Bump the npm_and_yarn group across 1 directory with 47 updates

[dependabot]

Bumps the npm_and_yarn group with 27 updates in the / directory:

Package	From	To
moment	2.29.1	2.29.4
openzeppelin-solidity	4.2.0	4.8.1
@babel/traverse	7.14.7	7.25.4
@truffle/db	0.5.20	0.5.59
cross-fetch	2.2.3	2.2.6
debug	2.6.9	4.3.2
truffle	5.4.0	5.11.5
ansi-html	0.0.7	0.0.9
react-scripts	4.0.3	5.0.1
async	2.6.3	2.6.4
qs	6.5.2	6.5.3
body-parser	1.19.0	1.20.2
express	4.17.1	4.19.2
browserify-sign	4.2.1	4.2.3
cookiejar	2.1.2	2.1.4
crypto-js	3.3.0	removed
truffle-hdwallet-provider-privkey	0.3.0	1.0.3
decode-uri-component	0.2.0	0.2.2
es5-ext	0.10.53	0.10.64
follow-redirects	1.14.1	1.15.6
get-func-name	2.0.0	2.0.2
http-cache-semantics	4.1.0	4.1.1
minimatch	3.0.4	3.1.2
recursive-readdir	2.2.2	2.2.3
shelljs	0.8.4	0.8.5
simple-get	2.8.1	2.8.2
word-wrap	1.2.3	1.2.5

Updates moment from 2.29.1 to 2.29.4

Changelog

Sourced from moment's changelog.

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

2.29.2 See full changelog

• Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

Commits

• 000ac18 Build 2.24.4
• f2006b6 Bump version to 2.24.4
• 536ad0c Update changelog for 2.29.4
• 9a3b589 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
• 6374fd8 Merge branch 'master' into develop
• b4e6153 Revert "[bugfix] Fix redos in preprocessRFC2822 regex (#6015)"
• 7aebb16 [bugfix] Fix redos in preprocessRFC2822 regex (#6015)
• 57c9062 Build 2.29.3
• aaf50b6 Fixup release complaints
• 26f4aef Bump version to 2.29.3
• Additional commits viewable in compare view

Updates openzeppelin-solidity from 4.2.0 to 4.8.1

Release notes

Sourced from openzeppelin-solidity's releases.

v4.8.1

• ERC4626: Use staticcall instead of call when fetching underlying ERC-20 decimals. (#3943)

v4.8.0

Note Don't miss the section on Breaking changes at the end.

• TimelockController: Added a new admin constructor parameter that is assigned the admin role instead of the deployer account. (#3722)
• Initializable: add internal functions _getInitializedVersion and _isInitializing (#3598)
• ERC165Checker: add supportsERC165InterfaceUnchecked for consulting individual interfaces without the full ERC165 protocol. (#3339)
• Address: optimize functionCall by calling functionCallWithValue directly. (#3468)
• Address: optimize functionCall functions by checking contract size only if there is no returned data. (#3469)
• Governor: make the relay function payable, and add support for EOA payments. (#3730)
• GovernorCompatibilityBravo: remove unused using statements. (#3506)
• ERC20: optimize _transfer, _mint and _burn by using unchecked arithmetic when possible. (#3513)
• ERC20Votes, ERC721Votes: optimize getPastVotes for looking up recent checkpoints. (#3673)
• ERC20FlashMint: add an internal _flashFee function for overriding. (#3551)
• ERC4626: use the same decimals() as the underlying asset by default (if available). (#3639)
• ERC4626: add internal _initialConvertToShares and _initialConvertToAssets functions to customize empty vaults behavior. (#3639)
• ERC721: optimize transfers by making approval clearing implicit instead of emitting an event. (#3481)
• ERC721: optimize burn by making approval clearing implicit instead of emitting an event. (#3538)
• ERC721: Fix balance accounting when a custom _beforeTokenTransfer hook results in a transfer of the token under consideration. (#3611)
• ERC721: use unchecked arithmetic for balance updates. (#3524)
• ERC721Consecutive: Implementation of EIP-2309 that allows batch minting of ERC721 tokens during construction. (#3311)
• ReentrancyGuard: Reduce code size impact of the modifier by using internal functions. (#3515)
• SafeCast: optimize downcasting of signed integers. (#3565)
• ECDSA: Remove redundant check on the v value. (#3591)
• VestingWallet: add releasable getters. (#3580)
• VestingWallet: remove unused library Math.sol. (#3605)
• VestingWallet: make constructor payable. (#3665)
• Create2: optimize address computation by using assembly instead of abi.encodePacked. (#3600)
• Clones: optimized the assembly to use only the scratch space during deployments, and optimized predictDeterministicAddress to use fewer operations. (#3640)
• Checkpoints: Use procedural generation to support multiple key/value lengths. (#3589)
• Checkpoints: Add new lookup mechanisms. (#3589)
• Arrays: Add unsafeAccess functions that allow reading and writing to an element in a storage array bypassing Solidity's "out-of-bounds" check. (#3589)
• Strings: optimize toString. (#3573)
• Ownable2Step: extension of Ownable that makes the ownership transfers a two step process. (#3620)
• Math and SignedMath: optimize function max by using > instead of >=. (#3679)
• Math: Add log2, log10 and log256. (#3670)
• Arbitrum: Update the vendored arbitrum contracts to match the nitro upgrade. (#3692)

Breaking changes

• ERC721: In order to add support for batch minting via ERC721Consecutive it was necessary to make a minor breaking change in the internal interface of ERC721. Namely, the hooks _beforeTokenTransfer and _afterTokenTransfer have one additional argument that may need to be added to overrides:

 function _beforeTokenTransfer(
     address from,
     address to,
     uint256 tokenId,
</tr></table> 

... (truncated)

Changelog

Sourced from openzeppelin-solidity's changelog.

4.8.1 (2023-01-12)

• ERC4626: Use staticcall instead of call when fetching underlying ERC-20 decimals. (#3943)

4.8.0 (2022-11-08)

• TimelockController: Added a new admin constructor parameter that is assigned the admin role instead of the deployer account. (#3722)
• Initializable: add internal functions _getInitializedVersion and _isInitializing (#3598)
• ERC165Checker: add supportsERC165InterfaceUnchecked for consulting individual interfaces without the full ERC165 protocol. (#3339)
• Address: optimize functionCall by calling functionCallWithValue directly. (#3468)
• Address: optimize functionCall functions by checking contract size only if there is no returned data. (#3469)
• Governor: make the relay function payable, and add support for EOA payments. (#3730)
• GovernorCompatibilityBravo: remove unused using statements. (#3506)
• ERC20: optimize _transfer, _mint and _burn by using unchecked arithmetic when possible. (#3513)
• ERC20Votes, ERC721Votes: optimize getPastVotes for looking up recent checkpoints. (#3673)
• ERC20FlashMint: add an internal _flashFee function for overriding. (#3551)
• ERC4626: use the same decimals() as the underlying asset by default (if available). (#3639)
• ERC4626: add internal _initialConvertToShares and _initialConvertToAssets functions to customize empty vaults behavior. (#3639)
• ERC721: optimize transfers by making approval clearing implicit instead of emitting an event. (#3481)
• ERC721: optimize burn by making approval clearing implicit instead of emitting an event. (#3538)
• ERC721: Fix balance accounting when a custom _beforeTokenTransfer hook results in a transfer of the token under consideration. (#3611)
• ERC721: use unchecked arithmetic for balance updates. (#3524)
• ERC721Consecutive: Implementation of EIP-2309 that allows batch minting of ERC721 tokens during construction. (#3311)
• ReentrancyGuard: Reduce code size impact of the modifier by using internal functions. (#3515)
• SafeCast: optimize downcasting of signed integers. (#3565)
• ECDSA: Remove redundant check on the v value. (#3591)
• VestingWallet: add releasable getters. (#3580)
• VestingWallet: remove unused library Math.sol. (#3605)
• VestingWallet: make constructor payable. (#3665)
• Create2: optimize address computation by using assembly instead of abi.encodePacked. (#3600)
• Clones: optimized the assembly to use only the scratch space during deployments, and optimized predictDeterministicAddress to use fewer operations. (#3640)
• Checkpoints: Use procedural generation to support multiple key/value lengths. (#3589)
• Checkpoints: Add new lookup mechanisms. (#3589)
• Arrays: Add unsafeAccess functions that allow reading and writing to an element in a storage array bypassing Solidity's "out-of-bounds" check. (#3589)
• Strings: optimize toString. (#3573)
• Ownable2Step: extension of Ownable that makes the ownership transfers a two step process. (#3620)
• Math and SignedMath: optimize function max by using > instead of >=. (#3679)
• Math: Add log2, log10 and log256. (#3670)
• Arbitrum: Update the vendored arbitrum contracts to match the nitro upgrade. (#3692)

Breaking changes

• ERC721: In order to add support for batch minting via ERC721Consecutive it was necessary to make a minor breaking change in the internal interface of ERC721. Namely, the hooks _beforeTokenTransfer and _afterTokenTransfer have one additional argument that may need to be added to overrides:

 function _beforeTokenTransfer(
     address from,
     address to,
     uint256 tokenId,
+    uint256 batchSize
</tr></table> 

... (truncated)

Commits

• 0457042 4.8.1
• 1dfccff Add docs on non-stability of internal function use (#3952)
• 472b996 Add explicit permissions to docs workflow
• cd50a86 Use a staticcall to fetch ERC20.decimals in ERC4626 (#3943)
• 873a01b Fix governance tutorial contract (#3948)
• 011a0fb Add documentation about the security of overrides (#3725)
• 4e5b119 Improve documentation of Initializable getters (#3861)
• 3e97221 Add ERC-4626 Upgrade Note (#3849)
• fad1172 Add Ownable2Step to the docs (#3836)
• 53eb531 Improve some NatSpec (#3809)
• Additional commits viewable in compare view

Updates @babel/traverse from 7.14.7 to 7.25.4

Release notes

Sourced from @​babel/traverse's releases.

v7.25.4 (2024-08-22)

🐛 Bug Fix

• babel-traverse
  • #16756 fix: Skip computed key when renaming (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16755 fix: Decorator 2018-09 may throw an exception (@​liuxingbaoyu)
• babel-types
  • #16710 Visit AST fields nodes according to their syntactical order (@​nicolo-ribaudo)
• babel-generator
  • #16709 Print semicolon after TS export namespace as A (@​nicolo-ribaudo)

💅 Polish

• babel-generator, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-runtime-corejs2, babel-runtime, babel-traverse
  • #16722 Avoid unnecessary parens around sequence expressions (@​nicolo-ribaudo)
• babel-generator, babel-plugin-transform-class-properties
  • #16714 Avoid unnecessary parens around exported arrow functions (@​nicolo-ribaudo)
• babel-generator, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-transform-object-rest-spread
  • #16712 Avoid printing unnecessary parens around object destructuring (@​nicolo-ribaudo)

🔬 Output optimization

• babel-generator
  • #16740 Avoid extra spaces between comments/regexps in compact mode (@​nicolo-ribaudo)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.25.3 (2024-07-31)

🐛 Bug Fix

• babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-traverse
  • #16699 Avoid validating visitors produced by traverse.visitors.merge (@​nicolo-ribaudo)

🏠 Internal

• babel-parser
  • #16688 Add @babel/types as a dependency of @babel/parser (@​nicolo-ribaudo)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)

v7.25.2 (2024-07-30)

🐛 Bug Fix

• babel-core, babel-traverse
  • #16695 Ensure that requeueComputedKeyAndDecorators is available (@​nicolo-ribaudo)

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.25.4 (2024-08-22)

🐛 Bug Fix

• babel-traverse
  • #16756 fix: Skip computed key when renaming (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16755 fix: Decorator 2018-09 may throw an exception (@​liuxingbaoyu)
• babel-types
  • #16710 Visit AST fields nodes according to their syntactical order (@​nicolo-ribaudo)
• babel-generator
  • #16709 Print semicolon after TS export namespace as A (@​nicolo-ribaudo)

💅 Polish

• babel-generator, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-runtime-corejs2, babel-runtime, babel-traverse
  • #16722 Avoid unnecessary parens around sequence expressions (@​nicolo-ribaudo)
• babel-generator, babel-plugin-transform-class-properties
  • #16714 Avoid unnecessary parens around exported arrow functions (@​nicolo-ribaudo)
• babel-generator, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-transform-object-rest-spread
  • #16712 Avoid printing unnecessary parens around object destructuring (@​nicolo-ribaudo)

🔬 Output optimization

• babel-generator
  • #16740 Avoid extra spaces between comments/regexps in compact mode (@​nicolo-ribaudo)

v7.25.3 (2024-07-31)

🐛 Bug Fix

• babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-traverse
  • #16699 Avoid validating visitors produced by traverse.visitors.merge (@​nicolo-ribaudo)

🏠 Internal

• babel-parser
  • #16688 Add @babel/types as a dependency of @babel/parser (@​nicolo-ribaudo)

v7.25.2 (2024-07-30)

🐛 Bug Fix

• babel-core, babel-traverse
  • #16695 Ensure that requeueComputedKeyAndDecorators is available (@​nicolo-ribaudo)

v7.25.1 (2024-07-28)

🐛 Bug Fix

• babel-plugin-transform-function-name
  • #16683 fix: ensureFunctionName may be undefined (@​liuxingbaoyu)
• babel-plugin-transform-react-constant-elements
  • #16582 fix plugin-transform-react-constant-elements transform JSXFrament but not add JSXExpressionContainer (@​keiseiTi)
• babel-traverse
  • #16587 fix: fixed issue16583 + test (@​nerodesu017)

🏠 Internal

• #16663 Test eslint plugin against eslint 9 (@​JLHwung)

v7.25.0 (2024-07-26)

... (truncated)

Commits

• cbf124c v7.25.4
• 2b289fb fix: skip computed key when renaming (#16756)
• 575863c Avoid unnecessary parens around sequence expressions (#16722)
• 5174ad1 Clean all always enabled parser plugins (#16572)
• 52718ab Discontinue babel-eslint-config-internal (#16718)
• dba45d3 Ignore devDependencies when generating tsconfig.json (#16659)
• 787c7cd v7.25.3
• 992c6e0 Avoid validating visitors produced by traverse.visitors.merge (#16699)
• 44efb5f print @​babel/traverse version on unknown AST types (#16701)
• 0f8f408 v7.25.2
• Additional commits viewable in compare view

Updates @truffle/db from 0.5.20 to 0.5.59

Commits

• 5c7b580 Publish
• e7396c1 Publish
• 1258916 Publish
• 01c1d42 Publish
• b389f81 bump ganache to ^7.0.3
• c05d042 bump ganache to ^7.0.2
• 33ab666 nuke the dead code - jest comment
• f116e2f new hair dont care!
• e7a0b9c Merge pull request #4797 from trufflesuite/eslint-mocha-jest-env
• e6275c6 align with the other package .eslintrcs
• Additional commits viewable in compare view

Updates cross-fetch from 2.2.3 to 2.2.6

Commits

• bfe5fe2 2.2.6
• 1a89b66 added caret range to whatwg-fetch.
• 695a888 removed and disabled package-lock.json.
• eac6c00 Update away from vulnerable version of node-fetch (#135)
• 3abdc67 2.2.5
• 982e107 Locked node-fetch version.
• 0820407 2.2.4
• 19fec4e Fixed vulnerability CVE-2020-15168 by upgrading node-fetch to 2.6.1.
• See full diff in compare view

Updates debug from 2.6.9 to 4.3.2

Release notes

Sourced from debug's releases.

4.3.2

Patch release 4.3.2

• Caches enabled statuses on a per-logger basis to speed up .enabled checks (#799)

Thank you @​omg!

4.3.1

Patch release 4.3.1

• Fixes a ReDOS regression (#458) - see #797 for details.

4.3.0

Minor release

• Deprecated debugInstance.destroy(). Future major versions will not have this method; please remove it from your codebases as it currently does nothing.
• Fixed quoted percent sign
• Fixed memory leak within debug instances that are created dynamically

4.2.0

Minor Release

• Replaced phantomJS with chrome backend for browser tests
• Deprecated and later removed Changelog.md in lieu of releases page
• Removed bower.json (#602)
• Removed .eslintrc (since we've switched to XO)
• Removed .coveralls.yml
• Removed the build system that was in place for various alternate package managers
• Removed the examples folder (#650)
• Switched to console.debug in the browser only when it is available (#600)
• Copied custom logger to namespace extension (#646)
• Added issue and pull request templates
• Added "engines" key to package.json
• Added ability to control selectColor (#747)
• Updated dependencies
• Marked supports-color as an optional peer dependency

4.1.1

This backport fixes a bug in coveralls configuration as well as the .extend() function.

Patches

• test: only run coveralls on travis (#663, #664, d0e498f159bd425b3403db38c98fe26a345d4dcd)
• copy custom logger to namespace extension (#646, 57ef085703a0158679cc4a56a4980653b828ce51)

4.1.0

Minor Changes

• migrate Makefile to npm scripts (4236585a40787fe60ed625452163299600df2ce6)
• feat: Return namespaces string when invoking disable() (7ef8b417a86941372074f749019b9f439a1f6ef6)

... (truncated)

Commits

• e47f96d 4.3.2
• 1e9d38c cache enabled status per-logger (#799)
• 0d3d66b 4.3.1
• b6d12fd fix regression
• 3f56313 4.3.0
• e2d3bc9 add deprecation notice for debug.destroy()
• 72e7f86 fix memory leak within debug instance
• 27152ca add test for enable/disable of existing instances
• 22e13fe fix quoted percent sign
• 80ef62a 4.2.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by qix, a new releaser for debug since your current version.

Updates truffle from 5.4.0 to 5.11.5

Release notes

Sourced from truffle's releases.

v5.11.5 — Dessertressed

Hello all! Tiny release this week, just internal improvements and dependency updates. Thanks once again to @​legobeat for getting all of these! That's it for now!

How to upgrade

We recommend upgrading to the latest version of Truffle by running:

npm uninstall -g truffle
npm install -g truffle

Changelog

Internal improvements

• Enforce deduped lockfile when linting dependencies (#6193 by @​legobeat)

Dependency updates

• Deduplicate all dependencies and devDependencies (#6194 by @​legobeat)
• Dedupe and lockbump ethers, ethereumjs, web3 (#6192 by @​legobeat)
• Dedupe runtime libraries (#6191 by @​legobeat)
• Dedupe devDependencies and library packages (#6188 by @​legobeat)

v5.11.4 — Malted milk powder

Hello all! Not much this week, primarily just a bunch of internal improvements and dependency updates. 🏗️ Thanks to @​legobeat for getting a bunch of these! 🧱🥁 We've also updated the list of Sourcify networks, even though the fetcher no longer actually checks it.

That's it for now! 👋

How to upgrade

We recommend upgrading to the latest version of Truffle by running:

npm uninstall -g truffle
npm install -g truffle

Changelog

Enhancements

• Add new sourcify networks; fix problem with beam testnet (#6182 by @​haltman-at)

Internal improvements

• Remove gitHead field that snuck its way in (#6187 by @​haltman-at)
• Indicate Node.js supported versions (#6180 by @​legobeat)
• Pin nodejs 20 to 20.5 due to regression in 20.6 (#6186 by @​legobeat)

... (truncated)

Commits

• a26df1f Publish
• 9b23a59 devDeps: webpack@^5.73.0->^5.88.2
• 033fc64 Publish
• 4c80841 Merge pull request #6180 from legobeat/node-version
• 005ebb9 deps: semver@7.5.2->7.5.4
• 56cab73 chore: set engines.node in package manifests
• 3fa384f Publish
• 878725a Turn off mysteriously failing test (sorry)
• c519492 Update Ganache to 7.9.1
• a9ca7ea Publish
• Additional commits viewable in compare view

Updates ansi-html from 0.0.7 to 0.0.9

Commits

• See full diff in compare view

Updates react-scripts from 4.0.3 to 5.0.1

Commits

• 19fa58d Publish
• 9802941 fix: webpack noise printed only if error or warning (#12245)
• 2eef1d0 Update templates to use React 18 createRoot (#12220)
• 221e511 Publish
• 5614c87 Add support for Tailwind (#11717)
• 20edab4 fix(webpackDevServer): disable overlay for warnings (#11413)
• 3afbbc0 Update all dependencies (#11624)
• f5467d5 feat(eslint-config-react-app): support ESLint 8.x (#11375)
• c7627ce Update webpack and dev server (#11646)
• 544befe Update package.json (#11597)
• Additional commits viewable in compare view

Updates apollo-server from 2.25.2 to 3.13.0

Commits

• f93284e Release
• ea2e2c3 Release
• fac578a Release
• 6247d96 Release
• 538151b Release
• f519e1d Release
• 985c079 Release
• 2bf7f66 chore(deps): update all non-major dependencies (main) (#6852)
• f6c5c9f Release
• e6097d6 Release
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by apollo-bot, a new releaser for apollo-server since your current version.

Updates apollo-server-core from 2.25.2 to 3.13.0

Commits

• f93284e Release
• 4745ebe Rename option from disableValidation to dangerouslyDisableValidation
• 11f5981 Add disableValidation option to apollo-server-core
• ea2e2c3 Release
• 1dd45b8 get CI passing
• d38b43b Merge pull request from GHSA-j5g3-5c8r-7qfx
• fac578a Release
• 8554050 Update protobuf (version-3) (#7412)
• 6247d96 Release
• 538151b Release
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by apollo-bot, a new releaser for apollo-server-core since your current version.

Updates async from 2.6.3 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

• Fix potential prototype pollution exploit (#1828)

Commits

• c6bdaca Version 2.6.4
• 8870da9 Update built files
• 4df6754 update changelog
• 8f7f903 Fix prototype pollution vulnerability (#1828)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Updates axios from 0.20.0 to 1.5.0

Release notes

Sourced from axios's releases.

Release v1.5.0

Release notes:

Bug Fixes

• adapter: make adapter loading error more clear by using platform-specific adapters explicitly (#5837) (9a414bb)
• dns: fixed cacheable-lookup integration; (#5836) (b3e327d)
• headers: added support for setting header names that overlap with class methods; (#5831) (d8b4ca0)
• headers: fixed common Content-Type header merging; (#5832) (8fda276)

Features

• export getAdapter function (#5324) (ca73eb8)
• export: export adapters without unsafe prefix (#5839) (1601f4a)

Contributors to this release

• Dmitriy Mozgovoy
• 夜葬
• Jonathan Budiman
• Michael Di Prisco

Release v1.4.0

Release notes:

Bug Fixes

• formdata: add multipart/form-data content type for FormData payload on custom client environments; (#5678) (bbb61e7)
• package: export package internals with unsafe path prefix; (#5677) (df38c94)

Features

• dns: added support for a custom lookup function; (#5339) (2701911)
• types: export AxiosHeaderValue type. (#5525) (726f1c8)

Performance Improvements

• merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#5679) (e6f7053)

Contributors to this release

[changeset-bot]

⚠️ No Changeset found

Latest commit: e3465c3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Report too large to display inline

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Install scripts	npm/es5-ext@0.10.64	Install script: postinstall Source: node -e "try{require('./_postinstall')}catch(e){}" || exit 0	package-lock.json	🚫

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/es5-ext@0.10.64