Bump the security group with 5 updates

[dependabot]

Bumps the security group with 5 updates:

Package	From	To
cipher-base	1.0.4	1.0.6
esbuild	0.19.11	0.19.12
form-data	4.0.2	4.0.4
pbkdf2	3.1.2	3.1.3
sha.js	2.4.11	2.4.12

Updates cipher-base from 1.0.4 to 1.0.6

Changelog

Sourced from cipher-base's changelog.

v1.0.6 - 2024-11-26

Commits

• [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

• [Tests] standard -> eslint, make test dir, etc ae02fd6
• [Tests] migrate from travis to GHA 66387d7
• [meta] fix package.json indentation 5c02918
• [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
• [meta] add auto-changelog 88dc806
• [meta] add npmignore and safe-publish-latest 7a137d7
• Only apps should have lockfiles 42528f2
• [Deps] update inherits, safe-buffer 0e7a2d9
• [meta] add missing engines.node f2dc13e

Commits

• f5249f9 v1.0.6
• b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
• f03cebf v1.0.5
• 88dc806 [meta] add auto-changelog
• 7a137d7 [meta] add npmignore and safe-publish-latest
• 5c02918 [meta] fix package.json indentation
• 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
• 66387d7 [Tests] migrate from travis to GHA
• f2dc13e [meta] add missing engines.node
• 0e7a2d9 [Deps] update inherits, safe-buffer
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Updates esbuild from 0.19.11 to 0.19.12

Release notes

Sourced from esbuild's releases.

v0.19.12

• The "preserve" JSX mode now preserves JSX text verbatim (#3605)

  The JSX specification deliberately doesn't specify how JSX text is supposed to be interpreted and there is no canonical way to interpret JSX text. Two most popular interpretations are Babel and TypeScript. Yes they are different (esbuild deliberately follows TypeScript by the way).

  Previously esbuild normalized text to the TypeScript interpretation when the "preserve" JSX mode is active. However, "preserve" should arguably reproduce the original JSX text verbatim so that whatever JSX transform runs after esbuild is free to interpret it however it wants. So with this release, esbuild will now pass JSX text through unmodified:

  // Original code
  let el =
    <a href={'/'} title='&apos;&quot;'> some text
      {foo}
        more text </a>
  // Old output (with --loader=jsx --jsx=preserve)
  let el = <a href="/" title={'&quot;}>
  {" some text"}
  {foo}
  {"more text "}
  </a>;
  // New output (with --loader=jsx --jsx=preserve)
  let el = <a href={"/"} title='&apos;&quot;'> some text
  {foo}
  more text </a>;

• Allow JSX elements as JSX attribute values

  JSX has an obscure feature where you can use JSX elements in attribute position without surrounding them with {...}. It looks like this:

  let el = <div data-ab=<><a/><b/></>/>;

  I think I originally didn't implement it even though it's part of the JSX specification because it previously didn't work in TypeScript (and potentially also in Babel?). However, support for it was silently added in TypeScript 4.8 without me noticing and Babel has also since fixed their bugs regarding this feature. So I'm adding it to esbuild too now that I know it's widely supported.

  Keep in mind that there is some ongoing discussion about removing this feature from JSX. I agree that the syntax seems out of place (it does away with the elegance of "JSX is basically just XML with {...} escapes" for something arguably harder to read, which doesn't seem like a good trade-off), but it's in the specification and TypeScript and Babel both implement it so I'm going to have esbuild implement it too. However, I reserve the right to remove it from esbuild if it's ever removed from the specification in the future. So use it with caution.

• Fix a bug with TypeScript type parsing (#3574)

  This release fixes a bug with esbuild's TypeScript parser where a conditional type containing a union type that ends with an infer type that ends with a constraint could fail to parse. This was caused by the "don't parse a conditional type" flag not getting passed through the union type parser. Here's an example of valid TypeScript code that previously failed to parse correctly:

  type InferUnion<T> = T extends { a: infer U extends number } | infer U extends number ? U : never

Changelog

Sourced from esbuild's changelog.

0.19.12

• The "preserve" JSX mode now preserves JSX text verbatim (#3605)

  The JSX specification deliberately doesn't specify how JSX text is supposed to be interpreted and there is no canonical way to interpret JSX text. Two most popular interpretations are Babel and TypeScript. Yes they are different (esbuild deliberately follows TypeScript by the way).

  Previously esbuild normalized text to the TypeScript interpretation when the "preserve" JSX mode is active. However, "preserve" should arguably reproduce the original JSX text verbatim so that whatever JSX transform runs after esbuild is free to interpret it however it wants. So with this release, esbuild will now pass JSX text through unmodified:

  // Original code
  let el =
    <a href={'/'} title='&apos;&quot;'> some text
      {foo}
        more text </a>
  // Old output (with --loader=jsx --jsx=preserve)
  let el = <a href="/" title={'&quot;}>
  {" some text"}
  {foo}
  {"more text "}
  </a>;
  // New output (with --loader=jsx --jsx=preserve)
  let el = <a href={"/"} title='&apos;&quot;'> some text
  {foo}
  more text </a>;

• Allow JSX elements as JSX attribute values

  JSX has an obscure feature where you can use JSX elements in attribute position without surrounding them with {...}. It looks like this:

  let el = <div data-ab=<><a/><b/></>/>;

  I think I originally didn't implement it even though it's part of the JSX specification because it previously didn't work in TypeScript (and potentially also in Babel?). However, support for it was silently added in TypeScript 4.8 without me noticing and Babel has also since fixed their bugs regarding this feature. So I'm adding it to esbuild too now that I know it's widely supported.

  Keep in mind that there is some ongoing discussion about removing this feature from JSX. I agree that the syntax seems out of place (it does away with the elegance of "JSX is basically just XML with {...} escapes" for something arguably harder to read, which doesn't seem like a good trade-off), but it's in the specification and TypeScript and Babel both implement it so I'm going to have esbuild implement it too. However, I reserve the right to remove it from esbuild if it's ever removed from the specification in the future. So use it with caution.

• Fix a bug with TypeScript type parsing (#3574)

  This release fixes a bug with esbuild's TypeScript parser where a conditional type containing a union type that ends with an infer type that ends with a constraint could fail to parse. This was caused by the "don't parse a conditional type" flag not getting passed through the union type parser. Here's an example of valid TypeScript code that previously failed to parse correctly:

  type InferUnion<T> = T extends { a: infer U extends number } | infer U extends number ? U : never

Commits

• d7fd1ad publish 0.19.12 to npm
• e04a690 fix #3605: print the original JSX AST unmodified
• f571399 allow jsx elements as jsx attribute values
• a652e73 run make update-compat-table
• 35c0d65 fix #3574: ts type parser bug with infer + extends
• f6eae0c fix #3569: incorrect ToInt32 behavior on riscv64
• See full diff in compare view

Updates form-data from 4.0.2 to 4.0.4

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Changelog

Sourced from form-data's changelog.

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

Commits

• 41996f5 v4.0.4
• 316c82b [meta] actually ensure the readme backup isn’t published
• 2300ca1 [meta] fix readme capitalization
• 811f682 [meta] add auto-changelog
• 5e34080 [Tests] fix linting errors
• 1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• 58c25d7 [Dev Deps] update @ljharb/eslint-config
• 3d17230 [Fix] Switch to using crypto random for boundary values
• d8d67dc v4.0.3
• e6e83cc [meta] remove local commit hooks
• Additional commits viewable in compare view

Updates pbkdf2 from 3.1.2 to 3.1.3

Changelog

Sourced from pbkdf2's changelog.

v3.1.3 - 2025-06-20

Commits

• Only apps should have lockfiles 8b06730
• [lint] fix whitespace 9a76e2f
• [lint] fix parens/curlies/semis/etc 6fd84bf
• [meta] add auto-changelog 796c38d
• [Tests] fix tests in node 17 3661fb0
• Revert "[Tests] fix tests in node < 3" 7431b57
• [Tests] fix tests in node < 3 eb9f97a
• [Fix] ensure unknown algorithms throw + known ones match node 26d4fd3
• [Tests] add GHA, always run nyc 513906a
• [lint] fix a few more rules ab04da8
• [lint] switch to eslint 89694cf
• [Tests] add coverage d0d534b
• [Refactor] use to-buffer e3102a8
• [readme] improve badges fca0c9d
• [Tests] remove unused travis file a2c7d93
• [meta] switch from files to npmignore 7f31fbc
• [Tests] use .nycrc 8d628e8
• [Refactor] minor tweaks fc61005
• [Deps] update create-hmac, safe-buffer, sha.js ae2a7d0
• [Fix] pin create-hash, ripemd160 due to breaking changes e079968
• [Tests] fix tests in node 3 45fbcf3
• [meta] skip publishing benchmarks 19ea57b
• [Dev Deps] add missing peer dep 645e252

Commits

• 3e40827 v3.1.3
• e3102a8 [Refactor] use to-buffer
• 7431b57 Revert "[Tests] fix tests in node < 3"
• 19ea57b [meta] skip publishing benchmarks
• a2c7d93 [Tests] remove unused travis file
• 645e252 [Dev Deps] add missing peer dep
• 796c38d [meta] add auto-changelog
• d0d534b [Tests] add coverage
• 7f31fbc [meta] switch from files to npmignore
• fca0c9d [readme] improve badges
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for pbkdf2 since your current version.

Updates sha.js from 2.4.11 to 2.4.12

Changelog

Sourced from sha.js's changelog.

v2.4.12 - 2025-07-01

Commits

• [eslint] switch to eslint 7acadfb
• [meta] add auto-changelog b46e711
• [eslint] fix package.json indentation df9d521
• [Tests] migrate from travis to GHA c43c64a
• [Fix] support multi-byte wide typed arrays f2a258e
• [meta] reorder package.json d8d77c0
• [meta] add npmignore 35aec35
• [Tests] avoid console logs 73e33ae
• [Tests] fix tests run in batch 2629130
• [Tests] drop node requirement to 0.10 00c7f23
• [Dev Deps] update buffer, hash-test-vectors, standard, tape, typedarray 92b5de5
• [Tests] drop node requirement to v3 9b5eca8
• [meta] set engines to >= 4 807084c
• Only apps should have lockfiles c72789c
• [Deps] update inherits, safe-buffer 5428cfc
• [Dev Deps] update @ljharb/eslint-config 2dbe0aa
• update README to reflect LICENSE 8938256
• [Dev Deps] add missing peer dep d528896
• [Dev Deps] remove unused buffer dep 94ca724

Commits

• eb4ea2f v2.4.12
• d8d77c0 [meta] reorder package.json
• df9d521 [eslint] fix package.json indentation
• 35aec35 [meta] add npmignore
• d528896 [Dev Deps] add missing peer dep
• b46e711 [meta] add auto-changelog
• 94ca724 [Dev Deps] remove unused buffer dep
• 2dbe0aa [Dev Deps] update @ljharb/eslint-config
• 73e33ae [Tests] avoid console logs
• f2a258e [Fix] support multi-byte wide typed arrays
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for sha.js since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.