[Snyk] Upgrade: yaml, qs, , , tslib, , , , ioredis, msgpackr, , , , , , , , , , , , , ajv, ansi-colors, env-var, get-tsconfig, gpt-tokenizer, graphql, joi, zod, openai, langchain, micromatch, mysql2, nanoid, neo4j-driver, octokit, passport, pg, pusher, randomstring, remove-markdown, set-cookie-parser, simple-git, stripe, tree-sitter, tree-sitter-typescript, type-fest, typescript, underscore, webpack, winston, winston-transport-sentry-node

[karlclement]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

yaml
from 2.3.1 to 2.5.0 | 10 versions ahead of your current version | 2 months ago
on 2024-07-24
qs
from 6.12.1 to 6.13.0 | 3 versions ahead of your current version | 2 months ago
on 2024-08-01
@gitbeaker/core
from 39.13.0 to 39.34.3 | 39 versions ahead of your current version | 7 months ago
on 2024-02-20
@gitbeaker/rest
from 39.13.0 to 39.34.3 | 39 versions ahead of your current version | 7 months ago
on 2024-02-20
tslib
from 2.4.1 to 2.7.0 | 9 versions ahead of your current version | a month ago
on 2024-08-23
@slack/oauth
from 2.6.2 to 2.6.3 | 1 version ahead of your current version | a month ago
on 2024-08-16
@types/express
from 4.17.13 to 4.17.21 | 8 versions ahead of your current version | 10 months ago
on 2023-11-07
@slack/bolt
from 3.18.0 to 3.21.1 | 4 versions ahead of your current version | a month ago
on 2024-08-16
ioredis
from 5.3.2 to 5.4.1 | 2 versions ahead of your current version | 5 months ago
on 2024-04-17
msgpackr
from 1.10.1 to 1.11.0 | 2 versions ahead of your current version | 2 months ago
on 2024-07-15
@types/airbnb__node-memwatch
from 2.0.0 to 2.0.3 | 3 versions ahead of your current version | 10 months ago
on 2023-11-06
@types/analytics-node
from 3.1.9 to 3.1.14 | 5 versions ahead of your current version | 10 months ago
on 2023-11-06
@types/command-line-args
from 5.2.0 to 5.2.3 | 3 versions ahead of your current version | 10 months ago
on 2023-11-07
@types/cors
from 2.8.12 to 2.8.17 | 5 versions ahead of your current version | 10 months ago
on 2023-11-20
@types/diff
from 5.0.9 to 5.2.2 | 3 versions ahead of your current version | 24 days ago
on 2024-08-28
@types/js-yaml
from 4.0.5 to 4.0.9 | 4 versions ahead of your current version | 10 months ago
on 2023-11-07
@types/micromatch
from 4.0.7 to 4.0.9 | 2 versions ahead of your current version | 3 months ago
on 2024-06-29
@types/morgan
from 1.9.3 to 1.9.9 | 6 versions ahead of your current version | 10 months ago
on 2023-11-07
@types/passport
from 1.0.8 to 1.0.16 | 8 versions ahead of your current version | 10 months ago
on 2023-11-21
@types/passport-github2
from 1.2.5 to 1.2.9 | 4 versions ahead of your current version | 10 months ago
on 2023-11-07
@types/passport-jwt
from 3.0.6 to 3.0.13 | 7 versions ahead of your current version | 10 months ago
on 2023-11-07
@types/set-cookie-parser
from 2.4.2 to 2.4.10 | 8 versions ahead of your current version | 2 months ago
on 2024-07-09
ajv
from 8.12.0 to 8.17.1 | 5 versions ahead of your current version | 2 months ago
on 2024-07-12
ansi-colors
from 4.1.1 to 4.1.3 | 2 versions ahead of your current version | 2 years ago
on 2022-05-16
env-var
from 7.1.1 to 7.5.0 | 7 versions ahead of your current version | 4 months ago
on 2024-05-20
get-tsconfig
from 4.7.3 to 4.8.0 | 4 versions ahead of your current version | 23 days ago
on 2024-08-29
gpt-tokenizer
from 2.1.2 to 2.2.1 | 2 versions ahead of your current version | 2 months ago
on 2024-07-18
graphql
from 16.8.1 to 16.9.0 | 4 versions ahead of your current version | 3 months ago
on 2024-06-21
joi
from 17.13.1 to 17.13.3 | 2 versions ahead of your current version | 3 months ago
on 2024-06-19
zod
from 3.23.4 to 3.23.8 | 4 versions ahead of your current version | 4 months ago
on 2024-05-08
openai
from 4.47.2 to 4.57.0 | 34 versions ahead of your current version | 23 days ago
on 2024-08-29
langchain
from 0.1.36 to 0.2.17 | 22 versions ahead of your current version | a month ago
on 2024-08-23
micromatch
from 4.0.7 to 4.0.8 | 1 version ahead of your current version | a month ago
on 2024-08-23
mysql2
from 3.10.2 to 3.11.0 | 2 versions ahead of your current version | 2 months ago
on 2024-07-27
nanoid
from 3.3.3 to 3.3.7 | 4 versions ahead of your current version | a year ago
on 2023-11-06
neo4j-driver
from 5.17.0 to 5.24.0 | 7 versions ahead of your current version | 23 days ago
on 2024-08-29
octokit
from 3.2.0 to 3.2.1 | 2 versions ahead of your current version | 5 months ago
on 2024-05-03
passport
from 0.6.0 to 0.7.0 | 1 version ahead of your current version | 10 months ago
on 2023-11-27
pg
from 8.11.3 to 8.12.0 | 4 versions ahead of your current version | 4 months ago
on 2024-06-04
pusher
from 5.0.1 to 5.2.0 | 5 versions ahead of your current version | 10 months ago
on 2023-11-13
randomstring
from 1.2.3 to 1.3.0 | 1 version ahead of your current version | a year ago
on 2023-06-02
remove-markdown
from 0.3.0 to 0.5.3 | 3 versions ahead of your current version | 23 days ago
on 2024-08-29
set-cookie-parser
from 2.5.1 to 2.7.0 | 2 versions ahead of your current version | 2 months ago
on 2024-08-01
simple-git
from 3.21.0 to 3.25.0 | 4 versions ahead of your current version | 3 months ago
on 2024-06-10
stripe
from 15.7.0 to 15.12.0 | 8 versions ahead of your current version | 3 months ago
on 2024-06-17
tree-sitter
from 0.20.6 to 0.21.1 | 2 versions ahead of your current version | 6 months ago
on 2024-03-28
tree-sitter-typescript
from 0.20.3 to 0.21.2 | 4 versions ahead of your current version | 2 months ago
on 2024-07-06
type-fest
from 4.17.0 to 4.26.0 | 14 versions ahead of your current version | 24 days ago
on 2024-08-28
typescript
from 5.4.5 to 5.5.4 | 106 versions ahead of your current version | 2 months ago
on 2024-07-22
underscore
from 1.13.6 to 1.13.7 | 1 version ahead of your current version | 2 months ago
on 2024-07-24
webpack
from 5.91.0 to 5.94.0 | 4 versions ahead of your current version | a month ago
on 2024-08-22
winston
from 3.7.2 to 3.14.2 | 13 versions ahead of your current version | a month ago
on 2024-08-14
winston-transport-sentry-node
from 2.3.0 to 2.8.0 | 7 versions ahead of your current version | 4 months ago
on 2024-06-03

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Denial of Service (DoS) SNYK-JS-WS-7266574	616	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	616	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	616	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-REMOVEMARKDOWN-73635	616	No Known Exploit

Release notes

Package name: yaml

• 2.5.0 - 2024-07-24
  
  • Add --indent option to CLI tool (#559, with thanks to @ danielbayley)
  • Require newline in all cases for props on block sequence (#557)
  • Always reset indentation in lexer on ... (#558)
  • Ignore minContentWidth if greater than lineWidth (#562)
  • Drop unused Collection.maxFlowStringSingleLineLength (#522, #421)
• 2.4.5 - 2024-06-08
  
  • Improve tab handling (#553, yaml-test-suite tests DK95 & Y79Y)
• 2.4.4 - 2024-06-08
  

  With special thanks to @ RedCMD for finding and reporting all of the following:

  • Allow comment after top-level block scalar with explicit indent indicator (#547)
  • Allow tab as indent for line comments before nodes (#548)
  • Do not allow tab before block collection (#549)
  • In flow collections, allow []{} immediately after : with plain key (#550)
  • Require indentation for ? explicit-key contents (#551)
  • Require indentation from block scalar header & flow collections in mapping values (#553)
• 2.4.3 - 2024-06-02
  
  • Improve error when parsing a non-string value (#459)
  • Do not parse -.NaN or +.nan as NaN (#546)
  • Support # within %TAG prefixes with trailing #comments
  • Check for non-node complex keys when stringifying with simpleKeys (#541)
• 2.4.2 - 2024-04-28
  
  • Restrict YAML 1.1 boolean strings to their explicit capitalization (#530)
  • Add sponsorship by Scipress (#536)
• 2.4.1 - 2024-03-06
  
  • cst: Do not drop trailing newline after line comment in block-map if followed by unindented block-seq value (#525)
  • Stringify flow collection comments in parent (#528)
  • Do not skip folding lines after the first in indented block scalars (#529)
• 2.4.0 - 2024-02-25
  
  • Add a command-line tool (#523)
  • Use the lineWidth option for line breaking in flow collections (#522)
• 2.3.4 - 2023-11-03
  
  • Do not throw for carriage return in tag shorthand (#501)
• 2.3.3 - 2023-10-14
  
  • Do not throw error on malformed URI escape in tag (#498)
• 2.3.2 - 2023-08-28
  
  • Fix docs typo (#489)
  • Do not require quotes for implicit keys with flow indicators (#494)
  • Update Prettier to v3 & update ESLint config
• 2.3.1 - 2023-05-26

from yaml GitHub release notes

Package name: qs

• 6.13.0 - 2024-08-01
  

  v6.13.0

• 6.12.3 - 2024-07-08
  

  v6.12.3

• 6.12.2 - 2024-07-01
  

  v6.12.2

• 6.12.1 - 2024-04-12
  

  v6.12.1

from qs GitHub release notes

Package name: tslib

• 2.7.0 - 2024-08-23
  

  What's Changed

  • Implement deterministic collapse of await in await using by @ rbuckton in #262
  • Use global 'Iterator.prototype' for downlevel generators by @ rbuckton in #267

  Full Changelog: v2.6.3...v2.7.0

• 2.6.3 - 2024-06-04
  

  What's Changed

  • 'await using' normative changes by @ rbuckton in #258

  Full Changelog: v2.6.2...v2.6.3

• 2.6.2 - 2023-08-18
  

  What's Changed

  • Fix path to exports["module"]["types"] by @ andrewbranch in #217

  Full Changelog: v2.6.1...v2.6.2

• 2.6.1 - 2023-07-24
  

  What's Changed

  • Allow functions as values in __addDisposableResource by @ rbuckton in #215
  • Stop using es6 syntax in the es6 file by @ andrewbranch in #216

  Full Changelog: 2.6.0...v2.6.1

• 2.6.0 - 2023-06-26
  

  What's Changed

  • Add helpers for using and await using by @ rbuckton in #213

  Full Changelog: v2.5.3...2.6.0

• 2.5.3 - 2023-06-02
  

  What's Changed

  • Do not reference tslib.es6.js from package.json exports by @ andrewbranch in #208

  Full Changelog: 2.5.2...v2.5.3

• 2.5.2 - 2023-05-18
  

  This release explicitly re-exports helpers to work around TypeScript's incomplete symbol resolution for tslib.

• 2.5.1 - 2023-05-17
  

  This release of tslib provides fixes for two issues.

  First, it reverses the order of init hooks provided by decorators to correctly reflect proposed behavior.

  Second, it corrects the exports field of tslib's package.json and provides accurate declaration files so that it may be consumed under the node16 and bundler settings for moduleResolution.

• 2.5.0 - 2023-01-26
  

  What's New

  • Fix asyncDelegator reporting done too early by @ apendua in #187
  • Add support for TypeScript 5.0's __esDecorate and related helpers by @ rbuckton in #193

  Full Changelog: 2.4.1...2.5.0

• 2.4.1 - 2022-10-31
  

  This release contains fixes for early returns and throws invoked on generators.

from tslib GitHub release notes

Package name: @slack/oauth

• 2.6.3 - 2024-08-16
  

  What's Changed

  This patch release bumps the minimum version of axios to 1.7.4 to address a CVE - see Axios 1.7.4 release notes for more information.

  Changelog

  • oauth(build): use a minimum version of @ slack/web-api@6.12.1 - Thanks @ zimeg! #1889

  Full Changelog: https://github.com/slackapi/node-slack-sdk/compare/@ slack/oauth@2.6.2...@ slack/oauth@2.6.3

• 2.6.2 - 2024-01-10

from @slack/oauth GitHub release notes

Package name: @types/express

• 4.17.21 - 2023-11-07
• 4.17.20 - 2023-10-18
• 4.17.19 - 2023-10-10
• 4.17.18 - 2023-09-23
• 4.17.17 - 2023-02-03
• 4.17.16 - 2023-01-23
• 4.17.15 - 2022-12-13
• 4.17.14 - 2022-09-13
• 4.17.13 - 2021-07-06

from @types/express GitHub release notes

Package name: @slack/bolt

• 3.21.1 - 2024-08-16
  

  What's Changed

  This patch release brings improvements to documentation and sureness in our CI, as well as security updates to certain @ slack packages - see CVE-2024-39338 and axios@1.7.4 for more details!

  Changes

  📚 Documentation

  • docs: document custom step usage - Thanks @ WilliamBergamin! #2198

  🔒 Security

  • chore(deps): set a minimum @ slack/web-api@^6.12.1 to address CVE-2024-39338 - Thanks @ zimeg! #2207

  🧰 Maintenance

  • ci: add bolt-ts-custom-function-template to list of test samples - Thanks @ filmaj! #2205

  Full Changelog: https://github.com/slackapi/bolt-js/compare/@ slack/bolt@3.21.0...@ slack/bolt@3.21.1

• 3.21.0 - 2024-08-14
  

  What's Changed

  Bolt-JS now supports Custom Steps! That's right, your trusty Bolt app now let's you expose Custom Steps in Bolt, allowing you to provide steps for use in Workflow Builder.

  You can now use the new function() method to register handlers for the function_executed event. Check out our API docs on the topic to get started.

  Changelog

  • Add support for remote functions by @ misscoded in #2026
  • chore(deps): bump axios to 1.7.4 to address CVE by @ helzahalim in #2201
  • chore: purge the "workflow step" terminology by @ WilliamBergamin in #2199

  New Contributors

  • @ helzahalim made their first contribution in #2201

  Full Changelog: https://github.com/slackapi/bolt-js/compare/@ slack/bolt@3.20.0...@ slack/bolt@3.21.0

• 3.20.0 - 2024-08-12
  

  What's Changed

  • Add missing Events API payload types by @ seratch in #2155
  • docs: replacement steps from apps with custom functions by @ lukegalbraithrussell in #2149
  • Add an optional handler for invalid request signature error by @ dophsquare in #2154
  • Add missing properties in app_mention event payload by @ seratch in #2160
  • fix: add ts to PinnedMessageItem interface by @ maxretries in #2164
  • fix: add missing fields in ChannelCreatedEvent by @ maxretries in #2166
  • Fix broken link in "external select" section by @ ornato-t in #2169
  • Docs: adds Docusaurus site by @ lukegalbraithrussell in #2174
  • Docs: remove overzealous redirect by @ lukegalbraithrussell in #2177
  • docs - add manual redirects scripts by @ lukegalbraithrussell in #2178
  • Docs: Adds landing page and redirects by @ lukegalbraithrussell in #2179
  • Docs - fixes README image link by @ lukegalbraithrussell in #2180
  • Docs: remove superfluous files by @ lukegalbraithrussell in #2181
  • Fix Bold Text Rendering Issue by @ suekou in #2183
  • chore(deps-dev): bump @ types/node from 22.1.0 to 20.14.2 by @ dependabot in #2192
  • chore(deps): bump axios to 1.7.3 to address CVE by @ filmaj in #2194
  • Publish @ slack/bolt@3.20.0 by @ filmaj in #2195

  New Contributors

  • @ dophsquare made their first contribution in #2154
  • @ maxretries made their first contribution in #2164
  • @ ornato-t made their first contribution in #2169
  • @ suekou made their first contribution in #2183

  Full Changelog: https://github.com/slackapi/bolt-js/compare/@ slack/bolt@3.19.0...@ slack/bolt@3.20.0

• 3.19.0 - 2024-06-19
  

  What's Changed

  More customizations for the AwsLambdaReceiver have landed as well as a few touchups to typings and documented details!

  With this release, the signature verification for AwsLambdaReceiver can now be turned off if that's something you're interested in! Perhaps you have your own stylish way of verifying these signatures. The following can be added to your receiver to unlock this:

  const { App, AwsLambdaReceiver } = require('@ slack/bolt');

  const app = new App({
  ...
  receiver: new AwsLambdaReceiver({
  signatureVerification: false,
  }),
  });

  Read on and browse around for more details on all of the changes included!

  🎁 Enhancements

  • Add flag to AwsLambdaReceiver to enable/disable signature verification in #2107 - thanks @ noah-guillory!

  🐛 Fixes

  • Add a type predicate for CodedError in #2110 - thanks @ filmaj!
  • ButtonAction value field not required in #2134 - thanks @ srajiang!
  • fix(types): return void promises from the express receiver middleware parser in #2141 - thanks @ zimeg!

  📚 Documentation

  • docs: fixed duplicative header links in reference in #2120 - thanks @ lukegalbraithrussell!
  • docs: deprecate Steps from Apps docs in #2130 - thanks @ filmaj!
  • docs: add JSDoc to and list out all available builtin middleware functions in the docs in #2136 - thanks @ filmaj!

  🧰 Maintenance

  • ci(test): perform unit testing against node version 22 in #2140 - thanks @ zimeg!
  • chore(release): tag version @ slack/bolt@3.19.0 in #2142 - thanks @ zimeg!

  📦 Dependencies

  • Bump @ types/node from 20.12.7 to 20.12.10 in #2111 - thanks @ dependabot...

[ghost]

Hi there, Squire here! 👋

Here's what I can do today:

• /squire review - Call me to perform a review of this PR
• /squire clear - delete all comments Squire has left in this PR.
• /squire summary - I'll summarize the current state of the PR in a comment based on the latest commits.
• /squire update-description - I'll update the PR description with a summary of the current state of the PR based on the latest commits.
• /squire help - I'll remind you of all the commands I can do.

You can always clear and then run review again if you've committed more to get a fresh review.

For more info, including how to add our generated PR descriptions to a template, check out our docs: https://docs.squire.ai/

[ghost]

Pull request summary created by Squire AI

Summary

This pull request updates multiple dependencies to their latest versions using Snyk. The updates include packages such as yaml, qs, tslib, ioredis, msgpackr, ajv, ansi-colors, env-var, graphql, joi, zod, openai, langchain, micromatch, mysql2, nanoid, neo4j-driver, octokit, passport, pg, pusher, randomstring, remove-markdown, set-cookie-parser, simple-git, stripe, tree-sitter, type-fest, typescript, underscore, webpack, winston, and winston-transport-sentry-node. These updates aim to improve security, performance, and compatibility.

4fec9cd...906abdc

File Summary

File Changes

• package.json: Updated multiple dependencies to their latest versions.

4fec9cd...906abdc