Bump the npm_and_yarn group across 1 directory with 37 updates

[dependabot]

Bumps the npm_and_yarn group with 33 updates in the /turbopack/crates/turbopack-tracing/tests/node-file-trace directory:

Package	From	To
@google-cloud/firestore	4.15.1	6.2.0
aws-sdk	2.1240.0	2.1693.0
axios	0.21.4	0.30.2
esbuild	0.15.12	0.25.0
express	4.18.2	4.22.0
firebase	7.24.0	10.9.0
koa	2.13.4	3.0.3
mongoose	5.13.15	6.13.6
prismjs	1.29.0	1.30.0
pug	3.0.2	3.0.3
semver	7.3.8	7.5.2
vm2	3.9.11	3.10.2
@babel/helpers	7.19.4	7.28.6
@smithy/config-resolver	4.1.4	4.4.6
body-parser	1.20.1	1.20.4
brace-expansion	1.1.11	1.1.12
browserify-sign	4.2.1	4.2.5
cipher-base	1.0.4	1.0.7
cross-spawn	6.0.5	6.0.6
es5-ext	0.10.62	0.10.64
jose	2.0.6	2.0.7
jws	3.2.2	3.2.3
lodash	4.17.21	4.17.23
min-document	2.19.0	2.19.2
msgpackr	1.7.2	1.11.8
nodemailer	6.8.0	6.10.1
pbkdf2	3.1.2	3.1.5
sha.js	2.4.11	2.4.12
socket.io-parser	3.3.2	3.3.4
tar-fs	2.1.1	2.1.4
tar	6.1.11	6.2.1
validator	13.7.0	13.15.26
word-wrap	1.2.3	1.2.5

Updates @google-cloud/firestore from 4.15.1 to 6.2.0

Release notes

Sourced from @​google-cloud/firestore's releases.

v6.2.0

6.2.0 (2022-09-13)

Features

• Use REST (#1698) (d85b0e9)

Bug Fixes

• Minify proto JSON files (#1771) (6393fe7)
• Remove hack in update.sh, and replace with existing pattern for protobuf dependencies. (#1769) (6ba6751)

v6.1.0

6.1.0 (2022-09-07)

Features

• Accept google-gax instance as a parameter (#1757) (ef59a22)

Bug Fixes

• Better support for fallback mode (#1756) (a029a6e)
• Don't allow serialization of firestore settings (#1742) (fa0ad66)
• Pin Typescript to prevent new type checking. (#1764) (dd01b27)
• Update GAX (#1758) (1931415)
• Version 7 of protobufjs broke the update.sh script. Added path to built in protobuf. (#1766) (40f1db3)

v6.0.0

6.0.0 (2022-07-22)

⚠ BREAKING CHANGES

• update library to use Node 12 (#1725)

Features

• Enable RunQueryResponse.done (#1712) (0cc549c)
• Support Logical Termination on RunQueryResponse (#1741) (07de28a)
• support regapic LRO (#1729) (b9d8fef)
• update client libraries to support Database operations (#1676) (533aade)

Bug Fixes

• change REST binding for ListDocuments to support root collection (#1695) (6185f13)

... (truncated)

Changelog

Sourced from @​google-cloud/firestore's changelog.

6.2.0 (2022-09-13)

Features

• Use REST (#1698) (d85b0e9)

Bug Fixes

• Minify proto JSON files (#1771) (6393fe7)
• Remove hack in update.sh, and replace with existing pattern for protobuf dependencies. (#1769) (6ba6751)

6.1.0 (2022-09-07)

Features

• Accept google-gax instance as a parameter (#1757) (ef59a22)

Bug Fixes

• Better support for fallback mode (#1756) (a029a6e)
• Don't allow serialization of firestore settings (#1742) (fa0ad66)
• Pin Typescript to prevent new type checking. (#1764) (dd01b27)
• Update GAX (#1758) (1931415)
• Version 7 of protobufjs broke the update.sh script. Added path to built in protobuf. (#1766) (40f1db3)

6.0.0 (2022-07-22)

⚠ BREAKING CHANGES

• update library to use Node 12 (#1725)

Features

• Enable RunQueryResponse.done (#1712) (0cc549c)
• Support Logical Termination on RunQueryResponse (#1741) (07de28a)
• support regapic LRO (#1729) (b9d8fef)
• update client libraries to support Database operations (#1676) (533aade)

Bug Fixes

• change REST binding for ListDocuments to support root collection (#1695) (6185f13)
• deps: update dependency protobufjs to v7 (#1747) (4e8d33c)
• split v1 and v1beta1 protos to improve startup time (#1664) (f3729cf)

... (truncated)

Commits

• 282ac8a chore(main): release 6.2.0 (#1770)
• 6393fe7 fix: minify proto JSON files (#1771)
• d85b0e9 feat: Use REST (#1698)
• 6ba6751 fix: Remove hack in update.sh, and replace with existing pattern for protobuf...
• 5eea279 chore(main): release 6.1.0 (#1753)
• 40f1db3 fix: Version 7 of protobufjs broke the update.sh script. Added path to built ...
• ef59a22 feat: accept google-gax instance as a parameter (#1757)
• dd01b27 fix: Pin Typescript to prevent new type checking. (#1764)
• 1931415 fix: Update GAX (#1758)
• a029a6e fix: better support for fallback mode (#1756)
• Additional commits viewable in compare view

Updates aws-sdk from 2.1240.0 to 2.1693.0

Release notes

Sourced from aws-sdk's releases.

Release v2.1693.0

See changelog for more information.

Release v2.1692.0

See changelog for more information.

Release v2.1691.0

See changelog for more information.

Release v2.1690.0

See changelog for more information.

Release v2.1689.0

See changelog for more information.

Release v2.1688.0

See changelog for more information.

Release v2.1687.0

See changelog for more information.

Release v2.1686.0

See changelog for more information.

Release v2.1685.0

See changelog for more information.

Release v2.1684.0

See changelog for more information.

Release v2.1683.0

See changelog for more information.

Release v2.1682.0

See changelog for more information.

Release v2.1681.0

See changelog for more information.

Release v2.1680.0

See changelog for more information.

Release v2.1679.0

See changelog for more information.

Release v2.1678.0

See changelog for more information.

Release v2.1677.0

See changelog for more information.

... (truncated)

Commits

• 9d3c66e Updates SDK to v2.1693.0
• c039567 test(client-elastictranscoder): remove feature test (#4711)
• f5b1a6f docs: end-of-support (#4706)
• 657d6fe chore: use ssh private key for git sync (#4705)
• c12585b chore: remove regression label management (#4699)
• 966fa6c Updates SDK to v2.1692.0
• 5d0e38a Delete EC2 launch configuration e2e tests (#4685)
• b9ce346 chore: fix issue config (#4683)
• c066681 Update issue template config and disable docs requests (#4682)
• 163a7cf Modified bug issue template to add checkbox to report potential regression. (...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by aws-sdk-bot, a new releaser for aws-sdk since your current version.

Updates axios from 0.21.4 to 0.30.2

Release notes

Sourced from axios's releases.

v0.30.2

What's Changed

• Backport maxContentLength vulnerability fix to v0.x by @​FeBe95 in axios/axios#7034

New Contributors

• @​FeBe95 made their first contribution in axios/axios#7034

Full Changelog: axios/axios@v0.30.1...v0.30.2

Release v0.30.1

Release notes:

Bug Fixes

• chore(deps): bump form-data from 4.0.0 to 4.0.4 for v0.x by @​wolandec in axios/axios#6978

Contributors to this release

• @​wolandec made their first contribution in axios/axios#6978

Full Changelog: axios/axios@v0.30.0...v0.30.1

Release v0.30.0

Release notes:

Bug Fixes

• fix: modify log while request is aborted by @​mori5321 in axios/axios#4917
• fix: update CHANGELOG.md for v0.x by @​TehZarathustra in axios/axios#6271
• fix: modify upgrade guide for 0.28.1's breaking change by @​nafeger in axios/axios#6787
• fix: backport allowAbsoluteUrls vulnerability fix to v0.x by @​thatguyinabeanie in axios/axios#6829
• fix: add allowAbsoluteUrls type by @​thatguyinabeanie in axios/axios#6849

Contributors to this release

• @​mori5321 made their first contribution in axios/axios#4917
• @​TehZarathustra made their first contribution in axios/axios#6271
• @​nafeger made their first contribution in axios/axios#6787
• @​thatguyinabeanie made their first contribution in axios/axios#6829

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Release notes:

Bug Fixes

• fix(backport): backport security fixes in commits #6167 and #6163 to v0.x by @​Sean-Powell in axios/axios#6402
• fix: omit nulls in params by @​Willshaw in axios/axios#6394
• fix(backport): fix paramsSerializer function validation by @​solonzhu in axios/axios#6361
• fix: Regular Expression Denial of Service (ReDoS) by @​qiongshusheng in axios/axios#6708

Contributors to this release

• @​Sean-Powell made their first contribution in axios/axios#6402
• @​Willshaw made their first contribution in axios/axios#6394
• @​solonzhu made their first contribution in axios/axios#6361

... (truncated)

Commits

• 2fcb4ec chore: v0.30.2
• 153f483 chore: preversion
• ee548ff fix: tests failing
• a1b1d3f fix: backport maxContentLength vulnerability fix to v0.x (#7034)
• b17c4de chore: build latest version
• ad6b82a chore: build latest version
• da447d5 chore(deps): bump form-data from 4.0.0 to 4.0.4 (#6978)
• 6e922e4 chore: added build artifacts
• a06ed1e chore: added pre-release artifacts
• c010622 feat: add type for allowAbsoluteUrls (#6849)
• Additional commits viewable in compare view

Updates esbuild from 0.15.12 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates express from 4.18.2 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

... (truncated)

Commits

• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• 3a5edfa fix(ci): updated github actions ci workflow (#6323)
• 52d9781 fix(test): add test for method routes without paths #5955
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates firebase from 7.24.0 to 10.9.0

Commits

• 1eb302f Version Packages (#8063)
• b498867 Merge master into release
• ce88e71 snapshot listeners source from cache (#7982)
• 6d487d7 Prevent using authTokenSyncURL if the string begins with a double slash (#8060)
• b4d59d6 Merge master into release
• 2b22838 Fix glob pattern to work with Node 20 and its NPM version (#8059)
• feb5038 Update CI node.js versions to 20.x (#8055)
• 245dd26 Enforce authTokenSyncURL being a path and not a url. (#8056)
• e60188d Version Packages (#8046)
• 7e2efbf Merge master into release
• Additional commits viewable in compare view

Updates koa from 2.13.4 to 3.0.3

Release notes

Sourced from koa's releases.

v3.0.3

What's Changed

• fix: normalize referer before redirect by @​fengmk2 in koajs/koa#1908

Full Changelog: koajs/koa@v3.0.2...v3.0.3

v3.0.2

What's Changed

• fix: fixes response.attachment behaviour leads to Content-Type Sniffing by @​yowainwright in koajs/koa#1904
• chore: use NPM trusted publishing with semver tag triggers by @​Copilot in koajs/koa#1907

New Contributors

• @​Copilot made their first contribution in koajs/koa#1907

Full Changelog: koajs/koa@v3.0.1...v3.0.2

v3.0.1

What's Changed

• fix(security): only allow same origin referer on response back koajs/koa@422c551
• chore: adds initial doc text refresh; migration guide [CHORE-1870] by @​yowainwright in koajs/koa#1877
• build(deps-dev): bump formidable from 3.5.2 to 3.5.4 by @​dependabot[bot] in koajs/koa#1878
• chore: removes done callbacks in tests [CHORE-1870] by @​yowainwright in koajs/koa#1875
• build(deps-dev): bump supertest from 7.1.0 to 7.1.1 by @​dependabot[bot] in koajs/koa#1879
• build(deps): bump debug from 4.4.0 to 4.4.1 by @​dependabot[bot] in koajs/koa#1880
• feat: replace debug module with pure node:util::debuglog by @​3imed-jaberi in koajs/koa#1885
• feat: replace cache-content-type with mime-types directly by @​3imed-jaberi in koajs/koa#1886
• build(deps): bump statuses from 2.0.1 to 2.0.2 by @​dependabot[bot] in koajs/koa#1888
• build(deps-dev): bump supertest from 7.1.1 to 7.1.4 by @​dependabot[bot] in koajs/koa#1895
• build(deps-dev): bump form-data from 4.0.3 to 4.0.4 by @​dependabot[bot] in koajs/koa#1894

Full Changelog: koajs/koa@v3.0.0...v3.0.1

v3.0.0

This is a major release.

Breaking

• Minimum node v18
• Removes .redirect('back'), adds .back(fallback_url) @​fl0w koajs/koa#1115
• For .redirect(), don't render redirect values in anchor ref koajs/koa@ff25eb4
• req.origin should display the origin header if it exists, not the current hostname koajs/koa#1008. origin now aligns with the Origin header as used in CORS.
• .body=<json> should not overwrite type if type already json koajs/koa#1120
• Remove special ENOENT support koajs/koa#1861 - this is a big change and will require any file servers to adapt to this change for handling 404s / files not found
• Removes generator deprecation messages. Generators are no longer supported. Koa no longer asserts if generators are used. Set content-length: 0 if body is explicitly set to null @​ognjenjevremovic #1528 Remove obsolete createAsyncCtxStorageMiddleware koajs/koa#1817
• ctx.throw now requires a format of ctx.throw(status, error, properties). See: https://www.npmjs.com/package/http-errors

... (truncated)

Changelog

Sourced from koa's changelog.

[!IMPORTANT] Moving forwards we are using the GitHub releases page at https://github.com/koajs/koa/releases in combination with np for publishing releases and their changelogs.

---

3.0.0-alpha.3 / 2025-02-11

fixes

• Avoid redos on host and protocol getter

3.0.0-alpha.2 / 2024-11-04

breaking changes

• Update http-errors to v2.0.0 #1486
  • ctx.throw now requires a format of ctx.throw(status, error, properties). See: https://www.npmjs.com/package/http-errors
• Remove res.redirect('back'), add back() method to ctx #1115
• Replace node querystring with URLSearchParams #1828
• Remove obsolete createAsyncCtxStorageMiddleware #1817

features

• Add support for web WHATWG #1830

updates

• Update cookies to ~0.9.1 #1846
• Update statuses to ^2.0.1
• Update supertest to ^7.0.0 #1841

fixes

• Fix exports.defaults in package.json #1630
• Fix leaky handles in tests #1838
• Fix body null checks #1814
• Fix reformatting redirect URLs #1805 #1804
• Fix passing ctx in error handler #1758

migrations

• Migrate from jest to the native node test runner #1845

3.0.0-alpha.1 / 2023-04-12

fixes

• [e98b8d1] - fix: can not get currentContext in error handler (#1758) (Gxkl <gxkl203@gmail.com>)

3.0.0-alpha.0 / 2023-01-02

Breaking Changes

... (truncated)

Commits

• ffd497a 3.0.3
• 769fd75 fix: normalize referer before redirect (#1908)
• 433b20c 3.0.2
• 307013b chore: use NPM trusted publishing with semver tag triggers (#1907)
• 83128eb fix: fixes response.attachment behavior leads to Content-Type Sniffing (#1904)
• 1ddb048 3.0.1
• 422c551 Merge commit from fork
• 6e51eb1 build(deps-dev): bump form-data from 4.0.3 to 4.0.4 (#1894)
• d378e5c build(deps-dev): bump supertest from 7.1.1 to 7.1.4 (#1895)
• cb22d8d build(deps): bump statuses from 2.0.1 to 2.0.2 (#1888)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for koa since your current version.

Updates mongoose from 5.13.15 to 6.13.6

Release notes

Sourced from mongoose's releases.

6.13.6 / 2025-01-13

• fix: disallow nested $where in populate match

Changelog

Sourced from mongoose's changelog.

6.13.6 / 2025-01-13

• fix: disallow nested $where in populate match CVE-2025-23061

8.9.4 / 2025-01-09

• fix(document): fix document not applying manual populate when using a function in schema.options.ref #15138 IchirokuXV...

  Description has been truncated