deps: bump the production-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the production-dependencies group with 10 updates in the / directory:

Package	From	To
@sentry/node	8.55.0	10.41.0
axios	1.13.4	1.13.6
bcryptjs	2.4.3	3.0.3
csrf-csrf	3.2.2	4.0.3
dotenv	16.6.1	17.3.1
express	4.22.1	5.2.1
express-rate-limit	7.5.1	8.2.1
multer	2.0.2	2.1.0
pg	8.18.0	8.19.0
@eslint/js	9.39.2	10.0.1

Updates @sentry/node from 8.55.0 to 10.41.0

Release notes

Sourced from @​sentry/node's releases.

10.41.0

Important Changes

• feat(core,cloudflare,deno): Add instrumentPostgresJsSql instrumentation (#19566)

  Added a new instrumentation helper for the postgres (postgres.js) library, designed for SDKs that are not based on OpenTelemetry (e.g. Cloudflare, Deno). This wraps a postgres.js sql tagged template instance so that all queries automatically create Sentry spans.

  import postgres from 'postgres';
  import * as Sentry from '@sentry/cloudflare'; // or '@sentry/deno'
  export default Sentry.withSentry(env => ({ dsn: 'DSN' }), {
  async fetch(request, env, ctx) {
  const sql = Sentry.instrumentPostgresJsSql(postgres(env.DATABASE_URL));
  // All queries now create Sentry spans
  const users = await sql`SELECT * FROM users WHERE id = ${userId}`;
  return Response.json(users);
  
  },
  });

  The instrumentation is available in @sentry/core, @sentry/cloudflare, and @sentry/deno.

• feat(nextjs): Add Turbopack support for thirdPartyErrorFilterIntegration (#19542)

  We added experimental support for the thirdPartyErrorFilterIntegration with Turbopack builds.

  This feature requires Next.js 16+ and is currently behind an experimental flag:

  // next.config.ts
  import { withSentryConfig } from '@sentry/nextjs';
  export default withSentryConfig(nextConfig, {
  _experimental: {
  turbopackApplicationKey: 'my-app-key',
  },
  });

  Then configure the integration in your client instrumentation file with a matching key:

  // instrumentation-client.ts
  import * as Sentry from '@sentry/nextjs';
  Sentry.init({

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.41.0

Important Changes

• feat(core,cloudflare,deno): Add instrumentPostgresJsSql instrumentation (#19566)

  Added a new instrumentation helper for the postgres (postgres.js) library, designed for SDKs that are not based on OpenTelemetry (e.g. Cloudflare, Deno). This wraps a postgres.js sql tagged template instance so that all queries automatically create Sentry spans.

  import postgres from 'postgres';
  import * as Sentry from '@sentry/cloudflare'; // or '@sentry/deno'
  export default Sentry.withSentry(env => ({ dsn: 'DSN' }), {
  async fetch(request, env, ctx) {
  const sql = Sentry.instrumentPostgresJsSql(postgres(env.DATABASE_URL));
  // All queries now create Sentry spans
  const users = await sql`SELECT * FROM users WHERE id = ${userId}`;
  return Response.json(users);
  
  },
  });

  The instrumentation is available in @sentry/core, @sentry/cloudflare, and @sentry/deno.

• feat(nextjs): Add Turbopack support for thirdPartyErrorFilterIntegration (#19542)

  We added experimental support for the thirdPartyErrorFilterIntegration with Turbopack builds.

  This feature requires Next.js 16+ and is currently behind an experimental flag:

  // next.config.ts
  import { withSentryConfig } from '@sentry/nextjs';
  export default withSentryConfig(nextConfig, {
  _experimental: {
  turbopackApplicationKey: 'my-app-key',
  },
  });

  Then configure the integration in your client instrumentation file with a matching key:

  // instrumentation-client.ts
  import * as Sentry from '@sentry/nextjs';

... (truncated)

Commits

• 66f455a release: 10.41.0
• ca12aab Merge pull request #19576 from getsentry/prepare-release/10.41.0
• dc44fe4 meta(changelog): Update changelog for 10.41.0
• 93e3c30 fix(core): Strip inline media from multimodal content before stringification ...
• 9d3ae61 feat(core,cloudflare): Add dispose to the client for proper cleanup (#19506)
• 88078a0 feat(core,cloudflare,deno): Add instrumentPostgresJsSql instrumentation (#19566)
• 43be7b0 fix(deps): Bump transitive rollup deps to patch CVE-2026-27606 (#19565)
• 6707fd3 feat(react-router): Include middleware function names and indices (#19109)
• 0c3b071 test(node): Test runName parameter in handleChainStart for langchain (#19562)
• 2b79e29 Merge pull request #19554 from getsentry/fix/langchain-handlechainstart-runname
• Additional commits viewable in compare view

Updates axios from 1.13.4 to 1.13.6

Release notes

Sourced from axios's releases.

v1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#7432)
• Infrastructure: Migrated @​rollup/plugin-babel from v5.3.1 to v6.1.0. (#7424)
• Documentation: Added missing JSDoc comments to utilities. (#7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @​Gudahtt (#7386)
• @​ybbus (#7392)
• @​Shiwaangee (#7324)
• @​skrtheboss (#7403)
• @​Janaka66 (#7427)
• @​moh3n9595 (#5764)
• @​digital-wizard48 (#7424)

Full Changelog: v1.13.5...v1.13.6

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

... (truncated)

Commits

• 7108c88 chore(release): prepare release 1.13.6 (#7446)
• 20a0ba3 refactor(deps): migrate @​rollup/plugin-babel from v5.3.1 to v6.1.0 (#7424)
• 885b4af feat: support react native blob objects (#5764)
• 00d97b9 docs(utils): add missing JSDoc comments (#7427)
• 9712548 chore(deps-dev): bump the development_dependencies group across 1 directory w...
• d51accb fix(core): copy status from source error in AxiosError.from (#7403)
• 3e30bbf chore: fix publish to only run on v1 tags
• 672491d fix: safe FormData detection for WeChat Mini Program (#7306) (#7324)
• 822e3e4 fix: make AxiosError.message property enumerable (#7392)
• ef3711d feat: implement prettier and fix all issues (#7385)
• Additional commits viewable in compare view

Updates bcryptjs from 2.4.3 to 3.0.3

Release notes

Sourced from bcryptjs's releases.

v3.0.3

Bug fixes

• Always yield to event loop before nextTick for async versions (#164) (1211e9a2213e0b3ee232a204b3ce899beebce31a)

v3.0.2

Bug fixes

• Use upstream fix to emit interop helpers (28e510389374f5736c447395443d4a6687325048)

v3.0.1

Bug fixes

• Separate ESM and UMD type definitions (e7055caf0c723cbcf8bc3f0784b8c30ee332380f)

v3.0.0

Breaking changes

• Modernize project structure (2f45985738604c743c4b8cc8464e3e7d3e04c73d) The project now exports an ECMAScript module by default, albeit with an UMD fallback, ships with types, the dist/ directory no longer exists in version control, and Closure Compiler externs have been removed.
• Generate 2b hashes by default (d36bfb42fa642b6d6986a84ce106a7110e5824db) This library was not affected by the bug that led to incrementing the bcrypt version from 2a to 2b, but nowadays most implementations use 2b, including the native bcrypt binding, so this change aligns with them. Existing hashes will continue to work, but test logic that generates hashes and compares them literally might need to be updated to account for the new default.

Features

• Add helper to check for password input length (d5656b39e2e368c87724a312e4e454456a4e5d1b)

Other

• Update publish workflow (2a9bea9e276e6be04dbd403f9695937788b3b10a)
• Add note on using the ESM variant in the browser (e09eb9afb14170069aaea19631b763307ee7b480)
• Update types (58333a1533dd53838e2697628f84b98d54a5c079)
• Merge lint and test workflows (2e3b17659e8856696acfe3015631ce2989eb3084)
• Fix tests (ec02e8a0ada7a8f6c71a91df164db8c25bbbb7b4)
• Update legacy fallback to handle crypto dependency (9db275fa10b1b40da4a6844480d7f8ae8df27fb8)
• Update lint workflow title (ac70ac57c2f99ad5639eddf54578e5fdd07b9c4c)
• Adapt crypto module usage for ESM environments (574d690d4972bcebbd5ca07880a62abab9ae3c0b)
• Format with prettier (e7465479282d8155852ce88d6407eccb14adc106)
• Rename default branch to 'main' (548559d032d7dd5ac3e4e16d7afd87b36ebe96ca)
• Update description to mention TypeScript support (4977df0849eaf8cad5b0d0b543fe452432a2d761)
• Add stale action for issues and PRs (a84d4e45487df0972d8781feafa477d5db4c1dbd)
• Fix typo (c8c9c01799bbc13092fcbb20cfab4d9015d14c61)
• Fix Node.js version in CI (1b54cc48d4120b50e1d9058e5a67f326102fd744)

Backlog from v2

• Added externs to .npmignore (#124) (7e2e93af99df2952253f9cf32db29aefa8f272f7) The npm package does not need externs as it is needed only for closure compiler. Added it in .npmignore since bcryptjs overrides global module and process in WebStorm IDE.
• Make sure the bin script uses LF (684fac6814a81d974c805a15e22fd69922c7ca6e)
• Post-merge; Clean up a bit (b09f7f266a7015456b7b36deeb026dc636f64542)

... (truncated)

Commits

• 1211e9a fix: Always yield to event loop before nextTick for async versions (#164)
• 28e5103 fix: Use upstream fix to emit interop helpers
• e7055ca fix: Separate ESM and UMD type definitions
• 2a9bea9 Update publish workflow
• d5656b3 Add helper to check for password input length
• e09eb9a Add note on using the ESM variant in the browser
• 58333a1 Update types
• 2e3b176 Merge lint and test workflows
• ec02e8a Fix tests
• 9db275f Update legacy fallback to handle crypto dependency
• Additional commits viewable in compare view

Updates csrf-csrf from 3.2.2 to 4.0.3

Changelog

Sourced from csrf-csrf's changelog.

4.0.3 (2025-05-27)

generateCsrfToken will now always check if the existing token is valid before returning it. This validation is only derived from the request cookie, this way GET requests are not expected to include the CSRF token to ensure token reuse, this was a bug and not the intended/expected behavior.

If the CSRF token container in the request is somehow invalid when generateCsrfToken is called, this will be silently ignored and a new valid CSRF token will be generated and returned. If validateOnReuse is set to true, an error will be thrown instead.

Bug Fixes

• validateOnReuse incorrectly throws (26b3dd6)

4.0.2 (2025-05-09)

Bug Fixes

• broken type exports (8967de6)

4.0.1 (2025-05-08)

Bug Fixes

• correctly skip CSRF token validation when validateOnReuse is false (bcaf1c3)

4.0.0 (2025-04-27)

⚠ BREAKING CHANGES

This list may not be an exhaustive list of breaking changes, for more information consult the version 3 -> 4 upgrade guide and the updated configuration documentation in the README.

• Token generation now uses createHmac, the format has changed significantly, see the CSRF token format section of the upgrade guide.
• getSessionIdentifier is now required and must return a unique identifier per-request (and per-session) - this is an essential part of CSRF token security
• getTokenFromRequest renamed to getCsrfTokenFromRequest
• generateToken renamed to generateCsrfToken
• overwrite and validateOnReuse parameters for generateCsrfToken have been merged into a single object parameter which also accepts cookieOptions: generateCsrfToken(req, res, options);
• Default value for validateOnReuse is now false
• Default value for cookieOptions.sameSite is now strict
• cookieOptions.signed is no longer available, CSRF tokens are inherently signed, this is redundant
• delimiter option removed, csrfTokenDelimiter and messageDelimiter are now used for the respective purpose
• signed option in cookieOptions config option removed (redundant), csrf tokens generated by csrf-csrf are inherently signed
• size config option now sets the size of the message used to construct the hmac, now defaults to 32 instead of 64, this is combined with the return value of getSessionIdentifier to construct the hmac payload
• Type CsrfTokenCookieOverrides renamed to CsrfTokenCookieOptions
• Type CsrfTokenCreator renamed to CsrfTokenGenerator
• Type doubleCsrfProtection renamed to DoubleCsrfProtection
• Type RequestMethod renamed to CsrfRequestMethod
• Type CsrfIgnoredMethods renamed to CsrfIgnoredRequestMethods

Features

... (truncated)

Commits

• See full diff in compare view

Updates dotenv from 16.6.1 to 17.3.1

Changelog

Sourced from dotenv's changelog.

17.3.1 (2026-02-12)

Changed

• Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

17.2.3 (2025-09-29)

Changed

• Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

• Fix clickable tip links by removing parentheses (#897)

17.2.0 (2025-07-09)

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
</tr></table> 

... (truncated)

Commits

• 7bc16a4 17.3.1
• 27303fd update README-es
• 6379eb2 update README
• b6d7339 fix spelling
• 5febe35 17.3.0
• f61f383 changelog 🪵
• dec94ad update README
• 4856950 update README
• 6351887 update README
• 23bd017 update README
• Additional commits viewable in compare view

Updates express from 4.22.1 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @​UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @​dependabot[bot] in expressjs/express#6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @​Ayoub-Mabrouk in expressjs/express#6137
• increased code coverage of utils.js file by @​ashish3011 in expressjs/express#6386
• chore: remove duplicate word by @​dufucun in expressjs/express#6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @​dependabot[bot] in expressjs/express#6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/express#6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/express#6496
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6504
• ci: update codeql config by @​Phillip9587 in expressjs/express#6488
• chore: wider range for query test skip by @​jonchurch in expressjs/express#6512
• chore: fix typos in test by @​noritaka1166 in expressjs/express#6535
• ci: disable credential persistence for checkout actions by @​mertssmnoglu in expressjs/express#6522
• ci: allow manual triggering of workflow by @​shivarm in expressjs/express#6515
• test: add coverage for app.listen() variants by @​kgarg1 in expressjs/express#6476
• docs: move documentation and charters to the discussions and .github … by @​bjohansebas in expressjs/express#6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/express#6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/express#6548
• chore: enforce explicit Buffer import and add lint rule by @​shivarm in expressjs/express#6525
• chore: use node protocol for querystring by @​shivarm in expressjs/express#6520
• chore: fix typo by @​mountdisk in expressjs/express#6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/express#6618
• add deprecation warnings for redirect arguments undefined by @​bjohansebas in expressjs/express#6405
• ci: run CI when the markdown changes by @​bjohansebas in expressjs/express#6632
• doc: fix CONTRIBUTING link by @​jonchurch in expressjs/express#6653
• doc: update contributing guidelines and code of conduct links by @​ShubhamOulkar in expressjs/express#6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @​dependabot[bot] in expressjs/express#6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @​dependabot[bot] in expressjs/express#6678
• lint: add --fix flag to automatic fix linting issue by @​shivarm in expressjs/express#6644
• chore: ignore yarn.lock file and update example by @​shivarm in expressjs/express#6588
• lib: use req.socket over deprecated req.connection by @​bjohansebas in expressjs/express#6705
• doc: update express app example by @​shivarm in expressjs/express#6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/express#6675
• Remove history.md from being packaged on publish by @​sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0

... (truncated)

Commits

• dbac741 5.2.1
• 697547c Revert "sec: security patch for CVE-2024-51999"
• 4007ad1 Release: 5.2.0 (#6920)
• 2f64f68 sec: security patch for CVE-2024-51999
• ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
• 8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
• 30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
• 758d435 deps: body-parser@^2.2.1 (#6922)
• 77bcd52 docs: update emeritus triagers (#6890)
• f33caf1 Nominate to @​efekrskl for triage team (#6888)
• Additional commits viewable in compare view

Updates express-rate-limit from 7.5.1 to 8.2.1

Release notes

Sourced from express-rate-limit's releases.

v8.2.1

You can view the changelog here.

v8.2.0

You can view the changelog here.

v8.1.0

You can view the changelog here.

v8.0.1

You can view the changelog here.

v8.0.0

You can view the changelog here.

Commits

• fe1604d 8.2.1
• b11c05b Fix: don't warn for extra config from express-slow-down (#580)
• 3734733 8.2.0
• 962d737 feat: Unknown Options validation check (#578)
• 992c15c chore(deps-dev): bump the development-dependencies group with 3 updates (#579)
• 449a28a chore(deps-dev): bump the development-dependencies group across 1 directory w...
• ceaff6f chore(deps-dev): bump @​biomejs/biome from 2.2.5 to 2.2.6 (#574)
• 4fccb9e chore(deps-dev): bump lint-staged from 16.2.4 to 16.2.5 (#573)
• b597770 Rework dependabot grouping
• 03e8336 chore(deps-dev): bump mintlify from 4.2.114 to 4.2.175 (#572)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates multer from 2.0.2 to 2.1.0

Release notes

Sourced from multer's releases.

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

Commits

• 809f9dd 2.1.0 (#1371)
• 7399190 🔒 fix orphaned files issue
• cccf0fe 🔒️ improve disconnect handling
• 2c8cd23 docs: add Turkish translation (README-tr.md) (#1360)
• fd3c7d3 feat: add defParamCharset option for UTF-8 filename support (#1210)
• c13ab94 docs: improve readability in README-pt-br.md for array method (#1367)
• e28d678 docs: improve readability (#1366)
• 51529e3 fix: add .nyc_output to .gitignore (#1332)
• b6e4b1f chore: drop xtend dependency (#1352)
• 5c8407f chore: drop object-assign dependency (#1351)
• Additional commits viewable in compare view

Updates pg from 8.18.0 to 8.19.0

Changelog

Sourced from pg's changelog.

pg@8.19.0

• Deprecate interal query queue.
• Pass connection parameters to password callback.

Commits

• f2d7d11 Publish
• 5a4bafc Deprecate Client's internal query queue (#3603)
• a215bfb Typo fix in PgPass deprecation (funciton) (#3605)
• 01e0556 fix(pg-query-stream): invoke this.callback on cursor end/error (#2810)
• e6e3692 Pass connection parameters to password callback (#3602)
• d80d883 test: Fix TLS connection test ending too early
• f332f28 fix: Connection timeout handling for native clients in connected state (#3512)
• b2e9cb1 Remove testAsync - its redundant (#3588)
• 46cdf9e [fix] fix unhandled callback error for submittables (#3589)
• See full diff in compare view

Updates @eslint/js from 9.39.2 to 10.0.1

Release notes

Sourced from @​eslint/js's releases.

v10.0.1

Bug Fixes

• c87d5bd fix: update eslint (#20531) (renovate[bot])
• d841001 fix: update minimatch to 10.2.1 to address security vulnerabilities (#20519) (루밀LuMir)
• 04c2147 fix: update error message for unused suppressions (#20496) (fnx)
• 38b089c fix: update dependency @​eslint/config-array to ^0.23.1 (#20484) (renovate[bot])

Documentation

• 5b3dbce docs: add AI acknowledgement section to templates (#20431) (루밀LuMir)
• 6f23076 docs: toggle nav in no-JS mode (#20476) (Tanuj Kanti)
• b69cfb3 docs: Update README (GitHub Actions Bot)

Chores

• e5c281f chore: updates for v9.39.3 release (Jenkins)
• 8c3832a chore: update @​typescript-eslint/parser to ^8.56.0 (#20514) (Milos Djermanovic)
• 8330d23 test: add tests for config-api (#20493) (Milos Djermanovic)
• 37d6e91 chore: remove eslint v10 prereleases from eslint-config-eslint deps (#20494) (Milos Djermanovic)
• da7cd0e refactor: cleanup error message templates (#20479) (Francesco Trotta)
• 84fb885 chore: package.json update for @​eslint/js release (Jenkins)
• 1f66734 chore: add eslint to peerDependencies of @eslint/js (#20467) (Milos Djermanovic)

v10.0.0

Breaking Changes

• f9e54f4 feat!: estimate rule-tester failure location (#20420) (ST-DDT)
• a176319 feat!: replace chalk with styleText and add color to ResultsMeta (#20227) (루밀LuMir)
• c7046e6 feat!: enable JSX reference tracking (#20152) (Pixel998)
• fa31a60 feat!: add name to configs (#20015) (Kirk Waiblinger)
• 3383e7e fix!: remove deprecated SourceCode methods (#20137) (Pixel998)
• 501abd0 feat!: update dependency minimatch to v10 (

[dependabot]

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[ESousa97]

This repository is being archived and is now in read-only mode. No further contributions, issues, or pull requests will be accepted. Thank you for your interest and contributions.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml