Bump the npm_and_yarn group across 1 directory with 17 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
marked	0.3.5	4.0.10
mongodb	2.2.36	3.1.13
underscore	1.9.1	1.13.7
debug	3.2.6	3.2.7
brace-expansion	1.1.11	1.1.12
js-yaml	3.5.5	3.14.1
dot-prop	4.2.0	4.2.1
qs	6.5.2	6.5.3
qs	6.3.2	6.3.3
mixin-deep	1.3.1	1.3.2
y18n	3.2.1	3.2.2
set-value	2.0.0	2.0.1
websocket-extensions	0.1.3	0.1.4

Updates marked from 0.3.5 to 4.0.10

Release notes

Sourced from marked's releases.

v4.0.10

4.0.10 (2022-01-13)

Bug Fixes

• security: fix redos vulnerabilities (8f80657)

v4.0.9

4.0.9 (2022-01-06)

Bug Fixes

• retain line breaks in tokens properly (#2341) (a9696e2)

v4.0.8

4.0.8 (2021-12-19)

Bug Fixes

• spaces on a newline after a table (#2319) (f82ea2c)

v4.0.7

4.0.7 (2021-12-09)

Bug Fixes

• Fix every third list item broken (#2318) (346b162), closes #2314

v4.0.6

4.0.6 (2021-12-02)

Bug Fixes

• speed up parsing long lists (#2302) (e0005d8)

v4.0.5

4.0.5 (2021-11-25)

Bug Fixes

• table after paragraph without blank line (#2298) (5714212)

v4.0.4

4.0.4 (2021-11-19)

... (truncated)

Commits

• ae01170 chore(release): 4.0.10 [skip ci]
• fceda57 🗜️ build [skip ci]
• 8f80657 fix(security): fix redos vulnerabilities
• c4a3ccd Merge pull request from GHSA-rrrm-qjm4-v8hf
• d7212a6 chore(deps-dev): Bump jasmine from 4.0.0 to 4.0.1 (#2352)
• 5a84db5 chore(deps-dev): Bump rollup from 2.62.0 to 2.63.0 (#2350)
• 2bc67a5 chore(deps-dev): Bump markdown-it from 12.3.0 to 12.3.2 (#2351)
• 98996b8 chore(deps-dev): Bump @​babel/preset-env from 7.16.5 to 7.16.7 (#2353)
• ebc2c95 chore(deps-dev): Bump highlight.js from 11.3.1 to 11.4.0 (#2354)
• e5171a9 chore(release): 4.0.9 [skip ci]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by tonybrix, a new releaser for marked since your current version.

Updates mongodb from 2.2.36 to 3.1.13

Changelog

Sourced from mongodb's changelog.

3.1.13 (2019-01-23)

Bug Fixes

• restore ability to webpack by removing makeLazyLoader (050267d)
• bulk: honor ignoreUndefined in initializeUnorderedBulkOp (e806be4)
• changeStream: properly handle changeStream event mid-close (#1902) (5ad9fa9)
• db_ops: ensure we async resolve errors in createCollection (210c71d)

3.1.12 (2019-01-16)

Features

• core: update to mongodb-core v3.1.11 (9bef6e7)

3.1.11 (2019-01-15)

Bug Fixes

• bulk: fix error propagation in empty bulk.execute (a3adb3f)
• bulk: make sure that any error in bulk write is propagated (bedc2d2)
• bulk: properly calculate batch size for bulk writes (aafe71b)
• operations: do not call require in a hot path (ff82ff4)

3.1.10 (2018-11-16)

Bug Fixes

• auth: remember to default to admin database (c7dec28)

Features

• core: update to mongodb-core v3.1.9 (bd3355b)

... (truncated)

Commits

• c6f417e chore(release): 3.1.13
• 210c71d fix(db_ops): ensure we async resolve errors in createCollection
• 5ad9fa9 fix(changeStream): properly handle changeStream event mid-close (#1902)
• e806be4 fix(bulk): honor ignoreUndefined in initializeUnorderedBulkOp
• 050267d fix(*): restore ability to webpack by removing makeLazyLoader
• 6e896f4 docs: adding aggregation, createIndex, and runCommand examples
• cb3cd12 chore(release): 3.1.12
• 508d685 Revert "chore(release): 3.2.0"
• e7619aa chore(release): 3.2.0
• d0dc228 chore(travis): include forgotten stage info for sharded builds
• Additional commits viewable in compare view

Updates underscore from 1.9.1 to 1.13.7

Commits

• d2e7e61 Update autogenerated files for 1.13.7
• b1d4f23 Add a change log entry for 1.13.7
• 473970a Bump the copyright years
• a1cbb48 Bump the version to 1.13.7
• 1205eb5 Merge pull request #2996 from elkcityhazard/feature/theme-toggle
• bd3468b even more css formatting
• dd23fd0 formatting, filter, darker darkmode
• 184aae5 unncessary prefers-color-scheme: light removal
• 55720c0 minimal dark mode implementation
• de20b6f incorporated stylesheet that was already available
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jgonggrijp, a new releaser for underscore since your current version.

Updates debug from 3.2.6 to 3.2.7

Commits

• 3383260 3.2.7
• 4e21502 fix regression
• See full diff in compare view

Maintainer changes

This version was pushed to npm by qix, a new releaser for debug since your current version.

Updates bl from 1.0.3 to 1.1.2

Commits

• ea42021 1.1.2
• 950e9db minor formatting tweaks, name functions
• 62a0499 1.1.1
• cbb1429 unwrap bl children when passed to append() & support bl in constructor
• c72ba4e 1.1.0
• See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates js-yaml from 3.5.5 to 3.14.1

Changelog

Sourced from js-yaml's changelog.

[3.14.1] - 2020-12-07

Security

• Fix possible code execution in (already unsafe) .load() (in &anchor).

[3.14.0] - 2020-05-22

Changed

• Support safe/loadAll(input, options) variant of call.
• CI: drop outdated nodejs versions.
• Dev deps bump.

Fixed

• Quote = in plain scalars #519.
• Check the node type for !<?> tag in case user manually specifies it.
• Verify that there are no null-bytes in input.
• Fix wrong quote position when writing condensed flow, #526.

[3.13.1] - 2019-04-05

Security

• Fix possible code execution in (already unsafe) .load(), #480.

[3.13.0] - 2019-03-20

Security

• Security fix: safeLoad() can hang when arrays with nested refs used as key. Now throws exception for nested arrays. #475.

[3.12.2] - 2019-02-26

Fixed

• Fix noArrayIndent option for root level, #468.

[3.12.1] - 2019-01-05

Added

• Added noArrayIndent option, #432.

[3.12.0] - 2018-06-02

Changed

• Support arrow functions without a block statement, #421.

[3.11.0] - 2018-03-05

Added

• Add arrow functions suport for !!js/function.

Fixed

• Fix dump in bin/octal/hex formats for negative integers, #399.

... (truncated)

Commits

• 37caaad 3.14.1 released
• 094c0f7 dist rebuild
• 9586ebe Avoid calling hasOwnProperty of user-controlled objects
• 34e5072 3.14.0 released
• 7b25c83 Browser files rebuild
• 6f73473 Dev deps bump
• 0c29349 Travis-CI: drop old nodejs versions
• 10be97e fix(loader): Add support for safe/loadAll(input, options)
• d6983dd Fix issue #526: wrong quote position writing condensed flow (#527)
• 93fbf7d fix issue 526 (wrong quote position writing condensed flow)
• Additional commits viewable in compare view

Updates tough-cookie from 2.2.2 to 2.3.1

Commits

• c11a2d1 2.3.1
• 4c0a3ad Merge pull request #69 from SalesforceEng/restore-back-compat
• b24c17f Restore backwards compatibility to node 0.8
• 5d15579 2.3.0
• 6156272 Merge pull request #68 from SalesforceEng/fix-too-many-semicolons
• e4fc2e0 Reduce parse time for many semicolons.
• ce76918 Test on 4.4 until Travis supports --lts
• 72820be Support 4.0 (minimum), lts, and stable
• 43dc0d6 Merge pull request #65 from ide/patch-1
• 1fbeb07 Add links to 3rd party stores to the README
• See full diff in compare view

Maintainer changes

This version was pushed to npm by jstash, a new releaser for tough-cookie since your current version.

Updates dot-prop from 4.2.0 to 4.2.1

Release notes

Sourced from dot-prop's releases.

v4.2.1

• Backport sindresorhus/dot-prop@3039c8c to the v4.x release line.

Commits

• c914124 feat: patch 4.2.0 with fixes for CVE-2020-8116
• See full diff in compare view

Updates minimatch from 0.3.0 to 3.0.2

Changelog

Sourced from minimatch's changelog.

change log

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

7.0

• Preprocess patterns to simplify complicated patterns and reduce out .. pattern portions where possible. Note that this means a pattern like a/b/../* will be equivalent to a/*, and will not match the string a/b/../c. If this causes problems, it can be addressed in a patch release by resolving .. portions in the test string.

6.2

... (truncated)

Commits

• 81edb7c v3.0.2
• 6944abf Handle extremely long and terrible patterns more gracefully
• 8ac560e v3.0.1
• 4f3a8bc update tap
• 9cf2d88 Remove mentions of cache from readme
• 7df236f Use svg instead of png to get better image quality
• 361f803 Fixes spelling mistake from "instanting" to "instantiating"
• ea0c690 update travis
• 270dbea v3.0.0
• 668a1f4 Don't package browser version
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for minimatch since your current version.

Updates qs from 6.5.2 to 6.5.3

Changelog

Sourced from qs's changelog.

6.5.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
• [Fix] correctly parse nested arrays
• [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
• [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
• [Fix] when parseArrays is false, properly handle keys ending in []
• [Fix] fix for an impossible situation: when the formatter is called with a non-string value
• [Fix] utils.merge: avoid a crash with a null target and an array source
• [Refactor] utils: reduce observable [[Get]]s
• [Refactor] use cached Array.isArray
• [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
• [Refactor] parse: only need to reassign the var once
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
• [Docs] Clarify the need for "arrayLimit" option
• [meta] fix README.md (#399)
• [meta] add FUNDING.yml
• [actions] backport actions from main
• [Tests] always use String(x) over x.toString()
• [Tests] remove nonexistent tape option
• [Dev Deps] backport from main

Commits

• 298bfa5 v6.5.3
• ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
• 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
• 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
• 12ac1c4 [meta] fix README.md (#399)
• 0338716 [actions] backport actions from main
• 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
• 51b8a0b add FUNDING.yml
• 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...
• f814a7f [Dev Deps] backport from main
• Additional commits viewable in compare view

Updates qs from 6.3.2 to 6.3.3

Changelog

Sourced from qs's changelog.

6.5.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
• [Fix] correctly parse nested arrays
• [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
• [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
• [Fix] when parseArrays is false, properly handle keys ending in []
• [Fix] fix for an impossible situation: when the formatter is called with a non-string value
• [Fix] utils.merge: avoid a crash with a null target and an array source
• [Refactor] utils: reduce observable [[Get]]s
• [Refactor] use cached Array.isArray
• [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
• [Refactor] parse: only need to reassign the var once
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
• [Docs] Clarify the need for "arrayLimit" option
• [meta] fix README.md (#399)
• [meta] add FUNDING.yml
• [actions] backport actions from main
• [Tests] always use String(x) over x.toString()
• [Tests] remove nonexistent tape option
• [Dev Deps] backport from main

Commits

• 298bfa5 v6.5.3
• ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
• 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
• 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
• 12ac1c4 [meta] fix README.md (#399)
• 0338716 [actions] backport actions from main
• 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
• 51b8a0b add FUNDING.yml
• 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...
• f814a7f [Dev Deps] backport from main
• Additional commits viewable in compare view

Updates hawk from 1.0.0 to 3.1.3

Commits

• 2f0b93b cleanup
• 8a955a3 3.1.3
• bef99ae Merge pull request #171 from remy/fix/ddos-on-3dotx
• bb5cf9c Clean linting on client.js
• 3fd1e20 Add tests for DoS via header
• ccebde4 Fix minor DoS attack on long headers or uris.
• 66dd8f9 3.1.2
• 10daa13 Cleanup for #148
• 5e72fa2 Merge pull request #148 from LeviticusMB/parseUri-fix
• 9feb3f4 Rewrite parseUri to handle unusual but valid URI characters.
• Additional commits viewable in compare view

Updates hoek from 0.9.1 to 2.16.3

Commits

• 20f36e8 2.16.3
• 14113f7 dont fail when getOwnPropertyDescriptor returns undefined, closes #162
• 59e62cf 2.16.2
• a09325d allow empty keys, closes #161
• b5a5755 2.16.1
• e40c16a cleanup for #148
• 008ac4e 2.16.0
• 4db71b6 Merge pull request #159 from Marsup/empty-reach
• 17456e3 Allow reach to work with falsy values (empty str)
• 131fce0 2.15.0
• Additional commits viewable in compare view

Updates mixin-deep from 1.3.1 to 1.3.2

Commits

• 754f0c2 1.3.2
• 90ee1fa ensure keys are valid when mixing in values
• See full diff in compare view

Maintainer changes

This version was pushed to npm by doowb, a new releaser for mixin-deep since your current version.

Updates y18n from 3.2.1 to 3.2.2

Release notes

Sourced from y18n's releases.

y18n y18n-v4.0.3

Bug Fixes

• release: 4.x.x should not enforce Node 10 (#126) (1e21a53)

y18n y18n-v4.0.2

Bug Fixes

• security: ensure entry exists for backport (#120) (b22c0df)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for y18n since your current version.

Updates set-value from 2.0.0 to 2.0.1

Commits

• bb0f038 2.0.1
• cb12f14 ensure only valid keys are used
• See full diff in compare view

Maintainer changes

This version was pushed to npm by doowb, a new releaser for set-value since your current version.

Updates websocket-extensions from 0.1.3 to 0.1.4

Changelog

Sourced from websocket-extensions's changelog.

0.1.4 / 2020-06-02

• Remove a ReDoS vulnerability in the header parser (CVE-2020-7662, reported by Robert McLaughlin)
• Change license from MIT to Apache 2.0

Commits

• 5ea0b42 Bump version to 0.1.4
• 29496f6 Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser
• 4a76c75 Add Node versions 13 and 14 on Travis
• 44a677a Formatting change: {...} should have spaces inside the braces
• f6c50ab Let npm reformat package.json
• 2d211f3 Change markdown formatting of docs.
• 0b62083 Update Travis target versions.
• 729a465 Switch license to Apache 2.0.
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	grunt-cli@​1.2.0 ⏵ 1.4.3
	grunt-retire@​0.3.12 ⏵ 1.0.9	-5		+1	+2
	grunt@​1.0.3 ⏵ 1.6.1	+1	+26
	helmet@​2.3.0 ⏵ 8.1.0	+2		+1	+1
	body-parser@​1.18.3 ⏵ 1.20.3		+15	+1
	express@​4.16.4 ⏵ 4.21.2		+8
	marked@​0.3.5 ⏵ 4.0.10		+31	-2	-2	-19
	mocha@​2.5.3 ⏵ 11.7.4	-1		+21	+1
	mongodb@​2.2.36 ⏵ 3.1.13	+1	+15
	cypress@​3.3.1 ⏵ 15.4.0	+9		+19	+5

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud