Bump the all-dependencies group across 1 directory with 31 updates by dependabot[bot] · Pull Request #490 · Yelp/beans

dependabot · 2026-06-03T03:24:03Z

Bumps the all-dependencies group with 31 updates in the /frontend directory:

Package	From	To
axios	`1.16.0`	`1.16.1`
cors	`2.8.5`	`2.8.6`
express	`4.22.2`	`5.2.1`
express-session	`1.18.2`	`1.19.0`
http-proxy-middleware	`3.0.5`	`4.0.0`
moment-timezone	`0.5.46`	`0.6.2`
nconf	`0.12.1`	`0.13.0`
react	`18.3.1`	`19.2.7`
react-dom	`18.3.1`	`19.2.7`
react-redux	`9.1.2`	`9.3.0`
react-router-dom	`6.30.3`	`7.16.0`
react-switch	`7.0.0`	`7.1.0`
react-tooltip	`5.28.0`	`6.0.6`
@babel/cli	`7.25.9`	`7.29.7`
@babel/core	`7.26.0`	`7.29.7`
@babel/eslint-parser	`7.25.9`	`7.29.7`
@babel/preset-env	`7.26.0`	`7.29.7`
@babel/preset-react	`7.25.9`	`7.29.7`
@webpack-cli/serve	`2.0.5`	`3.0.1`
babel-jest	`29.7.0`	`30.4.1`
babel-loader	`9.2.1`	`10.1.1`
eslint	`8.57.0`	`10.4.1`
eslint-config-prettier	`9.1.0`	`10.1.8`
eslint-plugin-import	`2.31.0`	`2.32.0`
eslint-plugin-react	`7.37.2`	`7.37.5`
eslint-webpack-plugin	`4.2.0`	`6.0.0`
jest	`29.7.0`	`30.4.2`
nodemon	`3.1.7`	`3.1.14`
react-test-renderer	`18.3.1`	`19.2.7`
webpack	`5.105.0`	`5.107.2`
webpack-cli	`5.1.4`	`7.0.3`

Updates axios from 1.16.0 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)

Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)

CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)

Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)

XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)

Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)

Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)

URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)

composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)

AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)

Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)

Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)

Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

@hpinmetaverse (#10836)

@tommyhgunz14 (#7413)

@abhu85 (#10829)

@divyanshuraj1095 (#10853)

@sagodi97 (#10856)

@rkdfx (#10868)

@Liuwei1125 (#10866)

Full Changelog

Changelog

Sourced from axios's changelog.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)

Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)

CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)

Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)

XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)

Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)

Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)

URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)

composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)

AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)

Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)

Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)

Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

@hpinmetaverse (#10836)

@tommyhgunz14 (#7413)

@abhu85 (#10829)

@divyanshuraj1095 (#10853)

@sagodi97 (#10856)

@rkdfx (#10868)

@Liuwei1125 (#10866)

Full Changelog

Commits

1337d6b chore(release): prepare release 1.16.1 (#10877)
858a790 fix: remove all caches (#10882)
34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
847d89b fix: support URL object as config.url input (#10866)
4094886 fix(progress): guard malformed XHR upload events (#10868)
44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
64e1095 chore: update PR and issue template to use h2 (#10865)
3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
caa00a9 fix: https data in cleartext to proxy (#10858)
Additional commits viewable in compare view

Updates cors from 2.8.5 to 2.8.6

Release notes

Sourced from cors's releases.

v2.8.6

What's Changed

Build: Node.js@12.16 and Node.js.13.12 by @smondal in expressjs/cors#189

Update README.md for origin function callback parameters by @dstudzinski in expressjs/cors#180

Suggest passing false for disallowed domains, not erroring by @shackpank in expressjs/cors#175

Changed the term whitelist to allowlist in Documentation by @jkasun in expressjs/cors#200

Fix typo in README by @alex-grover in expressjs/cors#207

Added new link & website in the README by @manjunath00 in expressjs/cors#269

Fix functions call with extra parameter by @LuisEGR in expressjs/cors#245

🐛 Fix readme status badge by @homersimpsons in expressjs/cors#306

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/cors#321

ci: fix errors in ci github action for node 8 by @inigomarquinez in expressjs/cors#322

test: improved test robustness by @Alex-GF in expressjs/cors#320

chore: upgrade scorecard workflow pinned action versions by @carpasse in expressjs/cors#341

ci: add CodeQL (SAST) by @bjohansebas in expressjs/cors#340

docs: remove broken link to demo site by @dpopp07 in expressjs/cors#344

OSSF Scorecard recommendations by @UlisesGascon in expressjs/cors#350

build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 by @dependabot[bot] in expressjs/cors#351

build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/cors#353

build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in expressjs/cors#354

build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @dependabot[bot] in expressjs/cors#355

build(deps-dev): bump express from 4.17.1 to 4.21.2 by @dependabot[bot] in expressjs/cors#356

build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in expressjs/cors#352

build(deps-dev): bump mocha from 9.1.1 to 9.2.2 by @dependabot[bot] in expressjs/cors#358

update the docs for per request config by @jonchurch in expressjs/cors#338

(fix): readme updated for #271 origin option for * by @dhananjaysa92 in expressjs/cors#289

ci: upgrade Node versions by @UlisesGascon in expressjs/cors#359

chore: add funding to package.json by @bjohansebas in expressjs/cors#363

build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 by @dependabot[bot] in expressjs/cors#371

build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in expressjs/cors#370

docs: Cleanup README by @efekrskl in expressjs/cors#374

chore: add node v25 by @imangas in expressjs/cors#375

Extend CI test matrix by @imangas in expressjs/cors#376

docs: simplify code examples with header comments by @jonchurch in expressjs/cors#386

docs: tweak intro, add note w/ browser enforcement, FAQ by @jonchurch in expressjs/cors#385

chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball by @Phillip9587 in expressjs/cors#388

Release: 2.8.6 by @UlisesGascon in expressjs/cors#390

New Contributors

@smondal made their first contribution in expressjs/cors#189

@dstudzinski made their first contribution in expressjs/cors#180

@shackpank made their first contribution in expressjs/cors#175

@jkasun made their first contribution in expressjs/cors#200

@alex-grover made their first contribution in expressjs/cors#207

@manjunath00 made their first contribution in expressjs/cors#269

@LuisEGR made their first contribution in expressjs/cors#245

@homersimpsons made their first contribution in expressjs/cors#306

@inigomarquinez made their first contribution in expressjs/cors#321

@Alex-GF made their first contribution in expressjs/cors#320

@carpasse made their first contribution in expressjs/cors#341

... (truncated)

Changelog

Sourced from cors's changelog.

2.8.6 / 2026-01-22

Improve documentation (API, context, examples...)

Remove additional markdown files from tarball

Commits

f00a8c1 2.8.6 (#390)
848e2bd chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388)
cf8947e docs: tweak intro, add note w/ browser enforcement, FAQ (#385)
bbf62a5 docs: simplify code examples with header comments (#386)
f442e77 Extend CI test matrix (#376)
d5cf6cd ci: add support for node@25 (#375)
7e6f7ee docs: revamp content (#374)
b25644c build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370)
f881e91 build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371)
9a9a760 chore: add funding to package.json (#363)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cors since your current version.

Updates express from 4.22.2 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 5.2.1 by @UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in expressjs/express#6429

Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in expressjs/express#6137

increased code coverage of utils.js file by @ashish3011 in expressjs/express#6386

chore: remove duplicate word by @dufucun in expressjs/express#6456

build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in expressjs/express#6498

build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in expressjs/express#6497

build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in expressjs/express#6496

ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6504

ci: update codeql config by @Phillip9587 in expressjs/express#6488

chore: wider range for query test skip by @jonchurch in expressjs/express#6512

chore: fix typos in test by @noritaka1166 in expressjs/express#6535

ci: disable credential persistence for checkout actions by @mertssmnoglu in expressjs/express#6522

ci: allow manual triggering of workflow by @shivarm in expressjs/express#6515

test: add coverage for app.listen() variants by @kgarg1 in expressjs/express#6476

docs: move documentation and charters to the discussions and .github … by @bjohansebas in expressjs/express#6427

build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in expressjs/express#6549

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in expressjs/express#6548

chore: enforce explicit Buffer import and add lint rule by @shivarm in expressjs/express#6525

chore: use node protocol for querystring by @shivarm in expressjs/express#6520

chore: fix typo by @mountdisk in expressjs/express#6609

build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in expressjs/express#6618

add deprecation warnings for redirect arguments undefined by @bjohansebas in expressjs/express#6405

ci: run CI when the markdown changes by @bjohansebas in expressjs/express#6632

doc: fix CONTRIBUTING link by @jonchurch in expressjs/express#6653

doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in expressjs/express#6601

build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in expressjs/express#6679

build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in expressjs/express#6678

lint: add --fix flag to automatic fix linting issue by @shivarm in expressjs/express#6644

chore: ignore yarn.lock file and update example by @shivarm in expressjs/express#6588

lib: use req.socket over deprecated req.connection by @bjohansebas in expressjs/express#6705

doc: update express app example by @shivarm in expressjs/express#6718

build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in expressjs/express#6675

Remove history.md from being packaged on publish by @sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: body-parser@^2.2.1

A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

Add support for Uint8Array in res.send()

Add support for ETag option in res.sendFile()

Add support for multiple links with the same rel in res.links()

Add funding field to package.json

perf: use loop for acceptParams

refactor: prefix built-in node module imports

deps: remove setprototypeof

deps: remove safe-buffer

deps: remove utils-merge

deps: remove methods

deps: remove depd

deps: debug@^4.4.0

deps: body-parser@^2.2.0

deps: router@^2.2.0

deps: content-type@^1.0.5

deps: finalhandler@^2.1.0

deps: qs@^6.14.0

deps: server-static@2.2.0

deps: type-is@2.0.1

5.0.1 / 2024-10-08

Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

remove:

path-is-absolute dependency - use path.isAbsolute instead

breaking:

res.status() accepts only integers, and input must be greater than 99 and less than 1000

will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range

will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs

deps: send@1.0.0

... (truncated)

Commits

dbac741 5.2.1
697547c Revert "sec: security patch for CVE-2024-51999"
4007ad1 Release: 5.2.0 (#6920)
2f64f68 sec: security patch for CVE-2024-51999
ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
758d435 deps: body-parser@^2.2.1 (#6922)
77bcd52 docs: update emeritus triagers (#6890)
f33caf1 Nominate to @efekrskl for triage team (#6888)
Additional commits viewable in compare view

Updates express-session from 1.18.2 to 1.19.0

Release notes

Sourced from express-session's releases.

v1.19.0

What's Changed

Main Changes
Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.
var app = express()
app.use(session({
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: true,
  cookie: function (req) {
    var match = req.url.match(/^\/([^/]+)/);
    return {
      path: match ? '/' + match[1] : '/',
      httpOnly: true,
      secure: req.secure || false,
      maxAge: 60000
    }
  }
}))
Add sameSite 'auto' support for automatic SameSite attribute configuration Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

deps: use tilde notation for dependencies
PRs

chore: add funding to package.json by @bjohansebas in expressjs/session#1071

build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @dependabot[bot] in expressjs/session#1086

build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @dependabot[bot] in expressjs/session#1085

build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in expressjs/session#1091

build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in expressjs/session#1090

build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in expressjs/session#1089

build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @dependabot[bot] in expressjs/session#1088

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @dependabot[bot] in expressjs/session#1082

refactor: remove unused sess parameter from generateSessionId fun… by @Ayoub-Mabrouk in expressjs/session#1001

chore: remove history.md from being packaged on publish by @bjohansebas in expressjs/session#1097

deps: use tilde notation for dependencies by @bjohansebas in expressjs/session#1096

Add sameSite 'auto' support to match secure 'auto' pattern by @djunehor in expressjs/session#1087

feat: add support to dynamic cookie options by @lincond in expressjs/session#1027

Release: 1.19.0 by @UlisesGascon in expressjs/session#1107

New Contributors

@Ayoub-Mabrouk made their first contribution in expressjs/session#1001

@djunehor made their first contribution in expressjs/session#1087

@lincond made their first contribution in expressjs/session#1027

... (truncated)

Changelog

Sourced from express-session's changelog.

1.19.0 / 2026-01-22

Add dynamic cookie options support

Add sameSite 'auto' support for automatic SameSite attribute configuration

deps: use tilde notation for dependencies

Commits

c10b2a3 1.19.0 (#1107)
2673736 feat: add support to dynamic cookie options (#1027)
73e0193 Add sameSite 'auto' support to match secure 'auto' pattern (#1087)
264b6a0 deps: use tilde notation for dependencies (#1096)
6d69f09 chore: remove history.md from being packaged on publish (#1097)
00b8a5f refactor: remove unused sess parameter from generateSessionId function (#...
2cd6561 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1082)
1307f30 build(deps): bump actions/checkout from 4.2.2 to 6.0.0 (#1088)
0e7a438 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#1089)
a095a9a build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1090)
Additional commits viewable in compare view

Updates http-proxy-middleware from 3.0.5 to 4.0.0

Release notes

Sourced from http-proxy-middleware's releases.

v4.0.0

Notable changes

Switched proxy from http-proxy to httpxy ✨ (chimurai/http-proxy-middleware#1160) This replaces a long-standing core dependency and brings in many upstream fixes and behavior improvements documented by the httpxy project: unjs/httpxy#2

many fixes: https://github.com/unjs/httpxy/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aclosed

http/2 support: unjs/httpxy#102

performance: unjs/httpxy#124

ESM-only package [BREAKING CHANGE] 💣 http-proxy-middleware now ships as native ES modules only. CommonJS require() usage is no longer supported, so imports should use ESM syntax.

Updated Node.js support policy [BREAKING CHANGE] 💣 Dropped Node.js 14, 16, 18, and 20. New minimum supported runtime is Node.js 22.15.0

Removed legacyCreateProxyMiddleware() [BREAKING CHANGE] 💣 The legacy compatibility wrapper has been removed as part of API cleanup. Use createProxyMiddleware() directly.

Added IPv6 literal support ✨ target and forward now support literal IPv6 URLs, for example: http://[::1]:3000.

Experimental Hono support 🧪 Added createHonoProxyMiddleware() for Hono apps, including dedicated subpath support via http-proxy-middleware/hono.

Many thanks to everyone who helped make this release possible. 🙏

What's Changed

fix(types): fix Logger type by @chimurai in chimurai/http-proxy-middleware#1104

fix(fixRequestBody): support text/plain by @knudtty in chimurai/http-proxy-middleware#1103

chore(examples): bump deps by @chimurai in chimurai/http-proxy-middleware#1105

build(prettier): improve prettier setup by @chimurai in chimurai/http-proxy-middleware#1108

chore(deps): fix punycode node deprecation warning by @chimurai in chimurai/http-proxy-middleware#1109

chore(examples): bump deps by @chimurai in chimurai/http-proxy-middleware#1110

build(codespaces): add devcontainer.json by @chimurai in chimurai/http-proxy-middleware#1112

chore(package): bump dev dependencies by @chimurai in chimurai/http-proxy-middleware#1116

ci(github-action): ci.yml add node v24 by @chimurai in chimurai/http-proxy-middleware#1117

chore(package): bump dev dependencies by @chimurai in chimurai/http-proxy-middleware#1118

chore(package): upgrade to jest v30 by @chimurai in chimurai/http-proxy-middleware#1122

chore(examples): upgrade deps by @chimurai in chimurai/http-proxy-middleware#1124

chore(package): update dev deps by @chimurai in chimurai/http-proxy-middleware#1125

test(websocket): fix ws import by @chimurai in chimurai/http-proxy-middleware#1126

chore(refactor): use node: protocol imports by @chimurai in chimurai/http-proxy-middleware#1127

ci(node24): pin node24 due to TLS issue with mockttp by @chimurai in chimurai/http-proxy-middleware#1137

docs(recipes/pathRewrite.md): fix comment by @DEBargha2004 in chimurai/http-proxy-middleware#1135

chore(package): bump dev deps by @chimurai in chimurai/http-proxy-middleware#1138

chore(deps): update actions/checkout action to v5 by @chimurai in chimurai/http-proxy-middleware#1140

fix(error-response-plugin): sanitize input by @chimurai in chimurai/http-proxy-middleware#1141

chore(package.json): update dev deps by @chimurai in chimurai/http-proxy-middleware#1143

... (truncated)

Changelog

Sourced from http-proxy-middleware's changelog.

v4.0.0

fix(types): fix Logger type

fix(error-response-plugin): sanitize input

feat: drop node v14/v16/v18 [BREAKING CHANGE]

refactor: replace http-proxy w/ httpxy

chore: remove legacyCreateProxyMiddleware() [BREAKING CHANGE]

ci: migrate from jest to vitest

chore(package.json): esm only [BREAKING CHANGE]

chore(package.json): bump to httpxy 0.5.0 (#1183)

chore(package.json): drop node20 [BREAKING CHANGE] (#1179)

refactor: remove deprecated url.parse() (#1176)

fix(fixRequestBody): support content-encoding on request body (#1142)

fix: prevent TypeError when ws enabled but server is undefined (#1163)

fix: applyPathRewrite logs old req.url instead of rewritten path (#1157)

feat(hono): support for hono with createHonoProxyMiddleware

feat(ipv6): support literal IPv6 addresses in target and forward options (ie. "http://[::1]:8000")

chore(packag...
Description has been truncated

Bumps the all-dependencies group with 31 updates in the /frontend directory: | Package | From | To | | --- | --- | --- | | [axios](https://github.com/axios/axios) | `1.16.0` | `1.16.1` | | [cors](https://github.com/expressjs/cors) | `2.8.5` | `2.8.6` | | [express](https://github.com/expressjs/express) | `4.22.2` | `5.2.1` | | [express-session](https://github.com/expressjs/session) | `1.18.2` | `1.19.0` | | [http-proxy-middleware](https://github.com/chimurai/http-proxy-middleware) | `3.0.5` | `4.0.0` | | [moment-timezone](https://github.com/moment/moment-timezone) | `0.5.46` | `0.6.2` | | [nconf](https://github.com/flatiron/nconf) | `0.12.1` | `0.13.0` | | [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `18.3.1` | `19.2.7` | | [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `18.3.1` | `19.2.7` | | [react-redux](https://github.com/reduxjs/react-redux) | `9.1.2` | `9.3.0` | | [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `6.30.3` | `7.16.0` | | [react-switch](https://github.com/markusenglund/react-switch) | `7.0.0` | `7.1.0` | | [react-tooltip](https://github.com/ReactTooltip/react-tooltip) | `5.28.0` | `6.0.6` | | [@babel/cli](https://github.com/babel/babel/tree/HEAD/packages/babel-cli) | `7.25.9` | `7.29.7` | | [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) | `7.26.0` | `7.29.7` | | [@babel/eslint-parser](https://github.com/babel/babel/tree/HEAD/eslint/babel-eslint-parser) | `7.25.9` | `7.29.7` | | [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) | `7.26.0` | `7.29.7` | | [@babel/preset-react](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-react) | `7.25.9` | `7.29.7` | | [@webpack-cli/serve](https://github.com/webpack/webpack-cli) | `2.0.5` | `3.0.1` | | [babel-jest](https://github.com/jestjs/jest/tree/HEAD/packages/babel-jest) | `29.7.0` | `30.4.1` | | [babel-loader](https://github.com/babel/babel-loader) | `9.2.1` | `10.1.1` | | [eslint](https://github.com/eslint/eslint) | `8.57.0` | `10.4.1` | | [eslint-config-prettier](https://github.com/prettier/eslint-config-prettier) | `9.1.0` | `10.1.8` | | [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import) | `2.31.0` | `2.32.0` | | [eslint-plugin-react](https://github.com/jsx-eslint/eslint-plugin-react) | `7.37.2` | `7.37.5` | | [eslint-webpack-plugin](https://github.com/webpack/eslint-webpack-plugin) | `4.2.0` | `6.0.0` | | [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `29.7.0` | `30.4.2` | | [nodemon](https://github.com/remy/nodemon) | `3.1.7` | `3.1.14` | | [react-test-renderer](https://github.com/facebook/react/tree/HEAD/packages/react-test-renderer) | `18.3.1` | `19.2.7` | | [webpack](https://github.com/webpack/webpack) | `5.105.0` | `5.107.2` | | [webpack-cli](https://github.com/webpack/webpack-cli) | `5.1.4` | `7.0.3` | Updates `axios` from 1.16.0 to 1.16.1 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.16.0...v1.16.1) Updates `cors` from 2.8.5 to 2.8.6 - [Release notes](https://github.com/expressjs/cors/releases) - [Changelog](https://github.com/expressjs/cors/blob/master/HISTORY.md) - [Commits](expressjs/cors@v2.8.5...v2.8.6) Updates `express` from 4.22.2 to 5.2.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@v4.22.2...v5.2.1) Updates `express-session` from 1.18.2 to 1.19.0 - [Release notes](https://github.com/expressjs/session/releases) - [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md) - [Commits](expressjs/session@v1.18.2...v1.19.0) Updates `http-proxy-middleware` from 3.0.5 to 4.0.0 - [Release notes](https://github.com/chimurai/http-proxy-middleware/releases) - [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/master/CHANGELOG.md) - [Commits](chimurai/http-proxy-middleware@v3.0.5...v4.0.0) Updates `moment-timezone` from 0.5.46 to 0.6.2 - [Release notes](https://github.com/moment/moment-timezone/releases) - [Changelog](https://github.com/moment/moment-timezone/blob/develop/changelog.md) - [Commits](moment/moment-timezone@0.5.46...0.6.2) Updates `nconf` from 0.12.1 to 0.13.0 - [Release notes](https://github.com/flatiron/nconf/releases) - [Changelog](https://github.com/indexzero/nconf/blob/v0.13.0/CHANGELOG.md) - [Commits](indexzero/nconf@v0.12.1...v0.13.0) Updates `react` from 18.3.1 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react) Updates `react-dom` from 18.3.1 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom) Updates `react-redux` from 9.1.2 to 9.3.0 - [Release notes](https://github.com/reduxjs/react-redux/releases) - [Changelog](https://github.com/reduxjs/react-redux/blob/master/CHANGELOG.md) - [Commits](reduxjs/react-redux@v9.1.2...v9.3.0) Updates `react-router-dom` from 6.30.3 to 7.16.0 - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.16.0/packages/react-router-dom) Updates `react-switch` from 7.0.0 to 7.1.0 - [Changelog](https://github.com/markusenglund/react-switch/blob/master/CHANGELOG.md) - [Commits](https://github.com/markusenglund/react-switch/commits) Updates `react-tooltip` from 5.28.0 to 6.0.6 - [Release notes](https://github.com/ReactTooltip/react-tooltip/releases) - [Changelog](https://github.com/ReactTooltip/react-tooltip/blob/master/CHANGELOG.md) - [Commits](ReactTooltip/react-tooltip@v5.28.0...v6.0.6) Updates `@babel/cli` from 7.25.9 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-cli) Updates `@babel/core` from 7.26.0 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-core) Updates `@babel/eslint-parser` from 7.25.9 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/eslint/babel-eslint-parser) Updates `@babel/preset-env` from 7.26.0 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-preset-env) Updates `@babel/preset-react` from 7.25.9 to 7.29.7 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-preset-react) Updates `@webpack-cli/serve` from 2.0.5 to 3.0.1 - [Release notes](https://github.com/webpack/webpack-cli/releases) - [Changelog](https://github.com/webpack/webpack-cli/blob/main/CHANGELOG.md) - [Commits](https://github.com/webpack/webpack-cli/compare/@webpack-cli/serve@2.0.5...@webpack-cli/serve@3.0.1) Updates `babel-jest` from 29.7.0 to 30.4.1 - [Release notes](https://github.com/jestjs/jest/releases) - [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/jestjs/jest/commits/v30.4.1/packages/babel-jest) Updates `babel-loader` from 9.2.1 to 10.1.1 - [Release notes](https://github.com/babel/babel-loader/releases) - [Changelog](https://github.com/babel/babel-loader/blob/main/CHANGELOG.md) - [Commits](babel/babel-loader@v9.2.1...v10.1.1) Updates `eslint` from 8.57.0 to 10.4.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v8.57.0...v10.4.1) Updates `eslint-config-prettier` from 9.1.0 to 10.1.8 - [Release notes](https://github.com/prettier/eslint-config-prettier/releases) - [Changelog](https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md) - [Commits](prettier/eslint-config-prettier@v9.1.0...v10.1.8) Updates `eslint-plugin-import` from 2.31.0 to 2.32.0 - [Release notes](https://github.com/import-js/eslint-plugin-import/releases) - [Changelog](https://github.com/import-js/eslint-plugin-import/blob/main/CHANGELOG.md) - [Commits](import-js/eslint-plugin-import@v2.31.0...v2.32.0) Updates `eslint-plugin-react` from 7.37.2 to 7.37.5 - [Release notes](https://github.com/jsx-eslint/eslint-plugin-react/releases) - [Changelog](https://github.com/jsx-eslint/eslint-plugin-react/blob/master/CHANGELOG.md) - [Commits](jsx-eslint/eslint-plugin-react@v7.37.2...v7.37.5) Updates `eslint-webpack-plugin` from 4.2.0 to 6.0.0 - [Release notes](https://github.com/webpack/eslint-webpack-plugin/releases) - [Changelog](https://github.com/webpack/eslint-webpack-plugin/blob/main/CHANGELOG.md) - [Commits](webpack/eslint-webpack-plugin@v4.2.0...v6.0.0) Updates `jest` from 29.7.0 to 30.4.2 - [Release notes](https://github.com/jestjs/jest/releases) - [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest) Updates `nodemon` from 3.1.7 to 3.1.14 - [Release notes](https://github.com/remy/nodemon/releases) - [Commits](remy/nodemon@v3.1.7...v3.1.14) Updates `react-test-renderer` from 18.3.1 to 19.2.7 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-test-renderer) Updates `webpack` from 5.105.0 to 5.107.2 - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](webpack/webpack@v5.105.0...v5.107.2) Updates `webpack-cli` from 5.1.4 to 7.0.3 - [Release notes](https://github.com/webpack/webpack-cli/releases) - [Changelog](https://github.com/webpack/webpack-cli/blob/main/CHANGELOG.md) - [Commits](https://github.com/webpack/webpack-cli/compare/webpack-cli@5.1.4...webpack-cli@7.0.3) --- updated-dependencies: - dependency-name: axios dependency-version: 1.16.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-dependencies - dependency-name: cors dependency-version: 2.8.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-dependencies - dependency-name: express dependency-version: 5.2.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: express-session dependency-version: 1.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: http-proxy-middleware dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: moment-timezone dependency-version: 0.6.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: nconf dependency-version: 0.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: react dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: react-dom dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: react-redux dependency-version: 9.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: react-router-dom dependency-version: 7.16.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: react-switch dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: react-tooltip dependency-version: 6.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: "@babel/cli" dependency-version: 7.29.7 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: "@babel/core" dependency-version: 7.29.7 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: "@babel/eslint-parser" dependency-version: 7.29.7 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: "@babel/preset-env" dependency-version: 7.29.7 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: "@babel/preset-react" dependency-version: 7.29.7 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: "@webpack-cli/serve" dependency-version: 3.0.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: babel-jest dependency-version: 30.4.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: babel-loader dependency-version: 10.1.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: eslint dependency-version: 10.4.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: eslint-config-prettier dependency-version: 10.1.8 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: eslint-plugin-import dependency-version: 2.32.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: eslint-plugin-react dependency-version: 7.37.5 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: all-dependencies - dependency-name: eslint-webpack-plugin dependency-version: 6.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: jest dependency-version: 30.4.2 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: nodemon dependency-version: 3.1.14 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: all-dependencies - dependency-name: react-test-renderer dependency-version: 19.2.7 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: webpack dependency-version: 5.107.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: webpack-cli dependency-version: 7.0.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 3, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the all-dependencies group across 1 directory with 31 updates#490

Bump the all-dependencies group across 1 directory with 31 updates#490
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/all-dependencies-458fe838ac

dependabot Bot commented on behalf of github Jun 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 3, 2026

v1.16.1 — May 13, 2026

🔒 Security Fixes

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

v1.16.1 — May 13, 2026

🔒 Security Fixes

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

v2.8.6

What's Changed

New Contributors

2.8.6 / 2026-01-22

v5.2.1

What's Changed

v5.2.0

Important: Security

What's Changed

5.2.1 / 2025-12-01

5.2.0 / 2025-12-01

5.1.0 / 2025-03-31

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

v1.19.0

What's Changed

Main Changes

PRs

New Contributors

1.19.0 / 2026-01-22

v4.0.0

Notable changes

What's Changed

v4.0.0

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants