• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Sourced from next-auth's releases.

[email protected]

What's Changed

• fix: functions that return promises must be async by @​thomaslindstrom in nextauthjs/next-auth#12105
• fix: support AUTH_SECRET for compat with npx auth secret by @​balazsorban44 in nextauthjs/next-auth@490a033

Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.24.10

[email protected]

What's Changed

• chore(docs): fix typo in WorkOS documentation by @​outofgamut in nextauthjs/next-auth#11959
• chore(v4): add neon sponsor by @​ndom91 in nextauthjs/next-auth#12008
• cookie package upgraded by @​talyuk in nextauthjs/next-auth#12046
• Allow Next.js v15 peer dependency by @​thomaslindstrom in nextauthjs/next-auth#12098
• await dynamic APIs as per Next.js 15 changes by @​balazsorban44 in nextauthjs/next-auth@4d143c5

New Contributors

• @​outofgamut made their first contribution in nextauthjs/next-auth#11959
• @​talyuk made their first contribution in nextauthjs/next-auth#12046
• @​thomaslindstrom made their first contribution in nextauthjs/next-auth#12098

Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.24.9

• 6bca388 chore(release): bump version [skip ci]
• c46fd4f chore(deps): allow react v19 as peer deps (#12352)
• 3dfe5d5 chore: Update docusaurus.config.js
• 0447db0 chore(v4): add sent.dm sponsor (#12172)
• 5a5859a docs: Update options.md
• 5ad7fb4 docs: Update options.md
• c7ea50d chore(release): bump version [skip ci]
• 490a033 fix: support AUTH_SECRET for compat with npx auth secret
• 1e6be72 fix: functions that return promises must be async (#12105)
• ddab3cc chore(release): bump version [skip ci]
• Additional commits viewable in compare view

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Sourced from next's releases.

v15.2.0

Core Changes

• Fix unstable_allowDynamic when used with pnpm: #73732
• [dynamicIO] use new heuristic to track whether server render is dynamic: #73751
• Fix receiveExpiredTags not always called: #73759
• error-overlay: Rename "Error" to "Issue": #72817
• remove redundant segment collection call: #73773
• Metadata resolvers can be fetched synchronously: #73771
• Turbopack: migrate client references to single-graph-traversal: #73322
• next-codemod: update gitignore file for parity for yarn recommendations: #71963
• feat: error code: #73332
• Detach next-error-code-swc-plugin from workspace: #73806
• [CI] Prominent error message for check_error_codes: #73807
• [Segment Cache] Add PPR header to segment prefetch: #73756
• fix: path escaping issue on windows: #73843
• Rename variables in LayoutRouter for clarity: #73826
• [Segment Cache] Skip prefetched segments on server: #73626
• [Segment Cache] No data on tree prefetch if no PPR: #73767
• Remove segmentPath from RSC payload: #73827
• build: better error if fetching AMP validator fails: #73851
• Escape the '.' in '.json' when making static data routes.: #73850
• fix(next@15): use the asset prefix when loading a CSS in App Router: #72095
• Exclude .test. files from using error code plugin: #73868
• Refactor telemetry API: #73865
• Add additional error classes and error codes: #73862
• refactor: collectAppPageSegments: #73908
• cleanup unnecessary map in dev server: #73745
• Retry manifest file loading only in dev mode: #73900
• Turbopack: ignore empty NEXT_TURBOPACK_TRACING var: #73903
• Ignore RSC fetch errors after hard navigation: #73975
• Fix error code check in windows: #73981
• Separate viewport and metadata in rsc and cache: #73867
• Add feature flag for new dev overlay: #73977
• Restore RSC fetch error handling after navigating back: #73985
• refactor: make locales array immutable: #74037
• fix: skip rendering dynamic root segment routes: #74039
• refactor: cache lowercasing all the locales: #74038
• Add SRI support for Node.js Runtime : #73891
• Separate bots detection utils: #74000
• docs: remove a duplicated word in redirect code comment: #74043
• examples: update gitignore files for parity for yarn recommendations: #71956
• chore: update turbopack document path in the warning message: #72597
• Clean up react-dev-overlay before fork: #74016
• chore(next/image): improve imgopt api bypass detection for unsupported images: #73909
• [Segment Cache] Add CacheStatus.Empty: #73667
• chore: move static paths utils into own folder: #73928
• Delete unused GroupedStackFrames.tsx: #74028
• [Segment Cache] Move cache key creation to client : #73853
• feat: added partial shell generation using root params: #73816

... (truncated)

• b0416fb v15.2.0
• 166369d v15.2.0-canary.77
• 2c57888 [dev-overlay]: allow disabled state to be dismissable (#76572)
• c919f09 examples: fix supabase example for v15 (#76567)
• 991c32a [dev-overlay] rephrase docs button title as link to related docs (#76571)
• aaebca9 Updated remove-console example to utilize the app router. (#76543)
• 8dd0b56 docs(errors): update suppressHydrationWarning section (#76521)
• c505a4c exclude AppDevOverlayErrorBoundary from prod build (#76568)
• 91684ee Remove rewrite query params from request URL when deployed to Vercel (#76548)
• dbeeb02 [dev-overlay] change button to lowercase except leading letter (#76565)
• Additional commits viewable in compare view

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Sourced from next's releases.

v15.2.0

Core Changes

• Fix unstable_allowDynamic when used with pnpm: #73732
• [dynamicIO] use new heuristic to track whether server render is dynamic: #73751
• Fix receiveExpiredTags not always called: #73759
• error-overlay: Rename "Error" to "Issue": #72817
• remove redundant segment collection call: #73773
• Metadata resolvers can be fetched synchronously: #73771
• Turbopack: migrate client references to single-graph-traversal: #73322
• next-codemod: update gitignore file for parity for yarn recommendations: #71963
• feat: error code: #73332
• Detach next-error-code-swc-plugin from workspace: #73806
• [CI] Prominent error message for check_error_codes: #73807
• [Segment Cache] Add PPR header to segment prefetch: #73756
• fix: path escaping issue on windows: #73843
• Rename variables in LayoutRouter for clarity: #73826
• [Segment Cache] Skip prefetched segments on server: #73626
• [Segment Cache] No data on tree prefetch if no PPR: #73767
• Remove segmentPath from RSC payload: #73827
• build: better error if fetching AMP validator fails: #73851
• Escape the '.' in '.json' when making static data routes.: #73850
• fix(next@15): use the asset prefix when loading a CSS in App Router: #72095
• Exclude .test. files from using error code plugin: #73868
• Refactor telemetry API: #73865
• Add additional error classes and error codes: #73862
• refactor: collectAppPageSegments: #73908
• cleanup unnecessary map in dev server: #73745
• Retry manifest file loading only in dev mode: #73900
• Turbopack: ignore empty NEXT_TURBOPACK_TRACING var: #73903
• Ignore RSC fetch errors after hard navigation: #73975
• Fix error code check in windows: #73981
• Separate viewport and metadata in rsc and cache: #73867
• Add feature flag for new dev overlay: #73977
• Restore RSC fetch error handling after navigating back: #73985
• refactor: make locales array immutable: #74037
• fix: skip rendering dynamic root segment routes: #74039
• refactor: cache lowercasing all the locales: #74038
• Add SRI support for Node.js Runtime : #73891
• Separate bots detection utils: #74000
• docs: remove a duplicated word in redirect code comment: #74043
• examples: update gitignore files for parity for yarn recommendations: #71956
• chore: update turbopack document path in the warning message: #72597
• Clean up react-dev-overlay before fork: #74016
• chore(next/image): improve imgopt api bypass detection for unsupported images: #73909
• [Segment Cache] Add CacheStatus.Empty: #73667
• chore: move static paths utils into own folder: #73928
• Delete unused GroupedStackFrames.tsx: #74028
• [Segment Cache] Move cache key creation to client : #73853
• feat: added partial shell generation using root params: #73816

... (truncated)

• b0416fb v15.2.0
• 166369d v15.2.0-canary.77
• 2c57888 [dev-overlay]: allow disabled state to be dismissable (#76572)
• c919f09 examples: fix supabase example for v15 (#76567)
• 991c32a [dev-overlay] rephrase docs button title as link to related docs (#76571)
• aaebca9 Updated remove-console example to utilize the app router. (#76543)
• 8dd0b56 docs(errors): update suppressHydrationWarning section (#76521)
• c505a4c exclude AppDevOverlayErrorBoundary from prod build (#76568)
• 91684ee Remove rewrite query params from request URL when deployed to Vercel (#76548)
• dbeeb02 [dev-overlay] change button to lowercase except leading letter (#76565)
• Additional commits viewable in compare view

Sourced from pug's releases.

[email protected]

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

[email protected]

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• See full diff in compare view

Sourced from dompurify's releases.

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

DOMPurify 3.2.3

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

DOMPurify 3.2.2

• Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
• Fixed several minor issues with the type definitions, thanks again @​reduckted
• Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
• Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

DOMPurify 3.2.1

• Fixed several minor issues with the type definitions, thanks @​reduckted @​ghiscoding @​asamuzaK @​MiniDigger
• Fixed an issue with non-minified dist files and order of imports, thanks @​reduckted

DOMPurify 3.2.0

• Added type declarations, thanks @​reduckted , @​philmayfield, @​aloisklink, @​ssi02014 and others
• Fixed a minor issue with the handling of hooks, thanks @​kevin-mizu

DOMPurify 3.1.7

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
• Added better support for Angular compiler, thanks @​jeroen1602
• Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
• Bumped several dependencies to be more up to date

DOMPurify 3.1.6

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
• Updated several development dependencies

DOMPurify 3.1.5

• Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
• Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

DOMPurify 3.1.4

• Fixed an issue with the recently implemented isNaN checks, thanks @​tulach
• Added several new popover attributes to allow-list, thanks @​Gigabyte5671
• Fixed the tests and adjusted the test runner to cover all branches

... (truncated)

• ec29e65 Merge pull request #1062 from cure53/main
• 1c1b183 chore: Preparing 3.2.4 release
• d18ffcb fix: Changed the template literal regex to avoid a config-dependent bypass
• 0d64d2b Merge pull request #1060 from yehuya/initializeTestImprovements
• 9ad7933 tests: DOMPurify custom window tests improvements
• 72760ca Merge pull request #1059 from yehuya/fixMissingWindowElement
• bc72d44 Fix tests
• 363a89d fix: handle undefined Element in DOMPurify initialization
• f41b45d Update LICENSE
• b25bf26 Update README.md
• Additional commits viewable in compare view

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: [email protected] by @​blakeembrey in expressjs/express#5956
• deps: bump [email protected] by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: [email protected]
  • Fix backtracking protection
• deps: [email protected]
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: [email protected]
  • includes [email protected]
• deps: [email protected]
• deps: [email protected]

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

• 1faf228 4.21.2
• 2e0fb64 deps: bump [email protected] (#6209)
• 59fc270 deps: [email protected] (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• Additional commits viewable in compare view

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Sourced from katex's releases.

v0.16.21

0.16.21 (2025-01-17)

Bug Fixes

• escape \htmlData attribute name (