⬆️ deps(backend): Bump the minor-and-patch group across 1 directory with 6 updates by dependabot[bot] · Pull Request #192 · bigtcze/noteer

dependabot · 2026-04-06T11:37:59Z

Bumps the minor-and-patch group with 6 updates in the /backend directory:

Package	From	To
cors	`2.8.5`	`2.8.6`
dotenv	`17.2.3`	`17.4.1`
express-validator	`7.3.1`	`7.3.2`
multer	`2.0.2`	`2.1.1`
openid-client	`6.8.1`	`6.8.2`
pg	`8.17.0`	`8.20.0`

Updates cors from 2.8.5 to 2.8.6

Release notes

Sourced from cors's releases.

v2.8.6

What's Changed

Build: Node.js@12.16 and Node.js.13.12 by @smondal in expressjs/cors#189

Update README.md for origin function callback parameters by @dstudzinski in expressjs/cors#180

Suggest passing false for disallowed domains, not erroring by @shackpank in expressjs/cors#175

Changed the term whitelist to allowlist in Documentation by @jkasun in expressjs/cors#200

Fix typo in README by @alex-grover in expressjs/cors#207

Added new link & website in the README by @manjunath00 in expressjs/cors#269

Fix functions call with extra parameter by @LuisEGR in expressjs/cors#245

🐛 Fix readme status badge by @homersimpsons in expressjs/cors#306

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/cors#321

ci: fix errors in ci github action for node 8 by @inigomarquinez in expressjs/cors#322

test: improved test robustness by @Alex-GF in expressjs/cors#320

chore: upgrade scorecard workflow pinned action versions by @carpasse in expressjs/cors#341

ci: add CodeQL (SAST) by @bjohansebas in expressjs/cors#340

docs: remove broken link to demo site by @dpopp07 in expressjs/cors#344

OSSF Scorecard recommendations by @UlisesGascon in expressjs/cors#350

build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 by @dependabot[bot] in expressjs/cors#351

build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/cors#353

build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @dependabot[bot] in expressjs/cors#354

build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @dependabot[bot] in expressjs/cors#355

build(deps-dev): bump express from 4.17.1 to 4.21.2 by @dependabot[bot] in expressjs/cors#356

build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in expressjs/cors#352

build(deps-dev): bump mocha from 9.1.1 to 9.2.2 by @dependabot[bot] in expressjs/cors#358

update the docs for per request config by @jonchurch in expressjs/cors#338

(fix): readme updated for #271 origin option for * by @dhananjaysa92 in expressjs/cors#289

ci: upgrade Node versions by @UlisesGascon in expressjs/cors#359

chore: add funding to package.json by @bjohansebas in expressjs/cors#363

build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 by @dependabot[bot] in expressjs/cors#371

build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in expressjs/cors#370

docs: Cleanup README by @efekrskl in expressjs/cors#374

chore: add node v25 by @imangas in expressjs/cors#375

Extend CI test matrix by @imangas in expressjs/cors#376

docs: simplify code examples with header comments by @jonchurch in expressjs/cors#386

docs: tweak intro, add note w/ browser enforcement, FAQ by @jonchurch in expressjs/cors#385

chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball by @Phillip9587 in expressjs/cors#388

Release: 2.8.6 by @UlisesGascon in expressjs/cors#390

New Contributors

@smondal made their first contribution in expressjs/cors#189

@dstudzinski made their first contribution in expressjs/cors#180

@shackpank made their first contribution in expressjs/cors#175

@jkasun made their first contribution in expressjs/cors#200

@alex-grover made their first contribution in expressjs/cors#207

@manjunath00 made their first contribution in expressjs/cors#269

@LuisEGR made their first contribution in expressjs/cors#245

@homersimpsons made their first contribution in expressjs/cors#306

@inigomarquinez made their first contribution in expressjs/cors#321

@Alex-GF made their first contribution in expressjs/cors#320

@carpasse made their first contribution in expressjs/cors#341

... (truncated)

Changelog

Sourced from cors's changelog.

2.8.6 / 2026-01-22

Improve documentation (API, context, examples...)

Remove additional markdown files from tarball

Commits

f00a8c1 2.8.6 (#390)
848e2bd chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388)
cf8947e docs: tweak intro, add note w/ browser enforcement, FAQ (#385)
bbf62a5 docs: simplify code examples with header comments (#386)
f442e77 Extend CI test matrix (#376)
d5cf6cd ci: add support for node@25 (#375)
7e6f7ee docs: revamp content (#374)
b25644c build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370)
f881e91 build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371)
9a9a760 chore: add funding to package.json (#363)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cors since your current version.

Updates dotenv from 17.2.3 to 17.4.1

Changelog

Sourced from dotenv's changelog.

17.4.1 (2026-04-05)

Changed

Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

Tighten up logs: ◇ injecting env (14) from .env (#1003)

17.3.1 (2026-02-12)

Changed

Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

Add a new README section on dotenv’s approach to the agentic future.

Changed

Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

Commits

48aa216 17.4.1
e4282b0 changelog 🪵
c540e75 Merge pull request #1006 from motdotla/skills-update
5626f9b dotenvx skill
2411f2a update dotenvx skill
1e08a70 simplify dotenv skill
747f417 Merge pull request #1005 from motdotla/injected
271df30 changelog 🪵
3f01a8b injecting to injected
ccc50d5 update
Additional commits viewable in compare view

Updates express-validator from 7.3.1 to 7.3.2

Release notes

Sourced from express-validator's releases.

v7.3.2

What's Changed

bump lodash to 4.17.23 to fix CVE-2025-13465 by @mahmoodhamdi in express-validator/express-validator#1355

Plus several docs changes.

New Contributors

@mahmoodhamdi made their first contribution in express-validator/express-validator#1357

Full Changelog: express-validator/express-validator@v7.3.1...v7.3.2

Commits

7d06bc3 7.3.2
73fb78b ci: bump node version used across several action jobs
8a6c2d6 deps: upgrade docusaurus and friends
2db1d81 deps: further bump lodash to v4.18.1
0b1dbe3 docs: fix incorrect type references in oneOf and validation-result docs (#1358)
0386b00 docs: fix duplicate variable declaration in matchedData example (#1359)
97fde88 fix(deps): bump lodash to 4.17.23 to fix CVE-2025-13465 (#1355)
6c2df4d docs: fix incorrect checkSchema().run() example (#1357)
See full diff in compare view

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

chore: add node version to 25.x in CI by @imangas in expressjs/multer#1372

chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @dependabot[bot] in expressjs/multer#1378

chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @dependabot[bot] in expressjs/multer#1377

chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @dependabot[bot] in expressjs/multer#1376

chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @dependabot[bot] in expressjs/multer#1375

chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @dependabot[bot] in expressjs/multer#1374

fix error/abort handling by @ctcpip in expressjs/multer#1373

2.1.1 by @UlisesGascon in expressjs/multer#1380

New Contributors

@imangas made their first contribution in expressjs/multer#1372

@dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)

Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

chore: add funding to package.json by @bjohansebas in expressjs/multer#1346

chore: drop mkdirp dependency by @wojtekmaj in expressjs/multer#1350

chore: drop object-assign dependency by @wojtekmaj in expressjs/multer#1351

chore: drop xtend dependency by @wojtekmaj in expressjs/multer#1352

chore(gitignore): ignore .nyc_output directory by @ShubhamOulkar in expressjs/multer#1332

Fix typo in README-vi.md regarding file upload by @Kunniii in expressjs/multer#1366

Fix typo in README-pt-br.md for array method by @matheushbm192 in expressjs/multer#1367

headers-support-utf8 by @Doc999tor in expressjs/multer#1210

Add Turkish translation (README-tr.md) by @Sabandogan in expressjs/multer#1360

Release: 2.1.0 by @UlisesGascon in expressjs/multer#1371

New Contributors

@wojtekmaj made their first contribution in expressjs/multer#1350

@ShubhamOulkar made their first contribution in expressjs/multer#1332

@Kunniii made their first contribution in expressjs/multer#1366

@matheushbm192 made their first contribution in expressjs/multer#1367

@Doc999tor made their first contribution in expressjs/multer#1210

@Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

fix error/abort handling

2.1.0

Add defParamCharset option for UTF-8 filename support (#1210)

Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)

Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

Commits

368c8a1 2.1.1 (#1380)
7e66481 🐛 fix recursion issue
643571e ✅ add explicit test for client able to send body without abrupt disconnect
e86fa52 fix error/abort handling
ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
17d7f51 chore: add node version to 25.x in CI
Additional commits viewable in compare view

Updates openid-client from 6.8.1 to 6.8.2

Release notes

Sourced from openid-client's releases.

v6.8.2

Fixes

use duplex: half for fetchProtectedResource with ReadableStream body input (f6f84e2)

Changelog

Sourced from openid-client's changelog.

6.8.2 (2026-02-07)

Fixes

use duplex: half for fetchProtectedResource with ReadableStream body input (f6f84e2)

Commits

b14e51c chore(release): 6.8.2
f6f84e2 fix: use duplex: half for fetchProtectedResource with ReadableStream body input
f879890 chore: bump packages
b506e1a build(deps): bump the actions group with 4 updates (#853)
0baa958 chore: bump packages
c5d4931 chore: bump packages
7cf3c12 test: revert undici for the time being
8b2e360 chore: bump packages
79386b7 build(deps): bump lodash from 4.17.21 to 4.17.23 (#849)
950e199 build(deps-dev): bump tar from 7.5.3 to 7.5.6 (#848)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for openid-client since your current version.

Updates pg from 8.17.0 to 8.20.0

Changelog

Sourced from pg's changelog.

pg@8.20.0

Add onConnect callback to pg.Pool constructor options allowing for async initialization of newly created & connected pooled clients.

pg@8.19.0

Deprecate interal query queue.

Pass connection parameters to password callback.

pg@8.18.0

Return the client instance as the result of calling connect (previously it was void).

Commits

c9070cc Publish
ad36e3c fix: typo in deprecation notice for client.query() (#3618)
f2d7d11 Publish
5a4bafc Deprecate Client's internal query queue (#3603)
a215bfb Typo fix in PgPass deprecation (funciton) (#3605)
01e0556 fix(pg-query-stream): invoke this.callback on cursor end/error (#2810)
e6e3692 Pass connection parameters to password callback (#3602)
d80d883 test: Fix TLS connection test ending too early
f332f28 fix: Connection timeout handling for native clients in connected state (#3512)
b2e9cb1 Remove testAsync - its redundant (#3588)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…ith 6 updates Bumps the minor-and-patch group with 6 updates in the /backend directory: | Package | From | To | | --- | --- | --- | | [cors](https://github.com/expressjs/cors) | `2.8.5` | `2.8.6` | | [dotenv](https://github.com/motdotla/dotenv) | `17.2.3` | `17.4.1` | | [express-validator](https://github.com/express-validator/express-validator) | `7.3.1` | `7.3.2` | | [multer](https://github.com/expressjs/multer) | `2.0.2` | `2.1.1` | | [openid-client](https://github.com/panva/openid-client) | `6.8.1` | `6.8.2` | | [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) | `8.17.0` | `8.20.0` | Updates `cors` from 2.8.5 to 2.8.6 - [Release notes](https://github.com/expressjs/cors/releases) - [Changelog](https://github.com/expressjs/cors/blob/master/HISTORY.md) - [Commits](expressjs/cors@v2.8.5...v2.8.6) Updates `dotenv` from 17.2.3 to 17.4.1 - [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md) - [Commits](motdotla/dotenv@v17.2.3...v17.4.1) Updates `express-validator` from 7.3.1 to 7.3.2 - [Release notes](https://github.com/express-validator/express-validator/releases) - [Commits](express-validator/express-validator@v7.3.1...v7.3.2) Updates `multer` from 2.0.2 to 2.1.1 - [Release notes](https://github.com/expressjs/multer/releases) - [Changelog](https://github.com/expressjs/multer/blob/main/CHANGELOG.md) - [Commits](expressjs/multer@v2.0.2...v2.1.1) Updates `openid-client` from 6.8.1 to 6.8.2 - [Release notes](https://github.com/panva/openid-client/releases) - [Changelog](https://github.com/panva/openid-client/blob/main/CHANGELOG.md) - [Commits](panva/openid-client@v6.8.1...v6.8.2) Updates `pg` from 8.17.0 to 8.20.0 - [Changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md) - [Commits](https://github.com/brianc/node-postgres/commits/pg@8.20.0/packages/pg) --- updated-dependencies: - dependency-name: cors dependency-version: 2.8.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: dotenv dependency-version: 17.4.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: express-validator dependency-version: 7.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: multer dependency-version: 2.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch - dependency-name: openid-client dependency-version: 6.8.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: pg dependency-version: 8.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-04-06T11:38:00Z

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot bot added the backend label Apr 6, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

⬆️ deps(backend): Bump the minor-and-patch group across 1 directory with 6 updates#192

⬆️ deps(backend): Bump the minor-and-patch group across 1 directory with 6 updates#192
dependabot[bot] wants to merge 1 commit intodevelopmentfrom
dependabot/npm_and_yarn/backend/minor-and-patch-79b7621bd5

dependabot bot commented on behalf of github Apr 6, 2026 •

edited

Loading

Uh oh!

dependabot bot commented on behalf of github Apr 6, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.8.6

What's Changed

New Contributors

2.8.6 / 2026-01-22

17.4.1 (2026-04-05)

Changed

17.4.0 (2026-04-01)

Added

Changed

17.3.1 (2026-02-12)

Changed

17.3.0 (2026-02-12)

Added

Changed

17.2.4 (2026-02-05)

Changed

v7.3.2

What's Changed

New Contributors

v2.1.1

Important

What's Changed

New Contributors

v2.1.0

Important

What's Changed

New Contributors

2.1.1

2.1.0

v6.8.2

Fixes

6.8.2 (2026-02-07)

Fixes

pg@8.20.0

pg@8.19.0

pg@8.18.0

Uh oh!

dependabot bot commented on behalf of github Apr 6, 2026

Labels

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Apr 6, 2026 •

edited

Loading