
Bump the npm_and_yarn group across 1 directory with 9 updates #1

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/npm_and_yarn-b5aa9eb730

Conversation


@dependabot dependabot bot commented on behalf of github Sep 19, 2025

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| async | 1.5.0 | 1.5.1 |
| ip | 1.1.5 | 2.0.1 |
| jsonwebtoken | 8.5.1 | 9.0.0 |
| minimatch | 3.0.4 | 3.0.5 |
| nodemailer | 4.7.0 | 6.9.9 |
| passport | 0.3.0 | 0.6.0 |

Updates async from 1.5.0 to 1.5.1

Changelog

Sourced from async's changelog.

v1.5.1

  • Fix issue with pause in queue with concurrency enabled (#946)
  • while and until now pass the final result to callback (#963)
  • auto will properly handle concurrency when there is no callback (#966)
  • auto will now properly stop execution when an error occurs (#988, #993)
  • Various doc fixes (#971, #980)
Commits

Updates ip from 1.1.5 to 2.0.1

Commits

Updates jsonwebtoken from 8.5.1 to 9.0.0

Changelog

Sourced from jsonwebtoken's changelog.

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default. (auth0/node-jsonwebtoken@8345030)
  • RSA key size must be 2048 bits or greater. (auth0/node-jsonwebtoken@ecdf6cc)
  • Key types must be valid for the signing / verification algorithm

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Commits
  • e1fa9dc Merge pull request from GHSA-8cf7-32gw-wr33
  • 5eaedbf chore(ci): remove github test actions job (#861)
  • cd4163e chore(ci): configure Github Actions jobs for Tests & Security Scanning (#856)
  • ecdf6cc fix!: Prevent accidental use of insecure key sizes & misconfiguration of secr...
  • 8345030 fix(sign&verify)!: Remove default none support from sign and verify met...
  • 7e6a86b Upload OpsLevel YAML (#849)
  • 74d5719 docs: update references vercel/ms references (#770)
  • d71e383 docs: document "invalid token" error
  • 3765003 docs: fix spelling in README.md: Peak -> Peek (#754)
  • a46097e docs: make decode impossible to discover before verify
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jsonwebtoken since your current version.


Updates lodash from 4.17.15 to 4.17.21

Commits
  • f299b52 Bump to v4.17.21
  • c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
  • 3469357 Prevent command injection through _.template's variable option
  • ded9bc6 Bump to v4.17.20.
  • 63150ef Documentation fixes.
  • 00f0f62 test.js: Remove trailing comma.
  • 846e434 Temporarily use a custom fork of lodash-cli.
  • 5d046f3 Re-enable Travis tests on 4.17 branch.
  • aa816b3 Remove /npm-package.
  • d7fbc52 Bump to v4.17.19
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.


Updates minimatch from 3.0.4 to 3.0.5

Commits

Updates nodemailer from 4.7.0 to 6.9.9

Release notes

Sourced from nodemailer's releases.

v6.9.9

6.9.9 (2024-02-01)

Bug Fixes

  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurrences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#1604) (be45c1b)

v6.9.8

6.9.8 (2023-12-30)

Bug Fixes

  • punycode: do not use native punycode module (b4d0e0c)

v6.9.7

6.9.7 (2023-10-22)

Bug Fixes

  • customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #1584) (41d482c)

v6.9.6

6.9.6 (2023-10-09)

Bug Fixes

  • inline: Use 'inline' as the default Content Disposition value for embedded images (db32c93)
  • tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

v6.9.5

6.9.5 (2023-09-06)

Bug Fixes

  • license: Updated license year (da4744e)
Changelog

Sourced from nodemailer's changelog.

6.9.9 (2024-02-01)

Bug Fixes

  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurrences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#1604) (be45c1b)

6.9.8 (2023-12-30)

Bug Fixes

  • punycode: do not use native punycode module (b4d0e0c)

6.9.7 (2023-10-22)

Bug Fixes

  • customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #1584) (41d482c)

6.9.6 (2023-10-09)

Bug Fixes

  • inline: Use 'inline' as the default Content Disposition value for embedded images (db32c93)
  • tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

6.9.5 (2023-09-06)

Bug Fixes

  • license: Updated license year (da4744e)

6.9.4 2023-07-19

  • Renamed SendinBlue to Brevo

6.9.3 2023-05-29

  • Specified license identifier (was defined as MIT, actual value MIT-0)
  • If SMTP server disconnects with a message, process it and include as part of the response error

6.9.2 2023-05-11

  • Fix uncaught exception on invalid attachment content payload

... (truncated)

Commits
  • 5a2e10f chore(master): release 6.9.9 [skip-ci] (#1606)
  • dd8f5e8 fix(security): Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eterna...
  • 2c2b46a chore: do not use caret in version specifier
  • be45c1b fix(tests): Use native node test runner, added code coverage support, removed...
  • 4233f6f chore(master): release 6.9.8 [skip-ci] (#1605)
  • 09d502f chore: removed double file
  • b4d0e0c fix(punycode): do not use native punycode module
  • 8376c02 Test new github notice syntax for README
  • bc46a3b Updated stale github action
  • 78bdaf8 chore: remove redundant AWS SDK for JavaScript v2 (#1593)
  • Additional commits viewable in compare view

Updates passport from 0.3.0 to 0.6.0

Changelog

Sourced from passport's changelog.

[0.6.0] - 2022-05-20

Added

  • authenticate(), req#login, and req#logout accept a keepSessionInfo: true option to keep session information after regenerating the session.

Changed

  • req#login() and req#logout() regenerate the session and clear session information by default.
  • req#logout() is now an asynchronous function and requires a callback function as the last argument.

Security

  • Improved robustness against session fixation attacks in cases where there is physical access to the same system or the application is susceptible to cross-site scripting (XSS).

[0.5.3] - 2022-05-16

Fixed

  • initialize() middleware extends request with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions again, reverting change from 0.5.1.

[0.5.2] - 2021-12-16

Fixed

  • Introduced a compatibility layer for strategies that depend directly on passport@0.4.x or earlier (such as passport-azure-ad), which were broken by the removal of private variables in passport@0.5.1.

[0.5.1] - 2021-12-15

Added

  • Informative error message in session strategy if session support is not available.

Changed

  • authenticate() middleware, rather than initialize() middleware, extends request with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions.

[0.5.0] - 2021-09-23

Changed

  • initialize() middleware extends request with login(), logIn(), logout(), logOut(), isAuthenticated(), and isUnauthenticated() functions.

... (truncated)

Commits

Updates ajv from 5.2.3 to 6.12.2

Release notes

Sourced from ajv's releases.

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

v6.12.0

  • Improved hostname validation (@sambauers, #1143)
  • Option keywords to add custom keywords (@franciscomorais, #1137)
  • Types fixes (@boenrobot, @MattiAstedrone)
  • Docs:

v6.11.0

  • Time formats support two digit and colon-less variants of timezone offset (#1061, @cjpillsbury)
  • Docs: RegExp related security considerations
  • Tests: Disabled failing typescript test

v6.10.2

Fix: the unknown keywords were ignored with the option strictKeywords: true (instead of failing compilation) in some sub-schemas (e.g. anyOf), when the sub-schema didn't have known keywords.

v6.10.1

  • Fix types
  • Fix addSchema (#1001)
  • Update dependencies

v6.10.0

  • Option strictDefaults to report ignored defaults (#957, @not-an-aardvark)
  • Option strictKeywords to report unknown keywords (#781)

v6.9.0

OpenAPI keyword nullable can be any boolean (and not only true). Custom keyword definition changes:

  • dependencies option to require the presence of keywords in the same schema.
  • more strict validation of the definition using JSON Schema.

v6.8.0

Docs: security considerations. Meta-schema for the security assessment of JSON Schemas.

v6.7.0

Option useDefaults: "empty" to replace null and "" (empty strings) with default values (in addition to assigning defaults to missing and undefined properties). Update draft-04 meta-schema to remove incorrect usage of "uri" format.

v6.6.0

  • Keyword "nullable" from OpenAPI spec
  • Replaced phantomjs with headless chrome

v6.5.0

... (truncated)

Commits
  • 6a67105 6.12.2
  • 14bdb4b remove postinstall
  • b511ae2 6.12.1
  • 5354deb Merge branch 'opencollective-opencollective'
  • 891f081 update readme
  • bc60f57 Merge branch 'master' into opencollective
  • f1ca328 Merge pull request #1191 from epoberezkin/greenkeeper/karma-sauce-launcher-4.1.3
  • 3e9f375 Update package.json
  • 0b641fe Merge branch 'master' into greenkeeper/karma-sauce-launcher-4.1.3
  • db9e73a Merge pull request #1187 from epoberezkin/greenkeeper/karma-5.0.0
  • Additional commits viewable in compare view

Updates tough-cookie from 2.3.3 to 2.5.0

Commits
  • 7c1fdf1 2.5.0
  • 9ff4ba5 Qualify the store.removeAllCookies documentation
  • 1855bf3 Additional documentation for removeAllCookies
  • 5cc9bd2 Extract tests, cover multiple error path
  • 28f0808 Only call removeAllCookies if actually implemented
  • 62802ef remove all cookies from cookie jar at once (#115)
  • 8783d46 Remove left-over mention of MPL from README
  • 8302ebc Merge pull request #121 from salesforce/punycode-2.1
  • d6ea115 Merge pull request #120 from salesforce/no-package-lock
  • b897b49 Merge pull request #119 from salesforce/inline-version
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [async](https://github.com/caolan/async) | `1.5.0` | `1.5.1` |
| [ip](https://github.com/indutny/node-ip) | `1.1.5` | `2.0.1` |
| [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) | `8.5.1` | `9.0.0` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.0.4` | `3.0.5` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `4.7.0` | `6.9.9` |
| [passport](https://github.com/jaredhanson/passport) | `0.3.0` | `0.6.0` |



Updates `async` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/caolan/async/releases)
- [Changelog](https://github.com/caolan/async/blob/master/CHANGELOG.md)
- [Commits](caolan/async@v1.5.0...v1.5.1)

Updates `ip` from 1.1.5 to 2.0.1
- [Commits](indutny/node-ip@v1.1.5...v2.0.1)

Updates `jsonwebtoken` from 8.5.1 to 9.0.0
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0)

Updates `lodash` from 4.17.15 to 4.17.21
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.21)

Updates `minimatch` from 3.0.4 to 3.0.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.0.4...v3.0.5)

Updates `nodemailer` from 4.7.0 to 6.9.9
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v4.7.0...v6.9.9)

Updates `passport` from 0.3.0 to 0.6.0
- [Changelog](https://github.com/jaredhanson/passport/blob/master/CHANGELOG.md)
- [Commits](jaredhanson/passport@v0.3.0...v0.6.0)

Updates `ajv` from 5.2.3 to 6.12.2
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v5.2.3...v6.12.2)

Updates `tough-cookie` from 2.3.3 to 2.5.0
- [Release notes](https://github.com/salesforce/tough-cookie/releases)
- [Changelog](https://github.com/salesforce/tough-cookie/blob/master/CHANGELOG.md)
- [Commits](salesforce/tough-cookie@v2.3.3...v2.5.0)

---
updated-dependencies:
- dependency-name: async
  dependency-version: 1.5.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ip
  dependency-version: 2.0.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: jsonwebtoken
  dependency-version: 9.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.21
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.0.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: nodemailer
  dependency-version: 6.9.9
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: passport
  dependency-version: 0.6.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 6.12.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tough-cookie
  dependency-version: 2.5.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and javascript labels Sep 19, 2025