chore(deps): update dependency bcryptjs to version 3.x 🌟 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
bcryptjs	2.4.3 → 3.0.3
express (source)	4.20.0 → 5.2.1
express-jwt	6.1.2 → 8.5.1
express-validator (source)	6.15.0 → 7.3.1
nodemon (source)	2.0.22 → 3.1.14

---

Release Notes

dcodeIO/bcrypt.js (bcryptjs)

v3.0.3

Compare Source

Bug fixes

• Always yield to event loop before nextTick for async versions (#​164) (1211e9a)

v3.0.2

Compare Source

Bug fixes

• Use upstream fix to emit interop helpers (28e5103)

v3.0.1

Compare Source

Bug fixes

• Separate ESM and UMD type definitions (e7055ca)

v3.0.0

Compare Source

Breaking changes

• Modernize project structure (2f45985)
  The project now exports an ECMAScript module by default, albeit with an UMD fallback, ships with types, the dist/ directory no longer exists in version control, and Closure Compiler externs have been removed.
• Generate 2b hashes by default (d36bfb4)
  This library was not affected by the bug that led to incrementing the bcrypt version from 2a to 2b, but nowadays most implementations use 2b, including the native bcrypt binding, so this change aligns with them. Existing hashes will continue to work, but test logic that generates hashes and compares them literally might need to be updated to account for the new default.

Features

• Add helper to check for password input length (d5656b3)

Other

• Update publish workflow (2a9bea9)
• Add note on using the ESM variant in the browser (e09eb9a)
• Update types (58333a1)
• Merge lint and test workflows (2e3b176)
• Fix tests (ec02e8a)
• Update legacy fallback to handle crypto dependency (9db275f)
• Update lint workflow title (ac70ac5)
• Adapt crypto module usage for ESM environments (574d690)
• Format with prettier (e746547)
• Rename default branch to 'main' (548559d)
• Update description to mention TypeScript support (4977df0)
• Add stale action for issues and PRs (a84d4e4)
• Fix typo (c8c9c01)
• Fix Node.js version in CI (1b54cc4)

Backlog from v2

• Added externs to .npmignore (#​124) (7e2e93a)
  The npm package does not need externs as it is needed only for closure compiler. Added it in .npmignore since bcryptjs overrides global module and process in WebStorm IDE.
• Make sure the bin script uses LF (684fac6)
• Post-merge; Clean up a bit (b09f7f2)
• Improve safeStringCompare using xor (#​77) (648482a)
• Added bin entry (49a1d1a)

expressjs/express (express)

v5.2.1

Compare Source

=======================

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

v5.2.0

Compare Source

========================

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

v5.1.0

Compare Source

========================

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

v5.0.1

Compare Source

==========

• Update cookie semver lock to address CVE-2024-47764

v5.0.0

Compare Source

=========================

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@​1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@​4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@​6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

v4.22.1

Compare Source

v4.22.0

Compare Source

v4.21.2

Compare Source

What's Changed

• Add funding field (v4) by @​bjohansebas in #​6065
• deps: path-to-regexp@​0.1.11 by @​blakeembrey in #​5956
• deps: bump path-to-regexp@​0.1.12 by @​jonchurch in #​6209
• Release: 4.21.2 by @​UlisesGascon in #​6094

Full Changelog: expressjs/express@4.21.1...4.21.2

v4.21.1

Compare Source

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in #​6029
• Release: 4.21.1 by @​UlisesGascon in #​6031

Full Changelog: expressjs/express@4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in #​5935
• finalhandler@​1.3.1 by @​wesleytodd in #​5954
• fix(deps): serve-static@​1.16.2 by @​wesleytodd in #​5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in #​5946

New Contributors

• @​agadzinski93 made their first contribution in #​5946

Full Changelog: expressjs/express@4.20.0...4.21.0

auth0/express-jwt (express-jwt)

v8.5.1

Compare Source

v8.5.0

Compare Source

v8.4.1

Compare Source

v8.4.0

Compare Source

v8.3.0

Compare Source

• requestProperty support for nested properties (bbd3606ce68da2602733d6e4ac32564570753ca1)
• Update Typescript instructions in Readme.MD (3c1d5cf8a08a6afbcfc78640b8cdb26fac8002ca)

v8.2.1

Compare Source

• add secret rotation example in readme. close #​310 (0000a44ed58aac97798007af19b0324f28acc436), closes #​310
• update @​types/jsonwebtoken and fix deps in package-lock (2322a9b67a5b5c716f953a53a0bb4bbc696d0a11)

v8.2.0

Compare Source

• add an optional handler for expired tokens. closes #​6048 (ca6c90ccbb4b61b91f417a5dfa56f0b931b81528), closes #​6048

v8.1.0

Compare Source

• update type to match jwks-rsa (bcad8af9cad82b3777cc38d1c05864a35f82bc53)
• feat: export middleware options type. closes #​308 (25a30f0d50c02cc75ab17b09f3592e76e09f9666), closes #​308

v8.0.0

Compare Source

• Upgrade jsonwebtoken to v9. GHSA-27h2-hvpr-p74q .

v7.7.8

Compare Source

v7.7.7

Compare Source

v7.7.6

Compare Source

v7.7.5

Compare Source

v7.7.4

Compare Source

v7.7.3

Compare Source

• Fix tsc build error for express-unless (e1fe1d264bc5363e008d23fea9d8c5d2ac0d8198)
• Remove esModuleInterop and fix assert import in tests (9ccf0cfd6aaa4cc61fce2f8ccdb961c4b0358201)

v7.7.2

Compare Source

• fix instaceof comparison for UnauthorizedError. closes #​292 (6c87fe401ecba868feda1ffa530082c7c539321a), closes #​292
• update changelog (b1344fa7f6f9dd3d27115a9107b3ef4323733895)

v7.7.1

Compare Source

• fix readme and package-lock (7a02ca76c5d7842cfa8b256dcc89dcef1ffbcdc1)
• build(deps): required runtime types (f3f5af5c214241b4f92b91c49db8586ec20e4526)
• docs: fix tiny typo (07e771857489b6344a8dc457069d040a76e84230)

v7.7.0

Compare Source

• deprecate ExpressJwtRequest in favor of Request with optional auth, closes #​284 (de169def56f98f4237741aa6755d0c5e248bd561), closes #​284

v7.6.2

Compare Source

• remove undefined from algorhitms fix #​285 (587238bd0ad7a59f784daf9f626b9bf9abc7e029), closes #​285

v7.6.1

Compare Source

• add note about @​types/jsonwebtoken in readme (03c8419d6fc78c9029a7b474d3aede7f94e80121)
• make algorithms a required parameter in types. closes #​285 (097a1df0d7ba511afce9578e4cf45bca2589b253), closes #​285
• update changelog (9d0f02debb7a3db83edbc9f9b4b6d46993e6a4f4)

v7.6.0

Compare Source

• add ExpressJwtRequestUnrequired to the readme (3890f53f87b0a84dccaafd8de5a43d3c1dfeae89)
• add SecretCallback[Long] back for backward compatibility (c24078e285908cad1c2ac0e63482a75ebf7d7328)
• update changelog (d3a8e80dec3a6c261f840ad763487a16a47bbc4b)

v7.5.2

Compare Source

• export another type for credentialsRequired: false / ExpressJwtRequestUnrequired (1bdb6f3d0cc5f61b7a7b097f700d20cb337d4bef)

v7.5.1

Compare Source

• make req.auth optional in the ExpressJwtRequest type (496fda4a0a20292ca70055b6ab8fdf50414ffa2b)
• update changelog (727b57ddfec1f1c5ee4e16cb335ad1ae5a3c131f)

v7.5.0

Compare Source

• export TokenGetter (eb7479b834fb0e052ffad4279394ce353bb13770)
• improve readme and some types. Closes #​283 (1a67f69c8781179d3ce7e5f3de8ece40d31c1772), closes #​283
• restore requestProperty (bf143d07497046b3e7921d3dd4bcbc18e2daeb67)

v7.4.3

Compare Source

• improve readme (bd2515bec698604c645decd5be93e4f401263662)

v7.4.2

Compare Source

• include '/dist' in package, closes #​280 (cf2665d5581e76ed5742e7c2f34b8d05f91cfd18), closes #​280

v7.4.1

Compare Source

• fix readme definition for revoked and secret callbacks (9015cf729cfbbf1b28a9646cccbf26d523dce1de)
• update changelog (05d7a78baaf76a2a881a95666b0ec7349729d957)

v7.4.0

Compare Source

• handle authorization header in cors when is upper cased. fixes #​180, #​173 (ab0ee806416e3a5a48ef8a1017a298e1a666b17a), closes #​180 #​173

v7.3.0

Compare Source

• add support for capital Authorization header. closes #​200 (6c0698b513e11ff1d4b152e070a627f5092be801), closes #​200

v7.2.0

Compare Source

• Add example on how to enable jwt for specific path (280511342522f11a90da93187a44af1a1b3cf5eb)
• Fix link to auth0.com (b04cb9dea9a9fb2dc999a8dbf30ba6f204f50d15)
• remove travis badge (a854342c28f7186ec70e298124b4d650a26767b2)
• Update docs to continue error handling on mismatch (627b358d07b19d299964a5ef18a772db9b6426e2)
• Update README.md (8d7af267189a49f42b88807d236647bd7398fde3)

v7.1.0

Compare Source

• add support for async, closes #​249 (72236ec1cfb0e7847351c83908be1d84141e30f1), closes #​249
• update changelog (cb50ed43b2de9ae9be8643e7834640fa912ef367)

v7.0.0

Compare Source

• Convert the project to typescript and improve typescript (2b43ccb7252f2cc2fb3c2655a252fd7ae58ce0dd)

express-validator/express-validator (express-validator)

v7.3.1

Compare Source

• Upgraded Validator to v13.15.23 (#​1338, #​1343)

v7.3.0

Compare Source

• Upgraded validator to v13.12.0 (see their release notes: https://github.com/validatorjs/validator.js/releases/tag/13.15.15)

v7.2.1

Compare Source

• Clone non-primitive replacement values when using #default()/#replace() to avoid object reference reuse (#​1316)

v7.2.0

Compare Source

• Add hide() method (#​1304, #​1305)
• Add wildcard values to custom validator's metadata (#​1297, #​1308)
• Correctly select properties of primitives (#​1245, #​1279)

v7.1.0

Compare Source

• Upgraded validator to v13.12.0 (see their release notes: https://github.com/validatorjs/validator.js/releases/tag/13.12.0)
• Added missing fields to IsURLOptions (#​1258, #​1259)
• Added isULID() validator (#​1248)
• Several improvements to docs

v7.0.1

Compare Source

• Fixed checkSchema() warning that known validators are unknown when its value is false - #​1223

v7.0.0

Compare Source

🚀 🙌 First major version in almost 4 years! 🚀 🤯
Thanks everybody for having the patience. Hopefully this version brings many improvements to your developer experience!

Breaking changes 💥

• Minimum supported Node.js version is now 14+
• Removed deprecated APIs - #​993
  • Import paths express-validator/check and express-validator/filter
  • Sanitization-only middlewares (e.g. sanitize(), sanitizeBody(), etc)
  • Deprecated TypeScript types (ValidationParamSchema and ValidationSchema)
• isObject() validator now assumes options.strict = true by default
• Validation errors changed shape
  • Field validation errors param property has been renamed to path
  • oneOf() validation errors no longer have a param: '_error' property
• (TypeScript only) The ValidationError type is now a discriminated union, it might be necessary to use switch or if statements to check that you're dealing with the type that you want to debug/format
• oneOf() signature changed: from oneOf(chains, message) to oneOf(chains, options: { message, errorType })
• oneOf() default error structure now groups errors by their... validation group!, instead of in a flat list

Checkout the migration guide for examples on how to work around some of these:
https://express-validator.github.io/docs/migration-v6-to-v7

New features ✨

• Added validation for no unknown fields - #​558, #​578, #​612, #​1148, #​809, #​927, #​1204
• Added globstars (deep wildcard) support - #​790, #​1137, #​1216
• Added support for multiple custom validators/sanitizers in checkSchema() - #​552, #​1180
• Added request-level bail - #​1100, #​1214
• Added a ExpressValidator class which allows adding "persistent" custom validators, sanitizers, and options - #​1077, #​1079, #​1209
• Added oneOf() support to .if() - #​1170
• Added new error types to oneOf() - #​956, #​1022

Bug fixes 🐛

• Validating/sanitizing arrays no longer drops all but the first value - #​791, #​755, #​704, #​1002
• Added missing ko-KR to MobilePhoneLocale - #​1218, #​1219
• Don't silently fail when setting withMessage and not in schemas - #​664

New Contributors

• @​Yoowatney made their first contribution in #​1219

Full Changelog: express-validator/express-validator@v6.15.0...v7.0.0

remy/nodemon (nodemon)

v3.1.14

Compare Source

Bug Fixes

• get watch working on windows (cfebe2f), closes #​2270

v3.1.13

Compare Source

Bug Fixes

• TypeScript definition for 'restart' args (5c03715), closes #​2265

v3.1.12

Compare Source

Bug Fixes

• bump minimatch (9376af3), closes #​2267

v3.1.11

Compare Source

v3.1.10

Compare Source

Bug Fixes

• update types and jsdocs (#​2232) (297c7c7), closes #​2231

v3.1.9

Compare Source

Bug Fixes

• maintain backward support for exitcrash (9c9de6e)

v3.1.8

Compare Source

Bug Fixes

• types updated (cb91187)

v3.1.7

Compare Source

Bug Fixes

• types for export on ESModule (#​2211) (9b0606a)

v3.1.6

Compare Source

Bug Fixes

• watch nested paths (11fcaaa), closes #​2216

v3.1.5

Compare Source

Bug Fixes

• add missing ignore option to type defintion of config (#​2224) (254c2ab)

v3.1.4

Compare Source

Bug Fixes

• ensure local env have priority (6020968), closes #​2209

v3.1.3

Compare Source

Bug Fixes

• cast the nodemon function as Nodemon type (eaa1d54), closes #​2206

v3.1.2

Compare Source

Bug Fixes

• Type exports correctly (#​2207) (789663c), closes #​2206

v3.1.1

Compare Source

Bug Fixes

• add types to help with required nodemon usage (#​2204) (cd27c0b)

v3.1.0

Compare Source

Features

• Enable nodemon to monitor file removal (#​2182) (02d216f)

v3.0.3

Compare Source

Bug Fixes

• use node when using --import (d3ee86e), closes #​2157

v3.0.2

Compare Source

Bug Fixes

• bump debug out of vuln range (533ad9c), closes #​2146

v3.0.1

Compare Source

Bug Fixes

• restore default ext watch behaviour (95bee00), closes #​2124 #​1957

v3.0.0

Compare Source

Bug Fixes

• also watch cjs (86d5f40)
• node@​10 support back in (af3b9e2)
• semver vuln dep (6bb8766), closes #​2119

Features

• always use polling on IBM i (3b58104)

BREAKING CHANGES

• official support for node@​8 dropped.

However there's no function being used in semver that breaks node 8,
so it's technically still possible to run with node 8, but it will
no longer be supported (or tested in CI).

---

Configuration

📅 Schedule: Branch creation - "before 3am on the first day of the month" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Note

High Risk
Upgrades major versions of express and express-jwt, which can introduce breaking middleware/auth behavior and runtime incompatibilities without accompanying code changes.

Overview
Updates server/tooling dependencies, including major bumps to bcryptjs (2.x→3.x), express (4.x→5.x), express-jwt (6.x→8.x), express-validator (6.x→7.x), and nodemon (2.x→3.x).

yarn.lock is regenerated accordingly, pulling in new transitive versions (notably jsonwebtoken@9, new router/serve-static/body-parser chains for Express 5).

^{Written by Cursor Bugbot for commit 656039c. This will update automatically on new commits. Configure here.}

[cypress-app-bot]

See the guidelines for reviewing dependency updates for info on how to review dependency update PRs.