Bump the default group across 1 directory with 6 updates #152

dependabot · 2026-01-23T07:03:05Z

Bumps the default group with 6 updates in the / directory:

Package	From	To
body-parser	`2.2.1`	`2.2.2`
config	`4.1.1`	`4.2.0`
cors	`2.8.5`	`2.8.6`
express-session	`1.18.2`	`1.19.0`
globals	`16.5.0`	`17.1.0`
supertest	`7.1.4`	`7.2.2`

Updates body-parser from 2.2.1 to 2.2.2

Release notes

Sourced from body-parser's releases.

v2.2.2

What's Changed

docs: update README links by @efekrskl in expressjs/body-parser#673

docs: release notes for the v1.20.4 release by @Phillip9587 in expressjs/body-parser#674

docs: update URL-encoded parser description to include ISO-8859-1 encoding support by @Phillip9587 in expressjs/body-parser#679

docs: use standard jsdoc tags everywhere by @Phillip9587 in expressjs/body-parser#677

deps: qs@^6.14.1 by @UlisesGascon in expressjs/body-parser#689

refactor(json): simplify strict mode error string construction by @jonchurch in expressjs/body-parser#693

Release: 2.2.2 by @UlisesGascon in expressjs/body-parser#691

New Contributors

@efekrskl made their first contribution in expressjs/body-parser#673

Full Changelog: expressjs/body-parser@v2.2.1...v2.2.2

Changelog

Sourced from body-parser's changelog.

2.2.2 / 2026-01-07

deps: qs@^6.14.1

refactor(json): simplify strict mode error string construction

Commits

3d24866 2.2.2 (#691)
8474a98 refactor(json): simplify strict mode error string construction (#693)
03f17c2 deps: qs@^6.14.1 (#689)
ea1f25e docs: use standard jsdoc tags everywhere (#677)
d7deef8 docs: update URL-encoded parser description to include ISO-8859-1 encoding su...
b6f52aa docs: release notes for the v1.20.4 release (#674)
2965ca4 docs: update links (#673)
See full diff in compare view

Updates config from 4.1.1 to 4.2.0

Release notes

Sourced from config's releases.

v4.2.0

What's Changed

Delete deprecated functions in Config.util, and associated tests. by @jdmarshall in node-config/node-config#845

Default to yaml over js-yaml by @jdmarshall in node-config/node-config#859

Breaking Changes

All deprecated functions in config.util have been removed. Please use lib/util for similar functionality

Default Yaml parser has changed to a more maintained alternative. Please validate your config files for correct processing, or adjust your package.json to force js-yaml to be used

Full Changelog: node-config/node-config@v4.1.1...v4.2.0

Commits

848cde5 js-yaml is mostly dead although it did get a CVE patch to address
6406d90 4.2.0
52aa438 Merge pull request #845 from jdmarshall/deletions
0f7fee6 Linter feedback fixes.
a0ad69f Retiring diffDeep.
2af4909 Delete deprecated functions in Config.util, and associated tests.
See full diff in compare view

Updates cors from 2.8.5 to 2.8.6

Release notes

Sourced from cors's releases.

v2.8.6

What's Changed

Build: Node.js@12.16 and Node.js.13.12 by @smondal in expressjs/cors#189

Update README.md for origin function callback parameters by @dstudzinski in expressjs/cors#180

Suggest passing false for disallowed domains, not erroring by @shackpank in expressjs/cors#175

Changed the term whitelist to allowlist in Documentation by @jkasun in expressjs/cors#200

Fix typo in README by @alex-grover in expressjs/cors#207

Added new link & website in the README by @manjunath00 in expressjs/cors#269

Fix functions call with extra parameter by @LuisEGR in expressjs/cors#245

🐛 Fix readme status badge by @homersimpsons in expressjs/cors#306

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/cors#321

ci: fix errors in ci github action for node 8 by @inigomarquinez in expressjs/cors#322

test: improved test robustness by @Alex-GF in expressjs/cors#320

chore: upgrade scorecard workflow pinned action versions by @carpasse in expressjs/cors#341

ci: add CodeQL (SAST) by @bjohansebas in expressjs/cors#340

docs: remove broken link to demo site by @dpopp07 in expressjs/cors#344

OSSF Scorecard recommendations by @UlisesGascon in expressjs/cors#350

build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 by @dependabot[bot] in expressjs/cors#351

build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/cors#353

build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in expressjs/cors#354

build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @dependabot[bot] in expressjs/cors#355

build(deps-dev): bump express from 4.17.1 to 4.21.2 by @dependabot[bot] in expressjs/cors#356

build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in expressjs/cors#352

build(deps-dev): bump mocha from 9.1.1 to 9.2.2 by @dependabot[bot] in expressjs/cors#358

update the docs for per request config by @jonchurch in expressjs/cors#338

(fix): readme updated for #271 origin option for * by @dhananjaysa92 in expressjs/cors#289

ci: upgrade Node versions by @UlisesGascon in expressjs/cors#359

chore: add funding to package.json by @bjohansebas in expressjs/cors#363

build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 by @dependabot[bot] in expressjs/cors#371

build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in expressjs/cors#370

docs: Cleanup README by @efekrskl in expressjs/cors#374

chore: add node v25 by @imangas in expressjs/cors#375

Extend CI test matrix by @imangas in expressjs/cors#376

docs: simplify code examples with header comments by @jonchurch in expressjs/cors#386

docs: tweak intro, add note w/ browser enforcement, FAQ by @jonchurch in expressjs/cors#385

chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball by @Phillip9587 in expressjs/cors#388

Release: 2.8.6 by @UlisesGascon in expressjs/cors#390

New Contributors

@smondal made their first contribution in expressjs/cors#189

@dstudzinski made their first contribution in expressjs/cors#180

@shackpank made their first contribution in expressjs/cors#175

@jkasun made their first contribution in expressjs/cors#200

@alex-grover made their first contribution in expressjs/cors#207

@manjunath00 made their first contribution in expressjs/cors#269

@LuisEGR made their first contribution in expressjs/cors#245

@homersimpsons made their first contribution in expressjs/cors#306

@inigomarquinez made their first contribution in expressjs/cors#321

@Alex-GF made their first contribution in expressjs/cors#320

@carpasse made their first contribution in expressjs/cors#341

... (truncated)

Changelog

Sourced from cors's changelog.

2.8.6 / 2026-01-22

Improve documentation (API, context, examples...)

Remove additional markdown files from tarball

Commits

f00a8c1 2.8.6 (#390)
848e2bd chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388)
cf8947e docs: tweak intro, add note w/ browser enforcement, FAQ (#385)
bbf62a5 docs: simplify code examples with header comments (#386)
f442e77 Extend CI test matrix (#376)
d5cf6cd ci: add support for node@25 (#375)
7e6f7ee docs: revamp content (#374)
b25644c build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370)
f881e91 build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371)
9a9a760 chore: add funding to package.json (#363)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cors since your current version.

Updates express-session from 1.18.2 to 1.19.0

Release notes

Sourced from express-session's releases.

v1.19.0

What's Changed

Main Changes
Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature enables programmatic modification of cookie attributes like secure, httpOnly, sameSite, maxAge, domain, and path based on session or request conditions.
var app = express()
app.use(session({
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: true,
  cookie: function (req) {
    var match = req.url.match(/^\/([^/]+)/);
    return {
      path: match ? '/' + match[1] : '/',
      httpOnly: true,
      secure: req.secure || false,
      maxAge: 60000
    }
  }
}))
Add sameSite 'auto' support for automatic SameSite attribute configuration Added sameSite: 'auto' option for cookie configuration that automatically sets SameSite=None for HTTPS and SameSite=Lax for HTTP connections, simplifying cookie handling across different environments.

deps: use tilde notation for dependencies
PRs

chore: add funding to package.json by @bjohansebas in expressjs/session#1071

build(deps): bump actions/download-artifact from 4.3.0 to 6.0.0 by @dependabot[bot] in expressjs/session#1086

build(deps): bump github/codeql-action from 3.28.18 to 4.31.2 by @dependabot[bot] in expressjs/session#1085

build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 by @dependabot[bot] in expressjs/session#1091

build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in expressjs/session#1090

build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 by @dependabot[bot] in expressjs/session#1089

build(deps): bump actions/checkout from 4.2.2 to 6.0.0 by @dependabot[bot] in expressjs/session#1088

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 by @dependabot[bot] in expressjs/session#1082

refactor: remove unused sess parameter from generateSessionId fun… by @Ayoub-Mabrouk in expressjs/session#1001

chore: remove history.md from being packaged on publish by @bjohansebas in expressjs/session#1097

deps: use tilde notation for dependencies by @bjohansebas in expressjs/session#1096

Add sameSite 'auto' support to match secure 'auto' pattern by @djunehor in expressjs/session#1087

feat: add support to dynamic cookie options by @lincond in expressjs/session#1027

Release: 1.19.0 by @UlisesGascon in expressjs/session#1107

New Contributors

@Ayoub-Mabrouk made their first contribution in expressjs/session#1001

@djunehor made their first contribution in expressjs/session#1087

@lincond made their first contribution in expressjs/session#1027

... (truncated)

Changelog

Sourced from express-session's changelog.

1.19.0 / 2026-01-22

Add dynamic cookie options support

Add sameSite 'auto' support for automatic SameSite attribute configuration

deps: use tilde notation for dependencies

Commits

c10b2a3 1.19.0 (#1107)
2673736 feat: add support to dynamic cookie options (#1027)
73e0193 Add sameSite 'auto' support to match secure 'auto' pattern (#1087)
264b6a0 deps: use tilde notation for dependencies (#1096)
6d69f09 chore: remove history.md from being packaged on publish (#1097)
00b8a5f refactor: remove unused sess parameter from generateSessionId function (#...
2cd6561 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.3 (#1082)
1307f30 build(deps): bump actions/checkout from 4.2.2 to 6.0.0 (#1088)
0e7a438 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#1089)
a095a9a build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#1090)
Additional commits viewable in compare view

Updates globals from 16.5.0 to 17.1.0

Release notes

Sourced from globals's releases.

v17.1.0

Add webpack and rspack globals (#333) 65cae73

sindresorhus/globals@v17.0.0...v17.1.0

v17.0.0

Breaking

Split audioWorklet environment from browser (#320) 7bc293e

Improvements

Update globals (#329) ebe1063

Get all browser globals from both chrome and firefox (#321) 59ceff8

Add bunBuiltin environment (#324) 1bc6e3b

Add denoBuiltin environment (#324) 1bc6e3b

Add paintWorklet environment (#323) 4b78f56

Add sharedWorker environment (#322) 4a02a85

sindresorhus/globals@v16.5.0...v17.0.0

Commits

7a2f354 17.1.0
65cae73 Add webpack and rspack globals (#333)
3efe5aa Remove script transform (#332)
bb89b18 17.0.0
ebe1063 Update globals (2026-01-01) (#329)
e3d8da3 Revert "Automate script for paintWorklet environment (#325)" (#328)
e7c0453 Automate script for paintWorklet environment (#325)
1bc6e3b Add bunBuiltin and denoBuiltin (#324)
4b78f56 Add paintWorklet environment (#323)
59ceff8 Get all browser globals from both chrome and firefox (#321)
Additional commits viewable in compare view

Updates supertest from 7.1.4 to 7.2.2

Release notes

Sourced from supertest's releases.

v7.2.2

fix: replace 'should' dependency with native assertions in cookies module 1954bcf

forwardemail/supertest@v7.2.1...v7.2.2

v7.2.1

fix: correct case-sensitive require path for assertion module d4f04fb

forwardemail/supertest@v7.2.0...v7.2.1

v7.2.0

fix: fixed package lock c4b08a6

fix: drop v14 and v16 from tests d084ce2

Merge pull request #872 from forwardemail/dependabot/npm_and_yarn/js-yaml-3.14.2 61f3ddf

Merge pull request #873 from forwardemail/dependabot/npm_and_yarn/multi-6d05d0e569 bd2fe45

chore(deps): bump qs, body-parser and express 07bf4fb

Merge pull request #866 from SchroederSteffen/use-lowercase-header-name 0666797

Merge pull request #868 from dmurvihill/cookie-assertions 953eca7

chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 81ab94c

Merge pull request #870 from kudlav/patch-1 14d905d

Update links to documentation in README f508b30

feat(cookies): add cookie assertions 4f89680

chore(readme): use lower-case header name 1e642b0

forwardemail/supertest@v7.1.4...v7.2.0

Commits

d799751 7.2.2
1954bcf fix: replace 'should' dependency with native assertions in cookies module
8fb7453 7.2.1
d4f04fb fix: correct case-sensitive require path for assertion module
b8f0a43 7.2.0
c4b08a6 fix: fixed package lock
d084ce2 fix: drop v14 and v16 from tests
61f3ddf Merge pull request #872 from forwardemail/dependabot/npm_and_yarn/js-yaml-3.14.2
bd2fe45 Merge pull request #873 from forwardemail/dependabot/npm_and_yarn/multi-6d05d...
07bf4fb chore(deps): bump qs, body-parser and express
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the default group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [body-parser](https://github.com/expressjs/body-parser) | `2.2.1` | `2.2.2` | | [config](https://github.com/node-config/node-config) | `4.1.1` | `4.2.0` | | [cors](https://github.com/expressjs/cors) | `2.8.5` | `2.8.6` | | [express-session](https://github.com/expressjs/session) | `1.18.2` | `1.19.0` | | [globals](https://github.com/sindresorhus/globals) | `16.5.0` | `17.1.0` | | [supertest](https://github.com/ladjs/supertest) | `7.1.4` | `7.2.2` | Updates `body-parser` from 2.2.1 to 2.2.2 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@v2.2.1...v2.2.2) Updates `config` from 4.1.1 to 4.2.0 - [Release notes](https://github.com/node-config/node-config/releases) - [Changelog](https://github.com/node-config/node-config/blob/master/History.md) - [Commits](node-config/node-config@v4.1.1...v4.2.0) Updates `cors` from 2.8.5 to 2.8.6 - [Release notes](https://github.com/expressjs/cors/releases) - [Changelog](https://github.com/expressjs/cors/blob/master/HISTORY.md) - [Commits](expressjs/cors@v2.8.5...v2.8.6) Updates `express-session` from 1.18.2 to 1.19.0 - [Release notes](https://github.com/expressjs/session/releases) - [Changelog](https://github.com/expressjs/session/blob/master/HISTORY.md) - [Commits](expressjs/session@v1.18.2...v1.19.0) Updates `globals` from 16.5.0 to 17.1.0 - [Release notes](https://github.com/sindresorhus/globals/releases) - [Commits](sindresorhus/globals@v16.5.0...v17.1.0) Updates `supertest` from 7.1.4 to 7.2.2 - [Release notes](https://github.com/ladjs/supertest/releases) - [Commits](forwardemail/supertest@v7.1.4...v7.2.2) --- updated-dependencies: - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: default - dependency-name: config dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: default - dependency-name: cors dependency-version: 2.8.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: default - dependency-name: express-session dependency-version: 1.19.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: default - dependency-name: globals dependency-version: 17.1.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: default - dependency-name: supertest dependency-version: 7.2.2 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: default ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 23, 2026

github-actions bot enabled auto-merge January 23, 2026 07:03

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the default group across 1 directory with 6 updates #152

Bump the default group across 1 directory with 6 updates #152

dependabot bot commented on behalf of github Jan 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Bump the default group across 1 directory with 6 updates #152

Are you sure you want to change the base?

Bump the default group across 1 directory with 6 updates #152

Conversation

dependabot bot commented on behalf of github Jan 23, 2026

v2.2.2

What's Changed

New Contributors

2.2.2 / 2026-01-07

v4.2.0

What's Changed

Breaking Changes

v2.8.6

What's Changed

New Contributors

2.8.6 / 2026-01-22

v1.19.0

What's Changed

Main Changes

PRs

New Contributors

1.19.0 / 2026-01-22

v17.1.0

v17.0.0

Breaking

Improvements

v7.2.2

v7.2.1

v7.2.0

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant