Skip to content

deps(deps): bump the production-dependencies group with 6 updates #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

deps(deps): bump the production-dependencies group with 6 updates #11

wants to merge 1 commit into from
+428 −270

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Oct 13, 2025
edited
Loading

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

Bumps the production-dependencies group with 6 updates:

Package From To
bcryptjs 2.4.3 3.0.2
express 4.21.2 5.1.0
express-rate-limit 7.5.1 8.1.0
helmet 7.2.0 8.1.0
joi 17.13.3 18.0.1
nano 10.1.4 11.0.2

Updates bcryptjs from 2.4.3 to 3.0.2

Release notes

Sourced from bcryptjs's releases.

v3.0.2

Bug fixes

  • Use upstream fix to emit interop helpers (28e510389374f5736c447395443d4a6687325048)

v3.0.1

Bug fixes

  • Separate ESM and UMD type definitions (e7055caf0c723cbcf8bc3f0784b8c30ee332380f)

v3.0.0

Breaking changes

  • Modernize project structure (2f45985738604c743c4b8cc8464e3e7d3e04c73d) The project now exports an ECMAScript module by default, albeit with an UMD fallback, ships with types, the dist/ directory no longer exists in version control, and Closure Compiler externs have been removed.
  • Generate 2b hashes by default (d36bfb42fa642b6d6986a84ce106a7110e5824db) This library was not affected by the bug that led to incrementing the bcrypt version from 2a to 2b, but nowadays most implementations use 2b, including the native bcrypt binding, so this change aligns with them. Existing hashes will continue to work, but test logic that generates hashes and compares them literally might need to be updated to account for the new default.

Features

  • Add helper to check for password input length (d5656b39e2e368c87724a312e4e454456a4e5d1b)

Other

  • Update publish workflow (2a9bea9e276e6be04dbd403f9695937788b3b10a)
  • Add note on using the ESM variant in the browser (e09eb9afb14170069aaea19631b763307ee7b480)
  • Update types (58333a1533dd53838e2697628f84b98d54a5c079)
  • Merge lint and test workflows (2e3b17659e8856696acfe3015631ce2989eb3084)
  • Fix tests (ec02e8a0ada7a8f6c71a91df164db8c25bbbb7b4)
  • Update legacy fallback to handle crypto dependency (9db275fa10b1b40da4a6844480d7f8ae8df27fb8)
  • Update lint workflow title (ac70ac57c2f99ad5639eddf54578e5fdd07b9c4c)
  • Adapt crypto module usage for ESM environments (574d690d4972bcebbd5ca07880a62abab9ae3c0b)
  • Format with prettier (e7465479282d8155852ce88d6407eccb14adc106)
  • Rename default branch to 'main' (548559d032d7dd5ac3e4e16d7afd87b36ebe96ca)
  • Update description to mention TypeScript support (4977df0849eaf8cad5b0d0b543fe452432a2d761)
  • Add stale action for issues and PRs (a84d4e45487df0972d8781feafa477d5db4c1dbd)
  • Fix typo (c8c9c01799bbc13092fcbb20cfab4d9015d14c61)
  • Fix Node.js version in CI (1b54cc48d4120b50e1d9058e5a67f326102fd744)

Backlog from v2

  • Added externs to .npmignore (#124) (7e2e93af99df2952253f9cf32db29aefa8f272f7) The npm package does not need externs as it is needed only for closure compiler. Added it in .npmignore since bcryptjs overrides global module and process in WebStorm IDE.
  • Make sure the bin script uses LF (684fac6814a81d974c805a15e22fd69922c7ca6e)
  • Post-merge; Clean up a bit (b09f7f266a7015456b7b36deeb026dc636f64542)
  • Improve safeStringCompare using xor (#77) (648482a5395bef074ad34e52759fede957a89397)
  • Added bin entry (49a1d1ab46d22ac02659cb787ded08d644f79cb5)
Commits
  • 28e5103 fix: Use upstream fix to emit interop helpers
  • e7055ca fix: Separate ESM and UMD type definitions
  • 2a9bea9 Update publish workflow
  • d5656b3 Add helper to check for password input length
  • e09eb9a Add note on using the ESM variant in the browser
  • 58333a1 Update types
  • 2e3b176 Merge lint and test workflows
  • ec02e8a Fix tests
  • 9db275f Update legacy fallback to handle crypto dependency
  • ac70ac5 Update lint workflow title
  • Additional commits viewable in compare view

Updates express from 4.21.2 to 5.1.0

Release notes

Sourced from express's releases.

v5.1.0

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0
    • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
  • change:
    • res.clearCookie will ignore user provided maxAge and expires options
  • deps: cookie-signature@^1.2.1
  • deps: debug@4.3.6
  • deps: merge-descriptors@^2.0.0
  • deps: serve-static@^2.1.0
  • deps: qs@6.13.0
  • deps: accepts@^2.0.0
  • deps: mime-types@^3.0.0
    • application/javascript => text/javascript
  • deps: type-is@^2.0.0
  • deps: content-disposition@^1.0.0

... (truncated)

Commits

Updates express-rate-limit from 7.5.1 to 8.1.0

Release notes

Sourced from express-rate-limit's releases.

v8.1.0

You can view the changelog here.

v8.0.1

You can view the changelog here.

v8.0.0

You can view the changelog here.

Commits
  • 6061935 8.1.0
  • 2f2ed4d Add validation check for Forwarded header (#549)
  • d0e7c85 chore(deps-dev): bump the all group across 1 directory with 5 updates (#554)
  • 66aa1b0 test: check for renamed Request in types (#543)
  • 658c201 Document windowMs limit for MemoryStore and warn on invalid values (#550)
  • aa3b291 fix: include RateLimit-Reset header when resetSeconds is 0 (#553)
  • 1eca1a4 Update CI workflow to include pull_request trigger
  • ec8a6f9 chore: migrate biome config for current version
  • 207100e chore(deps-dev): bump the all group with 4 updates (#548)
  • 471076d chore(deps-dev): bump the all group with 4 updates (#547)
  • Additional commits viewable in compare view

Updates helmet from 7.2.0 to 8.1.0

Changelog

Sourced from helmet's changelog.

8.1.0 - 2025-03-17

Changed

  • Content-Security-Policy gives a better error when a directive value, like self, should be quoted. See #482

8.0.0 - 2024-09-28

Changed

  • Breaking: Strict-Transport-Security now has a max-age of 365 days, up from 180
  • Breaking: Content-Security-Policy middleware now throws an error if a directive should have quotes but does not, such as self instead of 'self'. See #454
  • Breaking: Content-Security-Policy's getDefaultDirectives now returns a deep copy. This only affects users who were mutating the result
  • Breaking: Strict-Transport-Security now throws an error when "includeSubDomains" option is misspelled. This was previously a warning

Removed

  • Breaking: Drop support for Node 16 and 17. Node 18+ is now required
Commits
  • 57e1b39 8.1.0
  • c8efbe3 Update changelog for 8.1.0 release
  • 3396804 Add 8.0.0 release date to changelog
  • 52dd8eb Content-Security-Policy: better error when value should be quoted
  • 4af4777 Use built-in test runner (instead of Jest)
  • ba10272 Organize imports
  • e0f1387 Update devDependencies to latest versions
  • 842393c Check types during npm test, run in parallel
  • 77fbe3a Strict-Transport-Security: fix documentation for default max-age
  • 632e629 Update license year for 2025
  • Additional commits viewable in compare view

Updates joi from 17.13.3 to 18.0.1

Commits

Updates nano from 10.1.4 to 11.0.2

Release notes

Sourced from nano's releases.

11.0.2

Added headers to TypeScript definition of the object that can be supplied when instantiating Nano.

11.0.1

Fix up response object so that Bun (and Node) users get sensible error messages. Thanks @​digitalextremist

11.0.0

  • Replaces axios with the Node.js's built-in fetch for HTTP requests. 🕸️
  • Replaces nock and jest with Node.js's build in testing framework. 🧪
  • Removes support for callbacks. 📞
  • Nano becomes a zero-dependency library. 👏
  • Desiged for Node.js 20 and above (if you are still running older versions of Node then stick with Nano 10)

The vast majority of the API stays the same but there are some breaking changes. See Nano v10 to v11 Migration Guide.

Some background.

fetch

Originally Nano was built on top of the request library which was later deprecated. At this point I reworked it to use axios instead. This PR eliminates axios and other axios-related dependencies and instead uses the new kid on the block: the fetch API.

The fetch feature has found widespread adoption in web browsers as a means of handling outbound HTTP requests. It has found its way into Node.js as a global function and is marked as an experimental feature in Node 18/19 and is mainstream in Node 20 and beyond.

Node.js's fetch capability is powered by the undici package which is bundled with Node.js and in turn uses Node's low-level network libraries instead of being based on the higher-level http/https built-in modules. It purports to be significantly faster (according to its own benchmarks) than traffic routed through http/https modules, as is the case with other HTTP libraries like axios & request.

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
deps(deps): bump the production-dependencies group with 6 updates
095e962 
Bumps the production-dependencies group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [bcryptjs](https://github.com/dcodeIO/bcrypt.js) | `2.4.3` | `3.0.2` |
| [express](https://github.com/expressjs/express) | `4.21.2` | `5.1.0` |
| [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `7.5.1` | `8.1.0` |
| [helmet](https://github.com/helmetjs/helmet) | `7.2.0` | `8.1.0` |
| [joi](https://github.com/hapijs/joi) | `17.13.3` | `18.0.1` |
| [nano](https://github.com/apache/couchdb-nano) | `10.1.4` | `11.0.2` |


Updates `bcryptjs` from 2.4.3 to 3.0.2
- [Release notes](https://github.com/dcodeIO/bcrypt.js/releases)
- [Commits](dcodeIO/bcrypt.js@2.4.3...v3.0.2)

Updates `express` from 4.21.2 to 5.1.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.21.2...v5.1.0)

Updates `express-rate-limit` from 7.5.1 to 8.1.0
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v7.5.1...v8.1.0)

Updates `helmet` from 7.2.0 to 8.1.0
- [Changelog](https://github.com/helmetjs/helmet/blob/main/CHANGELOG.md)
- [Commits](helmetjs/helmet@v7.2.0...v8.1.0)

Updates `joi` from 17.13.3 to 18.0.1
- [Commits](hapijs/joi@v17.13.3...v18.0.1)

Updates `nano` from 10.1.4 to 11.0.2
- [Release notes](https://github.com/apache/couchdb-nano/releases)
- [Commits](apache/couchdb-nano@v10.1.4...v11.0.2)

---
updated-dependencies:
- dependency-name: bcryptjs
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: express
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: express-rate-limit
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: helmet
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: joi
  dependency-version: 18.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: nano
  dependency-version: 11.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Oct 13, 2025

Assignees

The following users could not be added as assignees: notefinity-app. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants