Commit graph

402 commits

Author SHA1 Message Date
Prakash
ad8295c3d5
Merge branch 'main' into restore/pr-6284 2026-07-01 13:21:36 +05:30
Mikael Finstad
cd34c9cf4f
upgrade @types/cors and @types/morgan (#6360)
see #6297

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-06-28 01:39:06 +02:00
prakash
5585a796af
Merge remote-tracking branch 'origin/main' into restore/pr-6284 2026-06-20 01:37:42 +05:30
Prakash
bd8d51b02d
@uppy/aws-s3: add support for tempCredentials in s3mini (#6110)
- added `getCredentials` callback in `S3Config`
- simplified signer test util ( `sigv4-signer.js` ) and moved to
`src/signer.ts`
- all tests run in a new non root minio user ( required for sts ) ,
which gets created before the tests start see `tests/s3-client/setup.js`
- tests added for sts , using `@aws-sdk/client-sts` for getting creds.
- credential caching inspired from the current implementation in
`@aws-s3` plugin , see `#getTemporarySecurityCredentials` inside
`@uppy/aws-s3/src/index.ts`

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-06-17 13:54:47 +05:30
Prakash
981fcedd71
@uppy/upgrade devdeps v3 (#6319)
AI disclaimer: AI used
  
  ## Changes
  - **vite 7 → 8** 
- **@vitejs/plugin-react 4 → 6** (peer-requires vite ^8; drops Babel for
oxc)
- **@tailwindcss/vite 4.1 → 4.3** (first 4.x with a vite ^8 peer range)
- `examples/react/vitest.config.ts`: add `resolve.dedupe: ['react',
'react-dom']` : reason explained in comments
2026-06-03 15:39:24 +05:30
Prakash
675b48fa14
@uppy/upgrade devdeps v2 (#6318)
AI disclaimer : AI used

## Changes
- **jsdom 26 → 29** across all packages' devDependencies —
**except`@uppy/aws-s3`** (left at 26; that plugin is being rewritten and
its deps are handled on the rewrite branch).
- **`@uppy/xhr-upload` unit tests migrated from nock to MSW**, and
`nock` dropped from its devDependencies.
  ## Why the test migration was needed
jsdom **28** overhauled resource loading so `XMLHttpRequest` now goes
through jsdom's internal (undici-based) fetch instead of Node's `http`
module ([jsdom 28 release
notes](https://github.com/jsdom/jsdom/releases/tag/28.0.0)).
nock intercepts at the Node `http` / `http.ClientRequest` layer ([nock
README](https://github.com/nock/nock)), so it can no longer see uppy's
upload requests — the mocked responses never arrive and the tests time
out. (This is the long-standing nock + jsdom XHR incompatibility:
[nock#518](https://github.com/nock/nock/issues/518).)

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-03 15:30:55 +05:30
Prakash
1427add64a
@uppy/upgrade-devdeps-v1 (#6317)
Part of the dev-dependency major-version upgrades. These required code
changes so they're split out from the no-code-change batch (#6315).

**AI Disclaimer** : AI Used

- **glob 8 → 13** — `@uppy/locales` scripts: the callback API was
removed, so `getPaths()` uses the promise form and `test.mjs` uses the
named `globSync`.
- **npm-packlist 5 → 11** — `upload-to-cdn.js`: v7+ takes an
`@npmcli/arborist` tree instead of `{ path }`; loads the tree and passes
it to `packlist()`. Adds `@npmcli/arborist` as a devDependency.
- **nock 13 → 14** (`@uppy/companion`) — the v14 @mswjs/interceptors
rewrite crashed the SSRF tests in `http-agent.test.ts`; nock
interception is now kept off by default and only activated for the one
test that mocks a host.
- **@types/use-sync-external-store 0 → 1** — `@uppy/react`: v1's exports
map only exposes extensionless subpaths, so imports use
`use-sync-external-store/shim` and `/with-selector` (runtime supports
both).
2026-06-03 14:38:14 +05:30
Prakash
d7aaab7ad1
@uppy: upgrade dev deps (#6315)
addresses #6297

I'll raise another PR which would include deps which require code
changes
2026-06-02 10:48:58 +08:00
Prakash
7ea7530997
upgrade playwright (#6316)
fixes the timeout which we're facing in "CI / Test" in the past few days
which gets stuck at "Install Playwright Browsers"


https://github.com/transloadit/uppy/actions/runs/26646754991/job/78534314307?pr=6315

tested on my local fork
2026-06-01 18:08:22 +05:30
Prakash
c3c7cef4ed
@uppy: upgrade deps (#6307)
will do a separte PR for changes which would require code changes so
it's easier to review , didn't upgrade any deps for `@uppy/aws-s3` since
we'll merge the rewrite so I think we should do that upgrade in the
rewrite branch before merging.

update : Dependency upgrades which required code changes were raised
separately

- #6309 
- #6310

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-05-29 18:58:42 +05:30
Prakash
ef370da2b3
Revert "@uppy/tus: don't abort errored request" (#6313)
Reverts transloadit/uppy#6312
2026-05-29 18:48:40 +05:30
Prakash
51acfe9e6c
@uppy/tus: don't abort errored request (#6312)
this fixes #6287 , another similar attempted fix which didn't got merged
: #5683

in #5683 we discussed a more longer term solution but IMO that would be
a breaking change as it would change the event contract

AI Disclaimer : AI Used 

This fix is Manually Tested across **Chrome and Firefox**
2026-05-29 18:42:58 +05:30
Prakash
5519b84409
@uppy: upgrade biome and more improvements (#6244)
- This PR upgrades `biome` from `2.0.5` -> `2.1.2` and adds two new
rules
-
[noUnusedImports](https://biomejs.dev/linter/rules/no-unused-private-class-members)
( we already had suppressions for this rule in code, but the rule itself
was never enabled in the config )
-
[noUnusedPrivateClassMembers](https://biomejs.dev/linter/rules/no-unused-private-class-members/)
- remove stale suppressions. 
- remove stale code.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-21 12:28:03 +08:00
Prakash
9143d41bc2
@uppy/companion: upgrade dev deps (#6300)
all the dev deps upgraded excepts for these : 

  - `@types/cors: 2.8.6`
  - `@types/jsonwebtoken: 8.3.7`
  - `@types/morgan: 1.7.37`
  - `@types/node: ^20.19.0`
  - `nock: ^13.1.3`
  
upgrading these to their latest major either breaks the test suite or
requires us to do code changes on our end.
  
  #6297

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-21 12:26:42 +08:00
Mikael Finstad
3c537e2780
Companion upgrade deps (#6305)
recreates #6296

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-05-21 12:07:05 +08:00
Prakash
d9d44ce5e5
upgrade to express v5 (#6304)
exact copy of #6175 

- I will point the uppy deps upgrade pr to this PR's branch
- no other changes needed in this branch as #6175 was reviewed and all
the comments were resolved

this should be the order of merge : 

1. #6300
2. uppy deps upgrade ( yet to be raised ) 
3. merge this to main
4. merge biome changes #6244 

@mifi let me know if you think otherwise.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-21 11:14:23 +08:00
Prakash
d9742ba4e4
Revert "Upgrade to express 5" (#6303)
Reverts transloadit/uppy#6175
2026-05-21 02:36:00 +05:30
Mikael Finstad
489d76717c
Upgrade to express 5 (#6175)
closes #6157

https://expressjs.com/en/guide/migrating-5.html

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-05-20 21:06:46 +05:30
Mikael Finstad
5efc32a2e7
remove angular eslint (#6164)
closes #6161

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-05-18 20:35:10 +08:00
Prakash
12de077e6d
remove @uppy/instagram (#6257)
closes #5455 , this PR removes all Instagram support from both the
client and Companion server.

Removed:
- Instagram from @uppy/remote-sources (src, package.json, keywords)
- Instagram export from uppy bundle (bundle.ts, index.ts, package.json)
- Companion Instagram OAuth provider (provider/index.js, grant.js)
- Companion standalone helper Instagram env vars (helper.js,
env_example)
- All Companion Instagram tests (providers.test.js,
provider-manager.test.js, fixtures/index.js, mockserver.js)
2026-05-13 14:42:10 +05:30
Kevin van Zonneveld
e99a17f1fe
companion: port to TypeScript (#6179)
Supersedes #6178.

This branch keeps the exact same final content as #6178, but splits
history for reviewability:

1. `chore(companion): rename source and test files from .js to .ts`
(pure `git mv`, no content changes)
2. `feat(companion): port Companion to TypeScript` (actual
content/type/schema/build updates)

Validation note:
- Final tree is byte-for-byte identical to `ts-companion`
(`7b5b16a298690b0492de4cc4fab744f998b45570`).

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-05-04 20:50:43 +08:00
Prakash
a86c6240f4
@uppy: upgrade esbuild from "^0.25.0" -> "^0.27.0" (#6235)
this should fix CI error in bundlers workflow , more context :
https://transloadit.slack.com/archives/C0FMW9PSB/p1773989607853769?thread_ts=1773336079.954969&cid=C0FMW9PSB
2026-03-20 18:09:06 +05:30
Prakash
ddae349193
@uppy/examples: mock tus endpoint for react, vue and svelte tests (#6215)
this fixes #6176

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
2026-03-11 14:05:24 +08:00
Merlijn Vos
23cbd4a05a
@uppy/xhr-upload: add browser tests (#6169)
Good to have actual browser tests for this uploader.
2026-02-19 15:10:17 +01:00
dependabot[bot]
63c56c9d1d
build(deps-dev): bump tar from 7.5.7 to 7.5.8 (#6185)
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.8.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6b8eba0ef3"><code>6b8eba0</code></a>
7.5.8</li>
<li><a
href="2cb1120bce"><code>2cb1120</code></a>
fix(unpack): improve UnpackSync symlink error &quot;into&quot; path
accuracy</li>
<li><a
href="d18e4e1f84"><code>d18e4e1</code></a>
fix: do not write linkpaths through symlinks</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.7...v7.5.8">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<details>
<summary>Install script changes</summary>
<p>This version adds <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tar&package-manager=npm_and_yarn&previous-version=7.5.7&new-version=7.5.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-19 10:02:39 +01:00
Prakash
4652dc6a4a
upgrade aws-sdk in @uppy/companion (#6180)
this fixes  #6167 

AI summary :

**The Bug: S3 Multipart Upload Fails with InvalidPart**

**What happened**
When uploading large files (200MB+) from Google Drive → Companion → S3
using multipart upload, the upload would reach ~96-100% and then fail
with S3's `InvalidPart` error on `CompleteMultipartUpload`.

*Root cause*
_A version mismatch between two AWS SDK packages caused by yarn dedupe._

Commit `3c3034b40` ("Dedupe dependencies #6085") ran `yarn dedupe`.
Companion had `@aws-sdk/client-s3` and `@aws-sdk/lib-storage` both at
`"^3.338.0"`, which previously both resolved to `3.600.0`. But the
`@uppy/transloadit` package elsewhere in the monorepo had
`"@aws-sdk/client-s3": "^3.891.0"`. Dedupe merged the resolutions —
`client-s3` jumped to `3.896.0` while `lib-storage` stayed at `3.600.0`.

*Why the mismatch matters*
AWS SDK `client-s3@3.896.0` introduced a _breaking behavioral change_ in
its checksum middleware:
• *Old (3.600.0):* Default checksum = MD5, no auto-injection.
`UploadPart` requests sent _no checksum header_.
• *New (3.896.0):* Default checksum = CRC32,
`requestChecksumCalculation` defaults to `"WHEN_SUPPORTED"`. The
middleware _auto-injects `x-amz-checksum-crc32`_ on every `UploadPart`
request.

The old `lib-storage@3.600.0` didn't know about this new behavior. It
called `CreateMultipartUpload` _without_ setting `ChecksumAlgorithm`.
Then `client-s3@3.896.0` added CRC32 checksums to each `UploadPart`. S3
saw parts with checksums that weren't declared at creation time →
rejected with `InvalidPart` at `CompleteMultipartUpload`.

*How the fixes work*

_Option A — `requestChecksumCalculation: 'WHEN_REQUIRED'`_ (workaround):
Tells the new `client-s3` to only add checksums when S3 requires them
(which it doesn't for `UploadPart`). This restores the old behavior — no
checksum headers, no mismatch.

_Option B — Upgrade all AWS SDK packages to `^3.986.0`_ (proper fix):
The new `lib-storage@3.986.0` is _aware_ of the CRC32 checksum behavior.
When it detects `requestChecksumCalculation = "WHEN_SUPPORTED"`, it
explicitly sets `ChecksumAlgorithm: "CRC32"` on the
`CreateMultipartUpload` call. Now S3 expects CRC32 checksums on the
parts, the parts have CRC32 checksums → everything is consistent →
upload succeeds.

*TL;DR*
`yarn dedupe` upgraded `client-s3` but not `lib-storage`. The new
`client-s3` started adding CRC32 checksums to parts, but the old
`lib-storage` didn't declare CRC32 at multipart creation time. S3
rejected the mismatch. Fix: upgrade both packages together so they agree
on checksum behavior.
2026-02-13 18:03:55 +05:30
dependabot[bot]
41d7268af8
build(deps): bump next from 15.5.9 to 16.1.5 (#6160)
Bumps [next](https://github.com/vercel/next.js) from 15.5.9 to 16.1.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v16.1.5</h2>
<p>Please refer the following changelogs for more information about this
security release:</p>
<p><a
href="https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472">https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472</a>
<a
href="https://vercel.com/changelog/summary-of-cve-2026-23864">https://vercel.com/changelog/summary-of-cve-2026-23864</a></p>
<h2>v16.1.4</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Only filter next config if experimental flag is enabled (<a
href="https://redirect.github.com/vercel/next.js/issues/88733">#88733</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/mischnic"><code>@​mischnic</code></a> for
helping!</p>
<h2>v16.1.3</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Fix linked list bug in LRU deleteFromLru (<a
href="https://redirect.github.com/vercel/next.js/issues/88652">#88652</a>)</li>
<li>Fix relative same host redirects in node middleware (<a
href="https://redirect.github.com/vercel/next.js/issues/88253">#88253</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/acdlite"><code>@​acdlite</code></a> and <a
href="https://github.com/ijjk"><code>@​ijjk</code></a> for helping!</p>
<h2>v16.1.2</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Turbopack: Update to swc_core v50.2.3 (<a
href="https://redirect.github.com/vercel/next.js/issues/87841">#87841</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/88296">#88296</a>)
<ul>
<li>Fixes a crash when processing mdx files with multibyte characters.
(<a
href="https://redirect.github.com/vercel/next.js/issues/87713">#87713</a>)</li>
</ul>
</li>
<li>Turbopack: <a
href="https://microsoft.github.io/mimalloc/">mimalloc</a> upgrade and
enabling it on musl (<a
href="https://redirect.github.com/vercel/next.js/issues/88503">#88503</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/87815">#87815</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/88426">#88426</a>)
<ul>
<li>Fixes <a
href="https://redirect.github.com/vercel/next.js/pull/88426">a
significant performance issue</a> on musl-based Linux distributions
(e.g. Alpine in Docker) related to musl's allocator.</li>
<li>Other platforms have always used mimalloc, but we previously did not
use mimalloc on musl because of compilation issues that have since been
resolved.</li>
</ul>
</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/mischnic"><code>@​mischnic</code></a> for
helping!</p>
<h2>v16.1.1</h2>
<blockquote>
<p>[!NOTE]
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="acba4a6b9f"><code>acba4a6</code></a>
v16.1.5</li>
<li><a
href="e1d1fc6525"><code>e1d1fc6</code></a>
Add maximum size limit for postponed body parsing (<a
href="https://redirect.github.com/vercel/next.js/issues/88175">#88175</a>)</li>
<li><a
href="500ec83743"><code>500ec83</code></a>
fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (<a
href="https://redirect.github.com/vercel/next.js/issues/88588">#88588</a>)</li>
<li><a
href="1caaca3cdb"><code>1caaca3</code></a>
feat(next/image)!: add <code>images.maximumResponseBody</code> config
(<a
href="https://redirect.github.com/vercel/next.js/issues/88183">#88183</a>)</li>
<li><a
href="522ed840be"><code>522ed84</code></a>
Sync DoS mitigations for React Flight</li>
<li><a
href="8cad197c76"><code>8cad197</code></a>
[backport][cna] Ensure created app is not considered the workspace root
in pn...</li>
<li><a
href="27186615d7"><code>2718661</code></a>
Backport/docs fixes (<a
href="https://redirect.github.com/vercel/next.js/issues/89031">#89031</a>)</li>
<li><a
href="53336250b3"><code>5333625</code></a>
Backport/docs fixes 16.1.5 (<a
href="https://redirect.github.com/vercel/next.js/issues/88916">#88916</a>)</li>
<li><a
href="60de6c2114"><code>60de6c2</code></a>
v16.1.4</li>
<li><a
href="5f75d22b80"><code>5f75d22</code></a>
backport: Only filter next config if experimental flag is enabled (<a
href="https://redirect.github.com/vercel/next.js/issues/88733">#88733</a>)
(#...</li>
<li>Additional commits viewable in <a
href="https://github.com/vercel/next.js/compare/v15.5.9...v16.1.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=15.5.9&new-version=16.1.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-05 15:53:42 +01:00
dependabot[bot]
24632aea47
build(deps-dev): bump tar from 7.5.5 to 7.5.7 (#6158)
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.5 to 7.5.7.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4a37eb9a1c"><code>4a37eb9</code></a>
7.5.7</li>
<li><a
href="f4a7aa9bc3"><code>f4a7aa9</code></a>
fix: properly sanitize hard links containing ..</li>
<li><a
href="394ece6ad8"><code>394ece6</code></a>
7.5.6</li>
<li><a
href="7d4cc17c76"><code>7d4cc17</code></a>
fix race puting a Link ahead of its target File</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.5...v7.5.7">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tar&package-manager=npm_and_yarn&previous-version=7.5.5&new-version=7.5.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-02 22:12:55 +08:00
Merlijn Vos
850c1cb1c5
Add useImageEditor (#6122)
- Create image editor abstraction in `@uppy/components`
- Refactor `Editor` (Preact) and `ImageEditor` (Uppy plugin) to put all
methods in the Uppy plugin class so they can be reused by the headless
abstraction
- Create framework hooks for React, Vue, Svelte
- Update all examples to showcase the new hook
- Symlink the `cropper.scss` (just regular CSS) from
`@uppy/image-editor` into `@uppy/components`, update `build:css` in all
framework packages to copy that file too into their own `dist/` output.
- cropper-js needs basic CSS to do the rotations and stuff which would
be very tedious to write yourself so we ship that CSS file to consumers
too so they can just import it.
- Fix memory leak where we created the image on each render inside the
original Preact plugin UI

```ts
import type { UppyFile } from '@uppy/core'
import { useImageEditor } from '@uppy/react'

interface ImageEditorProps {
  file: UppyFile<any, any>
  close: () => void
}

export function ImageEditor({ file, close }: ImageEditorProps) {
  const {
    state,
    getImageProps,
    getSaveButtonProps,
    getCancelButtonProps,
    getRotateButtonProps,
    getFlipHorizontalButtonProps,
    getZoomButtonProps,
    getCropSquareButtonProps,
    getCropLandscapeButtonProps,
    getCropPortraitButtonProps,
    getResetButtonProps,
    getRotationSliderProps,
  } = useImageEditor({ file })

  return (
    <div className="p-4 max-w-2xl w-full">
      <div className="flex justify-between items-center mb-4">
        <h2 className="text-xl font-bold">Edit Image</h2>
        <button
          type="button"
          onClick={close}
          className="text-gray-500 hover:text-gray-700"
        >
          ✕
        </button>
      </div>

      <div className="mb-4">
        {/* biome-ignore lint/a11y/useAltText: alt is provided by getImageProps() */}
        <img
          className="w-full max-h-[400px] rounded-lg border-2"
          {...getImageProps()}
        />
      </div>

      <div className="mb-4">
        <label className="block text-sm font-medium mb-2">
          Fine Rotation: {state.angle}°
          <input className="w-full mt-1" {...getRotationSliderProps()} />
        </label>
      </div>

      <div className="flex gap-2 flex-wrap mb-4">
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getRotateButtonProps(-90)}
        >
          ↶ -90°
        </button>
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getRotateButtonProps(90)}
        >
          ↷ +90°
        </button>
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getFlipHorizontalButtonProps()}
        >
          ⇆ Flip
        </button>
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getZoomButtonProps(0.1)}
        >
          + Zoom
        </button>
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getZoomButtonProps(-0.1)}
        >
          - Zoom
        </button>
      </div>

      <div className="flex gap-2 flex-wrap mb-4">
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getCropSquareButtonProps()}
        >
          1:1
        </button>
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getCropLandscapeButtonProps()}
        >
          16:9
        </button>
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getCropPortraitButtonProps()}
        >
          9:16
        </button>
        <button
          className="bg-gray-200 px-3 py-1 rounded disabled:opacity-50"
          {...getResetButtonProps()}
        >
          Reset
        </button>
      </div>

      <div className="flex gap-4 justify-end">
        <button
          className="bg-gray-500 text-white px-4 py-2 rounded-md"
          {...getCancelButtonProps({ onClick: close })}
        >
          Cancel
        </button>
        <button
          className="bg-green-500 text-white px-4 py-2 rounded-md disabled:opacity-50 disabled:bg-green-300"
          {...getSaveButtonProps({ onClick: close })}
        >
          Save
        </button>
      </div>
    </div>
  )
}

export default ImageEditor

```


https://github.com/user-attachments/assets/4b0a99cc-8489-41a2-aa3b-ce88110025bf

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2026-01-29 11:13:12 +01:00
dependabot[bot]
09bf6857a1
build(deps): bump lodash from 4.17.21 to 4.17.23 (#6152)
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to
4.17.23.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="dec55b7a3b"><code>dec55b7</code></a>
Bump main to v4.17.23 (<a
href="https://redirect.github.com/lodash/lodash/issues/6088">#6088</a>)</li>
<li><a
href="19c9251b36"><code>19c9251</code></a>
fix: setCacheHas JSDoc return type should be boolean (<a
href="https://redirect.github.com/lodash/lodash/issues/6071">#6071</a>)</li>
<li><a
href="b5e672995a"><code>b5e6729</code></a>
jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (<a
href="https://redirect.github.com/lodash/lodash/issues/6062">#6062</a>)</li>
<li><a
href="edadd45214"><code>edadd45</code></a>
Prevent prototype pollution on baseUnset function</li>
<li><a
href="4879a7a7d0"><code>4879a7a</code></a>
doc: fix autoLink function, conversion of source links (<a
href="https://redirect.github.com/lodash/lodash/issues/6056">#6056</a>)</li>
<li><a
href="9648f692b0"><code>9648f69</code></a>
chore: remove <code>yarn.lock</code> file (<a
href="https://redirect.github.com/lodash/lodash/issues/6053">#6053</a>)</li>
<li><a
href="dfa407db0b"><code>dfa407d</code></a>
ci: remove legacy configuration files (<a
href="https://redirect.github.com/lodash/lodash/issues/6052">#6052</a>)</li>
<li><a
href="156e1965ae"><code>156e196</code></a>
feat: add renovate setup (<a
href="https://redirect.github.com/lodash/lodash/issues/6039">#6039</a>)</li>
<li><a
href="933e1061b8"><code>933e106</code></a>
ci: add pipeline for Bun (<a
href="https://redirect.github.com/lodash/lodash/issues/6023">#6023</a>)</li>
<li><a
href="072a807ff7"><code>072a807</code></a>
docs: update links related to Open JS Foundation (<a
href="https://redirect.github.com/lodash/lodash/issues/5968">#5968</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lodash/lodash/compare/4.17.21...4.17.23">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=lodash&package-manager=npm_and_yarn&previous-version=4.17.21&new-version=4.17.23)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-26 15:01:18 +01:00
dependabot[bot]
877b2f8607
build(deps-dev): bump tar from 7.5.3 to 7.5.4 (#6149)
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.3 to 7.5.4.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="911c886bb1"><code>911c886</code></a>
7.5.4</li>
<li><a
href="3b1abfae65"><code>3b1abfa</code></a>
normalize out unicode ligatures</li>
<li><a
href="a43478c5c5"><code>a43478c</code></a>
remove some unused files</li>
<li><a
href="970c58f6d3"><code>970c58f</code></a>
update deps</li>
<li><a
href="bb21974894"><code>bb21974</code></a>
update changelog</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.3...v7.5.4">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tar&package-manager=npm_and_yarn&previous-version=7.5.3&new-version=7.5.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-21 10:21:13 +01:00
Merlijn Vos
efda84cc23
@uppy/transloadit: use lighter types package (#6147)
We don't need to drag in the entire SDK just for types.
2026-01-19 11:18:43 +01:00
dependabot[bot]
ce39081512
build(deps-dev): bump tar from 6.2.1 to 7.5.3 (#6146)
Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.1 to 7.5.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md">tar's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>7.5</h2>
<ul>
<li>Added <code>zstd</code> compression support.</li>
</ul>
<h2>7.4</h2>
<ul>
<li>Deprecate <code>onentry</code> in favor of <code>onReadEntry</code>
for clarity.</li>
</ul>
<h2>7.3</h2>
<ul>
<li>Add <code>onWriteEntry</code> option</li>
</ul>
<h2>7.2</h2>
<ul>
<li>DRY the command definitions into a single <code>makeCommand</code>
method,
and update the type signatures to more appropriately infer the
return type from the options and arguments provided.</li>
</ul>
<h2>7.1</h2>
<ul>
<li>Update minipass to v7.1.0</li>
<li>Update the type definitions of <code>write()</code> and
<code>end()</code> methods on
<code>Unpack</code> and <code>Parser</code> classes to be compatible
with the
NodeJS.WritableStream type in the latest versions of
<code>@types/node</code>.</li>
</ul>
<h2>7.0</h2>
<ul>
<li>Drop support for node &lt;18</li>
<li>Rewrite in TypeScript, provide ESM and CommonJS hybrid
interface</li>
<li>Add tree-shake friendly exports, like
<code>import('tar/create')</code>
and <code>import('tar/read-entry')</code> to get individual functions or
classes.</li>
<li>Add <code>chmod</code> option that defaults to false, and deprecate
<code>noChmod</code>. That is, reverse the default option regarding
explicitly setting file system modes to match tar entry
settings.</li>
<li>Add <code>processUmask</code> option to avoid having to call
<code>process.umask()</code> when <code>chmod: true</code> (or
<code>noChmod: false</code>) is
set.</li>
</ul>
<h2>6.2</h2>
<ul>
<li>Add support for brotli compression</li>
<li>Add <code>maxDepth</code> option to prevent extraction into
excessively
deep folders.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="03138441b2"><code>0313844</code></a>
7.5.3</li>
<li><a
href="340eb285b6"><code>340eb28</code></a>
fix: sanitize absolute linkpaths properly</li>
<li><a
href="8bb83f7e51"><code>8bb83f7</code></a>
update deps</li>
<li><a
href="1c4aedd28a"><code>1c4aedd</code></a>
Fix typo in onWriteEntry documentation</li>
<li><a
href="d9ea73a9b3"><code>d9ea73a</code></a>
7.5.2</li>
<li><a
href="5e1a8e6386"><code>5e1a8e6</code></a>
Fix sync tar.list when file size reduces while reading</li>
<li><a
href="0fbeaeddf5"><code>0fbeaed</code></a>
formatting</li>
<li><a
href="2dbacfe339"><code>2dbacfe</code></a>
add types for make-tar util</li>
<li><a
href="c5865d3120"><code>c5865d3</code></a>
remove unused taprc file</li>
<li><a
href="bdb38096af"><code>bdb3809</code></a>
header: only read from ustar block if not specified in Pax</li>
<li>Additional commits viewable in <a
href="https://github.com/isaacs/node-tar/compare/v6.2.1...v7.5.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tar&package-manager=npm_and_yarn&previous-version=6.2.1&new-version=7.5.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-17 14:41:06 +01:00
dependabot[bot]
b3d9ef5cce
build(deps-dev): bump @sveltejs/kit from 2.20.7 to 2.49.5 (#6143)
Bumps
[@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit)
from 2.20.7 to 2.49.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/releases"><code>@​sveltejs/kit</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.49.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid overriding Vite default <code>base</code> when running
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/14866">#14866</a>)</p>
</li>
<li>
<p>fix: ensure url decoded pathnames are not mistaken as rerouted
requests (<a
href="d9ae9b00b1"><code>d9ae9b0</code></a>)</p>
</li>
<li>
<p>fix: add length checks to remote forms (<a
href="8ed8155215"><code>8ed8155</code></a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.49.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: support instrumentation for <code>vite preview</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15105">#15105</a>)</p>
</li>
<li>
<p>fix: support for <code>URLSearchParams.has(name, value)</code>
overload (<a
href="https://redirect.github.com/sveltejs/kit/pull/15076">#15076</a>)</p>
</li>
<li>
<p>fix: put forking behind <code>experimental.forkPreloads</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15135">#15135</a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.49.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid false-positive Vite config overridden warning when using
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/15121">#15121</a>)</p>
</li>
<li>
<p>fix: add <code>typescript</code> as an optional peer dependency (<a
href="https://redirect.github.com/sveltejs/kit/pull/15074">#15074</a>)</p>
</li>
<li>
<p>fix: use hasOwn check when deep-setting object properties (<a
href="https://redirect.github.com/sveltejs/kit/pull/15127">#15127</a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.49.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: Stop re-loading already-loaded CSS during server-side route
resolution (<a
href="https://redirect.github.com/sveltejs/kit/pull/15014">#15014</a>)</p>
</li>
<li>
<p>fix: posixify the instrumentation file import on Windows (<a
href="https://redirect.github.com/sveltejs/kit/pull/14993">#14993</a>)</p>
</li>
<li>
<p>fix: Correctly handle shared memory when decoding binary form data
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15028">#15028</a>)</p>
</li>
</ul>
<h2><code>@​sveltejs/kit</code><a
href="https://github.com/2"><code>@​2</code></a>.49.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>fix: suppress <code>state_referenced_locally</code> warnings in
<code>.svelte-kit/generated/root.svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15013">#15013</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@​sveltejs/kit</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>2.49.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid overriding Vite default <code>base</code> when running
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/14866">#14866</a>)</p>
</li>
<li>
<p>fix: ensure url decoded pathnames are not mistaken as rerouted
requests (<a
href="d9ae9b00b1"><code>d9ae9b0</code></a>)</p>
</li>
<li>
<p>fix: add length checks to remote forms (<a
href="8ed8155215"><code>8ed8155</code></a>)</p>
</li>
</ul>
<h2>2.49.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: support instrumentation for <code>vite preview</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15105">#15105</a>)</p>
</li>
<li>
<p>fix: support for <code>URLSearchParams.has(name, value)</code>
overload (<a
href="https://redirect.github.com/sveltejs/kit/pull/15076">#15076</a>)</p>
</li>
<li>
<p>fix: put forking behind <code>experimental.forkPreloads</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15135">#15135</a>)</p>
</li>
</ul>
<h2>2.49.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid false-positive Vite config overridden warning when using
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/15121">#15121</a>)</p>
</li>
<li>
<p>fix: add <code>typescript</code> as an optional peer dependency (<a
href="https://redirect.github.com/sveltejs/kit/pull/15074">#15074</a>)</p>
</li>
<li>
<p>fix: use hasOwn check when deep-setting object properties (<a
href="https://redirect.github.com/sveltejs/kit/pull/15127">#15127</a>)</p>
</li>
</ul>
<h2>2.49.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: Stop re-loading already-loaded CSS during server-side route
resolution (<a
href="https://redirect.github.com/sveltejs/kit/pull/15014">#15014</a>)</p>
</li>
<li>
<p>fix: posixify the instrumentation file import on Windows (<a
href="https://redirect.github.com/sveltejs/kit/pull/14993">#14993</a>)</p>
</li>
<li>
<p>fix: Correctly handle shared memory when decoding binary form data
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15028">#15028</a>)</p>
</li>
</ul>
<h2>2.49.1</h2>
<h3>Patch Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="80ffb53382"><code>80ffb53</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15162">#15162</a>)</li>
<li><a
href="8ed8155215"><code>8ed8155</code></a>
Merge commit from fork</li>
<li><a
href="d9ae9b00b1"><code>d9ae9b0</code></a>
Merge commit from fork</li>
<li><a
href="ec4596a066"><code>ec4596a</code></a>
chore: Upgrade devalue (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15172">#15172</a>)</li>
<li><a
href="81cd545dd7"><code>81cd545</code></a>
fix: avoid overriding Vite default <code>base</code> when running Vitest
4 (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/14866">#14866</a>)</li>
<li><a
href="6cf9491ccd"><code>6cf9491</code></a>
chore: remove unused is_http_method helper and method set to (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15152">#15152</a>)</li>
<li><a
href="3305022433"><code>3305022</code></a>
Revert &quot;breaking: remove <code>buttonProps</code> from experimental
remote form function...</li>
<li><a
href="4f9870dd9d"><code>4f9870d</code></a>
breaking: remove <code>buttonProps</code> from experimental remote form
functions (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/14622">#14622</a>)</li>
<li><a
href="c8e4017c3c"><code>c8e4017</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15129">#15129</a>)</li>
<li><a
href="50bf727f59"><code>50bf727</code></a>
chore: fix prettier ignoring source code in with build in the name (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15133">#15133</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.49.5/packages/kit">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for <code>@​sveltejs/kit</code> since your
current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@sveltejs/kit&package-manager=npm_and_yarn&previous-version=2.20.7&new-version=2.49.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-16 10:46:30 +01:00
Merlijn Vos
ca9214d67b
Upgrade yarn (#6133) 2026-01-12 11:39:20 +01:00
Merlijn Vos
e6e1466ac8
Fix useless security warnings (#6132)
We are not vulnerable but we keep getting warning about it so let's
updrade deps regardless
2026-01-12 11:16:15 +01:00
dependabot[bot]
3c159b1740
build(deps): bump @angular/compiler from 19.2.17 to 19.2.18 (#6128)
Bumps
[@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler)
from 19.2.17 to 19.2.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/releases"><code>@​angular/compiler</code>'s
releases</a>.</em></p>
<blockquote>
<h2>19.2.18</h2>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c"><img
src="https://img.shields.io/badge/26cdc53d9c-fix-green" alt="fix -
26cdc53d9c" /></a></td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/blob/main/CHANGELOG.md"><code>@​angular/compiler</code>'s
changelog</a>.</em></p>
<blockquote>
<h1>19.2.18 (2026-01-07)</h1>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c">26cdc53d9c</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.0.7 (2026-01-07)</h1>
<h3>compiler</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="8e808740c9">8e808740c9</a></td>
<td>fix</td>
<td>better types for a few expression AST nodes</td>
</tr>
<tr>
<td><a
href="63b1cdcf70">63b1cdcf70</a></td>
<td>fix</td>
<td>produce accurate span for typeof and void expressions</td>
</tr>
<tr>
<td><a
href="3c3ae0cb64">3c3ae0cb64</a></td>
<td>fix</td>
<td>provide location information for literal map keys</td>
</tr>
<tr>
<td><a
href="523dbaf1c3">523dbaf1c3</a></td>
<td>fix</td>
<td>stop ThisReceiver inheritance from ImplicitReceiver</td>
</tr>
</tbody>
</table>
<h3>compiler-cli</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="4d9c4567ed">4d9c4567ed</a></td>
<td>fix</td>
<td>ensure component import diagnostics are reported within the
<code>imports</code> expression</td>
</tr>
<tr>
<td><a
href="cd405685af">cd405685af</a></td>
<td>fix</td>
<td>fix up spelling of diagnostic</td>
</tr>
<tr>
<td><a
href="778460fcca">778460fcca</a></td>
<td>fix</td>
<td>support qualified names in <code>typeof</code> type references</td>
</tr>
</tbody>
</table>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="7c74674eb0">7c74674eb0</a></td>
<td>fix</td>
<td>avoid leaking view data in animations</td>
</tr>
<tr>
<td><a
href="0edbee4550">0edbee4550</a></td>
<td>fix</td>
<td>explicitly cast signal node value to String</td>
</tr>
<tr>
<td><a
href="f9c29572d2">f9c29572d2</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<h3>forms</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="e3fba182f9">e3fba182f9</a></td>
<td>feat</td>
<td>add <code>[formField]</code> directive</td>
</tr>
<tr>
<td><a
href="561772b152">561772b152</a></td>
<td>fix</td>
<td>allow custom controls to require <code>dirty</code> input</td>
</tr>
<tr>
<td><a
href="f0fb1d8581">f0fb1d8581</a></td>
<td>fix</td>
<td>allow custom controls to require <code>hidden</code> input</td>
</tr>
<tr>
<td><a
href="ec110f170b">ec110f170b</a></td>
<td>fix</td>
<td>allow custom controls to require <code>pending</code> input</td>
</tr>
<tr>
<td><a
href="ae1dc16bb0">ae1dc16bb0</a></td>
<td>fix</td>
<td>clean up abort listener after timeout</td>
</tr>
<tr>
<td><a
href="9748b0d5da">9748b0d5da</a></td>
<td>fix</td>
<td>support custom controls with non signal-based models</td>
</tr>
<tr>
<td><a
href="6bd22df987">6bd22df987</a></td>
<td>fix</td>
<td>Support readonly arrays in signal forms</td>
</tr>
</tbody>
</table>
<h3>router</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="41cd4a6af8">41cd4a6af8</a></td>
<td>fix</td>
<td>Fix RouterLink href not updating with
<code>queryParamsHandling</code></td>
</tr>
<tr>
<td><a
href="5e9e09aee0">5e9e09aee0</a></td>
<td>fix</td>
<td>handle errors from view transition <code>updateCallbackDone</code>
promise</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.1.0-next.4 (2025-12-17)</h1>
<h2>Breaking Changes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="26cdc53d9c"><code>26cdc53</code></a>
fix(core): sanitize sensitive attributes on SVG script elements</li>
<li>See full diff in <a
href="https://github.com/angular/angular/commits/v19.2.18/packages/compiler">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/compiler&package-manager=npm_and_yarn&previous-version=19.2.17&new-version=19.2.18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-12 11:13:45 +01:00
dependabot[bot]
71e8a56127
build(deps): bump @angular/core from 19.2.17 to 19.2.18 (#6129)
Bumps
[@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core)
from 19.2.17 to 19.2.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/releases"><code>@​angular/core</code>'s
releases</a>.</em></p>
<blockquote>
<h2>19.2.18</h2>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c"><img
src="https://img.shields.io/badge/26cdc53d9c-fix-green" alt="fix -
26cdc53d9c" /></a></td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/blob/main/CHANGELOG.md"><code>@​angular/core</code>'s
changelog</a>.</em></p>
<blockquote>
<h1>19.2.18 (2026-01-07)</h1>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c">26cdc53d9c</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.0.7 (2026-01-07)</h1>
<h3>compiler</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="8e808740c9">8e808740c9</a></td>
<td>fix</td>
<td>better types for a few expression AST nodes</td>
</tr>
<tr>
<td><a
href="63b1cdcf70">63b1cdcf70</a></td>
<td>fix</td>
<td>produce accurate span for typeof and void expressions</td>
</tr>
<tr>
<td><a
href="3c3ae0cb64">3c3ae0cb64</a></td>
<td>fix</td>
<td>provide location information for literal map keys</td>
</tr>
<tr>
<td><a
href="523dbaf1c3">523dbaf1c3</a></td>
<td>fix</td>
<td>stop ThisReceiver inheritance from ImplicitReceiver</td>
</tr>
</tbody>
</table>
<h3>compiler-cli</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="4d9c4567ed">4d9c4567ed</a></td>
<td>fix</td>
<td>ensure component import diagnostics are reported within the
<code>imports</code> expression</td>
</tr>
<tr>
<td><a
href="cd405685af">cd405685af</a></td>
<td>fix</td>
<td>fix up spelling of diagnostic</td>
</tr>
<tr>
<td><a
href="778460fcca">778460fcca</a></td>
<td>fix</td>
<td>support qualified names in <code>typeof</code> type references</td>
</tr>
</tbody>
</table>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="7c74674eb0">7c74674eb0</a></td>
<td>fix</td>
<td>avoid leaking view data in animations</td>
</tr>
<tr>
<td><a
href="0edbee4550">0edbee4550</a></td>
<td>fix</td>
<td>explicitly cast signal node value to String</td>
</tr>
<tr>
<td><a
href="f9c29572d2">f9c29572d2</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<h3>forms</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="e3fba182f9">e3fba182f9</a></td>
<td>feat</td>
<td>add <code>[formField]</code> directive</td>
</tr>
<tr>
<td><a
href="561772b152">561772b152</a></td>
<td>fix</td>
<td>allow custom controls to require <code>dirty</code> input</td>
</tr>
<tr>
<td><a
href="f0fb1d8581">f0fb1d8581</a></td>
<td>fix</td>
<td>allow custom controls to require <code>hidden</code> input</td>
</tr>
<tr>
<td><a
href="ec110f170b">ec110f170b</a></td>
<td>fix</td>
<td>allow custom controls to require <code>pending</code> input</td>
</tr>
<tr>
<td><a
href="ae1dc16bb0">ae1dc16bb0</a></td>
<td>fix</td>
<td>clean up abort listener after timeout</td>
</tr>
<tr>
<td><a
href="9748b0d5da">9748b0d5da</a></td>
<td>fix</td>
<td>support custom controls with non signal-based models</td>
</tr>
<tr>
<td><a
href="6bd22df987">6bd22df987</a></td>
<td>fix</td>
<td>Support readonly arrays in signal forms</td>
</tr>
</tbody>
</table>
<h3>router</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="41cd4a6af8">41cd4a6af8</a></td>
<td>fix</td>
<td>Fix RouterLink href not updating with
<code>queryParamsHandling</code></td>
</tr>
<tr>
<td><a
href="5e9e09aee0">5e9e09aee0</a></td>
<td>fix</td>
<td>handle errors from view transition <code>updateCallbackDone</code>
promise</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.1.0-next.4 (2025-12-17)</h1>
<h2>Breaking Changes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="26cdc53d9c"><code>26cdc53</code></a>
fix(core): sanitize sensitive attributes on SVG script elements</li>
<li>See full diff in <a
href="https://github.com/angular/angular/commits/v19.2.18/packages/core">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@angular/core&package-manager=npm_and_yarn&previous-version=19.2.17&new-version=19.2.18)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-12 10:59:23 +01:00
dependabot[bot]
20fce4cc34
build(deps): bump react-router from 7.8.2 to 7.12.0 (#6127)
Bumps
[react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router)
from 7.8.2 to 7.12.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/remix-run/react-router/releases">react-router's
releases</a>.</em></p>
<blockquote>
<h2>v7.12.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120</a></p>
<h2>v7.11.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110</a></p>
<h2>v7.10.1</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101</a></p>
<h2>v7.10.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100</a></p>
<h2>v7.9.6</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796</a></p>
<h2>v7.9.5</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795</a></p>
<h2>v7.9.4</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794</a></p>
<h2>v7.9.3</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793</a></p>
<h2>v7.9.2</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792</a></p>
<h2>v7.9.1</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791</a></p>
<h2>v7.9.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's
changelog</a>.</em></p>
<blockquote>
<h2>7.12.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>Add additional layer of CSRF protection by rejecting submissions to
UI routes from external origins. If you need to permit access to
specific external origins, you can specify them in the
<code>react-router.config.ts</code> config
<code>allowedActionOrigins</code> field. (<a
href="https://redirect.github.com/remix-run/react-router/pull/14708">#14708</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>Fix <code>generatePath</code> when used with suffixed params (i.e.,
&quot;/books/:id.json&quot;) (<a
href="https://redirect.github.com/remix-run/react-router/pull/14269">#14269</a>)</p>
</li>
<li>
<p>Export <code>UNSAFE_createMemoryHistory</code> and
<code>UNSAFE_createHashHistory</code> alongside
<code>UNSAFE_createBrowserHistory</code> for consistency. These are not
intended to be used for new apps but intended to help apps usiong
<code>unstable_HistoryRouter</code> migrate from v6-&gt;v7 so they can
adopt the newer APIs. (<a
href="https://redirect.github.com/remix-run/react-router/pull/14663">#14663</a>)</p>
</li>
<li>
<p>Escape HTML in scroll restoration keys (<a
href="https://redirect.github.com/remix-run/react-router/pull/14705">#14705</a>)</p>
</li>
<li>
<p>Validate redirect locations (<a
href="https://redirect.github.com/remix-run/react-router/pull/14706">#14706</a>)</p>
</li>
<li>
<p>[UNSTABLE] Pass <code>&lt;Scripts nonce&gt;</code> value through to
the underlying <code>importmap</code> <code>script</code> tag when using
<code>future.unstable_subResourceIntegrity</code> (<a
href="https://redirect.github.com/remix-run/react-router/pull/14675">#14675</a>)</p>
</li>
<li>
<p>[UNSTABLE] Add a new
<code>future.unstable_trailingSlashAwareDataRequests</code> flag to
provide consistent behavior of <code>request.pathname</code> inside
<code>middleware</code>, <code>loader</code>, and <code>action</code>
functions on document and data requests when a trailing slash is present
in the browser URL. (<a
href="https://redirect.github.com/remix-run/react-router/pull/14644">#14644</a>)</p>
<p>Currently, your HTTP and <code>request</code> pathnames would be as
follows for <code>/a/b/c</code> and <code>/a/b/c/</code></p>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname`</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c</code></td>
<td><code>/a/b/c</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c.data</code></td>
<td><code>/a/b/c</code> </td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c/</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname`</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c/</code></td>
<td><code>/a/b/c/</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c.data</code></td>
<td><code>/a/b/c</code> ⚠️</td>
</tr>
</tbody>
</table>
<p>With this flag enabled, these pathnames will be made consistent
though a new <code>_.data</code> format for client-side
<code>.data</code> requests:</p>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname`</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c</code></td>
<td><code>/a/b/c</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c.data</code></td>
<td><code>/a/b/c</code> </td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c/</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname`</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c/</code></td>
<td><code>/a/b/c/</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c/_.data</code> ⬅️</td>
<td><code>/a/b/c/</code> </td>
</tr>
</tbody>
</table>
<p>This a bug fix but we are putting it behind an opt-in flag because it
has the potential to be a &quot;breaking bug fix&quot; if you are
relying on the URL format for any other application or caching
logic.</p>
<p>Enabling this flag also changes the format of client side
<code>.data</code> requests from <code>/_root.data</code> to
<code>/_.data</code> when navigating to <code>/</code> to align with the
new format. This does not impact the <code>request</code> pathname which
is still <code>/</code> in all cases.</p>
</li>
<li>
<p>Preserve <code>clientLoader.hydrate=true</code> when using
<code>&lt;HydratedRouter unstable_instrumentations&gt;</code> (<a
href="https://redirect.github.com/remix-run/react-router/pull/14674">#14674</a>)</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="26653a6bcb"><code>26653a6</code></a>
chore: Update version for release (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14712">#14712</a>)</li>
<li><a
href="7ac2346873"><code>7ac2346</code></a>
chore: Update version for release (pre) (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14709">#14709</a>)</li>
<li><a
href="75b1ef5086"><code>75b1ef5</code></a>
Add origin checks for UI route submissions (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14708">#14708</a>)</li>
<li><a
href="c05ef936fd"><code>c05ef93</code></a>
Validate redirect locations (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14706">#14706</a>)</li>
<li><a
href="c89c32c562"><code>c89c32c</code></a>
Escape HTML in scroll restoration keys (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14705">#14705</a>)</li>
<li><a
href="cbcbf3091b"><code>cbcbf30</code></a>
fix: pass nonce to importmap script when using subResourceIntegrity (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14675">#14675</a>)</li>
<li><a
href="30f6c1d814"><code>30f6c1d</code></a>
fix(react-router): handle parameters with static suffixes in
generatePath (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/1">#1</a>...</li>
<li><a
href="7f140e098e"><code>7f140e0</code></a>
Handle data requests with trailing slash consistently (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14644">#14644</a>)</li>
<li><a
href="1954af6374"><code>1954af6</code></a>
Preserve hydrate property on client loaders during instrumentation (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14674">#14674</a>)</li>
<li><a
href="5ce5cd4ebf"><code>5ce5cd4</code></a>
chore: format</li>
<li>Additional commits viewable in <a
href="https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for react-router since your current
version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=react-router&package-manager=npm_and_yarn&previous-version=7.8.2&new-version=7.12.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-09 09:09:39 +01:00
dependabot[bot]
fd8f54f542
build(deps): bump preact from 10.26.9 to 10.26.10 (#6123)
Bumps [preact](https://github.com/preactjs/preact) from 10.26.9 to
10.26.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/preactjs/preact/releases">preact's
releases</a>.</em></p>
<blockquote>
<h2>10.26.10</h2>
<h2>Fixes</h2>
<ul>
<li>Enforce strict equality for VNode object constructors</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e6f88b0842"><code>e6f88b0</code></a>
10.26.10</li>
<li><a
href="c373f23c48"><code>c373f23</code></a>
10.26 strict equality (<a
href="https://redirect.github.com/preactjs/preact/issues/4988">#4988</a>)</li>
<li><a
href="d008a1a242"><code>d008a1a</code></a>
10.26.x</li>
<li>See full diff in <a
href="https://github.com/preactjs/preact/compare/10.26.9...10.26.10">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=preact&package-manager=npm_and_yarn&previous-version=10.26.9&new-version=10.26.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-08 12:00:59 +01:00
dependabot[bot]
101fd8ca84
build(deps): bump next from 15.5.7 to 15.5.9 (#6104)
Bumps [next](https://github.com/vercel/next.js) from 15.5.7 to 15.5.9.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v15.5.9</h2>
<p>Please see the <a
href="https://nextjs.org/blog/security-update-2025-12-11">Next.js
Security Update</a> for information about this security patch.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c5de33e93c"><code>c5de33e</code></a>
v15.5.9</li>
<li><a
href="dd233994ae"><code>dd23399</code></a>
Backport <a
href="https://redirect.github.com/facebook/react/issues/35351">facebook/react#35351</a>
for 15.5.8 (<a
href="https://redirect.github.com/vercel/next.js/issues/87086">#87086</a>)</li>
<li><a
href="7526cd6f24"><code>7526cd6</code></a>
v15.5.8</li>
<li><a
href="1e9ec4133a"><code>1e9ec41</code></a>
Update React Version (<a
href="https://redirect.github.com/vercel/next.js/issues/41">#41</a>)</li>
<li><a
href="16141e5df9"><code>16141e5</code></a>
Update React Version (<a
href="https://redirect.github.com/vercel/next.js/issues/30">#30</a>)</li>
<li><a
href="e01e589e18"><code>e01e589</code></a>
Backport Next.js changes to v15.5.8 (<a
href="https://redirect.github.com/vercel/next.js/issues/23">#23</a>)</li>
<li><a
href="b2706db1e6"><code>b2706db</code></a>
lock binaries</li>
<li>See full diff in <a
href="https://github.com/vercel/next.js/compare/v15.5.7...v15.5.9">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=15.5.7&new-version=15.5.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-12 09:38:32 +01:00
Merlijn Vos
943ed7ad56
Upgrade playwright in all packages (#6086)
To resolve security advisories. Should be merged after #6085 

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Upgrades Playwright to 1.57.0 across examples and packages, updating
corresponding yarn.lock entries.
> 
> - **Dependencies**:
> - Bump `playwright` to `1.57.0` in `examples/react/package.json`,
`examples/sveltekit/package.json`, `examples/vue/package.json`,
`packages/@uppy/dashboard/package.json`, and
`packages/@uppy/url/package.json`.
> - Update `yarn.lock` to `playwright@1.57.0` and
`playwright-core@1.57.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fa35f7b7ea. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-05 10:27:58 +01:00
dependabot[bot]
78d0c28079
build(deps): bump jws from 3.2.2 to 3.2.3 (#6091)
Bumps [jws](https://github.com/brianloveswords/node-jws) from 3.2.2 to
3.2.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/brianloveswords/node-jws/releases">jws's
releases</a>.</em></p>
<blockquote>
<h2>v3.2.3</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 1.4.2, addressing a compatibility issue for
Node &gt;= 25.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/auth0/node-jws/blob/master/CHANGELOG.md">jws's
changelog</a>.</em></p>
<blockquote>
<h2>[3.2.3]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 1.4.2, adressing a compatibility issue for
Node &gt;= 25.</li>
</ul>
<h2>[3.0.0]</h2>
<h3>Changed</h3>
<ul>
<li><strong>BREAKING</strong>: <code>jwt.verify</code> now requires an
<code>algorithm</code> parameter, and
<code>jws.createVerify</code> requires an <code>algorithm</code> option.
The <code>&quot;alg&quot;</code> field
signature headers is ignored. This mitigates a critical security flaw
in the library which would allow an attacker to generate signatures with
arbitrary contents that would be accepted by <code>jwt.verify</code>.
See
<a
href="https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/">https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/</a>
for details.</li>
</ul>
<h2><a
href="https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0">2.0.0</a>
- 2015-01-30</h2>
<h3>Changed</h3>
<ul>
<li>
<p><strong>BREAKING</strong>: Default payload encoding changed from
<code>binary</code> to
<code>utf8</code>. <code>utf8</code> is a is a more sensible default
than <code>binary</code> because
many payloads, as far as I can tell, will contain user-facing
strings that could be in any language. (<!-- raw HTML omitted --><a
href="6b6de48">6b6de48</a><!--
raw HTML omitted -->)</p>
</li>
<li>
<p>Code reorganization, thanks <a
href="https://github.com/fearphage"><code>@​fearphage</code></a>! (<!--
raw HTML omitted --><a
href="7880050">7880050</a><!--
raw HTML omitted -->)</p>
</li>
</ul>
<h3>Added</h3>
<ul>
<li>Option in all relevant methods for <code>encoding</code>. For those
few users
that might be depending on a <code>binary</code> encoding of the
messages, this
is for them. (<!-- raw HTML omitted --><a
href="6b6de48">6b6de48</a><!--
raw HTML omitted -->)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4f6e73f24d"><code>4f6e73f</code></a>
Merge commit from fork</li>
<li><a
href="bd0fea57f3"><code>bd0fea5</code></a>
version 3.2.3</li>
<li><a
href="7c3b4b4110"><code>7c3b4b4</code></a>
Enhance tests for HMAC streaming sign and verify</li>
<li><a
href="a9b8ed999d"><code>a9b8ed9</code></a>
Improve secretOrKey initialization in VerifyStream</li>
<li><a
href="6707fde62c"><code>6707fde</code></a>
Improve secret handling in SignStream</li>
<li>See full diff in <a
href="https://github.com/brianloveswords/node-jws/compare/v3.2.2...v3.2.3">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a
new releaser for jws since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jws&package-manager=npm_and_yarn&previous-version=3.2.2&new-version=3.2.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-05 10:24:58 +01:00
Merlijn Vos
3c3034b408
Dedupe dependencies (#6085)
With `yarn dedupe`. New type error surfaced due to new types getting
loaded.


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Dedupes dependencies and updates code: aligns S3 presign tests with
checksum behavior, narrows HMAC key type, tweaks AudioOscilloscope
buffer typing, and simplifies Tus success logging.
> 
> - **AWS S3**:
> - Tests: add `requestChecksumCalculation` (from
`@aws-sdk/middleware-flexible-checksums`) to `S3Client` options to match
presign behavior.
> - Impl: change `generateHmacKey` signature to accept `string |
ArrayBuffer` (remove `Uint8Array`).
> - **Audio**:
> - `AudioOscilloscope`: change `dataArray` type to
`Uint8Array<ArrayBuffer>`.
> - **Tus**:
> - Simplify success log to `Download <url>` (remove file name
extraction).
> - **Dependencies**:
>   - Deduplicate/upgrade various packages in lockfile.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5b95865a7c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-05 10:22:11 +01:00
dependabot[bot]
e4558362b8
build(deps): bump next from 15.5.2 to 15.5.7 (#6088)
Bumps [next](https://github.com/vercel/next.js) from 15.5.2 to 15.5.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v15.5.7</h2>
<p>Please see <a
href="https://nextjs.org/blog/CVE-2025-66478">CVE-2025-66478</a> for
additional details about this release.</p>
<h2>v15.5.6</h2>
<blockquote>
<p>[!NOTE]<br />
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Turbopack: don't define process.cwd() in node_modules <a
href="https://redirect.github.com/vercel/next.js/issues/83452">#83452</a></li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/mischnic"><code>@​mischnic</code></a> for
helping!</p>
<h2>v15.5.5</h2>
<blockquote>
<p>[!NOTE]<br />
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Split code-frame into separate compiled package (<a
href="https://redirect.github.com/vercel/next.js/issues/84238">#84238</a>)</li>
<li>Add deprecation warning to Runtime config (<a
href="https://redirect.github.com/vercel/next.js/issues/84650">#84650</a>)</li>
<li>fix: unstable_cache should perform blocking revalidation during ISR
revalidation (<a
href="https://redirect.github.com/vercel/next.js/issues/84716">#84716</a>)</li>
<li>feat: <code>experimental.middlewareClientMaxBodySize</code> body
cloning limit (<a
href="https://redirect.github.com/vercel/next.js/issues/84722">#84722</a>)</li>
<li>fix: missing next/link types with typedRoutes (<a
href="https://redirect.github.com/vercel/next.js/issues/84779">#84779</a>)</li>
</ul>
<h3>Misc Changes</h3>
<ul>
<li>docs: early October improvements and fixes (<a
href="https://redirect.github.com/vercel/next.js/issues/84334">#84334</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/devjiwonchoi"><code>@​devjiwonchoi</code></a>,
<a href="https://github.com/ztanner"><code>@​ztanner</code></a>, and <a
href="https://github.com/icyJoseph"><code>@​icyJoseph</code></a> for
helping!</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3eaf68b09b"><code>3eaf68b</code></a>
v15.5.7</li>
<li><a
href="8367ce592a"><code>8367ce5</code></a>
update version script</li>
<li><a
href="9115040008"><code>9115040</code></a>
Update React Version for Next.js 15.5.7 (<a
href="https://redirect.github.com/vercel/next.js/issues/10">#10</a>)</li>
<li><a
href="96f699902a"><code>96f6999</code></a>
update tag</li>
<li><a
href="55ef0e3ebc"><code>55ef0e3</code></a>
v15.5.6</li>
<li><a
href="92bbbb1bec"><code>92bbbb1</code></a>
Backport: don't define <code>process.cwd()</code> in node_modules (<a
href="https://redirect.github.com/vercel/next.js/issues/84957">#84957</a>)</li>
<li><a
href="f895b72762"><code>f895b72</code></a>
Fix url-imports test on 15-5 (<a
href="https://redirect.github.com/vercel/next.js/issues/84966">#84966</a>)</li>
<li><a
href="81f530db26"><code>81f530d</code></a>
v15.5.5</li>
<li><a
href="9abbc0e9eb"><code>9abbc0e</code></a>
[backport] fix: missing <code>next/link</code> types with
<code>typedRoutes</code> (<a
href="https://redirect.github.com/vercel/next.js/issues/82814">#82814</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/84779">#84779</a>)</li>
<li><a
href="121e1b566f"><code>121e1b5</code></a>
[backport] docs: early October improvements and fixes (<a
href="https://redirect.github.com/vercel/next.js/issues/84334">#84334</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/vercel/next.js/compare/v15.5.2...v15.5.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=15.5.2&new-version=15.5.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-04 10:20:54 +01:00
Merlijn Vos
5684efa64e
Introduce @uppy/image-generator (#6056)
Closes #5378 

- Introduce `@uppy/image-generator`, a new plugin to generate images
based on a prompt via Transloadit
- until we have "golden templates" the idea is to just send
[steps](https://transloadit.com/docs/topics/templates/#overruling-templates-at-runtime)
- because we must send steps and since we must use signature
authentication for security, which is signed based on the params we
send, we can't reuse the `assemblyOptions` the consumers is already
passing to `@uppy/transloadit` (if they use that uploaders, not needed).
- Remove `SearchInput` (this component was trying to be too many things,
all with conditional boolean props, which is bad practise) in favor of
`useSearchForm` and reuse this hook in two new components `SearchView`
and `FilterInput`
- Reuse all the styles from `SearchProviderView`. This deviates from the
design in #5378. It felt too inconsistent to me to do another UI here
again. For the initial version, I think it's best to stay consistent and
then redesign with search providers taken into account too.
- Because the service is so slow, I went a bit further with the loading
state to show funny messages that rotate while loading mostly because
users will start thinking it is broken after 5 seconds while it fact we
are still loading. But open to ideas here.

This unfortunately means the integration for the consumer is not as lean
and pretty as you would hope. On the upside, it does give them complete
freedom.

```ts
.use(ImageGenerator, {
  assemblyOptions: async (prompt) => {
    const res = await fetch(`/assembly-options?prompt=${encodeURIComponent(prompt)}`)
    return res.json()
  }
})
```

on the consumer's server:

```ts
import crypto from 'node:crypto'

const utcDateString = (ms) => {
  return new Date(ms)
    .toISOString()
    .replace(/-/g, '/')
    .replace(/T/, ' ')
    .replace(/\.\d+Z$/, '+00:00')
}

// expire 1 hour from now (this must be milliseconds)
const expires = utcDateString(Date.now() + 1 * 60 * 60 * 1000)
const authKey = 'YOUR_TRANSLOADIT_KEY'
const authSecret = 'YOUR_TRANSLOADIT_SECRET'

const params = JSON.stringify({
  auth: {
    key: authKey,
    expires,
  },
  // can not contain any more steps, the only step must be /image/generate
  steps: {
    generated_image: { // can be named different
      robot: '/image/generate',
      result: true, // mandatory
      aspect_ratio: '2:3', // up to them
      model: 'flux-1.1-pro-ultra', // up to them
      prompt, // mandatory
      num_outputs: 2, // up to them
    },
  },
})
const signatureBytes = crypto.createHmac('sha384', authSecret).update(Buffer.from(params, 'utf-8'))
// The final signature needs the hash name in front, so
// the hashing algorithm can be updated in a backwards-compatible
// way when old algorithms become insecure.
const signature = `sha384:${signatureBytes.digest('hex')}`

// respond with { params, signature } JSON to the client
```


https://github.com/user-attachments/assets/9217e457-b38b-48ac-81f0-37a417309e98



<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds AI image generation plugin using Transloadit, exports low-level
Transloadit APIs, and replaces SearchInput with new
FilterInput/SearchView + useSearchForm across provider views.
> 
> - **New plugin: `@uppy/image-generator`**
> - UI plugin to generate images from a prompt via Transloadit
(`src/index.tsx`, styles, locale, build configs).
> - Integrated into dev Dashboard and included in `uppy` bundle and
global styles.
> - **Provider Views refactor**
> - Remove `SearchInput`; introduce `useSearchForm`, `SearchView`, and
`FilterInput` components.
> - Update `ProviderView`, `SearchProviderView`, and `Webdav` to use new
components; export them from `@uppy/provider-views`.
> - **Transloadit updates**
> - Export `Assembly`, `AssemblyError`, and `Client` from
`@uppy/transloadit`.
>   - Minor internal change: normalize `assemblyOptions.fields`.
> - **Locales**
> - Add strings for image generation and minor additions (e.g.,
`chooseFiles`).
>   - Ensure locales build depends on `@uppy/image-generator`.
> - **Build config**
> - Turborepo: add `uppy#build:css` and hook `image-generator` into
locales build.
> - **Changesets**
> - `@uppy/image-generator` major; `@uppy/transloadit` minor;
`@uppy/locales` and `uppy` minor; `@uppy/provider-views` and
`@uppy/webdav` patch.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
4b1b729069. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2025-12-03 11:59:52 +01:00
Merlijn Vos
93ef1ba0e7
Resolve all angular yarn warnings (#6080)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Aligns Angular dependencies (including compiler-cli and animations) to
^19.2.17 in examples/angular and packages/@uppy/angular.
> 
> - **Dependencies**:
>   - `examples/angular/package.json`:
> - Bump `@angular/common`, `core`, `forms`, `platform-browser`,
`platform-browser-dynamic`, `router`, and `@angular/compiler-cli` to
`^19.2.17`.
>   - `packages/@uppy/angular/package.json`:
> - Bump `@angular/animations`, `common`, `compiler`, `core`, `forms`,
`platform-browser`, `platform-browser-dynamic`, `router` to `^19.2.17`.
>     - Update dev dependency `@angular/compiler-cli` to `^19.2.17`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
1af50119f0. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-03 10:54:21 +01:00
dependabot[bot]
28c27e875c
build(deps): bump validator from 13.15.20 to 13.15.22 (#6082)
Bumps [validator](https://github.com/validatorjs/validator.js) from
13.15.20 to 13.15.22.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/validatorjs/validator.js/releases">validator's
releases</a>.</em></p>
<blockquote>
<h2>13.15.22</h2>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2622">#2622</a>
<code>isURL</code>: fix regression with hostnames with ports <a
href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2616">#2616</a>
<code>isLength</code>: improve handling Unicode variation selectors <a
href="https://github.com/koral"><code>@​koral</code></a>--</li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2621">#2621</a>
<a href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
</ul>
</li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/mbtools"><code>@​mbtools</code></a> made
their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2622">validatorjs/validator.js#2622</a></li>
<li><a href="https://github.com/koral"><code>@​koral</code></a>-- made
their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2616">validatorjs/validator.js#2616</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/validatorjs/validator.js/compare/13.15.20...13.15.22">https://github.com/validatorjs/validator.js/compare/13.15.20...13.15.22</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md">validator's
changelog</a>.</em></p>
<blockquote>
<h1>13.15.22</h1>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2622">#2622</a>
<code>isURL</code>: fix regression with hostnames with ports <a
href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2616">#2616</a>
<code>isLength</code>: improve handling Unicode variation selectors <a
href="https://github.com/koral"><code>@​koral</code></a>--</li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2621">#2621</a>
<a href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f2b5c17dbe"><code>f2b5c17</code></a>
maintenance: 2511 release (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2627">#2627</a>)</li>
<li><a
href="d457ecaf55"><code>d457eca</code></a>
fix(isLength): correctly handle Unicode variation selectors (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2616">#2616</a>)</li>
<li><a
href="f2e3633f22"><code>f2e3633</code></a>
docs: add install instructions to contibution guide (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2621">#2621</a>)</li>
<li><a
href="cf401458b8"><code>cf40145</code></a>
fix: URL validation for hostnames with ports (no protocol) (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2622">#2622</a>)</li>
<li><a
href="4af61243ba"><code>4af6124</code></a>
maintenance: 2510 release (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2585">#2585</a>)</li>
<li>See full diff in <a
href="https://github.com/validatorjs/validator.js/compare/13.15.20...13.15.22">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~wikirik">wikirik</a>, a new releaser for
validator since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=validator&package-manager=npm_and_yarn&previous-version=13.15.20&new-version=13.15.22)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-03 10:50:49 +01:00
dependabot[bot]
5b680f2f05
build(deps): bump body-parser from 1.20.3 to 1.20.4 (#6070)
Bumps [body-parser](https://github.com/expressjs/body-parser) from
1.20.3 to 1.20.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/releases">body-parser's
releases</a>.</em></p>
<blockquote>
<h2>v2.2.1</h2>
<h2>Important: Security</h2>
<ul>
<li>Security fix for <a
href="https://www.cve.org/CVERecord?id=CVE-2025-13466">CVE-2025-13466</a>
(<a
href="https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4">GHSA-wqch-xfxh-vrr4</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>ci: add dependabot by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/593">expressjs/body-parser#593</a></li>
<li>ci: use full SHAs for github action versions by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/594">expressjs/body-parser#594</a></li>
<li>deps: type-is@^2.0.1 by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/599">expressjs/body-parser#599</a></li>
<li>build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/609">expressjs/body-parser#609</a></li>
<li>build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/610">expressjs/body-parser#610</a></li>
<li>build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/611">expressjs/body-parser#611</a></li>
<li>build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/613">expressjs/body-parser#613</a></li>
<li>build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/612">expressjs/body-parser#612</a></li>
<li>ci: add codeql github workflows scanning by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/614">expressjs/body-parser#614</a></li>
<li>ci: update CodeQL config to ignore the test directory by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/615">expressjs/body-parser#615</a></li>
<li>build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/620">expressjs/body-parser#620</a></li>
<li>build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/619">expressjs/body-parser#619</a></li>
<li>chore(deps): unpin devDependencies by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/616">expressjs/body-parser#616</a></li>
<li>ci: add node.js 24 to test matrix by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/621">expressjs/body-parser#621</a></li>
<li>build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/623">expressjs/body-parser#623</a></li>
<li>build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/624">expressjs/body-parser#624</a></li>
<li>chore: add funding to package.json by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/617">expressjs/body-parser#617</a></li>
<li>build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/625">expressjs/body-parser#625</a></li>
<li>build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/630">expressjs/body-parser#630</a></li>
<li>refactor: move common request validation to read function by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/600">expressjs/body-parser#600</a></li>
<li>deps: bump iconv-lite by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/631">expressjs/body-parser#631</a></li>
<li>doc: pull beta changelog forward into 2.0.0 by <a
href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a
href="https://redirect.github.com/expressjs/body-parser/pull/629">expressjs/body-parser#629</a></li>
<li>refactor: optimize raw and text parsers with shared passthrough
function by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/634">expressjs/body-parser#634</a></li>
<li>build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/640">expressjs/body-parser#640</a></li>
<li>build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/639">expressjs/body-parser#639</a></li>
<li>build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/636">expressjs/body-parser#636</a></li>
<li>build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/637">expressjs/body-parser#637</a></li>
<li>build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/638">expressjs/body-parser#638</a></li>
<li>deps: raw-body@^3.0.1 by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/641">expressjs/body-parser#641</a></li>
<li>deps: debug@^4.4.3 by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/642">expressjs/body-parser#642</a></li>
<li>docs: add iconv-lite 0.7.0 changes to history entry by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/645">expressjs/body-parser#645</a></li>
<li>ci: add node.js 25 to test matrix by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/650">expressjs/body-parser#650</a></li>
<li>perf: move read options outside parser middlewares by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/648">expressjs/body-parser#648</a></li>
<li>test(json): add RFC 7159 whitespace edge cases by <a
href="https://github.com/Ayoub-Mabrouk"><code>@​Ayoub-Mabrouk</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/653">expressjs/body-parser#653</a></li>
<li>test: add test for urlencoded invalid defaultCharset by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/643">expressjs/body-parser#643</a></li>
<li>build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/657">expressjs/body-parser#657</a></li>
<li>build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/656">expressjs/body-parser#656</a></li>
<li>build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/655">expressjs/body-parser#655</a></li>
<li>build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/654">expressjs/body-parser#654</a></li>
<li>ci: also test on first supported node.js version by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/646">expressjs/body-parser#646</a></li>
<li>chore: switch badges from badgen.net to shields.io by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/661">expressjs/body-parser#661</a></li>
<li>Remove history.md from being packaged on publish by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/660">expressjs/body-parser#660</a></li>
<li>Release: 2.2.1 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/659">expressjs/body-parser#659</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/blob/master/HISTORY.md">body-parser's
changelog</a>.</em></p>
<blockquote>
<h1>2.2.1 / 2025-11-24</h1>
<ul>
<li>Security fix for <a
href="https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4">GHSA-wqch-xfxh-vrr4</a></li>
<li>deps:
<ul>
<li>type-is@^2.0.1</li>
<li>iconv-lite@^0.7.0
<ul>
<li>Handle split surrogate pairs when encoding UTF-8</li>
<li>Avoid false positives in <code>encodingExists</code> by using
prototype-less objects</li>
</ul>
</li>
<li>raw-body@^3.0.1</li>
<li>debug@^4.4.3</li>
</ul>
</li>
</ul>
<h1>2.2.0 / 2025-03-27</h1>
<ul>
<li>refactor: normalize common options for all parsers</li>
<li>deps:
<ul>
<li>iconv-lite@^0.6.3</li>
</ul>
</li>
</ul>
<h1>2.1.0 / 2025-02-10</h1>
<ul>
<li>deps:
<ul>
<li>type-is@^2.0.0</li>
<li>debug@^4.4.0</li>
<li>Removed destroy</li>
</ul>
</li>
<li>refactor: prefix built-in node module imports</li>
<li>use the node require cache instead of custom caching</li>
</ul>
<h1>2.0.2 / 2024-10-31</h1>
<ul>
<li>remove <code>unpipe</code> package and use native
<code>unpipe()</code> method</li>
</ul>
<h1>2.0.1 / 2024-09-10</h1>
<ul>
<li>Restore expected behavior <code>extended</code> to
<code>false</code></li>
</ul>
<h1>2.0.0 / 2024-09-10</h1>
<h2>Breaking Changes</h2>
<ul>
<li>Node.js 18 is the minimum supported version</li>
<li><code>req.body</code> is no longer always initialized to
<code>{}</code>
<ul>
<li>it is left <code>undefined</code> unless a body is parsed</li>
</ul>
</li>
<li>Remove deprecated <code>bodyParser()</code> combination
middleware</li>
<li><del><code>urlencoded</code> parser now defaults
<code>extended</code> to <code>false</code></del> as released, this is
not the case, fixed in 2.0.1</li>
<li><code>urlencoded</code> simple parser now uses <code>qs</code>
module instead of <code>querystring</code> module</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d96b63da8d"><code>d96b63d</code></a>
2.2.1 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/659">#659</a>)</li>
<li><a
href="b204886a67"><code>b204886</code></a>
sec: security patch for CVE-2025-13466</li>
<li><a
href="e20e3512e0"><code>e20e351</code></a>
feat: remove <code>history.md</code> from being packaged on publish (<a
href="https://redirect.github.com/expressjs/body-parser/issues/660">#660</a>)</li>
<li><a
href="0d7ce71c84"><code>0d7ce71</code></a>
docs: switch badges from badgen.net to shields.io (<a
href="https://redirect.github.com/expressjs/body-parser/issues/661">#661</a>)</li>
<li><a
href="168afff347"><code>168afff</code></a>
ci: also test on first supported node.js version (<a
href="https://redirect.github.com/expressjs/body-parser/issues/646">#646</a>)</li>
<li><a
href="e539a7121d"><code>e539a71</code></a>
build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/654">#654</a>)</li>
<li><a
href="939161277a"><code>9391612</code></a>
build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/655">#655</a>)</li>
<li><a
href="57baafb3bb"><code>57baafb</code></a>
build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/656">#656</a>)</li>
<li><a
href="a6a088e088"><code>a6a088e</code></a>
build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/657">#657</a>)</li>
<li><a
href="10a114d55d"><code>10a114d</code></a>
test: add test for urlencoded invalid defaultCharset (<a
href="https://redirect.github.com/expressjs/body-parser/issues/643">#643</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/expressjs/body-parser/compare/1.20.3...v2.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=body-parser&package-manager=npm_and_yarn&previous-version=1.20.3&new-version=2.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:55:11 +01:00
dependabot[bot]
39b82fd231
build(deps): bump express from 4.19.2 to 4.22.0 (#6079)
Bumps [express](https://github.com/expressjs/express) from 4.19.2 to
4.22.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/express/releases">express's
releases</a>.</em></p>
<blockquote>
<h2>4.22.0</h2>
<h2>Important: Security</h2>
<ul>
<li>Security fix for <a
href="https://www.cve.org/CVERecord?id=CVE-2024-51999">CVE-2024-51999</a>
(<a
href="https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6">GHSA-pj86-cfqh-vqx6</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Refactor: improve readability by <a
href="https://github.com/sazk07"><code>@​sazk07</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6190">expressjs/express#6190</a></li>
<li>ci: add support for Node.js@23.0 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6080">expressjs/express#6080</a></li>
<li>Method functions with no path should error by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/5957">expressjs/express#5957</a></li>
<li>ci: updated github actions ci workflow by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6323">expressjs/express#6323</a></li>
<li>ci: reorder <code>npm i</code> steps to fix ci for older node
versions by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6336">expressjs/express#6336</a></li>
<li>Backport: ci: add node.js 24 to test matrix by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6506">expressjs/express#6506</a></li>
<li>chore(4.x): wider range for query test skip by <a
href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6513">expressjs/express#6513</a></li>
<li>use tilde notation for certain dependencies by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6905">expressjs/express#6905</a></li>
<li>deps: qs@6.14.0 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6909">expressjs/express#6909</a></li>
<li>deps: use tilde notation for <code>qs</code> by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6919">expressjs/express#6919</a></li>
<li>Release: 4.22.0 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6921">expressjs/express#6921</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/express/compare/4.21.2...4.22.0">https://github.com/expressjs/express/compare/4.21.2...4.22.0</a></p>
<h2>4.21.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Add funding field (v4) by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6065">expressjs/express#6065</a></li>
<li>deps: path-to-regexp@0.1.11 by <a
href="https://github.com/blakeembrey"><code>@​blakeembrey</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/5956">expressjs/express#5956</a></li>
<li>deps: bump path-to-regexp@0.1.12 by <a
href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6209">expressjs/express#6209</a></li>
<li>Release: 4.21.2 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6094">expressjs/express#6094</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/express/compare/4.21.1...4.21.2">https://github.com/expressjs/express/compare/4.21.1...4.21.2</a></p>
<h2>4.21.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Backport a fix for CVE-2024-47764 to the 4.x branch by <a
href="https://github.com/joshbuker"><code>@​joshbuker</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6029">expressjs/express#6029</a></li>
<li>Release: 4.21.1 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6031">expressjs/express#6031</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/express/compare/4.21.0...4.21.1">https://github.com/expressjs/express/compare/4.21.0...4.21.1</a></p>
<h2>4.21.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Deprecate <code>&quot;back&quot;</code> magic string in redirects by
<a href="https://github.com/blakeembrey"><code>@​blakeembrey</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/5935">expressjs/express#5935</a></li>
<li>finalhandler@1.3.1 by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/5954">expressjs/express#5954</a></li>
<li>fix(deps): serve-static@1.16.2 by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/5951">expressjs/express#5951</a></li>
<li>Upgraded dependency qs to 6.13.0 to match qs in body-parser by <a
href="https://github.com/agadzinski93"><code>@​agadzinski93</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/5946">expressjs/express#5946</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/agadzinski93"><code>@​agadzinski93</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/express/pull/5946">expressjs/express#5946</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/express/blob/4.22.0/History.md">express's
changelog</a>.</em></p>
<blockquote>
<h1>4.22.0 / 2025-12-01</h1>
<ul>
<li>Security fix for <a
href="https://www.cve.org/CVERecord?id=CVE-2024-51999">CVE-2024-51999</a>
(<a
href="https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6">GHSA-pj86-cfqh-vqx6</a>)</li>
<li>deps: use tilde notation for dependencies</li>
<li>deps: qs@6.14.0</li>
</ul>
<h1>4.21.2 / 2024-11-06</h1>
<ul>
<li>deps: path-to-regexp@0.1.12
<ul>
<li>Fix backtracking protection</li>
</ul>
</li>
<li>deps: path-to-regexp@0.1.11
<ul>
<li>Throws an error on invalid path values</li>
</ul>
</li>
</ul>
<h1>4.21.1 / 2024-10-08</h1>
<ul>
<li>Backported a fix for <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-47764">CVE-2024-47764</a></li>
</ul>
<h1>4.21.0 / 2024-09-11</h1>
<ul>
<li>Deprecate <code>res.location(&quot;back&quot;)</code> and
<code>res.redirect(&quot;back&quot;)</code> magic string</li>
<li>deps: serve-static@1.16.2
<ul>
<li>includes send@0.19.0</li>
</ul>
</li>
<li>deps: finalhandler@1.3.1</li>
<li>deps: qs@6.13.0</li>
</ul>
<h1>4.20.0 / 2024-09-10</h1>
<ul>
<li>deps: serve-static@0.16.0
<ul>
<li>Remove link renderization in html while redirecting</li>
</ul>
</li>
<li>deps: send@0.19.0
<ul>
<li>Remove link renderization in html while redirecting</li>
</ul>
</li>
<li>deps: body-parser@0.6.0
<ul>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li>IMPORTANT: The default <code>depth</code> level for parsing
URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>)</li>
</ul>
</li>
<li>Remove link renderization in html while using
<code>res.redirect</code></li>
<li>deps: path-to-regexp@0.1.10
<ul>
<li>Adds support for named matching groups in the routes using a
regex</li>
<li>Adds backtracking protection to parameters without regexes
defined</li>
</ul>
</li>
<li>deps: encodeurl@~2.0.0
<ul>
<li>Removes encoding of <code>\</code>, <code>|</code>, and
<code>^</code> to align better with URL spec</li>
</ul>
</li>
<li>Deprecate passing <code>options.maxAge</code> and
<code>options.expires</code> to <code>res.clearCookie</code>
<ul>
<li>Will be ignored in v5, clearCookie will set a cookie with an expires
in the past to instruct clients to delete the cookie</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="49744abd11"><code>49744ab</code></a>
4.22.0 (<a
href="https://redirect.github.com/expressjs/express/issues/6921">#6921</a>)</li>
<li><a
href="6e97452f60"><code>6e97452</code></a>
sec: security patch for CVE-2024-51999</li>
<li><a
href="6a23d34d65"><code>6a23d34</code></a>
deps: use tilde notation for <code>qs</code> (<a
href="https://redirect.github.com/expressjs/express/issues/6919">#6919</a>)</li>
<li><a
href="8c12cdf93b"><code>8c12cdf</code></a>
deps: qs@6.14.0 (<a
href="https://redirect.github.com/expressjs/express/issues/6909">#6909</a>)</li>
<li><a
href="7fea74fcf0"><code>7fea74f</code></a>
deps: use tilde notation for certain dependencies (<a
href="https://redirect.github.com/expressjs/express/issues/6905">#6905</a>)</li>
<li><a
href="dac7a0475a"><code>dac7a04</code></a>
chore: wider range for query test skip (<a
href="https://redirect.github.com/expressjs/express/issues/6513">#6513</a>)</li>
<li><a
href="997919b488"><code>997919b</code></a>
ci: add node.js 24 to test matrix (<a
href="https://redirect.github.com/expressjs/express/issues/6506">#6506</a>)</li>
<li><a
href="36fb59c6c7"><code>36fb59c</code></a>
fix(ci): reorder <code>npm i</code> steps to fix ci for older node
versions (<a
href="https://redirect.github.com/expressjs/express/issues/6336">#6336</a>)</li>
<li><a
href="3a5edfaff0"><code>3a5edfa</code></a>
fix(ci): updated github actions ci workflow (<a
href="https://redirect.github.com/expressjs/express/issues/6323">#6323</a>)</li>
<li><a
href="52d978119a"><code>52d9781</code></a>
fix(test): add test for method routes without paths <a
href="https://redirect.github.com/expressjs/express/issues/5955">#5955</a></li>
<li>Additional commits viewable in <a
href="https://github.com/expressjs/express/compare/4.19.2...4.22.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=express&package-manager=npm_and_yarn&previous-version=4.19.2&new-version=4.22.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:46:06 +01:00