build(deps): bump the npm_and_yarn group across 1 directory with 27 updates

[dependabot]

Bumps the npm_and_yarn group with 23 updates in the / directory:

Package	From	To
lodash	3.10.1	4.17.21
codecov	3.0.2	3.7.1
firebase	4.12.0	11.3.0
firebase-server	0.11.0	1.1.0
body-parser	1.18.2	1.20.3
express	4.16.2	4.21.2
qs	6.4.0	6.5.3
qs	6.5.1	6.5.3
qs	6.5.2	6.5.3
qs	6.2.1	6.5.3
browserify-sign	4.0.4	4.2.3
decode-uri-component	0.2.0	0.2.2
ejs	2.5.7	removed
webpack-bundle-analyzer	2.9.1	4.10.2
fsevents	1.1.3	1.2.13
json-schema	0.2.2	0.4.0
jsprim	1.4.1	1.4.2
jsprim	1.4.0	1.4.2
jsprim	1.3.0	1.4.2
handlebars	4.0.11	4.7.8
loader-utils	1.1.0	1.4.2
lodash.merge	4.6.0	4.6.2
y18n	3.2.1	3.2.2
parse-url	1.3.11	8.1.0
documentation	5.3.5	14.0.3
ua-parser-js	0.7.17	0.7.40
yargs-parser	7.0.0	removed
webpack	3.10.0	5.97.1

Updates lodash from 3.10.1 to 4.17.21

Release notes

Sourced from lodash's releases.

4.0.0

lodash v4.0.0

2015 was big year! Lodash became the most depended on npm package, passed 1 billion downloads, & its v3 release saw massive adoption!

The year was also one of collaboration, as discussions began on merging Lodash & Underscore. Much of Lodash v4 is proofing out the ideas from those discussions. Lodash v4 would not be possible without the collaboration & contributions of the Underscore core team. In the spirit of merging our teams have blended with several members contributing to both libraries.

For 2016 & lodash v4.0.0 we wanted to cut loose, push forward, & take things up a notch!

Modern only

With v4 we’re breaking free from old projects, old environments, & dropping old IE < 9 support!

4 kB Core

Lodash’s kitchen-sink size will continue to grow as new methods & functionality are added. However, we now offer a 4 kB (gzipped) core build that’s compatible with Backbone v1.2.4 for folks who want Lodash without lugging around the kitchen sink.

More ES6

We’ve continued to embrace ES6 with methods like _.isSymbol, added support for cloning & comparing array buffers, maps, sets, & symbols, converting iterators to arrays, & iterable _(…).

In addition, we’ve published an es-build & pulled babel-plugin-lodash into core to make tree-shaking a breeze.

More Modular

Pop quiz! 📣

What category path does the bindAll method belong to? Is it

A) require('lodash/function/bindAll') B) require('lodash/utility/bindAll') C) require('lodash/util/bindAll')

Don’t know? Well, with v4 it doesn’t matter because now module paths are as simple as

var bindAll = require('lodash/bindAll');

We’ve also reduced module complexity making it easier to create smaller bundles. This has helped Lodash adoption with libraries like Async & Redux!

1st Class FP

With v3 we introduced lodash-fp. We learned a lot & with v4 we decided to pull it into core.

Now you can get immutable, auto-curried, iteratee-first, data-last methods as simply as

var _ = require('lodash/fp');
var object = { 'a': 1 };
</tr></table> 

... (truncated)

Commits

• f299b52 Bump to v4.17.21
• c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
• 3469357 Prevent command injection through _.template's variable option
• ded9bc6 Bump to v4.17.20.
• 63150ef Documentation fixes.
• 00f0f62 test.js: Remove trailing comma.
• 846e434 Temporarily use a custom fork of lodash-cli.
• 5d046f3 Re-enable Travis tests on 4.17 branch.
• aa816b3 Remove /npm-package.
• d7fbc52 Bump to v4.17.19
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates codecov from 3.0.2 to 3.7.1

Release notes

Sourced from codecov's releases.

v3.6.4

Fix for Cirrus CI

v3.6.3

AWS Codebuild fixes + package updates

v3.6.2

command line args sanitised

v3.6.1

Fix for Semaphore

v3.6.0

AWS CodeBuild Semaphore v2

v3.3.0

Added pipe --pipe, -l

v3.1.0

Custom Yaml file Token from .codecov.yml

v3.0.4

Security fixes

v3.0.3

Fix for not git repos

Changelog

Sourced from codecov's changelog.

3.7.1

• Move to execFileSync and security fixes

3.7.0

• Remove the X-Amz-Acl: public-read header

3.6.4

• Fix Cirrus CI

3.6.3

• Fix for AWS Codebuild & package updates

3.6.2

• Command line args sanitized fix

3.6.1

• Fix for Semaphore

3.6.0

• Added AWS CodeBuild and Semaphore2

3.5.0

• Added TeamCity support

3.4.0

• Added Heroku CI support

3.3.0

• Added pipe with --pipe, -l

3.2.0

• Added azure pipelines .

3.1.0

• Custom yaml file. Allow codecov token from yml file.

3.0.4

... (truncated)

Commits

• 29dd5b6 3.7.1
• c0711c6 Switch from execSync to execFileSync (#180)
• 5f6cc62 Bump lodash from 4.17.15 to 4.17.19 (#183)
• 0c4d7f3 Merge pull request #182 from codecov/update-readme-badges
• cc5e121 Update depstat image and urls
• b44b44e Update readme with 400 error info (#181)
• bb79335 V3.7.0 (#179)
• 0d7b9b0 Remove 'x-amz-acl': 'public-read' header (#178)
• eeff4e1 Bump acorn from 5.7.3 to 5.7.4 (#174)
• eb8a527 Merge pull request #172 from RoboCafaz/bugfix/codebuild-pr-parser
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by drazisil, a new releaser for codecov since your current version.

Updates firebase from 4.12.0 to 11.3.0

Release notes

Sourced from firebase's releases.

firebase@11.3.0

For more detailed release notes, see Firebase JavaScript SDK Release Notes.

What's Changed

@​firebase/app@​0.11.0

Minor Changes

• 97d48c7 #8651 - FirebaseServerApp can now be initalized with an App Check token instead of invoking the App Check getToken method. This should unblock the use of App Check enforced products in SSR environments where the App Check SDK cannot be initialized.

Patch Changes

• dafae52 #8724 - Discard the earliest heartbeat once a limit of 30 heartbeats in storage has been hit.

@​firebase/auth@​1.9.0

Minor Changes

• 9d88e3a #8738 - Added ActionCodeSettings.linkDomain to customize the Firebase Hosting link domain that is used in mobile out-of-band email action flows. Also, deprecated ActionCodeSettings.dynamicLinkDomain.

Patch Changes

• 97d48c7 #8651 - FirebaseServerApp can now be initalized with an App Check token instead of invoking the App Check getToken method. This should unblock the use of App Check enforced products in SSR environments where the App Check SDK cannot be initialized.

@​firebase/auth-types@​0.13.0

Minor Changes

• 9d88e3a #8738 - Added ActionCodeSettings.linkDomain to customize the Firebase Hosting link domain that is used in mobile out-of-band email action flows. Also, deprecated ActionCodeSettings.dynamicLinkDomain.

@​firebase/data-connect@​0.3.0

Minor Changes

• 313faf6 #8749 - Add custom request headers based on the type of SDK (JS/TS, React, Angular, etc) that's invoking Data Connect requests. This will help us understand how users interact with Data Connect when using the Web SDK.

Patch Changes

• 97d48c7 #8651 - FirebaseServerApp can now be initalized with an App Check token instead of invoking the App Check getToken method. This should unblock the use of App Check enforced products in SSR environments where the App Check SDK cannot be initialized.

firebase@11.3.0

Minor Changes

... (truncated)

Commits

• 4e6a5c6 Version Packages (#8766)
• 8daf47f Merge main into release
• 5250e80 fix "TextEncoder undefined" issue in some platforms (#8765)
• 8a0fef2 Merge main into release
• 313faf6 Added more granular tracking for web frameworks
• 721e5a7 FIX: sort strings in UTF-8 encoded byte order (#8691)
• 9d88e3a Add ActionCodeSettings.linkDomain and deprecate ActionCodeSettings.dynamicLin...
• 2f92a74 Update dependencies in packages and repo-scripts (#8729)
• d1c6e31 Skip flaky auth recaptcha test (#8753)
• 82373b3 Give check-version job pull request write permissions (#8743)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for firebase since your current version.

Updates firebase-server from 0.11.0 to 1.1.0

Release notes

Sourced from firebase-server's releases.

1.1.0

• fix #136: upgrade targaryen to 3.1.0
• fix #142: respond with null instead of {} for empty path
• docs #140: Add global test hooks example to README.md
• chore(deps): upgrade ws to 7.x
• chore(deps): bump firebase from 6.0.1 to 7.2.3
• chore(deps): bump mixin-deep from 1.3.1 to 1.3.2
• chore(deps): bump handlebars from 4.0.11 to 4.5.1
• chore(deps): bump lodash from 4.17.10 to 4.17.13
• chore(deps): bump extend from 3.0.1 to 3.0.2
• chore(deps): bump js-yaml from 3.11.0 to 3.13.1

1.0.2

• fix #138: security vulnerability affecting jwt-simple package

1.0.1

• fix #133: cli package vulnerability

1.0.0

• chore: upgrade dependencies (lodash, debug), addresses CVE-2017-16137, CVE-2018-3721
• feat #130: add --version cli option

1.0.0-rc.2

• fix #123: Cannot run server v1.0.0-rc.1

1.0.0-rc.1

• docs: update usage example in README

1.0.0-rc.0

• Migrate project to TypeScript
• Drop node 6.x support
• Add address(), getPort() methods
• close() method now returns a promise
• Upgrade the Firebase JS Library to 5.x
• Upgrade the ws library to 5.x
• Split send payloads according to firebase's custom continuation format (#115, contributed by andrewparmet)
• Align 'now' in Targaryen with firebase-server time (#112, contributed by dotdoom)

Rest API Support

• REST API support (#95, contributed by p-salido)
• Daemonization option (#111, contributed by p-salido)

Changelog

Sourced from firebase-server's changelog.

1.1.0 - 2020-02-01

• fix #136: upgrade targaryen to 3.1.0
• fix #142: respond with null instead of {} for empty path
• docs #140: Add global test hooks example to README.md
• chore(deps): upgrade ws to 7.x
• chore(deps): bump firebase from 6.0.1 to 7.2.3
• chore(deps): bump mixin-deep from 1.3.1 to 1.3.2
• chore(deps): bump handlebars from 4.0.11 to 4.5.1
• chore(deps): bump lodash from 4.17.10 to 4.17.13
• chore(deps): bump extend from 3.0.1 to 3.0.2
• chore(deps): bump js-yaml from 3.11.0 to 3.13.1

1.0.2 - 2019-05-08

• fix #138: security vulnerability affecting jwt-simple package

1.0.1 - 2018-11-29

• fix #133: cli package vulnerability

1.0.0 - 2018-08-29

• chore: upgrade dependencies (lodash, debug), addresses CVE-2017-16137, CVE-2018-3721
• feat #130: add --version cli option

1.0.0-rc.2 - 2018-05-28

• fix #123: Cannot run server v1.0.0-rc.1

1.0.0-rc.1 - 2018-05-20

• docs: update usage example in README

1.0.0-rc.0 - 2018-05-20

• Migrate project to TypeScript
• Drop node 6.x support
• Add address(), getPort() methods
• close() method now returns a promise
• Upgrade the Firebase JS Library to 5.x
• Upgrade the ws library to 5.x
• Split send payloads according to firebase's custom continuation format (#115, contributed by andrewparmet)
• Align 'now' in Targaryen with firebase-server time (#112, contributed by dotdoom)

0.12.0 - 2017-11-16

• REST API support (#95, contributed by p-salido)
• Daemonization option (#111, contributed by p-salido)

Commits

• 287a1a8 chore: release 1.1.0
• bb8aad1 chore: upgrade targaryen to 3.1.0
• e34d087 chore: upgrade ws to 7.x
• 5134ab0 Merge pull request #143 from wyattisimo/empty-path-response
• 4a88eb3 Merge pull request #145 from urish/dependabot/npm_and_yarn/lodash-4.17.13
• dca3a8d Merge pull request #144 from urish/dependabot/npm_and_yarn/mixin-deep-1.3.2
• 62b4f15 Merge pull request #146 from urish/dependabot/npm_and_yarn/extend-3.0.2
• a4f3c99 Merge pull request #147 from urish/dependabot/npm_and_yarn/js-yaml-3.13.1
• 6161bd6 Merge pull request #148 from urish/dependabot/npm_and_yarn/handlebars-4.5.1
• a46301b chore(travis): build on node 12 but not 13
• Additional commits viewable in compare view

Updates ws from 1.1.1 to 3.3.3

Release notes

Sourced from ws's releases.

3.3.3

Bug fixes

• net.Socket errors are no longer swallowed (beff620).
• The status code and close reason are now always taken from the close frame if received (beff620).

3.3.2

Bug fixes

• The parser of the Sec-WebSocket-Extensions header has been rewritten to make it spec-compliant (#1240).

3.3.1

Bug fixes

• Fixed a DoS vulnerability (c4fe466).

A specially crafted value of the Sec-WebSocket-Extensions header that used Object.prototype property names as extension or parameter names could be used to make a ws server crash.

const WebSocket = require('ws');
const net = require('net');
const wss = new WebSocket.Server({ port: 3000 }, function () {
const payload = 'constructor';  // or ',;constructor'
const request = [
'GET / HTTP/1.1',
'Connection: Upgrade',
'Sec-WebSocket-Key: test',
'Sec-WebSocket-Version: 8',
Sec-WebSocket-Extensions: ${payload},
'Upgrade: websocket',
'\r\n'
].join('\r\n');
const socket = net.connect(3000, function () {
socket.resume();
socket.write(request);
});
});

The vulnerability has been privately reported by Nick Starke and Ryan Knell of Sonatype Security Research and promptly fixed. Please update now!

... (truncated)

Commits

• 157f58a [dist] 3.3.3
• 6a6ae04 [minor] Send the close status code only when necessary
• 85919f2 [doc] Remove duplicate 'is' (#1252)
• beff620 [fix] Use status code from close frame if received
• ae903b1 [doc] Fix rendering of history in SECURITY.md (#1250)
• ca76e58 chore(package): update eslint to version 4.13.0 (#1249)
• f6e5685 chore(package): update utf-8-validate to version 4.0.0 (#1247)
• b3bc7db [minor] Do not set allowHalfOpen to false
• a166af4 [test] Skip family test if localhost doesn't resolve to ::1 (#1246)
• 009d05c [test] Mark skipped tests as pending
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by lpinca, a new releaser for ws since your current version.

Updates body-parser from 1.18.2 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1 / 2022-10-06

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0 / 2022-04-02

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3
• deps: raw-body@2.5.1
  • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

• deps: bytes@3.1.2
• deps: qs@6.9.7
  • Fix handling of __proto__ keys
• deps: raw-body@2.4.3
  • deps: bytes@3.1.2

1.19.1 / 2021-12-10

... (truncated)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork
• ade0f3f add scorecard to readme (#531)
• 99a1bd6 deps: qs@6.12.3 (#521)
• 9478591 fix: pin to node@22.4.1
• 83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
• 9d4e212 chore: add support for OSSF scorecard reporting (#522)
• ee91374 1.20.2
• 368a93a Fix strict json error message on Node.js 19+
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.16.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)
• 59fc270 deps: path-to-regexp@0.1.11 (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates qs from 6.4.0 to 6.5.3

Changelog

Sourced from qs's changelog.

6.5.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
• [Fix] correctly parse nested arrays
• [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
• [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
• [Fix] when parseArrays is false, properly handle keys ending in []
• [Fix] fix for an impossible situation: when the formatter is called with a non-string value
• [Fix] utils.merge: avoid a crash with a null target and an array source
• [Refactor] utils: reduce observable [[Get]]s
• [Refactor] use cached Array.isArray
• [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
• [Refactor] parse: only need to reassign the var once
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
• [Docs] Clarify the need for "arrayLimit" option
• [meta] fix README.md (#399)
• [meta] add FUNDING.yml
• [actions] backport actions from main
• [Tests] always use String(x) over x.toString()
• [Tests] remove nonexistent tape option
• [Dev Deps] backport from main

6.5.2

• [Fix] use safer-buffer instead of Buffer constructor
• [Refactor] utils: module.exports one thing, instead of mutating exports (#230)
• [Dev Deps] update browserify, eslint, iconv-lite, safer-buffer, tape, browserify

6.5.1

• [Fix] Fix parsing & compacting very deep objects (#224)
• [Refactor] name utils functions
• [Dev Deps] update eslint, @ljharb/eslint-config, tape
• [Tests] up to node v8.4; use nvm install-latest-npm so newer npm doesn’t break older node
• [Tests] Use precise dist for Node.js 0.6 runtime (#225)
• [Tests] make 0.6 required, now that it’s passing
• [Tests] on node v8.2; fix npm on node 0.6

6.5.0

• [New] add utils.assign
• [New] pass default encoder/decoder to custom encoder/decoder functions (#206)
• [New] parse/stringify: add ignoreQueryPrefix/addQueryPrefix options, respectively (#213)
• [Fix] Handle stringifying empty objects with addQueryPrefix (#217)
• [Fix] do not mutate options argument (#207)
• [Refactor] parse: cache index to reuse in else statement (#182)
• [Docs] add various badges to readme (#208)
• [Dev Deps] update eslint, browserify, iconv-lite, tape
• [Tests] up to node v8.1, v7.10, v6.11; npm v4.6 breaks on node < v1; npm v5+ breaks on node < v4
• [Tests] add editorconfig-tools

... (truncated)

Commits

• 298bfa5 v6.5.3
• ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
• 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
• 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
• 12ac1c4 [meta] fix README.md (#399)
• 0338716 [actions] backport actions from main
• 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
• 51b8a0b add FUNDING.yml
• 45f6759 [Fix] fix for an impossible situation: when the formatter is called with a no...
• f814a7f [Dev Deps] backport from main
• Additional commits viewable in compare view

Updates qs from 6.5.1 to 6.5.3

Changelog

Sourced from qs's changelog.

6.5.3

• [Fix] parse: ignore __proto__ keys (#428)
• [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
• [Fix] correctly parse nested arrays
• [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
• [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
• [Fix] when parseArrays is false, properly handle keys ending in []
• [Fix] fix for an impossible situation: when the formatter is called with a non-string value
• [Fix] utils.merge: avoid a crash with a null target and an array source
• [Refactor] utils: reduce observable [[Get]]s
• [Refactor] use cached Array.isArray
• [Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
• [Refactor] parse: only need to reassign the var once
• [Robustness] stringify: avoid relying on a global undefined (#427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
• [Docs] Clarify the need for "arrayLimit" option
• [meta] fix README.md (#399)
• [meta] add FUNDING.yml
• [actions] backport actions from main
• [Tests] always use String(x) over x.toString()
• [Tests] remove nonexistent tape option
• [Dev Deps] backport from main

6.5.2

• [Fix] use safer-buffer instead of Buffer constructor
• [Refactor] utils: module.exports one thing, instead of mutating exports (#230)
• [Dev Deps] update browserify, eslint, iconv-lite, safer-buffer, tape, browserify

6.5.1

• [Fix] Fix parsing & compacting very deep objects (#224)
• [Refactor] name utils functions
• [Dev Deps] update eslint, @ljharb/eslint-config, tape
• [Tests] up to node v8.4; use nvm install-latest-npm so newer npm doesn’t break older node
• [Tests] Use precise dist for Node.js 0.6 runtime (#225)
• [Tests] make 0.6 required, now that it’s passing
• [Tests] on node v8.2; fix npm on node 0.6

6.5.0

• [New] add utils.assign
• [New] pass default encoder/decoder to custom encoder/decoder functions (#206)
• [New] parse/stringify: add ignoreQueryPrefix/addQueryPrefix options, respectively (#213)
• [Fix] Handle stringifying empty objects with addQueryPrefix (#217)
• [Fix] do not mutate options argument (#207)
• [Refactor] parse: cache index to reuse in else statement (#182)
• [Docs] add various badges to readme (#208)
• [Dev Deps] update eslint, browserify, iconv-lite, tape
• [Tests] up to node v8.1, v7.10, v6.11; npm v4.6 breaks on node < v1; npm v5+ breaks on node < v4
• [Tests] add editorconfig-tools

... (truncated)

Commits

• 298bfa5 v6.5.3
• ed0f5dc [Fix] parse: ignore __proto__ keys (#428)
• 691e739 [Robustness] stringify: avoid relying on a global undefined (#427)
• 1072d57 [readme] remove travis badge; add github actions/codecov badges; update URLs
• 12ac1c4 [meta] fix README.md (#399)
• 0338716 [actions] backport actions from main
• 5639c20 Clean up license text so it’s properly detected as BSD-3-Clause
• 51b8a0b add FUNDING.yml
• 45f6...

  Description has been truncated