deps(deps): bump the production-minor-patch group across 1 directory with 42 updates

[dependabot]

Bumps the production-minor-patch group with 15 updates in the / directory:

Package	From	To
cookie-parser	1.4.5	1.4.7
express-session	1.17.1	1.19.0
lodash	4.17.20	4.18.1
moment	2.29.1	2.30.1
sqlite3	5.0.2	5.1.7
validator	13.5.2	13.15.35
cors	2.8.5	2.8.6
handlebars	4.0.0	4.7.9
decompress	4.2.0	4.2.1
shell-quote	1.7.2	1.8.3
bytes	3.1.0	3.1.2
cookie-signature	1.0.6	1.0.7
destroy	1.0.4	1.2.0
iconv-lite	0.4.24	0.6.3
mime-db	1.52.0	1.54.0

Updates cookie-parser from 1.4.5 to 1.4.7

Release notes

Sourced from cookie-parser's releases.

1.4.7

What's Changed

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/cookie-parser#103
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/cookie-parser#104
• ci: Use GITHUB_OUTPUT envvar instead of set-output command by @​arunsathiya in expressjs/cookie-parser#100
• deps: cookie@0.7.2 by @​SamChatfield in expressjs/cookie-parser#116
• Release: 1.4.7 by @​UlisesGascon in expressjs/cookie-parser#117

New Contributors

• @​inigomarquinez made their first contribution in expressjs/cookie-parser#103
• @​arunsathiya made their first contribution in expressjs/cookie-parser#100
• @​SamChatfield made their first contribution in expressjs/cookie-parser#116
• @​UlisesGascon made their first contribution in expressjs/cookie-parser#117

Full Changelog: expressjs/cookie-parser@1.4.6...1.4.7

1.4.6

• deps: cookie@0.4.1

Changelog

Sourced from cookie-parser's changelog.

1.4.7 / 2024-10-08

• deps: cookie@0.7.2
  • Fix object assignment of hasOwnProperty
• deps: cookie@0.7.1
  • Allow leading dot for domain
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
• deps: cookie@0.7.0
  • perf: parse cookies ~10% faster
  • fix: narrow the validation of cookies to match RFC6265
  • fix: add main to package.json for rspack
• deps: cookie@0.6.0
  • Add partitioned option
• deps: cookie@0.5.0
  • Add priority option
  • Fix expires option to reject invalid dates
  • pref: improve default decode speed
  • pref: remove slow string split in parse
• deps: cookie@0.4.2
  • pref: read value only when assigning in parse
  • pref: remove unnecessary regexp in parse

1.4.6 / 2021-11-16

• deps: cookie@0.4.1

Commits

• 5d61e1e 1.4.7
• ccf1f54 deps: cookie@0.7.2 (#116)
• 429cfd4 ci: Use GITHUB_OUTPUT envvar instead of set-output command (#100)
• ca4c97e ci: fix errors in ci pipeline for node 8 and 9 (#104)
• 97bdf39 ci: add support for OSSF scorecard reporting (#103)
• e5862bd build: Node.js@17.6
• f0688d2 build: Node.js@14.19
• 44ec541 build: Node.js@16.14
• 695435a deps: cookie@0.4.2
• f66e7e1 build: mocha@9.2.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cookie-parser since your current version.

Updates express-session from 1.17.1 to 1.19.0

Release notes

Sourced from express-session's releases.

v1.19.0

What's Changed

Main Changes

• Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.

  var app = express()
  app.use(session({
    secret: 'keyboard cat',
    resave: false,
    saveUninitialized: true,
    cookie: function (req) {
      var match = req.url.match(/^\/([^/]+)/);
      return {
        path: match ? '/' + match[1] : '/',
        httpOnly: true,
        secure: req.secure || false,
        maxAge: 60000
      }
    }
  }))

• Add sameSite 'auto' support for automatic SameSite attribute configuration Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

• deps: use tilde notation for dependencies

PRs

• chore: add funding to package.json by @​bjohansebas in expressjs/session#1071
• build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @​dependabot[bot] in expressjs/session#1086
• build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @​dependabot[bot] in expressjs/session#1085
• build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @​dependabot[bot] in expressjs/session#1091
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/session#1090
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @​dependabot[bot] in expressjs/session#1089
• build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @​dependabot[bot] in expressjs/session#1088
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @​dependabot[bot] in expressjs/session#1082
• refactor: remove unused sess parameter from generateSessionId fun… by @​Ayoub-Mabrouk in expressjs/session#1001
• chore: remove history.md from being packaged on publish by @​bjohansebas in expressjs/session#1097
• deps: use tilde notation for dependencies by @​bjohansebas in expressjs/session#1096
• Add sameSite 'auto' support to match secure 'auto' pattern by @​djunehor in expressjs/session#1087
• feat: add support to dynamic cookie options by @​lincond in expressjs/session#1027
• Release: 1.19.0 by @​UlisesGascon in expressjs/session#1107

New Contributors

• @​Ayoub-Mabrouk made their first contribution in expressjs/session#1001
• @​djunehor made their first contribution in expressjs/session#1087
• @​lincond made their first contribution in expressjs/session#1027

... (truncated)

Changelog

Sourced from express-session's changelog.

1.19.0 / 2026-01-22

• Add dynamic cookie options support
• Add sameSite 'auto' support for automatic SameSite attribute configuration
• deps: use tilde notation for dependencies

1.18.2 / 2025-07-17

• deps: mocha@10.8.2
• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

1.18.1 / 2024-10-08

• deps: cookie@0.7.2
  • Fix object assignment of hasOwnProperty
• deps: cookie@0.7.1
  • Allow leading dot for domain
    • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
  • Add fast path for serialize without options, use obj.hasOwnProperty when parsing
• deps: cookie@0.7.0
  • perf: parse cookies ~10% faster
  • fix: narrow the validation of cookies to match RFC6265
  • fix: add main to package.json for rspack

1.18.0 / 2024-01-28

• Add debug log for pathname mismatch
• Add partitioned to cookie options
• Add priority to cookie options
• Fix handling errors from setting cookie
• Support any type in secret that crypto.createHmac supports
• deps: cookie@0.6.0
  • Fix expires option to reject invalid dates
  • perf: improve default decode speed
  • perf: remove slow string split in parse
• deps: cookie-signature@1.0.7

1.17.3 / 2022-05-11

• Fix resaving already-saved new session at end of request
• deps: cookie@0.4.2

1.17.2 / 2021-05-19

... (truncated)

Commits

• c10b2a3 1.19.0 (#1107)
• 2673736 feat: add support to dynamic cookie options (#1027)
• 73e0193 Add sameSite 'auto' support to match secure 'auto' pattern (#1087)
• 264b6a0 deps: use tilde notation for dependencies (#1096)
• 6d69f09 chore: remove history.md from being packaged on publish (#1097)
• 00b8a5f refactor: remove unused sess parameter from generateSessionId function (#...
• 2cd6561 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1082)
• 1307f30 build(deps): bump actions/checkout from 4.2.2 to 6.0.0 (#1088)
• 0e7a438 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#1089)
• a095a9a build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1090)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express-session since your current version.

Updates lodash from 4.17.20 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates moment from 2.29.1 to 2.30.1

Changelog

Sourced from moment's changelog.

2.30.1

• Release Dec 27, 2023
• Revert moment/moment#5827, because it's breaking a lot of TS code.

2.30.0 Full changelog

• Release Dec 26, 2023

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

2.29.2 See full changelog

• Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

Commits

• 485d9a7 Build 2.30.1
• e048b09 Bump version to 2.30.1
• f9f2d58 Update changelog for 2.30.1
• a52ffb2 Revert "Merge pull request #5827 from BobZombie:feature/fix_d.ts"
• ddd6809 Build 2.30.0
• be64d00 Bump version to 2.30.0
• ad41179 Update changelog for 2.30.0
• 63fe479 [misc] Make code ES6 compatible
• 0f0195f Revert "Merge pull request #5599 from Alanscut:issue_4985"
• 15b82f5 Revert "Merge pull request #5597 from Alanscut:issue-5596"
• Additional commits viewable in compare view

Updates sqlite3 from 5.0.2 to 5.1.7

Release notes

Sourced from sqlite3's releases.

v5.1.7

What's Changed

• Updated bundled SQLite to v3.44.2 by @​daniellockyer
• Replaced @mapbox/node-pre-gyp with prebuild + prebuild-install (TryGhost/node-sqlite3@605c7f9) by @​daniellockyer
  • this should fix a lot of bundling issues reported by the community
• Improved RowToJS performance by removing Napi::String::New instantiation by @​daniellockyer
• Various minor code refactors and improvements (thanks @​zenon8adams!)

New Contributors

• @​zenon8adams made their first contribution in TryGhost/node-sqlite3#1701

Full Changelog: TryGhost/node-sqlite3@v5.1.6...v5.1.7

v5.1.7-rc.0

Please install v5.1.7 instead.

Full Changelog: TryGhost/node-sqlite3@v5.1.6...v5.1.7-rc.0

v5.1.6

What's Changed

• Fixed glibc compatibility by hardcoding lower version for log2 by @​daniellockyer
• Add generic type annotations for Statement and Database get/all/each methods callback rows by @​stevescruz in TryGhost/node-sqlite3#1686

New Contributors

• @​stevescruz made their first contribution in TryGhost/node-sqlite3#1686

Full Changelog: TryGhost/node-sqlite3@v5.1.5...v5.1.6

v5.1.5

What's Changed

• 🔒 Fixed code execution vulnerability due to Object coercion by @​daniellockyer
• Updated bundled SQLite to v3.41.1 by @​daniellockyer
• Fixed rpath linker option when using a custom sqlite by @​jeromew in TryGhost/node-sqlite3#1654

Full Changelog: TryGhost/node-sqlite3@v5.1.4...v5.1.5

v5.1.4

What's Changed

• Fixed glibc compatibility by downgrading CI to Ubuntu 20 by @​daniellockyer in TryGhost/node-sqlite3#1664

Full Changelog: TryGhost/node-sqlite3@v5.1.3...v5.1.4

v5.1.3

What's Changed

... (truncated)

Commits

• ba4ba07 v5.1.7
• d04c1fb Removed Node version from matrix title
• 03d6e75 v5.1.7-rc.0
• 8398daa Fixed uploading assets from Docker
• 8b86e41 Fixed uploading release assets on Windows
• 83c8c0a Configured releases to be created as prereleases
• f792f69 Update dependency node-addon-api to v7
• 4ef11bf Removed extraneous parameter to event emit function
• e99160a Inlined init() functions into class header files
• 3372130 Improved RowToJS performance by removing Napi::String::New instantiation
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by daniellockyer, a new releaser for sqlite3 since your current version.

Install script changes

This version modifies install script that runs during installation. Review the package contents before updating.

Updates validator from 13.5.2 to 13.15.35

Release notes

Sourced from validator's releases.

13.15.35

Fixes, New Locales and Enhancements

• #2663 isISO31661Alpha2/isISO31661Alpha3: add support for Kosovo (XK / XXK) @​johanpoirier-d4
• #2661 isHexColor: ignore non-object options @​yuna0831
• isTaxID
  • #2644 improve pt-BR locale by adding support for alphanumeric CNPJ format @​easedu
  • #2675 improve pt-BR locale by adding support for formatted CPF values @​easedu
• #2643 isPassportNumber: improve MX locale @​jesroffrouk
• #2676 isMobilePhone: add fr-DJ locale @​Kartikeya-guthub
• #2682 isPostalCode: add MC locale @​moogblob
• #2690 isJSON: allow any valid JSON value to pass @​relu91
• #2693 isSlug: restrict allowed characters to valid slug charset @​Shrawak
• Doc fixes and others:
  • #2658 @​Manaskarthik28
  • #2592 @​noritaka1166
  • #2591 @​noritaka1166

New Contributors

• @​Manaskarthik28 made their first contribution in validatorjs/validator.js#2658
• @​johanpoirier-d4 made their first contribution in validatorjs/validator.js#2663
• @​yuna0831 made their first contribution in validatorjs/validator.js#2661
• @​easedu made their first contribution in validatorjs/validator.js#2644
• @​jesroffrouk made their first contribution in validatorjs/validator.js#2643
• @​Kartikeya-guthub made their first contribution in validatorjs/validator.js#2676
• @​moogblob made their first contribution in validatorjs/validator.js#2682
• @​noritaka1166 made their first contribution in validatorjs/validator.js#2592
• @​relu91 made their first contribution in validatorjs/validator.js#2690
• @​Shrawak made their first contribution in validatorjs/validator.js#2693

Full Changelog: validatorjs/validator.js@13.15.26...13.15.35

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

New Contributors

• @​ds1371dani made their first contribution in validatorjs/validator.js#2634
• @​Numbers0689 made their first contribution in validatorjs/validator.js#2535

Full Changelog: validatorjs/validator.js@13.15.23...13.15.26

13.15.23

Fixes, New Locales and Enhancements

... (truncated)

Changelog

Sourced from validator's changelog.

13.15.35

Fixes, New Locales and Enhancements

• #2663 isISO31661Alpha2/isISO31661Alpha3: add support for Kosovo (XK / XXK) @​johanpoirier-d4
• #2661 isHexColor: ignore non-object options @​yuna0831
• isTaxID
  • #2644 improve pt-BR locale by adding support for alphanumeric CNPJ format @​easedu
  • #2675 improve pt-BR locale by adding support for formatted CPF values @​easedu
• #2643 isPassportNumber: improve MX locale @​jesroffrouk
• #2676 isMobilePhone: add fr-DJ locale @​Kartikeya-guthub
• #2682 isPostalCode: add MC locale @​moogblob
• #2690 isJSON: allow any valid JSON value to pass @​relu91
• #2693 isSlug: restrict allowed characters to valid slug charset @​Shrawak
• Doc fixes and others:
  • #2658 @​Manaskarthik28
  • #2592 @​noritaka1166
  • #2591 @​noritaka1166

13.15.26

Fixes, New Locales and Enhancements

• #2535 isHexColor: add require_hashtag option @​Numbers0689
• #2633 isURL: handle possible bypass with URL-encoded content @​WikiRik
• #2634 isIBAN: improve IR locale @​ds1371dani
• Doc fixes and others:
  • #2640 @​WikiRik

13.15.23

Fixes, New Locales and Enhancements

• Doc fixes and others:
  • #2631 @​WikiRik

13.15.22

Fixes, New Locales and Enhancements

• #2622 isURL: fix regression with hostnames with ports @​mbtools
• #2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #2621 @​mbtools

13.15.20

Fixes, New Locales and Enhancements

• #2556 isMobilePhone: add ar-QA locale @​WardKhaddour

... (truncated)

Commits

• 7a80797 maintenance: 2604 release (#2695)
• 941db7f fix(isSlug): restrict allowed characters to valid slug charset (#2693)
• 2758f70 chore: fix typo in comment (#2591)
• fcfbff5 feat(isJson): allow any valid JSON value to pass (#2690)
• f06caee refactor: replace if-then-else flow by a single return statement (#2592)
• 9fa1e3a feat(isPostalCode): Add postal code for Monaco (#2682)
• b1aea75 feat(isMobilePhone): add Djibouti (fr-DJ) mobile phone validation (#2676)
• f715cdd fix(isPassportNumber): improve MX locale (#2643)
• e8c6914 fix(isTaxID): add formatted CPF support and additional test cases for pt-BR l...
• 90b0a9a fix(isTaxID): improve pt-BR locale by adding support for alphanumeric CNPJ ...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for validator since your current version.

Updates cors from 2.8.5 to 2.8.6

Release notes

Sourced from cors's releases.

v2.8.6

What's Changed

• Build: Node.js@12.16 and Node.js.13.12 by @​smondal in expressjs/cors#189
• Update README.md for origin function callback parameters by @​dstudzinski in expressjs/cors#180
• Suggest passing false for disallowed domains, not erroring by @​shackpank in expressjs/cors#175
• Changed the term whitelist to allowlist in Documentation by @​jkasun in expressjs/cors#200
• Fix typo in README by @​alex-grover in expressjs/cors#207
• Added new link & website in the README by @​manjunath00 in expressjs/cors#269
• Fix functions call with extra parameter by @​LuisEGR in expressjs/cors#245
• 🐛 Fix readme status badge by @​homersimpsons in expressjs/cors#306
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/cors#321
• ci: fix errors in ci github action for node 8 by @​inigomarquinez in expressjs/cors#322
• test: improved test robustness by @​Alex-GF in expressjs/cors#320
• chore: upgrade scorecard workflow pinned action versions by @​carpasse in expressjs/cors#341
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/cors#340
• docs: remove broken link to demo site by @​dpopp07 in expressjs/cors#344
• OSSF Scorecard recommendations by @​UlisesGascon in expressjs/cors#350
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 by @​dependabot[bot] in expressjs/cors#351
• build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/cors#353
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot[bot] in expressjs/cors#354
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @​dependabot[bot] in expressjs/cors#355
• build(deps-dev): bump express from 4.17.1 to 4.21.2 by @​dependabot[bot] in expressjs/cors#356
• build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @​dependabot[bot] in expressjs/cors#352
• build(deps-dev): bump mocha from 9.1.1 to 9.2.2 by @​dependabot[bot] in expressjs/cors#358
• update the docs for per request config by @​jonchurch in expressjs/cors#338
• (fix): readme updated for #271 origin option for * by @​dhananjaysa92 in expressjs/cors#289
• ci: upgrade Node versions by @​UlisesGascon in expressjs/cors#359
• chore: add funding to package.json by @​bjohansebas in expressjs/cors#363
• build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 by @​dependabot[bot] in expressjs/cors#371
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/cors#370
• docs: Cleanup README by @​efekrskl in expressjs/cors#374
• chore: add node v25 by @​imangas in expressjs/cors#375
• Extend CI test matrix by @​imangas in expressjs/cors#376
• docs: simplify code examples with header comments by @​jonchurch in expressjs/cors#386
• docs: tweak intro, add note w/ browser enforcement, FAQ by @​jonchurch in expressjs/cors#385
• chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball by @​Phillip9587 in expressjs/cors#388
• Release: 2.8.6 by @​UlisesGascon in expressjs/cors#390

New Contributors

• @​smondal made their first contribution in expressjs/cors#189
• @​dstudzinski made their first contribution in expressjs/cors#180
• @​shackpank made their first contribution in expressjs/cors#175
• @​jkasun made their first contribution in expressjs/cors#200
• @​alex-grover made their first contribution in expressjs/cors#207
• @​manjunath00 made their first contribution in expressjs/cors#269
• @​LuisEGR made their first contribution in expressjs/cors#245
• @​homersimpsons made their first contribution in expressjs/cors#306
• @​inigomarquinez made their first contribution in expressjs/cors#321
• @​Alex-GF made their first contribution in expressjs/cors#320
• @​carpasse made their first contribution in expressjs/cors#341

... (truncated)

Changelog

Sourced from cors's changelog.

2.8.6 / 2026-01-22

• Improve documentation (API, context, examples...)
• Remove additional markdown files from tarball

Commits

• f00a8c1 2.8.6 (#390)
• 848e2bd chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388)
• cf8947e docs: tweak intro, add note w/ browser enforcement, FAQ (#385)
• bbf62a5 docs: simplify code examples with header comments (#386)
• f442e77 Extend CI test matrix (#376)
• d5cf6cd ci: add support for node@25 (#375)
• 7e6f7ee docs: revamp content (#374)
• b25644c build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370)
• f881e91 build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371)
• 9a9a760 chore: add funding to package.json (#363)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cors since your current version.

Updates handlebars from 4.0.0 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to ...

  Description has been truncated

[github-actions]

Dependency Review

The following issues were found:

• ❌ 3 vulnerable package(s)
• ❌ 1 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.
• ⚠️ 67 packages with OpenSSF Scorecard issues.

View full job summary

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.