Bump the npm_and_yarn group across 1 directory with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the /backstage directory:

Package	From	To
@backstage/plugin-catalog-backend	1.14.0	1.26.0
@backstage/plugin-techdocs-backend	1.8.0	1.10.13
express	4.19.2	4.20.0
dompurify	2.4.7	2.5.7
micromatch	4.0.5	4.0.8
rollup	2.79.1	2.79.2
webpack	5.94.0	5.95.0

Updates @backstage/plugin-catalog-backend from 1.14.0 to 1.26.0

Release notes

Sourced from @​backstage/plugin-catalog-backend's releases.

v1.26.0

See docs/releases/v1.26.0-changelog.md for more information.

v1.26.0-next.1

See docs/releases/v1.26.0-next.1-changelog.md for more information.

v1.26.0-next.0

See docs/releases/v1.26.0-next.0-changelog.md for more information.

v1.25.2

This release fixes an issue where requests for the public http routes for the events-backend were authenticated causing 401 errors.

v1.25.1

This release fixes an bug where the kubernetes plugin would crash reading credentials from undefined.

v1.25.0

These are the release notes for the v1.25.0 release of Backstage. This is an unscheduled release that replaces what would’ve otherwise been the v1.25.0-next.1 release, due to a problem with the patch releases for 1.24.0. The next main line release will still be released on April 16th as scheduled, but will now instead be 1.26.0.

A huge thanks to the whole team of maintainers and contributors as well as the amazing Backstage Community for the hard work in getting this release developed and done.

Highlights

Auth service fixes

A number of fixes have been made to various plugins related to the new auth system:

Rate limiting has been disabled as it was a bit too aggressive and didn’t interact well with proxies. Fixes an issue in the TechDocs CLI related to cookie auth Fixes an integration issue of the new auth services in the Jenkins backend plugin Fixed an issue in the scaffolder were credentials weren’t forwarded correctly to the action context. Fixed an issue where the proxy backend blocked unauthenticated requests.

Catalog

The catalog backend can now be extended with additional permissions through new addPermissions methods of the CatalogBuilder and catalogPermissionExtensionPoint. The paginated catalog table now saves the search text in the query parameters and debounces the server requests.

Security Fixes

This release does not contain any security fixes.

Upgrade path

We recommend that you keep your Backstage project up to date with this latest release. For more guidance on how to upgrade, check out the documentation for keeping Backstage updated.

Links and References

Below you can find a list of links and references to help you learn about and start using this new release.

• Backstage official website, documentation, and getting started guide

... (truncated)

Changelog

Sourced from @​backstage/plugin-catalog-backend's changelog.

1.26.0

Minor Changes

• 74acf06: Add dependencyOf prop to catalog model for Component kind to enable building relationship graphs with both directions using dependsOn and dependencyOf.
• 78475c3: Allow offset mode paging in entity list provider
• bd35cdb: The analyze-location endpoint is now protected by the catalog.location.analyze permission. The validate-entity endpoint is now protected by the catalog.entity.validate permission.

Patch Changes

• 1882cfe: Moved getEntities ordering to utilize database instead of having it inside catalog client

  Please note that the latest version of @backstage/catalog-client will not order the entities in the same way as before. This is because the ordering is now done in the database query instead of in the client. If you rely on the ordering of the entities, you may need to update your backend plugin or code to handle this change.

• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.

• c2b63ab: Updated dependency supertest to ^7.0.0.

• 53cce86: Fixed an issue with the by-query call, where ordering by a field that does not exist on all entities led to not all results being returned

• Updated dependencies

  • @​backstage/backend-common@​0.25.0
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/catalog-model@​1.7.0
  • @​backstage/catalog-client@​1.7.0
  • @​backstage/plugin-search-backend-module-catalog@​0.2.2
  • @​backstage/plugin-permission-node@​0.8.3
  • @​backstage/plugin-catalog-common@​1.1.0
  • @​backstage/plugin-catalog-node@​1.13.0
  • @​backstage/integration@​1.15.0
  • @​backstage/backend-openapi-utils@​0.1.18
  • @​backstage/plugin-events-node@​0.4.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/types@​1.1.1
  • @​backstage/plugin-permission-common@​0.8.1

1.26.0-next.2

Minor Changes

• 78475c3: Allow offset mode paging in entity list provider

Patch Changes

• c2b63ab: Updated dependency supertest to ^7.0.0.
• Updated dependencies
  • @​backstage/backend-common@​0.25.0-next.2
  • @​backstage/backend-plugin-api@​1.0.0-next.2
  • @​backstage/catalog-client@​1.7.0-next.1
  • @​backstage/integration@​1.15.0-next.0
  • @​backstage/backend-openapi-utils@​0.1.18-next.2

... (truncated)

Commits

• 0e48f5a Version Packages
• d5a1fe1 chore: change most of plugins to use LoggerService
• 036b9b3 Version Packages (next)
• c6635e5 Merge pull request #23022 from RoadieHQ/quiter-logs
• 366cf07 Version Packages (next)
• 51e3f70 Merge pull request #23084 from aramissennyeydd/openapi-tooling/schemathesis
• bb89236 Version Packages
• 04655bb Generate Release
• 714df5b Generate Release
• 9c7fb30 Patch from PR #23789
• Additional commits viewable in compare view

Updates @backstage/plugin-techdocs-backend from 1.8.0 to 1.10.13

Changelog

Sourced from @​backstage/plugin-techdocs-backend's changelog.

1.10.13

Patch Changes

• 086c32d: Dedicated token for techdocs cache sync
• 5b679ac: The createRouter and its related types has been marked as deprecared. This backend should instead be initialized using the new backend system.
• d425fc4: Modules, plugins, and services are now BackendFeature, not a function that returns a feature.
• c2b63ab: Updated dependency supertest to ^7.0.0.
• 5edd344: Refactor to use injected catalog client in the new backend system
• Updated dependencies
  • @​backstage/backend-common@​0.25.0
  • @​backstage/plugin-techdocs-node@​1.12.11
  • @​backstage/backend-plugin-api@​1.0.0
  • @​backstage/catalog-model@​1.7.0
  • @​backstage/catalog-client@​1.7.0
  • @​backstage/plugin-search-backend-module-techdocs@​0.2.2
  • @​backstage/plugin-catalog-common@​1.1.0
  • @​backstage/plugin-catalog-node@​1.13.0
  • @​backstage/integration@​1.15.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/plugin-permission-common@​0.8.1
  • @​backstage/plugin-techdocs-common@​0.1.0

1.10.13-next.2

Patch Changes

• c2b63ab: Updated dependency supertest to ^7.0.0.
• Updated dependencies
  • @​backstage/backend-common@​0.25.0-next.2
  • @​backstage/backend-plugin-api@​1.0.0-next.2
  • @​backstage/catalog-client@​1.7.0-next.1
  • @​backstage/plugin-techdocs-node@​1.12.11-next.2
  • @​backstage/integration@​1.15.0-next.0
  • @​backstage/catalog-model@​1.6.0
  • @​backstage/config@​1.2.0
  • @​backstage/errors@​1.2.4
  • @​backstage/plugin-catalog-common@​1.0.26
  • @​backstage/plugin-catalog-node@​1.12.7-next.2
  • @​backstage/plugin-permission-common@​0.8.1
  • @​backstage/plugin-search-backend-module-techdocs@​0.2.2-next.2
  • @​backstage/plugin-techdocs-common@​0.1.0

1.10.13-next.1

Patch Changes

• 5edd344: Refactor to use injected catalog client in the new backend system
• Updated dependencies

... (truncated)

Commits

• See full diff in compare view

Updates express from 4.19.2 to 4.20.0

Release notes

Sourced from express's releases.

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639
• add support Node.js@22 in the CI by @​mertcanaltin in expressjs/express#5627
• doc: add table of contents, tc/triager lists to readme by @​mertcanaltin in expressjs/express#5619
• List and sort all projects, add captains by @​blakeembrey in expressjs/express#5653
• docs: add @​UlisesGascon as captain for cookie-parser by @​UlisesGascon in expressjs/express#5666
• ✨ bring back query tests for node 21 by @​ctcpip in expressjs/express#5690
• [v4] Deprecate res.clearCookie accepting options.maxAge and options.expires by @​jonchurch in expressjs/express#5672
• skip QUERY tests for Node 21 only, still not supported by @​jonchurch in expressjs/express#5695
• 📝 update people, add ctcpip to TC by @​ctcpip in expressjs/express#5683
• remove minor version pinning from ci by @​jonchurch in expressjs/express#5722
• Fix link variable use in attribution section of CODE OF CONDUCT by @​IamLizu in expressjs/express#5762
• Replace Appveyor windows testing with GHA by @​jonchurch in expressjs/express#5599
• Add OSSF Scorecard badge by @​UlisesGascon in expressjs/express#5436
• update scorecard link by @​bjohansebas in expressjs/express#5814
• Nominate @​IamLizu to the triage team by @​UlisesGascon in expressjs/express#5836
• deps: [email protected] by @​blakeembrey in expressjs/express#5603
• docs: specify new instructions for question and discuss by @​IamLizu in expressjs/express#5835
• 4.x: Upgrade merge-descriptors dependency by @​RobinTail in expressjs/express#5781
• [email protected] by @​blakeembrey in expressjs/express#5902

New Contributors

• @​marco-ippolito made their first contribution in expressjs/express#5565
• @​inigomarquinez made their first contribution in expressjs/express#5590
• @​mertcanaltin made their first contribution in expressjs/express#5627
• @​ctcpip made their first contribution in expressjs/express#5690
• @​bjohansebas made their first contribution in expressjs/express#5814

Full Changelog: expressjs/express@4.19.1...4.20.0

Changelog

Sourced from express's changelog.

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

• 21df421 4.20.0
• 4c9ddc1 feat: upgrade to [email protected]
• 9ebe5d5 feat: upgrade to [email protected] (#5928)
• ec4a01b feat: upgrade to [email protected] (#5926)
• 54271f6 fix: don't render redirect values in anchor href
• 125bb74 [email protected] (#5902)
• 2a980ad [email protected] (#5781)
• a3e7e05 docs: specify new instructions for question and discuss
• c5addb9 deps: [email protected] (#5603)
• e35380a docs: add @​IamLizu to the triage team (#5836)
• Additional commits viewable in compare view

Updates axios from 0.21.4 to 0.27.2

Release notes

Sourced from axios's releases.

v0.27.2

Fixes and Functionality:

• Fixed FormData posting in browser environment by reverting #3785 (#4640)
• Enhanced protocol parsing implementation (#4639)
• Fixed bundle size

v0.27.1

Fixes and Functionality:

• Removed import of url module in browser build due to huge size overhead and builds being broken (#4594)
• Bumped follow-redirects to ^1.14.9 (#4615)

v0.27.0

Breaking changes:

• New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData (#3757)
• Removed functionality that removed the the Content-Type request header when passing FormData (#3785)
• (*) Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole (#3645)
• Separated responsibility for FormData instantiation between transformRequest and toFormData (#4470)
• (*) Improved and fixed multiple issues with FormData support (#4448)

QOL and DevX improvements:

• Added a multipart/form-data testing playground allowing contributors to debug changes easily (#4465)

Fixes and Functionality:

• Refactored project file structure to avoid circular imports (#4515) & (#4516)
• Bumped follow-redirects to ^1.14.9 (#4562)

Internal and Tests:

• Updated dev dependencies to latest version

Documentation:

• Fixing incorrect link in changelog (#4551)

Notes:

• (*) Please read these pull requests before updating, these changes are very impactful and far reaching.

v0.26.1

Fixes and Functionality:

• Refactored project file structure to avoid circular imports (#4220)

v0.26.0

Fixes and Functionality:

• Fixed The timeoutErrorMessage property in config not work with Node.js (#3581)
• Added errors to be displayed when the query parsing process itself fails (#3961)
• Fix/remove url required (#4426)
• Update follow-redirects dependency due to Vulnerability (#4462)
• Bump karma from 6.3.11 to 6.3.14 (#4461)
• Bump follow-redirects from 1.14.7 to 1.14.8 (#4473)

v0.25.0

Breaking changes:

... (truncated)

Changelog

Sourced from axios's changelog.

0.27.2 (April 27, 2022)

Fixes and Functionality:

• Fixed FormData posting in browser environment by reverting #3785 (#4640)
• Enhanced protocol parsing implementation (#4639)
• Fixed bundle size

0.27.1 (April 26, 2022)

Fixes and Functionality:

• Removed import of url module in browser build due to huge size overhead and builds being broken (#4594)
• Bumped follow-redirects to ^1.14.9 (#4615)

0.27.0 (April 25, 2022)

Breaking changes:

• New toFormData helper function that allows the implementor to pass an object and allow axios to convert it to FormData (#3757)
• Removed functionality that removed the the Content-Type request header when passing FormData (#3785)
• (*) Refactored error handling implementing AxiosError as a constructor, this is a large change to error handling on the whole (#3645)
• Separated responsibility for FormData instantiation between transformRequest and toFormData (#4470)
• (*) Improved and fixed multiple issues with FormData support (#4448)

QOL and DevX improvements:

• Added a multipart/form-data testing playground allowing contributors to debug changes easily (#4465)

Fixes and Functionality:

• Refactored project file structure to avoid circular imports (#4515) & (#4516)
• Bumped follow-redirects to ^1.14.9 (#4562)

Internal and Tests:

• Updated dev dependencies to latest version

Documentation:

• Fixing incorrect link in changelog (#4551)

Notes:

• (*) Please read these pull requests before updating, these changes are very impactful and far reaching.

0.26.1 (March 9, 2022)

Fixes and Functionality:

• Refactored project file structure to avoid circular imports (#4220)

0.26.0 (February 13, 2022)

Fixes and Functionality:

• Fixed The timeoutErrorMessage property in config not work with Node.js (#3581)
• Added errors to be displayed when the query parsing process itself fails (#3961)
• Fix/remove url required (#4426)
• Update follow-redirects dependency due to Vulnerability (#4462)

... (truncated)

Commits

• bc733fe Releasing v0.27.2
• b9e9fb4 Enhanced protocol parsing implementation to fix #4633; (#4639)
• 76432c1 Fixed FormData posting in browser environment by reverting #3785; (#4640)
• 82fd15f Combined build process and cleaned it up a bit
• 1d82af1 Fixing issues with bundle sizes
• bcb166e Fixed incorrect date in changelog
• 838f53b Merge branch 'master' of github.com:axios/axios
• cb9c534 Releasing v0.27.1
• 91d21fc Releasing v0.72.1
• 167cb8b Remove eslint-g package as this seems have been added in error
• Additional commits viewable in compare view

Updates body-parser from 1.20.2 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to [email protected] by @​wesleytodd in expressjs/body-parser#527
• deps: [email protected] by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: [email protected] (#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates dompurify from 2.4.7 to 2.5.7

Release notes

Sourced from dompurify's releases.

DOMPurify 2.5.7

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa

DOMPurify 2.5.6

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Updated several development dependencies

DOMPurify 2.5.5

• Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
• Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

DOMPurify 2.5.4

• Fixed a bug with latest isNaN checks affecting MSIE, thanks @​tulach
• Fixed the tests for MSIE and fixed related test-runner

DOMPurify 2.5.3

• Fixed several mXSS variations found by and thanks to @​kevin-mizu & @​Ry0taK
• Added better configurability for comment scrubbing default behavior
• Added better hardening against Prototype Pollution attacks, thanks @​kevin-mizu
• Fixed some smaller issues in README and other documentation

DOMPurify 2.5.2

• Addressed and fixed a mXSS variation found by @​kevin-mizu
• Addressed and fixed a mXSS variation found by Adam Kues of Assetnote
• Updated tests for older Safari and Chrome versions

DOMPurify 2.5.1

• Fixed an mXSS sanitizer bypass reported by @​icesfont
• Added new code to track element nesting depth
• Added new code to enforce a maximum nesting depth of 255
• Added coverage tests and necessary clobbering protections

Note that this is a security release and should be upgraded to immediately. Please also note that further releases may follow as the underlying vulnerability is apparently new and further variations may be discovered.

DOMPurify 2.5.0

• Added new setting SAFE_FOR_XML to enable better control over comment scrubbing
• Updated the LICENSE file to show the accurate year number
• Updated several build and test dependencies

DOMPurify 2.4.9

• Fixed another conditional bypass caused by Processing Instructions, thanks @​Ry0taK
• Fixed the regex for HTML Custom Element detection, thanks @​AlekseySolovey3T

DOMPurify 2.4.8

• Fixed two possible bypasses when sanitizing an XML document and later using it in HTML, thanks @​Slonser

Commits

• 71683cb chore: Preparing 2.5.7 release
• d78f241 chore: Preparing 2.5.6 release
• 38e8410 fix: Added changes to 2.x regarding attribute value checks
• 9a7cd98 See #961
• de2545c chore: Preparing 2.5.5 release
• f1e27e6 chore: Also removed depth counter logic from 2.x branch for now
• 10c1261 docs: Updated README ever so slightly
• 1c92880 test: Fixed two more tests for MSIE11 and Edge 18
• 1401208 test: Fixed more tests for MSIE and Edge 18
• 2c6410a test: Fixed several new tests for MSIE11 and Edge 18
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates path-to-regexp from 0.1.7 to 0.1.10

Release notes

Sourced from path-to-regexp's releases.

Backtrack protection

Fixed

• Add backtrack protection to parameters 29b96b4
  • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

• Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

• Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

• c827fce 0.1.10
• 29b96b4 Add backtrack protection to parameters
• ac4c234 Update repo url (#314)
• bdb6635 0.1.9
• c4272e4 Allow a non-lookahead regex (#312)
• 51a1955 0.1.8
• 114f62d Add support for named matching groups (#301)
• See full diff in compare view

Updates rollup from 2.79.1 to 2.79.2

Changelog

Sourced from rollup's changelog.

rollup changelog

4.23.0

2024-10-01

Features

• Collect all emitted names and originalFileNames for assets (#5686)

Pull Requests

• #5686: Add names and originalFileNames to assets (@​lukastaegert)

4.22.5

2024-09-27

Bug Fixes

• Allow parsing of certain unicode characters again (#5674)

Pull Requests

• #5674: Fix panic with unicode characters (@​sapphi-red, @​lukastaegert)
• #5675: chore(deps): update dependency rollup to v4.22.4 [security] (@​renovate[bot])
• #5680: chore(deps): update dependency @​rollup/plugin-commonjs to v28 (@​renovate[bot], @​lukastaegert)
• #5681: chore(deps): update dependency @​rollup/plugin-replace to v6 (@​renovate[bot])
• #5682: chore(deps): update dependency @​rollup/plugin-typescript to v12 (@​renovate[bot])
• #5684: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])

4.22.4

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5670: refactor: Use object.prototype to check for reserved properties (@​YuHyeonWook)
• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.3

2024-09-21

Bug Fixes

... (truncated)

Commits

• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• See full diff in compare view

Updates serve-static from 1.15.0 to 1.16.0

Release notes

Sourced from serve-static's releases.

1.16.0

What's Changed

• Remove link renderization in html while redirecting (expressjs/serve-static#173)

New Contributors

• @​UlisesGascon made their first contribution in expressjs/serve-static#173

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

Changelog

Sourced from serve-static's changelog.

1.16.0 / 2024-09-10

• Remove link renderization in html while redirecting

Commits

• 48c7397 1.16.0
• 0c11fad Merge commit from fork
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.

Updates webpack from 5.94.0 to 5.95.0

Release notes

Sourced from webpack's releases.

v5.95.0

Bug Fixes

• Fixed hanging when attempting to read a symlink-like file that it can't read
• Handle default for import context element dependency
• Merge duplicate chunks call after split chunks
• Generate correctly code for dynamically importing the same file twice and destructuring
• Use content hash as [base] and [name] for extracted DataURI's
• Distinguish module and import in module-import for externals import's
• [Types] Make EnvironmentPlugin default values types less strict
• [Types] Typescript 5.6 compatibility

New Features

• Add new optimization.avoidEntryIife option (true by default for the production mode)
• Pass output.hash* options to loader context

Performance

• Avoid unneeded re-visit in build chunk graph

Commits

• e20fd63 chore(release): 5.95.0
• 4866b0d feat: added new optimization.entryIife option
• d90f692 fix: merge duplicate chunks after split chunks
• 90dec30 fix(externals): distinguish “module” and “import” in “module-import”
• c1a0a46 fix(externals): distinguish “module” and “import” in “module-import”
• 14d8fa8 fix: all tests cases
• dae16ad feat: pass output.hash* options to loader context
• 75d185d feat: pass output.hash* options to loader context
• 46e0b9c test: update
• 8e62f9f test
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge t...

Description has been truncated