Skip to content

deps(server)(deps): bump the security-dependencies group across 1 directory with 3 updates#31

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/server/security-dependencies-5a6a90184b
Open

deps(server)(deps): bump the security-dependencies group across 1 directory with 3 updates#31
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/server/security-dependencies-5a6a90184b

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026
edited
Loading

Bumps the security-dependencies group with 3 updates in the /server directory: express-rate-limit, express-validator and sanitize-html.

Updates express-rate-limit from 8.3.0 to 8.5.2

Release notes

Sourced from express-rate-limit's releases.

v8.5.2

You can view the changelog here.

v8.5.1

You can view the changelog here.

v8.5.0

You can view the changelog here.

v8.4.1

You can view the changelog here.

v8.4.0

You can view the changelog here.

v8.3.2

You can view the changelog here.

v8.3.1

You can view the changelog here.

Commits
  • 9774693 8.5.2
  • 0e94cc0 v8.5.2 changelog
  • 9a583c5 feat: simplify IPv6 key generation (#633)
  • 4f4b3fb chore(deps-dev): bump lint-staged from 16.4.0 to 17.0.4 (#632)
  • 3c1d6c5 chore(deps-dev): bump the development-dependencies group with 7 updates (#631)
  • 18884b6 chore(deps): bump basic-ftp from 5.2.0 to 5.3.1 (#630)
  • dacc980 chore(deps): bump handlebars from 4.7.8 to 4.7.9 (#629)
  • 486d0c6 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#627)
  • 50cc3f6 8.5.1
  • 92c8e3e chore: bump ip-address library to latest (#626)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for express-rate-limit since your current version.


Updates express-validator from 7.3.1 to 7.3.2

Release notes

Sourced from express-validator's releases.

v7.3.2

What's Changed

Plus several docs changes.

New Contributors

Full Changelog: express-validator/express-validator@v7.3.1...v7.3.2

Commits

Updates sanitize-html from 2.17.2 to 2.17.4

Changelog

Sourced from sanitize-html's changelog.

2.17.4

Changes

  • sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

  • Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

2.17.3 (2026-04-15)

Security

  • Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.
Commits

@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Apr 20, 2026

Assignees

The following users could not be added as assignees: fernandocarvalho. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: backend, dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/server/security-dependencies-5a6a90184b branch from 1b72554 to 346bf1d Compare April 27, 2026 06:36
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/server/security-dependencies-5a6a90184b branch from 346bf1d to 8f0a07e Compare May 4, 2026 06:45
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/server/security-dependencies-5a6a90184b branch from 8f0a07e to c9a3d45 Compare May 11, 2026 07:17
@dependabot
deps(server)(deps): bump the security-dependencies group across 1 dir…
935ad97 
…ectory with 3 updates

Bumps the security-dependencies group with 3 updates in the /server directory: [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit), [express-validator](https://github.com/express-validator/express-validator) and [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html).


Updates `express-rate-limit` from 8.3.0 to 8.5.2
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v8.3.0...v8.5.2)

Updates `express-validator` from 7.3.1 to 7.3.2
- [Release notes](https://github.com/express-validator/express-validator/releases)
- [Commits](express-validator/express-validator@v7.3.1...v7.3.2)

Updates `sanitize-html` from 2.17.2 to 2.17.4
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/HEAD/packages/sanitize-html)

---
updated-dependencies:
- dependency-name: express-rate-limit
  dependency-version: 8.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-dependencies
- dependency-name: express-validator
  dependency-version: 7.3.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-dependencies
- dependency-name: sanitize-html
  dependency-version: 2.17.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: security-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/server/security-dependencies-5a6a90184b branch from c9a3d45 to 935ad97 Compare May 18, 2026 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants