Bump the npm_and_yarn group across 2 directories with 16 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the /src/webapi directory:

Package	From	To
mongoose	8.5.2	8.9.5
nodemailer	6.9.14	7.0.7
@babel/helpers	7.25.6	7.28.4
brace-expansion	1.1.11	1.1.12
cross-spawn	7.0.3	7.0.6
on-headers	1.0.2	1.1.0

Bumps the npm_and_yarn group with 9 updates in the /src/webapp directory:

Package	From	To
express	4.19.2	4.21.2
@babel/helpers	7.25.0	7.28.4
brace-expansion	1.1.11	1.1.12
cross-spawn	7.0.3	7.0.6
on-headers	1.0.2	1.1.0
form-data	3.0.1	3.0.4
http-proxy-middleware	2.0.6	2.0.9
nanoid	3.3.7	3.3.11
rollup	2.79.1	2.79.2

Updates mongoose from 8.5.2 to 8.9.5

Release notes

Sourced from mongoose's releases.

8.9.5 / 2025-01-13

• fix: disallow nested $where in populate match
• fix(schema): handle bitwise operators on Int32 #15176 #15170

8.9.4 / 2025-01-09

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI
• fix(model): make Model.validate() static correctly cast document arrays #15169 #15164
• fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #15161 #15156
• fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #15142 #15120
• types: avoid BufferToBinary<> wiping lean types when passed to generic functions #15160 #15158
• docs: fix <code> in header ids #15159
• docs: fix header in field-level-encryption.md #15137 damieng

8.9.3 / 2024-12-30

• fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #15135 #15112 #15109
• fix(model): handle document array paths set to non-array values in Model.castObject() #15124 #15075
• fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #15131 #15071
• fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #15126
• perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #15136 #10449
• types: make BufferToBinary avoid Document instances #15123 #15122
• types(model+query): avoid stripping out virtuals when calling populate with paths generic #15132 #15111
• types(schema): add missing removeIndex #15134
• types: add cleanIndexes() to IndexManager interface #15127
• docs: move search endpoint to netlify #15119

8.9.2 / 2024-12-19

• fix(schema): avoid throwing duplicate index error if index spec keys have different order or index has a custom name #15112 #15109
• fix(map): clean modified subpaths when overwriting values in map of subdocs #15114 #15108
• fix(aggregate): pull session from transaction local storage for aggregation cursors #15094 IchirokuXVI
• types: correctly handle union types in BufferToBinary and related helpers #15103 #15102 #15057
• types: add UUID to RefType #15115 #15101
• docs: remove link to Mongoose 5.x docs from dropdown #15116
• docs(connection+document+model): remove remaining references to remove(), clarify that deleteOne() does not execute until then() or exec() #15113 #15107

8.9.1 / 2024-12-16

• fix(connection): remove heartbeat check in load balanced mode #15089 #15042 #14812
• fix(discriminator): gather childSchemas when creating discriminator to ensure $getAllSubdocs() can properly get all subdocs #15099 #15088 #15092
• fix(model): handle discriminators in castObject() #15096 #15075
• fix(schema): throw error if duplicate index definition using unique in schema path and subsequent .index() call #15093 #15056
• fix: mark documents that are populated using hydratedPopulatedDocs option as populated in top-level doc #15080 #15048
• fix(document+schema): improve error message for get() on invalid path #15098 #15071
• docs: remove more callback doc references & some small other changes #15095

8.9.0 / 2024-12-13

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.9.5 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061
• fix(schema): handle bitwise operators on Int32 #15176 #15170

7.8.4 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061

6.13.6 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061

8.9.4 / 2025-01-09

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXVI
• fix(model): make Model.validate() static correctly cast document arrays #15169 #15164
• fix(model): allow passing validateBeforeSave option to bulkSave() to skip validation #15161 #15156
• fix(schema): allow multiple self-referencing discriminator schemas using Schema.prototype.discriminator #15142 #15120
• types: avoid BufferToBinary<> wiping lean types when passed to generic functions #15160 #15158
• docs: fix <code> in header ids #15159
• docs: fix header in field-level-encryption.md #15137 damieng

8.9.3 / 2024-12-30

• fix(schema): make duplicate index error a warning for now to prevent blocking upgrading #15135 #15112 #15109
• fix(model): handle document array paths set to non-array values in Model.castObject() #15124 #15075
• fix(document): avoid using childSchemas.path for compatibility with pre-Mongoose-8.8 schemas #15131 #15071
• fix(model): avoid throwing unnecessary error if updateOne() returns null in save() #15126
• perf(cursor): clear the stack every time if using populate with batchSize to avoid stack overflows with large docs #15136 #10449
• types: make BufferToBinary avoid Document instances #15123 #15122
• types(model+query): avoid stripping out virtuals when calling populate with paths generic #15132 #15111
• types(schema): add missing removeIndex #15134
• types: add cleanIndexes() to IndexManager interface #15127
• docs: move search endpoint to netlify #15119

8.9.2 / 2024-12-19

• fix(schema): avoid throwing duplicate index error if index spec keys have different order or index has a custom name #15112 #15109
• fix(map): clean modified subpaths when overwriting values in map of subdocs #15114 #15108
• fix(aggregate): pull session from transaction local storage for aggregation cursors #15094 IchirokuXVI
• types: correctly handle union types in BufferToBinary and related helpers #15103 #15102 #15057
• types: add UUID to RefType #15115 #15101
• docs: remove link to Mongoose 5.x docs from dropdown #15116
• docs(connection+document+model): remove remaining references to remove(), clarify that deleteOne() does not execute until then() or exec() #15113 #15107

8.9.1 / 2024-12-16

• fix(connection): remove heartbeat check in load balanced mode #15089 #15042 #14812
• fix(discriminator): gather childSchemas when creating discriminator to ensure $getAllSubdocs() can properly get all subdocs #15099 #15088 #15092

... (truncated)

Commits

• 5af0a10 chore: release 8.9.5
• a42d8f5 Merge branch '7.x'
• 73e81ab chore: release 7.8.4
• 4fe9a90 Merge branch '6.x' into 7.x
• e59e342 chore: release 6.13.6
• 64a9f97 fix: disallow nested $where in populate match
• fa33717 Merge pull request #15176 from Automattic/vkarpov15/gh-15170
• 0728602 test: make test cast non-boolean value
• 0cad0d7 fix(schema): handle bitwise operators on Int32
• 39886fb docs: quick changelog formatting fix
• Additional commits viewable in compare view

Updates nodemailer from 6.9.14 to 7.0.7

Release notes

Sourced from nodemailer's releases.

v7.0.7

7.0.7 (2025-10-05)

Bug Fixes

• addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
• dns: add memory leak prevention for DNS cache (0240d67)
• linter: Updated eslint and created prettier formatting task (df13b74)
• refresh expired DNS cache on error (#1759) (ea0fc5a)
• resolve linter errors in DNS cache tests (3b8982c)

v7.0.6

7.0.6 (2025-08-27)

Bug Fixes

• encoder: avoid silent data loss by properly flushing trailing base64 (#1747) (01ae76f)
• handle multiple XOAUTH2 token requests correctly (#1754) (dbe0028)
• ReDoS vulnerability in parseDataURI and _processDataUrl (#1755) (90b3e24)

v7.0.5

7.0.5 (2025-07-07)

Bug Fixes

• updated well known delivery service list (fa2724b)

v7.0.4

7.0.4 (2025-06-29)

Bug Fixes

• pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
• smtp-connection: jsdoc public annotation for socket (#1741) (c45c84f)
• well-known-services: Added AliyunQiye (bb9e6da)

v7.0.3

7.0.3 (2025-05-08)

Bug Fixes

• attachments: Set the default transfer encoding for message/rfc822 attachments as '7bit' (007d5f3)

v7.0.2

7.0.2 (2025-05-04)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

7.0.7 (2025-10-05)

Bug Fixes

• addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
• dns: add memory leak prevention for DNS cache (0240d67)
• linter: Updated eslint and created prettier formatting task (df13b74)
• refresh expired DNS cache on error (#1759) (ea0fc5a)
• resolve linter errors in DNS cache tests (3b8982c)

7.0.6 (2025-08-27)

Bug Fixes

• encoder: avoid silent data loss by properly flushing trailing base64 (#1747) (01ae76f)
• handle multiple XOAUTH2 token requests correctly (#1754) (dbe0028)
• ReDoS vulnerability in parseDataURI and _processDataUrl (#1755) (90b3e24)

7.0.5 (2025-07-07)

Bug Fixes

• updated well known delivery service list (fa2724b)

7.0.4 (2025-06-29)

Bug Fixes

• pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
• smtp-connection: jsdoc public annotation for socket (#1741) (c45c84f)
• well-known-services: Added AliyunQiye (bb9e6da)

7.0.3 (2025-05-08)

Bug Fixes

• attachments: Set the default transfer encoding for message/rfc822 attachments as '7bit' (007d5f3)

7.0.2 (2025-05-04)

Bug Fixes

• ses: Fixed structured from header (faa9a5e)

7.0.1 (2025-05-04)

Bug Fixes

• ses: Use formatted FromEmailAddress for SES emails (821cd09)

... (truncated)

Commits

• 9357a71 chore(master): release 7.0.7 [skip-ci] (#1761)
• df13b74 fix(linter): Updated eslint and created prettier formatting task
• 62629a0 Updated tests for addressparser
• 1150d99 fix(addressparser): Fixed addressparser handling of quoted nested email addre...
• 3b8982c fix: resolve linter errors in DNS cache tests
• 0240d67 fix(dns): add memory leak prevention for DNS cache
• ea0fc5a fix: refresh expired DNS cache on error (#1759)
• 430ca75 chore(master): release 7.0.6 [skip-ci] (#1753)
• e3e700c Bumped deps
• f322c38 replaced escaped single quotes with unescaped ones
• Additional commits viewable in compare view

Updates @babel/helpers from 7.25.6 to 7.28.4

Release notes

Sourced from @​babel/helpers's releases.

v7.28.4 (2025-09-05)

Thanks @​gwillen and @​mrginglymus for your first PRs!

🏠 Internal

• babel-core, babel-helper-check-duplicate-nodes, babel-traverse, babel-types
  • #17493 Update Jest to v30.1.1 (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17455 chore: Clean up transform-regenerator (@​liuxingbaoyu)
• babel-core
  • #17474 Switch to @​jridgewell/remapping (@​mrginglymus)

Committers: 5

• Babel Bot (@​babel-bot)
• Bill Collins (@​mrginglymus)
• Glenn Willen (@​gwillen)
• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.28.4 (2025-09-05)

🏠 Internal

• babel-core, babel-helper-check-duplicate-nodes, babel-traverse, babel-types
  • #17493 Update Jest to v30.1.1 (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17455 chore: Clean up transform-regenerator (@​liuxingbaoyu)
• babel-core
  • #17474 Switch to @​jridgewell/remapping (@​mrginglymus)

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

• babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator
  • #17426 fix: regenerator correctly handles throw outside of try (@​liuxingbaoyu)

📝 Documentation

• babel-types
  • #17422 Add missing FunctionParameter docs (@​JLHwung)

... (truncated)

Commits

• 35055e3 v7.28.4
• 18d88b8 Improve @​babel/core typings (#17471)
• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• cac0ff4 v7.28.2
• f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
• baa4cb8 v7.27.6
• fdbf1b3 fix: finally causes unexpected return value (#17366)
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

• Migrate CI pipeline to GitHub actions by @​carpasse in jshttp/on-headers#12
• fix README.md badges by @​carpasse in jshttp/on-headers#13
• add OSSF scorecard action by @​carpasse in jshttp/on-headers#14
• fix: use ubuntu-latest as ci runner by @​UlisesGascon in jshttp/on-headers#19
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in jshttp/on-headers#20
• 👷 add upstream change detection by @​ctcpip in jshttp/on-headers#31
• ✨ add script to update known hashes by @​ctcpip in jshttp/on-headers#32
• 💚 update CI - add newer node versions by @​ctcpip in jshttp/on-headers#33

New Contributors

• @​carpasse made their first contribution in jshttp/on-headers#12
• @​UlisesGascon made their first contribution in jshttp/on-headers#19
• @​ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 4b017af 1.1.0
• b636f2d ♻️ refactor header array code
• 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
• 172eb41 ✨ support duplicate headers
• c6e3849 🔒️ fix array handling
• 6893518 💚 update CI - add newer node versions
• 56a345d ✨ add script to update known hashes
• 175ab21 👷 add upstream change detection (#31)
• ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
• 1a38c54 fix: use ubuntu-latest as ci runner (#19)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates path-to-regexp from 0.1.10 to 8.3.0

Release notes

Sourced from path-to-regexp's releases.

8.3.0

Changed

• Add custom error class (#398) 2a7f2a4
• Allow plain objects for TokenData (#391) 687a9bb
• Escape text should escape backslash (#390) a4a8552
• Improved error messages and stack size (#363) a6bdf40

Other

• Minifying the parser
  • PR (#401) 9df2448
  • PR (#395) 4a91505
  • Shaving some bytes d63f44b
  • Remove optional operator 973d15c

pillarjs/path-to-regexp@v8.2.0...v8.3.0

8.2.0

Fixed

• Allowing path-to-regexp to run on older browsers by targeting ES2015
  • Target ES2015 5969033
    • Also saved 0.22kb (10%!) by removing the private class field down level
  • Remove s flag from regexp 51dbd45

pillarjs/path-to-regexp@v8.1.0...v8.2.0

v8.1.0

Added

• Adds pathToRegexp method back for generating a regex
• Adds stringify method for converting TokenData into a path string

pillarjs/path-to-regexp@v8.0.0...v8.1.0

Simpler API

Heads up! This is a fairly large change (again) and I need to apologize in advance. If I foresaw what this version would have ended up being I would not have released version 7. A longer blog post and explanation will be incoming this week, but the pivot has been due to work on Express.js v5 and this will the finalized syntax used in Express moving forward.

Edit: The post is out - https://blakeembrey.com/posts/2024-09-web-redos/

Added

• Adds key names to wildcards using *name syntax, aligns with : behavior but using an asterisk instead

Changed

• Removes group suffixes of ?, +, and * - only optional exists moving forward (use wildcards for +, {*foo} for *)
• Parameter names follow JS identifier rules and allow unicode characters

... (truncated)

Changelog

Sourced from path-to-regexp's changelog.

Moved to GitHub Releases

3.0.0 / 2019-01-13

• Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
• Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

2.4.0 / 2018-08-26

• Support start option to disable anchoring from beginning of the string

2.3.0 / 2018-08-20

• Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

2.2.1 / 2018-04-24

• Allow empty string with end: false to match both relative and absolute paths

2.2.0 / 2018-03-06

• Pass token as second argument to encode option (e.g. encode(value, token))

2.1.0 / 2017-10-20

• Handle non-ending paths where the final character is a delimiter
  • E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

2.0.0 / 2017-08-23

• New option! Ability to set endsWith to match paths like /test?query=string up to the query string
• New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
• Remove isarray dependency
• Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
• Remove overloaded keys argument that accepted options
• Remove keys list attached to the RegExp output
• Remove asterisk functionality (it's a real pain to properly encode)
• Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

1.7.0 / 2016-11-08

• Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

1.6.0 / 2016-10-03

• Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
• Allow a delimiter option to be passed in with parse
• Updated TypeScript definition with Keys and Options updated

1.5.3 / 2016-06-15

... (truncated)

Commits

• c4f5b3f 8.3.0
• 6587c81 Move parameter name errors up in docs (#402)
• 9df2448 Remove more bytes from parser (#401)
• 012a54a Bump actions/checkout from 4 to 5 (#403)
• 9385f7d Remove engines from package (#399)
• 2a7f2a4 Add custom error class (#398)
• 265a2a7 100% test coverage (#396)
• 4a91505 Reduce bytes in parse function (#395)
• 687a9bb Allow plain objects for TokenData (#391)
• a4a8552 Escape text should escape backslash (#390)
• Additional commits viewable in compare view

Updates express from 4.19.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by