chore(deps): bump the npm_and_yarn group across 3 directories with 14 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the /examples/create-react-app directory:

Package	From	To
cookie	0.6.0	0.7.1
express	4.21.0	4.21.1
http-proxy-middleware	2.0.6	2.0.7
micromatch	4.0.5	4.0.8
next	14.2.3	15.0.1
rollup	2.79.1	2.79.2
webpack	5.89.0	5.95.0

Bumps the npm_and_yarn group with 8 updates in the /examples/create-react-app-refresh-token directory:

Package	From	To
semver	6.3.1	7.5.4
core-js-compat	3.25.0	3.38.1
body-parser	1.20.2	1.20.3
express	4.19.2	4.21.1
braces	3.0.2	3.0.3
http-proxy-middleware	2.0.6	2.0.7
micromatch	4.0.5	4.0.8
webpack	5.94.0	5.95.0

Bumps the npm_and_yarn group with 5 updates in the /examples/create-react-app-typescript directory:

Package	From	To
cookie	0.6.0	0.7.1
express	4.20.0	4.21.1
http-proxy-middleware	2.0.6	2.0.7
rollup	2.79.1	2.79.2
webpack	5.94.0	5.95.0

Updates cookie from 0.6.0 to 0.7.1

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

Commits

• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• d6f39b0 Fix tests for old node
• 6bb701f Remove failing scorecard
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates express from 4.21.0 to 4.21.1

Release notes

Sourced from express's releases.

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

Changelog

Sourced from express's changelog.

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

Commits

• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• See full diff in compare view

Updates express from 4.21.0 to 4.21.1

Release notes

Sourced from express's releases.

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

Changelog

Sourced from express's changelog.

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

Commits

• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• See full diff in compare view

Updates http-proxy-middleware from 2.0.6 to 2.0.7

Release notes

Sourced from http-proxy-middleware's releases.

v2.0.7

Full Changelog: chimurai/http-proxy-middleware@v2.0.6...v2.0.7

v2.0.7-beta.1

Full Changelog: chimurai/http-proxy-middleware@v2.0.7-beta.0...v2.0.7-beta.1

v2.0.7-beta.0

Full Changelog: chimurai/http-proxy-middleware@v2.0.6...v2.0.7-beta.0

Changelog

Sourced from http-proxy-middleware's changelog.

v2.0.7

• ci(github actions): add publish.yml
• fix(filter): handle errors

Commits

• 1e92339 ci(github-actions): fix npm tag
• 90afb7c chore(package): v2.0.7
• 0b4274e fix(filter): handle errors
• 1bd6dd5 ci(github actions): add publish.yml
• See full diff in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates next from 14.2.3 to 15.0.1

Release notes

Sourced from next's releases.

v15.0.1

Core Changes

• Reland "[dynamicIO] warn for disallowed dynamic in dev": #71567
• next-upgrade: prompt (un)install only when there's a change: #71308
• chore(next-codemod): remove @next/font from optional Next.js packages to install: #71563
• [dynamicIO] Avoid triggering memory leak false positive with makeHangingPromise: #71576
• Avoid triggering memory leak false positive with makeHangingPromise: #71579
• Upgrade React from 65a56d0e-20241020 to 69d4b800-20241021: #71568
• avoid logging stacks for internal errors: #71575
• Avoid server action endpoint function indirection: #71572
• fix: handle terminal color in chrome console: #71581
• [dynamicIO] Update prerender to use Fizz prerender: #71580
• misc(next-upgrade): reuse process.cwd() value: #71558
• [dynamicIO]: dev navigations should show disallowed dynamic errors: #71595
• next-lint: Use ESLint v9 by default: #71371
• fix: prevent router errors from being logged on the client: #71583
• fix: next package resolving in dev overlay: #71632
• Improve type coverage of setup-dev-bundler: #71443
• fix(turbo-tasks): Implement ValueDebugFormat for ResolvedVc: #71173
• Add --turbopack CLI flag: #71657
• [dynamicIO] detect metadata boundaries in dev using server component stacks: #71666

Example Changes

• chore: Update with-supabase to be compatible with Nextjs 15: #71631
• Update Sanity example to next v15: #71640

Misc Changes

• docs(ppr): remove v14 mention for ppr: #71498
• docs: fix upgrade codemod command: #71578
• Turbopack: Always use blob: URLs for assets in middleware: #71471
• fix: metadata image route Windows path escaping: #71615
• fix: third-parties package peer dependency: #71620
• Fix module_resolution: "nodenext" with mjs or cjs: #71635
• react-sync: Automatically update peer dependencies in libraries: #71636
• chore(docs): fix typo in image.mdx docs: #71647
• docs: remove the canary note on instrumentation: #71649
• test: fix async api tests: #71652
• Enable source maps for pnpm debug: #71653
• codemod(turbopack): Rewrite more Vc fields in structs as ResolvedVc: #71172

Credits

Huge thanks to @​gnoff, @​devjiwonchoi, @​samcx, @​ztanner, @​unstubbable, @​huozhi, @​mischnic, @​lubieowoce, @​eps1lon, @​ivasilov, @​styfle, @​bgw, @​stipsan, and @​timneutkens for helping!

v15.0.1-canary.3

Core Changes

... (truncated)

Commits

• 914d0f3 v15.0.1
• b075951 v15.0.1-canary.3
• a7a7b19 [dynamicIO] detect metadata boundaries in dev using server component stacks (...
• cfa003c Add --turbopack CLI flag (#71657)
• 9bd38dd codemod(turbopack): Rewrite more Vc fields in structs as ResolvedVc (#71172)
• cfd816d Update Sanity example to next v15 (#71640)
• ce41f6b Enable source maps for pnpm debug (#71653)
• 8275078 test: fix async api tests (#71652)
• 95720f4 fix(turbo-tasks): Implement ValueDebugFormat for ResolvedVc (#71173)
• e06cd47 docs: remove the canary note on instrumentation (#71649)
• Additional commits viewable in compare view

Updates rollup from 2.79.1 to 2.79.2

Changelog

Sourced from rollup's changelog.

rollup changelog

4.24.0

2024-10-02

Features

• Support preserving and transpiling JSX syntax (#5668)

Pull Requests

• #5668: Introduce JSX support (@​lukastaegert, @​Martin-Idel, @​felixhuttmann, @​AlexDroll, @​tiptr)

4.23.0

2024-10-01

Features

• Collect all emitted names and originalFileNames for assets (#5686)

Pull Requests

• #5686: Add names and originalFileNames to assets (@​lukastaegert)

4.22.5

2024-09-27

Bug Fixes

• Allow parsing of certain unicode characters again (#5674)

Pull Requests

• #5674: Fix panic with unicode characters (@​sapphi-red, @​lukastaegert)
• #5675: chore(deps): update dependency rollup to v4.22.4 [security] (@​renovate[bot])
• #5680: chore(deps): update dependency @​rollup/plugin-commonjs to v28 (@​renovate[bot], @​lukastaegert)
• #5681: chore(deps): update dependency @​rollup/plugin-replace to v6 (@​renovate[bot])
• #5682: chore(deps): update dependency @​rollup/plugin-typescript to v12 (@​renovate[bot])
• #5684: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])

4.22.4

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

... (truncated)

Commits

• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• See full diff in compare view

Updates webpack from 5.89.0 to 5.95.0

Release notes

Sourced from webpack's releases.

v5.95.0

Bug Fixes

• Fixed hanging when attempting to read a symlink-like file that it can't read
• Handle default for import context element dependency
• Merge duplicate chunks call after split chunks
• Generate correctly code for dynamically importing the same file twice and destructuring
• Use content hash as [base] and [name] for extracted DataURI's
• Distinguish module and import in module-import for externals import's
• [Types] Make EnvironmentPlugin default values types less strict
• [Types] Typescript 5.6 compatibility

New Features

• Add new optimization.avoidEntryIife option (true by default for the production mode)
• Pass output.hash* options to loader context

Performance

• Avoid unneeded re-visit in build chunk graph

v5.94.0

Bug Fixes

• Added runtime condition for harmony reexport checked
• Handle properly data/http/https protocols in source maps
• Make bigint optimistic when browserslist not found
• Move @​types/eslint-scope to dev deps
• Related in asset stats is now always an array when no related found
• Handle ASI for export declarations
• Mangle destruction incorrect with export named default properly
• Fixed unexpected asi generation with sequence expression
• Fixed a lot of types

New Features

• Added new external type "module-import"
• Support webpackIgnore for new URL() construction
• [CSS] @import pathinfo support

Security

• Fixed DOM clobbering in auto public path

v5.93.0

Bug Fixes

• Generate correct relative path to runtime chunks
• Makes DefinePlugin quieter under default log level
• Fixed mangle destructuring default in namespace import

... (truncated)

Commits

• e20fd63 chore(release): 5.95.0
• 4866b0d feat: added new optimization.entryIife option
• d90f692 fix: merge duplicate chunks after split chunks
• 90dec30 fix(externals): distinguish “module” and “import” in “module-import”
• c1a0a46 fix(externals): distinguish “module” and “import” in “module-import”
• 14d8fa8 fix: all tests cases
• dae16ad feat: pass output.hash* options to loader context
• 75d185d feat: pass output.hash* options to loader context
• 46e0b9c test: update
• 8e62f9f test
• Additional commits viewable in compare view

Updates semver from 6.3.1 to 7.5.4

Release notes

Sourced from semver's releases.

v7.5.4

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@​lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@​lukekarrys)

v7.5.3

7.5.3 (2023-06-22)

Bug Fixes

• abdd93d #571 set max lengths in regex for numeric and build identifiers (#571) (@​lukekarrys)

Documentation

• bf53dd8 #569 add example for > comparator (#569) (@​mbtools)

v7.5.2

7.5.2 (2023-06-15)

Bug Fixes

• 58c791f #566 diff when detecting major change from prerelease (#566) (@​lukekarrys)
• 5c8efbc #565 preserve build in raw after inc (#565) (@​lukekarrys)
• 717534e #564 better handling of whitespace (#564) (@​lukekarrys)

v7.5.1

7.5.1 (2023-05-12)

Bug Fixes

• d30d25a #559 show type on invalid semver error (#559) (@​tjenkinson)

v7.5.0

7.5.0 (2023-04-17)

Features

• 503a4e5 #548 allow identifierBase to be false (#548) (@​lsvalina)

Bug Fixes

• e219bb4 #552 throw on bad version with correct error message (#552) (@​wraithgar)
• fc2f3df #546 incorrect results from diff sometimes with prerelease versions (#546) (@​tjenkinson)
• 2781767 #547 avoid re-instantiating SemVer during diff compare (#547) (@​macno)

v7.4.0

7.4.0 (2023-04-10)

... (truncated)

Changelog

Sourced from semver's changelog.

7.5.4 (2023-07-07)

Bug Fixes

• cc6fde2 #588 trim each range set before parsing (@​lukekarrys)
• 99d8287 #583 correctly parse long build ids as valid (#583) (@​lukekarrys)

7.5.3 (2023-06-22)

Bug Fixes

• abdd93d #571 set max lengths in regex for numeric and build identifiers (#571) (@​lukekarrys)

Documentation

• bf53dd8 #569 add example for > comparator (#569) (@​mbtools)

7.5.2 (2023-06-15)

Bug Fixes

• 58c791f #566 diff when detecting major change from prerelease (#566) (@​lukekarrys)
• 5c8efbc #565 preserve build in raw after inc (#565) (@​lukekarrys)
• 717534e #564 better handling of whitespace (#564) (@​lukekarrys)

7.5.1 (2023-05-12)

Bug Fixes

• d30d25a #559 show type on invalid semver error (#559) (@​tjenkinson)

7.5.0 (2023-04-17)

Features

• 503a4e5 #548 allow identifierBase to be false (#548) (@​lsvalina)

Bug Fixes

• e219bb4 #552 throw on bad version with correct error message (#552) (@​wraithgar)
• fc2f3df #546 incorrect results from diff sometimes with prerelease versions (#546) (@​tjenkinson)
• 2781767 #547 avoid re-instantiating SemVer during diff compare (#547) (@​macno)

7.4.0 (2023-04-10)

Features

• 113f513 #532 identifierBase parameter for .inc (#532) (@​wraithgar, @​b-bly)
• 48d8f8f #530 export new RELEASE_TYPES constant (@​hcharley)

... (truncated)

Commits

• 36cd334 chore: release 7.5.4
• 8456d87 chore: postinstall for dependabot template-oss PR
• dde1f00 chore: postinstall for dependabot template-oss PR
• dffcd1b chore: bump @​npmcli/template-oss from 4.16.0 to 4.17.0
• d619f66 chore: postinstall for dependabot template-oss PR
• 3bc4247 chore: bump @​npmcli/template-oss from 4.15.1 to 4.16.0
• cc6fde2 fix: trim each range set before parsing
• 99d8287 fix: correctly parse long build ids as valid (#583)
• 4f0f6b1 chore: fix arguments in whitespace test (#574)
• 6bd1a37 chore: remove duplicate test in semver class (#575)
• Additional commits viewable in compare view

Updates core-js-compat from 3.25.0 to 3.38.1

Changelog

Sourced from core-js-compat's changelog.

3.38.1 - 2024.08.20

• Changes v3.38.0...v3.38.1
• Fixed some cases of URLSearchParams percent decoding, #1357, #1361, thanks @​slowcheetah
• Some stylistic changes and minor optimizations
• Compat data improvements:
  • Iterator helpers proposal methods marked as shipped from FF131
  • Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } marked as shipped from Bun 1.1.23
  • RegExp.escape marked as shipped from Bun 1.1.22
  • Promise.try marked as shipped from Bun 1.1.22
  • Uint8Array to / from base64 and hex proposal methods marked as shipped from Bun 1.1.22
  • Added Hermes 0.13 compat data, similar to React Native 0.75 Hermes
  • Added Opera Android 84 compat data mapping

3.38.0 - 2024.08.05

• Changes v3.37.1...v3.38.0
• RegExp.escape proposal:
  • Built-ins:
    • RegExp.escape
  • Moved to stage 3, June 2024 and July 2024 TC39 meetings
  • Updated the way of escaping, regex-escaping/77
  • Throw an error on non-strings, regex-escaping/58
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Promise.try proposal:
  • Built-ins:
    • Promise.try
  • Moved to stage 3, June 2024 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Uint8Array to / from base64 and hex stage 3 proposal:
  • Built-ins:
    • Uint8Array.fromBase64
    • Uint8Array.fromHex
    • Uint8Array.prototype.setFromBase64
    • Uint8Array.prototype.setFromHex
    • Uint8Array.prototype.toBase64
    • Uint8Array.prototype.toHex
  • Added Uint8Array.prototype.{ setFromBase64, setFromHex } methods
  • Added Uint8Array.fromBase64 and Uint8Array.prototype.setFromBase64 lastChunkHandling option, proposal-arraybuffer-base64/33
  • Added Uint8Array.prototype.toBase64 omitPadding option, proposal-arraybuffer-base64/60
  • Added throwing a TypeError on arrays backed by detached buffers
  • Unconditional forced replacement changed to feature detection
• Fixed RegExp named capture groups polyfill in combination with non-capturing groups, #1352, thanks @​Ulop
• Improved some cases of environment detection
• Uses process.getBuiltinModule for getting built-in NodeJS modules where it's available
• Uses https instead of http in URL constructor feature detection to avoid extra notifications from some overly vigilant security scanners, #1345
• Some minor optimizations
• Updated browserslist in core-js-compat dependencies that fixes an upstream issue with incorrect interpretation of some browserslist queries, #1344, browserslist/829, browserslist/836
• Compat data improvements:
  • Added Safari 18.0 compat data:
    • Fixed Object.groupBy and Map.groupBy to work for non-objects
    • Fixed throwing a RangeError if Set methods are called on an object with negative size property

... (truncated)

Commits

• d1e7889 v3.38.1
• 58dcf6c add Hermes 0.13 compat data
• 9cc1d63 use git+ in pkg.repository.url of all packages
• 7149529 fix Bun version
• 299d242 mark Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } as s...
• b35e68e enable sonar/inconsistent-function-call
• 3b6527b update Opera Android 84 compat data mapping
• 8733fa8 mark shipped in Bun 1.1.22 features
• d1c732e Iterator helpers proposal marked as shipped from FF131
• 4a322bf v3.38.0
• Additional commits viewable in compare view

Updates body-parser from 1.20.2 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to [email protected] by @​wesleytodd in expressjs/body-parser#527
• deps: [email protected] by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: [email protected]
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: [email protected] (#521)
• 9478591 fix: pin to [email protected]
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.19.2 to 4.21.1

Release notes

Sourced from express's releases.

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

Changelog

Sourced from express's changelog.

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

Commits

• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• See full diff in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cookie from 0.6.0 to 0.7.1

Release notes

Sourced from cookie's releases.

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and