chore(deps): bump the production-dependencies group across 1 directory with 3 updates

[dependabot]

Bumps the production-dependencies group with 3 updates in the / directory: express, express-rate-limit and redis.

Updates express from 4.22.1 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @​UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @​dependabot[bot] in expressjs/express#6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @​Ayoub-Mabrouk in expressjs/express#6137
• increased code coverage of utils.js file by @​ashish3011 in expressjs/express#6386
• chore: remove duplicate word by @​dufucun in expressjs/express#6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @​dependabot[bot] in expressjs/express#6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/express#6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/express#6496
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6504
• ci: update codeql config by @​Phillip9587 in expressjs/express#6488
• chore: wider range for query test skip by @​jonchurch in expressjs/express#6512
• chore: fix typos in test by @​noritaka1166 in expressjs/express#6535
• ci: disable credential persistence for checkout actions by @​mertssmnoglu in expressjs/express#6522
• ci: allow manual triggering of workflow by @​shivarm in expressjs/express#6515
• test: add coverage for app.listen() variants by @​kgarg1 in expressjs/express#6476
• docs: move documentation and charters to the discussions and .github … by @​bjohansebas in expressjs/express#6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/express#6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/express#6548
• chore: enforce explicit Buffer import and add lint rule by @​shivarm in expressjs/express#6525
• chore: use node protocol for querystring by @​shivarm in expressjs/express#6520
• chore: fix typo by @​mountdisk in expressjs/express#6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/express#6618
• add deprecation warnings for redirect arguments undefined by @​bjohansebas in expressjs/express#6405
• ci: run CI when the markdown changes by @​bjohansebas in expressjs/express#6632
• doc: fix CONTRIBUTING link by @​jonchurch in expressjs/express#6653
• doc: update contributing guidelines and code of conduct links by @​ShubhamOulkar in expressjs/express#6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @​dependabot[bot] in expressjs/express#6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @​dependabot[bot] in expressjs/express#6678
• lint: add --fix flag to automatic fix linting issue by @​shivarm in expressjs/express#6644
• chore: ignore yarn.lock file and update example by @​shivarm in expressjs/express#6588
• lib: use req.socket over deprecated req.connection by @​bjohansebas in expressjs/express#6705
• doc: update express app example by @​shivarm in expressjs/express#6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/express#6675
• Remove history.md from being packaged on publish by @​sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0

... (truncated)

Commits

• dbac741 5.2.1
• 697547c Revert "sec: security patch for CVE-2024-51999"
• 4007ad1 Release: 5.2.0 (#6920)
• 2f64f68 sec: security patch for CVE-2024-51999
• ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
• 8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
• 30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
• 758d435 deps: body-parser@^2.2.1 (#6922)
• 77bcd52 docs: update emeritus triagers (#6890)
• f33caf1 Nominate to @​efekrskl for triage team (#6888)
• Additional commits viewable in compare view

Updates express-rate-limit from 8.3.2 to 8.4.0

Release notes

Sourced from express-rate-limit's releases.

v8.4.0

You can view the changelog here.

Commits

• f3b7929 8.4.0
• 789e4cb docs: logger option & v8.4.0 changelog
• 86eca43 test: bump request timeout from 10ms to 50ms in flakey skipFailedRequests test
• 2bb343c resolve Jest timeout for server-based tests (#617)
• See full diff in compare view

Updates redis from 5.11.0 to 5.12.1

Release notes

Sourced from redis's releases.

redis@5.12.0

✨ What's Changed

🚀 Features

• feat: expose sendCommand on multi for all clients by @​nkaradzhov in redis/node-redis#3181
• feat(sentinel): add sSubscribe/sUnsubscribe methods to Sentinel client by @​nkaradzhov in redis/node-redis#3178

🐛 Fixes

• fix(search): correct INDEXMISSING placement by @​nkaradzhov in redis/node-redis#3179
• Pool fixes by @​nkaradzhov in redis/node-redis#3182
• fix(search): use @redis/client dist imports in CREATE command by @​PavelPashov in redis/node-redis#3187
• fix(sentinel): preserve root seeds for outage recovery by @​nkaradzhov in redis/node-redis#3188
• fix: fallthrough bug in transformDoubleReply by @​rhymincymon in redis/node-redis#3213

🔭 Observability (OTEL + Diagnostics)

Node Redis now ships with first-class observability via OpenTelemetry metrics and Node.js diagnostics_channel. Initialize OpenTelemetry before creating clients (OpenTelemetry.init({ metrics: { enabled: true } })) and you can plug Redis client telemetry into your existing OTel SDK/exporter pipeline.

This enables visibility into command latency, connection lifecycle, resiliency/errors, Pub/Sub traffic, streaming behavior, and client-side caching activity. On top of metrics, diagnostics channels provide a more abstract, higher-level way to track runtime behavior through low-overhead event streams (commands, batches, connection events, maintenance notifications, pub/sub, cache, and pool wait timing), so APM tools or custom subscribers can observe the system without changing application code.

• add OpenTelemetry metrics instrumentation by @​PavelPashov in redis/node-redis#3110
• feat: implement diagnostic channels for observability by @​logaretm in redis/node-redis#3195

🧪 Tests & CI

• test(scho oss): add smigrating checks for new connections by @​nkaradzhov in redis/node-redis#3186
• Add self-report metrics step to CI workflow by @​bobymicroby in redis/node-redis#3199
• Add run tests action by @​dariaguy in redis/node-redis#3221

📚 Docs

• improve sentinel docs by @​cutiepoka in redis/node-redis#3189
• docs: clarify DUMP/RESTORE binary payload usage by @​nkaradzhov in redis/node-redis#3201
• fix(docs): configure typedoc entry points for monorepo by @​nkaradzhov in redis/node-redis#3220

🙌 New Contributors

• @​cutiepoka made their first contribution in redis/node-redis#3189
• @​rhymincymon made their first contribution in redis/node-redis#3213
• @​logaretm made their first contribution in redis/node-redis#3195
• @​dariaguy made their first contribution in redis/node-redis#3221

Full Changelog: https://github.com/redis/node-redis/compare/redis@5.11.0...redis@5.12.0

Commits

• 5cdad1b Release redis@5.12.1
• 6a44726 Release entraid@5.12.1
• 9f930f9 Release time-series@5.12.1
• de70920 Release search@5.12.1
• 9e7767c Release json@5.12.1
• 02cfd5a Release bloom@5.12.1
• 838c28d Release client@5.12.1
• 789d6d5 fix: decouple OTel public types from @​opentelemetry/api (#3228)
• 07aff33 Release redis@5.12.0
• b91d88f Release entraid@5.12.0
• Additional commits viewable in compare view

[salishforge]

@dependabot rebase

[salishforge]

@dependabot rebase