feat(deps): bump the production-patch-minor group across 4 directories with 16 updates

[dependabot]

Bumps the production-patch-minor group with 15 updates in the / directory:

Package	From	To
dotenv	16.4.5	16.6.1
msw	2.6.6	2.14.5
@ai-sdk/provider	0.0.11	0.0.26
@apm-js-collab/code-transformer	0.12.0	0.13.0
@next/env	14.2.3	14.2.35
@vercel/functions	1.0.2	1.6.0
ajv	8.17.1	8.20.0
cors	2.8.5	2.8.6
esbuild	0.27.0	0.28.0
express	4.21.2	4.22.1
http-errors	2.0.0	2.0.1
minimatch	9.0.3	9.0.9
source-map	0.7.4	0.7.6
zod-to-json-schema	3.22.5	3.25.2
ai	3.2.16	3.4.33

Bumps the production-patch-minor group with 1 update in the /integrations/browser-js directory: braintrust.
Bumps the production-patch-minor group with 2 updates in the /integrations/vercel-ai-sdk directory: @ai-sdk/provider and ai.
Bumps the production-patch-minor group with 13 updates in the /js directory:

Package	From	To
dotenv	16.4.5	16.6.1
@ai-sdk/provider	0.0.11	0.0.26
@apm-js-collab/code-transformer	0.12.0	0.13.0
@next/env	14.2.3	14.2.35
@vercel/functions	1.0.2	1.6.0
ajv	8.17.1	8.20.0
cors	2.8.5	2.8.6
esbuild	0.27.0	0.28.0
express	4.21.2	4.22.1
http-errors	2.0.0	2.0.1
minimatch	9.0.3	9.0.9
source-map	0.7.4	0.7.6
zod-to-json-schema	3.22.5	3.25.2

Updates dotenv from 16.4.5 to 16.6.1

Changelog

Sourced from dotenv's changelog.

16.6.1 (2025-06-27)

Changed

• Default quiet to true – hiding the runtime log message (#874)
• NOTICE: 17.0.0 will be released with quiet defaulting to false. Use config({ quiet: true }) to suppress.
• And check out the new dotenvx. As coding workflows evolve and agents increasingly handle secrets, encrypted .env files offer a much safer way to deploy both agents and code together with secure secrets. Simply switch require('dotenv').config() for require('@dotenvx/dotenvx').config().

16.6.0 (2025-06-26)

Added

• Default log helpful message [dotenv@16.6.0] injecting env (1) from .env (#870)
• Use { quiet: true } to suppress
• Aligns dotenv more closely with dotenvx.

16.5.0 (2025-04-07)

Added

• 🎉 Added new sponsor Graphite - the AI developer productivity platform helping teams on GitHub ship higher quality software, faster.

[!TIP] Become a sponsor

The dotenvx README is viewed thousands of times DAILY on GitHub and NPM. Sponsoring dotenv is a great way to get in front of developers and give back to the developer community at the same time.

Changed

• Remove _log method. Use _debug #862

16.4.7 (2024-12-03)

Changed

• Ignore .tap folder when publishing. (oops, sorry about that everyone. - @​motdotla) #848

16.4.6 (2024-12-02)

Changed

• Clean up stale dev dependencies #847
• Various README updates clarifying usage and alternative solutions using dotenvx

Commits

• 076ba3b 16.6.1
• 8867fe0 changelog 🪵
• 424c32d Merge pull request #874 from motdotla/default-quiet-to-true
• 5270faf changelog 🪵
• 86ce001 force failure of path.relative in test
• e6799e6 add tests
• ec72534 add to test coverage
• c886084 send coverage to text as well
• a791032 add test
• fa67c02 test quiet: false
• Additional commits viewable in compare view

Updates msw from 2.6.6 to 2.14.5

Release notes

Sourced from msw's releases.

v2.14.5 (2026-05-08)

Bug Fixes

• ws: remove all frame listeners on client closure (#2739) (91a5d4131ceae9250acc40e0fa44b3c64f030d3e) @​kettanaito

v2.14.4 (2026-05-07)

Bug Fixes

• add finalize API for handler cleanup (#2738) (a288f5452970da6537ff31fce6b7f99eb620e563) @​kettanaito

v2.14.3 (2026-05-04)

Bug Fixes

• prevent frame abort listener leak (#2737) (c4567d2a398fb3315cebea4b66e9b79022ad569c) @​kettanaito

v2.14.2 (2026-04-29)

Bug Fixes

• export the NetworkApi type (#2734) (f0c03214b59f906ca8e92e3f0bb5d08fdf7d6f5e) @​kettanaito

v2.14.1 (2026-04-29)

Bug Fixes

• export default handler controllers (#2733) (f8dc874a236a4bd376c23cce9dd55ed59b8279e2) @​kettanaito

v2.14.0 (2026-04-29)

Features

• support ws.onUpgrade for handling connection upgrades (#2732) (e00e4d693db34884a316f659b8dcfb507cd79dce) @​kettanaito

Bug Fixes

• do not clone user-provided responses (#2731) (6953307c8061626d31a3651e69d47c885c0e4b76) @​kettanaito
• HttpResponse: forward cookies only when response is used (#2728) (30668e68f403535636bfb8dc12c64299d9c1c6e6) @​kettanaito

v2.13.6 (2026-04-24)

Bug Fixes

• WebSocketHandler: add public test() method (#2727) (3da7048e05fae80fe3410e3af86f6c3dd3cfaead) @​kettanaito

v2.13.5 (2026-04-23)

Bug Fixes

... (truncated)

Commits

• c07e09b chore(release): v2.14.5
• 91a5d41 fix(ws): remove all frame listeners on client closure (#2739)
• d697485 chore(release): v2.14.4
• a288f54 fix: add finalize API for handler cleanup (#2738)
• de18888 chore(release): v2.14.3
• c4567d2 fix: prevent frame abort listener leak (#2737)
• 4bc4a5c chore(release): v2.14.2
• f0c0321 fix: export the NetworkApi type (#2734)
• 52dca1e chore(release): v2.14.1
• f8dc874 fix: export default handler controllers (#2733)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for msw since your current version.

Install script changes

This version modifies postinstall script that runs during installation. Review the package contents before updating.

Updates @ai-sdk/provider from 0.0.11 to 0.0.26

Changelog

Sourced from @​ai-sdk/provider's changelog.

0.0.26

Patch Changes

• aa98cdb: chore: more flexible dependency versioning
• 1486128: feat: add supportsUrl to language model specification
• 7b937c5: feat (provider-utils): improve id generator robustness
• 3b1b69a: feat: provider-defined tools
• 811a317: feat (ai/core): multi-part tool results (incl. images)

0.0.25

Patch Changes

• b9b0d7b: feat (ai): access raw request body

0.0.24

Patch Changes

• d595d0d: feat (ai/core): file content parts

0.0.23

Patch Changes

• 03313cd: feat (ai): expose response id, response model, response timestamp in telemetry and api
• 3be7c1c: fix (provider/anthropic): support prompt caching on assistant messages

0.0.22

Patch Changes

• 26515cb: feat (ai/provider): introduce ProviderV1 specification

0.0.21

Patch Changes

• f2c025e: feat (ai/core): prompt validation

0.0.20

Patch Changes

• 6ac355e: feat (provider/anthropic): add cache control support

0.0.19

Patch Changes

... (truncated)

Commits

• f7dce25 Version Packages (#3347)
• 811a317 feat (ai/core): multi-part tool results (incl. images) (#3362)
• 1486128 feat (provider/google): support file URLs without downloads (#3355)
• 3b1b69a feat: provider-defined tools (#3353)
• aa98cdb chore: more flexible dependency versioning (#3341)
• 7b937c5 feat (provider-utils): improve id generator robustness (#3340)
• a2fbb04 Version Packages (#3332)
• b9b0d7b feat (ai): access raw request body (#3328)
• 988707c feat (ai/core): automatically download files from urls (#3145)
• cb649e8 Version Packages (#3140)
• Additional commits viewable in compare view

Updates @apm-js-collab/code-transformer from 0.12.0 to 0.13.0

Release notes

Sourced from @​apm-js-collab/code-transformer's releases.

code-transformer: v0.13.0

0.13.0 (2026-04-29)

Features

• add return kind option to support iterators (#67) (4e77ee5)

Bug Fixes

• Updated transformer to prevent instrumenting a non-existent method on a class (#59) (661eb1a)

Changelog

Sourced from @​apm-js-collab/code-transformer's changelog.

0.13.0 (2026-04-29)

Features

• Add return kind option to support iterators (#67) (4e77ee5)
• Add auto function kind for dynamic return value mechanisms (#64) (0a67e16)
• Convert ArrowFunctionExpression to FunctionExpression in traceFunction (#60) (d8290b5)

Bug Fixes

• Fix incorrect function type breaking arg length and generators (#70) (24f2e4c)

Commits

• c498739 chore: release v0.13.0 (#61)
• 506010d ci: Added a workflow to validate that the PR title is using a conventional co...
• 4e77ee5 feat: add return kind option to support iterators (#67)
• 24f2e4c fix incorrect function type breaking arg length and generators (#70)
• a075ce1 update instance method test to use another file for subclass (#65)
• d89f8d0 add documentation for callback and auto function kinds (#66)
• dfe5199 Revert "fix: Updated transformer to prevent instrumenting a non-existent meth...
• 0a67e16 add auto function kind for dynamic return value mechanisms (#64)
• d8290b5 convert ArrowFunctionExpression to FunctionExpression in traceFunction (#60)
• 661eb1a fix: Updated transformer to prevent instrumenting a non-existent method on a ...
• See full diff in compare view

Updates @next/env from 14.2.3 to 14.2.35

Commits

• 7b940d9 v14.2.35
• f307368 v14.2.34
• 5a97b40 v14.2.33
• 89ee561 v14.2.32
• 55f7662 v14.2.31
• 243072b v14.2.30
• ca92115 v14.2.29
• e65628a v14.2.28
• 43f10b8 v14.2.27
• 10a042c v14.2.26
• Additional commits viewable in compare view

Updates @vercel/functions from 1.0.2 to 1.6.0

Changelog

Sourced from @​vercel/functions's changelog.

1.6.0

Minor Changes

• Add middleware-related helper functions (#12938)

1.5.2

Patch Changes

• [vercel/functions] add geolocation.postalCode (#12753)

1.5.1

Patch Changes

• [@​vercel/functions] update headers doc (#12649)

1.5.0

Minor Changes

• ipAddress: accept headers as input (#12429)

1.4.2

Patch Changes

• [functions] decode city name (#12234)

1.4.1

Patch Changes

• Package files in the root folder (#11982)

1.4.0

Minor Changes

• Added OIDC Token utility functions (#11701)

1.3.0

Minor Changes

• [functions] add getEnv method. (#11783)

1.2.0

... (truncated)

Commits

• 1e98464 Version Packages (#12851)
• a1266a8 [react-router] Add initial @vercel/react-router package (#12903)
• 3b5b731 Update @vercel/functions generated docs (#12812)
• 247fb5a [edge] use @vercel/functions (#12758)
• 8cf0f1a Version Packages (#12756)
• 2cace21 [vercel/functions] add geolocation.postalCode (#12753)
• b051248 Version Packages (#12648)
• 03825ff [@​vercel/functions] update headers doc (#12649)
• fdee7f0 [docs] point @vercel/functions docs to vercel.com (#12431)
• 37293e5 Version Packages (#12424)
• Additional commits viewable in compare view

Updates ajv from 8.17.1 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• Additional commits viewable in compare view

Updates cors from 2.8.5 to 2.8.6

Release notes

Sourced from cors's releases.

v2.8.6

What's Changed

• Build: Node.js@12.16 and Node.js.13.12 by @​smondal in expressjs/cors#189
• Update README.md for origin function callback parameters by @​dstudzinski in expressjs/cors#180
• Suggest passing false for disallowed domains, not erroring by @​shackpank in expressjs/cors#175
• Changed the term whitelist to allowlist in Documentation by @​jkasun in expressjs/cors#200
• Fix typo in README by @​alex-grover in expressjs/cors#207
• Added new link & website in the README by @​manjunath00 in expressjs/cors#269
• Fix functions call with extra parameter by @​LuisEGR in expressjs/cors#245
• 🐛 Fix readme status badge by @​homersimpsons in expressjs/cors#306
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/cors#321
• ci: fix errors in ci github action for node 8 by @​inigomarquinez in expressjs/cors#322
• test: improved test robustness by @​Alex-GF in expressjs/cors#320
• chore: upgrade scorecard workflow pinned action versions by @​carpasse in expressjs/cors#341
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/cors#340
• docs: remove broken link to demo site by @​dpopp07 in expressjs/cors#344
• OSSF Scorecard recommendations by @​UlisesGascon in expressjs/cors#350
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 by @​dependabot[bot] in expressjs/cors#351
• build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/cors#353
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot[bot] in expressjs/cors#354
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @​dependabot[bot] in expressjs/cors#355
• build(deps-dev): bump express from 4.17.1 to 4.21.2 by @​dependabot[bot] in expressjs/cors#356
• build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @​dependabot[bot] in expressjs/cors#352
• build(deps-dev): bump mocha from 9.1.1 to 9.2.2 by @​dependabot[bot] in expressjs/cors#358
• update the docs for per request config by @​jonchurch in expressjs/cors#338
• (fix): readme updated for #271 origin option for * by @​dhananjaysa92 in expressjs/cors#289
• ci: upgrade Node versions by @​UlisesGascon in expressjs/cors#359
• chore: add funding to package.json by @​bjohansebas in expressjs/cors#363
• build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 by @​dependabot[bot] in expressjs/cors#371
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/cors#370
• docs: Cleanup README by @​efekrskl in expressjs/cors#374
• chore: add node v25 by @​imangas in expressjs/cors#375
• Extend CI test matrix by @​imangas in expressjs/cors#376
• docs: simplify code examples with header comments by @​jonchurch in expressjs/cors#386
• docs: tweak intro, add note w/ browser enforcement, FAQ by @​jonchurch in expressjs/cors#385
• chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball by @​Phillip9587 in expressjs/cors#388
• Release: 2.8.6 by @​UlisesGascon in expressjs/cors#390

New Contributors

• @​smondal made their first contribution in expressjs/cors#189
• @​dstudzinski made their first contribution in expressjs/cors#180
• @​shackpank made their first contribution in expressjs/cors#175
• @​jkasun made their first contribution in expressjs/cors#200
• @​alex-grover made their first contribution in expressjs/cors#207
• @​manjunath00 made their first contribution in expressjs/cors#269
• @​LuisEGR made their first contribution in expressjs/cors#245
• @​homersimpsons made their first contribution in expressjs/cors#306
• @​inigomarquinez made their first contribution in expressjs/cors#321
• @​Alex-GF made their first contribution in expressjs/cors#320
• @​carpasse made their first contribution in expressjs/cors#341

... (truncated)

Changelog

Sourced from cors's changelog.

2.8.6 / 2026-01-22

• Improve documentation (API, context, examples...)
• Remove additional markdown files from tarball

Commits

• f00a8c1 2.8.6 (#390)
• 848e2bd chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388)
• cf8947e docs: tweak intro, add note w/ browser enforcement, FAQ (#385)
• bbf62a5 docs: simplify code examples with header comments (#386)
• f442e77 Extend CI test matrix (#376)
• d5cf6cd ci: add support for node@25 (#375)
• 7e6f7ee docs: revamp content (#374)
• b25644c build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370)
• f881e91 build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371)
• 9a9a760 chore: add funding to package.json (#363)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cors since your current version.

Updates esbuild from 0.27.0 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }

... (truncated)

Commits

• 6a794df publish 0.28.0 to npm
• 64ee0ea fix #4435: support with { type: text } imports
• ef65aee fix sort order in snapshots_packagejson.txt
• 1a26a8e try to fix test-old-ts, also shuffle CI tasks
• 556ce6c use '' instead of null to omit build hashes
• 8e675a8 ci: allow missing binary hashes for tests
• 7067763 Reapply "update go 1.25.7 => 1.26.1"
• 39473a9 fix #4343: integrity check for binary download
• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• Additional commits viewable in compare view

Updates express from 4.21.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Updates http-errors from 2.0.0 to 2.0.1

Release notes

Sourced from http-errors's releases.

v2.0.1

What's Changed

• Add support for OSSF scorecard reporting by @​carpasse in jshttp/http-errors#107
• refactor: improve toClassName function readability and JSDoc completeness by @​Ayoub-Mabrouk in jshttp/http-errors#112
• chore: upgrade scorecard workflow pinned action versions by @​carpasse in jshttp/http-errors#113
• Add test for extending native errors w/o altering prototype by @​jonchurch in jshttp/http-errors#106
• remove --bail from test script by @​jonchurch in jshttp/http-errors#114
• [StepSecurity] Apply security best practices by Description has been truncated

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml