Bump the npm_and_yarn group across 1 directory with 12 updates #66

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-7ebfb0dc99

@dependabot dependabot Bot commented on behalf of github Mar 12, 2026

Bumps the npm_and_yarn group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @okta/oidc-middleware | 4.5.1 | 5.0.0 |
| jsonwebtoken | 8.5.1 | 9.0.0 |
| redis | 2.8.0 | 5.11.0 |
| json5 | 0.5.1 | 2.2.3 |
| cookie | 0.4.0 | 0.7.2 |
| node-fetch | 1.7.3 | 2.7.0 |
| on-headers | 1.0.2 | 1.1.0 |
| tmp | 0.0.33 | removed |

Updates @okta/oidc-middleware from 4.5.1 to 5.0.0

Release notes

Sourced from @​okta/oidc-middleware's releases.

5.0.0

Breaking Changes

  • #54 Requires Node >= 12.19.0. Update production dependencies:
    • openid-client@5.1.9 (was 3.12.2)
Changelog

Sourced from @​okta/oidc-middleware's changelog.

5.0.0

Breaking Changes

  • # Requires Node >= 12.19.0. Update production dependencies:
    • openid-client@5.1.9 (was 3.12.2)

4.6

  • #53 Fix: prevents open redirects

Commits
  • 50c093b chore(deps): upgrade vulnerable dependencies (#54)
  • 5d10b3c Prevent open redirects (#53)
  • fe24bfc chore: Update dependencies
  • ebafab4 chore: dev dependency upgrades
  • 113e1a3 chore: updates github issue template
  • a9b6ad2 Merge remote-tracking branch 'origin/4.5' into sw-backport-4.5.1
  • 94852df Releng: Revving up to version(s) 4.6.0 for artifact(s) None
  • See full diff in compare view

Updates jsonwebtoken from 8.5.1 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default. (auth0/node-jsonwebtoken@8345030)
  • RSA key size must be 2048 bits or greater. (auth0/node-jsonwebtoken@ecdf6cc)
  • Key types must be valid for the signing / verification algorithm

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Commits
  • e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
  • 5eaedbf chore(ci): remove github test actions job (#861)
  • cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
  • ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
  • 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
  • 7e6a86b Upload OpsLevel YAML (#849)
  • 74d5719 docs: update references vercel/ms references (#770)
  • d71e383 docs: document "invalid token" error
  • 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
  • a46097e docs: make decode impossible to discover before verify
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.


Updates redis from 2.8.0 to 5.11.0

Release notes

Sourced from redis's releases.

redis@5.11.0

5.11.0 Release Changelog

🌟 Highlights

Smart Client Handoffs for Enterprise OSS API (Pending a Redis Enterprise version release)

This release introduces support for Redis Enterprise Cluster maintenance notifications via SMIGRATING/SMIGRATED push notifications. The client now automatically handles slot migrations by:

  • Relaxing timeouts during migration (SMIGRATING) to prevent false failures
  • Automatic slot handoff when completed (SMIGRATED)
  • Enabling seamless operations during Redis Enterprise maintenance windows

Redis 8.6 Support

This release adds support for Redis 8.6 features:

  • XADD idempotency options (IDMPAUTO, IDMP, and policy) - Prevent duplicate entries by tracking producer and message IDs
  • XCFGSET command - Configure per-stream idempotency parameters (IDMP_DURATION, IDMP_MAXSIZE)
  • XINFO STREAM enhancements - New idempotency tracking fields (idmp-duration, idmp-maxsize, pids-tracked, iids-tracked, iids-added, iids-duplicates)
  • HOTKEYS command family (START, STOP, GET, RESET) - Track and identify hot keys by CPU time and network bytes

🚀 New Features


🐛 Bug Fixes


📚 Documentation & Testing

New Contributors

... (truncated)

Changelog

Sourced from redis's changelog.

Changelog

v4.0.2 - 13 Jan, 2022

Fixes

  • Fix v4 commands in legacy mode (#1820)
  • Fix EXISTS command reply (#1819)
  • Fix handler for "redis:invalidate" messages (#1798)
  • Fix "SEPARATOR" typo in RediSearch (#1823)

Enhancements

  • First release of @node-redis/bloom
  • Add support for Buffers
  • Enhance ASK and MOVED errors handler

v4.0.1 - 13 Dec, 2021

Fixes

  • Fix NOAUTH error when using authentication & database (#1681)
  • Allow to .quit() in PubSub mode (#1766)
  • Add an option to configure name on a client (#1758)
  • Lowercase commands (client.hset) in legacyMode
  • Fix PubSub resubscribe (#1764)
  • Fix RedisSocketOptions type (#1741)

Enhancements

  • Add support for numbers and Buffers in HSET (#1738 #1739)
  • Export RedisClientType, RedisClusterType and some more types (#1673)
  • First release of @node-redis/time-series

v4.0.0 - 24 Nov, 2021

This version is a major change and refactor, adding modern JavaScript capabilities and multiple breaking changes. See the migration guide for tips on how to upgrade.

Breaking Changes

  • All functions return Promises by default
  • Dropped support for Node.js 10.x, the minimum supported Node.js version is now 12.x
  • createClient takes new and different arguments
  • The prefix, rename_commands configuration options to createClient have been removed
  • The enable_offline_queue configuration option is removed, executing commands on a closed client (without calling .connect() or after calling .disconnect()) will reject immediately
  • Login credentials are no longer saved when using .auth() directly

Features

  • Added support for Promises

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by dmaier-redislabs, a new releaser for redis since your current version.


Updates json5 from 0.5.1 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1

v2.2.0

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2

  • Fix: Bump minimist to v1.2.5. (#222)

v2.1.1

  • New: package.json and package.json5 include a module property so bundlers like webpack, rollup and parcel can take advantage of the ES Module build. (#208)
  • Fix: stringify outputs \0 as \\x00 when followed by a digit. (#210)
  • Fix: Spelling mistakes have been fixed. (#196)

v2.1.0

  • New: The index.mjs and index.min.mjs browser builds in the dist directory support ES6 modules. (#187)

v2.0.1

  • Fix: The browser builds in the dist directory support ES5. (#182)

v2.0.0

  • Major: JSON5 officially supports Node.js v6 and later. Support for Node.js v4 has been dropped. Since Node.js v6 supports ES5 features, the code has been rewritten in native ES5, and the dependence on Babel has been eliminated.

  • New: Support for Unicode 10 has been added.

  • New: The test framework has been migrated from Mocha to Tap.

  • New: The browser build at dist/index.js is no longer minified by default. A minified version is available at dist/index.min.js. (#181)

  • Fix: The warning has been made clearer when line and paragraph separators are

... (truncated)

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

v2.2.0 [code, diff]

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

  • Fix: Bump minimist to v1.2.5. (#222)

v2.1.1 [code, diff]

... (truncated)

Commits
  • c3a7524 2.2.3
  • 94fd06d docs: update CHANGELOG for v2.2.3
  • 3b8cebf docs(security): use GitHub security advisories
  • f0fd9e1 docs: publish a security policy
  • 6a91a05 docs(template): bug -> bug report
  • 14f8cb1 2.2.2
  • 10cc7ca docs: update CHANGELOG for v2.2.2
  • 7774c10 fix: add __proto__ to objects and arrays
  • edde30a Readme: slight tweak to intro
  • 97286f8 Improve example in readme
  • Additional commits viewable in compare view

Updates cookie from 0.4.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

  • Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

  • Allow leading dot for domain (#174)
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

  • Add partitioned option

0.5.0

  • Add priority option
  • Fix expires option to reject invalid dates
  • perf: improve default decode speed
  • perf: remove slow string split in parse

0.4.2

  • perf: read value only when assigning in parse
  • perf: remove unnecessary regexp in parse

0.4.1

  • Fix maxAge option to reject invalid values
Commits
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.


Updates node-fetch from 1.7.3 to 2.7.0

Release notes

Sourced from node-fetch's releases.

v2.7.0

2.7.0 (2023-08-23)

Features

v2.6.13

2.6.13 (2023-08-18)

Bug Fixes

v2.6.12

2.6.12 (2023-06-29)

Bug Fixes

v2.6.11

2.6.11 (2023-05-09)

Reverts

v2.6.10

2.6.10 (2023-05-08)

Bug Fixes

v2.6.9

2.6.9 (2023-01-30)

Bug Fixes

v2.6.8

2.6.8 (2023-01-13)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by node-fetch-bot, a new releaser for node-fetch since your current version.

Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Updates yargs-parser from 9.0.2 to 11.1.1

Changelog

Sourced from yargs-parser's changelog.

11.1.1 (2018-11-19)

Bug Fixes

  • ensure empty string is added into argv._ (#140) (79cda98)

Reverts

  • make requiresArg work in conjunction with arrays (#136) (f4a3063)

11.1.0 (2018-11-10)

Bug Fixes

Features

  • add halt-at-non-option configuration option (#130) (a849fce)

11.0.0 (2018-10-06)

Bug Fixes

  • flatten-duplicate-arrays:false for more than 2 arrays (#128) (2bc395f)
  • hyphenated flags combined with dot notation broke parsing (#131) (dc788da)
  • make requiresArg work in conjunction with arrays (#136) (77ae1d4)

Chores

Features

  • also add camelCase array options (#125) (08c0117)
  • array.type can now be provided, supporting coercion (#132) (4b8cfce)

... (truncated)

Commits
  • ee122f8 chore(release): 11.1.1
  • 79cda98 fix: ensure empty string is added into argv._ (#140)
  • 1c5d556 test: add test for config object priority (#149)
  • f4a3063 revert: make requiresArg work in conjunction with arrays (#136)
  • 1eb726b chore(release): 11.1.0
  • f94e536 chore: switch to Travis for Windows tests (#147)
  • a849fce feat: add halt-at-non-option configuration option (#130)
  • ee56e31 fix: handling of one char alias (#139)
  • 68dd3a1 chore(release): 11.0.0
  • 4b8cfce feat: array.type can now be provided, supporting coercion (#132)
  • Additional commits viewable in compare view

Updates jose from 1.28.2 to 4.15.9

Release notes

Sourced from jose's releases.

v4.15.9

Fixes

  • add sideEffects:false to nested ESM package.json files (17eef5f)

v4.15.7

Fixes

  • add a workerd package.json target (e36d69e)

v4.15.5

Fixes

v4.15.4

Fixes

v4.15.3

This release contains only Node.js CITGM related test updates.

Fixes nodejs/citgm#1011

v4.15.2

Fixes

  • build: add a node target for jose-browser-runtime releases (abb63d0)

v4.15.1

Fixes

  • resolve missing types for the cryptoRuntime const (1627965)

v4.15.0

Features

  • export the used crypto runtime as a constant (0681dda)

v4.14.6

Fixes

  • build: publish bundle and umd files with jose-browser-runtime module (62fcbcc), closes #571

v4.14.5

Refactor

  • catch type error when decoding base64url signature (#569) (935e920)
  • catch type errors when decoding various base64url strings (9024e87)

... (truncated)

Changelog

Sourced from jose's changelog.

4.15.9 (2024-07-03)

4.15.8 (2024-07-03)

Fixes

  • add sideEffects:false to nested ESM package.json files (17eef5f)

4.15.7 (2024-06-18)

4.15.6 (2024-06-18)

Fixes

  • add a workerd package.json target (e36d69e)

4.15.5 (2024-03-07)

Fixes

  • add a maxOutputLength option to zlib inflate (1b91d88)

4.15.4 (2023-10-14)

Fixes

4.15.3 (2023-10-11)

4.15.2 (2023-10-04)

Fixes

  • build: add a node target for jose-browser-runtime releases (abb63d0)

4.15.1 (2023-10-02)

Fixes

  • resolve missing types for the cryptoRuntime const (1627965)

4.15.0 (2023-10-02)

... (truncated)

Commits
  • 051a18e chore(release): 4.15.9
  • 13b10dd chore(release): 4.15.8
  • 17eef5f fix: add sideEffects:false to nested ESM package.json files
  • 5084808 chore(release): 4.15.7
  • 122c939 chore(release): 4.15.6
  • e36d69e fix: add a workerd package.json target
  • 765aafd chore(release): 4.15.5
  • b36e45e test: add export check to x509 pem import tests
  • e839ecb test: stop testing JWE RSA1_5 Algorithm
  • 1b91d88 fix: add a maxOutputLength option to zlib inflate
  • Additional commits viewable in compare view

Updates tough-cookie from 2.5.0 to 6.0.0

Release notes

Sourced from tough-cookie's releases.

v6.0.0

Summary

Breaking Changes

  • Localhost connections over http will now be considered secure by default. For more information, see the README documentation and API Docs for how to configure this feature.

Other Notable Changes

  • Dual publishing of ESM+CJS

What's Changed

New Contributors

Full Changelog: salesforce/tough-cookie@v5.1.2...v6.0.0

v5.1.2

What's Changed

Full Changelog: salesforce/tough-cookie@v5.1.1...v5.1.2

... (truncated)

Commits
  • 62be1e4 Prepare v6 (#538)
  • 5e2cf1c Support publishing of both ESM and CJS (#536)
  • d0c0ee8 Bump the dev-dependencies group with 8 updates (#537)
  • 98c7726 6.0.0-rc.1 (#535)
  • c024d1d Reverts the check on the Secure attribute when setting a cookie (#534)
  • 6d729f9 Bump the dev-dependencies group with 12 updates (#531)
  • eb872bf chore(deps): bump tldts in the production-dependencies group (#532)
  • e0a859d Bump tldts from 7.0.8 to 7.0.9 in the production-dependencies group (#530)
  • 25e3e46 Create CONTRIBUTING.md (#526)
  • 27582e8 Bump tldts from 7.0.5 to 7.0.8 in the production-dependencies group (#524)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ccasey, a new releaser for tough-cookie since your current version.


Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

What's Changed

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Mar 12, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-7ebfb0dc99 branch from 49ece6e to eb10582 Compare March 16, 2026 11:55
Bumps the npm_and_yarn group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@okta/oidc-middleware](https://github.com/okta/okta-oidc-middleware) | `4.5.1` | `5.0.0` |
| [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) | `8.5.1` | `9.0.0` |
| [redis](https://github.com/redis/node-redis) | `2.8.0` | `5.11.0` |
| [json5](https://github.com/json5/json5) | `0.5.1` | `2.2.3` |
| [cookie](https://github.com/jshttp/cookie) | `0.4.0` | `0.7.2` |
| [node-fetch](https://github.com/node-fetch/node-fetch) | `1.7.3` | `2.7.0` |
| [on-headers](https://github.com/jshttp/on-headers) | `1.0.2` | `1.1.0` |
| [tmp](https://github.com/raszi/node-tmp) | `0.0.33` | `removed` |



Updates `@okta/oidc-middleware` from 4.5.1 to 5.0.0
- [Release notes](https://github.com/okta/okta-oidc-middleware/releases)
- [Changelog](https://github.com/okta/okta-oidc-middleware/blob/master/CHANGELOG.md)
- [Commits](okta/okta-oidc-middleware@okta-oidc-middleware-4.5.1...okta-oidc-middleware-5.0.0)

Updates `jsonwebtoken` from 8.5.1 to 9.0.0
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0)

Updates `redis` from 2.8.0 to 5.11.0
- [Release notes](https://github.com/redis/node-redis/releases)
- [Changelog](https://github.com/redis/node-redis/blob/master/CHANGELOG.md)
- [Commits](https://github.com/redis/node-redis/compare/v.2.8.0...redis@5.11.0)

Updates `json5` from 0.5.1 to 2.2.3
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v0.5.1...v2.2.3)

Updates `cookie` from 0.4.0 to 0.7.2
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Commits](jshttp/cookie@v0.4.0...v0.7.2)

Updates `node-fetch` from 1.7.3 to 2.7.0
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](node-fetch/node-fetch@1.7.3...v2.7.0)

Updates `yargs-parser` from 9.0.2 to 11.1.1
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/v11.1.1/CHANGELOG.md)
- [Commits](yargs/yargs-parser@v9.0.2...v11.1.1)

Updates `jose` from 1.28.2 to 4.15.9
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/v4.15.9/CHANGELOG.md)
- [Commits](panva/jose@v1.28.2...v4.15.9)

Updates `tough-cookie` from 2.5.0 to 6.0.0
- [Release notes](https://github.com/salesforce/tough-cookie/releases)
- [Changelog](https://github.com/salesforce/tough-cookie/blob/master/CHANGELOG.md)
- [Commits](salesforce/tough-cookie@v2.5.0...v6.0.0)

Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](jshttp/on-headers@v1.0.2...v1.1.0)

Updates `passport` from 0.4.1 to 0.7.0
- [Changelog](https://github.com/jaredhanson/passport/blob/master/CHANGELOG.md)
- [Commits](jaredhanson/passport@v0.4.1...v0.7.0)

Removes `tmp`

---
updated-dependencies:
- dependency-name: "@okta/oidc-middleware"
  dependency-version: 5.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: jsonwebtoken
  dependency-version: 9.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: redis
  dependency-version: 5.11.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: json5
  dependency-version: 2.2.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cookie
  dependency-version: 0.7.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-fetch
  dependency-version: 2.7.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yargs-parser
  dependency-version: 11.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jose
  dependency-version: 4.15.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tough-cookie
  dependency-version: 6.0.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: on-headers
  dependency-version: 1.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: passport
  dependency-version: 0.7.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tmp
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-7ebfb0dc99 branch from eb10582 to bd9ca73 Compare March 17, 2026 17:23