Bump the npm_and_yarn group across 1 directory with 18 updates

[dependabot]

Bumps the npm_and_yarn group with 13 updates in the / directory:

Package	From	To
nuxt	2.12.1	3.19.0
vue-template-compiler	2.6.11	2.7.16
browserify-sign	4.0.4	4.2.5
cipher-base	1.0.4	1.0.7
decode-uri-component	0.2.0	0.2.2
elliptic	6.5.2	6.6.1
eventsource	1.0.7	1.1.2
express	4.17.1	4.21.2
moment	2.24.0	2.30.1
secp256k1	3.8.0	3.8.1
sha.js	2.4.11	2.4.12
thenify	3.3.0	3.3.1
url-parse	1.4.7	1.5.10

Updates nuxt from 2.12.1 to 3.19.0

Release notes

Sourced from nuxt's releases.

v3.19.0

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Add ignore option to resolveFiles (#32858)
• kit: Add onInstall and onUpgrade module hooks (#32397)
• nuxt,vite: Add experimental support for rolldown-vite (#31812)
• nuxt: Extract defineRouteRules to page rules property (#32897)
• nuxt,vite: Use importmap to increase chunk stability (#33075)
• nuxt: Lazy hydration macros without auto-imports (#33037)
• kit,nuxt,schema: Allow modules to specify dependencies (#33063)
• kit,nuxt: Add getLayerDirectories util and refactor to use it (#33098)

🔥 Performance

• nuxt: Clear inline route rules cache when pages change (#32877)
• nuxt: Stop watching app manifest once a change has been detected (#32880)

🩹 Fixes

• nuxt: Handle satisfies in page augmentation (#32902)
• nuxt: Type response in useFetch hooks (#32891)
• nuxt: Add TS parenthesis and as expression for page meta extraction (#32914)
• nuxt: Use correct unit thresholds for relative time (#32893)
• nuxt: Handle uncached current build manifests (#32913)
• kit: Resolve directories in resolvePath and normalize file extensions (#32857)
• schema,vite: Bump requestTimeout + allow configuration (#32874)
• nuxt: Deep merge extracted route meta (#32887)
• nuxt: Do not expose app components until fully resolved (#32993)
• kit: Only exclude node_modules/ if no custom srcDir (#32987)
• nuxt: Compare final matched routes when syncing route object (#32899)
• nuxt: Make vue server warnings much less verbose in dev mode (#33018)
• schema: Allow disabling cssnano/autoprefixer postcss plugins (#33016)
• kit: Ensure local layers are prioritised alphabetically (#33030)
• kit,nuxt: Expose global types to vue compiler (#33026)
• nuxt: Support config type inference for defineNuxtModule().with() (#33081)
• nuxt: Search for colliding names in route children (31a9282c2)
• nuxt: Delete nuxtApp._runningTransition on resolve (#33025)
• nuxt: Add validation for nuxt island reviver key (#33069)

... (truncated)

Commits

• 8956505 v3.19.0
• 9a3b445 test: update test for app creation
• ae8b0d2 fix(kit): prioritise local layers over extended layers
• 2fd3bc2 feat(kit,nuxt): add getLayerDirectories util and refactor to use it (#33098)
• 6cc79dd feat(kit,nuxt,schema): allow modules to specify dependencies (#33063)
• 78153ba fix(nuxt): add validation for nuxt island reviver key (#33069)
• f4e38b7 fix(nuxt): delete nuxtApp._runningTransition on resolve (#33025)
• 31a9282 fix(nuxt): search for colliding names in route children
• 10fd012 refactor(kit,nuxt,ui-templates,vite): address deprecations + improve regexp p...
• 04dda84 feat(nuxt): lazy hydration macros without auto-imports (#33037)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nuxt since your current version.

Updates vue-template-compiler from 2.6.11 to 2.7.16

Release notes

Sourced from vue-template-compiler's releases.

v2.7.16 "Swan Song"

This is the final release for Vue 2.

Vue 2 will reach End of Life on December 31st, 2023. For more details, please read this blog post.

Please refer to CHANGELOG.md for details.

v2.7.16-beta.2

Please refer to CHANGELOG.md for details.

v2.7.16-beta.1

Please refer to CHANGELOG.md for details.

v2.7.15

Please refer to CHANGELOG.md for details.

v2.7.14

Please refer to CHANGELOG.md for details.

v2.7.13

Please refer to CHANGELOG.md for details.

v2.7.12

Please refer to CHANGELOG.md for details.

v2.7.11

Please refer to CHANGELOG.md for details.

v2.7.10

Please refer to CHANGELOG.md for details.

v2.7.9

Please refer to CHANGELOG.md for details.

v2.7.8

Please refer to CHANGELOG.md for details.

v2.7.7

Please refer to CHANGELOG.md for details.

v2.7.6

Please refer to CHANGELOG.md for details.

v2.7.5

Please refer to CHANGELOG.md for details.

v2.7.4

Please refer to CHANGELOG.md for details.

v2.7.3

... (truncated)

Changelog

Sourced from vue-template-compiler's changelog.

2.7.16 Swan Song (2023-12-24)

Bug Fixes

• lifecycle: ensure component effect scopes are disconnected (56ce7f8), closes #13134

2.7.16-beta.2 (2023-12-14)

Bug Fixes

• account for nested render calls (db9c566), closes #13131
• types: export more types for v3 alignment (jsx / component options) (895669f), closes #13078 #13128

2.7.16-beta.1 (2023-12-08)

Bug Fixes

• compiler-sfc: check template ref usage, (#12985) (83d9535), closes #12984
• compiler-sfc: fix rewriteDefault edge cases (25f97a5), closes #13060 #12892 #12906
• keep-alive: fix keep-alive memory leak (2632249), closes #12827
• keep-alive: fix memory leak without breaking transition tests (e0747f4)
• props: should not unwrap props that are raw refs (08382f0), closes #12930
• shallowReactive: should track value if already reactive when set in shallowReactive (0ad8e8d)
• style: always set new styles (f5ef882), closes #12901 #12946
• types: fix shallowRef's return type (#12979) (a174c29), closes #12978
• types: fix type augmentation and compiler-sfc types w/moduleResolution: bundler (#13107) (de0b97b), closes #13106
• types: provide types for built-in components (3650c12), closes #13002
• types: type VNodeChildren should allow type number (#13067) (24fcf69), closes #12973
• utils: unwrap refs when stringifying values in template (ae3e4b1), closes #12884 #12888
• watch: new property addition should trigger deep watcher with getter (6d857f5), closes #12967 #12972

2.7.15 (2023-10-23)

Bug Fixes

• compiler-sfc: add semicolon after defineProps statement (#12879) (51fef2c)
• compiler-sfc: fix macro usage in multi-variable declaration (#12873) (d27c128)
• compiler-sfc: Optimize the value of emitIdentifier (#12851) (bb59751)
• compiler-sfc: Resolve object expression parsing errors in v-on (#12862) (b8c8b3f)
• lifecycle: scope might changed when call hook (#13070) (74ca5a1)

... (truncated)

Commits

• 13f4e7d release: v2.7.16
• 56ce7f8 fix(lifecycle): esnure component effect scopes are disconnected
• 305e4ae release: v2.7.16-beta.2
• 3e1037e chore: bump vitest to 1.0.4
• db9c566 fix: account for nested render calls
• 895669f fix(types): export more types for v3 alignment (jsx / component options)
• 73bdf14 release: v2.7.16-beta.1
• e0747f4 fix(keep-alive): fix memory leak without breaking transition tests
• 2632249 fix(keep-alive): fix keep-alive memory leak
• 3650c12 fix(types): provide types for built-in components
• Additional commits viewable in compare view

Updates browserify-sign from 4.0.4 to 4.2.5

Changelog

Sourced from browserify-sign's changelog.

v4.2.5 - 2025-09-24

Commits

• [Tests] clean up tests and convert console info skips to tape skips 37b083c
• [Fix] restore node 0.10 support faade86
• [Deps] update parse-asn1 5a0f159
• [actions] drop unsupported nodes from CI 106be97

v4.2.4 - 2025-09-22

Commits

• [actions] split out node 10-20, and 20+ 17920d9
• [meta] remove files field 6d5b280
• [Deps] update bn.js, browserify-rsa, elliptic 31be0c2
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, semver, tape 5f66982
• [Tests] replace aud with npm audit d44b24d
• [Dev Deps] add missing peer dep ab975f4
• [Deps] revert 9e2bf12, now that v3.1.1 is out 428cf7f

v4.2.3 - 2024-03-05

Commits

• [patch] widen support to 0.12 9247adf
• [patch] drop minimum node support to v1 4d0ee49
• [Dev Deps] update aud, npmignore, tape 87f3a35
• [actions] remove redundant finisher 37a4758
• [Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12
• [Deps] update parse-asn1 [f427270`](browserify/browserify-sign@f427270)
• [Deps] update elliptic fb261ce
• [Deps] pin elliptic due to a breaking change 168e16f

v4.2.2 - 2023-10-25

Fixed

• [Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

• Only apps should have lockfiles 09a8995
• [eslint] switch to eslint 83fe463
• [meta] add npmignore and auto-changelog 4418183
• [meta] fix package.json indentation 9ac5a5e
• [Tests] migrate from travis to github actions d845d85
• [Fix] sign: throw on unsupported padding scheme 8767739
• [Fix] properly check the upper bound for DSA signatures 85994cd
• [Tests] handle openSSL not supporting a scheme f5f17c2

... (truncated)

Commits

• d3a7458 v4.2.5
• 37b083c [Tests] clean up tests and convert console info skips to tape skips
• faade86 [Fix] restore node 0.10 support
• 5a0f159 [Deps] update parse-asn1
• 106be97 [actions] drop unsupported nodes from CI
• 9c37172 v4.2.4
• 6d5b280 [meta] remove files field
• 17920d9 [actions] split out node 10-20, and 20+
• 31be0c2 [Deps] update bn.js, browserify-rsa, elliptic
• ab975f4 [Dev Deps] add missing peer dep
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

• [Refactor] use to-buffer fd1e5ee
• [Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

• [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

• [Tests] standard -> eslint, make test dir, etc ae02fd6
• [Tests] migrate from travis to GHA 66387d7
• [meta] fix package.json indentation 5c02918
• [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
• [meta] add auto-changelog 88dc806
• [meta] add npmignore and safe-publish-latest 7a137d7
• Only apps should have lockfiles 42528f2
• [Deps] update inherits, safe-buffer 0e7a2d9
• [meta] add missing engines.node f2dc13e

Commits

• 0056718 v1.0.7
• fd1e5ee [Refactor] use to-buffer
• 08ba803 [Dev Deps] update @ljharb/eslint-config
• f5249f9 v1.0.6
• b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
• f03cebf v1.0.5
• 88dc806 [meta] add auto-changelog
• 7a137d7 [meta] add npmignore and safe-publish-latest
• 5c02918 [meta] fix package.json indentation
• 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.

Updates cookie from 0.3.1 to 0.4.0

Release notes

Sourced from cookie's releases.

0.4.0

• Add SameSite=None support

Changelog

Sourced from cookie's changelog.

0.4.0 / 2019-05-15

• Add SameSite=None support

Commits

• aec1177 0.4.0
• 6aafdaf build: add version script for npm version releases
• 6e5b36b Add SameSite=None support
• 966281a build: support Node.js 12.x
• 30d40ae build: [email protected]
• 1f9b572 build: [email protected]
• 4f5046f build: [email protected]
• 18386a4 build: [email protected]
• 11eb36a build: speed up logic in Travis CI build steps
• 42515e2 build: [email protected]
• Additional commits viewable in compare view

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

• Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

• Switch to GitHub workflows 76abc93
• Fix issue where decode throws - fixes #6 746ca5d
• Update license (#1) 486d7e2
• Tidelift tasks a650457
• Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

• a0eea46 0.2.2
• 980e0bf Prevent overwriting previously decoded tokens
• 3c8a373 0.2.1
• 76abc93 Switch to GitHub workflows
• 746ca5d Fix issue where decode throws - fixes #6
• 486d7e2 Update license (#1)
• a650457 Tidelift tasks
• 66e1c28 Meta tweaks
• See full diff in compare view

Updates elliptic from 6.5.2 to 6.6.1

Commits

• 9b77436 6.6.1
• 04cb6f5 Merge commit from fork
• b8a7edd 6.6.0
• 34c8534 fix: signature verification due to leading zeros
• 3e46a48 6.5.7
• accb61e lib: DER signature decoding correction
• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• Additional commits viewable in compare view

Updates eventsource from 1.0.7 to 1.1.2

Changelog

Sourced from eventsource's changelog.

1.1.2 (2022-06-08)

Features

• Inline origin resolution, drops original dependency (#281 Espen Hovlandsdal)

1.1.1 (2022-05-11)

Bug Fixes

• Do not include authorization and cookie headers on redirect to different origin (#273 Espen Hovlandsdal)

1.1.0 (2021-03-18)

Features

• Improve performance for large messages across many chunks (#130 Trent Willis)
• Add createConnection option for http or https requests (#120 Vasily Lavrov)
• Support HTTP 302 redirects (#116 Ryan Bonte)

Bug Fixes

• Prevent sequential errors from attempting multiple reconnections (#125 David Patty)
• Add new to correct test (#111 Stéphane Alnet)
• Fix reconnections attempts now happen more than once (#136 Icy Fish)

Commits

• 0a8b85b 1.1.2
• f99ae66 docs: update history for 1.1.2
• 06c9721 chore: rebuild polyfill
• 9494642 fix: inline origin resolution, drop original dependency (#281)
• aa7a408 1.1.1
• 56d489e chore: rebuild polyfill
• 4a951e5 docs: update history for 1.1.1
• f9f6416 fix: strip sensitive headers on redirect to different origin
• 9dd0687 1.1.0
• 49497ba Update history for 1.1.0 (#146)
• Additional commits viewable in compare view

Updates express from 4.17.1 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: [email protected] by @​blakeembrey in expressjs/express#5956
• deps: bump [email protected] by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: [email protected]
  • Fix backtracking protection
• deps: [email protected]
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: [email protected]
  • includes [email protected]
• deps: [email protected]
• deps: [email protected]

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump [email protected] (#6209)
• 59fc270 deps: [email protected] (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates moment from 2.24.0 to 2.30.1

Changelog

Sourced from moment's changelog.

2.30.1

• Release Dec 27, 2023
• Revert moment/moment#5827, because it's breaking a lot of TS code.

2.30.0 Full changelog

• Release Dec 26, 2023

2.29.4

• Release Jul 6, 2022
  • #6015 [bugfix] Fix ReDoS in preprocessRFC2822 regex

2.29.3 Full changelog

• Release Apr 17, 2022
  • #5995 [bugfix] Remove const usage
  • #5990 misc: fix advisory link

2.29.2 See full changelog

• Release Apr 3 2022

Address GHSA-8hfj-j24r-96c4

2.29.1 See full changelog

• Release Oct 6, 2020

Updated deprecation message, bugfix in hi locale

2.29.0 See full changelog

• Release Sept 22, 2020

New locales (es-mx, bn-bd). Minor bugfixes and locale improvements. More tests. Moment is in maintenance mode. Read more at this link: https://momentjs.com/docs/#/-project-status/

2.28.0 See full changelog

• Release Sept 13, 2020

Fix bug where .format() modifies original instance, and locale updates

2.27.0 See full changelog

... (truncated)

Commits

• 485d9a7 Build 2.30.1
• e048b09 Bump version to 2.30.1
• f9f2d58 Update changelog for 2.30.1
• a52ffb2 Revert "Merge pull request #5827 from BobZombie:feature/fix_d.ts"
• ddd6809 Build 2.30.0
• be64d00 Bump version to 2.30.0
• ad41179 Update changelog for 2.30.0
• 63fe479 [misc] Make code ES6 compatible
• 0f0195f Revert "Merge pull request #5599 from Alanscut:issue_4985"
• 15b82f5 Revert "Merge pull request #5597 from Alanscut:issue-5596"
• Additional commits viewable in compare view

Updates path-to-regexp from 0.1.7 to 0.1.12

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking (again)

Fixed

• Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

• Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

• Add backtrack protection to parameters 29b96b4
  • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

• Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

• Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

• 640e694 0.1.12
• f01c26a Merge commit from fork
• 0c71192 0.1.11
• 8f09549 Add error on bad input values
• c827fce 0.1.10
• 29b96b4 Add backtrack protection to parameters
• ac4c234 Update repo url (#314)
• bdb6635 0.1.9
• c4272e4 Allow a non-lookahead regex (#312)
• 51a1955 0.1.8
• Additional commits viewable in compare view

Updates secp256k1 from 3.8.0 to 3.8.1

Commits

• 69dcdf1 3.8.1
• e256905 elliptic: fix key verification in loadCompressedPublicKey
• 289dbc3 Update elliptic to 6.5.7 (CVE-2024-42461) (#206)
• See full diff in compare view

Updates send from 0.17.1 to 0.19.0

Release notes

Sourced from send's releases.

0.19.0

What's Changed

• Remove link renderization in html while redirecting (