Bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
body-parser	1.19.0	1.20.3
express	4.17.1	4.21.1
crypto-js	3.1.9-1	4.2.0
debug	4.1.1	4.3.7
marked	0.7.0	4.0.10
pug	2.0.4	3.0.3
redis	2.8.0	3.1.1
simple-git	1.132.0	3.16.0

Updates body-parser from 1.19.0 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1 / 2022-10-06

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0 / 2022-04-02

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3
• deps: raw-body@2.5.1
  • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

• deps: bytes@3.1.2
• deps: qs@6.9.7
  • Fix handling of __proto__ keys
• deps: raw-body@2.4.3
  • deps: bytes@3.1.2

1.19.1 / 2021-12-10

... (truncated)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: qs@6.12.3 (#521)
• 9478591 fix: pin to node@22.4.1
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.17.1 to 4.21.1

Release notes

Sourced from express's releases.

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695

... (truncated)

Changelog

Sourced from express's changelog.

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@0.6.0

4.18.3 / 2024-02-29

... (truncated)

Commits

• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• 77ada90 Deprecate "back" magic string in redirects (#5935)
• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to serve-static@0.16.0
• 9ebe5d5 feat: upgrade to send@0.19.0 (#5928)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates crypto-js from 3.1.9-1 to 4.2.0

Commits

• 808f499 Merge branch 'release/4.2.0'
• d5af3ae Update release notes.
• 9496e07 Bump version.
• 421dd53 Change default hash algorithm and iteration's for PBKDF2 to prevent weak secu...
• d1f4f4d Update grunt.
• c755289 Discontinued
• 1da3dab Discontinued
• 4dcaa7a Merge pull request #380 from Alanscut/dev
• 762feb2 chore: rename BF to Blowfish
• fb81418 feat: blowfish support
• Additional commits viewable in compare view

Updates debug from 4.1.1 to 4.3.7

Release notes

Sourced from debug's releases.

4.3.7

What's Changed

• Upgrade ms to version 2.1.3 by @​realityking in debug-js/debug#819

Full Changelog: debug-js/debug@4.3.6...4.3.7

4.3.6

What's Changed

• Avoid using deprecated RegExp.$1 by @​bluwy in debug-js/debug#969

New Contributors

• @​bluwy made their first contribution in debug-js/debug#969

Full Changelog: debug-js/debug@4.3.5...4.3.6

4.3.5

Patch

• cac39b1c5b018b0fe93a53a05f084eee543d17f5 Fix/debug depth (#926)

Thank you @​calvintwr for the fix.

4.3.4

What's Changed

• Add section about configuring JS console to show debug messages by @​gitname in debug-js/debug#866
• Replace deprecated String.prototype.substr() by @​CommanderRoot in debug-js/debug#876

New Contributors

• @​gitname made their first contribution in debug-js/debug#866
• @​CommanderRoot made their first contribution in debug-js/debug#876

Full Changelog: debug-js/debug@4.3.3...4.3.4

4.3.3

Patch Release 4.3.3

This is a documentation-only release. Further, the repository was transferred. Please see notes below.

• Migrates repository from https://github.com/visionmedia/debug to https://github.com/debug-js/debug. Please see notes below as to why this change was made.
• Updates repository maintainership information
• Updates the copyright (no license terms change has been made)
• Removes accidental epizeuxis (#828)
• Adds README section regarding usage in child procs (#850)

Thank you to @​taylor1791 and @​kristofkalocsai for their contributions.

---

Repository Migration Information

... (truncated)

Commits

• bc60914 4.3.7
• c63e96e Upgrade ms to version 2.1.3 (#819)
• 382864a remove archaic badges from readme
• c33b464 4.3.6
• 7956a45 Avoid using deprecated RegExp.$1
• 5464bdd 4.3.5
• f244ada update authorship contact info
• cac39b1 Fix/debug depth (#926)
• f66cb2d remove .github folder (and the outdated issue templates)
• d161662 Update ISSUE_TEMPLATE.md
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by qix, a new releaser for debug since your current version.

Updates marked from 0.7.0 to 4.0.10

Release notes

Sourced from marked's releases.

v4.0.10

4.0.10 (2022-01-13)

Bug Fixes

• security: fix redos vulnerabilities (8f80657)

v4.0.9

4.0.9 (2022-01-06)

Bug Fixes

• retain line breaks in tokens properly (#2341) (a9696e2)

v4.0.8

4.0.8 (2021-12-19)

Bug Fixes

• spaces on a newline after a table (#2319) (f82ea2c)

v4.0.7

4.0.7 (2021-12-09)

Bug Fixes

• Fix every third list item broken (#2318) (346b162), closes #2314

v4.0.6

4.0.6 (2021-12-02)

Bug Fixes

• speed up parsing long lists (#2302) (e0005d8)

v4.0.5

4.0.5 (2021-11-25)

Bug Fixes

• table after paragraph without blank line (#2298) (5714212)

v4.0.4

4.0.4 (2021-11-19)

... (truncated)

Commits

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
• 98996b8 chore(deps-dev): Bump @​babel/preset-env from 7.16.5 to 7.16.7 (#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• Additional commits viewable in compare view

Updates pug from 2.0.4 to 3.0.3

Release notes

Sourced from pug's releases.

pug-code-gen@3.0.3

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

pug@3.0.3

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

pug-code-gen@3.0.2

Bug Fixes

• Sanitise the pretty option (#3314)

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

pug@3.0.2

Bug Fixes

• Serialize Buffers to strings when storing sources for use with compileDebug: true (#3269)

pug-code-gen@3.0.1

Bug Fixes

• Update with to resolve core-js deprecation notice (#3259)

pug-runtime@3.0.1

Bug Fixes

• Properly handle non-string values when rethrowing errors (#3269)

pug@3.0.1

Bug Fixes

• Sanitise the pretty option (#3314)

  If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

pug-attrs@3.0.0

Breaking Changes

• Drop support for node 6 and 8 (#3243)

pug-code-gen@3.0.0

Breaking Changes

• Drop support for node 6 and 8 (#3243)

... (truncated)

Commits

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• d4b7f60 Properly handle errors originating from included files when compileDebug is e...
• d6f0615 fix capture groups for "each" statements (#3274)
• 73ea7cf fix: keep lexer plugins inside tag interpolation (#3296)
• 29a53c5 fix: Fix pug-lexer parsed escaped interpolations incorrectly (#3299)
• 60b1b15 chore: update supported versions (#3315)
• 991e78f fix: sanitise and escape the pretty option (#3314)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pug-bot, a new releaser for pug since your current version.

Updates redis from 2.8.0 to 3.1.1

Changelog

Sourced from redis's changelog.

v3.1.1

Enhancements

• Upgrade node and dependencies

Fixes

• Fix a potential exponential regex in monitor mode

v3.1.0 - 31 Mar, 2021

Enhancements

• Upgrade node and dependencies and redis-commands to support Redis 6
• Add support for Redis 6 auth pass [user]

v3.0.0 - 09 Feb, 2020

This version is mainly a release to distribute all the unreleased changes on master since 2017 and additionally removes a lot of old deprecated features and old internals in preparation for an upcoming modernization refactor (v4).

Breaking Changes

• Dropped support for Node.js < 6
• Dropped support for hiredis (no longer required)
• Removed previously deprecated drain event
• Removed previously deprecated idle event
• Removed previously deprecated parser option
• Removed previously deprecated max_delay option
• Removed previously deprecated max_attempts option
• Removed previously deprecated socket_no_delay option

Bug Fixes

• Removed development files from published package (#1370)
• Duplicate function now allows db param to be passed (#1311)

Features

• Upgraded to latest redis-commands package
• Upgraded to latest redis-parser package, v3.0.0, which brings performance improvements
• Replaced double-ended-queue with denque, which brings performance improvements
• Add timestamps to debug traces
• Add socket_initial_delay option for socket.setKeepAlive (#1396)
• Add support for rediss protocol in url (#1282)

Commits

• fc28860 Bump version to 3.1.1 (#1597)
• 2d11b6d fix #1569 - improve monitor_regex (#1595)
• 7e77de8 Add Chat (#1594)
• 5d3e995 Merge branch 'master' of https://github.com/NodeRedis/node-redis
• b797cf2 add user to README.md
• 79f34c2 Bump version to 3.1.0 (#1590)
• 7fdc54e fix for 428e1c8a7b2322c2650294638cb1663ac5692728 - fix auth retry when redis ...
• 09f0fe8 "fix" tests
• 428e1c8 Add support for Redis 6 auth pass [user] (#1508)
• bb208d0 Add codeclimate badge (#1572)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by leibale, a new releaser for redis since your current version.

Updates simple-git from 1.132.0 to 3.16.0

Release notes

Sourced from simple-git's releases.

simple-git@3.16.0

Minor Changes

• 97fde2c: Support the use of -B in place of the default -b in checkout methods
• 0a623e5: Adds vulnerability detection to prevent use of --upload-pack and --receive-pack without explicitly opting in.

Patch Changes

• ec97a39: Include restricting the use of git push --exec with other allowUnsafePack exclusions, thanks to @​stsewd for the suggestion.

simple-git@3.15.1

Patch Changes

• de570ac: Resolves an issue whereby non-strings can be passed into the config switch detector.

simple-git@3.15.0

Minor Changes

• 7746480: Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the new allowUnsafeProtocolOverride property having been enabled.

Patch Changes

• 7746480: - Upgrade repo dependencies - lerna and jest
  • Include node@19 in the test matrix

simple-git@3.14.1

Patch Changes

• 5a2e7e4: Add version parsing support for non-numeric patches (including "built from source" style 1.11.GIT)

simple-git@3.14.0

Minor Changes

• 19029fc: Create the abort plugin to allow cancelling all pending and future tasks.
• 4259b26: Add .version to return git version information, including whether the git binary is installed.

simple-git@3.13.0

Minor Changes

• 87b0d75: Increase the level of deprecation notices for use of simple-git/promise, which will be fully removed in the next major
• d0dceda: Allow supplying just one of to/from in the options supplied to git.log

Patch Changes

• 6b3e05c: Use shared test utilities bundle in simple-git tests, to enable consistent testing across packages in the future

simple-git@3.12.0

Minor Changes

• bfd652b: Add a new configuration option to enable trimming white-space from the response to git.raw

... (truncated)

Changelog

Sourced from simple-git's changelog.

3.16.0

Minor Changes

• 97fde2c: Support the use of -B in place of the default -b in checkout methods
• 0a623e5: Adds vulnerability detection to prevent use of --upload-pack and --receive-pack without explicitly opting in.

Patch Changes

• ec97a39: Include restricting the use of git push --exec with other allowUnsafePack exclusions, thanks to @​stsewd for the suggestion.

3.15.1

Patch Changes

• de570ac: Resolves an issue whereby non-strings can be passed into the config switch detector.

3.15.0

Minor Changes

• 7746480: Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the new allowUnsafeProtocolOverride property having been enabled.

Patch Changes

• 7746480: - Upgrade repo dependencies - lerna and jest
  • Include node@19 in the test matrix

3.14.1

Patch Changes

• 5a2e7e4: Add version parsing support for non-numeric patches (including "built from source" style 1.11.GIT)

3.14.0

Minor Changes

• 19029fc: Create the abort plugin to allow cancelling all pending and future tasks.
• 4259b26: Add .version to return git version information, including whether the git binary is installed.

3.13.0

Minor Changes

• 87b0d75: Increase the level of deprecation notices for use of simple-git/promise, which will be fully removed in the next major
• d0dceda: Allow supplying just one of to/from in the options supplied to git.log

Patch Changes

... (truncated)

Commits

• 1a12952 Version Packages
• ec97a39 Block unsafe pack (push --exec) (#882)
• 0a623e5 Feat/unsafe pack (#881)
• 97fde2c Add support for using the -B modifier instead of the default -b when usin...
• edfd459 Update readme.md
• c9fc61f Version Packages
• de570ac Fix/non strings (#867)
• d4764bf Version Packages
• 7746480 Chore: bump lerna, jest and create prettier workflow (#862)
• 6b3c631 Create the unsafe plugin to configure how simple-git treats known potenti...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[snyk-io]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[doperiddle]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)