deps: bump the safe-dependencies group with 8 updates #256

dependabot · 2026-01-01T14:55:58Z

Bumps the safe-dependencies group with 8 updates:

Package	From	To
express	`5.1.0`	`5.2.1`
@types/express	`5.0.5`	`5.0.6`
@types/node	`24.10.0`	`24.10.4`
eslint	`9.39.1`	`9.39.2`
firebase-tools	`14.15.2`	`14.27.0`
nodemon	`3.1.10`	`3.1.11`
prettier	`3.6.2`	`3.7.4`
prettier-plugin-packagejson	`2.5.19`	`2.5.20`

Updates express from 5.1.0 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 5.2.1 by @UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in expressjs/express#6429

Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in expressjs/express#6137

increased code coverage of utils.js file by @ashish3011 in expressjs/express#6386

chore: remove duplicate word by @dufucun in expressjs/express#6456

build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in expressjs/express#6498

build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in expressjs/express#6497

build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in expressjs/express#6496

ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6504

ci: update codeql config by @Phillip9587 in expressjs/express#6488

chore: wider range for query test skip by @jonchurch in expressjs/express#6512

chore: fix typos in test by @noritaka1166 in expressjs/express#6535

ci: disable credential persistence for checkout actions by @mertssmnoglu in expressjs/express#6522

ci: allow manual triggering of workflow by @shivarm in expressjs/express#6515

test: add coverage for app.listen() variants by @kgarg1 in expressjs/express#6476

docs: move documentation and charters to the discussions and .github … by @bjohansebas in expressjs/express#6427

build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in expressjs/express#6549

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in expressjs/express#6548

chore: enforce explicit Buffer import and add lint rule by @shivarm in expressjs/express#6525

chore: use node protocol for querystring by @shivarm in expressjs/express#6520

chore: fix typo by @mountdisk in expressjs/express#6609

build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in expressjs/express#6618

add deprecation warnings for redirect arguments undefined by @bjohansebas in expressjs/express#6405

ci: run CI when the markdown changes by @bjohansebas in expressjs/express#6632

doc: fix CONTRIBUTING link by @jonchurch in expressjs/express#6653

doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in expressjs/express#6601

build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in expressjs/express#6679

build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in expressjs/express#6678

lint: add --fix flag to automatic fix linting issue by @shivarm in expressjs/express#6644

chore: ignore yarn.lock file and update example by @shivarm in expressjs/express#6588

lib: use req.socket over deprecated req.connection by @bjohansebas in expressjs/express#6705

doc: update express app example by @shivarm in expressjs/express#6718

build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in expressjs/express#6675

Remove history.md from being packaged on publish by @sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: body-parser@^2.2.1

A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

Commits

dbac741 5.2.1
697547c Revert "sec: security patch for CVE-2024-51999"
4007ad1 Release: 5.2.0 (#6920)
2f64f68 sec: security patch for CVE-2024-51999
ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
758d435 deps: body-parser@^2.2.1 (#6922)
77bcd52 docs: update emeritus triagers (#6890)
f33caf1 Nominate to @efekrskl for triage team (#6888)
Additional commits viewable in compare view

Updates @types/express from 5.0.5 to 5.0.6

Commits

See full diff in compare view

Updates @types/express from 5.0.5 to 5.0.6

Commits

See full diff in compare view

Updates @types/node from 24.10.0 to 24.10.4

Commits

See full diff in compare view

Updates eslint from 9.39.1 to 9.39.2

Release notes

Sourced from eslint's releases.

v9.39.2

Bug Fixes

5705833 fix: warn when eslint-env configuration comments are found (#20381) (sethamus)

Build Related

506f154 build: add .scss files entry to knip (#20391) (Milos Djermanovic)

Chores

7ca0af7 chore: upgrade to @eslint/[email protected] (#20394) (Francesco Trotta)

c43ce24 chore: package.json update for @eslint/js release (Jenkins)

4c9858e ci: add v9.x-dev branch (#20382) (Milos Djermanovic)

Commits

9278324 9.39.2
542266a Build: changelog update for 9.39.2
7ca0af7 chore: upgrade to @eslint/[email protected] (#20394)
c43ce24 chore: package.json update for @eslint/js release
5705833 fix: warn when eslint-env configuration comments are found (#20381)
506f154 build: add .scss files entry to knip (#20391)
4c9858e ci: add v9.x-dev branch (#20382)
See full diff in compare view

Updates firebase-tools from 14.15.2 to 14.27.0

Release notes

Sourced from firebase-tools's releases.

v14.27.0

Fixed issue where MCP server didn't detect if iOS app uses Crashlytics in projects that use project.pbxproj (#9515)

Add logic to synchronize v2 scheduled function timeout with Cloud Schduler's attempt deadline (#9544)

Prevent deployments of Next.js apps vulnerable to CVE-2025-66478 (#9572)

Updated Data Connect emulator to v2.17.3:

Fixed Swift codegen: Include FirebaseCore import in the connector keys file.

Fixed a bug where debug details of Internal errors were swallowed: firebase/firebase-tools#9508

v14.26.0

Add support for nodejs24 (beta) runtime for Cloud Functions for Firebase. (#9475)

Adds listServices and also defines trigger within runv2.ts (#9482)

Updates the firebase init functions template to use firebase-functions 7.0.0 (#9496)

Updated to v2.17.2 of the Data Connect emulator, which fixes a bug with handling of optional enum lists in generated Flutter SDKs. (#9391)

v14.25.1

Fixed an issue that was causing the MCP server to fail to start when run from directories with deeply nested children.

v14.25.0

Added Node 24 support.

Updated superstatic to v10.

Fixed a crash during parallel deployments when buildConfig is empty (#9455)

[Added] support for new google-genai plugin during init genkit (#8957)

Updated to v2.17.1 of the Data Connect emulator, which fixes an admin SDK bug for operation without argument #9449 (#9454).

Fixed "Precondition failed" error when updating GCFv2 functions in a FAILED state without code changes.

v14.24.2

Fixes MCP server issue where googleapis is not available. (#9443)

v14.24.1

Fixed issue where MCP server was blocked by console.log

v14.24.0

Adds 2nd gen Firebase Data Connect triggers to firebase deploy (#9394).

Upgrades @google-cloud/pubsub to v5 (#9428).

Updated to v2.17.0 of the Data Connect emulator, which includes internal improvements and now supports Generated Admin SDKs (#9430).

v14.23.0

Fix the __name__ normalization of vector indexes for Firestore standard edition databases.

Fixed an issue where the emulator would fail to start when using firebase-functions v7+ (#9401).

Added functions.list_functions as a MCP tool (#9369)

Added AI Logic to firebase init CLI command and firebase_init MCP tool. (#9185)

Improved error messages for Firebase AI Logic provisioning during 'firebase init' (#9377)

Fixed issue where 'init hosting' failed to prompt for the public directory and set up Hosting files (#9403)

Added appdistribution:testcases:export and appdistribution:testcases:import (#9397)

Updated to v2.16.0 of the Data Connect emulator, which includes internal improvements.

Data Connect now allows executing a valid query / operation even if the other operations are invalid. (This toleration provides convenience on a best-effort basis. Some errors like invalid syntax can still cause the whole request to be rejected.)

Fixed enum list deserialization in Data Connect generated Dart SDKs.

Added GraphQL __typename support in Data Connect.

Support enum values in Data Connect CEL expressions.

... (truncated)

Commits

fe59d29 14.27.0
a893579 Fix typo in release script
763951a prevent deployments of Next.js apps vulnerable to CVE-2025-66478 (#9572)
c23ac23 Update past react 19.2.0 (#9566)
5677708 Data Connect Emulator release v2.17.3 (#9573)
bc0e7ea Fix remoteconfig:versions:list error (#9549)
b14d2d7 add simplified Firebase MCP Server README for Antigravity (#9534)
c65d86b Adding tests for loadCJSON (#9556)
c6fc7d8 Docker image vulnerbaility fixes (#9560)
63e891e working progress of mcp server registry (#9491)
Additional commits viewable in compare view

Updates nodemon from 3.1.10 to 3.1.11

Release notes

Sourced from nodemon's releases.

v3.1.11

3.1.11 (2025-11-11)

Bug Fixes

script.start with missing file (8d927f1), closes #2258

Commits

8d927f1 fix: script.start with missing file
9c966c1 chore: website
1bf915d chore: website
89e92da chore: website
838ea0c chore: website
7a64464 chore: website
079c683 chore: website
71934a3 chore: website
d6ec490 chore: website
745a994 Merge branch 'main' of github.com:remy/nodemon
Additional commits viewable in compare view

Updates prettier from 3.6.2 to 3.7.4

Release notes

Sourced from prettier's releases.

3.7.4

What's Changed

Fix comment in union type gets duplicated by @fisker in prettier/prettier#18393

Fix unstable comment print in union type by @fisker in prettier/prettier#18395

Avoid quote around LWC interpolations by @kovsu in prettier/prettier#18383

🔗 Changelog

3.7.3

What's Changed

Fix prettier.getFileInfo() change that breaks VSCode extension by @fisker in prettier/prettier#18375

🔗 Changelog

3.7.2

What's Changed

Fix string print when switching quotes by @fisker in prettier/prettier#18351

Preserve quote for embedded HTML attribute values by @kovsu in prettier/prettier#18352

Fix comment in empty type literal by @fisker in prettier/prettier#18364

🔗 Changelog

3.7.1

Fix performance regression in doc printer (#18342 by @fisker)

🔗 Changelog

3.7.0

diff

🔗 Release note

Changelog

Sourced from prettier's changelog.

3.7.4

diff

LWC: Avoid quote around interpolations (#18383 by `@kovsu`)

<!-- Input -->
<div foo={bar}>   </div>
<!-- Prettier 3.7.3 (--embedded-language-formatting off) -->
<div foo="{bar}"></div>
<!-- Prettier 3.7.4 (--embedded-language-formatting off) -->
<div foo={bar}></div>

TypeScript: Fix comment inside union type gets duplicated (#18393 by `@fisker`)

// Input
type Foo = (/** comment */ a | b) | c;
// Prettier 3.7.3
type Foo = /** comment / (/* comment */ a | b) | c;
// Prettier 3.7.4
type Foo = /** comment */ (a | b) | c;

TypeScript: Fix unstable comment print in union type comments (#18395 by `@fisker`)

// Input
type X = (A | B) & (
  // comment
  A | B
);
// Prettier 3.7.3 (first format)
type X = (A | B) &
(// comment
A | B);
// Prettier 3.7.3 (second format)
type X = (
| A
</tr></table>

... (truncated)

Commits

7848357 Release 3.7.4
7686c59 Release @prettier/plugin-hermes & @prettier/plugin-oxc v0.1.3
fe49434 Remove dead code checking union/intersection types length (#18396)
ca02b37 Fix unstable comment print (#18395)
7efb988 Fix comment in union type get duplicated (#18393)
cfa92c1 Update dependency @angular/compiler to v21.0.2 (#18392)
1de2737 Update dependency yaml to v2.8.2 (#18391)
706aa4e Switch js parse postprocess to onEnter (#18382)
d3eb2b2 Reuse arrays in visitor keys (#18386)
c45fef1 Fix LWC attribute with --embedded-language-formatting off (#18383)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for prettier since your current version.

Updates prettier-plugin-packagejson from 2.5.19 to 2.5.20

Release notes

Sourced from prettier-plugin-packagejson's releases.

v2.5.20

2.5.20 (2025-11-28)

Bug Fixes

deps: update dependency sort-package-json to v3.5.0 (f04e33c)

Commits

0dc0a7e Merge pull request #266 from matzkoh/renovate/sort-package-json-3.x
f04e33c fix(deps): update dependency sort-package-json to v3.5.0
b6fca98 chore: Add write permission for contents in release workflow
f6aa6aa Merge pull request #254 from matzkoh/renovate/jest-monorepo
2c2e3ff Merge pull request #264 from matzkoh/claude/fix-errors-merge-014UuscNDYKfqgXT...
65cbb66 test: update snapshot header link for Jest 30.2.0
0f7469e chore(deps): update dependency jest to v30.2.0
2e65867 Merge pull request #262 from matzkoh/renovate/node-24.x
4b264b7 chore: Add permissions for id-token in release workflow
79def39 chore(deps): update node.js to v24
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for prettier-plugin-packagejson since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the safe-dependencies group with 8 updates: | Package | From | To | | --- | --- | --- | | [express](https://github.com/expressjs/express) | `5.1.0` | `5.2.1` | | [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) | `5.0.5` | `5.0.6` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.10.0` | `24.10.4` | | [eslint](https://github.com/eslint/eslint) | `9.39.1` | `9.39.2` | | [firebase-tools](https://github.com/firebase/firebase-tools) | `14.15.2` | `14.27.0` | | [nodemon](https://github.com/remy/nodemon) | `3.1.10` | `3.1.11` | | [prettier](https://github.com/prettier/prettier) | `3.6.2` | `3.7.4` | | [prettier-plugin-packagejson](https://github.com/matzkoh/prettier-plugin-packagejson) | `2.5.19` | `2.5.20` | Updates `express` from 5.1.0 to 5.2.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@v5.1.0...v5.2.1) Updates `@types/express` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express) Updates `@types/express` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express) Updates `@types/node` from 24.10.0 to 24.10.4 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.39.1 to 9.39.2 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v9.39.1...v9.39.2) Updates `firebase-tools` from 14.15.2 to 14.27.0 - [Release notes](https://github.com/firebase/firebase-tools/releases) - [Changelog](https://github.com/firebase/firebase-tools/blob/main/CHANGELOG.md) - [Commits](firebase/firebase-tools@v14.15.2...v14.27.0) Updates `nodemon` from 3.1.10 to 3.1.11 - [Release notes](https://github.com/remy/nodemon/releases) - [Commits](remy/nodemon@v3.1.10...v3.1.11) Updates `prettier` from 3.6.2 to 3.7.4 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](prettier/prettier@3.6.2...3.7.4) Updates `prettier-plugin-packagejson` from 2.5.19 to 2.5.20 - [Release notes](https://github.com/matzkoh/prettier-plugin-packagejson/releases) - [Commits](matzkoh/prettier-plugin-packagejson@v2.5.19...v2.5.20) --- updated-dependencies: - dependency-name: express dependency-version: 5.2.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: safe-dependencies - dependency-name: "@types/express" dependency-version: 5.0.6 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: safe-dependencies - dependency-name: "@types/express" dependency-version: 5.0.6 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: safe-dependencies - dependency-name: "@types/node" dependency-version: 24.10.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: safe-dependencies - dependency-name: eslint dependency-version: 9.39.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: safe-dependencies - dependency-name: firebase-tools dependency-version: 14.27.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: safe-dependencies - dependency-name: nodemon dependency-version: 3.1.11 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: safe-dependencies - dependency-name: prettier dependency-version: 3.7.4 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: safe-dependencies - dependency-name: prettier-plugin-packagejson dependency-version: 2.5.20 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: safe-dependencies ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 1, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

deps: bump the safe-dependencies group with 8 updates #256

deps: bump the safe-dependencies group with 8 updates #256

Uh oh!

dependabot bot commented on behalf of github Jan 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

deps: bump the safe-dependencies group with 8 updates #256

Are you sure you want to change the base?

deps: bump the safe-dependencies group with 8 updates #256

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 1, 2026

v5.2.1

What's Changed

v5.2.0

Important: Security

What's Changed

5.2.1 / 2025-12-01

5.2.0 / 2025-12-01

v9.39.2

Bug Fixes

Build Related

Chores

v14.27.0

v14.26.0

v14.25.1

v14.25.0

v14.24.2

v14.24.1

v14.24.0

v14.23.0

v3.1.11

3.1.11 (2025-11-11)

Bug Fixes

3.7.4

What's Changed

3.7.3

What's Changed

3.7.2

What's Changed

3.7.1

3.7.0

3.7.4

LWC: Avoid quote around interpolations (#18383 by @​kovsu)

TypeScript: Fix comment inside union type gets duplicated (#18393 by @​fisker)

TypeScript: Fix unstable comment print in union type comments (#18395 by @​fisker)

v2.5.20

2.5.20 (2025-11-28)

Bug Fixes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

LWC: Avoid quote around interpolations (#18383 by `@kovsu`)

TypeScript: Fix comment inside union type gets duplicated (#18393 by `@fisker`)

TypeScript: Fix unstable comment print in union type comments (#18395 by `@fisker`)