Bump the npm_and_yarn group across 1 directory with 34 updates

[dependabot]

Bumps the npm_and_yarn group with 30 updates in the / directory:

Package	From	To
lodash	4.17.10	4.17.21
json5	0.5.1	1.0.2
bl	1.2.1	1.2.3
browserify-sign	4.0.4	4.2.3
cached-path-relative	1.0.1	1.1.0
chownr	1.0.1	1.1.4
clean-css	4.1.9	4.1.11
copy-props	2.0.2	2.0.5
css-what	2.1.0	2.1.3
decode-uri-component	0.2.0	0.2.2
elliptic	6.4.0	6.6.1
es5-ext	0.10.39	0.10.64
eslint-utils	1.3.1	1.4.3
fsevents	1.1.3	1.2.13
handlebars	4.0.11	4.7.8
hosted-git-info	2.5.0	2.8.9
ini	1.3.5	1.3.8
js-yaml	3.11.0	3.14.1
loader-utils	1.1.0	1.4.2
minimatch	3.0.4	3.1.2
mixin-deep	1.3.1	1.3.2
moment	2.21.0	2.30.1
nwmatcher	1.4.3	1.4.4
path-parse	1.0.5	1.0.7
set-getter	0.1.0	0.1.1
shell-quote	1.6.1	1.8.2
stringstream	0.0.5	0.0.6
tmpl	1.0.4	1.0.5
trim-off-newlines	1.0.1	1.0.3
y18n	3.2.1	3.2.2

Updates lodash from 4.17.10 to 4.17.21

Commits

• f299b52 Bump to v4.17.21
• c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
• 3469357 Prevent command injection through _.template's variable option
• ded9bc6 Bump to v4.17.20.
• 63150ef Documentation fixes.
• 00f0f62 test.js: Remove trailing comma.
• 846e434 Temporarily use a custom fork of lodash-cli.
• 5d046f3 Re-enable Travis tests on 4.17 branch.
• aa816b3 Remove /npm-package.
• d7fbc52 Bump to v4.17.19
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Updates json5 from 0.5.1 to 1.0.2

Release notes

Sourced from json5's releases.

v1.0.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295). This has been backported to v1. (#298)

v1.0.1

This release includes a bug fix and minor change.

• Fix: parse throws on unclosed objects and arrays.

• New: package.json5 has been removed until an easier way to keep it in sync with package.json is found.

v1.0.0

This release includes major internal changes and public API enhancements.

• Major JSON5 officially supports Node.js v4 and later. Support for Node.js v0.10 and v0.12 have been dropped.

• New: Unicode property names and Unicode escapes in property names are supported. (#1)

• New: stringify outputs trailing commas in objects and arrays when a space option is provided. (#66)

• New: JSON5 allows line and paragraph separator characters (U+2028 and U+2029) in strings in order to be compatible with JSON. However, ES5 does not allow these characters in strings, so JSON5 gives a warning when they are parsed and escapes them when they are stringified. (#70)

• New: stringify accepts an options object as its second argument. The supported options are replacer, space, and a new quote option that specifies the quote character used in strings. (#71)

• New: The CLI supports STDIN and STDOUT and adds --out-file, --space, and --validate options. See json5 --help for more information. (#72, #84, and #108)

• New: In addition to the white space characters space \t, \v, \f, \n, \r, and \xA0, the additional white space characters \u2028, \u2029, and all other characters in the Space Separator Unicode category are allowed.

• New: In addition to the character escapes \', \", \\, \b, \f, \n, \r, and \t, the additional character escapes \v and \0, hexadecimal escapes like \x0F, and unnecessary escapes like \a are allowed in string values and string property names.

• New: stringify outputs strings with single quotes by default but intelligently uses double quotes if there are more single quotes than double quotes inside the string. (i.e. stringify('Stay here.') outputs 'Stay here.' while stringify('Let\'s go.') outputs "Let's go.")

... (truncated)

Changelog

Sourced from json5's changelog.

Unreleased [code, diff]

v2.2.3 [code, diff]

• Fix: [email protected] is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

• Fix: Removed dependence on minimist to patch CVE-2021-44906. (#266)

v2.2.0 [code, diff]

• New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

• Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

... (truncated)

Commits

• a62db1e 1.0.2
• e0c23fe docs: update CHANGELOG for v1.0.2
• 62a6540 fix: add proto to objects and arrays
• 072eb40 1.0.1
• e7bdcd1 Update CHANGELOG for v1.0.1
• 342d575 Remove package.json5 file
• 0336c9c Fix unclosed object and array bug
• 25929ab Fix typo in API documentation
• 607c18f Readme: fix typo in attribution. [skip ci]
• 1d64ece 1.0.0
• Additional commits viewable in compare view

Updates bl from 1.2.1 to 1.2.3

Release notes

Sourced from bl's releases.

v1.2.2

• use safe-buffer #51

Commits

• d69edfd 1.2.3
• 847473a test all branches
• 0bd87ec Fix unintialized memory access
• dc097f3 test newer versions of Node
• feaaa4c Bumped v1.2.2.
• 307da45 Merge pull request #51 from rvagg/safe-buffeer
• cf6b00e Removed node 7 from .travis.yml
• 4b8f524 Added safe-buffer and updated dependencies
• 4acbe24 Merge pull request #45 from EdwardBetts/spelling
• 52ed96c correct spelling mistake
• See full diff in compare view

Updates browserify-sign from 4.0.4 to 4.2.3

Changelog

Sourced from browserify-sign's changelog.

v4.2.3 - 2024-03-05

Commits

• [patch] widen support to 0.12 9247adf
• [patch] drop minimum node support to v1 4d0ee49
• [Dev Deps] update aud, npmignore, tape 87f3a35
• [actions] remove redundant finisher 37a4758
• [Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12
• [Deps] update parse-asn1 [f427270`](browserify/browserify-sign@f427270)
• [Deps] update elliptic fb261ce
• [Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

• [Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

• Only apps should have lockfiles 09a8995
• [eslint] switch to eslint 83fe463
• [meta] add npmignore and auto-changelog 4418183
• [meta] fix package.json indentation 9ac5a5e
• [Tests] migrate from travis to github actions d845d85
• [Fix] sign: throw on unsupported padding scheme 8767739
• [Fix] properly check the upper bound for DSA signatures 85994cd
• [Tests] handle openSSL not supporting a scheme f5f17c2
• [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
• [Dev Deps] update nyc, standard, tape cc5350b
• [Tests] always run coverage; downgrade nyc 75ce1d5
• [meta] add safe-publish-latest dcf49ce
• [Tests] add npm run posttest 75dd8fd
• [Dev Deps] update tape 3aec038
• [Tests] skip unsupported schemes 703c83e
• [Tests] node < 6 lacks array includes 3aa43cf
• [Dev Deps] fix eslint range 98d4e0d

v4.2.1 - 2020-08-04

Merged

• bump elliptic [#58](https://github.com/crypto-browserify/browserify-sign/issues/58)

v4.2.0 - 2020-05-18

Merged

• switch to safe buffer [#53](https://github.com/crypto-browserify/browserify-sign/issues/53)

... (truncated)

Commits

• bf2c3ec v4.2.3
• 9247adf [patch] widen support to 0.12
• f427270 [Deps] update `parse-asn1
• 87f3a35 [Dev Deps] update aud, npmignore, tape
• fb261ce [Deps] update elliptic
• 4d0ee49 [patch] drop minimum node support to v1
• 9e2bf12 [Deps] pin hash-base to ~3.0, due to a breaking change
• 168e16f [Deps] pin elliptic due to a breaking change
• 37a4758 [actions] remove redundant finisher
• 4af5a90 v4.2.2
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Updates cached-path-relative from 1.0.1 to 1.1.0

Commits

• See full diff in compare view

Updates chownr from 1.0.1 to 1.1.4

Commits

• 814f642 1.1.4
• a0d7ae0 push to github before npm
• 1a3667a ignore stuff
• 147eac4 Full tests, handle errors properly in many cases
• 578fb9f update tap, fix rimraf version
• 5bbda8c feat: ignore ENOENT errors during chown
• deaa058 1.1.3
• 190e311 Don't early-capture the fs.lchownSync method
• df2826a push to git with 1 command, not 2
• cf3b27b 1.1.2
• Additional commits viewable in compare view

Updates clean-css from 4.1.9 to 4.1.11

Changelog

Sourced from clean-css's changelog.

4.1.11 / 2018-03-06

• Backports fixes to ReDOS vulnerabilities in validator code.

4.1.10 / 2018-03-05

• Fixed issue #988 - edge case in dropping default animation-duration.
• Fixed issue #989 - edge case in removing unused at rules.
• Fixed issue #1001 - corrupted tokenizer state.
• Fixed issue #1006 - edge case in handling invalid source maps.
• Fixed issue #1008 - edge case in breaking up font shorthand.

Commits

• 7812d59 Version 4.1.11.
• 0440b4a Fixes ReDOS vulnerabilities.
• c601ebd Version 4.1.10.
• 9e0a38e Fixes #1006 - handling invalid input source maps.
• 913d72c Fixes #1008 - edge case in breaking up font.
• bedd8a9 Adds @​abarre fix to #1001 to release notes.
• e944a2b #1001 Fix corrupted state of tokenizer (#1010)
• 8be4084 Fixes #989 - edge case in removing unused at-rules.
• 21a5df0 Fixes #988 - edge case in dropping animation-duration.
• See full diff in compare view

Updates copy-props from 2.0.2 to 2.0.5

Commits

• See full diff in compare view

Updates css-what from 2.1.0 to 2.1.3

Commits

• 2db00ca 2.1.3
• dc51092 fix(css-selectors): extend regex to include superscript in range, fix #27 (#28)
• a5f1991 Test on node LTS
• b2a2117 2.1.2
• e9ef3f1 Run prettier
• 070b2f8 Add remaining parsed outputs (#25)
• af801e4 update license references to match license file (#23)
• 2d495d0 Update to node 10 in .travis.yml (#22)
• c636f0d Allow escaped parentheses in pseudo selectors (#20)
• 4e255c9 Update .travis.yml
• Additional commits viewable in compare view

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates elliptic from 6.4.0 to 6.6.1

Commits

• 9b77436 6.6.1
• 04cb6f5 Merge commit from fork
• b8a7edd 6.6.0
• 34c8534 fix: signature verification due to leading zeros
• 3e46a48 6.5.7
• accb61e lib: DER signature decoding correction
• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• Additional commits viewable in compare view

Updates es5-ext from 0.10.39 to 0.10.64

Release notes

Sourced from es5-ext's releases.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

---

Comparison since last release

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

---

Comparison since last release

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

---

Comparison since last release

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

---

Comparison since last release

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

---

... (truncated)

Changelog

Sourced from es5-ext's changelog.

0.10.64 (2024-02-27)

Bug Fixes

• Revert update to postinstall script meant to fix Powershell issue, as it's a regression for some Linux terminals (c2e2bb9)

0.10.63 (2024-02-23)

Bug Fixes

• Do not rely on problematic regex (3551cdd), addresses #201
• Support ES2015+ function definitions in function#toStringTokens() (a52e957), addresses #021
• Ensure postinstall script does not crash on Windows, fixes #181 (bf8ed79)

Maintenance Improvements

• Simplify the manifest message (7855319)

0.10.62 (2022-08-02)

Maintenance Improvements

• Manifest improvements:
  • (#190) (b8dc53f)
  • (c51d552)

0.10.61 (2022-04-20)

Bug Fixes

• Ensure postinstall script does not error (a0be4fd)

Maintenance Improvements

• Bump dependencies (d7e0a61)

0.10.60 (2022-04-07)

Maintenance Improvements

• Improve postinstall script configuration (ab6b121)

0.10.59 (2022-03-17)

Maintenance Improvements

• Improve manifest wording (#122) (eb7ae59)
• Update data in manifest (3d2935a)

0.10.58 (2022-03-11)

... (truncated)

Commits

• f76b03d chore: Release v0.10.64
• 2881acd chore: Bump dependencies
• c2e2bb9 fix: Revert update meant to fix Powershell issue, as it's a regression
• 16f2b72 docs: Fix date in the changelog
• de4e03c chore: Release v0.10.63
• 3fd53b7 chore: Upgrade lint-staged to v13
• bf8ed79 chore: Ensure postinstall script does not crash on Windows
• 2cbbb07 chore: Bump dependencies
• 22d0416 chore: Bump LICENSE year
• a52e957 fix: Support ES2015+ function definitions in function#toStringTokens()
• Additional commits viewable in compare view

Updates eslint-utils from 1.3.1 to 1.4.3

Release notes

Sourced from eslint-utils's releases.

v1.4.3

🐛 Bug fixes

• 8f9e481ecc1204c7a1331b697f97903f90c75154 fixed false positive of ReferenceTracker.

v1.4.2

🐛 Bug fixes

• e4cb01498df6096b66edb0c78965ee6f47d3ac77 fixed a regression of the previous release.

v1.4.1

🐛 Bug fixes

• c119e832952c8c653bd4f21e39eb9f7ce48e5947 fixed getStaticValue() function to handle null literal correctly even if runtimes don't support BigInt natively.
• 587cca2f82c245f5fc4a8b9fb2cf6b35c0d02552 fixed getStringIfConstant() function to handle regular expression literals and BigInt literals even if runtimes don't support those.
• 08158db1c98fd71cf0f32ddefbc147e2620e724c fixed GHSA-3gx7-xhv7-5mx3.

v1.4.0

✨ Enhancements

• 66456c5356310fc4309b4fe2756995f27b907747 (and ebf5a8378d3f0a20a74adb158a7112cb616bce44, aac472e815551688d23cc8fd88f9044dbf276804) added isParenthesized() function that checks if a given node is parenthesized or not.
• 4f8407dd6cd52274ba115b3a8558153ec6d799a7 (and cb518c70ee037722f802d808bbbe93da83f07fb3) added hasSideEffect() function that checks if a given node may have side-effects or not.

Commits

• 23f4ddc 🔖 1.4.3
• 8f9e481 🐛 fix reference tracker false positive
• 6633278 ⚒ fix test scripts
• 7c8e67c ⚒ fix build scripts
• 41ff95e ⚒ update dependencies
• 4942012 ⚒ fix build scripts
• f1c8d02 ⚒ update build scripts
• a88598a Create FUNDING.yml
• 4e1bc07 1.4.2
• e4cb014 🐛 add null test
• Additional commits viewable in compare view

Updates fsevents from 1.1.3 to 1.2.13

Release notes

Sourced from fsevents's releases.

Release v1.2.13

Only build on Mac-OSX

Release v1.2.11

Removing node-pre-gyp so that building fsevents becomes easier and enabled without the download of binaries.

The credentials to the AWS store have been lost. Releasing to AWS is both insecure and no longer possible due to the lost credentials.

Intermediate Release

No release notes provided.

Release v1.2.9 - Node v12 compatibility

No release notes provided.

Release Pre-NAPI v1.2.8

No release notes provided.

Version Bump (bundle node-pre-gyp)

No release notes provided.

Prebuilt v11.x

No release notes provided.

v1.2.3

• Added node v10 for pre-built binaries
• C++ tuning to fix potential SIGILL and cyclic dependency (#204)

v1.2.2

Fixed node-pre-gyp bundling issue

v1.2.1

[unpublished because of errors during publish process]

v1.2.0

• BREAKING: End support for Node v0.12. If you are using Node v0.12 please pin your fsevents dependencies to v1.1.3. Not bumping semver major for this release was a compromise solution discussed in #199 and #201.
  • Node v0.10 should continue to work with local compilation for now, but hosted pre-built binaries will no longer be provided. If this is a constraint for you, please pin to an earlier version.
• Fixed security vulnerability warnings by updating node-pre-gyp to ^0.9.0
• Compatibility updates for nan v2.9.0

Commits

• 844a05d Version Bump
• f393f2a Only build fsevents on macOS (#322)
• 6a281a7 [publish binary]
• acc2bce [publish binary]
• f532b6e [publish binary]
• 4c6a1c0 Add node 13 to travis matrix.
• 92e40aa Release 1.2.12.
• 909af26 Release v1.2.11
• 7074adb Release v1.2.10
• 0a052f6 Node.js v12 support for v1.x (#274)
• Additional commits viewable in compare view

Updates handlebars from 4.0.11 to 4.7.8

Release notes

Sourced from handlebars's releases.

v4.7.8

• Make library compatible with workers (#1894) - 3d3796c
• Don't rely on Node.js global object (#1776) - 2954e7e
• Fix compiling of each block params in strict mode (#1855) - 30dbf04
• Fix rollup warning when importing Handlebars as ESM - 03d387b
• Fix bundler issue with webpack 5 (#1862) - c6c6bbb
• Use https instead of git for mustache submodule - 88ac068

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.8 - July 27th, 2023

• Make library compatible with workers (#1894) - 3d3796c
• Don't rely on Node.js global object (#1776) - 2954e7e
• Fix compiling of each block params in strict mode (#1855) - 30dbf04
• Fix rollup warning when importing Handlebars as ESM - 03d387b
• Fix bundler issue with webpack 5 (#1862) - c6c6bbb
• Use https instead of git for mustache submodule - 88ac068

Commits

v4.7.7 - February 15th, 2021

• fix weird error in integration tests - eb860c0
• fix: check prototype property access in strict-mode (#1736) - b6d3de7
• fix: escape property names in compat mode (#1736) - f058970
• refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
• chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

• the changes from version 4.6.0 now also apply in when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default, specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

Commits

v4.7.6 - April 3rd, 2020

Chore/Housekeeping:

• #1672 - Switch cmd parser to latest minimist (@​dougwilson

Compatibility notes:

• Restored Node.js compatibility

Commits

v4.7.5 - April 2nd, 2020

Chore/Housekeeping:

• Node.js version support has been changed to v6+ Reverted in 4.7.6

Compatibility notes:

... (truncated)

Commits

• 8dc3d25 v4.7.8
• 668c4fb Fix browser tests in CI pipeline
• c65c6cc Test on Node 18
• 3d3796c Make library compatible with workers
• 075b354 Fix sync issue with npm lock-file
• 30dbf04 Fix compiling of each block params in strict mode
• e3a5448 Fix bundler issue with webpack 5
• 8e23642 Fix integration-tests issue with npm >= 7
• 88ac068 use https instead of git for mustache submodule
• c68bc08 Fix typo
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jaylinski, a new releaser for handlebars since your current version.

Updates hawk from 3.1.3 to 6.0.2

Commits

• d251edf Fix missing let in crypto browser helper. Closes #210
• 5c25e82 Merge pull request #205 from LKI/master
• c7f9fab Be more specific on hash algorithm in README
• 2c0012f Update deps. Closes #203
• 05e585d Merge pull request #198 from Dreyer/fix_readme
• 40a9fab Updated usage example in README.md
• 7ea2c0a 6.0.0
• 54be9e2 Linting
• 552f81e Remove component support. Closes #196
• 0816715 Remove bower support. Closes #195
• Additional commits viewable in compare view

Updates hoek from 2.16.3 to 4.2.1

Commits

• ebe3680 4.2.1
• 623667e Merge pull request #231 from hapijs/backport-proto-fix
• 0cd2a12 Revert to lab 13 style
• 5aed1a8 skip assignment to proto
• 1db691b 4.2.0
• a4b9939 node 8
• 8a2e118 Merge pull request #204 from g-k/add-escape-json
• be57205 escapeJson matching on charcodes
• 9bff98b document escapeJSON function
• d1231c9 remove unused namedJson internal
• Additional commits viewable in compare view

Updates hosted-git-info from 2.5.0 to 2.8.9

Changelog

Sourced from hosted-git-info's changelog.

2.8.9 (2021-04-07)

Bug Fixes

• backport regex fix from #76 (29adfe5), closes #84

2.8.8 (2020-02-29)

Bug Fixes

• #61 & #65 addressing issues w/ url.URL implmentation which regressed node 6 support (5038b18), closes #66

2.8.7 (2020-02-26)

Bug Fixes

• Do not attempt to use url.URL when unavailable (2d0bb66), closes #61 #62
• Do not pass scp-style URLs to the WhatWG url.URL (f2cdfcf), closes #60

2.8.6 (2020-02-25)

2.8.5 (2019-10-07)

Bug Fixes

• updated pathmatch for gitlab (e8325b5), closes #51
• updated pathmatch for gitlab (ffe056f)

2.8.4 (2019-08-12)

... (truncated)

Commits

• 8d4b369 chore(release): 2.8.9
• 29adfe5 fix: backport regex fix from