chore(deps): bump the npm_and_yarn group across 3 directories with 14 updates by dependabot[bot] · Pull Request #1283 · writer/writer-framework

dependabot · 2026-04-07T01:38:29Z

Bumps the npm_and_yarn group with 4 updates in the / directory: ajv, vega, vite and express.
Bumps the npm_and_yarn group with 1 update in the /src/ui directory: vite.
Bumps the npm_and_yarn group with 1 update in the /tests/e2e directory: express.

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

feat: allow tree-shaking by adding "sideEffects": false to package.json by @josdejong in ajv-validator/ajv#2480

fix: #2482 Infinity and NaN serialise to null by @jasoniangreen in ajv-validator/ajv#2487

fix: small grammatical error in managing-schemas.md by @monteiro-renato in ajv-validator/ajv#2508

fix: typos in schema-language.md by @monteiro-renato in ajv-validator/ajv#2507

fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @epoberezkin in ajv-validator/ajv#2586

New Contributors

@josdejong made their first contribution in ajv-validator/ajv#2480

@monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

142ce84 8.18.0
720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
82735a1 fix: typos in schema-language.md (#2507)
b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
See full diff in compare view

Updates vega from 5.30.0 to 5.32.0

Release notes

Sourced from vega's releases.

v5.32.0

Changes since v5.31.0

vega-expression

Add base64 string encoder/decoder to vega-expression and vega-interpreter (via #4009). (Thanks @hydrosquall!)

vega-typings

Add Typescript Types for vega-loader (via #4000). (Thanks @hydrosquall!)

docs

Correct data year citation in dorling-cartogram example (via #4006). (Thanks @dsmedia!)

Update typo in vega.timeFloor description (via #4010). (Thanks @hydrosquall!)

Add Security Advisory Policy for Vega (via #4008). (Thanks @hydrosquall!)

Replace redirect url in expressions.md (via #3996). (Thanks @dangotbanned!)

correct queries to query in crossfilter.md (via #4005). (Thanks @danmarshall!)

v5.31.0

changes since v5.30.0

vega-utils

use Object.hasOwn instead of Object.prototype.hasOwnProperty (via #3951). (Thanks @domoritz!)

vega-parser

Add discrete legend type (via #3957). (Thanks @hydrosquall!)

vega-functions

Add sort function to vega-functions (and vega-interpreter) (via #3973). (Thanks @hydrosquall!)

vega-selections

Add field predicate types to selectionTest (via #3675). (Thanks @jonathanzong!)

monorepo

Replace flights-5k.json external reference (via #3999). (Thanks @dwootton!)

docs

Update packed bubble example (via #3955). (Thanks @PBI-David!)

Correct typo in production rules documentation (via #3958). (Thanks @shanebruggeman!)

Update README.md to fix broken link to current roadmap (via #3979). (Thanks @cahogan & @joelostblom!)

Commits

c46889d chore: update vega-cli to v5.32.0 (#4015)
2fe2e63 chore: v5.32.0 (#4014)
81ed011 chore: remove extra space in test name
6026887 fix: correct data year citation in dorling-cartogram example (#4006)
a3af49e feat: Add base64 string encoder/decoder to vega-expression and `vega-interp...
cd88cc8 fix(docs): Update typo in vega.timeFloor description (#4010)
694560c Merge commit from fork
560aeec docs: Add Security Advisory Policy for vega (#4008)
0b6a114 feat(vega-typings): add Typescript Types for vega-loader (#4000)
b83b8e5 docs: Replace redirect url in expressions.md (#3996)
Additional commits viewable in compare view

Updates vite from 5.2.8 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163

fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

6.4.1 (2025-10-20)

fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969) (1114b5d), closes #20968 #20969

6.4.0 (2025-10-15)

feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

fix: apply fs.strict check to HTML files (#20736) (0ab19ea), closes #20736

fix: upgrade sirv to 3.0.2 (#20735) (e11d240), closes #20735

test: detect ts support via process.features (#20544) (7d99229), closes #20544

6.3.5 (2025-05-05)

fix(ssr): handle uninitialized export access as undefined (#19959) (fd38d07), closes #19959

6.3.4 (2025-04-30)

fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965

fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940

refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

fix: ignore malformed uris in tranform middleware (#19853) (e4d5201), closes #19853

... (truncated)

Commits

6b3fad0 release: v6.4.2
ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
5487f4f release: v6.4.1
1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
f12697c release: v6.4.0
ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
0e173d8 release: v6.3.7
c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
3f337c5 release: v6.3.6
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.

Updates express from 4.19.2 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for Node.js@23.0 by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: qs@6.14.0 by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

finalhandler@1.3.1 by @wesleytodd in expressjs/express#5954

fix(deps): serve-static@1.16.2 by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: qs@6.14.0

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
6a23d34 deps: use tilde notation for qs (#6919)
8c12cdf deps: qs@6.14.0 (#6909)
7fea74f deps: use tilde notation for certain dependencies (#6905)
dac7a04 chore: wider range for query test skip (#6513)
997919b ci: add node.js 24 to test matrix (#6506)
36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
3a5edfa fix(ci): updated github actions ci workflow (#6323)
52d9781 fix(test): add test for method routes without paths #5955
Additional commits viewable in compare view

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

Remove redundant depth check by @blakeembrey in expressjs/body-parser#538

ci: add support for Node.js v23 by @Phillip9587 in expressjs/body-parser#553

ci: restore CI for 1.x branch by @bjohansebas in expressjs/body-parser#665

deps: qs@^6.14.0 by @bjohansebas in expressjs/body-parser#664

deps: use tilde notation and update certain dependencies by @Phillip9587 in expressjs/body-parser#668

chore: remove SECURITY.md by @Phillip9587 in expressjs/body-parser#669

ci: add CodeQL (SAST) by @Phillip9587 in expressjs/body-parser#670

Release: 1.20.4 by @UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to node@22.4.1 by @wesleytodd in expressjs/body-parser#527

deps: qs@6.12.3 by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

New Contributors

@inigomarquinez made their first contribution in expressjs/body-parser#522

@melikhov-dev made their first contribution in expressjs/body-parser#521

@bjohansebas made their first contribution in expressjs/body-parser#531

@UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

deps: qs@~6.14.0

deps: use tilde notation for dependencies

deps: http-errors@~2.0.1

deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

7db202c 1.20.4 (#672)
d8f8adb ci: add CodeQL (SAST) (#670)
6d133c1 chore: remove SECURITY.md (#669)
fcd1535 deps: use tilde notation and update certain dependencies (#668)
ec5fa29 deps: qs@~6.14.0 (#664)
ffb95c1 ci: restore CI for 1.x branch (#665)
48a5f07 ci: add support for Node.js v23 (#553)
f20f6ad Remove redundant depth check (#538)
1752951 1.20.3
39744cf chore: linter (#534)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates cookie from 0.6.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

Allow leading dot for domain (#174)

Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec

Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

perf: parse cookies ~10% faster (#144 by @kurtextrem and #170)

fix: narrow the validation of cookies to match RFC6265 (#167 by @bewinsnw)

fix: add main to package.json for rspack (#166 by @proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

Commits

d19eaa1 0.7.2
bc38ffd Fix object assignment of hasOwnProperty (#177)
cf4658f 0.7.1
6a8b8f5 Allow leading dot for domain (#174)
58015c0 Remove more code and perf wins (#172)
ab057d6 0.7.0
5f02ca8 Migrate history to GitHub releases
a5d591c Migrate history to GitHub releases
51968f9 Skip isNaN
9e7ca51 perf(parse): cache length, return early (#144)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates nanoid from 3.3.7 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

Fixed React Native support.

3.3.10

Fixed React Native support (by @steida).

3.3.9

Reduced npm package size.

3.3.8

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

Commits

37289ce Release 3.3.11 version
23690b7 Fix CI
c147962 Fix RN support
a83734e Move to manually ESM/CJS dual package
bb12e8a Release 3.3.10 version
8f44264 Fix Expo support
adf9b0c Release 3.3.9 version
1c6f088 Remove dev file from npm package
3044cd5 Release 3.3.8 version
4fe3495 Update size limit
Additional commits viewable in compare view

Updates path-to-regexp from 0.1.7 to 0.1.13

Release notes

Sourced from path-to-regexp's releases.

0.1.13

Important

Fix CVE-2026-4867 (GHSA-37ch-88jc-xwx2)

Full Changelog: pillarjs/path-to-regexp@v0.1.12...v.0.1.13

Fix backtracking (again)

Fixed

Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

Add backtrack protection to parameters 29b96b4

This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Changelog

Sourced from path-to-regexp's changelog.

0.1.13 / 2026-03-26

Fix CVE-2026-4867 (GHSA-37ch-88jc-xwx2)

Commits

9fd0c87 0.1.13 (#425)
7ccf02c fix: CVE-2026-4867
640e694 0.1.12
f01c26a Merge commit from fork
0c71192 0.1.11
8f09549 Add error on bad input values
c827fce 0.1.10
29b96b4 Add backtrack protection to parameters
ac4c234 Update repo url (#314)
bdb6635 0.1.9
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for path-to-regexp since your current version.

Updates qs from 6.11.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

[New] parse: add throwOnParameterLimitExceeded option (#517)

[Refactor] parse: use utils.combine more

[patch] parse: add explicit throwOnLimitExceeded default

[actions] use shared action; re-add finishers

[meta] Fix changelog formatting bug

[Deps] update side-channel

[Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols

[Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

[Robustness] avoid .push, use void

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] replace runkit CI badge with shields.io check-runs badge

[actions] fix rebase workflow permissions

6.13.1

[Fix] stringify: avoid a crash when a filter key is null

[Fix] utils.merge: functions should not be stringified into keys

[Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset

[Fix] stringify: ensure a non-string filter does not crash

[Refactor] use __proto__ syntax instead of Object.create for null objects

[Refactor] misc cleanup

... (truncated)

Commits

bdcf0c7 v6.14.2
294db90 [readme] document that addQueryPrefix does not add ? to empty output
5c308e5 [readme] clarify parseArrays and arrayLimit documentation
6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
1b9a8b4 [actions] fix rebase workflow permissions
2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
Additional commits viewable in compare view

Updates rollup from 4.14.0 to 4.60.1

Release notes

Sourced from rollup's releases.

v4.60.1

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

#6319: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6320: chore(deps): pin dependency typescript to v5 (@renovate[bot], @lukastaegert)

#6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@renovate[bot], @lukastaegert)

#6322: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6323: chore(deps): lock file maintenance (@renovate[bot])

#6324: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

v4.60.0

4.60.0

2026-03-22

Features

Support source phase imports as long as they are external (#6279)

Pull Requests

#6279: feat: external only Source Phase imports support (@guybedford, @lukastaegert)

v4.59.1

4.59.1

2026-03-21

Bug Fixes

Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

#6281: fix(deps): update minor/patch updates (@renovate[bot], @lukastaegert)

#6282: chore(deps): update github artifact actions (major) (@renovate[bot], @lukastaegert)

#6283: chore(deps): update dependency nyc to v18 (@renovate[bot], @lukastaegert)

#6284: fix(deps): update swc monorepo (major) (@renovate[bot])

#6285: chore(deps): lock file maintenance (@renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.1

2026-03-30

Bug Fixes

Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

#6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) (@littlegrayss, @TrickyPi)

#6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)

#6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)

… updates Bumps the npm_and_yarn group with 4 updates in the / directory: [ajv](https://github.com/ajv-validator/ajv), [vega](https://github.com/vega/vega), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [express](https://github.com/expressjs/express). Bumps the npm_and_yarn group with 1 update in the /src/ui directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). Bumps the npm_and_yarn group with 1 update in the /tests/e2e directory: [express](https://github.com/expressjs/express). Updates `ajv` from 8.17.1 to 8.18.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.18.0) Updates `vega` from 5.30.0 to 5.32.0 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.30.0...v5.32.0) Updates `vite` from 5.2.8 to 6.4.2 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `express` from 4.19.2 to 4.22.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md) - [Commits](expressjs/express@4.19.2...4.22.0) Updates `body-parser` from 1.20.2 to 1.20.4 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.2...1.20.4) Updates `cookie` from 0.6.0 to 0.7.2 - [Release notes](https://github.com/jshttp/cookie/releases) - [Commits](jshttp/cookie@v0.6.0...v0.7.2) Updates `nanoid` from 3.3.7 to 3.3.11 - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](ai/nanoid@3.3.7...3.3.11) Updates `path-to-regexp` from 0.1.7 to 0.1.13 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md) - [Commits](pillarjs/path-to-regexp@v0.1.7...v.0.1.13) Updates `qs` from 6.11.0 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.11.0...v6.14.2) Updates `rollup` from 4.14.0 to 4.60.1 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.14.0...v4.60.1) Updates `send` from 0.18.0 to 0.19.2 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.18.0...0.19.2) Updates `serve-static` from 1.15.0 to 1.16.3 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.15.0...v1.16.3) Updates `vega-functions` from 5.15.0 to 5.17.0 - [Release notes](https://github.com/vega/vega/releases) - [Commits](vega/vega@v5.15.0...v5.17.0) Updates `vega-selections` from 5.4.2 to 5.6.3 - [Release notes](https://github.com/vega/vega/releases) - [Commits](https://github.com/vega/vega/commits) Updates `vite` from 5.4.21 to 8.0.5 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite) Updates `express` from 4.19.2 to 4.22.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md) - [Commits](expressjs/express@4.19.2...4.22.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 8.18.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vega dependency-version: 5.32.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 6.4.2 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: express dependency-version: 4.22.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 1.20.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: cookie dependency-version: 0.7.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: nanoid dependency-version: 3.3.11 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-version: 0.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-functions dependency-version: 5.17.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vega-selections dependency-version: 5.6.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 8.0.5 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: express dependency-version: 4.22.0 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

hackerone-code · 2026-04-07T01:38:39Z

⚠️ This pull request was not sent to the HackerOne Code network because the author name contains "dependabot".

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 7, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 3 directories with 14 updates#1283

chore(deps): bump the npm_and_yarn group across 3 directories with 14 updates#1283
dependabot[bot] wants to merge 1 commit intodevfrom
dependabot/npm_and_yarn/npm_and_yarn-1df2d93826

dependabot Bot commented on behalf of github Apr 7, 2026

Uh oh!

hackerone-code Bot commented Apr 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 7, 2026

v8.18.0

What's Changed

New Contributors

v5.32.0

v5.31.0

v6.4.2

v6.4.1

v6.4.0

v6.3.7

v6.3.6

v5.4.21

v5.4.20

6.4.2 (2026-04-06)

6.4.1 (2025-10-20)

6.4.0 (2025-10-15)

6.3.7 (2025-10-14)

6.3.6 (2025-09-08)

6.3.5 (2025-05-05)

6.3.4 (2025-04-30)

6.3.3 (2025-04-24)

4.22.0

Important: Security

What's Changed

4.21.2

What's Changed

4.21.1

What's Changed

4.21.0

What's Changed

New Contributors

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

4.20.0 / 2024-09-10

1.20.4

What's Changed

1.20.3

What's Changed

Important

Other changes

New Contributors

1.20.4 / 2025-12-01

1.20.3 / 2024-09-10

v0.7.2

0.7.1

0.7.0

3.3.11

3.3.10

3.3.9

3.3.11

3.3.10

3.3.9

3.3.8

0.1.13

Important

Fix backtracking (again)

Error on bad input

Backtrack protection

Support non-lookahead regex output

Support named matching groups in RegExp

0.1.13 / 2026-03-26

6.14.2

6.14.1

6.14.0

6.13.3

6.13.2

6.13.1

v4.60.1

4.60.1

Bug Fixes

Pull Requests

v4.60.0

4.60.0

Features

Pull Requests

v4.59.1

4.59.1

Support named matching groups in `RegExp`