chore(deps): bump the npm_and_yarn group with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 11 updates:

Package	From	To
esbuild	0.23.1	0.25.0
next	14.2.13	14.2.21
axios	1.7.7	1.7.9
@solana/web3.js	1.95.3	1.98.0
elliptic	6.5.7	6.6.0
express	4.21.0	4.21.2
hono	4.6.2	4.6.5
secp256k1	5.0.0	5.0.1
nanoid	3.3.7	3.3.8
path-to-regexp	0.1.10	0.1.12
undici	5.28.4	5.28.5

Updates esbuild from 0.23.1 to 0.25.0

Release notes

Sourced from esbuild's releases.

v0.25.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.24.0 or ~0.24.0. See npm's documentation about semver for more information.

• Restrict access to esbuild's development server (GHSA-67mh-4wv8-2f99)

  This change addresses esbuild's first security vulnerability report. Previously esbuild set the Access-Control-Allow-Origin header to * to allow esbuild's development server to be flexible in how it's used for development. However, this allows the websites you visit to make HTTP requests to esbuild's local development server, which gives read-only access to your source code if the website were to fetch your source code's specific URL. You can read more information in the report.

  Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

  In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

  Thanks to @​sapphi-red for reporting this issue.

• Delete output files when a build fails in watch mode (#3643)

  It has been requested for esbuild to delete files when a build fails in watch mode. Previously esbuild left the old files in place, which could cause people to not immediately realize that the most recent build failed. With this release, esbuild will now delete all output files if a rebuild fails. Fixing the build error and triggering another rebuild will restore all output files again.

• Fix correctness issues with the CSS nesting transform (#3620, #3877, #3933, #3997, #4005, #4037, #4038)

  This release fixes the following problems:

  • Naive expansion of CSS nesting can result in an exponential blow-up of generated CSS if each nesting level has multiple selectors. Previously esbuild sometimes collapsed individual nesting levels using :is() to limit expansion. However, this collapsing wasn't correct in some cases, so it has been removed to fix correctness issues.

    /* Original code */
    .parent {
      > .a,
      > .b1 > .b2 {
        color: red;
      }
    }
    /* Old output (with --supported:nesting=false) */
    .parent > :is(.a, .b1 > .b2) {
    color: red;
    }
    /* New output (with --supported:nesting=false) */
    .parent > .a,
    .parent > .b1 > .b2 {
    color: red;
    }

    Thanks to @​tim-we for working on a fix.

  • The & CSS nesting selector can be repeated multiple times to increase CSS specificity. Previously esbuild ignored this possibility and incorrectly considered && to have the same specificity as &. With this release, this should now work correctly:

    /* Original code (color should be red) */

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• e9174d6 publish 0.25.0 to npm
• c27dbeb fix hosts in plugin-tests.js
• 6794f60 fix hosts in node-unref-tests.js
• de85afd Merge commit from fork
• da1de1b fix #4065: bitwise operators can return bigints
• f4e9d19 switch case liveness: default is always last
• 7aa47c3 fix #4028: minify live/dead switch cases better
• 22ecd30 minify: more constant folding for strict equality
• 4cdf03c fix #4053: reordering of .tsx in node_modules
• dc71977 fix #3692: 0 now picks a random ephemeral port
• Additional commits viewable in compare view

Updates next from 14.2.13 to 14.2.21

Release notes

Sourced from next's releases.

v14.2.21

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Upgrade React from 14898b6a9 to 178c267a4e: vercel/next.js#74115
• Fix unstable_allowDynamic when used with pnpm: vercel/next.js#73765

Misc Changes

• chore(docs): add missing search: '' on remotePatterns: vercel/next.js#73927
• chore(docs): update version history of next/image: vercel/next.js#73926

Credits

Huge thanks to @​unstubbable, @​ztanner, and @​styfle for helping!

Commits

• 2655f6e v14.2.21
• 8803d2b Backport (v14): Upgrade React from 14898b6a9 to 178c267a4e (#74115)
• 6e35243 chore(docs): add missing search: '' on remotePatterns (#73925) (#73927)
• 54919d2 chore(docs): update version history of next/image (#73926)
• 049a690 Backport: Fix unstable_allowDynamic when used with pnpm (#73765)
• 663fa9c Fix SWC and React versions for 14-2-1 branch (#73791)
• ed78a4a v14.2.20
• 530421d [backport] Fix/dedupe fetch clone (#73532)
• cbc62ad v14.2.19
• 92280dc [backport] Update max tag items limit in docs (#73445)
• Additional commits viewable in compare view

Updates axios from 1.7.7 to 1.7.9

Release notes

Sourced from axios's releases.

Release v1.7.9

Release notes:

Reverts

• Revert "fix(types): export CJS types from ESM (#6218)" (#6729) (c44d2f2), closes #6218 #6729

Contributors to this release

• Jay

Release v1.7.8

Release notes:

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#6680) (eac4619)
• core: fixed config merging bug (#6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#6588) (#6605) (6841d8d)
• http: fixed proxy-from-env module import (#5222) (12b3295)
• http: use globalThis.TextEncoder when available (#6634) (df956d1)
• ios11 breaks when build (#6608) (7638952)
• types: add missing types for mergeConfig function (#6590) (00de614)
• types: export CJS types from ESM (#6218) (c71811b)
• updated stream aborted error message to be more clear (#6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

Changelog

Sourced from axios's changelog.

1.7.9 (2024-12-04)

Reverts

• Revert "fix(types): export CJS types from ESM (#6218)" (#6729) (c44d2f2), closes #6218 #6729

Contributors to this release

• Jay

1.7.8 (2024-11-25)

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#6680) (eac4619)
• core: fixed config merging bug (#6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#6588) (#6605) (6841d8d)
• http: fixed proxy-from-env module import (#5222) (12b3295)
• http: use globalThis.TextEncoder when available (#6634) (df956d1)
• ios11 breaks when build (#6608) (7638952)
• types: add missing types for mergeConfig function (#6590) (00de614)
• types: export CJS types from ESM (#6218) (c71811b)
• updated stream aborted error message to be more clear (#6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

Commits

• b2cb45d chore(release): v1.7.9 (#6730)
• c44d2f2 Revert "fix(types): export CJS types from ESM (#6218)" (#6729)
• 415ca94 chore(release): v1.7.8 (#6715)
• 0a8d6e1 fix: use URL API instead of DOM to fix a potential vulnerability warning; (#6...
• c71811b fix(types): export CJS types from ESM (#6218)
• 4355a6d chore(sponsor): update sponsor block (#6709)
• 5d54d22 chore(sponsor): update sponsor block (#6707)
• eac4619 fix: allow passing a callback as paramsSerializer to buildURL (#6680)
• df956d1 fix(http): use globalThis.TextEncoder when available (#6634)
• 7139ce9 chore(deps): bump cookie and socket.io (#6704)
• Additional commits viewable in compare view

Updates @solana/web3.js from 1.95.3 to 1.98.0

Release notes

Sourced from @​solana/web3.js's releases.

v1.98.0

1.98.0 (2024-12-16)

Features

• Agave v2 RPC: replace getRecentBlockhash with getLatestBlockhash (#3419) (8ea27fc)

v1.97.0

1.97.0 (2024-12-16)

Features

• agave v2 rpc: replace getConfirmedTransaction with getTransaction (#3418) (a805cb9)

v1.96.0

1.96.0 (2024-12-16)

Features

• Agave v2 RPC: replace getConfirmedBlock with getBlock (#3417) (60e39a6)

v1.95.8

1.95.8 (2024-12-03)

Earlier today, a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly. This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions. This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys and that updated within the window of 3:20pm UTC and 8:25pm UTC on Tuesday, December 2, 2024.

These two unauthorized versions (1.95.6 and 1.95.7) were caught within hours and have since been unpublished.

We are asking all Solana app developers to upgrade to version 1.95.8. Developers pinned to latest should also upgrade to 1.95.8.

Developers that suspect they might be compromised should rotate any suspect authority keys, including multisigs, program authorities, server keypairs, and so on.

v1.95.5

1.95.5 (2024-11-20)

Bug Fixes

• added programId field in TokenBalance type (#3592) (526ce5f)

v1.95.4

1.95.4 (2024-10-17)

Bug Fixes

• log JSON-RPC subscription errors to the console (#3392) (e345937)

Commits

• 8ea27fc feat: Agave v2 RPC: replace getRecentBlockhash with getLatestBlockhash (#...
• a805cb9 feat: agave v2 rpc: replace getConfirmedTransaction with getTransaction (...
• 60e39a6 feat: Agave v2 RPC: replace getConfirmedBlock with getBlock (#3417)
• f554544 chore: link to new repo from issue template (#3717)
• eb3b362 chore: fix the GitHub pages workflow (#3716)
• de972e4 chore: migrate all Actions workflows to the maintenance/v1.x branch (#3714)
• ae15920 chore: update link to web3.js@next line in README (#3713)
• 79e6a87 chore: bump typedoc from 0.27.3 to 0.27.4 (#3699)
• 093fbc4 chore: bump rollup from 4.28.0 to 4.28.1 (#3700)
• ee06179 chore: bump prettier from 3.4.1 to 3.4.2 (#3670)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by solana-devs, a new releaser for @​solana/web3.js since your current version.

Updates elliptic from 6.5.7 to 6.6.0

Commits

• b8a7edd 6.6.0
• 34c8534 fix: signature verification due to leading zeros
• See full diff in compare view

Updates express from 4.21.0 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: [email protected] by @​blakeembrey in expressjs/express#5956
• deps: bump [email protected] by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: [email protected]
  • Fix backtracking protection
• deps: [email protected]
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump [email protected] (#6209)
• 59fc270 deps: [email protected] (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• See full diff in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates hono from 4.6.2 to 4.6.5

Release notes

Sourced from hono's releases.

v4.6.5

Security fix for CSRF Protection Middleware

This release includes a security fix for CSRF Protection Middleware. If you are using CSRF Protection Middleware, please upgrade this hono package immediately.

Before this release, a request without a Content-Type header can bypass the protection. This fix does not allow it. See: GHSA-2234-fmw7-43wr

What's Changed

• perf(types): replace intersection with union to get better perf by @​m-shaka in honojs/hono#3443
• ci: use Deno v2 by @​yusukebe in honojs/hono#3506
• ci: use Deno v2 for a test running for deno by @​nakasyou in honojs/hono#3509
• fix(types): rm ExcludeEmptyObject to fix massively increased type instantiations by @​m-shaka in honojs/hono#3507
• fix(cors): avoid setting Access-Control-Allow-Origin if there is no matching origin by @​uki00a in honojs/hono#3510
• feat(powered-by): optional server name by @​PatrickJS in honojs/hono#3492
• fix(factory): revert PR #3498 by @​yusukebe in honojs/hono#3515
• fix(build): remove private fields by @​nakasyou in honojs/hono#3514

New Contributors

• @​uki00a made their first contribution in honojs/hono#3510
• @​PatrickJS made their first contribution in honojs/hono#3492

Full Changelog: honojs/hono@v4.6.4...v4.6.5

v4.6.4

What's Changed

• chore: upgrade dependencies by @​yusukebe in honojs/hono#3446
• chore: remove crypto-js from dev dependencies by @​yusukebe in honojs/hono#3447
• chore(test): suppress no-unused-vars "'x' is assigned a value but only used as type" by @​exoego in honojs/hono#3451
• chore(test): include bun coverage by @​exoego in honojs/hono#3457
• test(deno): remove duplicated app.get by @​exoego in honojs/hono#3469
• fix(types): add key to IntrinsicAttributes by @​codehz in honojs/hono#3474
• fix(factory): relax Bindings and Variables for createMiddleware by @​yusukebe in honojs/hono#3498
• fix(service-worker): bind fetch to globalThis by @​sapphi-red in honojs/hono#3500
• refactor(jsx): add override to toStringToBuffer in classes extending JSXNode by @​yusukebe in honojs/hono#3505

New Contributors

• @​sapphi-red made their first contribution in honojs/hono#3500

Full Changelog: honojs/hono@v4.6.3...v4.6.4

v4.6.3

This release has many new features, but each feature is small, so we've released it as a patch release.

What's Changed

• chore: rename runtime_tests to runtime-tests by @​yusukebe in honojs/hono#3419
• ci: Type check perf by @​m-shaka in honojs/hono#3406
• refactor(jsx/streaming): Clarified the type of renderToReadableStream. by @​usualoma in honojs/hono#3434
• perf(types): use homomorphic mapped type to reduce conditional branches by @​m-shaka in honojs/hono#3440
• ci: prettify type check result and rm a comment by @​m-shaka in honojs/hono#3442
• fix(types): useSyncExternalStore type by @​codehz in honojs/hono#3437

... (truncated)

Commits

• 89a0ac1 v4.6.5
• c4d19ec chore: update the lockfile
• 6cf01e5 fix(build): remove private fields (#3514)
• aa50e0a Merge commit from fork
• f9e6ea7 fix(factory): revert PR #3498 (#3515)
• fc9cc6d feat(powered-by): optional server name (#3492)
• cebf4e8 fix(cors): avoid setting Access-Control-Allow-Origin if there is no matchin...
• 3311664 fix(types): rm ExcludeEmptyObject to fix massively increased type instantiati...
• bd9effe ci: use Deno v2 for a test running for deno (#3509)
• 9986b47 ci: use Deno v2 (#3506)
• Additional commits viewable in compare view

Updates secp256k1 from 5.0.0 to 5.0.1

Commits

• b3f874f 5.0.1
• 9a15fff elliptic: fix key verification in loadCompressedPublicKey
• dc37f41 Update elliptic to 6.5.7 (CVE-2024-42461) (#206)
• See full diff in compare view

Updates nanoid from 3.3.7 to 3.3.8

Changelog

Sourced from nanoid's changelog.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

Commits

• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Updates path-to-regexp from 0.1.10 to 0.1.12

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking (again)

Fixed

• Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

• Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Commits

• 640e694 0.1.12
• f01c26a Merge commit from fork
• 0c71192 0.1.11
• 8f09549 Add error on bad input values
• See full diff in compare view

Updates undici from 5.28.4 to 5.28.5

Release notes

Sourced from undici's releases.

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

Commits

• 6139ed2 Bumped v5.28.5
• 711e207 Backport of c2d78cd
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
pay-box-web	❌ Failed (Inspect)			Feb 11, 2025 4:29am

[changeset-bot]

⚠️ No Changeset found

Latest commit: b889df4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR