Skip to content

chore(deps): bump the backend-prod group across 1 directory with 7 updates#15

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backend/backend-prod-d30bb71b6c
Closed

chore(deps): bump the backend-prod group across 1 directory with 7 updates#15
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/backend/backend-prod-d30bb71b6c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown

Bumps the backend-prod group with 7 updates in the /backend directory:

Package From To
@google/genai 1.52.0 2.8.0
bcryptjs 2.4.3 3.0.3
dotenv 16.6.1 17.4.2
express 4.22.2 5.2.1
morgan 1.10.1 1.11.0
mysql2 3.17.2 3.22.5
nodemailer 8.0.10 8.0.11

Updates @google/genai from 1.52.0 to 2.8.0

Release notes

Sourced from @​google/genai's releases.

v2.8.0

2.8.0 (2026-06-03)

Features

  • Add Agent Platform MCP support to async generate_content (baeaeaa)
  • Add transcription language code. (d2981d6)
  • Add TranslationConfig for live translation. (8c44240)
  • Support ReinforcementTuning in GenAI SDK including ValidateReward API method. (36f0bfb)

v2.7.0

2.7.0 (2026-05-27)

Features

  • Add Skill Registry ListSkills and DeleteSkill to SDK (d75582a)
  • additional computer_use field support for vertex. (54a692b)
  • interaction-api: Allow "text/csv" as a supported document mime type for Interaction API. (3cc830e)
  • interaction-api: Enable BigQuery tool in Deep Research config. (58c8c7e)
  • Support Reinforcement Tuning in GenAI SDK (418cc35)

v2.6.0

2.6.0 (2026-05-21)

Features

  • add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
  • Add budget_exceeded status (1e97bd0)
  • Add gemini-3.5-flash (1e97bd0)
  • add new fields (b78eeee)

v2.5.0

2.5.0 (2026-05-20)

Features

  • Add Gemini 3.5 Flash model to options (fcf26e3)

v2.4.0

2.4.0 (2026-05-17)

Features

  • support Agent and Environment APIs. (b0d9d2b)

... (truncated)

Changelog

Sourced from @​google/genai's changelog.

2.8.0 (2026-06-03)

Features

  • Add Agent Platform MCP support to async generate_content (baeaeaa)
  • Add transcription language code. (d2981d6)
  • Add TranslationConfig for live translation. (8c44240)
  • Support ReinforcementTuning in GenAI SDK including ValidateReward API method. (36f0bfb)

2.7.0 (2026-05-27)

Features

  • Add Skill Registry ListSkills and DeleteSkill to SDK (d75582a)
  • additional computer_use field support for vertex. (54a692b)
  • interaction-api: Allow "text/csv" as a supported document mime type for Interaction API. (3cc830e)
  • interaction-api: Enable BigQuery tool in Deep Research config. (58c8c7e)
  • Support Reinforcement Tuning in GenAI SDK (418cc35)

2.6.0 (2026-05-21)

Features

  • add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
  • Add budget_exceeded status (1e97bd0)
  • Add gemini-3.5-flash (1e97bd0)
  • add new fields (b78eeee)

2.5.0 (2026-05-20)

Features

  • Add Gemini 3.5 Flash model to options (fcf26e3)

2.4.0 (2026-05-17)

Features

  • support Agent and Environment APIs. (b0d9d2b)

Bug Fixes

  • output_text for turns that don't end with text. (1a3d94f)

... (truncated)

Commits
  • ea0dd60 chore(main): release 2.8.0 (#1646)
  • 36f0bfb feat: Support ReinforcementTuning in GenAI SDK including ValidateReward API m...
  • d2981d6 feat: Add transcription language code.
  • 98ac90d chore: deprecate Google Maps grounding widget API fields
  • 8c44240 feat: Add TranslationConfig for live translation.
  • baeaeaa feat: Add Agent Platform MCP support to async generate_content
  • c1d3cb7 chore: Internal cleanup
  • bd78ed3 chore: Fix relative import path in pagers.ts.
  • 2821346 chore(main): release 2.7.0 (#1630)
  • 54a692b feat: additional computer_use field support for vertex.
  • Additional commits viewable in compare view

Updates bcryptjs from 2.4.3 to 3.0.3

Release notes

Sourced from bcryptjs's releases.

v3.0.3

Bug fixes

  • Always yield to event loop before nextTick for async versions (#164) (1211e9a2213e0b3ee232a204b3ce899beebce31a)

v3.0.2

Bug fixes

  • Use upstream fix to emit interop helpers (28e510389374f5736c447395443d4a6687325048)

v3.0.1

Bug fixes

  • Separate ESM and UMD type definitions (e7055caf0c723cbcf8bc3f0784b8c30ee332380f)

v3.0.0

Breaking changes

  • Modernize project structure (2f45985738604c743c4b8cc8464e3e7d3e04c73d) The project now exports an ECMAScript module by default, albeit with an UMD fallback, ships with types, the dist/ directory no longer exists in version control, and Closure Compiler externs have been removed.
  • Generate 2b hashes by default (d36bfb42fa642b6d6986a84ce106a7110e5824db) This library was not affected by the bug that led to incrementing the bcrypt version from 2a to 2b, but nowadays most implementations use 2b, including the native bcrypt binding, so this change aligns with them. Existing hashes will continue to work, but test logic that generates hashes and compares them literally might need to be updated to account for the new default.

Features

  • Add helper to check for password input length (d5656b39e2e368c87724a312e4e454456a4e5d1b)

Other

  • Update publish workflow (2a9bea9e276e6be04dbd403f9695937788b3b10a)
  • Add note on using the ESM variant in the browser (e09eb9afb14170069aaea19631b763307ee7b480)
  • Update types (58333a1533dd53838e2697628f84b98d54a5c079)
  • Merge lint and test workflows (2e3b17659e8856696acfe3015631ce2989eb3084)
  • Fix tests (ec02e8a0ada7a8f6c71a91df164db8c25bbbb7b4)
  • Update legacy fallback to handle crypto dependency (9db275fa10b1b40da4a6844480d7f8ae8df27fb8)
  • Update lint workflow title (ac70ac57c2f99ad5639eddf54578e5fdd07b9c4c)
  • Adapt crypto module usage for ESM environments (574d690d4972bcebbd5ca07880a62abab9ae3c0b)
  • Format with prettier (e7465479282d8155852ce88d6407eccb14adc106)
  • Rename default branch to 'main' (548559d032d7dd5ac3e4e16d7afd87b36ebe96ca)
  • Update description to mention TypeScript support (4977df0849eaf8cad5b0d0b543fe452432a2d761)
  • Add stale action for issues and PRs (a84d4e45487df0972d8781feafa477d5db4c1dbd)
  • Fix typo (c8c9c01799bbc13092fcbb20cfab4d9015d14c61)
  • Fix Node.js version in CI (1b54cc48d4120b50e1d9058e5a67f326102fd744)

Backlog from v2

  • Added externs to .npmignore (#124) (7e2e93af99df2952253f9cf32db29aefa8f272f7) The npm package does not need externs as it is needed only for closure compiler. Added it in .npmignore since bcryptjs overrides global module and process in WebStorm IDE.
  • Make sure the bin script uses LF (684fac6814a81d974c805a15e22fd69922c7ca6e)
  • Post-merge; Clean up a bit (b09f7f266a7015456b7b36deeb026dc636f64542)

... (truncated)

Commits
  • 1211e9a fix: Always yield to event loop before nextTick for async versions (#164)
  • 28e5103 fix: Use upstream fix to emit interop helpers
  • e7055ca fix: Separate ESM and UMD type definitions
  • 2a9bea9 Update publish workflow
  • d5656b3 Add helper to check for password input length
  • e09eb9a Add note on using the ESM variant in the browser
  • 58333a1 Update types
  • 2e3b176 Merge lint and test workflows
  • ec02e8a Fix tests
  • 9db275f Update legacy fallback to handle crypto dependency
  • Additional commits viewable in compare view

Updates dotenv from 16.6.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

  • Improved skill files - tightened up details (#1009)

17.4.1 (2026-04-05)

Changed

  • Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

  • Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

  • Tighten up logs: ◇ injecting env (14) from .env (#1003)

17.3.1 (2026-02-12)

Changed

  • Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

  • Add a new README section on dotenv’s approach to the agentic future.

Changed

  • Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

  • Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)
  • Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

17.2.3 (2025-09-29)

Changed

  • Fixed typescript error definition (#912)

... (truncated)

Commits

Updates express from 4.22.2 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0

... (truncated)

Commits

Updates morgan from 1.10.1 to 1.11.0

Release notes

Sourced from morgan's releases.

1.11.0

What's Changed

Security Fix:

New Contributors

Full Changelog: expressjs/morgan@1.10.0...1.11.0

Changelog

Sourced from morgan's changelog.

1.11.0 / 2026-06-02

  • add :pid token

Security Fix:

Commits
  • e0e6f17 Release 1.11.0 (#350)
  • b3f5d9b Merge commit from fork
  • 203c758 build(deps): bump github/codeql-action from 4.32.4 to 4.35.2 (#346)
  • 002bc81 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#347)
  • 561b0d7 build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.0 (#338)
  • 2db705e build(deps): bump github/codeql-action from 3.29.7 to 4.32.4 (#337)
  • a373c5f build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.3 (#327)
  • c8e72fa build(deps): bump actions/checkout from 4.1.1 to 6.0.1 (#324)
  • 023300e build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 (#307)
  • 9d8d6c0 build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#306)
  • Additional commits viewable in compare view

Updates mysql2 from 3.17.2 to 3.22.5

Release notes

Sourced from mysql2's releases.

v3.22.5

3.22.5 (2026-06-06)

Bug Fixes

  • keep 00:00:00 time for TIMESTAMP in binary protocol with dateStrings (#4327) (2af33a1)

v3.22.4

3.22.4 (2026-05-24)

Bug Fixes

v3.22.3

3.22.3 (2026-04-24)

Bug Fixes

  • allow resetOnRelease in connection config validation (#4278) (e72f923)

v3.22.2

3.22.2 (2026-04-21)

Bug Fixes

  • promise: point rejection stacks at caller for promise API (#4267) (c79a3f3)

v3.22.1

3.22.1 (2026-04-17)

Bug Fixes

  • async stack traces not pointing to correct source, regression introduced by #4257 (#4265) (5b6206c)
  • packet: return INVALID_DATE for zero dates with numeric timezone offset (#1019) (#4258) (cb5adcc)

v3.22.0

3.22.0 (2026-04-10)

Features

  • disable mysql_clear_password plugin by default (#4236) (884bec5), closes #1617
  • implement COM_RESET_CONNECTION with pool integration (#4148) (49a64cc)

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.22.5 (2026-06-06)

Bug Fixes

  • keep 00:00:00 time for TIMESTAMP in binary protocol with dateStrings (#4327) (2af33a1)

3.22.4 (2026-05-26)

Bug Fixes

3.22.3 (2026-04-24)

Bug Fixes

  • allow resetOnRelease in connection config validation (#4278) (e72f923)

3.22.2 (2026-04-21)

Bug Fixes

  • promise: point rejection stacks at caller for promise API (#4267) (c79a3f3)

3.22.1 (2026-04-17)

Bug Fixes

  • async stack traces not pointing to correct source, regression introduced by #4257 (#4265) (5b6206c)
  • packet: return INVALID_DATE for zero dates with numeric timezone offset (#1019) (#4258) (cb5adcc)

3.22.0 (2026-04-10)

Features

  • disable mysql_clear_password plugin by default (#4236) (884bec5), closes #1617
  • implement COM_RESET_CONNECTION with pool integration (#4148) (49a64cc)

Performance Improvements

  • defer Error object creation to error handlers in promise wrappers (#4257) (ab131de)

3.21.1 (2026-04-09)

... (truncated)

Commits
  • 14a479b chore(master): release 3.22.5 (#4328)
  • 2af33a1 fix: keep 00:00:00 time for TIMESTAMP in binary protocol with dateStrings (#4...
  • f3ce399 docs: add Cursor Cloud development environment instructions
  • b895afe build(deps-dev): bump rollup in the dev-dependencies group (#4326)
  • b8131c5 build(deps-dev): bump the dev-dependencies group with 5 updates (#4322)
  • 63a8803 build(deps): bump the react group across 1 directory with 2 updates (#4323)
  • 188a342 build(deps-dev): bump tsx (#4324)
  • 8fc97ba build(deps): bump @​easyops-cn/docusaurus-search-local in /website (#4325)
  • dd1fc93 build(deps-dev): bump eslint-plugin-prettier (#4318)
  • 3fbadbd build(deps): bump postcss from 8.5.6 to 8.5.15 in /website (#4320)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for mysql2 since your current version.


Updates nodemailer from 8.0.10 to 8.0.11

Release notes

Sourced from nodemailer's releases.

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)
Changelog

Sourced from nodemailer's changelog.

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)
Commits
  • e3b1bda chore(master): release 8.0.11 (#1826)
  • 4358caf refactor: remove dead checks flagged by Code Quality analysis
  • cf5195c chore: harden workflow token permissions and update GitHub Actions
  • 067aebe fix: parse Ethereal response props without polynomial regex backtracking
  • 0cee4fe chore: add CodeQL code scanning workflow
  • cb9da47 chore: update dev dependencies
  • e0a4928 chore: format CLAUDE.md with prettier
  • 8620f2f docs: correct stale timeout defaults in SMTPConnection options JSDoc
  • efa647a fix: tag AWS SES transport errors with the ESES code
  • 07ffe8c fix: return the promise from every resolveContent branch
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the backend-prod group across 1 directory with 7 up…
3b881c2 
…dates

Bumps the backend-prod group with 7 updates in the /backend directory:

| Package | From | To |
| --- | --- | --- |
| [@google/genai](https://github.com/googleapis/js-genai) | `1.52.0` | `2.8.0` |
| [bcryptjs](https://github.com/dcodeIO/bcrypt.js) | `2.4.3` | `3.0.3` |
| [dotenv](https://github.com/motdotla/dotenv) | `16.6.1` | `17.4.2` |
| [express](https://github.com/expressjs/express) | `4.22.2` | `5.2.1` |
| [morgan](https://github.com/expressjs/morgan) | `1.10.1` | `1.11.0` |
| [mysql2](https://github.com/sidorares/node-mysql2) | `3.17.2` | `3.22.5` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `8.0.10` | `8.0.11` |



Updates `@google/genai` from 1.52.0 to 2.8.0
- [Release notes](https://github.com/googleapis/js-genai/releases)
- [Changelog](https://github.com/googleapis/js-genai/blob/main/CHANGELOG.md)
- [Commits](googleapis/js-genai@v1.52.0...v2.8.0)

Updates `bcryptjs` from 2.4.3 to 3.0.3
- [Release notes](https://github.com/dcodeIO/bcrypt.js/releases)
- [Commits](dcodeIO/bcrypt.js@2.4.3...v3.0.3)

Updates `dotenv` from 16.6.1 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v16.6.1...v17.4.2)

Updates `express` from 4.22.2 to 5.2.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@v4.22.2...v5.2.1)

Updates `morgan` from 1.10.1 to 1.11.0
- [Release notes](https://github.com/expressjs/morgan/releases)
- [Changelog](https://github.com/expressjs/morgan/blob/master/HISTORY.md)
- [Commits](expressjs/morgan@1.10.1...1.11.0)

Updates `mysql2` from 3.17.2 to 3.22.5
- [Release notes](https://github.com/sidorares/node-mysql2/releases)
- [Changelog](https://github.com/sidorares/node-mysql2/blob/master/Changelog.md)
- [Commits](sidorares/node-mysql2@v3.17.2...v3.22.5)

Updates `nodemailer` from 8.0.10 to 8.0.11
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.10...v8.0.11)

---
updated-dependencies:
- dependency-name: "@google/genai"
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: backend-prod
- dependency-name: bcryptjs
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: backend-prod
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: backend-prod
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: backend-prod
- dependency-name: morgan
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend-prod
- dependency-name: mysql2
  dependency-version: 3.22.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: backend-prod
- dependency-name: nodemailer
  dependency-version: 8.0.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: backend-prod
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown
Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/backend/backend-prod-d30bb71b6c branch June 10, 2026 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@teruselearning