Bump the npm_and_yarn group across 2 directories with 13 updates by dependabot[bot] · Pull Request #1 · goisneto/TizenTube-Poisoned

dependabot · 2026-03-29T18:50:49Z

Bumps the npm_and_yarn group with 3 updates in the /mods directory: rollup, picomatch and serialize-javascript.
Bumps the npm_and_yarn group with 6 updates in the /service directory:

Package	From	To
rollup	`4.18.1`	`4.60.0`
picomatch	`2.3.1`	`2.3.2`
express	`4.19.2`	`4.22.0`
brace-expansion	`2.0.1`	`2.0.3`
brace-expansion	`1.1.11`	`1.1.13`
minimatch	`5.1.6`	`5.1.9`
minimatch	`3.1.2`	`3.1.5`
minimatch	`9.0.5`	`9.0.9`
glob	`10.4.5`	`10.5.0`

Updates rollup from 3.29.5 to 3.30.0

Release notes

Sourced from rollup's releases.

v3.30.0

3.30.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6276: Validate bundle stays within output dir (@lukastaegert)

Changelog

Sourced from rollup's changelog.

3.30.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6276: Validate bundle stays within output dir (@lukastaegert)

Commits

d91d5e1 3.30.0
9677409 Update release script for backports
c8cf1f9 Validate bundle stays within output dir (#6276)
See full diff in compare view

Updates picomatch from 4.0.3 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates serialize-javascript from 6.0.2 to 7.0.5

Release notes

Sourced from serialize-javascript's releases.

v7.0.5

Fixes

Improve robustness and validation for array-like object serialization.

Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

What's Changed

release: v7.0.4 by @okuryu in yahoo/serialize-javascript#211

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207) 2e609d0

build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206) 42b7cdb

yahoo/serialize-javascript@v7.0.2...v7.0.3

v7.0.2

What's Changed

ci: bump GitHub Actions to latest versions by @okuryu in yahoo/serialize-javascript#203

ci: setup trusted publishing workflow by @okuryu in yahoo/serialize-javascript#204

release: v7.0.2 by @okuryu in yahoo/serialize-javascript#205

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

What's Changed

Add warning about using this package to send arbitrary data to worker threads by @valadaptive in yahoo/serialize-javascript#200

security: sanitize function bodies by @redonkulus in yahoo/serialize-javascript#199

docs: tweak README by @okuryu in yahoo/serialize-javascript#201

release: v7.0.1 by @okuryu in yahoo/serialize-javascript#202

New Contributors

@redonkulus made their first contribution in yahoo/serialize-javascript#199

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0

Breaking Changes

requires Node.js v20+

What's Changed

Bump mocha from 10.2.0 to 10.4.0 by @dependabot[bot] in yahoo/serialize-javascript#178

... (truncated)

Commits

df3f1c1 release: v7.0.5
f147e90 Merge commit from fork
eec32e0 release: v7.0.4
d505715 7.0.3
2e609d0 fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207)
42b7cdb build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206)
44f544b release: v7.0.2 (#205)
bba0ddd ci: setup trusted publishing workflow (#204)
235f6ea ci: bump GitHub Actions to latest versions (#203)
f7fff15 release: v7.0.1 (#202)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serialize-javascript since your current version.

Updates rollup from 4.18.1 to 4.60.0

Release notes

Sourced from rollup's releases.

v3.30.0

3.30.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6276: Validate bundle stays within output dir (@lukastaegert)

Changelog

Sourced from rollup's changelog.

3.30.0

2026-02-22

Features

Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

#6276: Validate bundle stays within output dir (@lukastaegert)

Commits

d91d5e1 3.30.0
9677409 Update release script for backports
c8cf1f9 Validate bundle stays within output dir (#6276)
See full diff in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

Fix for CVE-2026-33671

Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

Commits

e5474fc Publish 4.0.4
4516eb5 Merge commit from fork
5eceecd Merge commit from fork
0db7dd7 Run benchmark again against latest minimatch version (#161)
9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
2661f23 fix typo in globstars.js test name (#138)
1798b07 docs: fix makeRe example (#143)
9d76bc5 chore: undocument removed options (#146)
e4d718b Remove unused time-require (#160)
38dffeb chore(deps): pin dependencies (#158)
Additional commits viewable in compare view

Updates express from 4.19.2 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for Node.js@23.0 by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: qs@6.14.0 by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

finalhandler@1.3.1 by @wesleytodd in expressjs/express#5954

fix(deps): serve-static@1.16.2 by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: qs@6.14.0

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
6a23d34 deps: use tilde notation for qs (#6919)
8c12cdf deps: qs@6.14.0 (#6909)
7fea74f deps: use tilde notation for certain dependencies (#6905)
dac7a04 chore: wider range for query test skip (#6513)
997919b ci: add node.js 24 to test matrix (#6506)
36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
3a5edfa fix(ci): updated github actions ci workflow (#6323)
52d9781 fix(test): add test for method routes without paths #5955
Additional commits viewable in compare view

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

Remove redundant depth check by @blakeembrey in expressjs/body-parser#538

ci: add support for Node.js v23 by @Phillip9587 in expressjs/body-parser#553

ci: restore CI for 1.x branch by @bjohansebas in expressjs/body-parser#665

deps: qs@^6.14.0 by @bjohansebas in expressjs/body-parser#664

deps: use tilde notation and update certain dependencies by @Phillip9587 in expressjs/body-parser#668

chore: remove SECURITY.md by @Phillip9587 in expressjs/body-parser#669

ci: add CodeQL (SAST) by @Phillip9587 in expressjs/body-parser#670

Release: 1.20.4 by @UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to node@22.4.1 by @wesleytodd in expressjs/body-parser#527

deps: qs@6.12.3 by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

New Contributors

@inigomarquinez made their first contribution in expressjs/body-parser#522

@melikhov-dev made their first contribution in expressjs/body-parser#521

@bjohansebas made their first contribution in expressjs/body-parser#531

@UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

deps: qs@~6.14.0

deps: use tilde notation for dependencies

deps: http-errors@~2.0.1

deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

7db202c 1.20.4 (#672)
d8f8adb ci: add CodeQL (SAST) (#670)
6d133c1 chore: remove SECURITY.md (#669)
fcd1535 deps: use tilde notation and update certain dependencies (#668)
ec5fa29 deps: qs@~6.14.0 (#664)
ffb95c1 ci: restore CI for 1.x branch (#665)
48a5f07 ci: add support for Node.js v23 (#553)
f20f6ad Remove redundant depth check (#538)
1752951 1.20.3
39744cf chore: linter (#534)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates brace-expansion from 2.0.1 to 2.0.3

Release notes

Sourced from brace-expansion's releases.

v2.0.2

pkg: publish on tag 2.x 14f1d91

fmt ed7780a

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

73b5459 2.0.3
311ac0d Backport fix for GHSA-f886-m6hf-6m8v to v2 (#96)
a3efcee 2.0.2
14f1d91 pkg: publish on tag 2.x
ed7780a fmt
36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.13

Release notes

Sourced from brace-expansion's releases.

v2.0.2

pkg: publish on tag 2.x 14f1d91

fmt ed7780a

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

73b5459 2.0.3
311ac0d Backport fix for GHSA-f886-m6hf-6m8v to v2 (#96)
a3efcee 2.0.2
14f1d91 pkg: publish on tag 2.x
ed7780a fmt
36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
See full diff in compare view

Updates cookie from 0.6.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

Allow leading dot for domain (#174)

Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec

Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

perf: parse cookies ~10% faster (#144 by @kurtextrem and #170)

fix: narrow the validation of cookies to match RFC6265 (#167 by @bewinsnw)

fix: add main to package.json for rspack (#166 by @proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

Commits

d19eaa1 0.7.2
bc38ffd Fix object assignment of hasOwnProperty (#177)
cf4658f 0.7.1
6a8b8f5 Allow leading dot for domain (#174)
58015c0 Remove more code and perf wins (#172)
ab057d6 0.7.0
5f02ca8 Migrate history to GitHub releases
a5d591c Migrate history to GitHub releases
51968f9 Skip isNaN
9e7ca51 perf(parse): cache length, return early (#144)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates minimatch from 5.1.6 to 5.1.9

Commits

4419b6e 5.1.9
383ce59 docs: add warning about ReDoS
b02ef18 fix partial matching of globstar patterns
e92ae29 5.1.8
79e4447 limit recursion for **, improve perf considerably
85ec0ff lockfile update
647146e lock node version to 14
85646c8 5.1.7
977c2d8 update CI matrix and actions
421ad12 update test expectations for coalesced consecutive stars
Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

4419b6e 5.1.9
383ce59 docs: add warning about ReDoS
b02ef18 fix partial matching of globstar patterns
e92ae29 5.1.8
79e4447 limit recursion for **, improve perf considerably
85ec0ff lockfile update
647146e lock node version to 14
85646c8 5.1.7
977c2d8 update CI matrix and actions
421ad12 update test expectations for coalesced consecutive stars
Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 9.0.9

Commits

4419b6e 5.1.9
383ce59 docs: add warning about ReDoS
b02ef18 fix partial matching of globstar patterns
e92ae29 5.1.8
79e4447 limit recursion for **, improve perf considerably
85ec0ff lockfile update
647146e lock node version to 14
85646c8 5.1.7
977c2d8 update CI matrix and actions
421ad12 update test expectations for coalesced consecutive stars
Additional commits viewable in compare view

Updates glob from 10.4.5 to 10.5.0

Commits

56774ef 10.5.0
1e4e297 bin: Do not expose filenames to shell expansion
See full diff in compare view

Updates path-to-regexp from 0.1.7 to 0.1.13

Release notes

Sourced from path-to-regexp's releases.

0.1.13

Important

Fix CVE-2026-4867 (GHSA-37ch-88jc-xwx2)

Full Changelog: pillarjs/path-to-regexp@v0.1.12...v.0.1.13

Fix backtracking (again)

Fixed

Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

Add backtrack protection to parameters 29b96b4

This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Changelog

Sourced from path-to-regexp's changelog.

0.1.13 / 2026-03-26

Fix CVE-2026-4867 (GHSA-37ch-88jc-xwx2)

Commits

9fd0c87 0.1.13 (#425)
7ccf02c fix: CVE-2026-4867
640e694 0.1.12
f01c26a Merge commit from fork
0c71192 0.1.11
8f09549 Add error on bad input values
c827fce 0.1.10
29b96b4 Add backtrack protection to parameters
ac4c234 Update repo url (#314)
bdb6635 0.1.9
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for path-to-regexp since your current version.

Updates qs from 6.11.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

[New] parse: add throwOnParameterLimitExceeded option (#517)

[Refactor] parse: use utils.combine more

[patch] parse: add explicit throwOnLimitExceeded default

[actions] use shared action; re-add finishers

[meta] Fix changelog formatting bug

[Deps] update side-channel

[Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols

[Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

[Robustness] avoid .push, use void

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] replace runkit CI badge with shields.io check-runs badge

[actions] fix rebase workflow permissions

6.13.1

[Fix] stringify: avoid a crash when a filter key is null

[Fix] utils.merge: functions should not be stringified into keys

[Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset

[Fix] stringify: ensure a non-string filter does not crash

[Refactor] use __proto__ syntax instead of Object.create for null objects

[Refactor] misc cleanup

... (truncated)

Commits

bdcf0c7 v6.14.2
294db90 [readme] document that addQueryPrefix does not add ? to empty output
5c308e5 [readme] clarify parseArrays and arrayLimit documentation
6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
1b9a8b4 [actions] fix rebase workflow permissions
2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
Additional commits viewable in compare view

Updates send from 0.18.0 to 0.19.2

Release notes

Sourced from send's releases.

0.19.2

What's Changed

deps: use tilde notation and update certain dependencies by @Phillip9587 in pillarjs/send#279

Release: 0.19.2 by @UlisesGascon in pillarjs/send#280

Full Changelog: pillarjs/send@0.19.1...0.19.2

0.19.1

What's Changed

fix(deps): encodeurl@~2.0.0 by @wesleytodd in pillarjs/send#240

Description has been truncated

Bumps the npm_and_yarn group with 3 updates in the /mods directory: [rollup](https://github.com/rollup/rollup), [picomatch](https://github.com/micromatch/picomatch) and [serialize-javascript](https://github.com/yahoo/serialize-javascript). Bumps the npm_and_yarn group with 6 updates in the /service directory: | Package | From | To | | --- | --- | --- | | [rollup](https://github.com/rollup/rollup) | `4.18.1` | `4.60.0` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [express](https://github.com/expressjs/express) | `4.19.2` | `4.22.0` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `2.0.1` | `2.0.3` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.13` | | [minimatch](https://github.com/isaacs/minimatch) | `5.1.6` | `5.1.9` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [minimatch](https://github.com/isaacs/minimatch) | `9.0.5` | `9.0.9` | | [glob](https://github.com/isaacs/node-glob) | `10.4.5` | `10.5.0` | Updates `rollup` from 3.29.5 to 3.30.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v3.30.0/CHANGELOG.md) - [Commits](rollup/rollup@v3.29.5...v3.30.0) Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `serialize-javascript` from 6.0.2 to 7.0.5 - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.5) Updates `rollup` from 4.18.1 to 4.60.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/v3.30.0/CHANGELOG.md) - [Commits](rollup/rollup@v3.29.5...v3.30.0) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `express` from 4.19.2 to 4.22.0 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md) - [Commits](expressjs/express@4.19.2...4.22.0) Updates `body-parser` from 1.20.2 to 1.20.4 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.2...1.20.4) Updates `brace-expansion` from 2.0.1 to 2.0.3 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.3) Updates `brace-expansion` from 1.1.11 to 1.1.13 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v2.0.1...v2.0.3) Updates `cookie` from 0.6.0 to 0.7.2 - [Release notes](https://github.com/jshttp/cookie/releases) - [Commits](jshttp/cookie@v0.6.0...v0.7.2) Updates `minimatch` from 5.1.6 to 5.1.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v5.1.6...v5.1.9) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v5.1.6...v5.1.9) Updates `minimatch` from 9.0.5 to 9.0.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v5.1.6...v5.1.9) Updates `glob` from 10.4.5 to 10.5.0 - [Changelog](https://github.com/isaacs/node-glob/blob/main/changelog.md) - [Commits](isaacs/node-glob@v10.4.5...v10.5.0) Updates `path-to-regexp` from 0.1.7 to 0.1.13 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md) - [Commits](pillarjs/path-to-regexp@v0.1.7...v.0.1.13) Updates `qs` from 6.11.0 to 6.14.2 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.11.0...v6.14.2) Updates `send` from 0.18.0 to 0.19.2 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.18.0...0.19.2) Updates `serve-static` from 1.15.0 to 1.16.3 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.15.0...v1.16.3) --- updated-dependencies: - dependency-name: rollup dependency-version: 3.30.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serialize-javascript dependency-version: 7.0.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express dependency-version: 4.22.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 1.20.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 2.0.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: cookie dependency-version: 0.7.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 5.1.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 9.0.9 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: glob dependency-version: 10.5.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: path-to-regexp dependency-version: 0.1.13 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 0.19.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 1.16.3 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 29, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the npm_and_yarn group across 2 directories with 13 updates#1

Bump the npm_and_yarn group across 2 directories with 13 updates#1
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/mods/npm_and_yarn-c2a45b4372

dependabot Bot commented on behalf of github Mar 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Mar 29, 2026

v3.30.0

3.30.0

Features

Pull Requests

3.30.0

Features

Pull Requests

4.0.4

What's Changed

v7.0.5

Fixes

v7.0.4

What's Changed

v7.0.3

v7.0.2

What's Changed

v7.0.1

What's Changed

New Contributors

v7.0.0

Breaking Changes

What's Changed

v3.30.0

3.30.0

Features

Pull Requests

3.30.0

Features

Pull Requests

4.0.4

What's Changed

4.22.0

Important: Security

What's Changed

4.21.2

What's Changed

4.21.1

What's Changed

4.21.0

What's Changed

New Contributors

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

4.20.0 / 2024-09-10

1.20.4

What's Changed

1.20.3

What's Changed

Important

Other changes

New Contributors

1.20.4 / 2025-12-01

1.20.3 / 2024-09-10

v2.0.2

v2.0.2

v0.7.2

0.7.1

0.7.0

0.1.13

Important

Fix backtracking (again)

Error on bad input

Backtrack protection

Support non-lookahead regex output

Support named matching groups in RegExp

0.1.13 / 2026-03-26

6.14.2

6.14.1

6.14.0

6.13.3

6.13.2

6.13.1

0.19.2

What's Changed

0.19.1

Support named matching groups in `RegExp`