Bump the production-dependencies group across 1 directory with 2 updates #192

dependabot · 2025-04-04T05:29:24Z

Bumps the production-dependencies group with 2 updates in the /backend directory: express and @types/express.

Updates express from 4.21.2 to 5.1.0

Release notes

v5.1.0

What's Changed

Update captains by @UlisesGascon in expressjs/express#6027

build: Node.js 23.0 by @bjohansebas in expressjs/express#6075

Add funding field (v5) by @bjohansebas in expressjs/express#6064

✅ add discarded middleware test by @ctcpip in expressjs/express#5819

update homepage link http to https by @bjohansebas in expressjs/express#5920

Improve readme by @bjohansebas in expressjs/express#5994

Add bjohansebas as repo captain for expressjs.com by @crandmck in expressjs/express#6058

Remove Object.setPrototypeOf polyfill by @Phillip9587 in expressjs/express#6081

fix(buffer): use node:buffer instead of safe-buffer by @bhavya3024 in expressjs/express#6071

docs: Add DCO by @UlisesGascon in expressjs/express#6048

cleanup: remove promise support check from tests by @Phillip9587 in expressjs/express#6148

Use loop for acceptParams by @blakeembrey in expressjs/express#6066

Improve documentation step in release process by @bjohansebas in expressjs/express#6150

cleanup: remove unnecessary require for global Buffer by @Phillip9587 in expressjs/express#6146

cleanup: remove AsyncLocalStorage check by @Phillip9587 in expressjs/express#6147

update history.md for acceptParams change by @jonchurch in expressjs/express#6177

docs: add @rxmarbles to the triage team by @UlisesGascon in expressjs/express#6151

refactor: improve readability by @sazk07 in expressjs/express#6173

docs: clarify the security process in the triage role by @bjohansebas in expressjs/express#6217

chore: replace methods dependency with standard library by @jonkoops in expressjs/express#6196

Remove utils-merge dependency - use spread syntax instead by @Phillip9587 in expressjs/express#6091

fix(securite): fix vulnerabilities by @Abdel-Monaam-Aouini in expressjs/express#6211

refactor: prefix built-in node module imports by @slagiewka in expressjs/express#6236

fix: remove download size badges by @wesleytodd in expressjs/express#6266

Remove unused depd dependency by @jonkoops in expressjs/express#6197

fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @hamirmahal in expressjs/express#6256

Add support for OSSF scorecard reporting by @UlisesGascon in expressjs/express#5431

docs: add @Phillip9587 to the triage team by @bjohansebas in expressjs/express#6276

fix: added a missing semicolon in css styles in examples/auth by @pr4j3sh in expressjs/express#6297

docs: include team email in the security policy by @UlisesGascon in expressjs/express#6278

refactor: simplify normalizeTypes function by @Ayoub-Mabrouk in expressjs/express#6097

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6314

ci: fix npm install --include typo by @Phillip9587 in expressjs/express#6324

ci: updated scorecard actions by @Phillip9587 in expressjs/express#6322

build(deps): use carat notation for dependency versions by @dpopp07 in expressjs/express#6317

chore(deps): update debug to ^4.4.0 by @Phillip9587 in expressjs/express#6313

docs: retroactively note 5.0.0-beta.1 api change in history file by @dpopp07 in expressjs/express#6333

feat(deps): body-parser@^2.1.0 by @wesleytodd in expressjs/express#6332

feat(deps): router@^2.1.0 by @wesleytodd in expressjs/express#6331

Update repo captains by @UlisesGascon in expressjs/express#6234

deps: upgrade nyc by @agungjati in expressjs/express#6122

fix (deps): update deps by @wesleytodd in expressjs/express#6337

response: add support for ETag option in res.sendFile by @juanarbol in expressjs/express#6073

Update multiple links to use https instead of http by @Phillip9587 in expressjs/express#6338

Extend res.links() to allow adding multiple links with the same rel #2729 by @andvea in expressjs/express#4885

docs: update emeritus triagers by @UlisesGascon in expressjs/express#6345

docs: update guidance for triager nominations by @bjohansebas in expressjs/express#6349

docs: clarify guidelines for becoming a committer by @bjohansebas in expressjs/express#6364

... (truncated)

Changelog

Sourced from express's changelog.

5.1.0 / 2025-03-31

Add support for Uint8Array in res.send()

Add support for ETag option in res.sendFile()

Add support for multiple links with the same rel in res.links()

Add funding field to package.json

perf: use loop for acceptParams

refactor: prefix built-in node module imports

deps: remove setprototypeof

deps: remove safe-buffer

deps: remove utils-merge

deps: remove methods

deps: remove depd

deps: debug@^4.4.0

deps: body-parser@^2.2.0

deps: router@^2.2.0

deps: content-type@^1.0.5

deps: finalhandler@^2.1.0

deps: qs@^6.14.0

deps: [email protected]

deps: [email protected]

5.0.1 / 2024-10-08

Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

remove:

path-is-absolute dependency - use path.isAbsolute instead

breaking:

res.status() accepts only integers, and input must be greater than 99 and less than 1000

will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range

will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs

deps: [email protected]

res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.

change:

res.clearCookie will ignore user provided maxAge and expires options

deps: cookie-signature@^1.2.1

deps: [email protected]

deps: merge-descriptors@^2.0.0

deps: serve-static@^2.1.0

deps: [email protected]

deps: accepts@^2.0.0

deps: mime-types@^3.0.0

application/javascript => text/javascript

deps: type-is@^2.0.0

deps: content-disposition@^1.0.0

... (truncated)

Commits

cd7d439 5.1.0
4c4f3ea fix(deps): serve-static@^2.2.0 (#6418)
cb4c56e fix(docs): remove @mertcanaltin from Triagers (#6408)
7b44e1d ci: use full SHAs for github action versions
eb6d125 deps: router@^2.2.0 (#6417)
f1a2dc8 deps: type-is@^2.0.1 (#6420)
6b51e8e deps: body-parser@^2.2.0 (#6419)
1f311c5 build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 (#6399)
9e97144 feat(deps): [email protected] (#6373)
29d0980 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#6397)
Additional commits viewable in compare view

Updates @types/express from 4.17.21 to 5.0.1

Commits

See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

github-actions · 2025-04-04T05:29:44Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

npm/@types/express

5.0.1

🟢 6.9

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/@types/express-serve-static-core

5.0.6

🟢 6.9

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/accepts

2.0.0

🟢 4.5

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 7	7 out of 9 merged PRs checked by a CI test -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	⚠️ 2	Found 7/29 approved changesets -- score normalized to 2
Contributors	🟢 10	project has 11 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 3	3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/body-parser

2.2.0

🟢 7.2

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
CI-Tests	🟢 10	26 out of 26 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 8	found 5 unreviewed changesets out of 30 -- score normalized to 8
Contributors	🟢 10	33 different organizations found -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	26 commit(s) out of 30 and 5 issue activity out of 30 found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	no published package detected
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
SAST	🟢 8	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 10	no vulnerabilities detected

npm/content-disposition

1.0.0

🟢 5.8

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 7	11 out of 14 merged PRs checked by a CI test -- score normalized to 7
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 4	Found 12/29 approved changesets -- score normalized to 4
Contributors	🟢 10	project has 7 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 7	5 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 7
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/cookie-signature

1.2.2

🟢 3.3

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ -1	No tokens found
Dangerous-Workflow	⚠️ -1	no workflows found
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ -1	no dependencies found
Code-Review	⚠️ 2	Found 4/17 approved changesets -- score normalized to 2
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/express

5.1.0

🟢 8.7

Details

Check	Score	Reason
Dependency-Update-Tool	🟢 10	update tool detected
Packaging	⚠️ -1	packaging workflow not detected
Security-Policy	🟢 10	security policy file detected
Code-Review	🟢 9	Found 26/27 approved changesets -- score normalized to 9
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Maintained	🟢 10	30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	🟢 9	SAST tool detected but not run on all commits
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
CI-Tests	🟢 9	28 out of 29 merged PRs checked by a CI test -- score normalized to 9
Contributors	🟢 10	project has 119 contributing companies or organizations

npm/finalhandler

2.1.0

🟢 7.8

Details

Check	Score	Reason
Code-Review	🟢 8	Found 23/27 approved changesets -- score normalized to 8
Binary-Artifacts	🟢 10	no binaries found in the repo
Dependency-Update-Tool	🟢 10	update tool detected
Maintained	🟢 10	19 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	🟢 7	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Contributors	🟢 10	project has 17 contributing companies or organizations
CI-Tests	🟢 8	22 out of 25 merged PRs checked by a CI test -- score normalized to 8

npm/fresh

2.0.0

🟢 4.3

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	⚠️ 1	Found 4/25 approved changesets -- score normalized to 1
Maintained	⚠️ 0	1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Security-Policy	🟢 10	security policy file detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/is-promise

4.0.0

🟢 5

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 3	Found 10/30 approved changesets -- score normalized to 3
Dangerous-Workflow	⚠️ -1	no workflows found
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ -1	No tokens found
Pinned-Dependencies	⚠️ -1	no dependencies found
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/media-typer

1.1.0

🟢 4.2

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Code-Review	⚠️ 0	Found 2/30 approved changesets -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 10	security policy file detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/merge-descriptors

2.0.0

🟢 4.1

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Code-Review	⚠️ 0	Found 0/30 approved changesets -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
SAST	⚠️ 0	no SAST tool detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches

npm/mime-db

1.54.0

🟢 4.5

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 5	6 out of 12 merged PRs checked by a CI test -- score normalized to 5
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 3	Found 11/29 approved changesets -- score normalized to 3
Contributors	🟢 10	project has 18 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 7	5 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 7
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 1	dependency not pinned by hash detected -- score normalized to 1
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Security-Policy	🟢 4	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/mime-types

3.0.1

🟢 5.1

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 9	9 out of 10 merged PRs checked by a CI test -- score normalized to 9
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 3	Found 9/26 approved changesets -- score normalized to 3
Contributors	🟢 10	project has 24 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 9	3 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 9
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/negotiator

1.0.0

🟢 4.2

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	⚠️ 2	Found 5/25 approved changesets -- score normalized to 2
Packaging	⚠️ -1	packaging workflow not detected
Maintained	⚠️ 0	0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 10	security policy file detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/path-to-regexp

8.2.0

🟢 5.4

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 10	4 out of 4 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	⚠️ 1	found 26 unreviewed changesets out of 30 -- score normalized to 1
Contributors	🟢 10	27 different organizations found -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 5	3 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 5
Packaging	⚠️ -1	no published package detected
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 7	3 existing vulnerabilities detected

npm/qs

6.14.0

🟢 5.7

Details

Check	Score	Reason
Maintained	🟢 10	9 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 3/30 approved changesets -- score normalized to 1
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
CII-Best-Practices	🟢 5	badge detected: Passing
License	🟢 10	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy	🟢 9	security policy file detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/raw-body

3.0.0

🟢 4.2

Details

Check	Score	Reason
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 2/17 approved changesets -- score normalized to 1
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/router

2.2.0

🟢 6.5

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 9	25 out of 26 merged PRs checked by a CI test -- score normalized to 9
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 9	Found 25/27 approved changesets -- score normalized to 9
Contributors	🟢 10	project has 18 contributing companies or organizations
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	13 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 10	0 existing vulnerabilities detected

npm/send

1.2.0

🟢 5.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 10	14 out of 14 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 6	found 6 unreviewed changesets out of 17 -- score normalized to 6
Contributors	🟢 10	29 different organizations found -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 6	7 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 6
Packaging	⚠️ -1	no published package detected
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 10	no vulnerabilities detected

npm/serve-static

2.2.0

🟢 6.7

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
CI-Tests	🟢 9	15 out of 16 merged PRs checked by a CI test -- score normalized to 9
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Code-Review	🟢 6	found 7 unreviewed changesets out of 19 -- score normalized to 6
Contributors	🟢 10	16 different organizations found -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Dependency-Update-Tool	⚠️ 0	no update tool detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Maintained	🟢 10	10 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	no published package detected
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
SAST	🟢 7	SAST tool detected but not run on all commits
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Vulnerabilities	🟢 10	no vulnerabilities detected

npm/type-is

2.0.1

🟢 4.9

Details

Check	Score	Reason
Binary-Artifacts	🟢 10	no binaries found in the repo
Maintained	🟢 5	5 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Code-Review	🟢 3	Found 8/24 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

npm/@types/express

^5.0.1

🟢 6.9

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 8	Found 25/30 approved changesets -- score normalized to 8
Packaging	⚠️ -1	packaging workflow not detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
License	🟢 9	license file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
Fuzzing	⚠️ 0	project is not fuzzed

npm/express

^5.1.0

🟢 8.7

Details

Check	Score	Reason
Dependency-Update-Tool	🟢 10	update tool detected
Packaging	⚠️ -1	packaging workflow not detected
Security-Policy	🟢 10	security policy file detected
Code-Review	🟢 9	Found 26/27 approved changesets -- score normalized to 9
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Maintained	🟢 10	30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Pinned-Dependencies	🟢 6	dependency not pinned by hash detected -- score normalized to 6
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
SAST	🟢 9	SAST tool detected but not run on all commits
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
CI-Tests	🟢 9	28 out of 29 merged PRs checked by a CI test -- score normalized to 9
Contributors	🟢 10	project has 119 contributing companies or organizations

Scanned Files

backend/package-lock.json
backend/package.json

Bumps the production-dependencies group with 2 updates in the /backend directory: [express](https://github.com/expressjs/express) and [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express). Updates `express` from 4.21.2 to 5.1.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@4.21.2...v5.1.0) Updates `@types/express` from 4.17.21 to 5.0.1 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express) --- updated-dependencies: - dependency-name: express dependency-version: 5.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: production-dependencies - dependency-name: "@types/express" dependency-version: 5.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: production-dependencies ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot · 2025-04-07T20:59:10Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 4, 2025

dependabot bot force-pushed the dependabot/npm_and_yarn/backend/production-dependencies-3b838d39d3 branch from 8f135da to aa7d02d Compare April 4, 2025 05:34

dependabot bot closed this Apr 7, 2025

dependabot bot deleted the dependabot/npm_and_yarn/backend/production-dependencies-3b838d39d3 branch April 7, 2025 20:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the production-dependencies group across 1 directory with 2 updates #192

Bump the production-dependencies group across 1 directory with 2 updates #192

Uh oh!

dependabot bot commented on behalf of github Apr 4, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Apr 4, 2025 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Apr 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Bump the production-dependencies group across 1 directory with 2 updates #192

Bump the production-dependencies group across 1 directory with 2 updates #192

Uh oh!

Conversation

dependabot bot commented on behalf of github Apr 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v5.1.0

What's Changed

5.1.0 / 2025-03-31

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

Uh oh!

github-actions bot commented Apr 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

dependabot bot commented on behalf of github Apr 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Apr 4, 2025 •

edited

Loading

github-actions bot commented Apr 4, 2025 •

edited

Loading