Skip to content

Bump the npm_and_yarn group across 2 directories with 4 updates#3

Open
dependabot[bot] wants to merge 1 commit intodevfrom
dependabot/npm_and_yarn/npm_and_yarn-b0e91cb582
Open

Bump the npm_and_yarn group across 2 directories with 4 updates#3
dependabot[bot] wants to merge 1 commit intodevfrom
dependabot/npm_and_yarn/npm_and_yarn-b0e91cb582

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Feb 19, 2026

Bumps the npm_and_yarn group with 4 updates in the / directory: axios, koa, pug and qs.
Bumps the npm_and_yarn group with 4 updates in the /packages/backend directory: axios, koa, pug and qs.

Updates axios from 1.7.4 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

  • Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
  • Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

  • Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

  • Fix/5657. (PR #7313)
  • Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

  • Add input validation to isAbsoluteURL. (PR #7326)
  • Refactor: bump minor package versions. (PR #7356)

Documentation

  • Clarify object-check comment. (PR #7323)
  • Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

  • Chore: fix issues with YAML. (PR #7355)
  • CI: update workflow YAMLs. (PR #7372)
  • CI: fix run condition. (PR #7373)
  • Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
  • Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

  • fix: issues with version 1.13.3 (#7352) (ee90dfc)
    • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

... (truncated)

Commits
  • 29f7542 chore(release): prepare release 1.13.5 (#7379)
  • 431c3a3 ci: fix run condition (#7373)
  • 9ff3a78 ci: update ymls (#7372)
  • 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
  • 475e75a feat: add input validation to isAbsoluteURL (#7326)
  • 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
  • 04cf019 docs: clarify object check comment (#7323)
  • 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
  • 569f028 fix: added a option to choose between legacy and the new request/response int...
  • 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.


Updates koa from 2.14.2 to 3.0.3

Release notes

Sourced from koa's releases.

v3.0.3

What's Changed

Full Changelog: koajs/koa@v3.0.2...v3.0.3

v3.0.2

What's Changed

New Contributors

Full Changelog: koajs/koa@v3.0.1...v3.0.2

v3.0.1

What's Changed

Full Changelog: koajs/koa@v3.0.0...v3.0.1

v3.0.0

This is a major release.

Breaking

  • Minimum node v18
  • Removes .redirect('back'), adds .back(fallback_url) @​fl0w koajs/koa#1115
  • For .redirect(), don't render redirect values in anchor ref koajs/koa@ff25eb4
  • req.origin should display the origin header if it exists, not the current hostname koajs/koa#1008. origin now aligns with the Origin header as used in CORS.
  • .body=<json> should not overwrite type if type already json koajs/koa#1120
  • Remove special ENOENT support koajs/koa#1861 - this is a big change and will require any file servers to adapt to this change for handling 404s / files not found
  • Removes generator deprecation messages. Generators are no longer supported. Koa no longer asserts if generators are used. Set content-length: 0 if body is explicitly set to null @​ognjenjevremovic #1528 Remove obsolete createAsyncCtxStorageMiddleware koajs/koa#1817
  • ctx.throw now requires a format of ctx.throw(status, error, properties). See: https://www.npmjs.com/package/http-errors

... (truncated)

Changelog

Sourced from koa's changelog.

[!IMPORTANT] Moving forwards we are using the GitHub releases page at https://github.com/koajs/koa/releases in combination with np for publishing releases and their changelogs.

3.0.0-alpha.3 / 2025-02-11

fixes

  • Avoid redos on host and protocol getter

3.0.0-alpha.2 / 2024-11-04

breaking changes

  • Update http-errors to v2.0.0 #1486
  • Remove res.redirect('back'), add back() method to ctx #1115
  • Replace node querystring with URLSearchParams #1828
  • Remove obsolete createAsyncCtxStorageMiddleware #1817

features

  • Add support for web WHATWG #1830

updates

  • Update cookies to ~0.9.1 #1846
  • Update statuses to ^2.0.1
  • Update supertest to ^7.0.0 #1841

fixes

  • Fix exports.defaults in package.json #1630
  • Fix leaky handles in tests #1838
  • Fix body null checks #1814
  • Fix reformatting redirect URLs #1805 #1804
  • Fix passing ctx in error handler #1758

migrations

  • Migrate from jest to the native node test runner #1845

3.0.0-alpha.1 / 2023-04-12

fixes

3.0.0-alpha.0 / 2023-01-02

Breaking Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for koa since your current version.


Updates pug from 2.0.4 to 3.0.3

Release notes

Sourced from pug's releases.

pug-code-gen@3.0.3

Bug Fixes

  • Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

pug@3.0.3

Bug Fixes

  • Update pug-code-gen with the following fix: (#3438)

    Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

pug-code-gen@3.0.2

Bug Fixes

  • Sanitise the pretty option (#3314)

    If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

pug@3.0.2

Bug Fixes

  • Serialize Buffers to strings when storing sources for use with compileDebug: true (#3269)

pug-code-gen@3.0.1

Bug Fixes

  • Update with to resolve core-js deprecation notice (#3259)

pug-runtime@3.0.1

Bug Fixes

  • Properly handle non-string values when rethrowing errors (#3269)

pug@3.0.1

Bug Fixes

  • Sanitise the pretty option (#3314)

    If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible, see #3312 for more details.

pug-attrs@3.0.0

Breaking Changes

  • Drop support for node 6 and 8 (#3243)

pug-code-gen@3.0.0

Breaking Changes

  • Drop support for node 6 and 8 (#3243)

... (truncated)

Commits
  • 32acfe8 fix: ensure template names are valid identifiers (#3438)
  • 4767caf refactor: convert pug-error to TypeScript (#3355)
  • a724446 chore: update character-parser (#3354)
  • 6cca8f7 docs: fix GitHub format in README (#3335)
  • d4b7f60 Properly handle errors originating from included files when compileDebug is e...
  • d6f0615 fix capture groups for "each" statements (#3274)
  • 73ea7cf fix: keep lexer plugins inside tag interpolation (#3296)
  • 29a53c5 fix: Fix pug-lexer parsed escaped interpolations incorrectly (#3299)
  • 60b1b15 chore: update supported versions (#3315)
  • 991e78f fix: sanitise and escape the pretty option (#3314)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by pug-bot, a new releaser for pug since your current version.


Updates qs from 6.11.2 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

  • [Robustness] avoid .push, use void
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [actions] fix rebase workflow permissions

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup

... (truncated)

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates axios from 1.7.4 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

  • Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
  • Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

  • Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

  • Fix/5657. (PR #7313)
  • Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

  • Add input validation to isAbsoluteURL. (PR #7326)
  • Refactor: bump minor package versions. (PR #7356)

Documentation

  • Clarify object-check comment. (PR #7323)
  • Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

  • Chore: fix issues with YAML. (PR #7355)
  • CI: update workflow YAMLs. (PR #7372)
  • CI: fix run condition. (PR #7373)
  • Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
  • Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

  • fix: issues with version 1.13.3 (#7352) (ee90dfc)
    • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

... (truncated)

Commits
  • 29f7542 chore(release): prepare release 1.13.5 (#7379)
  • 431c3a3 ci: fix run condition (#7373)
  • 9ff3a78 ci: update ymls (#7372)
  • 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
  • 475e75a feat: add input validation to isAbsoluteURL (#7326)
  • 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
  • 04cf019 docs: clarify object check comment (#7323)
  • 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
  • 569f028 fix: added a option to choose between legacy and the new request/response int...
  • 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.


Updates koa from 2.14.2 to 3.0.3

Release notes

Sourced from koa's releases.

v3.0.3

What's Changed

Full Changelog: koajs/koa@v3.0.2...v3.0.3

v3.0.2

What's Changed

New Contributors

Full Changelog: koajs/koa@v3.0.1...v3.0.2

v3.0.1

What's Changed

Full Changelog: koajs/koa@v3.0.0...v3.0.1

v3.0.0

This is a major release.

Breaking

  • Minimum node v18
  • Removes .redirect('back'), adds .back(fallback_url) @​fl0w koajs/koa#1115
  • For .redirect(), don't render redirect values in anchor ref koajs/koa@ff25eb4
  • req.origin should display the origin header if it exists, not the current hostname koajs/koa#1008. origin now aligns with the Origin header as used in CORS.
  • .body=<json> should not overwrite type if type already json koajs/koa#1120
  • Remove special ENOENT support koajs/koa#1861 - this is a big change and will require any file servers to adapt to this change for handling 404s / files not found
  • Removes generator deprecation messages. Generators are no longer supported. Koa no longer asserts if generators are used. Set content-length: 0 if body is explicitly set to null @​ognjenjevremovic #1528 Remove obsolete createAsyncCtxStorageMiddleware koajs/koa#1817
  • ctx.throw now requires a format of ctx.throw(status, error, properties). See: https://www.npmjs.com/package/http-errors

... (truncated)

Changelog

Sourced from koa's changelog.

[!IMPORTANT] Moving forwards we are using the GitHub releases page at https://github.com/koajs/koa/releases in combination with np for publishing releases and their changelogs.

3.0.0-alpha.3 / 2025-02-11

fixes

  • Avoid redos on host and protocol getter

3.0.0-alpha.2 / 2024-11-04

breaking changes

  • Update http-errors to v2.0.0 #1486
  • Remove res.redirect('back'), add back() method to ctx #1115
  • Replace node querystring with URLSearchParams #1828
  • Remove obsolete createAsyncCtxStorageMiddleware #1817

features

  • Add support for web WHATWG #1830

updates

  • Update cookies to ~0.9.1 #1846
  • Update statuses to ^2.0.1
  • Update supertest to ^7.0.0 #1841

fixes

  • Fix exports.defaults in package.json #1630
  • Fix leaky handles in tests #1838
  • Fix body null checks #1814
  • Fix reformatting redirect URLs #1805 #1804
  • Fix passing ctx in error handler #1758

migrations

  • Migrate from jest to the native node test runner #1845

3.0.0-alpha.1 / 2023-04-12

fixes

3.0.0-alpha.0 / 2023-01-02

Breaking Changes

... (truncated)

Commits

@dependabot
Bump the npm_and_yarn group across 2 directories with 4 updates
ad03e59 
Bumps the npm_and_yarn group with 4 updates in the / directory: [axios](https://github.com/axios/axios), [koa](https://github.com/koajs/koa), [pug](https://github.com/pugjs/pug) and [qs](https://github.com/ljharb/qs).
Bumps the npm_and_yarn group with 4 updates in the /packages/backend directory: [axios](https://github.com/axios/axios), [koa](https://github.com/koajs/koa), [pug](https://github.com/pugjs/pug) and [qs](https://github.com/ljharb/qs).


Updates `axios` from 1.7.4 to 1.13.5
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.7.4...v1.13.5)

Updates `koa` from 2.14.2 to 3.0.3
- [Release notes](https://github.com/koajs/koa/releases)
- [Changelog](https://github.com/koajs/koa/blob/master/History.md)
- [Commits](koajs/koa@2.14.2...v3.0.3)

Updates `pug` from 2.0.4 to 3.0.3
- [Release notes](https://github.com/pugjs/pug/releases)
- [Commits](https://github.com/pugjs/pug/compare/pug@2.0.4...pug@3.0.3)

Updates `qs` from 6.11.2 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.11.2...v6.14.2)

Updates `axios` from 1.7.4 to 1.13.5
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.7.4...v1.13.5)

Updates `koa` from 2.14.2 to 3.0.3
- [Release notes](https://github.com/koajs/koa/releases)
- [Changelog](https://github.com/koajs/koa/blob/master/History.md)
- [Commits](koajs/koa@2.14.2...v3.0.3)

Updates `pug` from 2.0.4 to 3.0.3
- [Release notes](https://github.com/pugjs/pug/releases)
- [Commits](https://github.com/pugjs/pug/compare/pug@2.0.4...pug@3.0.3)

Updates `qs` from 6.11.2 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.11.2...v6.14.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: koa
  dependency-version: 3.0.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: pug
  dependency-version: 3.0.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: koa
  dependency-version: 3.0.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: pug
  dependency-version: 3.0.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 19, 2026
@dependabot dependabot bot mentioned this pull request Feb 19, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants