Skip to content

⬆️(deps): Bump the npm-major group with 2 updates#2164

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm-major-cec34e0cfa
Open

⬆️(deps): Bump the npm-major group with 2 updates#2164
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/npm-major-cec34e0cfa

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 22, 2026

Bumps the npm-major group with 2 updates: express and jose.

Updates express from 4.22.2 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0

... (truncated)

Commits

Updates jose from 5.10.0 to 6.2.3

Release notes

Sourced from jose's releases.

v6.2.3

Refactor

  • cleanly reject invalid PBES2 p2c (0cdb851)

v6.2.2

Fixes

  • reject failed decompression with JWEInvalid error (043b181)

v6.2.1

Refactor

  • reorganize internals, less files, smaller footprint (d4231f9)

v6.2.0

Features

  • re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

  • clarify return of general jws and jwe (56682b4)

v6.1.3

Refactor

  • avoid export * as for google closure's compiler sake (6303d98), closes #832

v6.1.2

Refactor

v6.1.1

Documentation

  • add link to RFC9864 (767edde)
  • link to ML-DSA for JOSE (ed4252c)
  • remove mention of Edge Runtime from the readme (94fdde7)
  • update README.md (25098ef)

Refactor

  • eliminate named exports in the source code (f6ae30d)
  • expose setKeyManagementParameters also on a GeneralEncrypt Recipient (16e6b23)
  • faster path for symmetric key checks (a44c2ec)
  • improve en/decoding overheads (daee426)

... (truncated)

Changelog

Sourced from jose's changelog.

6.2.3 (2026-04-27)

Refactor

  • cleanly reject invalid PBES2 p2c (0cdb851)

6.2.2 (2026-03-18)

Fixes

  • reject failed decompression with JWEInvalid error (043b181)

6.2.1 (2026-03-09)

Refactor

  • reorganize internals, less files, smaller footprint (d4231f9)

6.2.0 (2026-03-05)

Features

  • re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

  • clarify return of general jws and jwe (56682b4)

6.1.3 (2025-12-02)

Refactor

  • avoid export * as for google closure's compiler sake (6303d98), closes #832

6.1.2 (2025-11-15)

Refactor

6.1.1 (2025-11-09)

... (truncated)

Commits
  • 41ad7e9 chore(release): 6.2.3
  • 988e90f chore: account for commit-and-tag-version instead of standard-version
  • 4b24656 chore: update CHANGELOG.md header
  • 0cdb851 refactor: cleanly reject invalid PBES2 p2c
  • a0b261e test: update Bun expectations
  • b39dc1a chore: use fs.globSync
  • 0675be1 build: replace rollup umd build with a custom esbuild iife wrap
  • 9b03323 chore: bump packages
  • 914b73d chore(deps-dev): bump lodash
  • 9dce817 chore: bump packages
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for jose since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
⬆️(deps): Bump the npm-major group with 2 updates
428ea96 
Bumps the npm-major group with 2 updates: [express](https://github.com/expressjs/express) and [jose](https://github.com/panva/jose).


Updates `express` from 4.22.2 to 5.2.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@v4.22.2...v5.2.1)

Updates `jose` from 5.10.0 to 6.2.3
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md)
- [Commits](panva/jose@v5.10.0...v6.2.3)

---
updated-dependencies:
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
- dependency-name: jose
  dependency-version: 6.2.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 22, 2026

Assignees

The following users could not be added as assignees: Lissy93. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: 📦 Dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from lissy93 as a code owner May 22, 2026 09:35
@netlify
Copy link
Copy Markdown

netlify Bot commented May 22, 2026
edited
Loading

Deploy Preview for dashy-dev ready!

Name Link
🔨 Latest commit 428ea96
🔍 Latest deploy log https://app.netlify.com/projects/dashy-dev/deploys/6a1023684cf28a0008f6f66b
😎 Deploy Preview https://deploy-preview-2164--dashy-dev.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lissy93 lissy93 Awaiting requested review from lissy93 lissy93 is a code owner

Assignees

@lissy93 lissy93

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lissy93