
chore(deps): Bump the production-dependencies group across 1 directory with 11 updates#175

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/production-dependencies-4205dcc50f

Conversation

dependabot[bot] commented on behalf of github, Jun 29, 2026

Bumps the production-dependencies group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| body-parser | 2.2.2 | 2.3.0 |
| es-object-atoms | 1.1.1 | 1.1.2 |
| eventsource-parser | 3.0.8 | 3.1.0 |
| express-rate-limit | 8.5.1 | 8.5.2 |
| form-data | 4.0.5 | 4.0.6 |
| hono | 4.12.18 | 4.12.27 |
| range-parser | 1.2.1 | 1.3.0 |

Updates body-parser from 2.2.2 to 2.3.0

Release notes

Sourced from body-parser's releases.

v2.3.0

What's Changed

New Contributors

Full Changelog: expressjs/body-parser@v2.2.2...v2.3.0

Changelog

Sourced from body-parser's changelog.

2.3.0 / 2026-06-15

  • fix: use static exports instead of lazy getters to improve ESM compatibility
  • feat: add subpath exports for individual parsers
  • fix: improve limit option validation (#698)
    • Invalid limit values (e.g. unparseable strings or NaN) now throw instead of being silently ignored, which previously disabled size limit enforcement
    • null and undefined fall back to the default 100kb limit
  • deps:
    • content-type@^2.0.0
    • http-errors@^2.0.1
    • iconv-lite@^0.7.2
    • qs@^6.15.2
    • raw-body@^3.0.2
    • type-is@^2.1.0
Commits
  • d0f2ace 2.3.0 (#735)
  • 7d03f2f chore: updated deps to latest (#733)
  • 8024ba7 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#732)
  • 32b4ed4 build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 (#731)
  • ff0f6b9 docs: update outdated reference to MDN docs (#730)
  • 14d001a refactor: switch to const/let and enable eslint no-var rule (#729)
  • 37f36a2 deps: update content-type and type-is (#728)
  • e1c244b build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 (#723)
  • e01087f build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#724)
  • a7698d3 build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 (#725)
  • Additional commits viewable in compare view

Updates es-object-atoms from 1.1.1 to 1.1.2

Changelog

Sourced from es-object-atoms's changelog.

v1.1.2 - 2026-05-22

Commits

  • [Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, auto-changelog, eslint, npmignore 41e3d94
  • [types] improve isObject type 758edc2
Commits
  • 9e62644 v1.1.2
  • 41e3d94 [Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, `auto-changelo...
  • 758edc2 [types] improve isObject type
  • See full diff in compare view

Updates eventsource-parser from 3.0.8 to 3.1.0

Release notes

Sourced from eventsource-parser's releases.

v3.1.0

3.1.0 (2026-05-27)

Features


This release is also available on:

Changelog

Sourced from eventsource-parser's changelog.

3.1.0 (2026-05-27)

Features

Commits

Updates express-rate-limit from 8.5.1 to 8.5.2

Release notes

Sourced from express-rate-limit's releases.

v8.5.2

You can view the changelog here.

Commits
  • 9774693 8.5.2
  • 0e94cc0 v8.5.2 changelog
  • 9a583c5 feat: simplify IPv6 key generation (#633)
  • 4f4b3fb chore(deps-dev): bump lint-staged from 16.4.0 to 17.0.4 (#632)
  • 3c1d6c5 chore(deps-dev): bump the development-dependencies group with 7 updates (#631)
  • 18884b6 chore(deps): bump basic-ftp from 5.2.0 to 5.3.1 (#630)
  • dacc980 chore(deps): bump handlebars from 4.7.8 to 4.7.9 (#629)
  • 486d0c6 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#627)
  • See full diff in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65
Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Updates hasown from 2.0.3 to 2.0.4

Changelog

Sourced from hasown's changelog.

v2.0.4 - 2026-05-28

Commits

  • [types] drop the dead key-narrowing overload fdab00e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint 91f6247
Commits
  • 97f3a85 v2.0.4
  • fdab00e [types] drop the dead key-narrowing overload
  • 91f6247 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint
  • See full diff in compare view

Updates hono from 4.12.18 to 4.12.27

Release notes

Sourced from hono's releases.

v4.12.27

Security fixes

This release includes fixes for the following security issues:

hono/jsx does not isolate context per request

Affects: hono/jsx, hono/jsx-renderer. During SSR, context was stored process-wide instead of per request, so useContext()/useRequestContext() read after an await in an async component could return another concurrent request's value — leading to cross-request data disclosure or authorization checks against the wrong request. GHSA-hvrm-45r6-mjfj

Server-Side XSS via JSX escaping bypass in cx()

Affects: hono/css. cx() marked its composed class name as already-escaped without escaping the input, so untrusted input passed as a class name could break out of the JSX class attribute during SSR and inject markup (XSS). GHSA-w62v-xxxg-mg59

API Gateway v1 adapter can drop a repeated request header value

Affects: hono/aws-lambda. The API Gateway v1 (and VPC Lattice) adapter de-duplicated repeated header values by substring instead of exact match, dropping a value that is a substring of another (e.g. 203.0.113.1 dropped when 203.0.113.10 is present) — affecting logic such as X-Forwarded-For-based IP restriction. GHSA-xgm2-5f3f-mvvc


Users of hono/jsx/hono/jsx-renderer, hono/css (cx()), or the hono/aws-lambda API Gateway v1 / VPC Lattice adapters are encouraged to upgrade.

v4.12.26

What's Changed

Full Changelog: honojs/hono@v4.12.25...v4.12.26

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

... (truncated)

Commits
  • 97c6fe1 4.12.27
  • aa92177 Merge commit from fork
  • cd3f6f7 Merge commit from fork
  • d4853a8 fix(jsx): make merged context-isolation tests pass tsc type check (#5037)
  • 6735fea fix(jsx): cast awaitedFallback through unknown to fix Deno type check (#5036)
  • fab3b13 Merge commit from fork
  • 9f0dadf ci: use npm Staged publishing (#5035)
  • 27b7992 4.12.26
  • d29982c chore: replace arg and glob with Bun native APIs in build script
  • 16215d5 chore: remove unused devcontainer and gitpod configs (#5029)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hono since your current version.


Updates qs from 6.15.1 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text
Commits
  • 18d085e v6.15.3
  • c38af42 [Deps] update side-channel
  • adce539 [Dev Deps] update eslint, mock-property, tape
  • 74a0f6a [Robustness] utils: enforce arrayLimit consistently across merge's arra...
  • f4938f5 [Tests] parse: characterize current lenient handling of unbalanced bracket ...
  • 5d5f723 [Perf] utils: make compact O(n) via a side-channel visited-set instead of...
  • 52afe00 [Robustness] parse: throw the arrayLimit error before splitting oversized...
  • 963e538 [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via...
  • 59da434 [Fix] utils: respect encoding of surrogate pairs across chunks
  • 9532969 [Robustness] utils.merge / utils.assign: avoid invoking __proto__ sette...
  • Additional commits viewable in compare view

Updates range-parser from 1.2.1 to 1.3.0

Release notes

Sourced from range-parser's releases.

v1.3.0

Fixed

  • Improve number parsing (#58) eba9c7a
  • Handle invalid start and end byte positions in range parsing (#57) 269cb4e

jshttp/range-parser@v1.2.1...v1.3.0

Commits
  • f4bf173 Clamp a suffix whose length exceeds the representation (#66)
  • b49e00f fix: still show ranges if there are multiple ranges, even if some are invalid...
  • 4f3b091 Remove dependabot config (#60)
  • eba9c7a Improve number parsing (#58)
  • 269cb4e fix: handle invalid start and end byte positions in range parsing (#57)
  • 098e332 build(deps): bump github/codeql-action from 3.31.2 to 4.31.6 (#50)
  • 3599369 build(deps): bump actions/checkout from 3.6.0 to 6.0.0 (#51)
  • 054ea57 build(deps): bump github/codeql-action from 2.23.2 to 4.31.2 (#48)
  • d230b16 build(deps): bump actions/upload-artifact from 3.1.3 to 5.0.0 (#49)
  • 54f84f4 chore: add funding to package.json (#42)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for range-parser since your current version.


Updates side-channel from 1.1.0 to 1.1.1

Changelog

Sourced from side-channel's changelog.

v1.1.1 - 2026-06-08

Commits

  • [Fix] assert: do not observably access object keys when throwing fc17361
  • [actions] update workflows 35b18c0
  • [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, @ljharb/tsconfig, @types/tape, auto-changelog, eslint, npmignore b456a01
  • [Deps] update object-inspect, side-channel-list accf1a1
  • [readme] replace runkit CI badge with shields.io check-runs badge 7e0c956
Commits
  • 3d26095 v1.1.1
  • fc17361 [Fix] assert: do not observably access object keys when throwing
  • 35b18c0 [actions] update workflows
  • accf1a1 [Deps] update object-inspect, side-channel-list
  • b456a01 [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, `@ljharb/...
  • 7e0c956 [readme] replace runkit CI badge with shields.io check-runs badge
  • See full diff in compare view

Updates type-is from 2.0.1 to 2.1.0

Release notes

Sourced from type-is's releases.

v2.1.0

Changed

  • Upgraded to content-type@2 for faster parsing
Commits
  • 62a423f 2.1.0
  • accdc2f Upgrade content-type (#95)
  • 2554c0a Remove dependabot (#90)
  • 011ea1a build(deps): bump github/codeql-action from 4.31.2 to 4.32.4 (#91)
  • 9be1494 build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.0 (#92)
  • 663e357 build(deps): bump github/codeql-action from 3.30.0 to 4.31.2 (#80)
  • c463aa1 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#81)
  • fd1e10d build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#77)
  • 6a04dc1 build(deps): bump github/codeql-action from 3.28.18 to 3.30.0 (#76)
  • 8751b97 chore: add funding to package.json (#74)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for type-is since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
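
The body-parser 2.3.0 entry above says an unparseable `limit` used to be silently ignored, which disabled size enforcement, and now throws. The block below is an added example, not body-parser's code: it pairs a minimal size-string parser (a stand-in for the `bytes` package; its unit table and regular expression are assumptions) with the lenient and the strict way of resolving the option, and shows the oversized body that slips through under the lenient scheme.

```javascript
// Added example, not body-parser's code. parseBytes is a small stand-in for the
// `bytes` package; DEFAULT_LIMIT is the 100kb default the changelog names.
const DEFAULT_LIMIT = 100 * 1024;
const UNITS = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 }; // assumed unit table

// Byte count for a finite number or a size string such as "100kb"; null when the
// input cannot be parsed (the same null a bytes.parse-style helper hands back).
function parseBytes(value) {
  if (typeof value === 'number') return Number.isFinite(value) ? Math.floor(value) : null;
  if (typeof value !== 'string') return null;
  const m = /^(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?$/i.exec(value.trim());
  if (!m) return null;
  return Math.floor(Number(m[1]) * UNITS[(m[2] || 'b').toLowerCase()]);
}

// Pre-2.3.0 shape: a bad value parses to null, and a null limit is later read as
// "no limit", so a typo in configuration silently turns the check off.
function resolveLimitLenient(limit) {
  if (limit === undefined || limit === null) return DEFAULT_LIMIT;
  return parseBytes(limit);
}

// 2.3.0 shape: null/undefined fall back to the default; anything else must parse,
// or configuration fails at startup instead of at the first oversized body.
function resolveLimitStrict(limit) {
  if (limit === undefined || limit === null) return DEFAULT_LIMIT;
  const n = parseBytes(limit);
  if (n === null) {
    throw new TypeError(`option limit must be a number or a size string, got ${String(limit)}`);
  }
  return n;
}

// Enforcement step: a null limit means unlimited, which is exactly the hole the
// strict resolver closes.
function bodyAccepted(resolvedLimit, bodyBytes) {
  return resolvedLimit === null || bodyBytes <= resolvedLimit;
}

function demoLimitValidation() {
  const typo = '10 megs'; // constructed misconfiguration
  const lenient = resolveLimitLenient(typo); // null: enforcement is now off
  let strictThrows = false;
  try { resolveLimitStrict(typo); } catch { strictThrows = true; }
  return {
    lenientLimit: lenient,
    oversizedAccepted: bodyAccepted(lenient, 50 * 1024 ** 2), // a 50 MiB body passes
    strictThrows,
  };
}
```

Run `demoLimitValidation()` to see the three outcomes side by side; the interesting one is `oversizedAccepted`, which is the failure mode the changelog describes.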
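
The form-data 4.0.6 entry is a one-line fix ("escape CR, LF, and \" in field names and filenames"). The block below is an added example, not form-data's code: it builds the Content-Disposition line of a multipart part with and without escaping, then parses the resulting header block the way a receiver would, so the injected header lines become visible. The percent-encoding scheme used (%0D, %0A, %22) is the one the HTML multipart/form-data encoding algorithm prescribes and is this example's choice, not a statement of how form-data implements the fix.

```javascript
// Added example, not form-data's code.
const CRLF = '\r\n';

// Unescaped: a name or filename containing '"' or CR/LF closes the quoted
// parameter and can append further header lines to the part.
function contentDispositionUnescaped(name, filename) {
  let line = `Content-Disposition: form-data; name="${name}"`;
  if (filename !== undefined) line += `; filename="${filename}"`;
  return line;
}

// Percent-encode the three characters that can end the quoted string or the
// header line (scheme assumed from the HTML multipart/form-data algorithm).
function escapeDispositionValue(v) {
  return String(v).replace(/\r/g, '%0D').replace(/\n/g, '%0A').replace(/"/g, '%22');
}

function contentDispositionEscaped(name, filename) {
  let line = `Content-Disposition: form-data; name="${escapeDispositionValue(name)}"`;
  if (filename !== undefined) line += `; filename="${escapeDispositionValue(filename)}"`;
  return line;
}

// Receiver side: split a part's header block into {name: value}. Any key beyond
// content-disposition came from the sender's field name, i.e. was injected.
function parsePartHeaders(headerBlock) {
  const out = {};
  for (const raw of headerBlock.split(CRLF)) {
    const i = raw.indexOf(':');
    if (i > 0) out[raw.slice(0, i).toLowerCase()] = raw.slice(i + 1).trim();
  }
  return out;
}

// Constructed hostile field name: closes the quoted name, then adds two headers.
const HOSTILE_NAME = 'avatar"' + CRLF + 'Content-Type: text/html' + CRLF + 'X-Injected: 1';

function demoDispositionEscaping() {
  const unsafe = parsePartHeaders(contentDispositionUnescaped(HOSTILE_NAME, 'a.png'));
  const safe = parsePartHeaders(contentDispositionEscaped(HOSTILE_NAME, 'a.png'));
  return { unsafeKeys: Object.keys(unsafe), safeKeys: Object.keys(safe) };
}
```

With the unescaped builder the receiver sees three headers for the part, including an attacker-chosen Content-Type; with escaping it sees one.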

…y with 11 updates

Bumps the production-dependencies group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [body-parser](https://github.com/expressjs/body-parser) | `2.2.2` | `2.3.0` |
| [es-object-atoms](https://github.com/ljharb/es-object-atoms) | `1.1.1` | `1.1.2` |
| [eventsource-parser](https://github.com/rexxars/eventsource-parser) | `3.0.8` | `3.1.0` |
| [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `8.5.1` | `8.5.2` |
| [form-data](https://github.com/form-data/form-data) | `4.0.5` | `4.0.6` |
| [hono](https://github.com/honojs/hono) | `4.12.18` | `4.12.27` |
| [range-parser](https://github.com/jshttp/range-parser) | `1.2.1` | `1.3.0` |



Updates `body-parser` from 2.2.2 to 2.3.0
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@v2.2.2...v2.3.0)

Updates `es-object-atoms` from 1.1.1 to 1.1.2
- [Changelog](https://github.com/es-shims/es-object-atoms/blob/main/CHANGELOG.md)
- [Commits](es-shims/es-object-atoms@v1.1.1...v1.1.2)

Updates `eventsource-parser` from 3.0.8 to 3.1.0
- [Release notes](https://github.com/rexxars/eventsource-parser/releases)
- [Changelog](https://github.com/rexxars/eventsource-parser/blob/main/CHANGELOG.md)
- [Commits](rexxars/eventsource-parser@v3.0.8...v3.1.0)

Updates `express-rate-limit` from 8.5.1 to 8.5.2
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v8.5.1...v8.5.2)

Updates `form-data` from 4.0.5 to 4.0.6
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

Updates `hasown` from 2.0.3 to 2.0.4
- [Changelog](https://github.com/inspect-js/hasOwn/blob/main/CHANGELOG.md)
- [Commits](inspect-js/hasOwn@v2.0.3...v2.0.4)

Updates `hono` from 4.12.18 to 4.12.27
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.18...v4.12.27)

Updates `qs` from 6.15.1 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.1...v6.15.3)

Updates `range-parser` from 1.2.1 to 1.3.0
- [Release notes](https://github.com/jshttp/range-parser/releases)
- [Changelog](https://github.com/jshttp/range-parser/blob/master/HISTORY.md)
- [Commits](jshttp/range-parser@v1.2.1...v1.3.0)

Updates `side-channel` from 1.1.0 to 1.1.1
- [Changelog](https://github.com/ljharb/side-channel/blob/main/CHANGELOG.md)
- [Commits](ljharb/side-channel@v1.1.0...v1.1.1)

Updates `type-is` from 2.0.1 to 2.1.0
- [Release notes](https://github.com/jshttp/type-is/releases)
- [Commits](jshttp/type-is@2.0.1...v2.1.0)

---
updated-dependencies:
- dependency-name: body-parser
  dependency-version: 2.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: es-object-atoms
  dependency-version: 1.1.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: eventsource-parser
  dependency-version: 3.1.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: express-rate-limit
  dependency-version: 8.5.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: hasown
  dependency-version: 2.0.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: hono
  dependency-version: 4.12.27
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: qs
  dependency-version: 6.15.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: range-parser
  dependency-version: 1.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: side-channel
  dependency-version: 1.1.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: type-is
  dependency-version: 2.1.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
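
The hono 4.12.27 note about the API Gateway v1 adapter says repeated header values were de-duplicated by substring rather than exact match, so 203.0.113.1 vanished whenever 203.0.113.10 was present. The block below is an added example, not hono's code: it models the merge step with a single comma-joined value plus a multi-value list (an assumed simplification of the event shape), shows both merges on a constructed X-Forwarded-For chain, and runs a deny-list check over the result so the dropped hop has a visible consequence.

```javascript
// Added example, not hono's code. Event field names and the assumption that the
// single-value field holds the last value of a repeated header are this
// example's own.

// Flawed merge: a candidate is treated as already present when it is a
// substring of the merged string, so "203.0.113.1" is "found" inside
// "203.0.113.10" and dropped.
function mergeHeaderBySubstring(joined, multi) {
  let merged = joined || '';
  for (const v of multi || []) {
    if (!merged.includes(v)) merged = merged ? `${merged}, ${v}` : v;
  }
  return merged;
}

// Corrected merge: split the joined value into whole entries and compare them
// exactly, so only genuine repeats are dropped.
function mergeHeaderExact(joined, multi) {
  const entries = joined ? joined.split(',').map((s) => s.trim()).filter(Boolean) : [];
  const seen = new Set(entries);
  for (const v of multi || []) {
    if (!seen.has(v)) { seen.add(v); entries.push(v); }
  }
  return entries.join(', ');
}

// An X-Forwarded-For based restriction: reject when any hop is on a deny list.
const DENIED_HOPS = new Set(['203.0.113.1']); // constructed deny list
function blockedByXff(xff) {
  return xff.split(',').map((s) => s.trim()).some((hop) => DENIED_HOPS.has(hop));
}

// Constructed event fragment: the chain is 203.0.113.1 then 203.0.113.10.
const EVENT = {
  headers: { 'x-forwarded-for': '203.0.113.10' },
  multiValueHeaders: { 'x-forwarded-for': ['203.0.113.1', '203.0.113.10'] },
};

function demoHeaderMerge() {
  const single = EVENT.headers['x-forwarded-for'];
  const multi = EVENT.multiValueHeaders['x-forwarded-for'];
  const flawed = mergeHeaderBySubstring(single, multi);
  const fixed = mergeHeaderExact(single, multi);
  return {
    flawed, fixed,
    flawedBlocked: blockedByXff(flawed), // false: the denied hop was lost
    fixedBlocked: blockedByXff(fixed),   // true
  };
}
```

The substring merge keeps only `203.0.113.10`, and the deny-list check passes the request; the exact merge keeps both hops and the check fires.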
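
The hono 4.12.25 note on the Body Limit Middleware describes a request built with the client-declared Content-Length while the body arrives fully buffered, so a small declared length hides a large body. The block below is an added example, not hono's code: a size check that trusts the header beside one that measures the buffered bytes. The limit, headers and bodies are constructed, and treating a mismatched Content-Length as a rejection is this example's design choice, not a description of hono's fix.

```javascript
// Added example, not hono's code.
const LIMIT_BYTES = 16; // constructed, deliberately tiny

// Flawed: trusts the client-declared Content-Length that the adapter copied
// onto the request and never looks at the bytes it already holds.
function withinLimitByHeader(headers, body, limit = LIMIT_BYTES) {
  const declared = Number.parseInt(headers['content-length'] ?? '0', 10);
  return Number.isFinite(declared) && declared <= limit;
}

// Hardened: measure the buffered body. A declared length that disagrees with the
// real one is itself rejected (assumption: a lying header is a signal, not a hint).
function withinLimitByBytes(headers, body, limit = LIMIT_BYTES) {
  const actual = Buffer.byteLength(body, 'utf8');
  if (actual > limit) return false;
  const declared = headers['content-length'];
  if (declared !== undefined && Number.parseInt(declared, 10) !== actual) return false;
  return true;
}

// Constructed requests: an honest one and one that understates its length.
const HONEST = { headers: { 'content-length': '5' }, body: 'hello' };
const LYING = { headers: { 'content-length': '5' }, body: 'x'.repeat(64) };

function demoBodyLimit() {
  return {
    honestByHeader: withinLimitByHeader(HONEST.headers, HONEST.body), // true
    honestByBytes: withinLimitByBytes(HONEST.headers, HONEST.body),   // true
    lyingByHeader: withinLimitByHeader(LYING.headers, LYING.body),    // true: bypass
    lyingByBytes: withinLimitByBytes(LYING.headers, LYING.body),      // false
  };
}
```

Note that the header-based check also passes a request that omits Content-Length entirely, since an absent header parses as 0; the byte-based check has no such gap.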
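
The hono 4.12.25 CORS note describes the wildcard origin reflecting the request Origin together with Access-Control-Allow-Credentials: true whenever credentials: true is set without an explicit origin. The block below is an added example, not hono's code: a header computation that makes that mistake beside one that refuses the combination at configuration time and reflects Origin only from an explicit allow list. Option names, the array-of-origins shape and the two origins used are this example's own.

```javascript
// Added example, not hono's code. opts.origin is absent (wildcard) or an array
// of allowed origins; opts.credentials is a boolean.

// Flawed: with the wildcard default, the literal '*' is not usable on a
// credentialed response, so the code reflects the request Origin instead and
// still sends Allow-Credentials: true. Every origin now gets credentialed access.
function corsHeadersFlawed(requestOrigin, opts = {}) {
  const allowed = opts.origin ?? '*';
  const headers = {};
  if (allowed === '*') {
    headers['Access-Control-Allow-Origin'] = opts.credentials ? requestOrigin : '*';
  } else if (allowed.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  }
  if (opts.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Hardened: credentials with the wildcard is a configuration error and fails at
// setup. Otherwise Origin is reflected only when it is on the explicit list, and
// Allow-Credentials is emitted only next to such a reflected origin.
function corsHeadersFixed(requestOrigin, opts = {}) {
  const allowed = opts.origin ?? '*';
  if (allowed === '*' && opts.credentials) {
    throw new Error('cors: credentials: true requires an explicit origin allow list');
  }
  const headers = {};
  if (allowed === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
    return headers;
  }
  if (!allowed.includes(requestOrigin)) return headers; // not allowed: no CORS headers
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Vary'] = 'Origin';
  if (opts.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

const ATTACKER_ORIGIN = 'https://attacker.example'; // constructed
const APP_ORIGIN = 'https://app.example';           // constructed

function demoCors() {
  const flawed = corsHeadersFlawed(ATTACKER_ORIGIN, { credentials: true });
  let fixedThrew = false;
  try { corsHeadersFixed(ATTACKER_ORIGIN, { credentials: true }); } catch { fixedThrew = true; }
  const fixedList = corsHeadersFixed(ATTACKER_ORIGIN, { origin: [APP_ORIGIN], credentials: true });
  return { flawed, fixedThrew, fixedList };
}
```

The flawed variant answers the attacker origin with its own value in Allow-Origin plus Allow-Credentials: true, which is exactly the response a browser needs to let that origin read cookie-authenticated endpoints; the hardened variant either refuses the configuration or returns no CORS headers for an origin not on the list.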
dependabot[bot] commented on behalf of github, Jun 29, 2026

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions github-actions Bot enabled auto-merge (squash) June 29, 2026 10:06
