build(deps): bump the npm_and_yarn group across 10 directories with 11 updates by dependabot[bot] · Pull Request #205 · SvenFinn/displaycontroller

dependabot · 2026-03-22T21:08:24Z

Bumps the npm_and_yarn group with 6 updates in the /frontend directory:

Package	From	To
next	`15.5.3`	`15.5.14`
ajv	`6.12.6`	`6.14.0`
lodash	`4.17.21`	`4.17.23`
serialize-javascript	`6.0.2`	`removed`
socket.io-parser	`4.2.4`	`4.2.6`
webpack	`5.101.0`	`5.105.4`

Bumps the npm_and_yarn group with 1 update in the /ranges/merge directory: body-parser.
Bumps the npm_and_yarn group with 2 updates in the /ranges/types directory: lodash and tmp.
Bumps the npm_and_yarn group with 2 updates in the /screens/evaluations directory: body-parser and express-rate-limit.
Bumps the npm_and_yarn group with 2 updates in the /screens/images directory: body-parser and express-rate-limit.
Bumps the npm_and_yarn group with 1 update in the /screens/screenCast directory: socket.io-parser.
Bumps the npm_and_yarn group with 1 update in the /screens/screenManager directory: body-parser.
Bumps the npm_and_yarn group with 1 update in the /screens/types directory: lodash.
Bumps the npm_and_yarn group with 1 update in the /serverState directory: body-parser.
Bumps the npm_and_yarn group with 1 update in the /utils/recorder directory: minimatch.

Updates next from 15.5.3 to 15.5.14

Release notes

Sourced from next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)

Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @styfle and @lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @ztanner for helping!

v15.5.12

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

Tracing: Fix memory leak in span map (#85529)

fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#89134)

Turbopack: fix NFT tracing of sharp 0.34 (#82340)

Turbopack: support pattern into exports field (#82757)

NFT tracing fixes (#84155 and #85323)

Turbopack: validate CSS without computing all paths (#83810)

feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#89129)

Credits

Huge thanks to @timneutkens, @mischnic, @ztanner, and @wyattjoh for helping!

Commits

d7b012d v15.5.14
2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
cfd5f53 v15.5.13
15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
d23f41c v15.5.12
8e75765 fix unlock in publish-native
6cef992 [backport] normalize CRLF line endings in jscodeshift tests on Windows (#8800...
7a94645 Apply needs for publishRelease
bbfd4e3 v15.5.11
Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Commits

e3af0a7 6.14.0
b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
72f2286 docs: update v7 info
231e52b Merge pull request #1320 from philsturgeon/patch-1
d3475fc Add spectral, an AJV util from a sponsor
413afe0 docs: v7.0.0-beta.3
11e997b update readme for v7
See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Removes serialize-javascript

Updates socket.io-parser from 4.2.4 to 4.2.6

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

Commits

522edcd chore(release): socket.io-parser@4.2.6
3fff7ca fix(parser): add a limit to the number of binary attachments
37aad11 fix: cleanup pending acks on timeout to prevent memory leak
ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
84c2fb7 chore(release): engine.io@6.6.6
07cbe15 fix(eio): add @types/ws as dependency (#5458)
44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
74599a6 fix(types): properly import http module
d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for socket.io-parser since your current version.

Updates webpack from 5.101.0 to 5.105.4

Release notes

Sourced from webpack's releases.

v5.105.4

Patch Changes

Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @xiaoxiaojx in #20546)

Handle createRequire in expressions. (by @alexander-akait in #20549)

Fixed types for multi stats. (by @alexander-akait in #20556)

Remove empty needless js output for normal css module. (by @JSerFeng in #20162)

Update enhanced-resolve to support new features for tsconfig.json. (by @alexander-akait in #20555)

Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @hai-x in #20561)

v5.105.3

Patch Changes

Context modules now handle rejections correctly. (by @alexander-akait in #20455)

Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @hai-x in #20535)

Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @hai-x in #20463)

Fixed HMR failure for CSS modules with @import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @import CSS to work correctly during hot module replacement. (by @xiaoxiaojx in #20514)

Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @xiaoxiaojx in #20454)

Do not crash when a referenced chunk is not a runtime chunk. (by @alexander-akait in #20461)

Fix some types. (by @alexander-akait in #20412)

Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @hai-x in #20510)

Added createRequire support for ECMA modules. (by @stefanbinoj in #20497)

Added category for CJS reexport dependency to fix issues with ECMA modules. (by @hai-x in #20444)

Implement immutable bytes for bytes import attribute to match tc39 spec. (by @alexander-akait in #20481)

Fixed deterministic search for graph roots regardless of edge order. (by @veeceey in #20452)

v5.105.2

Patch Changes

Fixed WebpackPluginInstance type regression. (by @alexander-akait in #20440)

v5.105.1

Patch Changes

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.4

Patch Changes

Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @xiaoxiaojx in #20546)

Handle createRequire in expressions. (by @alexander-akait in #20549)

Fixed types for multi stats. (by @alexander-akait in #20556)

Remove empty needless js output for normal css module. (by @JSerFeng in #20162)

Update enhanced-resolve to support new features for tsconfig.json. (by @alexander-akait in #20555)

Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @hai-x in #20561)

5.105.3

Patch Changes

Context modules now handle rejections correctly. (by @alexander-akait in #20455)

Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @hai-x in #20535)

Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @hai-x in #20463)

Fixed HMR failure for CSS modules with @import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @import CSS to work correctly during hot module replacement. (by @xiaoxiaojx in #20514)

Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @xiaoxiaojx in #20454)

Do not crash when a referenced chunk is not a runtime chunk. (by @alexander-akait in #20461)

Fix some types. (by @alexander-akait in #20412)

Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @hai-x in #20510)

Added createRequire support for ECMA modules. (by @stefanbinoj in #20497)

Added category for CJS reexport dependency to fix issues with ECMA modules. (by @hai-x in #20444)

Implement immutable bytes for bytes import attribute to match tc39 spec. (by @alexander-akait in #20481)

Fixed deterministic search for graph roots regardless of edge order. (by @veeceey in #20452)

5.105.2

Patch Changes

Fixed WebpackPluginInstance type regression. (by @alexander-akait in #20440)

... (truncated)

Commits

27c13b4 chore(release): new release (#20550)
9b2f41e chore: bump terser plugin (#20569)
eafe060 fix: narrow the export presence guard detection (#20561)
75d605c refactor: add AppendOnlyStackedSet iteration support and tests (#20560)
afa607d refactor: remove unused code (#20562)
4098902 test: add source files for web-webworker and web-webworker-auto-public-path (...
f97be67 refactor: fix duplicated word in Compilation JSDoc (#20547)
9d76fff refactor: add Module.getSourceBasicTypes for basic JS type detection (#20546)
a3d7839 fix: types for multi stats (#20556)
b8e9b05 fix: update enhanced-resolve to support new features for tsconfig.json (#...
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.

Updates body-parser from 2.2.0 to 2.2.2

Release notes

Sourced from body-parser's releases.

v2.2.2

What's Changed

docs: update README links by @efekrskl in expressjs/body-parser#673

docs: release notes for the v1.20.4 release by @Phillip9587 in expressjs/body-parser#674

docs: update URL-encoded parser description to include ISO-8859-1 encoding support by @Phillip9587 in expressjs/body-parser#679

docs: use standard jsdoc tags everywhere by @Phillip9587 in expressjs/body-parser#677

deps: qs@^6.14.1 by @UlisesGascon in expressjs/body-parser#689

refactor(json): simplify strict mode error string construction by @jonchurch in expressjs/body-parser#693

Release: 2.2.2 by @UlisesGascon in expressjs/body-parser#691

New Contributors

@efekrskl made their first contribution in expressjs/body-parser#673

Full Changelog: expressjs/body-parser@v2.2.1...v2.2.2

v2.2.1

Important: Security

Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

ci: add dependabot by @Phillip9587 in expressjs/body-parser#593

ci: use full SHAs for github action versions by @Phillip9587 in expressjs/body-parser#594

deps: type-is@^2.0.1 by @Phillip9587 in expressjs/body-parser#599

build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in expressjs/body-parser#609

build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @dependabot[bot] in expressjs/body-parser#610

build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @dependabot[bot] in expressjs/body-parser#611

build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @dependabot[bot] in expressjs/body-parser#613

build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @dependabot[bot] in expressjs/body-parser#612

ci: add codeql github workflows scanning by @Phillip9587 in expressjs/body-parser#614

ci: update CodeQL config to ignore the test directory by @Phillip9587 in expressjs/body-parser#615

build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in expressjs/body-parser#620

build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot[bot] in expressjs/body-parser#619

chore(deps): unpin devDependencies by @Phillip9587 in expressjs/body-parser#616

ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/body-parser#621

build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in expressjs/body-parser#623

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in expressjs/body-parser#624

chore: add funding to package.json by @Phillip9587 in expressjs/body-parser#617

build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in expressjs/body-parser#625

build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in expressjs/body-parser#630

refactor: move common request validation to read function by @Phillip9587 in expressjs/body-parser#600

deps: bump iconv-lite by @bjohansebas in expressjs/body-parser#631

doc: pull beta changelog forward into 2.0.0 by @jonchurch in expressjs/body-parser#629

refactor: optimize raw and text parsers with shared passthrough function by @Phillip9587 in expressjs/body-parser#634

build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#640

build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in expressjs/body-parser#639

build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#636

build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#637

build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in expressjs/body-parser#638

deps: raw-body@^3.0.1 by @Phillip9587 in expressjs/body-parser#641

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.2 / 2026-01-07

deps: qs@^6.14.1

refactor(json): simplify strict mode error string construction

2.2.1 / 2025-11-24

Security fix for GHSA-wqch-xfxh-vrr4

deps:

type-is@^2.0.1

iconv-lite@^0.7.0

Handle split surrogate pairs when encoding UTF-8

Avoid false positives in encodingExists by using prototype-less objects

raw-body@^3.0.1

debug@^4.4.3

Commits

3d24866 2.2.2 (#691)
8474a98 refactor(json): simplify strict mode error string construction (#693)
03f17c2 deps: qs@^6.14.1 (#689)
ea1f25e docs: use standard jsdoc tags everywhere (#677)
d7deef8 docs: update URL-encoded parser description to include ISO-8859-1 encoding su...
b6f52aa docs: release notes for the v1.20.4 release (#674)
2965ca4 docs: update links (#673)
d96b63d 2.2.1 (#659)
b204886 sec: security patch for CVE-2025-13466
e20e351 feat: remove history.md from being packaged on publish (#660)
Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits

d9b4c66 v6.15.0
cb41a54 [New] parse: add strictMerge option to wrap object/primitive conflicts in...
88e1563 [Fix] duplicates option should not apply to bracket notation keys
9d441d2 Merge backport release tags v6.0.6–v6.13.3 into main
85cc8ca v6.12.5
ffc12aa v6.11.4
0506b11 [actions] update reusable workflows
6a37faf [actions] update reusable workflows
8e8df5a [Fix] fix regressions from robustness refactor
d60bab3 v6.10.7
Additional commits viewable in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Removes tmp

Updates body-parser from 2.2.0 to 2.2.2

Release notes

Sourced from body-parser's releases.

v2.2.2

What's Changed

docs: update README links by @efekrskl in expressjs/body-parser#673

docs: release notes for the v1.20.4 release by @Phillip9587 in expressjs/body-parser#674

docs: update URL-encoded parser description to include ISO-8859-1 encoding support by @Phillip9587 in expressjs/body-parser#679

docs: use standard jsdoc tags everywhere by @Phillip9587 in expressjs/body-parser#677

deps: qs@^6.14.1 by @UlisesGascon in expressjs/body-parser#689

refactor(json): simplify strict mode error string construction by @jonchurch in expressjs/body-parser#693

Release: 2.2.2 by @UlisesGascon in expressjs/body-parser#691

New Contributors

@efekrskl made their first contribution in expressjs/body-parser#673

Full Changelog: expressjs/body-parser@v2.2.1...v2.2.2

v2.2.1

Important: Security

Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

ci: add dependabot by @Phillip9587 in expressjs/body-parser#593

ci: use full SHAs for github action versions by @Phillip9587 in expressjs/body-parser#594

deps: type-is@^2.0.1 by @Phillip9587 in expressjs/body-parser#599

build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in expressjs/body-parser#609

build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @dependabot[bot] in expressjs/body-parser#610

build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @dependabot[bot] in expressjs/body-parser#611

build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @dependabot[bot] in expressjs/body-parser#613

build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @dependabot[bot] in expressjs/body-parser#612

ci: add codeql github workflows scanning by @Phillip9587 in expressjs/body-parser#614

ci: update CodeQL config to ignore the test directory by @Phillip9587 in expressjs/body-parser#615

build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in expressjs/body-parser#620

build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot[bot] in expressjs/body-parser#619

chore(deps): unpin devDependencies by @Phillip9587 in expressjs/body-parser#616

ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/body-parser#621

build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in expressjs/body-parser#623

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in expressjs/body-parser#624

chore: add funding to package.json by @Phillip9587 in expressjs/body-parser#617

build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in expressjs/body-parser#625

build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in expressjs/body-parser#630

refactor: move common request validation to read function by @Phillip9587 in expressjs/body-parser#600

deps: bump iconv-lite by @bjohansebas in expressjs/body-parser#631

doc: pull beta changelog forward into 2.0.0 by @jonchurch in expressjs/body-parser#629

refactor: optimize raw and text parsers with shared passthrough function by @Phillip9587 in expressjs/body-parser#634

build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#640

build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @dependabot[bot] in expressjs/body-parser#639

build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#636

build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @dependabot[bot] in expressjs/body-parser#637

build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @dependabot[bot] in expressjs/body-parser#638

deps: raw-body@^3.0.1 by @Phillip9587 in expressjs/body-parser#641

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.2 / 2026-01-07

deps: qs@^6.14.1

refactor(json): simplify strict mode error string construction

2.2.1 / 2025-11-24

Security fix for GHSA-wqch-xfxh-vrr4

deps:

type-is@^2.0.1

iconv-lite@^0.7.0

Handle split surrogate pairs when encoding UTF-8

Avoid false positives in encodingExists by using prototype-less objects

raw-body@^3.0.1

debug@^4.4.3

Commits

3d24866 2.2.2 (#691)
8474a98 refactor(json): simplify strict mode error string construction (#693)
03f17c2 deps: qs@^6.14.1 (#689)
ea1f25e docs: use standard jsdoc tags everywhere (#677)
d7deef8 docs: update URL-encoded parser description to include ISO-8859-1 encoding su...
b6f52aa docs: release notes for the v1.20.4 release (#674)
2965ca4 docs: update links (#673)
d96b63d 2.2.1 (#659)
b204886 sec: security patch for CVE-2025-13466
e20e351 feat: remove history.md from being packaged on publish (#660)
Additional commits viewable in compare view

Updates qs from 6.14.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)

[Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)

[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue

[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)

[Fix] parse: enforce arrayLimit on comma-parsed values

[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)

[Robustness] avoid .push, use void

[readme] document that addQueryPrefix does not add ? to empty output (#418)

[readme] clarify parseArrays and arrayLimit documentation (#543)

[readme] replace runkit CI badge with shields.io check-runs badge

[meta] fix changelog typo (arrayLength → arrayLimit)

[actions] fix rebase workflow permissions

6.14.1

[Fix] ensure arrayLimit applies to [] notation as well

[Fix] parse: when a custom decoder returns null for a key, ignore that key

[Refactor] parse: extract key segment splitting helper

[meta] add threat model

[actions] add workflow permissions

[Tests] stringify: increase coverage

[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Details

<...

Description has been truncated

…1 updates Bumps the npm_and_yarn group with 6 updates in the /frontend directory: | Package | From | To | | --- | --- | --- | | [next](https://github.com/vercel/next.js) | `15.5.3` | `15.5.14` | | [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [serialize-javascript](https://github.com/yahoo/serialize-javascript) | `6.0.2` | `removed` | | [socket.io-parser](https://github.com/socketio/socket.io) | `4.2.4` | `4.2.6` | | [webpack](https://github.com/webpack/webpack) | `5.101.0` | `5.105.4` | Bumps the npm_and_yarn group with 1 update in the /ranges/merge directory: [body-parser](https://github.com/expressjs/body-parser). Bumps the npm_and_yarn group with 2 updates in the /ranges/types directory: [lodash](https://github.com/lodash/lodash) and [tmp](https://github.com/raszi/node-tmp). Bumps the npm_and_yarn group with 2 updates in the /screens/evaluations directory: [body-parser](https://github.com/expressjs/body-parser) and [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit). Bumps the npm_and_yarn group with 2 updates in the /screens/images directory: [body-parser](https://github.com/expressjs/body-parser) and [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit). Bumps the npm_and_yarn group with 1 update in the /screens/screenCast directory: [socket.io-parser](https://github.com/socketio/socket.io). Bumps the npm_and_yarn group with 1 update in the /screens/screenManager directory: [body-parser](https://github.com/expressjs/body-parser). Bumps the npm_and_yarn group with 1 update in the /screens/types directory: [lodash](https://github.com/lodash/lodash). Bumps the npm_and_yarn group with 1 update in the /serverState directory: [body-parser](https://github.com/expressjs/body-parser). Bumps the npm_and_yarn group with 1 update in the /utils/recorder directory: [minimatch](https://github.com/isaacs/minimatch). Updates `next` from 15.5.3 to 15.5.14 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.3...v15.5.14) Updates `ajv` from 6.12.6 to 6.14.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v6.12.6...v6.14.0) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Removes `serialize-javascript` Updates `socket.io-parser` from 4.2.4 to 4.2.6 - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.4...socket.io-parser@4.2.6) Updates `webpack` from 5.101.0 to 5.105.4 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.101.0...v5.105.4) Updates `body-parser` from 2.2.0 to 2.2.2 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@v2.2.0...v2.2.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Removes `tmp` Updates `body-parser` from 2.2.0 to 2.2.2 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@v2.2.0...v2.2.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `express-rate-limit` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.1.0...v8.1.1) Updates `body-parser` from 2.2.0 to 2.2.2 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@v2.2.0...v2.2.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `express-rate-limit` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.1.0...v8.1.1) Updates `socket.io-parser` from 4.2.4 to 4.2.6 - [Release notes](https://github.com/socketio/socket.io/releases) - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md) - [Commits](https://github.com/socketio/socket.io/compare/socket.io-parser@4.2.4...socket.io-parser@4.2.6) Updates `body-parser` from 2.2.0 to 2.2.2 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@v2.2.0...v2.2.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `body-parser` from 2.2.0 to 2.2.2 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@v2.2.0...v2.2.2) Updates `qs` from 6.14.0 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.15.0) Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) --- updated-dependencies: - dependency-name: next dependency-version: 15.5.14 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 6.14.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serialize-javascript dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: socket.io-parser dependency-version: 4.2.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: webpack dependency-version: 5.105.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tmp dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express-rate-limit dependency-version: 8.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express-rate-limit dependency-version: 8.1.1 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: socket.io-parser dependency-version: 4.2.6 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 22, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the npm_and_yarn group across 10 directories with 11 updates#205

build(deps): bump the npm_and_yarn group across 10 directories with 11 updates#205
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/frontend/npm_and_yarn-3666e3bddd

dependabot bot commented on behalf of github Mar 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 22, 2026

v15.5.14

Core Changes

Credits

v15.5.13

Core Changes

Credits

v15.5.12

v15.5.11

Core Changes

Credits

socket.io-parser@4.2.6

Bug Fixes

socket.io-parser@4.2.5

v5.105.4

Patch Changes

v5.105.3

Patch Changes

v5.105.2

Patch Changes

v5.105.1

Patch Changes

5.105.4

Patch Changes

5.105.3

Patch Changes

5.105.2

Patch Changes

v2.2.2

What's Changed

New Contributors

v2.2.1

Important: Security

What's Changed

2.2.2 / 2026-01-07

2.2.1 / 2025-11-24

6.15.0

6.14.2

6.14.1

v2.2.2

What's Changed

New Contributors

v2.2.1

Important: Security

What's Changed

2.2.2 / 2026-01-07

2.2.1 / 2025-11-24

6.15.0

6.14.2

6.14.1

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants