Update Mend: high confidence minor and patch dependency updates

[mend-for-github-com]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@cyclonedx/cyclonedx-npm	1.19.3 → 1.20.0
@types/chai (source)	4.3.16 → 4.3.20
@types/compression (source)	1.7.5 → 1.8.1
@types/config (source)	3.3.4 → 3.3.5
@types/cookie-parser (source)	1.4.7 → 1.4.10
@types/cors (source)	2.8.17 → 2.8.19
@types/express (source)	4.17.21 → 4.17.25
@types/express-serve-static-core (source)	4.19.5 → 4.19.8
@types/i18n (source)	^0.12.0 → ^0.13.0
@types/jasmine (source)	~3.9.1 → ~3.10.0
@types/morgan (source)	1.9.9 → 1.9.10
@types/multer (source)	1.4.11 → 1.4.13
@types/on-finished (source)	2.3.4 → 2.3.5
@types/pdfkit (source)	^0.10.6 → ^0.17.0
@types/request (source)	2.48.12 → 2.48.13
@types/semver (source)	7.5.8 → 7.7.1
@types/swagger-ui-express (source)	4.1.6 → 4.1.8
@types/unzipper (source)	0.10.9 → 0.10.11
@types/validator (source)	13.12.0 → 13.15.10
@typescript-eslint/eslint-plugin (source)	6.18.1 → 6.21.0
@typescript-eslint/parser (source)	6.18.1 → 6.21.0
body-parser	1.20.2 → 1.20.4
canvas-confetti	1.9.3 → 1.9.4
chai (source)	4.4.1 → 4.5.0
codemirror	5.65.17 → 5.65.20
compression	1.7.4 → 1.8.1
cookie-parser	1.4.6 → 1.4.7
cross-spawn	7.0.3 → 7.0.6
cypress (source)	13.13.1 → 13.17.0
eslint (source)	8.57.0 → 8.57.1
eslint-config-prettier	7.1.0 → 7.2.0
eslint-plugin-import	2.29.1 → 2.32.0
ethers (source)	6.13.1 → 6.16.0
ethers (source)	5.7.2 → 5.8.0
express (source)	4.19.2 → 4.22.1
glob	10.4.5 → 10.5.0
http-server	^0.12.3 → ^0.13.0
i18n	^0.11.1 → ^0.15.0
jasmine-core (source)	~3.9.0 → ~3.99.0
karma (source)	6.4.3 → 6.4.4
karma-chrome-launcher	~3.1.0 → ~3.2.0
material-icons (source)	^0.3.1 → ^0.7.0
morgan	1.10.0 → 1.10.1
multer	1.4.5-lts.1 → 1.4.5-lts.2
node-pre-gyp	^0.15.0 → ^0.17.0
pdfkit (source)	^0.11.0 → ^0.17.0
rxjs (source)	6.6.3 → 6.6.7
sanitize-html	1.4.2 → 1.27.5
sass	1.77.8 → 1.97.3
semver	7.6.3 → 7.7.3
sequelize (source)	6.37.3 → 6.37.7
shelljs	^0.8.4 → ^0.10.0
typescript (source)	~4.6.0 → ~4.9.0
typescript (source)	~4.8.4 → ~4.9.0
unzipper	0.9.15 → 0.12.3
winston	3.13.1 → 3.19.0
zustand	4.4.1 → 4.5.7

---

Release Notes

CycloneDX/cyclonedx-node-npm (@​cyclonedx/cyclonedx-npm)

v1.20.0

Compare Source

• Added
  • Official support for npm@11 (#​1245 via #​1249)
  • Capability to gather license text evidences (#​256 via #​1243)
    This feature can be controlled via CLI switch --gather-license-texts.
    This feature is experimental. This feature is disabled per default.
• Dependencies
  • No longer directly depend on packageurl-js (via #​1237)
• Build
  • Use TypeScript v5.7.3 now, was v5.5.3 (via #​1209, #​1218, #​1255)

typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)

v6.21.0

Compare Source

🚀 Features

• export plugin metadata

• allow parserOptions.project: false

• eslint-plugin: add rule prefer-find

🩹 Fixes

• eslint-plugin: [no-unused-vars] don't report on types referenced in export assignment expression

• eslint-plugin: [switch-exhaustiveness-check] better support for intersections, infinite types, non-union values

• eslint-plugin: [consistent-type-imports] dont report on types used in export assignment expressions

• eslint-plugin: [no-unnecessary-condition] handle left-hand optional with exactOptionalPropertyTypes option

• eslint-plugin: [class-literal-property-style] allow getter when same key setter exists

• eslint-plugin: [no-unnecessary-type-assertion] provide valid fixes for assertions with extra tokens before as keyword

❤️ Thank You

• auvred
• Brad Zacher
• Kirk Waiblinger
• Pete Gonzalez
• YeonJuan

You can read about our versioning strategy and releases on our website.

v6.20.0

Compare Source

🚀 Features

• eslint-plugin: [member-ordering] allow easy reuse of the default ordering

🩹 Fixes

• eslint-plugin: [no-useless-template-literals] incorrect bigint autofix result

• eslint-plugin: [prefer-nullish-coalescing] treat any/unknown as non-nullable

• eslint-plugin: [no-useless-template-literals] report Infinity & NaN

• eslint-plugin: [prefer-readonly] disable checking accessors

❤️ Thank You

• Alex Parloti
• auvred
• James Browning
• StyleShit
• YeonJuan

You can read about our versioning strategy and releases on our website.

v6.19.1

Compare Source

🩹 Fixes

• type-utils: preventing isUnsafeAssignment infinite recursive calls

• eslint-plugin: [no-unnecessary-condition] fix false positive for type variable

❤️ Thank You

• YeonJuan

You can read about our versioning strategy and releases on our website.

v6.19.0

Compare Source

🚀 Features

• eslint-plugin: [prefer-promise-reject-errors] add rule

• eslint-plugin: [no-array-delete] add new rule

• eslint-plugin: [no-useless-template-literals] add fix suggestions

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] detect unnecessary non-null-assertion on a call expression

• eslint-plugin: [no-unnecesary-type-assertion] treat unknown/any as nullable

❤️ Thank You

• auvred
• Brad Zacher
• Josh Goldberg ✨
• Joshua Chen
• LJX
• Steven
• StyleShit

You can read about our versioning strategy and releases on our website.

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v6.21.0

Compare Source

🚀 Features

• allow parserOptions.project: false

❤️ Thank You

• auvred
• Brad Zacher
• Kirk Waiblinger
• Pete Gonzalez
• YeonJuan

You can read about our versioning strategy and releases on our website.

v6.20.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v6.19.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

v6.19.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

expressjs/body-parser (body-parser)

v1.20.4

Compare Source

===================

• deps: qs@~6.14.0
• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: raw-body@~2.5.3

v1.20.3

Compare Source

===================

• deps: qs@​6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

catdad/canvas-confetti (canvas-confetti)

v1.9.4

Compare Source

What's Changed

• Fix error in canDrawBitmap if OffscreenCanvas exists but is not supported by @​Gavin-Hofer in #​258

Maintenance

• updating github actions to the latest versions by @​catdad in #​259

New Contributors

• @​Gavin-Hofer made their first contribution in #​258

Full Changelog: catdad/canvas-confetti@1.9.3...1.9.4

chaijs/chai (chai)

v4.5.0

Compare Source

• Update type detect (#​1631) 1a36d35

What's Changed

• Update type detect by @​koddsson in #​1631

Full Changelog: chaijs/chai@v4.4.1...v4.5.0

codemirror/basic-setup (codemirror)

v5.65.20

Compare Source

v5.65.19

Compare Source

v5.65.18

Compare Source

expressjs/compression (compression)

v1.8.1

Compare Source

==========

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

v1.8.0

Compare Source

==================

• Use res.headersSent when available
• Replace _implicitHeader with writeHead property
• add brotli support for versions of node that support it
• Add the enforceEncoding option for requests without Accept-Encoding header

v1.7.5

Compare Source

==================

• deps: Replace accepts with negotiator@~0.6.4
  • Add preference option
• deps: bytes@​3.1.2
  • Add petabyte (pb) support
  • Fix "thousandsSeparator" incorrecting formatting fractional part
  • Fix return value for un-parsable strings
• deps: compressible@~2.0.18
  • Mark font/ttf as compressible
  • Remove compressible from multipart/mixed
  • deps: mime-db@'>= 1.43.0 < 2'
• deps: safe-buffer@​5.2.1

expressjs/cookie-parser (cookie-parser)

v1.4.7

Compare Source

==========

• deps: cookie@​0.7.2
  • Fix object assignment of hasOwnProperty
• deps: cookie@​0.7.1
  • Allow leading dot for domain
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
• deps: cookie@​0.7.0
  • perf: parse cookies ~10% faster
  • fix: narrow the validation of cookies to match RFC6265
  • fix: add main to package.json for rspack
• deps: cookie@​0.6.0
  • Add partitioned option
• deps: cookie@​0.5.0
  • Add priority option
  • Fix expires option to reject invalid dates
  • pref: improve default decode speed
  • pref: remove slow string split in parse
• deps: cookie@​0.4.2
  • pref: read value only when assigning in parse
  • pref: remove unnecessary regexp in parse

moxystudio/node-cross-spawn (cross-spawn)

v7.0.6

Compare Source

v7.0.5

Compare Source

v7.0.4

Compare Source

cypress-io/cypress (cypress)

v13.17.0

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#13-17-0

v13.16.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#13-16-1

v13.16.0

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-16-0

v13.15.2

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-15-2

v13.15.1

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-15-1

v13.15.0

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-15-0

v13.14.2

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-14-2

v13.14.1

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-14-1

v13.14.0

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-14-0

v13.13.3

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-13-3

v13.13.2

Compare Source

Changelog: https://docs.cypress.io/guides/references/changelog#13-13-2

eslint/eslint (eslint)

v8.57.1

Compare Source

Bug Fixes

• a19072f fix: add logic to handle fixTypes in the lintText() method (#​18900) (Francesco Trotta)
• 04c7188 fix: Don't lint same file multiple times (#​18899) (Francesco Trotta)
• 87ec3c4 fix: do not throw when defining a global named __defineSetter__ (#​18898) (Francesco Trotta)
• 60a1267 fix: Provide helpful error message for nullish configs (#​18889) (Milos Djermanovic)
• a0dea8e fix: allow name in global ignores, fix --no-ignore for non-global (#​18875) (Milos Djermanovic)
• 3836bb4 fix: do not crash on error in fs.walk filter (#​18886) (Milos Djermanovic)
• 2dec349 fix: skip processor code blocks that match only universal patterns (#​18880) (Milos Djermanovic)

Documentation

• 6a5add4 docs: v8.x Add EOL banner (#​18744) (Amaresh S M)
• b034575 docs: v8.x add version support page to the dropdown (#​18731) (Amaresh S M)
• 760ef7d docs: v8.x add version support page in the side navbar (#​18740) (Amaresh S M)
• 428b7ea docs: Add Powered by Algolia label to the search (#​18658) (Amaresh S M)
• c68c07f docs: version selectors synchronization (#​18265) (Milos Djermanovic)

Build Related

• 35d366a build: Support updates to previous major versions (#​18870) (Milos Djermanovic)

Chores

• 140ec45 chore: upgrade @​eslint/js@​8.57.1 ([#​18913](https://redirect

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box