deps: bump the all-dependencies group with 6 updates by dependabot[bot] · Pull Request #22 · random42/passport-spid

dependabot · 2026-01-01T04:19:33Z

Bumps the all-dependencies group with 6 updates:

Package	From	To
fast-xml-parser	`5.3.2`	`5.3.3`
@biomejs/biome	`2.3.8`	`2.3.10`
@types/node	`24.10.1`	`25.0.3`
express	`5.1.0`	`5.2.1`
@types/express	`5.0.5`	`5.0.6`
fs-extra	`11.3.2`	`11.3.3`

Updates fast-xml-parser from 5.3.2 to 5.3.3

Release notes

Sourced from fast-xml-parser's releases.

bug fix and performance improvements

fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute

Performance improvement for stopNodes (By Maciek Lamberski)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

5.3.3 / 2025-12-12

fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute

5.3.2 / 2025-11-14

fix for import statement for v6

5.3.1 / 2025-11-03

Performance improvement for stopNodes (By Maciek Lamberski)

5.3.0 / 2025-10-03

Use Uint8Array in place of Buffer in Parser

5.2.5 / 2025-06-08

Inform user to use fxp-cli instead of in-built CLI feature

Export typings for direct use

5.2.4 / 2025-06-06

fix (#747): fix EMPTY and ANY with ELEMENT in DOCTYPE

5.2.3 / 2025-05-11

fix (#747): support EMPTY and ANY with ELEMENT in DOCTYPE

5.2.2 / 2025-05-05

fix (#746): update strnum to fix parsing issues related to enotations

5.2.1 / 2025-04-22

fix: read DOCTYPE entity value correctly

read DOCTYPE NOTATION, ELEMENT exp but not using read values

5.2.0 / 2025-04-03

feat: support metadata on nodes (#593) (By Steven R. Loomis)

5.1.0 / 2025-04-02

feat: declare package as side-effect free (#738) (By Thomas Bouffard)

fix cjs build mode

fix builder return type to string

5.0.9 / 2025-03-14

fix: support numeric entities with values over 0xFFFF (#726) (By Marc Durdin)

fix: update strnum to fix parsing 0 if skiplike option is used

5.0.8 / 2025-02-27

fix parsing 0 if skiplike option is used.

updating strnum dependency

5.0.7 / 2025-02-25

... (truncated)

Commits

f335cbf update publish detail
fcedd31 fix #775: transformTagName with allowBooleanAttributes adds an unnecessary at...
54d2262 Fix captureMetaData casing (#773)
See full diff in compare view

Updates @biomejs/biome from 2.3.8 to 2.3.10

Release notes

Sourced from @biomejs/biome's releases.

Biome CLI v2.3.10

2.3.10

Patch Changes
#8417 c3a2557 Thanks @taga3s! - Fixed #7809: noRedeclare no longer reports redeclarations for infer type in conditional types.

#8477 90e8684 Thanks @dyc3! - Fixed #8475: fixed a regression in how noExtraNonNullAssertion flags extra non-null assertions

#8479 250b519 Thanks @dyc3! - Fixed #8473: The semantic model now indexes typescript constructor method definitions, and no longer panics if you use one (a regression in 2.3.9).

#8448 2af85c1 Thanks @mdevils! - Improved handling of defineProps() macro in Vue components. The noVueReservedKeys rule now avoids false positives in non-setup scripts.

#8420 42033b0 Thanks @vsn4ik! - Fixed the nursery rule noLeakedRender.

The biome migrate eslint command now correctly detects the rule react/jsx-no-leaked-render in your eslint configurations.

#8426 285d932 Thanks @anthonyshew! - Added a Turborepo domain and a new "noUndeclaredEnvVars" rule in it for warning users of unsafe environment variable usage in Turborepos.

#8410 a21db74 Thanks @ematipico! - Fixed #2988 where Biome couldn't handle properly characters that contain multiple code points when running in stdin mode.
#8372 b352ee4 Thanks @Netail! - Added the nursery rule noAmbiguousAnchorText, which disallows ambiguous anchor descriptions.

Invalid
<a>learn more</a>
What's Changed

feat: new Turborepo domain and noUndeclaredEnvVars rule by @anthonyshew in biomejs/biome#8426

fix(noExtraNonNullAssertion): fix regression by @dyc3 in biomejs/biome#8477

fix(analyze/js): index ts constructor methods in semantic model (regression) by @dyc3 in biomejs/biome#8479

fix(lint): lint/suspicous/noRedeclare should not report redeclarations for infer type in conditional types by @taga3s in biomejs/biome#8417

fix(noLeakedRender): eslint rule name fix by @vsn4ik in biomejs/biome#8420

chore: add kraken as bronze sponsor by @dyc3 in biomejs/biome#8486

fix(linter): improve Vue defineProps handling in noVueReservedKeys by @mdevils in biomejs/biome#8448

fix(cli): colors with multi-codepoints characters by @ematipico in biomejs/biome#8410

feat(lint): implement noAmbiguousAnchorText by @Netail in biomejs/biome#8372

ci: release by @github-actions[bot] in biomejs/biome#8474

docs: fix typos for assist/actions/organize-imports by @sergioness in biomejs/biome#8490

New Contributors

@taga3s made their first contribution in biomejs/biome#8417

@vsn4ik made their first contribution in biomejs/biome#8420

@sergioness made their first contribution in biomejs/biome#8490

... (truncated)

Changelog

Sourced from @biomejs/biome's changelog.

2.3.10

Patch Changes
#8417 c3a2557 Thanks @taga3s! - Fixed #7809: noRedeclare no longer reports redeclarations for infer type in conditional types.

#8477 90e8684 Thanks @dyc3! - Fixed #8475: fixed a regression in how noExtraNonNullAssertion flags extra non-null assertions

#8479 250b519 Thanks @dyc3! - Fixed #8473: The semantic model now indexes typescript constructor method definitions, and no longer panics if you use one (a regression in 2.3.9).

#8448 2af85c1 Thanks @mdevils! - Improved handling of defineProps() macro in Vue components. The noVueReservedKeys rule now avoids false positives in non-setup scripts.

#8420 42033b0 Thanks @vsn4ik! - Fixed the nursery rule noLeakedRender.

The biome migrate eslint command now correctly detects the rule react/jsx-no-leaked-render in your eslint configurations.

#8426 285d932 Thanks @anthonyshew! - Added a Turborepo domain and a new "noUndeclaredEnvVars" rule in it for warning users of unsafe environment variable usage in Turborepos.

#8410 a21db74 Thanks @ematipico! - Fixed #2988 where Biome couldn't handle properly characters that contain multiple code points when running in stdin mode.
#8372 b352ee4 Thanks @Netail! - Added the nursery rule noAmbiguousAnchorText, which disallows ambiguous anchor descriptions.

Invalid
<a>learn more</a>
2.3.9

Patch Changes
#8232 84c9e08 Thanks @ruidosujeira! - Added the nursery rule noScriptUrl.

This rule disallows the use of javascript: URLs, which are considered a form of eval and can pose security risks such as XSS vulnerabilities.
<a href="javascript:alert('XSS')">Click me</a>
#8341 343dc4d Thanks @arendjr! - Added the nursery rule useAwaitThenable, which enforces that await is only used on Promise values.

Invalid
await "value";
const createValue = () => "value";
await createValue();

... (truncated)

Commits

fd279f3 ci: release (#8474)
b352ee4 feat(lint): implement noAmbiguousAnchorText (#8372)
67546bc chore: add kraken as bronze sponsor (#8486)
285d932 feat: new Turborepo domain and noUndeclaredEnvVars rule (#8426)
ec43141 ci: release (#8469)
382786b fix(lint): remove useExhaustiveDependencies spurious errors on dependency-f...
fc32352 fix: improve rustdoc for IndentStyle (#8425)
09acf2a feat(lint): update docs & diagnostic for lint/nursery/noProto (#8414)
84c9e08 feat: implement noScriptUrl rule (#8232)
d407efb refactor(formatter): reduce best fitting allocations (#8137)
Additional commits viewable in compare view

Updates @types/node from 24.10.1 to 25.0.3

Commits

See full diff in compare view

Updates express from 5.1.0 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Release: 5.2.1 by @UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @dependabot[bot] in expressjs/express#6429

Refactor: simplify acceptsLanguages implementation using spread operator by @Ayoub-Mabrouk in expressjs/express#6137

increased code coverage of utils.js file by @ashish3011 in expressjs/express#6386

chore: remove duplicate word by @dufucun in expressjs/express#6456

build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @dependabot[bot] in expressjs/express#6498

build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @dependabot[bot] in expressjs/express#6497

build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @dependabot[bot] in expressjs/express#6496

ci: add node.js 24 to test matrix by @Phillip9587 in expressjs/express#6504

ci: update codeql config by @Phillip9587 in expressjs/express#6488

chore: wider range for query test skip by @jonchurch in expressjs/express#6512

chore: fix typos in test by @noritaka1166 in expressjs/express#6535

ci: disable credential persistence for checkout actions by @mertssmnoglu in expressjs/express#6522

ci: allow manual triggering of workflow by @shivarm in expressjs/express#6515

test: add coverage for app.listen() variants by @kgarg1 in expressjs/express#6476

docs: move documentation and charters to the discussions and .github … by @bjohansebas in expressjs/express#6427

build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @dependabot[bot] in expressjs/express#6549

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in expressjs/express#6548

chore: enforce explicit Buffer import and add lint rule by @shivarm in expressjs/express#6525

chore: use node protocol for querystring by @shivarm in expressjs/express#6520

chore: fix typo by @mountdisk in expressjs/express#6609

build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @dependabot[bot] in expressjs/express#6618

add deprecation warnings for redirect arguments undefined by @bjohansebas in expressjs/express#6405

ci: run CI when the markdown changes by @bjohansebas in expressjs/express#6632

doc: fix CONTRIBUTING link by @jonchurch in expressjs/express#6653

doc: update contributing guidelines and code of conduct links by @ShubhamOulkar in expressjs/express#6601

build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @dependabot[bot] in expressjs/express#6679

build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @dependabot[bot] in expressjs/express#6678

lint: add --fix flag to automatic fix linting issue by @shivarm in expressjs/express#6644

chore: ignore yarn.lock file and update example by @shivarm in expressjs/express#6588

lib: use req.socket over deprecated req.connection by @bjohansebas in expressjs/express#6705

doc: update express app example by @shivarm in expressjs/express#6718

build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in expressjs/express#6675

Remove history.md from being packaged on publish by @sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

deps: body-parser@^2.2.1

A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

Commits

dbac741 5.2.1
697547c Revert "sec: security patch for CVE-2024-51999"
4007ad1 Release: 5.2.0 (#6920)
2f64f68 sec: security patch for CVE-2024-51999
ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
758d435 deps: body-parser@^2.2.1 (#6922)
77bcd52 docs: update emeritus triagers (#6890)
f33caf1 Nominate to @efekrskl for triage team (#6888)
Additional commits viewable in compare view

Updates @types/express from 5.0.5 to 5.0.6

Commits

See full diff in compare view

Updates fs-extra from 11.3.2 to 11.3.3

Changelog

Sourced from fs-extra's changelog.

11.3.3 / 2025-12-18

Fix copying symlink when destination is a symlink to the same target (#1019, #1060)

Commits

1de81e9 11.3.3
ddc46f7 Fix symlink copy failing when source and dest symlinks point to same target (...
5023c22 Use macos-15-intel runner (#1061)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all-dependencies group with 6 updates: | Package | From | To | | --- | --- | --- | | [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `5.3.2` | `5.3.3` | | [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome) | `2.3.8` | `2.3.10` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.10.1` | `25.0.3` | | [express](https://github.com/expressjs/express) | `5.1.0` | `5.2.1` | | [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) | `5.0.5` | `5.0.6` | | [fs-extra](https://github.com/jprichardson/node-fs-extra) | `11.3.2` | `11.3.3` | Updates `fast-xml-parser` from 5.3.2 to 5.3.3 - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-parser@v5.3.2...v5.3.3) Updates `@biomejs/biome` from 2.3.8 to 2.3.10 - [Release notes](https://github.com/biomejs/biome/releases) - [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md) - [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.3.10/packages/@biomejs/biome) Updates `@types/node` from 24.10.1 to 25.0.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `express` from 5.1.0 to 5.2.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@v5.1.0...v5.2.1) Updates `@types/express` from 5.0.5 to 5.0.6 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express) Updates `fs-extra` from 11.3.2 to 11.3.3 - [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md) - [Commits](jprichardson/node-fs-extra@11.3.2...11.3.3) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.3.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-dependencies - dependency-name: "@biomejs/biome" dependency-version: 2.3.10 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: all-dependencies - dependency-name: "@types/node" dependency-version: 25.0.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: all-dependencies - dependency-name: express dependency-version: 5.2.1 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: all-dependencies - dependency-name: "@types/express" dependency-version: 5.0.6 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: all-dependencies - dependency-name: fs-extra dependency-version: 11.3.3 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: all-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-01-01T04:19:34Z

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot · 2026-02-01T04:13:18Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot closed this Feb 1, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/all-dependencies-2118978052 branch February 1, 2026 04:13

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

deps: bump the all-dependencies group with 6 updates#22

deps: bump the all-dependencies group with 6 updates#22
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/all-dependencies-2118978052

dependabot Bot commented on behalf of github Jan 1, 2026 •

edited

Loading

Invalid

Invalid

Invalid

Uh oh!

dependabot Bot commented on behalf of github Jan 1, 2026

Uh oh!

dependabot Bot commented on behalf of github Feb 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jan 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

bug fix and performance improvements

Biome CLI v2.3.10

2.3.10

Patch Changes

Invalid

What's Changed

New Contributors

2.3.10

Patch Changes

Invalid

2.3.9

Patch Changes

Invalid

v5.2.1

What's Changed

v5.2.0

Important: Security

What's Changed

5.2.1 / 2025-12-01

5.2.0 / 2025-12-01

11.3.3 / 2025-12-18

Uh oh!

dependabot Bot commented on behalf of github Jan 1, 2026

Labels

Uh oh!

dependabot Bot commented on behalf of github Feb 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jan 1, 2026 •

edited

Loading