.1 (@tschaub)

#431 - Bump path-parse from 1.0.6 to 1.0.7 (@tschaub)

#427 - Bump async from 2.6.1 to 2.6.4 (@tschaub)

#423 - Bump minimist from 1.2.5 to 1.2.6 (@tschaub)

v3.2.3

#398 - Update glob-parent (@tschaub)

#395 - Switch from filenamify-url to filenamify (@tw0517tw)

v3.2.2

#396 - Revert "security(deps): bump filenamify-url to 2.1.1" (@tschaub)

v3.2.1

#393 - security(deps): bump filenamify-url to 2.1.1 (@AviVahl)

v3.2.0

This release updates a few development dependencies and adds a bit of documentation.

#391 - Update dev dependencies (@tschaub)

#375 - Add note about domain problem (@demee)

#390 - Fix little typo in the README (@cizordj)

#388 - Bump hosted-git-info from 2.8.8 to 2.8.9 (@tschaub)

#387 - Bump y18n from 4.0.0 to 4.0.3 (@tschaub)

#378 - Add GitHub Actions tips to readme.md (@mickelsonmichael)

#386 - Bump lodash from 4.17.14 to 4.17.21 (@tschaub)

... (truncated)

Commits

f729b97 5.0.0
51534c7 Log changes
ace063b Merge pull request #438 from Vicropht/patch-1
58e54be Merge pull request #459 from tschaub/dependabot/npm_and_yarn/async-3.2.4
2189df3 Bump async from 2.6.4 to 3.2.4
051846e Merge pull request #454 from tschaub/dependabot/npm_and_yarn/email-addresses-...
5c91c67 Merge pull request #455 from tschaub/dependabot/github_actions/actions/setup-...
fe0ad83 Merge pull request #453 from tschaub/dependabot/github_actions/actions/checko...
b89287d Merge pull request #445 from Nezteb/patch-1
e890bd1 Bump email-addresses from 3.0.1 to 5.0.0
Additional commits viewable in compare view

Updates jquery from 3.4.1 to 3.5.0

Release notes

Sourced from jquery's releases.

jQuery 3.5.0 Released!

See the blog post: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ and the upgrade guide: https://jquery.com/upgrade-guide/3.5/

NOTE: Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue ( CVE-2020-11022). Please follow the blog post & the upgrade guide for more details.

Commits

7a0a850 3.5.0
8570a08 Release: Update AUTHORS.txt
da3dd85 Ajax: Do not execute scripts for unsuccessful HTTP responses
065143c Ajax: Overwrite s.contentType with content-type header value, if any
1a4f10d Tests: Blacklist one focusin test in IE
9e15d6b Event: Use only one focusin/out handler per matching window & document
966a709 Manipulation: Skip the select wrapper for <option> outside of IE 9
1d61fd9 Manipulation: Make jQuery.htmlPrefilter an identity function
04bf577 Selector: Update Sizzle from 2.3.4 to 2.3.5
7506c9c Build: Resolve Travis config warnings
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mgol, a new releaser for jquery since your current version.

Updates lodash from 4.17.15 to 4.17.21

Commits

f299b52 Bump to v4.17.21
c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
3469357 Prevent command injection through _.template's variable option
ded9bc6 Bump to v4.17.20.
63150ef Documentation fixes.
00f0f62 test.js: Remove trailing comma.
846e434 Temporarily use a custom fork of lodash-cli.
5d046f3 Re-enable Travis tests on 4.17 branch.
aa816b3 Remove /npm-package.
d7fbc52 Bump to v4.17.19
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates moment from 2.24.0 to 2.29.4

Changelog

Sourced from moment's changelog.

2.29.4

Release Jul 6, 2022

#6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

Release Apr 17, 2022

#5995 [bugfix] Remove const usage

#5990 misc: fix advisory link

2.29.2 See full changelog

Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

2.29.1 See full changelog

Release Oct 6, 2020

Updated deprecation message, bugfix in hi locale

2.29.0 See full changelog

Release Sept 22, 2020

New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

2.28.0 See full changelog

Release Sept 13, 2020

Fix bug where .format() modifies original instance, and locale updates

2.27.0 See full changelog

Release June 18, 2020

Added Turkmen locale, other locale improvements, slight TypeScript fixes

2.26.0 See full changelog

Release May 19, 2020

... (truncated)

Commits

000ac18 Build 2.24.4
f2006b6 Bump version to 2.24.4
536ad0c Update changelog for 2.29.4
9a3b589 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
6374fd8 Merge branch 'master' into develop
b4e6153 Revert "[bugfix] Fix redos in preprocessRFC2822 regex (#6015)"
7aebb16 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
57c9062 Build 2.29.3
aaf50b6 Fixup release complaints
26f4aef Bump version to 2.29.3
Additional commits viewable in compare view

Updates qs from 6.9.0 to 6.9.7

Changelog

Sourced from qs's changelog.

6.9.7

[Fix] parse: ignore __proto__ keys (#428)

[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)

[Robustness] stringify: avoid relying on a global undefined (#427)

[readme] remove travis badge; add github actions/codecov badges; update URLs

[Docs] add note and links for coercing primitive values (#408)

[Tests] clean up stringify tests slightly

[meta] fix README.md (#399)

Revert "[meta] ignore eclint transitive audit warning"

[actions] backport actions from main

[Dev Deps] backport updates from main

6.9.6

[Fix] restore dist dir; mistakenly removed in d4f6c32

6.9.5

[Fix] stringify: do not encode parens for RFC1738

[Fix] stringify: fix arrayFormat comma with empty array/objects (#350)

[Refactor] format: remove util.assign call

[meta] add "Allow Edits" workflow; update rebase workflow

[actions] switch Automatic Rebase workflow to pull_request_target event

[Tests] stringify: add tests for #378

[Tests] migrate tests to Github Actions

[Tests] run nyc on all tests; use tape runner

[Dev Deps] update eslint, @ljharb/eslint-config, browserify, mkdirp, object-inspect, tape; add aud

6.9.4

[Fix] stringify: when arrayFormat is comma, respect serializeDate (#364)

[Refactor] stringify: reduce branching (part of #350)

[Refactor] move maybeMap to utils

[Dev Deps] update browserify, tape

6.9.3

[Fix] proper comma parsing of URL-encoded commas (#361)

[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

6.9.2

[Fix] parse: Fix parsing array from object with comma true (#359)

[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)

[meta] ignore eclint transitive audit warning

[meta] fix indentation in package.json

[meta] add tidelift marketing copy

[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, has-symbols, tape, mkdirp, iconv-lite

[actions] add automatic rebasing / merge commit blocking

6.9.1

[Fix] parse: with comma true, handle field that holds an array of arrays (#335)

[Fix] parse: with comma true, do not split non-string values (#334)

[meta] add funding field

[Dev Deps] update eslint, @ljharb/eslint-config

... (truncated)

Commits

4cd0032 v6.9.7
e799ba5 [Fix] parse: ignore __proto__ keys (#428)
02ca358 [Robustness] stringify: avoid relying on a global undefined (#427)
4a17709 [Fix] stringify: avoid encoding arrayformat comma when `encodeValuesOnly = ...
c0e13e9 [readme] remove travis badge; add github actions/codecov badges; update URLs
4113a5f [Tests] clean up stringify tests slightly
749a584 [Docs] add note and links for coercing primitive values (#408)
cce2082 [meta] fix README.md (#399)
c44f0c5 Revert "[meta] ignore eclint transitive audit warning"
e6cfd8b [actions] backport actions from main
Additional commits viewable in compare view

Updates semver from 6.0.0 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

928e56d #591 better handling of whitespace (#591) (@lukekarrys, @joaomoreno, @nicolo-ribaudo)

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

928e56d #591 better handling of whitespace (#591) (@lukekarrys, @joaomoreno, @nicolo-ribaudo)

6.2.0

Coerce numbers to strings when passed to semver.coerce()

Add rtl option to coerce from right to left

6.1.3

Handle X-ranges properly in includePrerelease mode

6.1.2

Do not throw when testing invalid version strings

6.1.1

Add options support for semver.coerce()

Handle undefined version passed to Range.test

6.1.0

Add semver.compareBuild function

Support * in semver.intersects

6.0

Fix intersects logic.

This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

Add minVersion method

5.6

Move boolean loose param to an options object, with backwards-compatibility protection.

Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

44d27bc chore: release 6.3.1
928e56d fix: better handling of whitespace (#591)
39f6326 chore: @npmcli/template-oss@4.16.0
0eeceec 6.3.0
2779d96 Expose the token enum on the exports
9f5f615 changelog
ce6190e 6.2.0
24af461 Add test coverage for bin file
388ec1c Add rtl option to coerce from right to left
d062593 coerce(number) will coerce to a string
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates @babel/helpers from 7.7.0 to 7.27.0

Release notes

Sourced from @babel/helpers's releases.

v7.27.0 (2025-03-24)

Thanks @ishchhabra and @vovkasm for your first PRs!

👓 Spec Compliance

babel-generator, babel-parser

#16977 Default importAttributesKeyword to with (@JLHwung)

🚀 New Feature

babel-helper-create-class-features-plugin, babel-traverse, babel-types

#17169 Allow traverseFast to exit early (@liuxingbaoyu)

babel-parser, babel-types

#17110 Add ImportAttributes to Standardized and move its parser test fixtures (@JLHwung)

babel-generator

#17100 fix(babel-generator): add named export of generate function (@vovkasm)

babel-parser, babel-template

#17149 Add allowYieldOutsideFunction to parser (@liuxingbaoyu)

babel-plugin-transform-typescript, babel-traverse

#17102 feat: Add upToScope parameter to hasBinding (@liuxingbaoyu)

babel-parser

#17082 Support ESTree AccessorProperty (@JLHwung)

babel-types

#17162 feat(babel-types): Add support for BigInt literal conversion in valueToNode (@ishchhabra)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16816 fix: Class reference in type throws error (@liuxingbaoyu)

babel-traverse

#17170 fix: Reset child scopes when scope.crawl() (@liuxingbaoyu)

babel-helpers, babel-preset-typescript, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#17118 Fix: align behaviour to tsc rewriteRelativeImportExtensions (@JLHwung)

babel-cli

#17182 fix: @babel/cli generates duplicate inline source maps (@liuxingbaoyu)

babel-plugin-transform-named-capturing-groups-regex, babel-types

#17175 Generate computed proto key (@JLHwung)

🏃‍♀️ Performance

babel-types

#16870 perf: Improve builders of @babel/types (@liuxingbaoyu)

babel-helper-create-regexp-features-plugin

#17176 fix: improve duplicate named groups check (@JLHwungDescription has been truncated

Bumps the npm_and_yarn group with 25 updates in the / directory: | Package | From | To | | --- | --- | --- | | [axios](https://github.com/axios/axios) | `0.18.1` | `0.30.0` | | [bootstrap](https://github.com/twbs/bootstrap) | `4.3.1` | `5.0.0` | | [crypto-js](https://github.com/brix/crypto-js) | `3.1.9-1` | `4.2.0` | | [elliptic](https://github.com/indutny/elliptic) | `6.5.1` | `6.6.1` | | [gh-pages](https://github.com/tschaub/gh-pages) | `1.2.0` | `5.0.0` | | [jquery](https://github.com/jquery/jquery) | `3.4.1` | `3.5.0` | | [lodash](https://github.com/lodash/lodash) | `4.17.15` | `4.17.21` | | [moment](https://github.com/moment/moment) | `2.24.0` | `2.29.4` | | [qs](https://github.com/ljharb/qs) | `6.9.0` | `6.9.7` | | [semver](https://github.com/npm/node-semver) | `6.0.0` | `6.3.1` | | [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) | `7.7.0` | `7.27.0` | | [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) | `7.7.2` | `7.27.0` | | [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.0.4` | `4.2.3` | | [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) | `0.2.0` | `0.2.2` | | [eventsource](https://github.com/EventSource/eventsource) | `1.0.7` | `1.1.2` | | [express](https://github.com/expressjs/express) | `4.17.1` | `4.21.2` | | [fsevents](https://github.com/fsevents/fsevents) | `1.2.9` | `1.2.13` | | [get-func-name](https://github.com/chaijs/get-func-name) | `2.0.0` | `2.0.2` | | [lodash-es](https://github.com/lodash/lodash) | `4.17.15` | `4.17.21` | | [socket.io-parser](https://github.com/Automattic/socket.io-parser) | `3.3.0` | `3.3.4` | | [tree-kill](https://github.com/pkrumins/node-tree-kill) | `1.2.1` | `1.2.2` | | [ua-parser-js](https://github.com/faisalman/ua-parser-js) | `0.7.20` | `0.7.40` | | [urijs](https://github.com/medialize/URI.js) | `1.19.2` | `1.19.11` | | [url-parse](https://github.com/unshiftio/url-parse) | `1.4.7` | `1.5.10` | | [word-wrap](https://github.com/jonschlinkert/word-wrap) | `1.2.3` | `1.2.5` | Updates `axios` from 0.18.1 to 0.30.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v0.30.0/CHANGELOG.md) - [Commits](axios/axios@v0.18.1...v0.30.0) Updates `bootstrap` from 4.3.1 to 5.0.0 - [Release notes](https://github.com/twbs/bootstrap/releases) - [Commits](twbs/bootstrap@v4.3.1...v5.0.0) Updates `crypto-js` from 3.1.9-1 to 4.2.0 - [Commits](brix/crypto-js@3.1.9-1...4.2.0) Updates `elliptic` from 6.5.1 to 6.6.1 - [Commits](indutny/elliptic@v6.5.1...v6.6.1) Updates `gh-pages` from 1.2.0 to 5.0.0 - [Release notes](https://github.com/tschaub/gh-pages/releases) - [Changelog](https://github.com/tschaub/gh-pages/blob/main/changelog.md) - [Commits](tschaub/gh-pages@v1.2.0...v5.0.0) Updates `jquery` from 3.4.1 to 3.5.0 - [Release notes](https://github.com/jquery/jquery/releases) - [Changelog](https://github.com/jquery/jquery/blob/main/changelog.md) - [Commits](jquery/jquery@3.4.1...3.5.0) Updates `lodash` from 4.17.15 to 4.17.21 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.15...4.17.21) Updates `moment` from 2.24.0 to 2.29.4 - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md) - [Commits](moment/moment@2.24.0...2.29.4) Updates `qs` from 6.9.0 to 6.9.7 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.9.0...v6.9.7) Updates `semver` from 6.0.0 to 6.3.1 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md) - [Commits](npm/node-semver@v6.0.0...v6.3.1) Updates `@babel/helpers` from 7.7.0 to 7.27.0 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.27.0/packages/babel-helpers) Updates `@babel/traverse` from 7.7.2 to 7.27.0 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.27.0/packages/babel-traverse) Updates `browserify-sign` from 4.0.4 to 4.2.3 - [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md) - [Commits](browserify/browserify-sign@v4.0.4...v4.2.3) Updates `decode-uri-component` from 0.2.0 to 0.2.2 - [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases) - [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2) Updates `eventsource` from 1.0.7 to 1.1.2 - [Release notes](https://github.com/EventSource/eventsource/releases) - [Changelog](https://github.com/EventSource/eventsource/blob/main/CHANGELOG.md) - [Commits](EventSource/eventsource@v1.0.7...v1.1.2) Updates `express` from 4.17.1 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](expressjs/express@4.17.1...4.21.2) Updates `fsevents` from 1.2.9 to 1.2.13 - [Release notes](https://github.com/fsevents/fsevents/releases) - [Commits](fsevents/fsevents@v1.2.9...v1.2.13) Updates `get-func-name` from 2.0.0 to 2.0.2 - [Release notes](https://github.com/chaijs/get-func-name/releases) - [Commits](https://github.com/chaijs/get-func-name/commits/v2.0.2) Updates `lodash-es` from 4.17.15 to 4.17.21 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.15...4.17.21) Updates `path-to-regexp` from 0.1.7 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](pillarjs/path-to-regexp@v0.1.7...v0.1.12) Updates `send` from 0.17.1 to 0.19.0 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.17.1...0.19.0) Updates `serve-static` from 1.14.1 to 1.16.2 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/v1.16.2/HISTORY.md) - [Commits](expressjs/serve-static@v1.14.1...v1.16.2) Updates `socket.io-parser` from 3.3.0 to 3.3.4 - [Release notes](https://github.com/Automattic/socket.io-parser/releases) - [Changelog](https://github.com/socketio/socket.io-parser/blob/3.3.4/CHANGELOG.md) - [Commits](socketio/socket.io-parser@3.3.0...3.3.4) Updates `tree-kill` from 1.2.1 to 1.2.2 - [Release notes](https://github.com/pkrumins/node-tree-kill/releases) - [Commits](pkrumins/node-tree-kill@v1.2.1...v1.2.2) Updates `ua-parser-js` from 0.7.20 to 0.7.40 - [Release notes](https://github.com/faisalman/ua-parser-js/releases) - [Changelog](https://github.com/faisalman/ua-parser-js/blob/master/CHANGELOG.md) - [Commits](faisalman/ua-parser-js@0.7.20...0.7.40) Updates `urijs` from 1.19.2 to 1.19.11 - [Release notes](https://github.com/medialize/URI.js/releases) - [Changelog](https://github.com/medialize/URI.js/blob/gh-pages/CHANGELOG.md) - [Commits](medialize/URI.js@v1.19.2...v1.19.11) Updates `url-parse` from 1.4.7 to 1.5.10 - [Commits](unshiftio/url-parse@1.4.7...1.5.10) Updates `word-wrap` from 1.2.3 to 1.2.5 - [Release notes](https://github.com/jonschlinkert/word-wrap/releases) - [Commits](jonschlinkert/word-wrap@1.2.3...1.2.5) --- updated-dependencies: - dependency-name: axios dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: bootstrap dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: crypto-js dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: elliptic dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: gh-pages dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: jquery dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: lodash dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: moment dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: qs dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: semver dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@babel/helpers" dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@babel/traverse" dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: browserify-sign dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: decode-uri-component dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: eventsource dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fsevents dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: get-func-name dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash-es dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: socket.io-parser dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tree-kill dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ua-parser-js dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: urijs dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: url-parse dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: word-wrap dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]>

socket-security · 2025-03-31T18:55:42Z

Report too large to display inline

View full report↗︎

socket-security · 2025-03-31T18:55:44Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Critical CVE	npm/[email protected]	CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0, < 1.2.6 Patched version: 1.2.6	`yarn.lock`	⚠︎
Critical CVE	npm/[email protected]	CVE: GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils (CRITICAL) Affected versions: < 1.4.1 Patched version: 1.4.1	`yarn.lock`	⚠︎
Critical CVE	npm/[email protected]	CVE: GHSA-r6rj-9ch6-g264 Prototype pollution in Merge-deep (CRITICAL) Affected versions: < 3.0.3 Patched version: 3.0.3	`yarn.lock`	⚠︎

View full report↗︎

Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 31, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the npm_and_yarn group across 1 directory with 28 updates #1

Bump the npm_and_yarn group across 1 directory with 28 updates #1

Uh oh!

dependabot bot commented on behalf of github Mar 31, 2025

Uh oh!

socket-security bot commented Mar 31, 2025

Uh oh!

socket-security bot commented Mar 31, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Bump the npm_and_yarn group across 1 directory with 28 updates #1

Are you sure you want to change the base?

Bump the npm_and_yarn group across 1 directory with 28 updates #1

Uh oh!

Conversation

dependabot bot commented on behalf of github Mar 31, 2025

Release v0.30.0

Release notes:

Bug Fixes

Contributors to this release

v0.29.0

Release notes:

Bug Fixes

Contributors to this release

Release v0.28.1

Release notes:

Release notes:

Bug Fixes

Release v0.28.0

Release notes:

Bug Fixes

Backports from v1.x:

0.30.0 (2025-03-26)

Release notes:

Bug Fixes

0.29.0 (2024-11-21)

Release notes:

Bug Fixes

0.28.1 (2024-03-24)

Release notes:

Bug Fixes

0.28.0 (2024-02-12)

Release notes:

Bug Fixes

Backports from v1.x:

v5.0.0

Highlights

🚀 Features

🎨 CSS

☕️ JavaScript

v5.0.0

What's Changed

New Contributors

v4.0.0

What's Changed

v3.2.3

v3.0.0

v5.0.0

v4.0.0

v3.2.3

v3.2.2

v3.2.1

v3.2.0

jQuery 3.5.0 Released!

2.29.4

2.29.3 Full changelog

2.29.2 See full changelog

2.29.1 See full changelog

2.29.0 See full changelog

2.28.0 See full changelog

2.27.0 See full changelog

2.26.0 See full changelog

6.9.7

6.9.6

6.9.5

6.9.4

6.9.3

6.9.2

6.9.1

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

6.3.1 (2023-07-10)

Bug Fixes

6.2.0

6.1.3

6.1.2

6.1.1

6.1.0

6.0