Bump the zeppelin-web-security-updates group across 1 directory with 21 updates by dependabot[bot] · Pull Request #5220 · apache/zeppelin

dependabot · 2026-04-23T01:25:16Z

Bumps the zeppelin-web-security-updates group with 16 updates in the /zeppelin-web directory:

Package	From	To
angular	`1.5.7`	`1.8.3`
angular-sanitize	`1.5.7`	`1.8.3`
bootstrap	`3.4.1`	`5.3.8`
diff	`3.3.0`	`3.5.1`
lodash	`3.9.3`	`4.18.1`
express	`4.19.2`	`4.22.1`
webpack-dev-server	`4.15.2`	`5.2.1`
cipher-base	`1.0.4`	`1.0.7`
cookie	`0.3.1`	`0.7.2`
elliptic	`6.5.6`	`removed`
follow-redirects	`1.15.6`	`1.16.0`
handlebars	`4.7.8`	`4.7.9`
on-headers	`1.0.2`	`1.1.0`
picomatch	`2.3.1`	`2.3.2`
tmp	`0.0.30`	`0.2.5`
serialize-javascript	`1.9.1`	`7.0.5`

Updates angular from 1.5.7 to 1.8.3

Changelog

Sourced from angular's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

$sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

$sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

SanitizeUriProvider: remove usages of whitelist (76738102)

httpProvider: remove usages of whitelist and blacklist (c953af6b)

sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

Deprecated ~~$compileProvider.aHrefSanitizationWhitelist~~. It is now aHrefSanitizationTrustedUrlList.

Deprecated ~~$compileProvider.imgSrcSanitizationWhitelist~~. It is now imgSrcSanitizationTrustedUrlList.

Deprecated ~~$httpProvider.xsrfWhitelistedOrigins~~. It is now xsrfTrustedOrigins.

Deprecated ~~$sceDelegateProvider.resourceUrlWhitelist~~. It is now trustedResourceUrlList.

Deprecated ~~$sceDelegateProvider.resourceUrlBlacklist~~. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@koto); and independently by Esben Sparre Andreasen (@esbena) while

... (truncated)

Commits

cf16b24 docs(changelog): add release notes for 1.8.3
757d56e docs(*): update end-of-life messages (#17177)
f362437 docs(eol): add EOL options text and link to template header used in every page
fb04e42 test(Angular): fix angularInit() tests on Safari v15+
6a52c4f test(input): fix tests on Firefox v93+
ed30c4d docs(README.md): add wiki link to MVC
4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
Additional commits viewable in compare view

Updates angular-sanitize from 1.5.7 to 1.8.3

Changelog

Sourced from angular-sanitize's changelog.

1.8.3 ultimate-farewell (2022-04-07)

One final release of AngularJS in order to update package README files on npm.

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

$sceDelegate: ensure that resourceUrlWhitelist() is identical to trustedResourceUrlList() (e41f01, #17090)

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

$sanitize: do not trigger CSP alert/report in Firefox and Chrome (2fab3d)

Refactorings

SanitizeUriProvider: remove usages of whitelist (76738102)

httpProvider: remove usages of whitelist and blacklist (c953af6b)

sceDelegateProvider: remove usages of whitelist and blacklist (a206e267)

Deprecation Notices

Deprecated ~~$compileProvider.aHrefSanitizationWhitelist~~. It is now aHrefSanitizationTrustedUrlList.

Deprecated ~~$compileProvider.imgSrcSanitizationWhitelist~~. It is now imgSrcSanitizationTrustedUrlList.

Deprecated ~~$httpProvider.xsrfWhitelistedOrigins~~. It is now xsrfTrustedOrigins.

Deprecated ~~$sceDelegateProvider.resourceUrlWhitelist~~. It is now trustedResourceUrlList.

Deprecated ~~$sceDelegateProvider.resourceUrlBlacklist~~. It is now bannedResourceUrlList.

For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.

1.8.0 nested-vaccination (2020-06-01)

_This release contains a breaking change to resolve a security issue which was discovered by Krzysztof Kotowicz(@koto); and independently by Esben Sparre Andreasen (@esbena) while

... (truncated)

Commits

cf16b24 docs(changelog): add release notes for 1.8.3
757d56e docs(*): update end-of-life messages (#17177)
f362437 docs(eol): add EOL options text and link to template header used in every page
fb04e42 test(Angular): fix angularInit() tests on Safari v15+
6a52c4f test(input): fix tests on Firefox v93+
ed30c4d docs(README.md): add wiki link to MVC
4032655 chore(deps): bump js-yaml from 3.5.5 to 3.14.1
47f8c65 chore(deps): bump normalize-url from 4.5.0 to 4.5.1
56b0ee3 chore(e2e): run tests against Chrome 91 on macOS Catalina
58cd897 chore(e2e): run tests against Firefox 85 on macOS Catalina
Additional commits viewable in compare view

Updates bootstrap from 3.4.1 to 5.3.8

Release notes

Sourced from bootstrap's releases.

v5.3.8

What's Changed

Streamline release prep script by @mdo in twbs/bootstrap#41539

Docs: restore local dev port to 9001 by @chalin in twbs/bootstrap#41545

Docs: use Example shortcode instead of divs with only .bd-example class by @julien-deramond in twbs/bootstrap#41556

Docs: fix scss autorecompile in dev mode by @MaxLardenois in twbs/bootstrap#41574

Fix color-contrast() function for WCAG 2.1 compliance by @julien-deramond in twbs/bootstrap#41585

OSSF Scorecard by @mdo in twbs/bootstrap#41571

Workflows: Use SHA-1 for third-party actions by @julien-deramond in twbs/bootstrap#41595

Docs: unminify downloadable example HTML files by @julien-deramond in twbs/bootstrap#41637

Docs: Add tooltips to buttons when <Example> is used, not just <Code> by @louismaximepiton in twbs/bootstrap#41582

Set cursor pointer on input search cancel button by @mdo in twbs/bootstrap#41639

CSS: Prevent spinner distortion in flex containers with multiline content by @julien-deramond in twbs/bootstrap#41654

Migrate MyGet script to GH actions by @supergibbs in twbs/bootstrap#41583

Revert "Attempt to return focus explicitly to dropdown trigger" by @mdo in twbs/bootstrap#41668

docs: Minor range example code optimization by @coliff in twbs/bootstrap#41665

Remove Themes from docs by @mdo in twbs/bootstrap#41671

Release v5.3.8 by @mdo in twbs/bootstrap#41669

Dependencies

Build(deps-dev): Bump the development-dependencies group with 3 updates by @julien-deramond in twbs/bootstrap#41540

Build(deps-dev): Bump the development-dependencies group with 2 updates by @julien-deramond in twbs/bootstrap#41544

Build(deps-dev): Bump stylelint-config-twbs-bootstrap from 16.0.0 to 16.1.0 by @julien-deramond in twbs/bootstrap#41546

Build(deps-dev): Bump the development-dependencies group with 5 updates by @julien-deramond in twbs/bootstrap#41552

Build(deps-dev): Bump the development-dependencies group with 4 updates by @julien-deramond in twbs/bootstrap#41560

Build(deps-dev): Bump the development-dependencies group with 3 updates by @julien-deramond in twbs/bootstrap#41566

Build(deps): Bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot[bot] in twbs/bootstrap#41594

Build(deps-dev): Bump the development-dependencies group with 4 updates by @julien-deramond in twbs/bootstrap#41599

Build(deps-dev): Bump the development-dependencies group with 2 updates by @julien-deramond in twbs/bootstrap#41609

Build(deps): Bump github/codeql-action from 3.29.2 to 3.29.3 by @dependabot[bot] in twbs/bootstrap#41611

Build(deps): Bump streetsidesoftware/cspell-action from 7.1.1 to 7.1.2 by @dependabot[bot] in twbs/bootstrap#41610

Build(deps-dev): Bump the development-dependencies group with 4 updates by @julien-deramond in twbs/bootstrap#41621

Build(deps): Bump streetsidesoftware/cspell-action from 7.1.2 to 7.2.0 by @dependabot[bot] in twbs/bootstrap#41625

Build(deps): Bump actions-cool/issues-helper from 3.6.0 to 3.6.2 by @dependabot[bot] in twbs/bootstrap#41623

Build(deps): Bump github/codeql-action from 3.29.3 to 3.29.4 by @dependabot[bot] in twbs/bootstrap#41624

Build(deps-dev): Bump the development-dependencies group across 1 directory with 3 updates by @dependabot[bot] in twbs/bootstrap#41626

Build(deps): Bump github/codeql-action from 3.29.4 to 3.29.5 by @dependabot[bot] in twbs/bootstrap#41640

Build(deps): Bump tmp from 0.2.3 to 0.2.4 by @dependabot[bot] in twbs/bootstrap#41649

Build(deps): Bump github/codeql-action from 3.29.7 to 3.29.8 by @dependabot[bot] in twbs/bootstrap#41657

Build(deps): Bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in twbs/bootstrap#41655

Build(deps): Bump github/codeql-action from 3.29.8 to 3.29.10 by @dependabot[bot] in twbs/bootstrap#41664

New Contributors

@chalin made their first contribution in twbs/bootstrap#41545

Full Changelog: twbs/bootstrap@v5.3.7...v5.3.8

v5.3.7

📚 Documentation

... (truncated)

Commits

25aa8cc Release v5.3.8 (#41669)
122bff5 Remove Themes from docs (#41671)
320f713 docs: Minor range example code optimization (#41665)
ac5f51c Revert "Attempt to return focus explicitly to dropdown trigger (#41365)" (#41...
4bd8b6c Migrate MyGet script to GH actions (#41583)
f50f38b CSS: Fix spinner deformation in flex boxes when content is multiline (#41654)
47c75b8 Set cursor pointer on input search cancel button (#41639)
26c86ba Build(deps): Bump github/codeql-action from 3.29.8 to 3.29.10 (#41664)
099b02b Build(deps-dev): Bump rollup from 4.46.2 to 4.46.3
4b8a2c9 Build(deps-dev): bump dependencies
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by mdo, a new releaser for bootstrap since your current version.

Updates diff from 3.3.0 to 3.5.1

Changelog

Sourced from diff's changelog.

v3.5.1 - January 2026

Only change from 3.5.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v3.5.0 - March 4th, 2018

Omit redundant slice in join method of diffArrays - 1023590

Support patches with empty lines - fb0f208

Accept a custom JSON replacer function for JSON diffing - 69c7f0a

Optimize parch header parser - 2aec429

Fix typos - e89c832

Commits

v3.4.0 - October 7th, 2017

#183 - Feature request: ability to specify a custom equality checker for diffArrays

#173 - Bug: diffArrays gives wrong result on array of booleans

#158 - diffArrays will not compare the empty string in array?

comparator for custom equality checks - 30e141e

count oldLines and newLines when there are conflicts - 53bf384

Fix: diffArrays can compare falsey items - 9e24284

Docs: Replace grunt with npm test - 00e2f94

Commits

v3.3.1 - September 3rd, 2017

#141 - Cannot apply patch because my file delimiter is "/r/n" instead of "/n"

#192 - Fix: Bad merge when adding new files (#189)

correct spelling mistake - 21fa478

Commits

Commits

e8bb422 v3.5.1
2f5bf5e Backport kpdecker/jsdiff#649
c9f00db Backport kpdecker/jsdiff#647
e9ab948 v3.5.0
b73884c Update release notes
8953021 Update release notes
1023590 Omit redundant slice in join method of diffArrays
c72ef4a Add missing test coverage
b9ef24f Support patches with empty lines
10aaabb Support patches with empty lines
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.

Updates lodash from 3.9.3 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm

lodash-es: lodash/lodash@4.18.0-es...4.18.1-es

lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd

lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

Add security notice for _.template in threat model and API docs (#6099)

Document lower > upper behavior in _.random (#6115)

Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

lodash.orderby

lodash.tonumber

lodash.trim

lodash.trimend

lodash.sortedindexby

lodash.zipobjectdeep

lodash.unset

lodash.omit

lodash.template

4.0.0

lodash v4.0.0

... (truncated)

Commits

cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
75535f5 chore: prune stale advisory refs (#6170)
62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
59be2de release(minor): bump to 4.18.0 (#6161)
af63457 fix: broken tests for _.template 879aaa9
1073a76 fix: linting issues
879aaa9 fix: validate imports keys in _.template
fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
b819080 ci: add dist sync validation workflow (#6137)
Additional commits viewable in compare view

Updates express from 4.19.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 4.22.1 by @UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

Refactor: improve readability by @sazk07 in expressjs/express#6190

ci: add support for Node.js@23.0 by @UlisesGascon in expressjs/express#6080

Method functions with no path should error by @wesleytodd in expressjs/express#5957

ci: updated github actions ci workflow by @Phillip9587 in expressjs/express#6323

ci: reorder npm i steps to fix ci for older node versions by @Phillip9587 in expressjs/express#6336

Backport: ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6506

chore(4.x): wider range for query test skip by @jonchurch in expressjs/express#6513

use tilde notation for certain dependencies by @UlisesGascon in expressjs/express#6905

deps: qs@6.14.0 by @UlisesGascon in expressjs/express#6909

deps: use tilde notation for qs by @Phillip9587 in expressjs/express#6919

Release: 4.22.0 by @UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: path-to-regexp@0.1.11 by @blakeembrey in expressjs/express#5956

deps: bump path-to-regexp@0.1.12 by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: use tilde notation for dependencies

deps: qs@6.14.0

4.21.2 / 2024-11-06

deps: path-to-regexp@0.1.12

Fix backtracking protection

deps: path-to-regexp@0.1.11

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: serve-static@1.16.2

includes send@0.19.0

deps: finalhandler@1.3.1

deps: qs@6.13.0

4.20.0 / 2024-09-10

deps: serve-static@0.16.0

Remove link renderization in html while redirecting

deps: send@0.19.0

Remove link renderization in html while redirecting

deps: body-parser@0.6.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: path-to-regexp@0.1.10

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

12fae14 4.22.1
5ddf311 Revert "sec: security patch for CVE-2024-51999"
49744ab 4.22.0 (#6921)
6e97452 sec: security patch for CVE-2024-51999
6a23d34 deps: use tilde notation for qs (#6919)
8c12cdf deps: qs@6.14.0 (#6909)
7fea74f deps: use tilde notation for certain dependencies (#6905)
dac7a04 chore: wider range for query test skip (#6513)
997919b ci: add node.js 24 to test matrix (#6506)
36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates webpack-dev-server from 4.15.2 to 5.2.1

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

v5.0.4

5.0.4 (2024-03-19)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

... (truncated)

Commits

0d22a08 chore(release): 5.2.1
6045b1e chore(deps): update (#5444)
ffd0b86 fix: take the first network found instead of the last one, this restores the ...
9ea7b08 ci: update dependency-review-action (#5442)
5c9378b Merge commit from fork
d2575ad Merge commit from fork
8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
5a39c70 ci: update codecov/codecov-action to v5 (#5406)
55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

Remove redundant depth check by @blakeembrey in expressjs/body-parser#538

ci: add support for Node.js v23 by @Phillip9587 in expressjs/body-parser#553

ci: restore CI for 1.x branch by @bjohansebas in expressjs/body-parser#665

deps: qs@^6.14.0 by @bjohansebas in expressjs/body-parser#664

deps: use tilde notation and update certain dependencies by @Phillip9587 in expressjs/body-parser#668

chore: remove SECURITY.md by @Phillip9587 in expressjs/body-parser#669

ci: add CodeQL (SAST) by @Phillip9587 in expressjs/body-parser#670

Release: 1.20.4 by @UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

deps: qs@6.13.0

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to node@22.4.1 by @wesleytodd in expressjs/body-parser#527

deps: qs@6.12.3 by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

New Contributors

@inigomarquinez made their first contribution in expressjs/body-parser#522

@melikhov-dev made their first contribution in expressjs/body-parser#521

@bjohansebas made their first contribution in expressjs/body-parser#531

@UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog...
Description has been truncated

…21 updates Bumps the zeppelin-web-security-updates group with 16 updates in the /zeppelin-web directory: | Package | From | To | | --- | --- | --- | | [angular](https://github.com/angular/angular.js) | `1.5.7` | `1.8.3` | | [angular-sanitize](https://github.com/angular/angular.js) | `1.5.7` | `1.8.3` | | [bootstrap](https://github.com/twbs/bootstrap) | `3.4.1` | `5.3.8` | | [diff](https://github.com/kpdecker/jsdiff) | `3.3.0` | `3.5.1` | | [lodash](https://github.com/lodash/lodash) | `3.9.3` | `4.18.1` | | [express](https://github.com/expressjs/express) | `4.19.2` | `4.22.1` | | [webpack-dev-server](https://github.com/webpack/webpack-dev-server) | `4.15.2` | `5.2.1` | | [cipher-base](https://github.com/crypto-browserify/cipher-base) | `1.0.4` | `1.0.7` | | [cookie](https://github.com/jshttp/cookie) | `0.3.1` | `0.7.2` | | [elliptic](https://github.com/indutny/elliptic) | `6.5.6` | `removed` | | [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.6` | `1.16.0` | | [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.8` | `4.7.9` | | [on-headers](https://github.com/jshttp/on-headers) | `1.0.2` | `1.1.0` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [tmp](https://github.com/raszi/node-tmp) | `0.0.30` | `0.2.5` | | [serialize-javascript](https://github.com/yahoo/serialize-javascript) | `1.9.1` | `7.0.5` | Updates `angular` from 1.5.7 to 1.8.3 - [Changelog](https://github.com/angular/angular.js/blob/master/CHANGELOG.md) - [Commits](angular/angular.js@v1.5.7...v1.8.3) Updates `angular-sanitize` from 1.5.7 to 1.8.3 - [Changelog](https://github.com/angular/angular.js/blob/master/CHANGELOG.md) - [Commits](angular/angular.js@v1.5.7...v1.8.3) Updates `bootstrap` from 3.4.1 to 5.3.8 - [Release notes](https://github.com/twbs/bootstrap/releases) - [Commits](twbs/bootstrap@v3.4.1...v5.3.8) Updates `diff` from 3.3.0 to 3.5.1 - [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md) - [Commits](kpdecker/jsdiff@v3.3.0...v3.5.1) Updates `lodash` from 3.9.3 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@3.9.3...4.18.1) Updates `express` from 4.19.2 to 4.22.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md) - [Commits](expressjs/express@4.19.2...v4.22.1) Updates `webpack-dev-server` from 4.15.2 to 5.2.1 - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v4.15.2...v5.2.1) Updates `body-parser` from 1.20.2 to 1.20.4 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.2...1.20.4) Updates `cipher-base` from 1.0.4 to 1.0.7 - [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md) - [Commits](browserify/cipher-base@v1.0.4...v1.0.7) Updates `cookie` from 0.3.1 to 0.7.2 - [Release notes](https://github.com/jshttp/cookie/releases) - [Commits](jshttp/cookie@v0.3.1...v0.7.2) Removes `elliptic` Updates `flatted` from 2.0.2 to 3.4.2 - [Commits](WebReflection/flatted@v2.0.2...v3.4.2) Updates `follow-redirects` from 1.15.6 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.6...v1.16.0) Updates `handlebars` from 4.7.8 to 4.7.9 - [Release notes](https://github.com/handlebars-lang/handlebars.js/releases) - [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md) - [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9) Updates `http-proxy-middleware` from 2.0.6 to 2.0.9 - [Release notes](https://github.com/chimurai/http-proxy-middleware/releases) - [Changelog](https://github.com/chimurai/http-proxy-middleware/blob/v2.0.9/CHANGELOG.md) - [Commits](chimurai/http-proxy-middleware@v2.0.6...v2.0.9) Updates `on-headers` from 1.0.2 to 1.1.0 - [Release notes](https://github.com/jshttp/on-headers/releases) - [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md) - [Commits](jshttp/on-headers@v1.0.2...v1.1.0) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `tmp` from 0.0.30 to 0.2.5 - [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md) - [Commits](raszi/node-tmp@v0.0.30...v0.2.5) Updates `send` from 0.18.0 to 0.19.2 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.18.0...0.19.2) Updates `serialize-javascript` from 1.9.1 to 7.0.5 - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](yahoo/serialize-javascript@v1.9.1...v7.0.5) Updates `serve-static` from 1.15.0 to 1.16.3 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.15.0...v1.16.3) --- updated-dependencies: - dependency-name: angular dependency-version: 1.8.3 dependency-type: direct:production dependency-group: zeppelin-web-security-updates - dependency-name: angular-sanitize dependency-version: 1.8.3 dependency-type: direct:production dependency-group: zeppelin-web-security-updates - dependency-name: bootstrap dependency-version: 5.3.8 dependency-type: direct:production dependency-group: zeppelin-web-security-updates - dependency-name: diff dependency-version: 3.5.1 dependency-type: direct:production dependency-group: zeppelin-web-security-updates - dependency-name: lodash dependency-version: 4.18.1 dependency-type: direct:production dependency-group: zeppelin-web-security-updates - dependency-name: express dependency-version: 4.22.1 dependency-type: direct:development dependency-group: zeppelin-web-security-updates - dependency-name: webpack-dev-server dependency-version: 5.2.1 dependency-type: direct:development dependency-group: zeppelin-web-security-updates - dependency-name: body-parser dependency-version: 1.20.4 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: cipher-base dependency-version: 1.0.7 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: cookie dependency-version: 0.7.2 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: elliptic dependency-version: dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: handlebars dependency-version: 4.7.9 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: http-proxy-middleware dependency-version: 2.0.9 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: on-headers dependency-version: 1.1.0 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: tmp dependency-version: 0.2.5 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: send dependency-version: 0.19.2 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: serialize-javascript dependency-version: 7.0.5 dependency-type: indirect dependency-group: zeppelin-web-security-updates - dependency-name: serve-static dependency-version: 1.16.3 dependency-type: indirect dependency-group: zeppelin-web-security-updates ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 23, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the zeppelin-web-security-updates group across 1 directory with 21 updates#5220

Bump the zeppelin-web-security-updates group across 1 directory with 21 updates#5220
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/zeppelin-web/zeppelin-web-security-updates-e66bd0067e

dependabot Bot commented on behalf of github Apr 23, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 23, 2026

1.8.3 ultimate-farewell (2022-04-07)

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

Refactorings

Deprecation Notices

1.8.0 nested-vaccination (2020-06-01)

1.8.3 ultimate-farewell (2022-04-07)

1.8.2 meteoric-mining (2020-10-21)

Bug Fixes

1.8.1 mutually-supporting (2020-09-30)

Bug Fixes

Refactorings

Deprecation Notices

1.8.0 nested-vaccination (2020-06-01)

v5.3.8

What's Changed

Dependencies

New Contributors

v5.3.7

📚 Documentation

v3.5.1 - January 2026

v3.5.0 - March 4th, 2018

v3.4.0 - October 7th, 2017

v3.3.1 - September 3rd, 2017

4.18.1

Bugs

4.18.0

v4.18.0

Security

Docs

lodash.* modular packages

4.0.0

lodash v4.0.0

v4.22.1

What's Changed

4.22.0

Important: Security

What's Changed

4.21.2

What's Changed

4.21.1

What's Changed

4.22.1 / 2025-12-01

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

4.20.0 / 2024-09-10

v5.2.1

5.2.1 (2025-03-26)

Security

Bug Fixes

v5.2.0

5.2.0 (2024-12-11)

Features

Bug Fixes

v5.1.0

5.1.0 (2024-09-03)

Features

Bug Fixes

v5.0.4

5.0.4 (2024-03-19)

5.2.1 (2025-03-26)

Security

Bug Fixes

5.2.0 (2024-12-11)

Features

Bug Fixes

5.1.0 (2024-09-03)

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

1.20.4

What's Changed

1.20.3

`lodash.*` modular packages