Bump the npm_and_yarn group across 1 directory with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the /frontend directory:

Package	From	To
form-data	3.0.3	3.0.4
http-proxy-middleware	2.0.7	2.0.9
on-headers	1.0.2	1.1.0
compression	1.8.0	1.8.1
react-router	7.3.0	7.7.1
react-router-dom	7.3.0	7.7.1

Updates form-data from 3.0.3 to 3.0.4

Changelog

Sourced from form-data's changelog.

v3.0.4 - 2025-07-16

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] update linting config f5e7eb0
• [meta] add auto-changelog d2eb290
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 e8c574c
• [Fix] Switch to using crypto random for boundary values c6ced61
• [Refactor] use hasown 1a78b5d
• [Fix] validate boundary type in setBoundary() method 70bbaa0
• [Tests] add tests to check the behavior of getBoundary with non-strings b22a64e
• [meta] actually ensure the readme backup isn’t published 0150851
• [meta] remove local commit hooks fc42bb9
• [Dev Deps] remove unused deps a14d09e
• [meta] fix scripts to use prepublishOnly 11d9f73
• [meta] fix readme capitalization fc38b48

Commits

• 9c82fcd v3.0.4
• e8c574c [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• c6ced61 [Fix] Switch to using crypto random for boundary values
• 0150851 [meta] actually ensure the readme backup isn’t published
• fc38b48 [meta] fix readme capitalization
• d2eb290 [meta] add auto-changelog
• fc42bb9 [meta] remove local commit hooks
• a14d09e [Dev Deps] remove unused deps
• 002b9b0 [Fix] append: avoid a crash on nullish values
• 70bbaa0 [Fix] validate boundary type in setBoundary() method
• Additional commits viewable in compare view

Updates http-proxy-middleware from 2.0.7 to 2.0.9

Release notes

Sourced from http-proxy-middleware's releases.

v2.0.9

What's Changed

• fix(fixRequestBody): check readableLength by @​chimurai in chimurai/http-proxy-middleware#1097
• chore(package): v2.0.9 by @​chimurai in chimurai/http-proxy-middleware#1099

Full Changelog: chimurai/http-proxy-middleware@v2.0.8...v2.0.9

v2.0.8

What's Changed

• fix(fixRequestBody): prevent multiple .write() calls by @​chimurai in chimurai/http-proxy-middleware#1090
• fix(fixRequestBody): handle invalid request by @​chimurai in chimurai/http-proxy-middleware#1091
• chore(package): v2.0.8 by @​chimurai in chimurai/http-proxy-middleware#1094

Full Changelog: chimurai/http-proxy-middleware@v2.0.7...v2.0.8

Changelog

Sourced from http-proxy-middleware's changelog.

v2.0.9

• fix(fixRequestBody): check readableLength

v2.0.8

• fix(fixRequestBody): prevent multiple .write() calls
• fix(fixRequestBody): handle invalid request

Commits

• 617a7c9 chore(package): v2.0.9 (#1099)
• d22d587 fix(fixRequestBody): check readableLength (#1097)
• d03d51b chore(package): v2.0.8 (#1094)
• c50dd06 fix(fixRequestBody): handle invalid request (#1091)
• 76a9d8d fix(fixRequestBody): prevent multiple .write() calls (#1090)
• See full diff in compare view

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

• Migrate CI pipeline to GitHub actions by @​carpasse in jshttp/on-headers#12
• fix README.md badges by @​carpasse in jshttp/on-headers#13
• add OSSF scorecard action by @​carpasse in jshttp/on-headers#14
• fix: use ubuntu-latest as ci runner by @​UlisesGascon in jshttp/on-headers#19
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in jshttp/on-headers#20
• 👷 add upstream change detection by @​ctcpip in jshttp/on-headers#31
• ✨ add script to update known hashes by @​ctcpip in jshttp/on-headers#32
• 💚 update CI - add newer node versions by @​ctcpip in jshttp/on-headers#33

New Contributors

• @​carpasse made their first contribution in jshttp/on-headers#12
• @​UlisesGascon made their first contribution in jshttp/on-headers#19
• @​ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 4b017af 1.1.0
• b636f2d ♻️ refactor header array code
• 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
• 172eb41 ✨ support duplicate headers
• c6e3849 🔒️ fix array handling
• 6893518 💚 update CI - add newer node versions
• 56a345d ✨ add script to update known hashes
• 175ab21 👷 add upstream change detection (#31)
• ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
• 1a38c54 fix: use ubuntu-latest as ci runner (#19)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates compression from 1.8.0 to 1.8.1

Release notes

Sourced from compression's releases.

v1.8.1

What's Changed

• fix(docs): update multiple links from http to https by @​Phillip9587 in expressjs/compression#222
• ci: add dependabot for github actions by @​bjohansebas in expressjs/compression#207
• build(deps): bump github/codeql-action from 2.23.2 to 3.28.15 by @​dependabot[bot] in expressjs/compression#228
• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.1 by @​dependabot[bot] in expressjs/compression#229
• build(deps-dev): bump eslint-plugin-import from 2.26.0 to 2.31.0 by @​dependabot[bot] in expressjs/compression#230
• build(deps-dev): bump supertest from 6.2.3 to 6.3.4 by @​dependabot[bot] in expressjs/compression#231
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in expressjs/compression#235
• build(deps): bump github/codeql-action from 3.28.15 to 3.29.2 by @​dependabot[bot] in expressjs/compression#243
• build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 by @​dependabot[bot] in expressjs/compression#239
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/compression#240
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot[bot] in expressjs/compression#241
• build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0 by @​dependabot[bot] in expressjs/compression#244
• deps: on-headers@1.1.0 by @​UlisesGascon in expressjs/compression#246
• Release: 1.8.1 by @​UlisesGascon in expressjs/compression#247

New Contributors

• @​dependabot[bot] made their first contribution in expressjs/compression#228
• @​step-security-bot made their first contribution in expressjs/compression#235

Full Changelog: expressjs/compression@1.8.0...v1.8.1

Changelog

Sourced from compression's changelog.

1.8.1 / 2025-07-17

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 83a0c45 1.8.1
• ce62713 deps: on-headers@1.1.0 (#246)
• f4acb23 build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0 (#244)
• 6eaebe6 build(deps): bump actions/checkout from 4.1.1 to 4.2.2 (#241)
• 37e0623 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#240)
• bc436b2 build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 (#239)
• 2f9f572 build(deps): bump github/codeql-action from 3.28.15 to 3.29.2 (#243)
• 5f13b14 [StepSecurity] ci: Harden GitHub Actions (#235)
• 76e0945 build(deps-dev): bump supertest from 6.2.3 to 6.3.4 (#231)
• ae6ee80 build(deps-dev): bump eslint-plugin-import from 2.26.0 to 2.31.0 (#230)
• Additional commits viewable in compare view

Updates react-router from 7.3.0 to 7.7.1

Release notes

Sourced from react-router's releases.

v7.7.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v771

v7.7.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v770

v7.6.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v763

v7.6.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v762

v7.6.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v761

v7.6.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v760

v7.5.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v753

v7.5.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v752

v7.5.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v751

v7.5.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v750

v7.4.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v741

v7.4.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v740

Changelog

Sourced from react-router's changelog.

7.7.1

Patch Changes

• In RSC Data Mode, fix bug where routes with errors weren't forced to revalidate when shouldRevalidate returned false (#14026)
• In RSC Data Mode, fix Matched leaf route at location "/..." does not have an element or Component warnings when error boundaries are rendered. (#14021)

7.7.0

Minor Changes

• Add unstable RSC support (#13700)

  For more information, see the RSC documentation.

Patch Changes

• Handle InvalidCharacterError when validating cookie signature (#13847)

• Pass a copy of searchParams to the setSearchParams callback function to avoid muations of the internal searchParams instance. This was an issue when navigations were blocked because the internal instance be out of sync with useLocation().search. (#12784)

• Support invalid Date in turbo-stream v2 fork (#13684)

• In Framework Mode, clear critical CSS in development after initial render (#13872)

• Strip search parameters from patchRoutesOnNavigation path param for fetcher calls (#13911)

• Skip scroll restoration on useRevalidator() calls because they're not new locations (#13671)

• Support unencoded UTF-8 routes in prerender config with ssr set to false (#13699)

• Do not throw if the url hash is not a valid URI component (#13247)

• Fix a regression in createRoutesStub introduced with the middleware feature. (#13946)

  As part of that work we altered the signature to align with the new middleware APIs without making it backwards compatible with the prior AppLoadContext API. This permitted createRoutesStub to work if you were opting into middleware and the updated context typings, but broke createRoutesStub for users not yet opting into middleware.

  We've reverted this change and re-implemented it in such a way that both sets of users can leverage it.

  // If you have not opted into middleware, the old API should work again
  let context: AppLoadContext = {
    /*...*/
  };
  let Stub = createRoutesStub(routes, context);
  // If you have opted into middleware, you should now pass an instantiated unstable_routerContextProvider instead of a getContext factory function.
  let context = new unstable_RouterContextProvider();
  context.set(SomeContext, someValue);
  let Stub = createRoutesStub(routes, context);

... (truncated)

Commits

• 4eb1fd1 chore: Update version for release (#14068)
• 929f773 chore: Update version for release (pre) (#14051)
• d2f6396 Add jsdocs for useOutletContext from main
• ea1cd40 docs: minor updates (#14038)
• 433872f Force revalidation of RSC routes with errors (#14026)
• 3fdce65 Fix RSC outlet fallback warnings on error (#14021)
• 15e9a9e chore: format
• 5bbbc9d docs(api): add some extra reference links (#13985)
• b95cf3f Add JSDocs for RSC apis (#14019)
• 3acd610 docs(api): Fix doc examples that are missing async (#14017)
• Additional commits viewable in compare view

Updates react-router-dom from 7.3.0 to 7.7.1

Release notes

Sourced from react-router-dom's releases.

react-router-dom-v5-compat@6.4.0-pre.15

Patch Changes

• Updated dependencies
  • react-router@6.4.0-pre.15
  • react-router-dom@6.4.0-pre.15

react-router-dom-v5-compat@6.4.0-pre.11

Patch Changes

• Updated dependencies
  • react-router@6.4.0-pre.11
  • react-router-dom@6.4.0-pre.11

react-router-dom-v5-compat@6.4.0-pre.10

Patch Changes

• Updated dependencies
  • react-router@6.4.0-pre.10
  • react-router-dom@6.4.0-pre.10

react-router-dom-v5-compat@6.4.0-pre.9

Patch Changes

• Updated dependencies
  • react-router@6.4.0-pre.9
  • react-router-dom@6.4.0-pre.9

Changelog

Sourced from react-router-dom's changelog.

7.7.1

Patch Changes

• Updated dependencies:
  • react-router@7.7.1

7.7.0

Patch Changes

• Updated dependencies:
  • react-router@7.7.0

7.6.3

Patch Changes

• Updated dependencies:
  • react-router@7.6.3

7.6.2

Patch Changes

• Updated dependencies:
  • react-router@7.6.2

7.6.1

Patch Changes

• Updated dependencies:
  • react-router@7.6.1

7.6.0

Patch Changes

• Updated dependencies:
  • react-router@7.6.0

7.5.3

Patch Changes

• Updated dependencies:
  • react-router@7.5.3

7.5.2

... (truncated)

Commits

• 4eb1fd1 chore: Update version for release (#14068)
• 929f773 chore: Update version for release (pre) (#14051)
• 14666dd Merge branch 'release-next' into dev
• 63f0cd3 chore: Update version for release (#14015)
• b843323 Upgrade prettier (#13916)
• b7753cf chore: Update version for release (pre) (#14008)
• 216222b chore: Update version for release (pre) (#13999)
• 7204a29 chore: Update version for release (pre) (#13980)
• 0dea762 chore: Update version for release (#13897)
• 183cc68 chore: Update version for release (pre) (#13878)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud