build(deps): bump the core-runtime group with 5 updates

[dependabot]

Bumps the core-runtime group with 5 updates:

Package	From	To
axios	1.7.2	1.13.2
express	4.19.2	4.22.1
http-proxy-middleware	3.0.3	3.0.5
react-router-dom	6.24.1	6.30.3
styled-components	6.1.11	6.3.6

Updates axios from 1.7.2 to 1.13.2

Release notes

Sourced from axios's releases.

Release v1.13.2

Release notes:

Bug Fixes

• http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
• http: use default export for http2 module to support stubs; (#7196) (0588880)

Performance Improvements

• http: fix early loop exit; (#7202) (12c314b)

Contributors to this release

• Dmitriy Mozgovoy
• Kasper Isager Dalsgarð

Release v1.13.1

Release notes:

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

Release v1.13.0

Release notes:

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
• resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

• http: add HTTP2 support; (#7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge
• Anchal Singh
• Rahul Kumar
• Amit Verma

... (truncated)

Changelog

Sourced from axios's changelog.

1.13.2 (2025-11-04)

Bug Fixes

• http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
• http: use default export for http2 module to support stubs; (#7196) (0588880)

Performance Improvements

• http: fix early loop exit; (#7202) (12c314b)

Contributors to this release

• Dmitriy Mozgovoy
• Kasper Isager Dalsgarð

1.13.1 (2025-10-28)

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

1.13.0 (2025-10-27)

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
• resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

• http: add HTTP2 support; (#7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge

... (truncated)

Commits

• 08b84b5 chore(release): v1.13.2 (#7207)
• 8d37233 fix(http): fix 'socket hang up' bug for keep-alive requests when using timeou...
• 12c314b perf(http): fix early loop exit; (#7202)
• f6d79e7 chore(sponsor): update sponsor block (#7203)
• 0588880 fix(http): use default export for http2 module to support stubs; (#7196)
• 1ef8e72 chore(release): v1.13.1 (#7194)
• bcd5581 fix(http): fixed a regression that caused the data stream to be interrupted f...
• c9b3371 chore: enhance styling and responsiveness in client.html (#7173)
• 9ead04d [Release] v1.13.0 (#7189)
• d000fbf fix(http2): fix possible race condition when handling http2 stream on almost ...
• Additional commits viewable in compare view

Updates express from 4.19.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates http-proxy-middleware from 3.0.3 to 3.0.5

Release notes

Sourced from http-proxy-middleware's releases.

v3.0.5

What's Changed

• fix(fixRequestBody): check readableLength by @​chimurai in chimurai/http-proxy-middleware#1096
• chore(package): v3.0.5 by @​chimurai in chimurai/http-proxy-middleware#1098

Full Changelog: chimurai/http-proxy-middleware@v3.0.4...v3.0.5

v3.0.4

What's Changed

• chore(package): bump dev dependencies by @​chimurai in chimurai/http-proxy-middleware#1045
• chore(package): update yarn.lock by @​chimurai in chimurai/http-proxy-middleware#1046
• docs(readme): fix example code syntax error by @​17hz in chimurai/http-proxy-middleware#1014
• chore(package): bump express to v4.21.1 by @​chimurai in chimurai/http-proxy-middleware#1047
• chore(examples): update yarn.lock by @​chimurai in chimurai/http-proxy-middleware#1048
• chore(package): bump dev deps by @​chimurai in chimurai/http-proxy-middleware#1059
• chore(package): bump dev dependencies by @​chimurai in chimurai/http-proxy-middleware#1060
• chore(package): bump dev dependencies by @​chimurai in chimurai/http-proxy-middleware#1074
• ci(github-actions): pipeline improvements by @​chimurai in chimurai/http-proxy-middleware#1082
• feat(types): export Plugin type by @​oktapodia in chimurai/http-proxy-middleware#1071
• fix(fixRequestBody): support multipart/form-data by @​JS-mark in chimurai/http-proxy-middleware#896
• chore(package.json): bump dev deps by @​chimurai in chimurai/http-proxy-middleware#1083
• ci(package): patch http-proxy by @​chimurai in chimurai/http-proxy-middleware#1084
• ci(pkg-pr-new): publish package for testing purposes by @​chimurai in chimurai/http-proxy-middleware#1085
• build(patch-package): run patch-package in 'development' only by @​chimurai in chimurai/http-proxy-middleware#1086
• chore(examples): update next deps by @​chimurai in chimurai/http-proxy-middleware#1087
• ci(github-actions): update spellcheck config by @​chimurai in chimurai/http-proxy-middleware#1088
• fix(websocket): handle errors in handleUpgrade by @​nwalters512 in chimurai/http-proxy-middleware#823
• fix(fixRequestBody): prevent multiple .write() calls by @​chimurai in chimurai/http-proxy-middleware#1089
• fix(fixRequestBody): handle invalid request by @​chimurai in chimurai/http-proxy-middleware#1092
• docs(CHANGELOG): update changelog by @​chimurai in chimurai/http-proxy-middleware#1093
• chore(package): v3.0.4 by @​chimurai in chimurai/http-proxy-middleware#1095

New Contributors

• @​17hz made their first contribution in chimurai/http-proxy-middleware#1014
• @​oktapodia made their first contribution in chimurai/http-proxy-middleware#1071
• @​JS-mark made their first contribution in chimurai/http-proxy-middleware#896
• @​nwalters512 made their first contribution in chimurai/http-proxy-middleware#823

Full Changelog: chimurai/http-proxy-middleware@v3.0.3...v3.0.4

Changelog

Sourced from http-proxy-middleware's changelog.

v3.0.5

• fix(fixRequestBody): check readableLength (#1096)

v3.0.4

• fix(fixRequestBody): handle invalid request (#1092)
• fix(fixRequestBody): prevent multiple .write() calls (#1089)
• fix(websocket): handle errors in handleUpgrade (#823)
• ci(package): patch http-proxy (#1084)
• fix(fixRequestBody): support multipart/form-data (#896)
• feat(types): export Plugin type (#1071)

Commits

• d3851ed chore(package): v3.0.5 (#1098)
• 1bdccbe fix(fixRequestBody): check readableLength (#1096)
• 01934d3 chore(package): v3.0.4 (#1095)
• 3364c0a docs(CHANGELOG): update changelog (#1093)
• bd3c124 fix(fixRequestBody): handle invalid request (#1092)
• 0209760 fix(fixRequestBody): prevent multiple .write() calls (#1089)
• fd0f568 fix(websocket): handle errors in handleUpgrade (#823)
• e94087e ci(github-actions): update spellcheck config (#1088)
• 397748a chore(examples): update next deps (#1087)
• 6fb6032 build(patch-package): run patch-package in 'development' only (#1086)
• Additional commits viewable in compare view

Updates react-router-dom from 6.24.1 to 6.30.3

Release notes

Sourced from react-router-dom's releases.

react-router-dom-v5-compat@6.4.0-pre.15

Patch Changes

• Updated dependencies
  • react-router@6.4.0-pre.15
  • react-router-dom@6.4.0-pre.15

Changelog

Sourced from react-router-dom's changelog.

v6.30.3

Date: 2026-01-07

Security Notice

This release addresses 1 security vulnerability:

• XSS via Open Redirects

Patch Changes

• Validate redirect locations (#14707)

Full Changelog: v6.30.2...v6.30.3

v6.30.2

Date: 2025-11-13

Security Notice

This release addresses 1 security vulnerability:

• Unexpected external redirect via untrusted paths

Patch Changes

• Normalize double-slashes in resolvePath (#14537)

Full Changelog: v6.30.1...v6.30.2

v6.30.1

Date: 2025-05-20

Patch Changes

• Partially revert optimization added in 6.29.0 to reduce calls to matchRoutes because it surfaced other issues (#13623)
• Stop logging invalid warning when v7_relativeSplatPath is set to false (#13502)

Full Changelog: v6.30.0...v6.30.1

v6.30.0

Date: 2025-02-27

Minor Changes

• Add fetcherKey as a parameter to patchRoutesOnNavigation (#13109)

... (truncated)

Commits

• c662ca3 chore: Update version for release (#14713)
• 98ad691 chore: Update version for release (pre-v6) (#14710)
• 26b5d45 chore: Update version for release (#14541)
• 919f8a8 chore: Update version for release (pre-v6) (#14540)
• 3f2400e chore: Update version for release (#13647)
• 25a264d chore: Update version for release (pre-v6) (#13638)
• e4ba522 chore: Update version for release (#13128)
• f0bc784 chore: Update version for release (pre-v6) (#13111)
• d9ed824 Fix up changelogs
• cc8b8ce chore: Update version for release (#12911)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for react-router-dom since your current version.

Updates styled-components from 6.1.11 to 6.3.6

Release notes

Sourced from styled-components's releases.

styled-components@6.3.6

Patch Changes

• 189bc17: Fix url() CSS function values being incorrectly stripped when using unquoted URLs containing // (e.g., url(https://example.com)). The // in protocol URLs like https://, http://, file://, and protocol-relative URLs was incorrectly being treated as a JavaScript-style line comment.

styled-components@6.3.5

Patch Changes

• 7ff7002: Fix: Line comments (//) in multiline CSS declarations no longer cause parsing errors (fixes #5613)

  JS-style line comments (//) placed after multiline declarations like calc() were not being properly stripped, causing CSS parsing issues. Comments are now correctly removed anywhere in the CSS while preserving valid syntax.

  Example that now works:

  const Box = styled.div`
    max-height: calc(100px + 200px + 300px); // This comment no longer breaks parsing
    background-color: green;
  `;

• 7ff7002: Fix: Contain invalid CSS syntax to just the affected line

  In styled-components v6, invalid CSS syntax (like unbalanced braces) could cause all subsequent styles to be ignored. This fix ensures that malformed CSS only affects the specific declaration, not subsequent valid styles.

  Example that now works:

  const Circle = styled.div`
    width: 100px;
    line-height: ${() => '14px}'}; // ⛔️ This malformed line is dropped
    background-color: green; // ✅ Now preserved (was ignored in v6)
  `;

styled-components@6.3.4

Patch Changes

• 8e8c282: Fixed createGlobalStyle to not use useLayoutEffect on the server, which was causing a warning and broken styles in v6.3.x. The check typeof React.useLayoutEffect === 'function' is not reliable for detecting server vs client environments in React 18+, so we now use the __SERVER__ build constant instead.

styled-components@6.3.3

Patch Changes

• 6e4d1e7: fix: suppress false "created dynamically" warnings in React Server Components

  The dynamic creation warning check now properly detects RSC environments and skips validation when IS_RSC is true. This eliminates false warnings for module-level styled components in server components, which were incorrectly flagged due to RSC's different module evaluation context. Module-level styled components in RSC files no longer trigger warnings since they cannot be created inside render functions by definition.

styled-components@6.3.2

Patch Changes

... (truncated)

Commits

• a1e3789 Version Packages (#5642)
• 189bc17 [WIP] Fix url() css function removal in styled-components (#5639)
• 816720a chore: remove discord
• f64f1fe Version Packages (#5636)
• 7ff7002 Fix syntax error in styled-components v6 handling (#5635)
• 68d12c9 Version Packages
• 8e8c282 fix: use SERVER build constant instead of useLayoutEffect check in create...
• b0831e8 Update contact information for reporting incidents
• d01de7b Version Packages
• 415e578 style: run formatter
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for styled-components since your current version.

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.