Bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
jsonwebtoken	8.5.1	9.0.0
mysql2	2.3.3	3.9.8
sequelize	6.12.2	6.29.0
braces	3.0.2	3.0.3
dottie	2.0.2	2.0.6
es5-ext	0.10.53	0.10.64
got	9.6.0	removed
nodemon	2.0.15	2.0.22
tar	6.1.11	6.2.1

Updates jsonwebtoken from 8.5.1 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

Commits

• e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
• 5eaedbf chore(ci): remove github test actions job (#861)
• cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
• ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
• 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
• 7e6a86b Upload OpsLevel YAML (#849)
• 74d5719 docs: update references vercel/ms references (#770)
• d71e383 docs: document "invalid token" error
• 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
• a46097e docs: make decode impossible to discover before verify
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.

Updates mysql2 from 2.3.3 to 3.9.8

Release notes

Sourced from mysql2's releases.

v3.9.8

3.9.8 (2024-05-26)

Bug Fixes

• security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
• support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
• typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

v3.9.7

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection - report by zhaoyudi (Nebulalab) (#2608) (7d4b098)

v3.9.6

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

v3.9.5

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

v3.9.4

3.9.4 (2024-04-09)

Bug Fixes

• SSL: separate each certificate into an individual item #2542 (63f1055)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)
  • Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• security: improve results object creation (#2574) (4a964a3)
  • Fixes a potential Prototype Pollution attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• docs: improve the contribution guidelines (#2552) (8a818ce)

v3.9.3

3.9.3 (2024-03-26)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.9.8 (2024-05-26)

Bug Fixes

• security: sanitize fields and tables when using nestTables (#2702) (efe3db5)
• support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2704) (2e03694)
• typings: typo from jonServerPublicKey to onServerPublicKey (#2699) (8b5f691)

3.9.7 (2024-04-21)

Bug Fixes

• security: sanitize timezone parameter value to prevent code injection (#2608) (7d4b098)

3.9.6 (2024-04-18)

Bug Fixes

• binary parser sometimes reads out of packet bounds when results contain null and typecast is false (#2601) (705835d)

3.9.5 (2024-04-17)

Bug Fixes

• revert breaking change in results creation (#2591) (f7c60d0)

3.9.4 (2024-04-09)

Bug Fixes

• docs: improve the contribution guidelines (#2552) (8a818ce)
• security: improve results object creation (#2574) (4a964a3)
• security: improve supportBigNumbers and bigNumberStrings sanitization (#2572) (74abf9e)

3.9.3 (2024-03-26)

Bug Fixes

• security: improve cache key formation (#2424) (0d54b0c)
  • Fixes a potential parser cache poisoning attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
• update Amazon RDS SSL CA cert (#2131) (d9dccfd)

3.9.2 (2024-02-26)

... (truncated)

Commits

• f637d3f chore(master): release 3.9.8 (#2700)
• efe3db5 fix(security): sanitize fields and tables when using nestTables (#2702)
• 2e03694 fix: support deno + caching_sha2_password FULL_AUTHENTICATION_PACKET flow (#2...
• 8b5f691 fix(typings): typo from jonServerPublicKey to onServerPublicKey (#2699)
• 5c75802 build(deps-dev): bump tsx from 4.10.5 to 4.11.0 in /website (#2695)
• 179769f build(deps): bump @​easyops-cn/docusaurus-search-local in /website (#2696)
• 56289e2 build(deps-dev): bump poku from 1.12.1 to 1.13.0 (#2698)
• b029308 build(deps-dev): bump poku from 1.12.1 to 1.13.0 in /website (#2697)
• 539acb8 build(deps): bump lucide-react from 0.378.0 to 0.379.0 in /website (#2693)
• dc80580 build(deps-dev): bump @​typescript-eslint/eslint-plugin from 7.9.0 to 7.10.0 i...
• Additional commits viewable in compare view

Updates sequelize from 6.12.2 to 6.29.0

Release notes

Sourced from sequelize's releases.

v6.29.0

6.29.0 (2023-02-23)

Features

• throw an error if attribute includes parentheses (fixes CVE-2023-22578) (#15710) (d3f5b5a)

v6.28.2

6.28.2 (2023-02-22)

Bug Fixes

• accept undefined in where (#15703) (13f2e89)

v6.28.1

6.28.1 (2023-02-21)

Bug Fixes

• throw if where receives an invalid value (#15699) (d9e0728)
• update moment-timezone version (#15685) (48d6193)

v6.28.0

6.28.0 (2022-12-20)

Features

• types: use retry-as-promised types for retry options to match documentation (#15484) (fd4afa6)

v6.27.0

6.27.0 (2022-12-12)

Features

• add support for bigints (backport of #14485) (#15413) (1247c01)

v6.26.0

6.26.0 (2022-11-29)

Features

• postgres: add support for lock_timeout [#15345] (#15355) (94beace)

v6.25.8

... (truncated)

Commits

• d3f5b5a feat: throw an error if attribute includes parentheses (fixes CVE-2023-22578)...
• 53bd9b7 meta: fix null test getWhereConditions (#15705)
• 13f2e89 fix: accept undefined in where (#15703)
• d9e0728 fix: throw if where receives an invalid value (#15699)
• 48d6193 fix: update moment-timezone version (#15685)
• fd4afa6 feat(types): use retry-as-promised types for retry options to match documenta...
• 1247c01 feat: add support for bigints (backport of #14485) (#15413)
• 94beace feat(postgres): add support for lock_timeout #15345 (#15355)
• 7885000 fix(oracle): remove hardcoded maxRows value (#15323)
• bc39fd6 fix: fix parameters not being replaced when after $$ strings (#15307)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by sdepold, a new releaser for sequelize since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates dottie from 2.0.2 to 2.0.6

Release notes

Sourced from dottie's releases.

v2.0.3

null values can now be overriden thanks to @​slavivanov (mickhansen/dottie.js#37)

Commits

• 03d7ee7 2.0.6
• 0371a92 Bump minimatch and mocha (#38)
• 0715d4c 2.0.5
• 10e4b14 remove preventExtensions in transform()
• 0edfecf Bump pathval from 1.1.0 to 1.1.1 (#36)
• f840241 add maintenance notice
• b183fff remove mention of preventExtensions
• e0c8bae 2.0.4
• 7d3aee1 rudimentary proto guarding
• b48e227 add github action to run tests
• Additional commits viewable in compare view

Updates es5-ext from 0.10.53 to 0.10.64

Release notes

Sourced from es5-ext's releases.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

---

Comparison since last release

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

---

Comparison since last release

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

---

Comparison since last release

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

---

Comparison since last release

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

---

... (truncated)

Changelog

Sourced from es5-ext's changelog.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

0.10.59 (2022-03-17)

Maintenance Improvements

• Improve manifest wording (#122) (eb7ae59)
• Update data in manifest (3d2935a)

0.10.58 (2022-03-11)

... (truncated)

Commits

• f76b03d chore: Release v0.10.64
• 2881acd chore: Bump dependencies
• c2e2bb9 fix: Revert update meant to fix Powershell issue, as it's a regression
• 16f2b72 docs: Fix date in the changelog
• de4e03c chore: Release v0.10.63
• 3fd53b7 chore: Upgrade lint-staged to v13
• bf8ed79 chore: Ensure postinstall script does not crash on Windows
• 2cbbb07 chore: Bump dependencies
• 22d0416 chore: Bump LICENSE year
• a52e957 fix: Support ES2015+ function definitions in function#toStringTokens()
• Additional commits viewable in compare view

Removes got

Updates nodemon from 2.0.15 to 2.0.22

Release notes

Sourced from nodemon's releases.

v2.0.22

2.0.22 (2023-03-22)

Bug Fixes

• remove ts mapping if loader present (f7816e4), closes #2083

v2.0.21

2.0.21 (2023-03-02)

Bug Fixes

• remove ts mapping if loader present (1468397), closes #2083

v2.0.20

2.0.20 (2022-09-16)

Bug Fixes

• remove postinstall script (e099e91)

v2.0.19

2.0.19 (2022-07-05)

Bug Fixes

• Replace update notifier with simplified deps (#2033) (176c4a6), closes #1961 #2028

v2.0.18

2.0.18 (2022-06-23)

Bug Fixes

• revert update-notifier forcing esm (1b3bc8c)

v2.0.17

2.0.17 (2022-06-23)

Bug Fixes

• bump update-notifier to v6.0.0 (#2029) (0144e4f)
• update packge-lock (27e91c3)

v2.0.16

... (truncated)

Commits

• c971fdc Merge branch 'main' of github.com:remy/nodemon
• b9679a2 chore: supporters
• f7816e4 fix: remove ts mapping if loader present
• 9f3ffdb One more fix
• abc8522 Get rid of spawning shell windows if nodemon is started without console.
• b11ddd1 Merge branch 'main' of github.com:remy/nodemon
• 204af11 chore: missing supporters
• 1468397 fix: remove ts mapping if loader present
• 26b1f0f chore: add conventional commit check
• adaafa1 One more fix
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.2

Commits

• 699c459 3.1.2
• 2f2b5ff fix: trim pattern
• 25d7c0d 3.1.1
• 55dda29 fix: treat nocase:true as always having magic
• 5e1fb8d 3.1.0
• f8145c5 Add 'allowWindowsEscape' option
• 570e8b1 add publishConfig for v3 publishes
• 5b7cd33 3.0.6
• 20b4b56 [fix] revert all breaking syntax changes
• 2ff0388 document, expose, and test 'partial:true' option
• Additional commits viewable in compare view

Updates moment from 2.29.1 to 2.30.1

Changelog

Sourced from moment's changelog.

2.30.1

• Release Dec 27, 2023
• Revert moment/moment#5827, because it's breaking a lot of TS code.

2.30.0 Full changelog

• Release Dec 26, 2023

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

2.29.2 See full changelog

• Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

Commits

• 485d9a7 Build 2.30.1
• e048b09 Bump version to 2.30.1
• f9f2d58 Update changelog for 2.30.1
• a52ffb2 Revert "Merge pull request #5827 from BobZombie:feature/fix_d.ts"
• ddd6809 Build 2.30.0
• be64d00 Bump version to 2.30.0
• ad41179 Update changelog for 2.30.0
• 63fe479 [misc] Make code ES6 compatible
• 0f0195f Revert "Merge pull request #5599 from Alanscut:issue_4985"
• 15b82f5 Revert "Merge pull request #5597 from Alanscut:issue-5596"
• Additional commits viewable in compare view

Updates moment-timezone from 0.5.34 to 0.5.45

Release notes

Sourced from moment-timezone's releases.

Release 0.5.45

• Updated data to IANA TZDB 2024a.

Release 0.5.44

• Updated data to IANA TZDB 2023d.
• Fixed .valueOf() to return NaN for invalid zoned objects (matching default moment) #1082.
• Performance improvements:
  • Use binary search when looking up zone information #720.
  • Avoid redundant checks in tz.guess().
  • Avoid redundant getZone() calls in .tz().

Release 0.5.43

* Updated data to IANA TZDB 2023c

Release 0.5.42

• Updated data to IANA TZDB 2023b

Release 0.5.41

• Updated moment npm dependency to 2.29.4 to remove automated warnings about insecure dependencies #1004. Moment Timezone still works with core Moment 2.9.0 and higher.
• Updated all dev dependencies including UglifyJS, which produces the minified builds.
• Added deprecation warning to the pre-built moment-timezone-with-data-2012-2022 bundles #1035. Use the rolling moment-timezone-with-data-10-year-range files instead.

Release 0.5.40

• Updated data to IANA TZDB 2022g

Release 0.5.39

• Updated data to IANA TZDB 2022f

Release 0.5.38

• Updated data to IANA TZDB 2022e
• Added moment.tz.dataVersion property to TypeScript definitions #930
• Removed temporary .tar.gz files from npm releases #1000

Release 0.5.37

• Re-publish npm package, because of extra folder present in 0.5.36, check moment/moment-timezone#999

Release 0.5.36

• Updated data to IANA TZDB 2022c
• Improvements/fixes to data pipeline

Release 0.5.35

• Fix command injection in data pipeline GHSA-56x4-j7p9-fcf9
• Fix cleartext transmission of sensitive information GHSA-v78c-4p63-2j6c

Thanks to the OpenSSF Alpha-Omega project for reporting these!

Changelog

Sourced from moment-timezone's changelog.

0.5.45 2024-02-04

• Updated data to IANA TZDB 2024a.

0.5.44 2023-12-29

• Updated data to IANA TZDB 2023d.
• Fixed .valueOf() to return NaN for invalid zoned objects (matching default moment) #1082.
• Performance improvements:
  • Use binary search when looking up zone information #720.
  • Avoid redundant checks in tz.guess().
  • Avoid redundant getZone() calls in .tz().

0.5.43 2023-03-31

• Updated data to IANA TZDB 2023c

0.5.42 2023-03-24

• Updated data to IANA TZDB 2023b

0.5.41 2023-02-25

• Updated moment npm dependency to 2.29.4 to remove automated warnings about insecure dependencies. Moment Timezone still works with core Moment 2.9.0 and higher.
• Updated all dev dependencies including UglifyJS, which produces the minified builds.
• Added deprecation warning to the pre-built moment-timezone-with-data-2012-2022 bundles #1035. Use the rolling moment-timezone-with-data-10-year-range files instead.

0.5.40 2022-12-11

• Updated data to IANA TZDB 2022g

0.5.39 2022-11-13

• Updated data to IANA TZDB 2022f

0.5.38 2022-10-15

• Updated data to IANA TZDB 2022e
• Added moment.tz.dataVersion property to TypeScript definitions #930
• Removed temporary .tar.gz files from npm releases #1000

0.5.37 2022-08-25

• Re-publish npm package, because of extra folder present in 0.5.36, check moment/moment-timezone#999

0.5.36 2022-08-25

• IANA TZDB 2022c
• improvements/fixes to data pipeline

0.5.35 2022-08-23

• Fix command injection in data pipeline GHSA-56x4-j7p9-fcf9
• Fix cleartext transmission of sensitive information GHSA-v78c-4p63-2j6c

Thanks to the OpenSSF Alpha-Omega project for reporting these!

Commits

• 16157c7 Build moment-timezone 0.5.45
• 2d2b9a3 Bump version to 0.5.45
• 0a32e82 ci: Update to latest version of all actions
• 253bb00 Add editorconfig file for consistent indentation
• 526030f docs: Clarify data update PRs in contributing guide
• 6c31d29 Merge pull request #1095 from moment/automated/data-update
• 4d6bced ci: Force running tests after updating data files
• a276881 data: Add 2024a
• ba275d2 ci: Allow downloading tzcode archive as well as tzdata
• 6bf33a2 build(deps): bump @​babel/traverse from 7.17.3 to 7.23.2 (#1094)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by gilmoreorless, a new releaser for moment-timezone since your current version.

Updates tar from 6.1.11 to 6.2.1

Release notes

Sourced from tar's releases.

v6.1.13

6.1.13 (2022-12-07)

Dependencies

• cc4e0dd #343 bump minipass from 3.3.6 to 4.0.0

v6.1.12

6.1.12 (2022-10-31)

Bug Fixes

• 57493ee #332 ensuring close event is emited after stream has ended (@​webark)
• b003c64 #314 replace deprecated String.prototype.substr() (#314) (@​CommanderRoot, @​lukekarrys)

Documentation

• f129929 #313 remove dead link to benchmarks (#313) (@​yetzt)
• c1faa9f add examples/explanation of using tar.t (@​isaacs)

Changelog

Sourced from tar's changelog.

Changelog

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

• Add support for brotli compression
• Add maxDepth option to prevent extraction into excessively deep folders.

6.1

• remove dead link to benchmarks (#313) (@​yetzt)
• add examples/explanation of using tar.t (@​isaacs)
• ensure close event is emited after stream has ended (@​webark)

... (truncated)

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• 5bc9d40 6.2.0
• fe1ef5e changelog 6.2
• e483220 get rid of npm lint stuff
• 689928a ci that works outside of npm org
• db6f539 file inference improvements for .tbr and .tgz
• 336fa8f refactor: dry and other pr comments
• eeba222 chore: lint fixes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.