build(deps): bump the npm_and_yarn group across 1 directory with 7 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
next	14.2.21	14.2.32
form-data	2.3.3	4.0.4
@cypress/request	3.0.1	3.0.9
nanoid	3.3.8	3.3.11
on-headers	1.0.2	1.1.0
morgan	1.10.0	1.10.1
tmp	0.2.3	0.2.5

Updates next from 14.2.21 to 14.2.32

Release notes

Sourced from next's releases.

v14.2.32

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix router handling when setting a location response header #82588

Credits

Huge thanks to @​ztanner for helping!

v14.2.31

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(next/image): improve and simplify detect-content-type (#82179)
• fix(next/image): fix image-optimizer.ts headers (#82178)

Credits

Huge thanks to @​styfle and @​ztanner for helping!

Commits

• 89ee561 v14.2.32
• 6a974ad [backport v14]: fix router handling when setting a location response header (...
• 55f7662 v14.2.31
• 5dd68a5 [backport v14]: fix(next/image): improve and simplify detect-content-type (#8...
• bcc7c65 [backport v14]: fix(next/image): fix image-optimizer.ts headers (#82114) (#82...
• 243072b v14.2.30
• f523d4a [backport]: config.allowedDevOrigins (#80410)
• ca92115 v14.2.29
• ec9ee87 Only share incremental cache for edge in next start (#79389)
• e65628a v14.2.28
• Additional commits viewable in compare view

Updates form-data from 2.3.3 to 4.0.4

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

• Merge tags v2.5.3 and v3.0.3 92613b9
• [Tests] migrate from travis to GHA 806eda7
• [Tests] migrate from travis to GHA 8fdb3bc

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Updates @cypress/request from 3.0.1 to 3.0.9

Release notes

Sourced from @​cypress/request's releases.

v3.0.9

3.0.9 (2025-07-24)

Bug Fixes

• update patch version of form-data to address new critical Snyk vulnerability (a2f3199)

v3.0.8

3.0.8 (2025-03-04)

Bug Fixes

• deps: update dependency qs to v6.14.0 (16066b6)

v3.0.7

3.0.7 (2024-12-09)

Bug Fixes

• deps: update dependency qs to v6.13.1 (00d1835)

v3.0.6

3.0.6 (2024-10-29)

Bug Fixes

• deps: update dependency tough-cookie to v5 (65ad82c)

v3.0.5

3.0.5 (2024-09-09)

Bug Fixes

• deps: update dependency form-data to v4 (6b90580)

v3.0.4

3.0.4 (2024-09-05)

Bug Fixes

• deps: update dependency form-data to ~2.5.0 (87b5e92)

v3.0.3

3.0.3 (2024-09-05)

... (truncated)

Commits

• 3cffd53 Merge pull request #88 from ahayes91/update-form-data
• 7c424d5 chore: fix lint issue
• 7f6fdec chore: remove test now that we are on form-data 4.0.4
• a2f3199 fix: update patch version of form-data to address new critical Snyk vulnerabi...
• a1252dd Merge pull request #84 from cypress-io/renovate/qs-6.x
• 16066b6 fix(deps): update dependency qs to v6.14.0
• 5fd0770 Merge pull request #83 from cypress-io/renovate/cimg-node-18.x
• b42b322 chore(deps): update node.js to v18.20.7
• e79201a Merge pull request #80 from cypress-io/renovate/cimg-node-18.x
• 0e4e875 Merge pull request #81 from cypress-io/renovate/qs-6.x
• Additional commits viewable in compare view

Updates nanoid from 3.3.8 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Commits

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• See full diff in compare view

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

• Migrate CI pipeline to GitHub actions by @​carpasse in jshttp/on-headers#12
• fix README.md badges by @​carpasse in jshttp/on-headers#13
• add OSSF scorecard action by @​carpasse in jshttp/on-headers#14
• fix: use ubuntu-latest as ci runner by @​UlisesGascon in jshttp/on-headers#19
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in jshttp/on-headers#20
• 👷 add upstream change detection by @​ctcpip in jshttp/on-headers#31
• ✨ add script to update known hashes by @​ctcpip in jshttp/on-headers#32
• 💚 update CI - add newer node versions by @​ctcpip in jshttp/on-headers#33

New Contributors

• @​carpasse made their first contribution in jshttp/on-headers#12
• @​UlisesGascon made their first contribution in jshttp/on-headers#19
• @​ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 4b017af 1.1.0
• b636f2d ♻️ refactor header array code
• 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
• 172eb41 ✨ support duplicate headers
• c6e3849 🔒️ fix array handling
• 6893518 💚 update CI - add newer node versions
• 56a345d ✨ add script to update known hashes
• 175ab21 👷 add upstream change detection (#31)
• ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
• 1a38c54 fix: use ubuntu-latest as ci runner (#19)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates morgan from 1.10.0 to 1.10.1

Release notes

Sourced from morgan's releases.

1.10.1

What's Changed

• renaming simple to sample in readme by @​ryhinchey in expressjs/morgan#237
• adding installation instructions to readme by @​ryhinchey in expressjs/morgan#233
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/morgan#291
• ci: replace travis with github actions by @​inigomarquinez in expressjs/morgan#290
• docs: add example output for log formats by @​jonchurch in expressjs/morgan#299
• ci: use ubuntu-latest by @​bjohansebas in expressjs/morgan#301
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in expressjs/morgan#300
• remove --bail by @​jonchurch in expressjs/morgan#314
• ⬆️ bump on-headers by @​ctcpip in expressjs/morgan#319

New Contributors

• @​inigomarquinez made their first contribution in expressjs/morgan#291
• @​jonchurch made their first contribution in expressjs/morgan#299
• @​bjohansebas made their first contribution in expressjs/morgan#301
• @​UlisesGascon made their first contribution in expressjs/morgan#300
• @​ctcpip made their first contribution in expressjs/morgan#319

Full Changelog: expressjs/morgan@1.10.0...1.10.1

Changelog

Sourced from morgan's changelog.

1.10.1 / 2025-07-17

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• c1c7f10 🔖 1.10.1
• eb896c2 ⬆️ bump on-headers
• 1c3eec6 remove --bail (#314)
• b144728 ci: apply OSSF Scorecard security best practices (#300)
• 68c2d21 ci: use ubuntu-latest (#301)
• 8740a19 docs: add example output for log formats (#299)
• efd6bff ci: migra to GitHub actions (#290)
• 3b89789 ci: add support for OSSF scorecard reporting (#291)
• 19a6aa5 docs: add installation section
• b94f3ff docs: change simple to sample in example descriptions
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for morgan since your current version.

Updates tmp from 0.2.3 to 0.2.5

Commits

• 3d2fe38 Bump up the version
• e162828 Merge pull request #309 from fflorent/fix-tmp-dir-with-dir
• b847d2f Fix use of tmp.dir() with dir option
• 08fa3ab Update version
• 1cf4ec5 Merge commit from fork
• 188b25e Fix GHSA-52f5-9888-hmc6
• 73b9fe4 Add test case for GHSA-52f5-9888-hmc6
• b8e2f29 Remove broken tests
• 2892a02 Remove outdated URL
• f592318 Reformat package.json
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
package-lock.json	30% smaller
package.json	0% smaller

[snyk-io]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)