chore(deps): bump the production-dependencies group across 1 directory with 8 updates

[dependabot]

Bumps the production-dependencies group with 8 updates in the / directory:

Package	From	To
better-sqlite3	12.5.0	12.8.0
cors	2.8.5	2.8.6
express-rate-limit	8.2.1	8.3.1
express-session	1.18.2	1.19.0
ioredis	5.8.2	5.10.1
pg	8.16.3	8.20.0
yaml	2.8.2	2.8.3
zod	4.2.1	4.3.6

Updates better-sqlite3 from 12.5.0 to 12.8.0

Release notes

Sourced from better-sqlite3's releases.

v12.8.0

What's Changed

• Readme: requires Node.js v20 or later by @​Prinzhorn in WiseLibs/better-sqlite3#1443
• Update SQLite to version 3.51.3 in WiseLibs/better-sqlite3#1460
• fix: use HolderV2() for PropertyCallbackInfo on V8 >= 12.5 by @​tstone-1 in WiseLibs/better-sqlite3#1459

New Contributors

• @​tstone-1 made their first contribution in WiseLibs/better-sqlite3#1459

Why SQLite v3.51.3 instead of v3.52.0

From the SQLite team:

Some important issues have been found with version 3.52.0. In order to give us time to deal with those issues, we plan to withdraw the 3.52.0 release. In its place, we will put up a new 3.51.3 patch release that includes a fix for the recently discovered WAL-reset bug as well as other patches. This will happen probably within about the next twelve hours.

Hence, if you were planning to upgrade to 3.52.0 tomorrow (Friday, 2026-03-14), perhaps it would be better to wait a day or so for 3.51.3.

At some point we will do version 3.52.1 which will hopefully resolve the issues that have arisen with the 3.52.0 release.

Full Changelog: WiseLibs/better-sqlite3@v12.7.1...v12.8.0

v12.7.1

Also not a viable release

The V8 API change was more bonkers than expected. See v12.8.0.

What's Changed

• fix: use Holder() instead of This() for Electron 41 compatibility by @​mceachen in WiseLibs/better-sqlite3#1456
• Roll back to SQLite to version 3.51.2 in WiseLibs/better-sqlite3#1457

Full Changelog: WiseLibs/better-sqlite3@v12.7.0...v12.7.1

v12.7.0

CAUTION: NOT A VIABLE RELEASE

Two (!!) reasons:

1. Electron v41 bit us and removed functions we were using, so a bunch of prebuilds are missing
2. From the SQLite team:

   Some important issues have been found with version 3.52.0. In order to give us time to deal with those issues, we plan to withdraw the 3.52.0 release. In its place, we will put up a new 3.51.3 patch release that includes a fix for the recently discovered WAL-reset bug as well as other patches. This will happen probably within about the next twelve hours.

What's Changed

• chore(build.yml): update Electron version support to include v41 by @​mceachen in WiseLibs/better-sqlite3#1452
• Fix Node v25 test errors by @​m4heshd in WiseLibs/better-sqlite3#1454
• Update SQLite to version 3.52.0 in WiseLibs/better-sqlite3#1449
• Revert "Fix Node v25 test errors" by @​mceachen in WiseLibs/better-sqlite3#1455

Full Changelog: WiseLibs/better-sqlite3@v12.6.2...v12.7.0

... (truncated)

Commits

• fe774f5 12.8.0
• 8617ed6 fix: use HolderV2() for PropertyCallbackInfo on V8 >= 12.5 (#1459)
• 959a018 Update SQLite to version 3.51.3 (#1460)
• 43729c0 Readme: requires Node.js v20 or later (#1443)
• 27dc751 12.7.1
• db1119c Update SQLite to version 3.51.2 (#1457)
• d2c4815 fix: use Holder() instead of This() for Electron 41 compatibility (#1456)
• ef9ffce 12.7.0
• 3be46ff Revert "Fix Node v25 test errors" (#1455)
• f3a44a4 Update SQLite to version 3.52.0 (#1449)
• Additional commits viewable in compare view

Updates cors from 2.8.5 to 2.8.6

Release notes

Sourced from cors's releases.

v2.8.6

What's Changed

• Build: Node.js@12.16 and Node.js.13.12 by @​smondal in expressjs/cors#189
• Update README.md for origin function callback parameters by @​dstudzinski in expressjs/cors#180
• Suggest passing false for disallowed domains, not erroring by @​shackpank in expressjs/cors#175
• Changed the term whitelist to allowlist in Documentation by @​jkasun in expressjs/cors#200
• Fix typo in README by @​alex-grover in expressjs/cors#207
• Added new link & website in the README by @​manjunath00 in expressjs/cors#269
• Fix functions call with extra parameter by @​LuisEGR in expressjs/cors#245
• 🐛 Fix readme status badge by @​homersimpsons in expressjs/cors#306
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/cors#321
• ci: fix errors in ci github action for node 8 by @​inigomarquinez in expressjs/cors#322
• test: improved test robustness by @​Alex-GF in expressjs/cors#320
• chore: upgrade scorecard workflow pinned action versions by @​carpasse in expressjs/cors#341
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/cors#340
• docs: remove broken link to demo site by @​dpopp07 in expressjs/cors#344
• OSSF Scorecard recommendations by @​UlisesGascon in expressjs/cors#350
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 by @​dependabot[bot] in expressjs/cors#351
• build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/cors#353
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot[bot] in expressjs/cors#354
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @​dependabot[bot] in expressjs/cors#355
• build(deps-dev): bump express from 4.17.1 to 4.21.2 by @​dependabot[bot] in expressjs/cors#356
• build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @​dependabot[bot] in expressjs/cors#352
• build(deps-dev): bump mocha from 9.1.1 to 9.2.2 by @​dependabot[bot] in expressjs/cors#358
• update the docs for per request config by @​jonchurch in expressjs/cors#338
• (fix): readme updated for #271 origin option for * by @​dhananjaysa92 in expressjs/cors#289
• ci: upgrade Node versions by @​UlisesGascon in expressjs/cors#359
• chore: add funding to package.json by @​bjohansebas in expressjs/cors#363
• build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 by @​dependabot[bot] in expressjs/cors#371
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/cors#370
• docs: Cleanup README by @​efekrskl in expressjs/cors#374
• chore: add node v25 by @​imangas in expressjs/cors#375
• Extend CI test matrix by @​imangas in expressjs/cors#376
• docs: simplify code examples with header comments by @​jonchurch in expressjs/cors#386
• docs: tweak intro, add note w/ browser enforcement, FAQ by @​jonchurch in expressjs/cors#385
• chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball by @​Phillip9587 in expressjs/cors#388
• Release: 2.8.6 by @​UlisesGascon in expressjs/cors#390

New Contributors

• @​smondal made their first contribution in expressjs/cors#189
• @​dstudzinski made their first contribution in expressjs/cors#180
• @​shackpank made their first contribution in expressjs/cors#175
• @​jkasun made their first contribution in expressjs/cors#200
• @​alex-grover made their first contribution in expressjs/cors#207
• @​manjunath00 made their first contribution in expressjs/cors#269
• @​LuisEGR made their first contribution in expressjs/cors#245
• @​homersimpsons made their first contribution in expressjs/cors#306
• @​inigomarquinez made their first contribution in expressjs/cors#321
• @​Alex-GF made their first contribution in expressjs/cors#320
• @​carpasse made their first contribution in expressjs/cors#341

... (truncated)

Changelog

Sourced from cors's changelog.

2.8.6 / 2026-01-22

• Improve documentation (API, context, examples...)
• Remove additional markdown files from tarball

Commits

• f00a8c1 2.8.6 (#390)
• 848e2bd chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388)
• cf8947e docs: tweak intro, add note w/ browser enforcement, FAQ (#385)
• bbf62a5 docs: simplify code examples with header comments (#386)
• f442e77 Extend CI test matrix (#376)
• d5cf6cd ci: add support for node@25 (#375)
• 7e6f7ee docs: revamp content (#374)
• b25644c build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370)
• f881e91 build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371)
• 9a9a760 chore: add funding to package.json (#363)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cors since your current version.

Updates express-rate-limit from 8.2.1 to 8.3.1

Release notes

Sourced from express-rate-limit's releases.

v8.3.1

You can view the changelog here.

v8.3.0

You can view the changelog here.

Commits

• 47e5b29 8.3.1
• eb61179 v8.3.1 changelog
• a17377d Fix broken link for contributing guide
• 5aa3f6c fix: revert the dts-bundle-generator update
• 06dea83 ci: run test on node 20, 22, 24, 25 and drop 18 as it reached eol
• c86a27d chore: update dependencies
• 8898ffa chore: migrate biome schema and run formatter
• dd544fd docs: update changelog with backported releases
• 9c90752 ci: setup oidc connect with npm for automatatic publish
• e4477fa 8.3.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for express-rate-limit since your current version.

Updates express-session from 1.18.2 to 1.19.0

Release notes

Sourced from express-session's releases.

v1.19.0

What's Changed

Main Changes

• Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.

  var app = express()
  app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: function (req) {
      var match = req.url.match(/^\/([^/]+)/);
      return {
        path: match ? '/' + match[1] : '/',
        httpOnly: true,
        secure: req.secure || false,
        maxAge: 60000
      }
    }
  }))

• Add sameSite 'auto' support for automatic SameSite attribute configuration Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

• deps: use tilde notation for dependencies

PRs

• chore: add funding to package.json by @​bjohansebas in expressjs/session#1071
• build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @​dependabot[bot] in expressjs/session#1086
• build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @​dependabot[bot] in expressjs/session#1085
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @​dependabot[bot] in expressjs/session#1091
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/session#1090
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @​dependabot[bot] in expressjs/session#1089
• build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @​dependabot[bot] in expressjs/session#1088
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @​dependabot[bot] in expressjs/session#1082
• refactor: remove unused sess parameter from generateSessionId fun… by @​Ayoub-Mabrouk in expressjs/session#1001
• chore: remove history.md from being packaged on publish by @​bjohansebas in expressjs/session#1097
• deps: use tilde notation for dependencies by @​bjohansebas in expressjs/session#1096
• Add sameSite 'auto' support to match secure 'auto' pattern by @​djunehor in expressjs/session#1087
• feat: add support to dynamic cookie options by @​lincond in expressjs/session#1027
• Release: 1.19.0 by @​UlisesGascon in expressjs/session#1107

New Contributors

• @​Ayoub-Mabrouk made their first contribution in expressjs/session#1001
• @​djunehor made their first contribution in expressjs/session#1087
• @​lincond made their first contribution in expressjs/session#1027

... (truncated)

Changelog

Sourced from express-session's changelog.

1.19.0 / 2026-01-22

• Add dynamic cookie options support
• Add sameSite 'auto' support for automatic SameSite attribute configuration
• deps: use tilde notation for dependencies

Commits

• c10b2a3 1.19.0 (#1107)
• 2673736 feat: add support to dynamic cookie options (#1027)
• 73e0193 Add sameSite 'auto' support to match secure 'auto' pattern (#1087)
• 264b6a0 deps: use tilde notation for dependencies (#1096)
• 6d69f09 chore: remove history.md from being packaged on publish (#1097)
• 00b8a5f refactor: remove unused sess parameter from generateSessionId function (#...
• 2cd6561 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1082)
• 1307f30 build(deps): bump actions/checkout from 4.2.2 to 6.0.0 (#1088)
• 0e7a438 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#1089)
• a095a9a build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1090)
• Additional commits viewable in compare view

Updates ioredis from 5.8.2 to 5.10.1

Release notes

Sourced from ioredis's releases.

v5.10.1

5.10.1 (2026-03-19)

Bug Fixes

• cluster: lazily start sharded subscribers (#2090) (4f167bb)

v5.10.0

5.10.0 (2026-02-27)

Features

• add hash field expiration commands and tests (5219f9f)
• add hexpireat & hexpiretime (#2082) (b38124f)

v5.9.3

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#2072) (8adb1ae)
• fix issue with moved command for replicas (#2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#2066) (0a1a898)

v5.9.2

5.9.2 (2026-01-15)

Bug Fixes

• cluster: Cluster reconnect sharded subscribers (#2060) (def9804)
• preserve replica slots on MOVED in pipelines (#2059) (a1c3e9d)

Reverts

• Revert "fix: preserve replica slots on MOVED in pipelines (#2059)" (#2062) (517b932), closes #2059 #2062

v5.9.1

5.9.1 (2026-01-08)

Bug Fixes

• make client-side blocking timeouts opt-in (#2058) (07ed493)

v5.9.0

... (truncated)

Changelog

Sourced from ioredis's changelog.

5.10.1 (2026-03-19)

Bug Fixes

• cluster: lazily start sharded subscribers (#2090) (4f167bb)

5.10.0 (2026-02-27)

Features

• add hash field expiration commands and tests (5219f9f)
• add hexpireat & hexpiretime (#2082) (b38124f)

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#2072) (8adb1ae)
• fix issue with moved command for replicas (#2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#2066) (0a1a898)

5.9.3 (2026-02-12)

Bug Fixes

• autopipelining to route writes to masters with scaleReads (#2072) (8adb1ae)
• fix issue with moved command for replicas (#2064) (de4eed4)
• types: optional properties on RedisOptions allow explicit undefined (#2066) (0a1a898)

5.9.2 (2026-01-15)

Bug Fixes

• cluster: Cluster reconnect sharded subscribers (#2060) (def9804)
• preserve replica slots on MOVED in pipelines (#2059) (a1c3e9d)

Reverts

• Revert "fix: preserve replica slots on MOVED in pipelines (#2059)" (#2062) (517b932), closes #2059 #2062

5.9.1 (2026-01-08)

Bug Fixes

... (truncated)

Commits

• 9e26f8b chore(release): 5.10.1 [skip ci]
• 4f167bb fix(cluster): lazily start sharded subscribers (#2090)
• 623cee5 chore(release): 5.10.0 [skip ci]
• 5219f9f feat: add hash field expiration commands and tests
• b38124f feat: add hexpireat & hexpiretime (#2082)
• 232e548 ci: make Coveralls steps non-blocking in test_with_cov workflow (#2083)
• cd19ab0 chore(release): 5.9.3 [skip ci]
• 326528b chore(release): 5.9.3 [skip ci]
• 0a1a898 fix(types): optional properties on RedisOptions allow explicit undefined (#2066)
• 8adb1ae fix: autopipelining to route writes to masters with scaleReads (#2072)
• Additional commits viewable in compare view

Updates pg from 8.16.3 to 8.20.0

Changelog

Sourced from pg's changelog.

pg@8.20.0

• Add onConnect callback to pg.Pool constructor options allowing for async initialization of newly created & connected pooled clients.

pg@8.19.0

• Deprecate interal query queue.
• Pass connection parameters to password callback.

pg@8.18.0

• Return the client instance as the result of calling connect (previously it was void).

pg@8.17.0

• Throw correct error if database URL parsing fails.

pg@8.16.0

• Add support for min connection pool size.

pg@8.15.0

• Add support for esm importing. CommonJS importing is still also supported.

pg@8.14.0

• Add support from SCRAM-SAH-256-PLUS i.e. channel binding.

pg@8.13.0

• Add ability to specify query timeout on per-query basis.

pg@8.12.0

• Add queryMode config option to force use of the extended query protocol on queries without any parameters.

pg-pool@8.10.0

• Emit release event when client is returned to the pool.

pg@8.9.0

• Add support for stream factory.
• Better errors for SASL authentication.
• Use native crypto module for SASL authentication.

pg@8.8.0

• Bump minimum required version of native bindings.

... (truncated)

Commits

• c9070cc Publish
• ad36e3c fix: typo in deprecation notice for client.query() (#3618)
• f2d7d11 Publish
• 5a4bafc Deprecate Client's internal query queue (#3603)
• a215bfb Typo fix in PgPass deprecation (funciton) (#3605)
• 01e0556 fix(pg-query-stream): invoke this.callback on cursor end/error (#2810)
• e6e3692 Pass connection parameters to password callback (#3602)
• d80d883 test: Fix TLS connection test ending too early
• f332f28 fix: Connection timeout handling for native clients in connected state (#3512)
• b2e9cb1 Remove testAsync - its redundant (#3588)
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.3

Release notes

Sourced from yaml's releases.

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• 9424dee chore: Refresh lockfile
• d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
• 4321509 ci: Drop the branch filter from GitHub PR actions
• 47207d0 chore: Update docs-slate
• 5212fae chore: Update docs-slate
• See full diff in compare view

Updates zod from 4.2.1 to 4.3.6

Release notes

Sourced from zod's releases.

v4.3.6

Commits:

• 9977fb0868432461de265a773319e80a90ba3e37 Add brand.dev to sponsors
• f4b7bae3468f6188b8f004e007d722148fc91d77 Update pullfrog.yml (#5634)
• 251d7163a0ac7740fee741428d913e3c55702ace Clean up workflow_call
• edd4132466da0f5065a8e051b599d01fdd1081d8 fix: add missing User-agent to robots.txt and allow all (#5646)
• 85db85e9091d0706910d60c7eb2e9c181edd87bd fix: typo in codec.test.ts file (#5628)
• cbf77bb12bdfda2e054818e79001f5cb3798ce76 Avoid non null assertion (#5638)
• dfbbf1c1ae0c224b8131d80ddf0a264262144086 Avoid re-exported star modules (#5656)
• 762e911e5773f949452fd6dd4e360f2362110e8e Generalize numeric key handling
• ca3c8629c0c2715571f70b44c2433cad3db7fe4e v4.3.6

v4.3.5

Commits:

• 21afffdb42ccab554036312e33fed0ea3cb8f982 [Docs] Update migration guide docs for deprecation of message (#5595)
• e36743e513aadb307b29949a80d6eb0dcc8fc278 Improve mini treeshaking
• 0cdc0b8597999fd9ca99767b912c1e82c1ff2d6c 4.3.5

v4.3.4

Commits:

• 1a8bea3b474eada6f219c163d0d3ad09fadabe72 Add integration tests
• e01cd02b2f23d7e9078d3813830b146f8a2258b4 Support patternProperties for looserecord (#5592)
• 089e5fbb0f58ce96d2c4fb34cd91724c78df4af5 Improve looseRecord docs
• decef9c418d9a598c3f1bada06891ba5d922c5cd Fix lint
• 9443aab00d44d5d5f4a7eada65fc0fc851781042 Drop iso time in fromJSONSchema
• 66bda7491a1b9eab83bdeec0c12f4efc7290bd48 Remove .refine() from ZodMiniType
• b4ab94ca608cd5b581bfc12b20dd8d95b35b3009 4.3.4

v4.3.3

Commits:

• f3b2151959d215d405f54dff3c7ab3bf1fd887ca v4.3.3

v4.3.2

Commits:

• bf96635d243118de6e4f260077aa137453790bf6 Loosen strictObjectinside intersection (#5587)
• f71dc0182ab0f0f9a6be6295b07faca269e10179 Remove Juno (#5590)
• 0f41e5a12a43e6913c9dcb501b2b5136ea86500d 4.3.2

v4.3.1

Commits:

• 0fe88407a4149c907929b757dc6618d8afe998fc allow non-overwriting extends with refinements. 4.3.1

v4.3.0

This is Zod's biggest release since 4.0. It addresses several of Zod's longest-standing feature requests.

... (truncated)

Commits

• ca3c862 v4.3.6
• 762e911 Generalize numeric key handling
• dfbbf1c Avoid re-exported star modules (#5656)
• cbf77bb Avoid non null assertion (#5638)
• 85db85e fix: typo in codec.test.ts file (#5628)
• edd4132 fix: add missing User-agent to robots.txt and allow all (#5646)
• 251d716 Clean up workflow_call
• f4b7bae Update pullfrog.yml (#5634)
• 9977fb0 Add brand.dev to sponsors
• 0cdc0b8 4.3.5
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.