build(deps): bump the security-all group across 1 directory with 19 updates#35

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/security-all-307383c042

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Bumps the security-all group with 16 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| electron | 27.0.2 | 39.8.5 |
| @babel/runtime | 7.23.2 | 7.29.7 |
| @sentry/browser | 7.74.0 | 10.50.0 |
| braces | 3.0.2 | 3.0.3 |
| cookie | 0.5.0 | 0.7.2 |
| express | 4.18.2 | 4.22.2 |
| follow-redirects | 1.15.2 | 1.16.0 |
| immutable | 4.3.0 | 5.1.6 |
| ip | 2.0.0 | removed |
| lodash | 4.17.21 | 4.18.1 |
| node-forge | 1.3.1 | 1.4.0 |
| on-headers | 1.0.2 | 1.1.0 |
| postcss | 8.4.24 | 8.5.15 |
| serialize-javascript | 6.0.1 | 6.0.2 |
| tmp | 0.2.1 | 0.2.7 |
| webpack | 5.88.0 | 5.107.2 |

Updates electron from 27.0.2 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

  • Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
  • Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

  • Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
  • Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
  • Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
  • Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

  • Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
  • Backported fix for 485935305. #50440
  • Backported fix for 489381399. #50443
  • Backported fix for chromium:475877320. #50436
  • Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

  • Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
  • Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

  • Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

  • Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
  • Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
  • Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
  • Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
  • Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits
  • 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
  • 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
  • be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
  • 7007907 chore: cherry-pick 3 changes from chromium (#50461)
  • 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
  • 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
  • 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
  • 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
  • 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
  • 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
  • Additional commits viewable in compare view

Updates @babel/runtime from 7.23.2 to 7.29.7

Release notes

Sourced from @​babel/runtime's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

  • babel-preset-env
    • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

  • babel-parser

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/runtime since your current version.


Updates @sentry/browser from 7.74.0 to 10.50.0

Release notes

Sourced from @​sentry/browser's releases.

10.50.0

Important Changes

  • feat(effect): Support v4 beta (#20394)

    The @sentry/effect integration now supports Effect v4 beta, enabling Sentry instrumentation for the latest Effect framework version. Read more in the Effect SDK readme.

  • feat(hono): Add @sentry/hono/bun for Bun runtime (#20355)

    A new @sentry/hono/bun entry point adds first-class support for running Hono applications instrumented with Sentry on the Bun runtime. Read more in the Hono SDK readme.

  • feat(replay): Add replayStart/replayEnd client lifecycle hooks (#20369)

    New replayStart and replayEnd client lifecycle hooks let you react to replay session start and end events in your application.

Other Changes

  • feat(core): Emit no_parent_span client outcomes for discarded spans requiring a parent (#20350)
  • feat(deps): Bump protobufjs from 7.5.4 to 7.5.5 (#20372)
  • feat(hono): Add runtime packages as optional peer dependencies (#20423)
  • feat(opentelemetry): Add tracingChannel utility for context propagation (#20358)
  • fix(browser): Enrich graphqlClient spans for relative URLs (#20370)
  • fix(browser): Filter implausible LCP values (#20338)
  • fix(cloudflare): Use TransformStream to keep track of streams (#20452)
  • fix(console): Re-patch console in AWS Lambda runtimes (#20337)
  • fix(core): Correct GoogleGenAIIstrumentedMethod typo in type name
  • fix(core): Handle stateless MCP wrapper transport correlation (#20293)
  • fix(hono): Remove undefined from options type (#20419)
  • fix(node): Guard against null httpVersion in outgoing request span attributes (#20430)
  • fix(node-core): Pass rejection reason instead of Promise as originalException (#20366)
  • chore: Ignore claude worktrees (#20440)
  • chore: Prevent test from creating zombie process (#20392)
  • chore: Update size-limit (#20412)
  • chore(dev-deps): Bump nx from 22.5.0 to 22.6.5 (#20458)
  • chore(e2e-tests): Use tarball symlinks for E2E tests instead of verdaccio (#20386)
  • chore(lint): Remove lint warnings (#20413)
  • chore(test): Remove empty variant tests (#20443)
  • chore(tests): Use verdaccio as node process instead of docker image (#20336)
  • docs(readme): Update usage instructions for binary scripts (#20426)
  • ref(node): Vendor undici instrumentation (#20190)
  • test(aws-serverless): Ensure aws-serverless E2E tests run locally (#20441)
  • test(aws-serverless): Split npm & layer tests (#20442)
  • test(browser): Fix flaky sessions route-lifecycle test + upgrade axios (#20197)
  • test(cloudflare): Use .makeRequestAndWaitForEnvelope to wait for envelopes (#20208)

... (truncated)

Changelog

Sourced from @​sentry/browser's changelog.

10.50.0

Important Changes

  • feat(effect): Support v4 beta (#20394)

    The @sentry/effect integration now supports Effect v4 beta, enabling Sentry instrumentation for the latest Effect framework version. Read more in the Effect SDK readme.

  • feat(hono): Add @sentry/hono/bun for Bun runtime (#20355)

    A new @sentry/hono/bun entry point adds first-class support for running Hono applications instrumented with Sentry on the Bun runtime. Read more in the Hono SDK readme.

  • feat(replay): Add replayStart/replayEnd client lifecycle hooks (#20369)

    New replayStart and replayEnd client lifecycle hooks let you react to replay session start and end events in your application.

Other Changes

  • feat(core): Emit no_parent_span client outcomes for discarded spans requiring a parent (#20350)
  • feat(deps): Bump protobufjs from 7.5.4 to 7.5.5 (#20372)
  • feat(hono): Add runtime packages as optional peer dependencies (#20423)
  • feat(opentelemetry): Add tracingChannel utility for context propagation (#20358)
  • fix(browser): Enrich graphqlClient spans for relative URLs (#20370)
  • fix(browser): Filter implausible LCP values (#20338)
  • fix(cloudflare): Use TransformStream to keep track of streams (#20452)
  • fix(console): Re-patch console in AWS Lambda runtimes (#20337)
  • fix(core): Correct GoogleGenAIIstrumentedMethod typo in type name
  • fix(core): Handle stateless MCP wrapper transport correlation (#20293)
  • fix(hono): Remove undefined from options type (#20419)
  • fix(node): Guard against null httpVersion in outgoing request span attributes (#20430)
  • fix(node-core): Pass rejection reason instead of Promise as originalException (#20366)
  • chore: Ignore claude worktrees (#20440)
  • chore: Prevent test from creating zombie process (#20392)
  • chore: Update size-limit (#20412)
  • chore(dev-deps): Bump nx from 22.5.0 to 22.6.5 (#20458)
  • chore(e2e-tests): Use tarball symlinks for E2E tests instead of verdaccio (#20386)
  • chore(lint): Remove lint warnings (#20413)
  • chore(test): Remove empty variant tests (#20443)
  • chore(tests): Use verdaccio as node process instead of docker image (#20336)
  • docs(readme): Update usage instructions for binary scripts (#20426)
  • ref(node): Vendor undici instrumentation (#20190)
  • test(aws-serverless): Ensure aws-serverless E2E tests run locally (#20441)
  • test(aws-serverless): Split npm & layer tests (#20442)
  • test(browser): Fix flaky sessions route-lifecycle test + upgrade axios (#20197)

... (truncated)

Commits
  • 785e756 release: 10.50.0
  • ed26a19 Merge pull request #20461 from getsentry/prepare-release/10.50.0
  • 7b584c4 meta(changelog): Update changelog for 10.50.0
  • 39740da test(cloudflare): Use .makeRequestAndWaitForEnvelope to wait for envelopes (#...
  • c741030 test(aws-serverless): Split npm & layer tests (#20442)
  • f97076d chore(dev-deps): Bump nx from 22.5.0 to 22.6.5 (#20458)
  • 4b4ac76 fix(node): Guard against null httpVersion in outgoing request span attribut...
  • 7569b10 fix(cloudflare): Use TransformStream to keep track of streams (#20452)
  • a4c9686 test(hono): Add E2E tests for middleware spans (#20451)
  • ff23846 chore: Ignore claude worktrees (#20440)
  • Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

Updates cookie from 0.5.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

  • Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

  • Allow leading dot for domain (#174)
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

  • Add partitioned option
Commits
Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.


Updates express from 4.18.2 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

New Contributors

Full Changelog: expressjs/express@v4.22.1...v4.22.2

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

4.22.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


Updates follow-redirects from 1.15.2 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • 21ef28a Release version 1.15.11 of the npm package.
  • 7c88135 Roll back tree shaking.
  • 6e389ba Release version 1.15.10 of the npm package.
  • 5bc496e Shake me up before you go-go.
  • 694d6b4 Bump minimist from 1.2.5 to 1.2.8
  • Additional commits viewable in compare view

Updates immutable from 4.3.0 to 5.1.6

Release notes

Sourced from immutable's releases.

v5.1.6

What's Changed

Internal

Full Changelog: immutable-js/immutable-js@v5.1.5...v5.1.6

v5.1.5

What's Changed

Full Changelog: immutable-js/immutable-js@v5.1.4...v5.1.5

v5.1.4

What's Changed

Documentation

Internal

  • chore: Sort all imports and ac...

    Description has been truncated

…pdates

Bumps the security-all group with 16 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [electron](https://github.com/electron/electron) | `27.0.2` | `39.8.5` |
| [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) | `7.23.2` | `7.29.7` |
| [@sentry/browser](https://github.com/getsentry/sentry-javascript) | `7.74.0` | `10.50.0` |
| [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` |
| [cookie](https://github.com/jshttp/cookie) | `0.5.0` | `0.7.2` |
| [express](https://github.com/expressjs/express) | `4.18.2` | `4.22.2` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.2` | `1.16.0` |
| [immutable](https://github.com/immutable-js/immutable-js) | `4.3.0` | `5.1.6` |
| [ip](https://github.com/indutny/node-ip) | `2.0.0` | `removed` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.4.0` |
| [on-headers](https://github.com/jshttp/on-headers) | `1.0.2` | `1.1.0` |
| [postcss](https://github.com/postcss/postcss) | `8.4.24` | `8.5.15` |
| [serialize-javascript](https://github.com/yahoo/serialize-javascript) | `6.0.1` | `6.0.2` |
| [tmp](https://github.com/raszi/node-tmp) | `0.2.1` | `0.2.7` |
| [webpack](https://github.com/webpack/webpack) | `5.88.0` | `5.107.2` |



Updates `electron` from 27.0.2 to 39.8.5
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v27.0.2...v39.8.5)

Updates `@babel/runtime` from 7.23.2 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-runtime)

Updates `@sentry/browser` from 7.74.0 to 10.50.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@7.74.0...10.50.0)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `cookie` from 0.5.0 to 0.7.2
- [Release notes](https://github.com/jshttp/cookie/releases)
- [Commits](jshttp/cookie@v0.5.0...v0.7.2)

Updates `express` from 4.18.2 to 4.22.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@4.18.2...v4.22.2)

Updates `express` from 4.18.2 to 4.22.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@4.18.2...v4.22.2)

Updates `follow-redirects` from 1.15.2 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.2...v1.16.0)

Updates `immutable` from 4.3.0 to 5.1.6
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v4.3.0...v5.1.6)

Removes `ip`

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `node-forge` from 1.3.1 to 1.4.0
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.4.0)

Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](jshttp/on-headers@v1.0.2...v1.1.0)

Updates `postcss` from 8.4.24 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.4.24...8.5.15)

Updates `qs` from 6.11.0 to 6.15.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.11.0...v6.15.2)

Updates `send` from 0.18.0 to 0.19.2
- [Release notes](https://github.com/pillarjs/send/releases)
- [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md)
- [Commits](pillarjs/send@0.18.0...0.19.2)

Updates `serialize-javascript` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.1...v6.0.2)

Updates `serve-static` from 1.15.0 to 1.16.3
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md)
- [Commits](expressjs/serve-static@v1.15.0...v1.16.3)

Updates `tmp` from 0.2.1 to 0.2.7
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.2.1...v0.2.7)

Updates `webpack` from 5.88.0 to 5.107.2
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.88.0...v5.107.2)

---
updated-dependencies:
- dependency-name: electron
  dependency-version: 39.8.5
  dependency-type: direct:development
  dependency-group: security-all
- dependency-name: "@babel/runtime"
  dependency-version: 7.29.7
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: "@sentry/browser"
  dependency-version: 10.50.0
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: cookie
  dependency-version: 0.7.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: express
  dependency-version: 4.22.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: express
  dependency-version: 4.22.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: immutable
  dependency-version: 5.1.6
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: ip
  dependency-version:
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: node-forge
  dependency-version: 1.4.0
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: on-headers
  dependency-version: 1.1.0
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: send
  dependency-version: 0.19.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: serialize-javascript
  dependency-version: 6.0.2
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: serve-static
  dependency-version: 1.16.3
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: tmp
  dependency-version: 0.2.7
  dependency-type: indirect
  dependency-group: security-all
- dependency-name: webpack
  dependency-version: 5.107.2
  dependency-type: indirect
  dependency-group: security-all
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 8, 2026