Commit graph

364 commits

Author SHA1 Message Date
dependabot[bot]
20fce4cc34
build(deps): bump react-router from 7.8.2 to 7.12.0 (#6127)
Bumps
[react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router)
from 7.8.2 to 7.12.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/remix-run/react-router/releases">react-router's
releases</a>.</em></p>
<blockquote>
<h2>v7.12.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120</a></p>
<h2>v7.11.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110</a></p>
<h2>v7.10.1</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101</a></p>
<h2>v7.10.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100</a></p>
<h2>v7.9.6</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796</a></p>
<h2>v7.9.5</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795</a></p>
<h2>v7.9.4</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794</a></p>
<h2>v7.9.3</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793</a></p>
<h2>v7.9.2</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792</a></p>
<h2>v7.9.1</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791</a></p>
<h2>v7.9.0</h2>
<p>See the changelog for release notes: <a
href="https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790">https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md">react-router's
changelog</a>.</em></p>
<blockquote>
<h2>7.12.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>Add additional layer of CSRF protection by rejecting submissions to
UI routes from external origins. If you need to permit access to
specific external origins, you can specify them in the
<code>react-router.config.ts</code> config
<code>allowedActionOrigins</code> field. (<a
href="https://redirect.github.com/remix-run/react-router/pull/14708">#14708</a>)</li>
</ul>
<h3>Patch Changes</h3>
<ul>
<li>
<p>Fix <code>generatePath</code> when used with suffixed params (i.e.,
&quot;/books/:id.json&quot;) (<a
href="https://redirect.github.com/remix-run/react-router/pull/14269">#14269</a>)</p>
</li>
<li>
<p>Export <code>UNSAFE_createMemoryHistory</code> and
<code>UNSAFE_createHashHistory</code> alongside
<code>UNSAFE_createBrowserHistory</code> for consistency. These are not
intended to be used for new apps but intended to help apps using
<code>unstable_HistoryRouter</code> migrate from v6-&gt;v7 so they can
adopt the newer APIs. (<a
href="https://redirect.github.com/remix-run/react-router/pull/14663">#14663</a>)</p>
</li>
<li>
<p>Escape HTML in scroll restoration keys (<a
href="https://redirect.github.com/remix-run/react-router/pull/14705">#14705</a>)</p>
</li>
<li>
<p>Validate redirect locations (<a
href="https://redirect.github.com/remix-run/react-router/pull/14706">#14706</a>)</p>
</li>
<li>
<p>[UNSTABLE] Pass <code>&lt;Scripts nonce&gt;</code> value through to
the underlying <code>importmap</code> <code>script</code> tag when using
<code>future.unstable_subResourceIntegrity</code> (<a
href="https://redirect.github.com/remix-run/react-router/pull/14675">#14675</a>)</p>
</li>
<li>
<p>[UNSTABLE] Add a new
<code>future.unstable_trailingSlashAwareDataRequests</code> flag to
provide consistent behavior of <code>request.pathname</code> inside
<code>middleware</code>, <code>loader</code>, and <code>action</code>
functions on document and data requests when a trailing slash is present
in the browser URL. (<a
href="https://redirect.github.com/remix-run/react-router/pull/14644">#14644</a>)</p>
<p>Currently, your HTTP and <code>request</code> pathnames would be as
follows for <code>/a/b/c</code> and <code>/a/b/c/</code></p>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c</code></td>
<td><code>/a/b/c</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c.data</code></td>
<td><code>/a/b/c</code> </td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c/</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c/</code></td>
<td><code>/a/b/c/</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c.data</code></td>
<td><code>/a/b/c</code> ⚠️</td>
</tr>
</tbody>
</table>
<p>With this flag enabled, these pathnames will be made consistent
through a new <code>_.data</code> format for client-side
<code>.data</code> requests:</p>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c</code></td>
<td><code>/a/b/c</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c.data</code></td>
<td><code>/a/b/c</code> </td>
</tr>
</tbody>
</table>
<table>
<thead>
<tr>
<th>URL <code>/a/b/c/</code></th>
<th><strong>HTTP pathname</strong></th>
<th><strong><code>request</code> pathname</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Document</strong></td>
<td><code>/a/b/c/</code></td>
<td><code>/a/b/c/</code> </td>
</tr>
<tr>
<td><strong>Data</strong></td>
<td><code>/a/b/c/_.data</code> ⬅️</td>
<td><code>/a/b/c/</code> </td>
</tr>
</tbody>
</table>
<p>This is a bug fix but we are putting it behind an opt-in flag because it
has the potential to be a &quot;breaking bug fix&quot; if you are
relying on the URL format for any other application or caching
logic.</p>
<p>Enabling this flag also changes the format of client side
<code>.data</code> requests from <code>/_root.data</code> to
<code>/_.data</code> when navigating to <code>/</code> to align with the
new format. This does not impact the <code>request</code> pathname which
is still <code>/</code> in all cases.</p>
</li>
<li>
<p>Preserve <code>clientLoader.hydrate=true</code> when using
<code>&lt;HydratedRouter unstable_instrumentations&gt;</code> (<a
href="https://redirect.github.com/remix-run/react-router/pull/14674">#14674</a>)</p>
</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="26653a6bcb"><code>26653a6</code></a>
chore: Update version for release (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14712">#14712</a>)</li>
<li><a
href="7ac2346873"><code>7ac2346</code></a>
chore: Update version for release (pre) (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14709">#14709</a>)</li>
<li><a
href="75b1ef5086"><code>75b1ef5</code></a>
Add origin checks for UI route submissions (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14708">#14708</a>)</li>
<li><a
href="c05ef936fd"><code>c05ef93</code></a>
Validate redirect locations (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14706">#14706</a>)</li>
<li><a
href="c89c32c562"><code>c89c32c</code></a>
Escape HTML in scroll restoration keys (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14705">#14705</a>)</li>
<li><a
href="cbcbf3091b"><code>cbcbf30</code></a>
fix: pass nonce to importmap script when using subResourceIntegrity (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14675">#14675</a>)</li>
<li><a
href="30f6c1d814"><code>30f6c1d</code></a>
fix(react-router): handle parameters with static suffixes in
generatePath (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/1">#1</a>...</li>
<li><a
href="7f140e098e"><code>7f140e0</code></a>
Handle data requests with trailing slash consistently (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14644">#14644</a>)</li>
<li><a
href="1954af6374"><code>1954af6</code></a>
Preserve hydrate property on client loaders during instrumentation (<a
href="https://github.com/remix-run/react-router/tree/HEAD/packages/react-router/issues/14674">#14674</a>)</li>
<li><a
href="5ce5cd4ebf"><code>5ce5cd4</code></a>
chore: format</li>
<li>Additional commits viewable in <a
href="https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for react-router since your current
version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=react-router&package-manager=npm_and_yarn&previous-version=7.8.2&new-version=7.12.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-09 09:09:39 +01:00
dependabot[bot]
fd8f54f542
build(deps): bump preact from 10.26.9 to 10.26.10 (#6123)
Bumps [preact](https://github.com/preactjs/preact) from 10.26.9 to
10.26.10.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/preactjs/preact/releases">preact's
releases</a>.</em></p>
<blockquote>
<h2>10.26.10</h2>
<h2>Fixes</h2>
<ul>
<li>Enforce strict equality for VNode object constructors</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e6f88b0842"><code>e6f88b0</code></a>
10.26.10</li>
<li><a
href="c373f23c48"><code>c373f23</code></a>
10.26 strict equality (<a
href="https://redirect.github.com/preactjs/preact/issues/4988">#4988</a>)</li>
<li><a
href="d008a1a242"><code>d008a1a</code></a>
10.26.x</li>
<li>See full diff in <a
href="https://github.com/preactjs/preact/compare/10.26.9...10.26.10">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=preact&package-manager=npm_and_yarn&previous-version=10.26.9&new-version=10.26.10)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-08 12:00:59 +01:00
dependabot[bot]
101fd8ca84
build(deps): bump next from 15.5.7 to 15.5.9 (#6104)
Bumps [next](https://github.com/vercel/next.js) from 15.5.7 to 15.5.9.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v15.5.9</h2>
<p>Please see the <a
href="https://nextjs.org/blog/security-update-2025-12-11">Next.js
Security Update</a> for information about this security patch.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c5de33e93c"><code>c5de33e</code></a>
v15.5.9</li>
<li><a
href="dd233994ae"><code>dd23399</code></a>
Backport <a
href="https://redirect.github.com/facebook/react/issues/35351">facebook/react#35351</a>
for 15.5.8 (<a
href="https://redirect.github.com/vercel/next.js/issues/87086">#87086</a>)</li>
<li><a
href="7526cd6f24"><code>7526cd6</code></a>
v15.5.8</li>
<li><a
href="1e9ec4133a"><code>1e9ec41</code></a>
Update React Version (<a
href="https://redirect.github.com/vercel/next.js/issues/41">#41</a>)</li>
<li><a
href="16141e5df9"><code>16141e5</code></a>
Update React Version (<a
href="https://redirect.github.com/vercel/next.js/issues/30">#30</a>)</li>
<li><a
href="e01e589e18"><code>e01e589</code></a>
Backport Next.js changes to v15.5.8 (<a
href="https://redirect.github.com/vercel/next.js/issues/23">#23</a>)</li>
<li><a
href="b2706db1e6"><code>b2706db</code></a>
lock binaries</li>
<li>See full diff in <a
href="https://github.com/vercel/next.js/compare/v15.5.7...v15.5.9">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=15.5.7&new-version=15.5.9)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-12 09:38:32 +01:00
Merlijn Vos
943ed7ad56
Upgrade playwright in all packages (#6086)
To resolve security advisories. Should be merged after #6085 

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Upgrades Playwright to 1.57.0 across examples and packages, updating
corresponding yarn.lock entries.
> 
> - **Dependencies**:
> - Bump `playwright` to `1.57.0` in `examples/react/package.json`,
`examples/sveltekit/package.json`, `examples/vue/package.json`,
`packages/@uppy/dashboard/package.json`, and
`packages/@uppy/url/package.json`.
> - Update `yarn.lock` to `playwright@1.57.0` and
`playwright-core@1.57.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fa35f7b7ea. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-05 10:27:58 +01:00
dependabot[bot]
78d0c28079
build(deps): bump jws from 3.2.2 to 3.2.3 (#6091)
Bumps [jws](https://github.com/brianloveswords/node-jws) from 3.2.2 to
3.2.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/brianloveswords/node-jws/releases">jws's
releases</a>.</em></p>
<blockquote>
<h2>v3.2.3</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 1.4.2, addressing a compatibility issue for
Node &gt;= 25.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/auth0/node-jws/blob/master/CHANGELOG.md">jws's
changelog</a>.</em></p>
<blockquote>
<h2>[3.2.3]</h2>
<h3>Changed</h3>
<ul>
<li>Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now
require
that a non empty secret is provided (via opts.secret, opts.privateKey or
opts.key)
when using HMAC algorithms.</li>
<li>Upgrading JWA version to 1.4.2, addressing a compatibility issue for
Node &gt;= 25.</li>
</ul>
<h2>[3.0.0]</h2>
<h3>Changed</h3>
<ul>
<li><strong>BREAKING</strong>: <code>jwt.verify</code> now requires an
<code>algorithm</code> parameter, and
<code>jws.createVerify</code> requires an <code>algorithm</code> option.
The <code>&quot;alg&quot;</code> field
signature headers is ignored. This mitigates a critical security flaw
in the library which would allow an attacker to generate signatures with
arbitrary contents that would be accepted by <code>jwt.verify</code>.
See
<a
href="https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/">https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/</a>
for details.</li>
</ul>
<h2><a
href="https://github.com/brianloveswords/node-jws/compare/v1.0.1...v2.0.0">2.0.0</a>
- 2015-01-30</h2>
<h3>Changed</h3>
<ul>
<li>
<p><strong>BREAKING</strong>: Default payload encoding changed from
<code>binary</code> to
<code>utf8</code>. <code>utf8</code> is a more sensible default
than <code>binary</code> because
many payloads, as far as I can tell, will contain user-facing
strings that could be in any language. (<!-- raw HTML omitted --><a
href="6b6de48">6b6de48</a><!--
raw HTML omitted -->)</p>
</li>
<li>
<p>Code reorganization, thanks <a
href="https://github.com/fearphage"><code>@​fearphage</code></a>! (<!--
raw HTML omitted --><a
href="7880050">7880050</a><!--
raw HTML omitted -->)</p>
</li>
</ul>
<h3>Added</h3>
<ul>
<li>Option in all relevant methods for <code>encoding</code>. For those
few users
that might be depending on a <code>binary</code> encoding of the
messages, this
is for them. (<!-- raw HTML omitted --><a
href="6b6de48">6b6de48</a><!--
raw HTML omitted -->)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4f6e73f24d"><code>4f6e73f</code></a>
Merge commit from fork</li>
<li><a
href="bd0fea57f3"><code>bd0fea5</code></a>
version 3.2.3</li>
<li><a
href="7c3b4b4110"><code>7c3b4b4</code></a>
Enhance tests for HMAC streaming sign and verify</li>
<li><a
href="a9b8ed999d"><code>a9b8ed9</code></a>
Improve secretOrKey initialization in VerifyStream</li>
<li><a
href="6707fde62c"><code>6707fde</code></a>
Improve secret handling in SignStream</li>
<li>See full diff in <a
href="https://github.com/brianloveswords/node-jws/compare/v3.2.2...v3.2.3">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~julien.wollscheid">julien.wollscheid</a>, a
new releaser for jws since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jws&package-manager=npm_and_yarn&previous-version=3.2.2&new-version=3.2.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-05 10:24:58 +01:00
Merlijn Vos
3c3034b408
Dedupe dependencies (#6085)
With `yarn dedupe`. New type error surfaced due to new types getting
loaded.


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Dedupes dependencies and updates code: aligns S3 presign tests with
checksum behavior, narrows HMAC key type, tweaks AudioOscilloscope
buffer typing, and simplifies Tus success logging.
> 
> - **AWS S3**:
> - Tests: add `requestChecksumCalculation` (from
`@aws-sdk/middleware-flexible-checksums`) to `S3Client` options to match
presign behavior.
> - Impl: change `generateHmacKey` signature to accept `string |
ArrayBuffer` (remove `Uint8Array`).
> - **Audio**:
> - `AudioOscilloscope`: change `dataArray` type to
`Uint8Array<ArrayBuffer>`.
> - **Tus**:
> - Simplify success log to `Download <url>` (remove file name
extraction).
> - **Dependencies**:
>   - Deduplicate/upgrade various packages in lockfile.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5b95865a7c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-05 10:22:11 +01:00
dependabot[bot]
e4558362b8
build(deps): bump next from 15.5.2 to 15.5.7 (#6088)
Bumps [next](https://github.com/vercel/next.js) from 15.5.2 to 15.5.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vercel/next.js/releases">next's
releases</a>.</em></p>
<blockquote>
<h2>v15.5.7</h2>
<p>Please see <a
href="https://nextjs.org/blog/CVE-2025-66478">CVE-2025-66478</a> for
additional details about this release.</p>
<h2>v15.5.6</h2>
<blockquote>
<p>[!NOTE]<br />
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Turbopack: don't define process.cwd() in node_modules <a
href="https://redirect.github.com/vercel/next.js/issues/83452">#83452</a></li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/mischnic"><code>@​mischnic</code></a> for
helping!</p>
<h2>v15.5.5</h2>
<blockquote>
<p>[!NOTE]<br />
This release is backporting bug fixes. It does <strong>not</strong>
include all pending features/changes on canary.</p>
</blockquote>
<h3>Core Changes</h3>
<ul>
<li>Split code-frame into separate compiled package (<a
href="https://redirect.github.com/vercel/next.js/issues/84238">#84238</a>)</li>
<li>Add deprecation warning to Runtime config (<a
href="https://redirect.github.com/vercel/next.js/issues/84650">#84650</a>)</li>
<li>fix: unstable_cache should perform blocking revalidation during ISR
revalidation (<a
href="https://redirect.github.com/vercel/next.js/issues/84716">#84716</a>)</li>
<li>feat: <code>experimental.middlewareClientMaxBodySize</code> body
cloning limit (<a
href="https://redirect.github.com/vercel/next.js/issues/84722">#84722</a>)</li>
<li>fix: missing next/link types with typedRoutes (<a
href="https://redirect.github.com/vercel/next.js/issues/84779">#84779</a>)</li>
</ul>
<h3>Misc Changes</h3>
<ul>
<li>docs: early October improvements and fixes (<a
href="https://redirect.github.com/vercel/next.js/issues/84334">#84334</a>)</li>
</ul>
<h3>Credits</h3>
<p>Huge thanks to <a
href="https://github.com/devjiwonchoi"><code>@​devjiwonchoi</code></a>,
<a href="https://github.com/ztanner"><code>@​ztanner</code></a>, and <a
href="https://github.com/icyJoseph"><code>@​icyJoseph</code></a> for
helping!</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3eaf68b09b"><code>3eaf68b</code></a>
v15.5.7</li>
<li><a
href="8367ce592a"><code>8367ce5</code></a>
update version script</li>
<li><a
href="9115040008"><code>9115040</code></a>
Update React Version for Next.js 15.5.7 (<a
href="https://redirect.github.com/vercel/next.js/issues/10">#10</a>)</li>
<li><a
href="96f699902a"><code>96f6999</code></a>
update tag</li>
<li><a
href="55ef0e3ebc"><code>55ef0e3</code></a>
v15.5.6</li>
<li><a
href="92bbbb1bec"><code>92bbbb1</code></a>
Backport: don't define <code>process.cwd()</code> in node_modules (<a
href="https://redirect.github.com/vercel/next.js/issues/84957">#84957</a>)</li>
<li><a
href="f895b72762"><code>f895b72</code></a>
Fix url-imports test on 15-5 (<a
href="https://redirect.github.com/vercel/next.js/issues/84966">#84966</a>)</li>
<li><a
href="81f530db26"><code>81f530d</code></a>
v15.5.5</li>
<li><a
href="9abbc0e9eb"><code>9abbc0e</code></a>
[backport] fix: missing <code>next/link</code> types with
<code>typedRoutes</code> (<a
href="https://redirect.github.com/vercel/next.js/issues/82814">#82814</a>)
(<a
href="https://redirect.github.com/vercel/next.js/issues/84779">#84779</a>)</li>
<li><a
href="121e1b566f"><code>121e1b5</code></a>
[backport] docs: early October improvements and fixes (<a
href="https://redirect.github.com/vercel/next.js/issues/84334">#84334</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/vercel/next.js/compare/v15.5.2...v15.5.7">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=next&package-manager=npm_and_yarn&previous-version=15.5.2&new-version=15.5.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-04 10:20:54 +01:00
Merlijn Vos
5684efa64e
Introduce @uppy/image-generator (#6056)
Closes #5378 

- Introduce `@uppy/image-generator`, a new plugin to generate images
based on a prompt via Transloadit
- until we have "golden templates" the idea is to just send
[steps](https://transloadit.com/docs/topics/templates/#overruling-templates-at-runtime)
- because we must send steps and since we must use signature
authentication for security, which is signed based on the params we
send, we can't reuse the `assemblyOptions` the consumer is already
passing to `@uppy/transloadit` (if they use that uploader, not needed).
- Remove `SearchInput` (this component was trying to be too many things,
all with conditional boolean props, which is bad practice) in favor of
`useSearchForm` and reuse this hook in two new components `SearchView`
and `FilterInput`
- Reuse all the styles from `SearchProviderView`. This deviates from the
design in #5378. It felt too inconsistent to me to do another UI here
again. For the initial version, I think it's best to stay consistent and
then redesign with search providers taken into account too.
- Because the service is so slow, I went a bit further with the loading
state to show funny messages that rotate while loading, mostly because
users will start thinking it is broken after 5 seconds while in fact we
are still loading. But open to ideas here.

This unfortunately means the integration for the consumer is not as lean
and pretty as you would hope. On the upside, it does give them complete
freedom.

```ts
.use(ImageGenerator, {
  assemblyOptions: async (prompt) => {
    const res = await fetch(`/assembly-options?prompt=${encodeURIComponent(prompt)}`)
    return res.json()
  }
})
```

on the consumer's server:

```ts
import crypto from 'node:crypto'

const utcDateString = (ms: number): string => {
  return new Date(ms)
    .toISOString()
    .replace(/-/g, '/')
    .replace(/T/, ' ')
    .replace(/\.\d+Z$/, '+00:00')
}

// expire 1 hour from now (this must be milliseconds)
const expires = utcDateString(Date.now() + 1 * 60 * 60 * 1000)
const authKey = 'YOUR_TRANSLOADIT_KEY'
const authSecret = 'YOUR_TRANSLOADIT_SECRET'

const params = JSON.stringify({
  auth: {
    key: authKey,
    expires,
  },
  // can not contain any more steps, the only step must be /image/generate
  steps: {
    generated_image: { // can be named differently
      robot: '/image/generate',
      result: true, // mandatory
      aspect_ratio: '2:3', // up to them
      model: 'flux-1.1-pro-ultra', // up to them
      prompt, // mandatory; the `prompt` query parameter of the incoming request
      num_outputs: 2, // up to them
    },
  },
})
const signatureBytes = crypto.createHmac('sha384', authSecret).update(Buffer.from(params, 'utf-8'))
// The final signature needs the hash name in front, so
// the hashing algorithm can be updated in a backwards-compatible
// way when old algorithms become insecure.
const signature = `sha384:${signatureBytes.digest('hex')}`

// respond with { params, signature } JSON to the client
```


https://github.com/user-attachments/assets/9217e457-b38b-48ac-81f0-37a417309e98



<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds AI image generation plugin using Transloadit, exports low-level
Transloadit APIs, and replaces SearchInput with new
FilterInput/SearchView + useSearchForm across provider views.
> 
> - **New plugin: `@uppy/image-generator`**
> - UI plugin to generate images from a prompt via Transloadit
(`src/index.tsx`, styles, locale, build configs).
> - Integrated into dev Dashboard and included in `uppy` bundle and
global styles.
> - **Provider Views refactor**
> - Remove `SearchInput`; introduce `useSearchForm`, `SearchView`, and
`FilterInput` components.
> - Update `ProviderView`, `SearchProviderView`, and `Webdav` to use new
components; export them from `@uppy/provider-views`.
> - **Transloadit updates**
> - Export `Assembly`, `AssemblyError`, and `Client` from
`@uppy/transloadit`.
>   - Minor internal change: normalize `assemblyOptions.fields`.
> - **Locales**
> - Add strings for image generation and minor additions (e.g.,
`chooseFiles`).
>   - Ensure locales build depends on `@uppy/image-generator`.
> - **Build config**
> - Turborepo: add `uppy#build:css` and hook `image-generator` into
locales build.
> - **Changesets**
> - `@uppy/image-generator` major; `@uppy/transloadit` minor;
`@uppy/locales` and `uppy` minor; `@uppy/provider-views` and
`@uppy/webdav` patch.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
4b1b729069. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2025-12-03 11:59:52 +01:00
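An added example, not code from the Uppy repository or from this commit: the server-side signing step from the commit message above, wrapped in a function that validates the prompt before it is signed, with a verifier that shows the signature no longer matches once the params are altered. `buildSignedAssemblyOptions`, `verifySignature`, the 500-character limit and the key and secret values are assumptions for illustration; `verifySignature` only illustrates why the signature binds the params and is not Transloadit's server code.

```javascript
// Loads node:crypto in both CommonJS and ES module files.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto')

const MAX_PROMPT_LENGTH = 500 // assumed limit, not a Transloadit requirement

// Same timestamp format as the utcDateString helper in the commit message.
function utcDateString(ms) {
  return new Date(ms)
    .toISOString()
    .replace(/-/g, '/')
    .replace(/T/, ' ')
    .replace(/\.\d+Z$/, '+00:00')
}

// Query-string parsers can hand back arrays or objects (?prompt[]=a&prompt[]=b),
// so check the type before the value is embedded in signed params.
function validatePrompt(prompt) {
  if (typeof prompt !== 'string') throw new TypeError('prompt must be a string')
  const trimmed = prompt.trim()
  if (trimmed.length === 0 || trimmed.length > MAX_PROMPT_LENGTH) {
    throw new RangeError(`prompt must be 1-${MAX_PROMPT_LENGTH} characters`)
  }
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) {
    throw new RangeError('prompt contains control characters')
  }
  return trimmed
}

// HMAC-SHA384 over the exact params string, prefixed with the hash name.
function signParams(params, authSecret) {
  const hex = crypto
    .createHmac('sha384', authSecret)
    .update(Buffer.from(params, 'utf-8'))
    .digest('hex')
  return `sha384:${hex}`
}

// The server fixes every step option; only the validated prompt comes from the client.
function buildSignedAssemblyOptions(rawPrompt, options) {
  const { authKey, authSecret, now = Date.now(), ttlMs = 60 * 60 * 1000 } = options
  const prompt = validatePrompt(rawPrompt)
  const params = JSON.stringify({
    auth: { key: authKey, expires: utcDateString(now + ttlMs) },
    steps: {
      generated_image: {
        robot: '/image/generate',
        result: true,
        aspect_ratio: '2:3',
        model: 'flux-1.1-pro-ultra',
        prompt,
        num_outputs: 2,
      },
    },
  })
  return { params, signature: signParams(params, authSecret) }
}

// Recompute the signature and compare in constant time.
function verifySignature(params, signature, authSecret) {
  const expected = Buffer.from(signParams(params, authSecret))
  const given = Buffer.from(String(signature))
  return expected.length === given.length && crypto.timingSafeEqual(expected, given)
}

// Constructed sample run: sign once, then change a step option after signing.
function demo() {
  const secrets = {
    authKey: 'EXAMPLE_KEY', // placeholder
    authSecret: 'EXAMPLE_SECRET', // placeholder, keep the real one server-side only
    now: Date.UTC(2025, 0, 1),
  }
  const signed = buildSignedAssemblyOptions('a lighthouse at dusk', secrets)
  const tampered = signed.params.replace('"num_outputs":2', '"num_outputs":8')
  return {
    expires: JSON.parse(signed.params).auth.expires,
    signature: signed.signature,
    original: verifySignature(signed.params, signed.signature, secrets.authSecret),
    tampered: verifySignature(tampered, signed.signature, secrets.authSecret),
  }
}
```

Because the signature covers the whole params string, the client can forward `{ params, signature }` but cannot change the model, output count or expiry without the secret.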
Merlijn Vos
93ef1ba0e7
Resolve all angular yarn warnings (#6080)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Aligns Angular dependencies (including compiler-cli and animations) to
^19.2.17 in examples/angular and packages/@uppy/angular.
> 
> - **Dependencies**:
>   - `examples/angular/package.json`:
> - Bump `@angular/common`, `core`, `forms`, `platform-browser`,
`platform-browser-dynamic`, `router`, and `@angular/compiler-cli` to
`^19.2.17`.
>   - `packages/@uppy/angular/package.json`:
> - Bump `@angular/animations`, `common`, `compiler`, `core`, `forms`,
`platform-browser`, `platform-browser-dynamic`, `router` to `^19.2.17`.
>     - Update dev dependency `@angular/compiler-cli` to `^19.2.17`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
1af50119f0. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-03 10:54:21 +01:00
dependabot[bot]
28c27e875c
build(deps): bump validator from 13.15.20 to 13.15.22 (#6082)
Bumps [validator](https://github.com/validatorjs/validator.js) from
13.15.20 to 13.15.22.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/validatorjs/validator.js/releases">validator's
releases</a>.</em></p>
<blockquote>
<h2>13.15.22</h2>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2622">#2622</a>
<code>isURL</code>: fix regression with hostnames with ports <a
href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2616">#2616</a>
<code>isLength</code>: improve handling Unicode variation selectors <a
href="https://github.com/koral"><code>@​koral</code></a>--</li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2621">#2621</a>
<a href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
</ul>
</li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/mbtools"><code>@​mbtools</code></a> made
their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2622">validatorjs/validator.js#2622</a></li>
<li><a href="https://github.com/koral"><code>@​koral</code></a>-- made
their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2616">validatorjs/validator.js#2616</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/validatorjs/validator.js/compare/13.15.20...13.15.22">https://github.com/validatorjs/validator.js/compare/13.15.20...13.15.22</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md">validator's
changelog</a>.</em></p>
<blockquote>
<h1>13.15.22</h1>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2622">#2622</a>
<code>isURL</code>: fix regression with hostnames with ports <a
href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2616">#2616</a>
<code>isLength</code>: improve handling Unicode variation selectors <a
href="https://github.com/koral"><code>@​koral</code></a>--</li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2621">#2621</a>
<a href="https://github.com/mbtools"><code>@​mbtools</code></a></li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f2b5c17dbe"><code>f2b5c17</code></a>
maintenance: 2511 release (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2627">#2627</a>)</li>
<li><a
href="d457ecaf55"><code>d457eca</code></a>
fix(isLength): correctly handle Unicode variation selectors (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2616">#2616</a>)</li>
<li><a
href="f2e3633f22"><code>f2e3633</code></a>
docs: add install instructions to contibution guide (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2621">#2621</a>)</li>
<li><a
href="cf401458b8"><code>cf40145</code></a>
fix: URL validation for hostnames with ports (no protocol) (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2622">#2622</a>)</li>
<li><a
href="4af61243ba"><code>4af6124</code></a>
maintenance: 2510 release (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2585">#2585</a>)</li>
<li>See full diff in <a
href="https://github.com/validatorjs/validator.js/compare/13.15.20...13.15.22">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~wikirik">wikirik</a>, a new releaser for
validator since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=validator&package-manager=npm_and_yarn&previous-version=13.15.20&new-version=13.15.22)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-03 10:50:49 +01:00
dependabot[bot]
5b680f2f05
build(deps): bump body-parser from 1.20.3 to 1.20.4 (#6070)
Bumps [body-parser](https://github.com/expressjs/body-parser) from
1.20.3 to 1.20.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/releases">body-parser's
releases</a>.</em></p>
<blockquote>
<h2>v2.2.1</h2>
<h2>Important: Security</h2>
<ul>
<li>Security fix for <a
href="https://www.cve.org/CVERecord?id=CVE-2025-13466">CVE-2025-13466</a>
(<a
href="https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4">GHSA-wqch-xfxh-vrr4</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>ci: add dependabot by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/593">expressjs/body-parser#593</a></li>
<li>ci: use full SHAs for github action versions by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/594">expressjs/body-parser#594</a></li>
<li>deps: type-is@^2.0.1 by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/599">expressjs/body-parser#599</a></li>
<li>build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/609">expressjs/body-parser#609</a></li>
<li>build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/610">expressjs/body-parser#610</a></li>
<li>build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/611">expressjs/body-parser#611</a></li>
<li>build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/613">expressjs/body-parser#613</a></li>
<li>build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/612">expressjs/body-parser#612</a></li>
<li>ci: add codeql github workflows scanning by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/614">expressjs/body-parser#614</a></li>
<li>ci: update CodeQL config to ignore the test directory by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/615">expressjs/body-parser#615</a></li>
<li>build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/620">expressjs/body-parser#620</a></li>
<li>build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/619">expressjs/body-parser#619</a></li>
<li>chore(deps): unpin devDependencies by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/616">expressjs/body-parser#616</a></li>
<li>ci: add node.js 24 to test matrix by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/621">expressjs/body-parser#621</a></li>
<li>build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/623">expressjs/body-parser#623</a></li>
<li>build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/624">expressjs/body-parser#624</a></li>
<li>chore: add funding to package.json by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/617">expressjs/body-parser#617</a></li>
<li>build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/625">expressjs/body-parser#625</a></li>
<li>build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/630">expressjs/body-parser#630</a></li>
<li>refactor: move common request validation to read function by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/600">expressjs/body-parser#600</a></li>
<li>deps: bump iconv-lite by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/631">expressjs/body-parser#631</a></li>
<li>doc: pull beta changelog forward into 2.0.0 by <a
href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a
href="https://redirect.github.com/expressjs/body-parser/pull/629">expressjs/body-parser#629</a></li>
<li>refactor: optimize raw and text parsers with shared passthrough
function by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/634">expressjs/body-parser#634</a></li>
<li>build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/640">expressjs/body-parser#640</a></li>
<li>build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/639">expressjs/body-parser#639</a></li>
<li>build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/636">expressjs/body-parser#636</a></li>
<li>build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/637">expressjs/body-parser#637</a></li>
<li>build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/638">expressjs/body-parser#638</a></li>
<li>deps: raw-body@^3.0.1 by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/641">expressjs/body-parser#641</a></li>
<li>deps: debug@^4.4.3 by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/642">expressjs/body-parser#642</a></li>
<li>docs: add iconv-lite 0.7.0 changes to history entry by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/645">expressjs/body-parser#645</a></li>
<li>ci: add node.js 25 to test matrix by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/650">expressjs/body-parser#650</a></li>
<li>perf: move read options outside parser middlewares by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/648">expressjs/body-parser#648</a></li>
<li>test(json): add RFC 7159 whitespace edge cases by <a
href="https://github.com/Ayoub-Mabrouk"><code>@​Ayoub-Mabrouk</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/653">expressjs/body-parser#653</a></li>
<li>test: add test for urlencoded invalid defaultCharset by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/643">expressjs/body-parser#643</a></li>
<li>build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by
<a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/657">expressjs/body-parser#657</a></li>
<li>build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/656">expressjs/body-parser#656</a></li>
<li>build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/655">expressjs/body-parser#655</a></li>
<li>build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/654">expressjs/body-parser#654</a></li>
<li>ci: also test on first supported node.js version by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/646">expressjs/body-parser#646</a></li>
<li>chore: switch badges from badgen.net to shields.io by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/661">expressjs/body-parser#661</a></li>
<li>Remove history.md from being packaged on publish by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/660">expressjs/body-parser#660</a></li>
<li>Release: 2.2.1 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/659">expressjs/body-parser#659</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/blob/master/HISTORY.md">body-parser's
changelog</a>.</em></p>
<blockquote>
<h1>2.2.1 / 2025-11-24</h1>
<ul>
<li>Security fix for <a
href="https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4">GHSA-wqch-xfxh-vrr4</a></li>
<li>deps:
<ul>
<li>type-is@^2.0.1</li>
<li>iconv-lite@^0.7.0
<ul>
<li>Handle split surrogate pairs when encoding UTF-8</li>
<li>Avoid false positives in <code>encodingExists</code> by using
prototype-less objects</li>
</ul>
</li>
<li>raw-body@^3.0.1</li>
<li>debug@^4.4.3</li>
</ul>
</li>
</ul>
<h1>2.2.0 / 2025-03-27</h1>
<ul>
<li>refactor: normalize common options for all parsers</li>
<li>deps:
<ul>
<li>iconv-lite@^0.6.3</li>
</ul>
</li>
</ul>
<h1>2.1.0 / 2025-02-10</h1>
<ul>
<li>deps:
<ul>
<li>type-is@^2.0.0</li>
<li>debug@^4.4.0</li>
<li>Removed destroy</li>
</ul>
</li>
<li>refactor: prefix built-in node module imports</li>
<li>use the node require cache instead of custom caching</li>
</ul>
<h1>2.0.2 / 2024-10-31</h1>
<ul>
<li>remove <code>unpipe</code> package and use native
<code>unpipe()</code> method</li>
</ul>
<h1>2.0.1 / 2024-09-10</h1>
<ul>
<li>Restore expected behavior <code>extended</code> to
<code>false</code></li>
</ul>
<h1>2.0.0 / 2024-09-10</h1>
<h2>Breaking Changes</h2>
<ul>
<li>Node.js 18 is the minimum supported version</li>
<li><code>req.body</code> is no longer always initialized to
<code>{}</code>
<ul>
<li>it is left <code>undefined</code> unless a body is parsed</li>
</ul>
</li>
<li>Remove deprecated <code>bodyParser()</code> combination
middleware</li>
<li><del><code>urlencoded</code> parser now defaults
<code>extended</code> to <code>false</code></del> as released, this is
not the case, fixed in 2.0.1</li>
<li><code>urlencoded</code> simple parser now uses <code>qs</code>
module instead of <code>querystring</code> module</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="d96b63da8d"><code>d96b63d</code></a>
2.2.1 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/659">#659</a>)</li>
<li><a
href="b204886a67"><code>b204886</code></a>
sec: security patch for CVE-2025-13466</li>
<li><a
href="e20e3512e0"><code>e20e351</code></a>
feat: remove <code>history.md</code> from being packaged on publish (<a
href="https://redirect.github.com/expressjs/body-parser/issues/660">#660</a>)</li>
<li><a
href="0d7ce71c84"><code>0d7ce71</code></a>
docs: switch badges from badgen.net to shields.io (<a
href="https://redirect.github.com/expressjs/body-parser/issues/661">#661</a>)</li>
<li><a
href="168afff347"><code>168afff</code></a>
ci: also test on first supported node.js version (<a
href="https://redirect.github.com/expressjs/body-parser/issues/646">#646</a>)</li>
<li><a
href="e539a7121d"><code>e539a71</code></a>
build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/654">#654</a>)</li>
<li><a
href="939161277a"><code>9391612</code></a>
build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/655">#655</a>)</li>
<li><a
href="57baafb3bb"><code>57baafb</code></a>
build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/656">#656</a>)</li>
<li><a
href="a6a088e088"><code>a6a088e</code></a>
build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/657">#657</a>)</li>
<li><a
href="10a114d55d"><code>10a114d</code></a>
test: add test for urlencoded invalid defaultCharset (<a
href="https://redirect.github.com/expressjs/body-parser/issues/643">#643</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/expressjs/body-parser/compare/1.20.3...v2.2.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=body-parser&package-manager=npm_and_yarn&previous-version=1.20.3&new-version=2.2.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:55:11 +01:00
dependabot[bot]
39b82fd231
build(deps): bump express from 4.19.2 to 4.22.0 (#6079)
Bumps [express](https://github.com/expressjs/express) from 4.19.2 to
4.22.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/express/releases">express's
releases</a>.</em></p>
<blockquote>
<h2>4.22.0</h2>
<h2>Important: Security</h2>
<ul>
<li>Security fix for <a
href="https://www.cve.org/CVERecord?id=CVE-2024-51999">CVE-2024-51999</a>
(<a
href="https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6">GHSA-pj86-cfqh-vqx6</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Refactor: improve readability by <a
href="https://github.com/sazk07"><code>@​sazk07</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6190">expressjs/express#6190</a></li>
<li>ci: add support for Node.js@23.0 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6080">expressjs/express#6080</a></li>
<li>Method functions with no path should error by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/5957">expressjs/express#5957</a></li>
<li>ci: updated github actions ci workflow by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6323">expressjs/express#6323</a></li>
<li>ci: reorder <code>npm i</code> steps to fix ci for older node
versions by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6336">expressjs/express#6336</a></li>
<li>Backport: ci: add node.js 24 to test matrix by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6506">expressjs/express#6506</a></li>
<li>chore(4.x): wider range for query test skip by <a
href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6513">expressjs/express#6513</a></li>
<li>use tilde notation for certain dependencies by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6905">expressjs/express#6905</a></li>
<li>deps: qs@6.14.0 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6909">expressjs/express#6909</a></li>
<li>deps: use tilde notation for <code>qs</code> by <a
href="https://github.com/Phillip9587"><code>@​Phillip9587</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6919">expressjs/express#6919</a></li>
<li>Release: 4.22.0 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6921">expressjs/express#6921</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/express/compare/4.21.2...4.22.0">https://github.com/expressjs/express/compare/4.21.2...4.22.0</a></p>
<h2>4.21.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Add funding field (v4) by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/6065">expressjs/express#6065</a></li>
<li>deps: path-to-regexp@0.1.11 by <a
href="https://github.com/blakeembrey"><code>@​blakeembrey</code></a> in
<a
href="https://redirect.github.com/expressjs/express/pull/5956">expressjs/express#5956</a></li>
<li>deps: bump path-to-regexp@0.1.12 by <a
href="https://github.com/jonchurch"><code>@​jonchurch</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6209">expressjs/express#6209</a></li>
<li>Release: 4.21.2 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6094">expressjs/express#6094</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/express/compare/4.21.1...4.21.2">https://github.com/expressjs/express/compare/4.21.1...4.21.2</a></p>
<h2>4.21.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Backport a fix for CVE-2024-47764 to the 4.x branch by <a
href="https://github.com/joshbuker"><code>@​joshbuker</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/6029">expressjs/express#6029</a></li>
<li>Release: 4.21.1 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/6031">expressjs/express#6031</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/express/compare/4.21.0...4.21.1">https://github.com/expressjs/express/compare/4.21.0...4.21.1</a></p>
<h2>4.21.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Deprecate <code>&quot;back&quot;</code> magic string in redirects by
<a href="https://github.com/blakeembrey"><code>@​blakeembrey</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/5935">expressjs/express#5935</a></li>
<li>finalhandler@1.3.1 by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/5954">expressjs/express#5954</a></li>
<li>fix(deps): serve-static@1.16.2 by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/express/pull/5951">expressjs/express#5951</a></li>
<li>Upgraded dependency qs to 6.13.0 to match qs in body-parser by <a
href="https://github.com/agadzinski93"><code>@​agadzinski93</code></a>
in <a
href="https://redirect.github.com/expressjs/express/pull/5946">expressjs/express#5946</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/agadzinski93"><code>@​agadzinski93</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/express/pull/5946">expressjs/express#5946</a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/express/blob/4.22.0/History.md">express's
changelog</a>.</em></p>
<blockquote>
<h1>4.22.0 / 2025-12-01</h1>
<ul>
<li>Security fix for <a
href="https://www.cve.org/CVERecord?id=CVE-2024-51999">CVE-2024-51999</a>
(<a
href="https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6">GHSA-pj86-cfqh-vqx6</a>)</li>
<li>deps: use tilde notation for dependencies</li>
<li>deps: qs@6.14.0</li>
</ul>
<h1>4.21.2 / 2024-11-06</h1>
<ul>
<li>deps: path-to-regexp@0.1.12
<ul>
<li>Fix backtracking protection</li>
</ul>
</li>
<li>deps: path-to-regexp@0.1.11
<ul>
<li>Throws an error on invalid path values</li>
</ul>
</li>
</ul>
<h1>4.21.1 / 2024-10-08</h1>
<ul>
<li>Backported a fix for <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-47764">CVE-2024-47764</a></li>
</ul>
<h1>4.21.0 / 2024-09-11</h1>
<ul>
<li>Deprecate <code>res.location(&quot;back&quot;)</code> and
<code>res.redirect(&quot;back&quot;)</code> magic string</li>
<li>deps: serve-static@1.16.2
<ul>
<li>includes send@0.19.0</li>
</ul>
</li>
<li>deps: finalhandler@1.3.1</li>
<li>deps: qs@6.13.0</li>
</ul>
<h1>4.20.0 / 2024-09-10</h1>
<ul>
<li>deps: serve-static@0.16.0
<ul>
<li>Remove link renderization in html while redirecting</li>
</ul>
</li>
<li>deps: send@0.19.0
<ul>
<li>Remove link renderization in html while redirecting</li>
</ul>
</li>
<li>deps: body-parser@0.6.0
<ul>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li>IMPORTANT: The default <code>depth</code> level for parsing
URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>)</li>
</ul>
</li>
<li>Remove link renderization in html while using
<code>res.redirect</code></li>
<li>deps: path-to-regexp@0.1.10
<ul>
<li>Adds support for named matching groups in the routes using a
regex</li>
<li>Adds backtracking protection to parameters without regexes
defined</li>
</ul>
</li>
<li>deps: encodeurl@~2.0.0
<ul>
<li>Removes encoding of <code>\</code>, <code>|</code>, and
<code>^</code> to align better with URL spec</li>
</ul>
</li>
<li>Deprecate passing <code>options.maxAge</code> and
<code>options.expires</code> to <code>res.clearCookie</code>
<ul>
<li>Will be ignored in v5, clearCookie will set a cookie with an expires
in the past to instruct clients to delete the cookie</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="49744abd11"><code>49744ab</code></a>
4.22.0 (<a
href="https://redirect.github.com/expressjs/express/issues/6921">#6921</a>)</li>
<li><a
href="6e97452f60"><code>6e97452</code></a>
sec: security patch for CVE-2024-51999</li>
<li><a
href="6a23d34d65"><code>6a23d34</code></a>
deps: use tilde notation for <code>qs</code> (<a
href="https://redirect.github.com/expressjs/express/issues/6919">#6919</a>)</li>
<li><a
href="8c12cdf93b"><code>8c12cdf</code></a>
deps: qs@6.14.0 (<a
href="https://redirect.github.com/expressjs/express/issues/6909">#6909</a>)</li>
<li><a
href="7fea74fcf0"><code>7fea74f</code></a>
deps: use tilde notation for certain dependencies (<a
href="https://redirect.github.com/expressjs/express/issues/6905">#6905</a>)</li>
<li><a
href="dac7a0475a"><code>dac7a04</code></a>
chore: wider range for query test skip (<a
href="https://redirect.github.com/expressjs/express/issues/6513">#6513</a>)</li>
<li><a
href="997919b488"><code>997919b</code></a>
ci: add node.js 24 to test matrix (<a
href="https://redirect.github.com/expressjs/express/issues/6506">#6506</a>)</li>
<li><a
href="36fb59c6c7"><code>36fb59c</code></a>
fix(ci): reorder <code>npm i</code> steps to fix ci for older node
versions (<a
href="https://redirect.github.com/expressjs/express/issues/6336">#6336</a>)</li>
<li><a
href="3a5edfaff0"><code>3a5edfa</code></a>
fix(ci): updated github actions ci workflow (<a
href="https://redirect.github.com/expressjs/express/issues/6323">#6323</a>)</li>
<li><a
href="52d978119a"><code>52d9781</code></a>
fix(test): add test for method routes without paths <a
href="https://redirect.github.com/expressjs/express/issues/5955">#5955</a></li>
<li>Additional commits viewable in <a
href="https://github.com/expressjs/express/compare/4.19.2...4.22.0">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:46:06 +01:00
dependabot[bot]
21a8f1a467
build(deps): bump @angular/common from 19.2.14 to 19.2.16 (#6072)
Bumps
[@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common)
from 19.2.14 to 19.2.16.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/releases"><code>@​angular/common</code>'s
releases</a>.</em></p>
<blockquote>
<h2>19.2.16</h2>
<h3>http</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="05fe6686a9"><img
src="https://img.shields.io/badge/05fe6686a9-fix-green" alt="fix -
05fe6686a9" /></a></td>
<td>prevent XSRF token leakage to protocol-relative URLs</td>
</tr>
</tbody>
</table>
<h2>19.2.15</h2>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="70d0639bc1"><img
src="https://img.shields.io/badge/70d0639bc1-fix-green" alt="fix -
70d0639bc1" /></a></td>
<td>introduce <code>BootstrapContext</code> for improved server
bootstrapping (<a
href="https://github.com/angular/angular/tree/HEAD/packages/common/issues/63639">#63639</a>)</td>
</tr>
</tbody>
</table>
<h2>Breaking Changes</h2>
<h3>core</h3>
<ul>
<li>
<p>The server-side bootstrapping process has been changed to eliminate
the reliance on a global platform injector.</p>
<p>Before:</p>
<pre lang="ts"><code>const bootstrap = () =&gt;
bootstrapApplication(AppComponent, config);
</code></pre>
<p>After:</p>
<pre lang="ts"><code>const bootstrap = (context: BootstrapContext) =&gt;
  bootstrapApplication(AppComponent, config, context);
</code></pre>
<p>A schematic is provided to automatically update
<code>main.server.ts</code> files to pass the
<code>BootstrapContext</code> to the <code>bootstrapApplication</code>
call.</p>
<p>In addition, <code>getPlatform()</code> and
<code>destroyPlatform()</code> will now return <code>null</code> and be
a no-op respectively when running in a server environment.</p>
</li>
</ul>
<p>For more information please see: <a
href="https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7">https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/blob/main/CHANGELOG.md"><code>@​angular/common</code>'s
changelog</a>.</em></p>
<blockquote>
<h1>19.2.16 (2025-11-26)</h1>
<h3>http</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="05fe6686a9">05fe6686a9</a></td>
<td>fix</td>
<td>prevent XSRF token leakage to protocol-relative URLs</td>
</tr>
</tbody>
</table>
<h1>21.1.0-next.0 (2025-11-25)</h1>
<h3>platform-browser</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="ec9dc94cee">ec9dc94cee</a></td>
<td>feat</td>
<td>add <code>context</code> to <code>createApplication</code></td>
</tr>
<tr>
<td><a
href="ab67988d2e">ab67988d2e</a></td>
<td>feat</td>
<td>resolve JIT resources in <code>createApplication</code></td>
</tr>
</tbody>
</table>
<h3>router</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="a03c82564d">a03c82564d</a></td>
<td>feat</td>
<td>Add scroll behavior controls on router navigation</td>
</tr>
<tr>
<td><a
href="c25d749d85">c25d749d85</a></td>
<td>feat</td>
<td>Execute RunGuardsAndResolvers function in injection context</td>
</tr>
<tr>
<td><a
href="c84d372778">c84d372778</a></td>
<td>feat</td>
<td>Support wildcard params with segments trailing (<a
href="https://redirect.github.com/angular/angular/pull/64737">#64737</a>)</td>
</tr>
</tbody>
</table>
<h1>20.3.14 (2025-11-25)</h1>
<h3>http</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="0276479e7d">0276479e7d</a></td>
<td>fix</td>
<td>prevent XSRF token leakage to protocol-relative URLs</td>
</tr>
</tbody>
</table>
<h1>21.0.1 (2025-11-25)</h1>
<h3>compiler-cli</h3>
<p>| Commit | Type | Description |</p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="05fe6686a9"><code>05fe668</code></a>
fix(http): prevent XSRF token leakage to protocol-relative URLs</li>
<li>See full diff in <a
href="https://github.com/angular/angular/commits/19.2.16/packages/common">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:45:53 +01:00
dependabot[bot]
d2637e4d3b
build(deps): bump validator from 13.12.0 to 13.15.20 (#6041)
Bumps [validator](https://github.com/validatorjs/validator.js) from
13.12.0 to 13.15.20.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/validatorjs/validator.js/releases">validator's
releases</a>.</em></p>
<blockquote>
<h2>13.15.20</h2>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2556">#2556</a>
<code>isMobilePhone</code>: add <code>ar-QA</code> locale <a
href="https://github.com/WardKhaddour"><code>@​WardKhaddour</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2576">#2576</a>
<code>isAlpha</code>/<code>isAlphanumeric</code>: add Indic locales
(<code>ta-IN</code>, <code>te-IN</code>, <code>kn-IN</code>,
<code>ml-IN</code>, <code>gu-IN</code>, <code>pa-IN</code>,
<code>or-IN</code>) <a
href="https://github.com/avadootharajesh"><code>@​avadootharajesh</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2574">#2574</a>
<code>isBase64</code>: improve padding regex <a
href="https://github.com/KrayzeeKev"><code>@​KrayzeeKev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2584">#2584</a>
<code>isVAT</code>: improve <code>FR</code> locale <a
href="https://github.com/iamAmer"><code>@​iamAmer</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2608">#2608</a>
<code>isURL</code>: improve protocol detection. Resolves CVE-2025-56200
<a href="https://github.com/theofidry"><code>@​theofidry</code></a></li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2563">#2563</a>
<a href="https://github.com/stoneLeaf"><code>@​stoneLeaf</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2581">#2581</a>
<a
href="https://github.com/camillobruni"><code>@​camillobruni</code></a></li>
</ul>
</li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/stoneLeaf"><code>@​stoneLeaf</code></a>
made their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2563">validatorjs/validator.js#2563</a></li>
<li><a
href="https://github.com/WardKhaddour"><code>@​WardKhaddour</code></a>
made their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2556">validatorjs/validator.js#2556</a></li>
<li><a
href="https://github.com/avadootharajesh"><code>@​avadootharajesh</code></a>
made their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2576">validatorjs/validator.js#2576</a></li>
<li><a
href="https://github.com/KrayzeeKev"><code>@​KrayzeeKev</code></a> made
their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2574">validatorjs/validator.js#2574</a></li>
<li><a href="https://github.com/iamAmer"><code>@​iamAmer</code></a> made
their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2584">validatorjs/validator.js#2584</a></li>
<li><a
href="https://github.com/camillobruni"><code>@​camillobruni</code></a>
made their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2581">validatorjs/validator.js#2581</a></li>
<li><a href="https://github.com/theofidry"><code>@​theofidry</code></a>
made their first contribution in <a
href="https://redirect.github.com/validatorjs/validator.js/pull/2608">validatorjs/validator.js#2608</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/validatorjs/validator.js/compare/13.15.15...13.15.20">https://github.com/validatorjs/validator.js/compare/13.15.15...13.15.20</a></p>
<h2>13.15.15</h2>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><code>isMobilePhone</code>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2514">#2514</a>
improve <code>el-CY</code> locale <a
href="https://github.com/rezk2ll"><code>@​rezk2ll</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2512">#2512</a>
improve <code>pt-AO</code> locale <a
href="https://github.com/renaldodev"><code>@​renaldodev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2502">#2502</a>
improve <code>ar-OM</code> locale <a
href="https://github.com/tomcastro"><code>@​tomcastro</code></a></li>
</ul>
</li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2089">#2089</a>
<code>isIP</code>: allow usage of option object <a
href="https://github.com/pixelbucket-dev"><code>@​pixelbucket-dev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2526">#2526</a>
<code>isPassportNumber</code>: improve <code>CA</code> locale <a
href="https://github.com/evanbechtol"><code>@​evanbechtol</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2491">#2491</a>
<code>isBase64</code>: improve validation based on RFC4648 <a
href="https://github.com/aseyfpour"><code>@​aseyfpour</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2479">#2479</a>
<code>isPostalCode</code>: improve <code>FR</code> locale <a
href="https://github.com/Rajput-Balram"><code>@​Rajput-Balram</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2088">#2088</a>
<code>isBefore</code>: allow usage of option object <a
href="https://github.com/pixelbucket-dev"><code>@​pixelbucket-dev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2346">#2346</a>
<code>isRgbColor</code>: allow second digit in rgba alpha value <a
href="https://github.com/controlol"><code>@​controlol</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2453">#2453</a>
<code>isIP</code>: improve IPv6 regex <a
href="https://github.com/ShreySinha02"><code>@​ShreySinha02</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2052">#2052</a>
<code>isPostalCode</code>: add <code>PK</code> locale <a
href="https://github.com/mateeni-dev"><code>@​mateeni-dev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2529">#2529</a>
<code>isPostalCode</code>: improve <code>TW</code> locale <a
href="https://github.com/Crocsx"><code>@​Crocsx</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2550">#2550</a>
<code>isPassportNumber</code>: improve <code>US</code> locale <a
href="https://github.com/yitzchak-schechter"><code>@​yitzchak-schechter</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2553">#2553</a>
<code>isUUID</code>: add <code>loose</code> option <a
href="https://github.com/bc-m"><code>@​bc-m</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2551">#2551</a>
<code>isPostalCode</code>: add <code>BD</code> locale <a
href="https://github.com/tanvirrb"><code>@​tanvirrb</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2555">#2555</a>
<code>isLicensePlate</code>: improve <code>pt-PT</code> locale <a
href="https://github.com/castrosu"><code>@​castrosu</code></a></li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2372">#2372</a>
<a
href="https://github.com/EmersonRabelo"><code>@​EmersonRabelo</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2538">#2538</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2539">#2539</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2540">#2540</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2549">#2549</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2537">#2537</a>
<a href="https://github.com/sgress454"><code>@​sgress454</code></a></li>
</ul>
</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md">validator's
changelog</a>.</em></p>
<blockquote>
<h1>13.15.20</h1>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2556">#2556</a>
<code>isMobilePhone</code>: add <code>ar-QA</code> locale <a
href="https://github.com/WardKhaddour"><code>@​WardKhaddour</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2576">#2576</a>
<code>isAlpha</code>/<code>isAlphanumeric</code>: add Indic locales
(<code>ta-IN</code>, <code>te-IN</code>, <code>kn-IN</code>,
<code>ml-IN</code>, <code>gu-IN</code>, <code>pa-IN</code>,
<code>or-IN</code>) <a
href="https://github.com/avadootharajesh"><code>@​avadootharajesh</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2574">#2574</a>
<code>isBase64</code>: improve padding regex <a
href="https://github.com/KrayzeeKev"><code>@​KrayzeeKev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2584">#2584</a>
<code>isVAT</code>: improve <code>FR</code> locale <a
href="https://github.com/iamAmer"><code>@​iamAmer</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2608">#2608</a>
<code>isURL</code>: improve protocol detection. Resolves CVE-2025-56200
<a href="https://github.com/theofidry"><code>@​theofidry</code></a></li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2563">#2563</a>
<a href="https://github.com/stoneLeaf"><code>@​stoneLeaf</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2581">#2581</a>
<a
href="https://github.com/camillobruni"><code>@​camillobruni</code></a></li>
</ul>
</li>
</ul>
<h1>13.15.15</h1>
<h3>Fixes, New Locales and Enhancements</h3>
<ul>
<li><code>isMobilePhone</code>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2514">#2514</a>
improve <code>el-CY</code> locale <a
href="https://github.com/rezk2ll"><code>@​rezk2ll</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2512">#2512</a>
improve <code>pt-AO</code> locale <a
href="https://github.com/renaldodev"><code>@​renaldodev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2502">#2502</a>
improve <code>ar-OM</code> locale <a
href="https://github.com/tomcastro"><code>@​tomcastro</code></a></li>
</ul>
</li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2089">#2089</a>
<code>isIP</code>: allow usage of option object <a
href="https://github.com/pixelbucket-dev"><code>@​pixelbucket-dev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2526">#2526</a>
<code>isPassportNumber</code>: improve <code>CA</code> locale <a
href="https://github.com/evanbechtol"><code>@​evanbechtol</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2491">#2491</a>
<code>isBase64</code>: improve validation based on RFC4648 <a
href="https://github.com/aseyfpour"><code>@​aseyfpour</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2479">#2479</a>
<code>isPostalCode</code>: improve <code>FR</code> locale <a
href="https://github.com/Rajput-Balram"><code>@​Rajput-Balram</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2088">#2088</a>
<code>isBefore</code>: allow usage of option object <a
href="https://github.com/pixelbucket-dev"><code>@​pixelbucket-dev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2346">#2346</a>
<code>isRgbColor</code>: allow second digit in rgba alpha value <a
href="https://github.com/controlol"><code>@​controlol</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2453">#2453</a>
<code>isIP</code>: improve IPv6 regex <a
href="https://github.com/ShreySinha02"><code>@​ShreySinha02</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2052">#2052</a>
<code>isPostalCode</code>: add <code>PK</code> locale <a
href="https://github.com/mateeni-dev"><code>@​mateeni-dev</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2529">#2529</a>
<code>isPostalCode</code>: improve <code>TW</code> locale <a
href="https://github.com/Crocsx"><code>@​Crocsx</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2550">#2550</a>
<code>isPassportNumber</code>: improve <code>US</code> locale <a
href="https://github.com/yitzchak-schechter"><code>@​yitzchak-schechter</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2553">#2553</a>
<code>isUUID</code>: add <code>loose</code> option <a
href="https://github.com/bc-m"><code>@​bc-m</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2551">#2551</a>
<code>isPostalCode</code>: add <code>BD</code> locale <a
href="https://github.com/tanvirrb"><code>@​tanvirrb</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2555">#2555</a>
<code>isLicensePlate</code>: improve <code>pt-PT</code> locale <a
href="https://github.com/castrosu"><code>@​castrosu</code></a></li>
<li><strong>Doc fixes and others:</strong>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2372">#2372</a>
<a
href="https://github.com/EmersonRabelo"><code>@​EmersonRabelo</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2538">#2538</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2539">#2539</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2540">#2540</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2549">#2549</a>
<a href="https://github.com/WikiRik"><code>@​WikiRik</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2537">#2537</a>
<a href="https://github.com/sgress454"><code>@​sgress454</code></a></li>
</ul>
</li>
</ul>
<h1>13.15.0</h1>
<h3>New Features / Validators</h3>
<ul>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2399">#2399</a>
<code>isISO31661Numeric</code> <a
href="https://github.com/RobinvanderVliet"><code>@​RobinvanderVliet</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2294">#2294</a>
<code>isULID</code> <a
href="https://github.com/arafatkn"><code>@​arafatkn</code></a></li>
<li><a
href="https://redirect.github.com/validatorjs/validator.js/pull/2215">#2215</a>
<code>isISO15924</code> <a
href="https://github.com/xDivisionByZerox"><code>@​xDivisionByZerox</code></a></li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="30d4fe02c1"><code>30d4fe0</code></a>
13.15.20</li>
<li><a
href="cbef5088f0"><code>cbef508</code></a>
fix(isURL): improve protocol detection. Resolves CVE-2025-56200 (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2608">#2608</a>)</li>
<li><a
href="6f436be369"><code>6f436be</code></a>
Fix typo in validators.test.js (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2581">#2581</a>)</li>
<li><a
href="3c857088d5"><code>3c85708</code></a>
Fix: correct French VAT (FR) validation regex and add tests (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2584">#2584</a>)</li>
<li><a
href="eee525cd11"><code>eee525c</code></a>
<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2491">#2491</a>
<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2573">#2573</a>
Simplify isBase64 to prevent stack overflow (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2574">#2574</a>)</li>
<li><a
href="abcc8ecb85"><code>abcc8ec</code></a>
feat(isAlpha, isAlphanumeric): add support for Indic locales (ta-IN,
te-IN, k...</li>
<li><a
href="72573b3d1d"><code>72573b3</code></a>
Add Qatar phone number validation (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2556">#2556</a>)</li>
<li><a
href="243f6c5fe4"><code>243f6c5</code></a>
docs(isMACAddress): improve ambiguous option description (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2563">#2563</a>)</li>
<li><a
href="3847c6f901"><code>3847c6f</code></a>
maintenance: 2505 release (<a
href="https://redirect.github.com/validatorjs/validator.js/issues/2560">#2560</a>)</li>
<li><a
href="9e503840d7"><code>9e50384</code></a>
feat(isLicensePlate): Updated isLicensePlate to accept real pt-PT
license pla...</li>
<li>Additional commits viewable in <a
href="https://github.com/validatorjs/validator.js/compare/13.12.0...13.15.20">compare
view</a></li>
</ul>
</details>
<br />



> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:33:32 +01:00
dependabot[bot]
80addccf39
build(deps): bump js-yaml from 3.14.1 to 3.14.2 (#6067)
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to
3.14.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's
changelog</a>.</em></p>
<blockquote>
<h2>[3.14.2] - 2025-11-15</h2>
<h3>Security</h3>
<ul>
<li>Backported v4.1.1 fix to v3</li>
</ul>
<h2>[4.1.1] - 2025-11-12</h2>
<h3>Security</h3>
<ul>
<li>Fix prototype pollution issue in yaml merge (&lt;&lt;)
operator.</li>
</ul>
<h2>[4.1.0] - 2021-04-15</h2>
<h3>Added</h3>
<ul>
<li>Types are now exported as <code>yaml.types.XXX</code>.</li>
<li>Every type now has <code>options</code> property with original
arguments kept as they were
(see <code>yaml.types.int.options</code> as an example).</li>
</ul>
<h3>Changed</h3>
<ul>
<li><code>Schema.extend()</code> now keeps old type order in case of
conflicts
(e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as
<code>abcd</code> instead of <code>cbad</code>).</li>
</ul>
<h2>[4.0.0] - 2021-01-03</h2>
<h3>Changed</h3>
<ul>
<li>Check <a
href="https://github.com/nodeca/js-yaml/blob/master/migrate_v3_to_v4.md">migration
guide</a> to see details for all breaking changes.</li>
<li>Breaking: &quot;unsafe&quot; tags <code>!!js/function</code>,
<code>!!js/regexp</code>, <code>!!js/undefined</code> are
moved to <a
href="https://github.com/nodeca/js-yaml-js-types">js-yaml-js-types</a>
package.</li>
<li>Breaking: removed <code>safe*</code> functions. Use
<code>load</code>, <code>loadAll</code>, <code>dump</code>
instead which are all now safe by default.</li>
<li><code>yaml.DEFAULT_SAFE_SCHEMA</code> and
<code>yaml.DEFAULT_FULL_SCHEMA</code> are removed, use
<code>yaml.DEFAULT_SCHEMA</code> instead.</li>
<li><code>yaml.Schema.create(schema, tags)</code> is removed, use
<code>schema.extend(tags)</code> instead.</li>
<li><code>!!binary</code> now always mapped to <code>Uint8Array</code>
on load.</li>
<li>Reduced nesting of <code>/lib</code> folder.</li>
<li>Parse numbers according to YAML 1.2 instead of YAML 1.1
(<code>01234</code> is now decimal,
<code>0o1234</code> is octal, <code>1:23</code> is parsed as string
instead of base60).</li>
<li><code>dump()</code> no longer quotes <code>:</code>, <code>[</code>,
<code>]</code>, <code>(</code>, <code>)</code> except when necessary, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/470">#470</a>,
<a
href="https://redirect.github.com/nodeca/js-yaml/issues/557">#557</a>.</li>
<li>Line and column in exceptions are now formatted as
<code>(X:Y)</code> instead of
<code>at line X, column Y</code> (also present in compact format), <a
href="https://redirect.github.com/nodeca/js-yaml/issues/332">#332</a>.</li>
<li>Code snippet created in exceptions now contains multiple lines with
line numbers.</li>
<li><code>dump()</code> now serializes <code>undefined</code> as
<code>null</code> in collections and removes keys with
<code>undefined</code> in mappings, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/571">#571</a>.</li>
<li><code>dump()</code> with <code>skipInvalid=true</code> now
serializes invalid items in collections as null.</li>
<li>Custom tags starting with <code>!</code> are now dumped as
<code>!tag</code> instead of <code>!&lt;!tag&gt;</code>, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/576">#576</a>.</li>
<li>Custom tags starting with <code>tag:yaml.org,2002:</code> are now
shorthanded using <code>!!</code>, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/258">#258</a>.</li>
</ul>
<h3>Added</h3>
<ul>
<li>Added <code>.mjs</code> (es modules) support.</li>
<li>Added <code>quotingType</code> and <code>forceQuotes</code> options
for dumper to configure
string literal style, <a
href="https://redirect.github.com/nodeca/js-yaml/issues/290">#290</a>,
<a
href="https://redirect.github.com/nodeca/js-yaml/issues/529">#529</a>.</li>
<li>Added <code>styles: { '!!null': 'empty' }</code> option for dumper
(serializes <code>{ foo: null }</code> as &quot;<code>foo:
</code>&quot;), <a
href="https://redirect.github.com/nodeca/js-yaml/issues/570">#570</a>.</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9963d366df"><code>9963d36</code></a>
3.14.2 released</li>
<li><a
href="10d3c8e70a"><code>10d3c8e</code></a>
dist rebuild</li>
<li><a
href="5278870a17"><code>5278870</code></a>
fix prototype pollution in merge (&lt;&lt;) (<a
href="https://redirect.github.com/nodeca/js-yaml/issues/731">#731</a>)</li>
<li>See full diff in <a
href="https://github.com/nodeca/js-yaml/compare/3.14.1...3.14.2">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:33:16 +01:00
dependabot[bot]
52704c6125
build(deps): bump node-forge from 1.3.1 to 1.3.2 (#6071)
Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.1 to
1.3.2.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md">node-forge's
changelog</a>.</em></p>
<blockquote>
<h2>1.3.2 - 2025-11-25</h2>
<h3>Security</h3>
<ul>
<li><strong>HIGH</strong>: ASN.1 Validator Desynchronization
<ul>
<li>An Interpretation Conflict (CWE-436) vulnerability in node-forge
versions
1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1
structures to desynchronize schema validations, yielding a semantic
divergence that may bypass downstream cryptographic verifications and
security decisions.</li>
<li>Reported by Hunter Wodzenski.</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2025-12816">CVE-2025-12816</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq">GHSA-5gfm-wpxj-wjgq</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: ASN.1 Unbounded Recursion
<ul>
<li>An Uncontrolled Recursion (CWE-674) vulnerability in node-forge
versions
1.3.1 and below enables remote, unauthenticated attackers to craft deep
ASN.1 structures that trigger unbounded recursive parsing. This leads to
a
Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER
inputs.</li>
<li>Reported by Hunter Wodzenski.</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2025-66031">CVE-2025-66031</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27">GHSA-554w-wpv2-vw27</a></li>
</ul>
</li>
<li><strong>MODERATE</strong>: ASN.1 OID Integer Truncation
<ul>
<li>An Integer Overflow (CWE-190) vulnerability in node-forge versions
1.3.1
and below enables remote, unauthenticated attackers to craft ASN.1
structures containing OIDs with oversized arcs. These arcs may be
decoded
as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the
bypass of downstream OID-based security decisions.</li>
<li>Reported by Hunter Wodzenski.</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2025-66030">CVE-2025-66030</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g">GHSA-65ch-62r8-g69g</a></li>
</ul>
</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>[asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12
MAC
verification bypass due to missing macData enforcement and improper
asn1.validate routine.</li>
<li>[asn1] Add <code>fromDer()</code> max recursion depth check.
<ul>
<li>Add a <code>asn1.maxDepth</code> global configurable maximum depth
of 256.</li>
<li>Add a <code>asn1.fromDer()</code> per-call <code>maxDepth</code>
option.</li>
<li><strong>NOTE</strong>: The default maximum is assumed to be higher
than needed for valid
data. If this assumption is false then this could be a breaking change.
Please file an issue if there are use cases that need a higher
maximum.</li>
<li><strong>NOTE</strong>: The per-call <code>maxDepth</code> parameter
has not been exposed up through
all of the API stack due to the complexities involved. Please file an
issue
if there are use cases that require this instead of changing the default
maximum.</li>
</ul>
</li>
<li>[asn1] Improve OID handling.
<ul>
<li>Error on parsed OID values larger than <code>2**32 - 1</code>.</li>
<li>Error on DER OID values larger than <code>2**53 - 1 </code>.</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="235ad3e70e"><code>235ad3e</code></a>
Release 1.3.2.</li>
<li><a
href="2598244117"><code>2598244</code></a>
Update changelog.</li>
<li><a
href="0032dd0be8"><code>0032dd0</code></a>
Fix typos.</li>
<li><a
href="d75e08d255"><code>d75e08d</code></a>
Run new security test.</li>
<li><a
href="a5ce91d03d"><code>a5ce91d</code></a>
Update changelog formatting.</li>
<li><a
href="4652de6ddd"><code>4652de6</code></a>
Cleanups.</li>
<li><a
href="eb932d94fb"><code>eb932d9</code></a>
Fix typo.</li>
<li><a
href="db6954ba4b"><code>db6954b</code></a>
Fix style.</li>
<li><a
href="afbf7d8e08"><code>afbf7d8</code></a>
Align error message style.</li>
<li><a
href="6607445859"><code>6607445</code></a>
Revert minor changes.</li>
<li>Additional commits viewable in <a
href="https://github.com/digitalbazaar/forge/compare/v1.3.1...v1.3.2">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:31:54 +01:00
dependabot[bot]
d3baf1b3a3
build(deps): bump @angular/compiler from 19.2.14 to 19.2.17 (#6078)
Bumps
[@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler)
from 19.2.14 to 19.2.17.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/releases"><code>@​angular/compiler</code>'s
releases</a>.</em></p>
<blockquote>
<h2>19.2.17</h2>
<h3>compiler</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="7c42e2ebeb"><img
src="https://img.shields.io/badge/7c42e2ebeb-fix-green" alt="fix -
7c42e2ebeb" /></a></td>
<td>prevent XSS via SVG animation <code>attributeName</code> and
MathML/SVG URLs</td>
</tr>
</tbody>
</table>
<h2>19.2.16</h2>
<h3>http</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="05fe6686a9"><img
src="https://img.shields.io/badge/05fe6686a9-fix-green" alt="fix -
05fe6686a9" /></a></td>
<td>prevent XSRF token leakage to protocol-relative URLs</td>
</tr>
</tbody>
</table>
<h2>19.2.15</h2>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="70d0639bc1"><img
src="https://img.shields.io/badge/70d0639bc1-fix-green" alt="fix -
70d0639bc1" /></a></td>
<td>introduce <code>BootstrapContext</code> for improved server
bootstrapping (<a
href="https://github.com/angular/angular/tree/HEAD/packages/compiler/issues/63639">#63639</a>)</td>
</tr>
</tbody>
</table>
<h2>Breaking Changes</h2>
<h3>core</h3>
<ul>
<li>
<p>The server-side bootstrapping process has been changed to eliminate
the reliance on a global platform injector.</p>
<p>Before:</p>
<pre lang="ts"><code>const bootstrap = () =&gt;
bootstrapApplication(AppComponent, config);
</code></pre>
<p>After:</p>
<pre lang="ts"><code>const bootstrap = (context: BootstrapContext) =&gt;
  bootstrapApplication(AppComponent, config, context);
</code></pre>
<p>A schematic is provided to automatically update
<code>main.server.ts</code> files to pass the
<code>BootstrapContext</code> to the <code>bootstrapApplication</code>
call.</p>
<p>In addition, <code>getPlatform()</code> and
<code>destroyPlatform()</code> will now return <code>null</code> and be
a no-op respectively when running in a server environment.</p>
</li>
</ul>
<p>For more information please see: <a
href="https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7">https://github.com/angular/angular/security/advisories/GHSA-68x2-mx4q-78m7</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/blob/main/CHANGELOG.md"><code>@​angular/compiler</code>'s
changelog</a>.</em></p>
<blockquote>
<h1>19.2.17 (2025-12-01)</h1>
<h3>compiler</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="7c42e2ebeb">7c42e2ebeb</a></td>
<td>fix</td>
<td>prevent XSS via SVG animation <code>attributeName</code> and
MathML/SVG URLs</td>
</tr>
</tbody>
</table>
<h1>19.2.16 (2025-11-26)</h1>
<h3>http</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="05fe6686a9">05fe6686a9</a></td>
<td>fix</td>
<td>prevent XSRF token leakage to protocol-relative URLs</td>
</tr>
</tbody>
</table>
<h1>21.1.0-next.0 (2025-11-25)</h1>
<h3>platform-browser</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="ec9dc94cee">ec9dc94cee</a></td>
<td>feat</td>
<td>add <code>context</code> to <code>createApplication</code></td>
</tr>
<tr>
<td><a
href="ab67988d2e">ab67988d2e</a></td>
<td>feat</td>
<td>resolve JIT resources in <code>createApplication</code></td>
</tr>
</tbody>
</table>
<h3>router</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="a03c82564d">a03c82564d</a></td>
<td>feat</td>
<td>Add scroll behavior controls on router navigation</td>
</tr>
<tr>
<td><a
href="c25d749d85">c25d749d85</a></td>
<td>feat</td>
<td>Execute RunGuardsAndResolvers function in injection context</td>
</tr>
<tr>
<td><a
href="c84d372778">c84d372778</a></td>
<td>feat</td>
<td>Support wildcard params with segments trailing (<a
href="https://redirect.github.com/angular/angular/pull/64737">#64737</a>)</td>
</tr>
</tbody>
</table>
<h1>20.3.14 (2025-11-25)</h1>
<h3>http</h3>
<p>| Commit | Type | Description |</p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7c42e2ebeb"><code>7c42e2e</code></a>
fix(compiler): prevent XSS via SVG animation <code>attributeName</code>
and MathML/SVG URLs</li>
<li>See full diff in <a
href="https://github.com/angular/angular/commits/19.2.17/packages/compiler">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-02 09:30:57 +01:00
Prakash
ec75d863ec
@uppy/provider-views: add e2e tests for Server side search (#6015)
Tests added as discussed in
[slack_discussion](https://transloadit.slack.com/archives/C0FMW9PSB/p1759931999124149?thread_ts=1759700542.941939&cid=C0FMW9PSB)

Directory structure mocked:

```
root/ 
├── first/
│   ├── second/
│   │   ├── third/
│   │   │   ├── nested-target.pdf
│   │   │   └── new-file.pdf
│   │   ├── deep-file.txt
│   │   ├── target.pdf
│   │   └── workspace.pdf
│   └── intermediate.doc
├── workspace/
│   └── project/
│       └── code.js
└── readme.md

```

Some of the mocked responses in CompanionHandler.ts aren’t used in the
tests, but I’ve kept them to preserve the legitimacy of the above
directory structure.
2025-11-07 16:50:57 +05:30
Merlijn Vos
46e339a150
@uppy/provider-views: add missing lodash dependency (#6045)
Fixes #6039
2025-10-30 09:59:36 +01:00
Merlijn Vos
72d2d68ea3
Fix various deps and peer deps in packages (#6030)
**Fixes**

- `@uppy/components` incorrectly had a lot of packages in `dependencies`
while they should be `peerDependencies`. Also removed `remote-sources`
completely as this drags in a lot of plugins and we don't even need it
there.
- `@uppy/{react,vue,svelte}` now has to have the same `peerDependencies`
as `components` as the requirement has been moved up. We also mark them
as optional, they are only needed if you use a hook such as `useWebcam`
needing `@uppy/webcam`.
- Remove `companion-client` and `provider-views` from `transloadit`.
Those are never used by the package.
- Remove `@uppy/utils` from `@uppy/angular` and `@uppy/react`, we can
just use imports from `core`
- Place `@uppy/status-bar` back in peer deps. This is critical but
forgotten when status bar was put back inside frameworks.

**Implications**
- Moving peer deps to deps in `@uppy/components` now requires people to
install these dependencies. However, they kind of had to anyway before
as we require people to install the plugin on uppy (`.use(Webcam)`) if
you want to use `useWebcam` and if you try to import a dep you did not
install they would have gotten an error already.
- Note: this is not the same situation as with importing dashboard
component from @uppy/react which causes a runtime crash because
@uppy/dashboard is missing. In this case we only depend on _types_, so
we don't have this problem.
2025-10-28 09:55:21 +01:00
dependabot[bot]
dbb5175572
build(deps-dev): bump vite from 7.1.5 to 7.1.11 (#6021)
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite)
from 7.1.5 to 7.1.11.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/releases">vite's
releases</a>.</em></p>
<blockquote>
<h2>v7.1.11</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v7.1.11/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v7.1.10</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v7.1.10/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v7.1.9</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v7.1.9/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v7.1.8</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v7.1.8/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v7.1.7</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v7.1.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
<h2>v7.1.6</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v7.1.6/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md">vite's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/vitejs/vite/compare/v7.1.10...v7.1.11">7.1.11</a>
(2025-10-20)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>dev:</strong> trim trailing slash before
<code>server.fs.deny</code> check (<a
href="https://redirect.github.com/vitejs/vite/issues/20968">#20968</a>)
(<a
href="f479cc57c4">f479cc5</a>)</li>
</ul>
<h3>Miscellaneous Chores</h3>
<ul>
<li><strong>deps:</strong> update all non-major dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/20966">#20966</a>)
(<a
href="6fb41a260b">6fb41a2</a>)</li>
</ul>
<h3>Code Refactoring</h3>
<ul>
<li>use subpath imports for types module reference (<a
href="https://redirect.github.com/vitejs/vite/issues/20921">#20921</a>)
(<a
href="d0094af639">d0094af</a>)</li>
</ul>
<h3>Build System</h3>
<ul>
<li>remove cjs reference in files field (<a
href="https://redirect.github.com/vitejs/vite/issues/20945">#20945</a>)
(<a
href="ef411cee26">ef411ce</a>)</li>
<li>remove hash from built filenames (<a
href="https://redirect.github.com/vitejs/vite/issues/20946">#20946</a>)
(<a
href="a81730754d">a817307</a>)</li>
</ul>
<h2><a
href="https://github.com/vitejs/vite/compare/v7.1.9...v7.1.10">7.1.10</a>
(2025-10-14)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>css:</strong> avoid duplicate style for server rendered
stylesheet link and client inline style during dev (<a
href="https://redirect.github.com/vitejs/vite/issues/20767">#20767</a>)
(<a
href="3a92bc79b3">3a92bc7</a>)</li>
<li><strong>css:</strong> respect emitAssets when cssCodeSplit=false (<a
href="https://redirect.github.com/vitejs/vite/issues/20883">#20883</a>)
(<a
href="d3e7eeefa9">d3e7eee</a>)</li>
<li><strong>deps:</strong> update all non-major dependencies (<a
href="879de86935">879de86</a>)</li>
<li><strong>deps:</strong> update all non-major dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/20894">#20894</a>)
(<a
href="3213f90ff0">3213f90</a>)</li>
<li><strong>dev:</strong> allow aliases starting with <code>//</code>
(<a
href="https://redirect.github.com/vitejs/vite/issues/20760">#20760</a>)
(<a
href="b95fa2aa75">b95fa2a</a>)</li>
<li><strong>dev:</strong> remove timestamp query consistently (<a
href="https://redirect.github.com/vitejs/vite/issues/20887">#20887</a>)
(<a
href="6537d15591">6537d15</a>)</li>
<li><strong>esbuild:</strong> inject esbuild helpers correctly for
esbuild 0.25.9+ (<a
href="https://redirect.github.com/vitejs/vite/issues/20906">#20906</a>)
(<a
href="446eb38632">446eb38</a>)</li>
<li>normalize path before calling <code>fileToBuiltUrl</code> (<a
href="https://redirect.github.com/vitejs/vite/issues/20898">#20898</a>)
(<a
href="73b6d243e0">73b6d24</a>)</li>
<li>preserve original sourcemap file field when combining sourcemaps (<a
href="https://redirect.github.com/vitejs/vite/issues/20926">#20926</a>)
(<a
href="c714776aa1">c714776</a>)</li>
</ul>
<h3>Documentation</h3>
<ul>
<li>correct <code>WebSocket</code> spelling (<a
href="https://redirect.github.com/vitejs/vite/issues/20890">#20890</a>)
(<a
href="29e98dc3ef">29e98dc</a>)</li>
</ul>
<h3>Miscellaneous Chores</h3>
<ul>
<li><strong>deps:</strong> update rolldown-related dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/20923">#20923</a>)
(<a
href="a5e3b064fa">a5e3b06</a>)</li>
</ul>
<h2><a
href="https://github.com/vitejs/vite/compare/v7.1.8...v7.1.9">7.1.9</a>
(2025-10-03)</h2>
<h3>Reverts</h3>
<ul>
<li><strong>server:</strong> drain stdin when not interactive (<a
href="https://redirect.github.com/vitejs/vite/issues/20885">#20885</a>)
(<a
href="12d72b0538">12d72b0</a>)</li>
</ul>
<h2><a
href="https://github.com/vitejs/vite/compare/v7.1.7...v7.1.8">7.1.8</a>
(2025-10-02)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>css:</strong> improve url escape characters handling (<a
href="https://redirect.github.com/vitejs/vite/issues/20847">#20847</a>)
(<a
href="24a61a3f54">24a61a3</a>)</li>
<li><strong>deps:</strong> update all non-major dependencies (<a
href="https://redirect.github.com/vitejs/vite/issues/20855">#20855</a>)
(<a
href="788a183afc">788a183</a>)</li>
<li><strong>deps:</strong> update artichokie to 0.4.2 (<a
href="https://redirect.github.com/vitejs/vite/issues/20864">#20864</a>)
(<a
href="e670799e12">e670799</a>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8b69c9e32c"><code>8b69c9e</code></a>
release: v7.1.11</li>
<li><a
href="f479cc57c4"><code>f479cc5</code></a>
fix(dev): trim trailing slash before <code>server.fs.deny</code> check
(<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20968">#20968</a>)</li>
<li><a
href="6fb41a260b"><code>6fb41a2</code></a>
chore(deps): update all non-major dependencies (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20966">#20966</a>)</li>
<li><a
href="a81730754d"><code>a817307</code></a>
build: remove hash from built filenames (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20946">#20946</a>)</li>
<li><a
href="ef411cee26"><code>ef411ce</code></a>
build: remove cjs reference in files field (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20945">#20945</a>)</li>
<li><a
href="d0094af639"><code>d0094af</code></a>
refactor: use subpath imports for types module reference (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20921">#20921</a>)</li>
<li><a
href="ed4a0dc913"><code>ed4a0dc</code></a>
release: v7.1.10</li>
<li><a
href="c714776aa1"><code>c714776</code></a>
fix: preserve original sourcemap file field when combining sourcemaps
(<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20926">#20926</a>)</li>
<li><a
href="446eb38632"><code>446eb38</code></a>
fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20906">#20906</a>)</li>
<li><a
href="879de86935"><code>879de86</code></a>
fix(deps): update all non-major dependencies</li>
<li>Additional commits viewable in <a
href="https://github.com/vitejs/vite/commits/v7.1.11/packages/vite">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-21 10:07:47 +02:00
Mikael Finstad
0c16fe44b9
Golden retriever refactor and UppyFile type improvements (#5978)
Probably best reviewed commit by commit.

I also split UppyFile into two interfaces distinguished by the `isRemote`
boolean:
- LocalUppyFile
- RemoteUppyFile

Also:
- Removed the TagFile type
- Don't re-upload completed files - fixes #5930
- Clean up stored files on `complete` event *only* if *all* files
succeeded (no failed files). this allows the user to retry failed files
if the browser & upload get interrupted - fixes #5927, closes #5955
- Only set `isGhost` for non-successful files. it doesn't make sense for
successfully uploaded files to be ghosted because they're already done.
#5930

fixes #6013

---------

Co-authored-by: Prakash <qxprakash@gmail.com>
2025-10-17 23:17:40 +08:00
Nik Graf
9d2c7a997f
upgrade cookie-parser (#6005)
cookie-parser 1.4.7 uses a version of cookie that fixed this security issue
https://github.com/advisories/GHSA-pxg6-pf52-xh8x
2025-10-09 19:27:29 +08:00
Murderlon
b05beda770
fixup! Use workspace:* for all packages in packages/uppy
2025-10-01 11:56:26 +02:00
Kevin van Zonneveld
6f764122a9
Re-use types from the Transloadit node-sdk (#5992)
The schemas and types that we have in the Transloadit Node.js SDK v4 are
used in our API's system tests. We've also run hundreds of thousands of
Assemblies through them, ever loosening them, until they all fit. This
means the schemas are fairly wide, but model the reality of our 15 year
old API. In the future we will make schema failures in the API fatal (as
already is the case with system tests), and we don't want to break
production traffic when we do. So we accept wider schemas than are
beautiful, and once the schemas control what is allowed in all places,
we gradually evolve the API and schemas towards being more pretty in
lockstep.

More on this in
https://transloadit.com/blog/2025/09/nodejs-sdk-v4/#our-approach-to-type-retrofitting

For uppy this means, we'll need a few more guards than we had with our
handrolled types, that actually assumed things that turned out to be not
true in all cases. Not all Assembly status responses have an id or a url
for one example. There are for instance particular errors (by Node,
Nginx, Haproxy) that would not return those. The added guards will
ensure we don't break deeply inside customer code.

This PR was completely written by gpt-5-codex, which means it was faster
and of higher quality than if I had handrolled it as a founder
unfamiliar with this codebase, but despite that, please still review
my contribution with as much care as you would normally :)

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Co-authored-by: Merlijn Vos <merlijn@soverin.net>
2025-09-30 19:15:39 +02:00
dependabot[bot]
3b4b7eb12a
build(deps): bump devalue from 5.1.1 to 5.3.2 (#5937)
Bumps [devalue](https://github.com/sveltejs/devalue) from 5.1.1 to
5.3.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/devalue/releases">devalue's
releases</a>.</em></p>
<blockquote>
<h2>v5.3.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>0623a47: fix: disallow array method access when parsing</li>
<li>0623a47: fix: disallow <code>__proto__</code> properties on
objects</li>
</ul>
<h2>v5.3.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>ae904c5: fix: correctly differentiate between +0 and -0</li>
</ul>
<h2>v5.3.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>2896e7b: feat: support Temporal</li>
<li>fec694d: feat: support <code>URL</code> and
<code>URLSearchParams</code> objects</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md">devalue's
changelog</a>.</em></p>
<blockquote>
<h2>5.3.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>0623a47: fix: disallow array method access when parsing</li>
<li>0623a47: fix: disallow <code>__proto__</code> properties on
objects</li>
</ul>
<h2>5.3.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>ae904c5: fix: correctly differentiate between +0 and -0</li>
</ul>
<h2>5.3.0</h2>
<h3>Minor Changes</h3>
<ul>
<li>2896e7b: feat: support Temporal</li>
<li>fec694d: feat: support <code>URL</code> and
<code>URLSearchParams</code> objects</li>
</ul>
<h2>5.2.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>e46f4c8: fix: handle repeated array buffers and subarrays</li>
<li>2dfa504: fix: handle custom classes with null proto as pojo</li>
</ul>
<h2>5.2.0</h2>
<ul>
<li>Handle custom classes with null proto as pojo (<a
href="https://redirect.github.com/sveltejs/devalue/pull/95">#95</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="86a6a66d2c"><code>86a6a66</code></a>
Version Packages (<a
href="https://redirect.github.com/sveltejs/devalue/issues/109">#109</a>)</li>
<li><a
href="0623a47c95"><code>0623a47</code></a>
Merge commit from fork</li>
<li><a
href="02d20e8a79"><code>02d20e8</code></a>
Version Packages (<a
href="https://redirect.github.com/sveltejs/devalue/issues/108">#108</a>)</li>
<li><a
href="ae904c5b18"><code>ae904c5</code></a>
fix stringify not picking up negative zero if a normal zero has appeared
befo...</li>
<li><a
href="e95b87a6cc"><code>e95b87a</code></a>
fix pkg.repository</li>
<li><a
href="8300172d1d"><code>8300172</code></a>
fix changeset config</li>
<li><a
href="434d8aefb9"><code>434d8ae</code></a>
Version Packages (<a
href="https://redirect.github.com/sveltejs/devalue/issues/106">#106</a>)</li>
<li><a
href="67c8334b82"><code>67c8334</code></a>
mention support for URL/URLSearchParams/Temporal in README</li>
<li><a
href="fec694d87e"><code>fec694d</code></a>
feat: support URL and URLSearchParams (<a
href="https://redirect.github.com/sveltejs/devalue/issues/92">#92</a>)</li>
<li><a
href="2896e7bef2"><code>2896e7b</code></a>
Add support for Temporal objects (<a
href="https://redirect.github.com/sveltejs/devalue/issues/98">#98</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sveltejs/devalue/compare/v5.1.1...v5.3.2">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~svelte-admin">svelte-admin</a>, a new
releaser for devalue since your current version.</p>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-22 14:47:33 +02:00
dependabot[bot]
b448e30686
build(deps): bump brace-expansion from 1.1.11 to 1.1.12 (#5820)
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion)
from 1.1.11 to 1.1.12.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/juliangruber/brace-expansion/releases">brace-expansion's
releases</a>.</em></p>
<blockquote>
<h2>v1.1.12</h2>
<ul>
<li>pkg: publish on tag 1.x  c460dbd</li>
<li>fmt  ccb8ac6</li>
<li>Fix potential ReDoS Vulnerability or Inefficient Regular Expression
(<a
href="https://redirect.github.com/juliangruber/brace-expansion/issues/65">#65</a>)
c3c73c8</li>
</ul>
<hr />
<p><a
href="https://github.com/juliangruber/brace-expansion/compare/v1.1.11...v1.1.12">https://github.com/juliangruber/brace-expansion/compare/v1.1.11...v1.1.12</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="44f33b47c5"><code>44f33b4</code></a>
1.1.12</li>
<li><a
href="c460dbd68e"><code>c460dbd</code></a>
pkg: publish on tag 1.x</li>
<li><a
href="ccb8ac6d42"><code>ccb8ac6</code></a>
fmt</li>
<li><a
href="c3c73c8b08"><code>c3c73c8</code></a>
Fix potential ReDoS Vulnerability or Inefficient Regular Expression (<a
href="https://redirect.github.com/juliangruber/brace-expansion/issues/65">#65</a>)</li>
<li>See full diff in <a
href="https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12">compare
view</a></li>
</ul>
</details>

> **Note**
> Automatic rebases have been disabled on this pull request as it has
been open for over 30 days.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-22 14:47:14 +02:00
dependabot[bot]
08fc143c46
build(deps-dev): bump vite from 6.3.5 to 6.3.6 (#5972)
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite)
from 6.3.5 to 6.3.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/releases">vite's
releases</a>.</em></p>
<blockquote>
<h2>v6.3.6</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md">vite's
changelog</a>.</em></p>
<blockquote>
<h2>6.3.6 (2025-09-08)</h2>
<ul>
<li>fix: apply <code>fs.strict</code> check to HTML files (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20736">#20736</a>)
(<a
href="0ab19ea9fc">0ab19ea</a>),
closes <a
href="https://redirect.github.com/vitejs/vite/issues/20736">#20736</a></li>
<li>fix: upgrade sirv to 3.0.2 (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20735">#20735</a>)
(<a
href="e11d24008b">e11d240</a>),
closes <a
href="https://redirect.github.com/vitejs/vite/issues/20735">#20735</a></li>
<li>test: detect ts support via <code>process.features</code> (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20544">#20544</a>)
(<a
href="7d9922972b">7d99229</a>),
closes <a
href="https://redirect.github.com/vitejs/vite/issues/20544">#20544</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3f337c5e24"><code>3f337c5</code></a>
release: v6.3.6</li>
<li><a
href="e11d24008b"><code>e11d240</code></a>
fix: upgrade sirv to 3.0.2 (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20735">#20735</a>)</li>
<li><a
href="0ab19ea9fc"><code>0ab19ea</code></a>
fix: apply <code>fs.strict</code> check to HTML files (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20736">#20736</a>)</li>
<li><a
href="7d9922972b"><code>7d99229</code></a>
test: detect ts support via <code>process.features</code> (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20544">#20544</a>)</li>
<li>See full diff in <a
href="https://github.com/vitejs/vite/commits/v6.3.6/packages/vite">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-22 14:46:30 +02:00
Prakash
92a0a0d2b8
add back framework wrappers for @uppy/status-bar (#5948)
- added `react` `vue` `svelte` `angular` framework wrappers for
`@uppy/status-bar`
- `git add -f
packages/@uppy/angular/projects/uppy/angular/src/lib/components/status-bar/`
because
https://transloadit.slack.com/archives/C0FMW9PSB/p1755632185831369?thread_ts=1755526948.473969&cid=C0FMW9PSB
2025-09-17 10:40:57 +02:00
Prakash
8cd3702104
Optimize Stackblitz install times (#5968)
StackBlitz examples took **146+ seconds** to start due to heavy dev
dependencies

### Optimizations
 
- Eliminate heavy dev deps like `playwright (~200MB)` `@vitest/browser`
`vitest`
- Aggressive install flags: `--prefer-offline --reporter=silent
--ignore-scripts --no-optional`
- use pnpm 
- Results **React example: 146s → ~25s (83% faster)**
2025-09-16 16:04:52 +02:00
dependabot[bot]
f5a3d37331
build(deps): bump form-data from 2.5.1 to 2.5.5 (#5913)
Bumps [form-data](https://github.com/form-data/form-data) from 2.5.1 to
2.5.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/form-data/form-data/releases">form-data's
releases</a>.</em></p>
<blockquote>
<h2>v2.5.2</h2>
<h3>Fixes</h3>
<ul>
<li><code>Buffer.from</code> and <code>Buffer.alloc</code> require node
4+</li>
<li>npmignore temporary build files (<a
href="https://redirect.github.com/form-data/form-data/issues/532">#532</a>)</li>
<li>move util.isArray to Array.isArray (<a
href="https://redirect.github.com/form-data/form-data/issues/564">#564</a>)</li>
</ul>
<h3>Tests</h3>
<ul>
<li>migrate from travis to GHA</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/form-data/form-data/blob/v2.5.5/CHANGELOG.md">form-data's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/form-data/form-data/compare/v2.5.4...v2.5.5">v2.5.5</a>
- 2025-07-18</h2>
<h3>Commits</h3>
<ul>
<li>[meta] actually ensure the readme backup isn’t published <a
href="10626c0a9b"><code>10626c0</code></a></li>
<li>[Fix] use proper dependency <a
href="026abe5c5c"><code>026abe5</code></a></li>
</ul>
<h2><a
href="https://github.com/form-data/form-data/compare/v2.5.3...v2.5.4">v2.5.4</a>
- 2025-07-17</h2>
<h3>Fixed</h3>
<ul>
<li>[Fix] <code>append</code>: avoid a crash on nullish values <a
href="https://redirect.github.com/form-data/form-data/issues/577"><code>[#577](https://github.com/form-data/form-data/issues/577)</code></a></li>
</ul>
<h3>Commits</h3>
<ul>
<li>[eslint] update linting config <a
href="8bf2492e05"><code>8bf2492</code></a></li>
<li>[meta] add <code>auto-changelog</code> <a
href="b5101ad3d5"><code>b5101ad</code></a></li>
<li>[Tests] handle predict-v8-randomness failures in node &lt; 17 and
node &gt; 23 <a
href="0e93122358"><code>0e93122</code></a></li>
<li>[Fix] Switch to using <code>crypto</code> random for boundary values
<a
href="b88316c94b"><code>b88316c</code></a></li>
<li>[Fix] validate boundary type in <code>setBoundary()</code> method <a
href="131ae5efa3"><code>131ae5e</code></a></li>
<li>[Tests] Switch to newer v8 prediction library; enable node 24
testing <a
href="c97cfbed9e"><code>c97cfbe</code></a></li>
<li>[Refactor] use <code>hasown</code> <a
href="97ac9c208b"><code>97ac9c2</code></a></li>
<li>[meta] remove local commit hooks <a
href="be99d4eea5"><code>be99d4e</code></a></li>
<li>[Dev Deps] remove unused deps <a
href="ddbc89b6d6"><code>ddbc89b</code></a></li>
<li>[meta] fix scripts to use prepublishOnly <a
href="e351a97e9f"><code>e351a97</code></a></li>
<li>[Dev Deps] remove unused script <a
href="8f23366484"><code>8f23366</code></a></li>
<li>[Dev Deps] add missing peer dep <a
href="02ff026fda"><code>02ff026</code></a></li>
<li>[meta] fix readme capitalization <a
href="2fd5f61ebf"><code>2fd5f61</code></a></li>
</ul>
<h2><a
href="https://github.com/form-data/form-data/compare/v2.5.2...v2.5.3">v2.5.3</a>
- 2025-02-14</h2>
<h3>Merged</h3>
<ul>
<li>[Fix] set <code>Symbol.toStringTag</code> when available <a
href="https://redirect.github.com/form-data/form-data/pull/573"><code>[#573](https://github.com/form-data/form-data/issues/573)</code></a></li>
</ul>
<h3>Fixed</h3>
<ul>
<li>[Fix] set <code>Symbol.toStringTag</code> when available (<a
href="https://redirect.github.com/form-data/form-data/issues/573">#573</a>)
<a
href="https://redirect.github.com/form-data/form-data/issues/396"><code>[#396](https://github.com/form-data/form-data/issues/396)</code></a></li>
</ul>
<h3>Commits</h3>
<ul>
<li>[Refactor] use <code>Object.prototype.hasOwnProperty.call</code> <a
href="6e682d4bd4"><code>6e682d4</code></a></li>
<li>[Dev Deps] update <code>@types/node</code>, <code>browserify</code>,
<code>coveralls</code>, <code>eslint</code>, <code>formidable</code>,
<code>in-publish</code>, <code>phantomjs-prebuilt</code>,
<code>pkgfiles</code>, <code>pre-commit</code>, <code>request</code>,
<code>tape</code>, <code>typescript</code> <a
href="819f6b7a54"><code>819f6b7</code></a></li>
<li>Only apps should have lockfiles <a
href="b170ee2b22"><code>b170ee2</code></a></li>
<li>[Deps] update <code>combined-stream</code>, <code>mime-types</code>
<a
href="6b1ca1dc73"><code>6b1ca1d</code></a></li>
<li>Bumped version 2.5.3 <a
href="9457283e1d"><code>9457283</code></a></li>
<li>[Dev Deps] pin <code>request</code> which via
<code>tough-cookie</code> ^2.4 depends on <code>psl</code> <a
href="9dbe192be3"><code>9dbe192</code></a></li>
</ul>
<h2><a
href="https://github.com/form-data/form-data/compare/v2.5.1...v2.5.2">v2.5.2</a>
- 2024-10-10</h2>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="40de5a7420"><code>40de5a7</code></a>
v2.5.5</li>
<li><a
href="026abe5c5c"><code>026abe5</code></a>
[Fix] use proper dependency</li>
<li><a
href="10626c0a9b"><code>10626c0</code></a>
[meta] actually ensure the readme backup isn’t published</li>
<li><a
href="efe6c26931"><code>efe6c26</code></a>
v2.5.4</li>
<li><a
href="c97cfbed9e"><code>c97cfbe</code></a>
[Tests] Switch to newer v8 prediction library; enable node 24
testing</li>
<li><a
href="0e93122358"><code>0e93122</code></a>
[Tests] handle predict-v8-randomness failures in node &lt; 17 and node
&gt; 23</li>
<li><a
href="b88316c94b"><code>b88316c</code></a>
[Fix] Switch to using <code>crypto</code> random for boundary
values</li>
<li><a
href="b70869dad2"><code>b70869d</code></a>
[Fix] <code>append</code>: avoid a crash on nullish values</li>
<li><a
href="131ae5efa3"><code>131ae5e</code></a>
[Fix] validate boundary type in <code>setBoundary()</code> method</li>
<li><a
href="8bf2492e05"><code>8bf2492</code></a>
[eslint] update linting config</li>
<li>Additional commits viewable in <a
href="https://github.com/form-data/form-data/compare/v2.5.1...v2.5.5">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~ljharb">ljharb</a>, a new releaser for
form-data since your current version.</p>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-10 22:37:03 +02:00
Prakash
567be4efab
@uppy/examples: Add new examples (#5942)
Had to create a new PR since after the 5.0 merge, #5818 was throwing
errors.

## Examples Added

- **React Router v7**
- Uppy Dashboard with Tus, XHR, and Transloadit, tus server implemented
using react-router/express adapter, rest using regular resource routes
- This still doesn't have hot reloading in the dev server though, can
be added through nodemon

- **Next.js**
  - Uppy Dashboard with Tus, XHR, and Transloadit  

- **Angular**
  - Uppy Dashboard and Dashboard Modal with Tus
2025-09-10 21:46:19 +05:30
dependabot[bot]
fc3e483fcb
build(deps-dev): bump vite from 7.0.6 to 7.0.7 (#5962)
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite)
from 7.0.6 to 7.0.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/releases">vite's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.7</h2>
<p>Please refer to <a
href="https://github.com/vitejs/vite/blob/v7.0.7/packages/vite/CHANGELOG.md">CHANGELOG.md</a>
for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/vitejs/vite/blob/v7.0.7/packages/vite/CHANGELOG.md">vite's
changelog</a>.</em></p>
<blockquote>
<h2><a
href="https://github.com/vitejs/vite/compare/v7.0.6...v7.0.7">7.0.7</a>
(2025-09-08)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>apply <code>fs.strict</code> check to HTML files (<a
href="https://redirect.github.com/vitejs/vite/issues/20736">#20736</a>)
(<a
href="6f01ff4fe0">6f01ff4</a>)</li>
<li>upgrade sirv to 3.0.2 (<a
href="https://redirect.github.com/vitejs/vite/issues/20735">#20735</a>)
(<a
href="63e2a5d232">63e2a5d</a>)</li>
</ul>
<h3>Tests</h3>
<ul>
<li>detect ts support via <code>process.features</code> (<a
href="https://redirect.github.com/vitejs/vite/issues/20544">#20544</a>)
(<a
href="45fdb16581">45fdb16</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f88a1c0999"><code>f88a1c0</code></a>
release: v7.0.7</li>
<li><a
href="45fdb16581"><code>45fdb16</code></a>
test: detect ts support via <code>process.features</code> (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20544">#20544</a>)</li>
<li><a
href="63e2a5d232"><code>63e2a5d</code></a>
fix: upgrade sirv to 3.0.2 (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20735">#20735</a>)</li>
<li><a
href="6f01ff4fe0"><code>6f01ff4</code></a>
fix: apply <code>fs.strict</code> check to HTML files (<a
href="https://github.com/vitejs/vite/tree/HEAD/packages/vite/issues/20736">#20736</a>)</li>
<li>See full diff in <a
href="https://github.com/vitejs/vite/commits/v7.0.7/packages/vite">compare
view</a></li>
</ul>
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-10 15:30:59 +02:00
Merlijn Vos
49522ec5cb
Remove preact/compat (#5935)
We drag it in unnecessarily in the bundle and it can cause JSX clashes
in React apps with `"jsx": "preserve"` in their `tsconfig.json`
(https://github.com/preactjs/preact/issues/4908)

- Remove `@types/react` from companion (unused)
- Fix tsconfig's for @uppy/utils (build was fine, but editor diagnostics
weren't)
2025-08-28 16:57:07 +02:00
Merlijn Vos
3290864cf3
Bring back StatusBar and DragDrop (#5931)
While the frameworks have good alternatives now with new components and
hooks, Uppy is also popular in 'vanilla' JS setups without frameworks
using the CDN bundle. Consumers of this were left with no viable
alternative so it's sensible to bring back status bar and drag drop for
the CDN publish (at least until we also publish/document using hooks via
CDN). The framework packages don't really need this, as the alternatives
are viable there.

- Bring back `@uppy/status-bar` and `@uppy/drag-drop` from git tag
`4.18.1` (latest release before 5.0)
- Put exports maps on both packages
- Put both packages in the CDN bundle
- Version appropriately with changesets
- Override existing locale keys. Unfortunately now that status-bar was
merged into dashboard, the keys need to exist in both places but our
tooling was set up to error when the same keys are found. Now it just
overrides the existing key (to the same value in this case)
2025-08-27 14:56:04 +02:00
Prakash
58e9025d07 Merge branch 'main' of https://github.com/transloadit/uppy into merge_v2 2025-08-21 20:40:23 +05:30
Murderlon
f221125b9a
Hopefully fix playwright in CI 2025-08-21 15:04:12 +02:00
Prakash
7765506138 update use external sync store , fix yarn warnings 2025-08-21 17:54:06 +05:30
Prakash
d82bbdbbfe lint fix 2025-08-21 14:34:12 +05:30
Prakash
5407915b2b successful merge 2025-08-21 14:21:27 +05:30
Prakash
6a33652458 Merge branch 'main' of https://github.com/transloadit/uppy into 5.0 2025-08-20 16:17:08 +05:30
Prakash
b88c386b28
Remove @uppy/react-native (#5904)
- remove `@uppy/react-native` 
- remove `examples/react-native-expo`
2025-08-19 16:18:10 +02:00
Prakash
e8692434d6
Merge @uppy/status-bar into @uppy/dashboard (#5825)
This pull request removes the `@uppy/status-bar` plugin and integrates
it directly into the `@uppy/dashboard` plugin.

### Breakdown of the merge

- The `StatusBar` class was refactored from a `UIPlugin` into a Preact
Class component.
- The `locale` strings from status-bar were merged into dashboard's
locale file.
- The Dashboard plugin now integrates the `StatusBar` component
directly, controlling its visibility and passing down all props (i.e.
options that were specific to StatusBar, like showProgressDetails).
- The standalone StatusBar wrappers for React, Vue, Svelte, Angular
were removed.
- every reference to the @uppy/status-bar package from the monorepo
(including in package.json and tsconfig.json files).
- fixed failing tests and removed redundant tests.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Co-authored-by: Merlijn Vos <merlijn@soverin.net>
2025-08-05 13:17:29 +02:00
Merlijn Vos
c4d97cd972
Fix publishing to CDN in release CI (#5877)
- Output should be `uppy.css` not `styles.css`, as it was before
- Actually run the bundle script in `build`
- Bundled packages are in theory always fixed, they will never be
resolved differently once published, so reflecting that with
`workspace:*`. Hopefully this also triggers changesets to always release
`uppy` if any of its dependencies change (doesn't happen currently)
- Don't force override existing releases in CI
2025-08-05 11:28:14 +02:00
Prakash
8b8ab01440
@uppy/angular: declare components as standalone & support 20.x (#5843)
Closes #5759 
Closes #5833.

This PR: 

- Introduces updates in @uppy/angular that improve developer experience
(DX) and also address open issues

The @uppy/angular package underwent major updates in v0.80
([27492bc](27492bca8a)),
where we dropped support for NgModules in favor of standalone
components. This change aligns with the direction set by the Angular
team — starting from Angular v17, and becoming default in v19, all
components are standalone by default. This is now the recommended way to
build UI components in Angular.
 
However, the docs and examples have not yet been updated to reflect
this. That will be addressed in #5818.

Even though components are standalone by default starting from Angular
17+, it is still considered good practice to explicitly declare them as
standalone. This is also validated by the Angular LSP, which raises an
error when this declaration is missing.


Changes in this PR:

- Explicitly mark all components as standalone
- Fix demo components
- Add support for Angular 20

---------

Co-authored-by: Merlijn Vos <merlijn@soverin.net>
2025-08-01 17:22:19 +02:00
Prakash
c5b51f6158
Add Export Maps (#5830)
- added export maps to all the @uppy packages.
- imports remain unaffected except for peerDep packages in `@uppy/react`
`@uppy/svelte` and `@uppy/vue3`.
- export maps added for index files, css, and package.json.
- Added side effects for all the packages.

---------

Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Co-authored-by: Merlijn Vos <merlijn@soverin.net>
2025-07-31 17:22:57 +02:00
Murderlon
c71a8e756a
Improve yarn changesets patch 2025-07-31 16:56:58 +02:00
Merlijn Vos
e24b884cd4
Patch changesets to use yarn npm publish (#5853)
Otherwise `workspace:^` is not resolved before publishing, crashing
installs.

## Alternatives

- Switch to pnpm
- Use another release tool. I haven't seen another one I'm satisfied
with. Changesets does exactly what we want, it just doesn't support yarn
(yet)...
2025-07-30 18:07:27 +02:00
Mikael Finstad
acdc683d47
Refactor Companion to ESM (#5803)
- convert cjs to esm
- refactor from jest to vitest

closes #3979

---------

Co-authored-by: Merlijn Vos <merlijn@soverin.net>
2025-07-29 19:07:48 +02:00
Merlijn Vos
0e178aea68
Deduplicate dependencies & resolve all yarn warnings (#5848)
- Deduplicate Vite versions, always use 7.x (except for sveltekit, which
does not allow 7 yet)
- Add missing dev deps
- Fix react-native requested deps versions
- Fix companion @types/node
- Fix "engines" in root package.json

No more yarn warnings 🎉
2025-07-29 16:27:32 +02:00