build(deps): bump the ledger-npm group across 1 directory with 18 updates by dependabot[bot] · Pull Request #81 · SentinelOps-CI/provability-fabric

dependabot · 2026-06-03T18:51:25Z

Bumps the ledger-npm group with 18 updates in the /runtime/ledger directory:

Package	From	To
@apollo/server	`4.12.2`	`5.5.1`
@modelcontextprotocol/sdk	`1.17.4`	`1.29.0`
@prisma/client	`5.22.0`	`7.8.0`
axios	`1.11.0`	`1.18.0`
body-parser	`1.20.3`	`2.3.0`
cors	`2.8.5`	`2.8.6`
date-fns	`2.30.0`	`4.4.0`
express	`4.21.2`	`5.2.1`
@types/express	`4.17.23`	`5.0.6`
graphql	`16.11.0`	`17.0.0`
jwks-rsa	`3.2.0`	`4.0.1`
morgan	`1.10.1`	`1.11.0`
prisma	`5.22.0`	`7.8.0`
winston	`3.17.0`	`3.19.0`
@types/node	`20.19.9`	`25.9.3`
jest	`29.7.0`	`30.4.2`
@types/jest	`29.5.14`	`30.0.0`
typescript	`5.8.3`	`6.0.3`

Updates @apollo/server from 4.12.2 to 5.5.1

Release notes

Sourced from @apollo/server's releases.

@apollo/server-integration-testsuite@5.5.1

Patch Changes

Updated dependencies [3f46c51]:

@apollo/server@5.5.1

@apollo/server@5.5.1

Patch Changes

#8201 3f46c51 Thanks @mhassan1! - Replace dependency uuid with calls to crypto.randomUUID.

@apollo/server-integration-testsuite@5.5.0

Minor Changes

#8191 ada1200 - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

Patch Changes

Updated dependencies [ada1200]:

@apollo/server@5.5.0

@apollo/server@5.5.0

Minor Changes

#8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

... (truncated)

Changelog

Sourced from @apollo/server's changelog.

5.5.1

Patch Changes

#8201 3f46c51 Thanks @mhassan1! - Replace dependency uuid with calls to crypto.randomUUID.

5.5.0

Minor Changes

#8191 ada1200 Thanks @glasser! - ⚠️ SECURITY @apollo/server/standalone:

Apollo Server now rejects GraphQL GET requests which contain a Content-Type header other than application/json (with optional parameters such as ; charset=utf-8). Any other value is now rejected with a 415 status code.

(GraphQL GET requests without a Content-Type header are still allowed, though they do still need to contain a non-empty X-Apollo-Operation-Name or Apollo-Require-Preflight header to be processed if the default CSRF prevention feature is enabled.)

This improvement makes Apollo Server's CSRF more resistant to browsers which implement CORS in non-spec-compliant ways. Apollo is aware of one browser which as of March 2026 has a bug which allows an attacker to circumvent Apollo Server's CSRF prevention feature to carry out read-only XS-Search-style CSRF attacks. The browser vendor is in the process of patching this vulnerability; upgrading Apollo Server to v5.5.0 mitigates this vulnerability.

If your server uses cookies (or HTTP Basic Auth) for authentication, Apollo encourages you to upgrade to v5.5.0.

This is technically a backwards-incompatible change. Apollo is not aware of any GraphQL clients which provide non-empty Content-Type headers with GET requests with types other than application/json. If your use case requires such requests, please file an issue and we may add more configurability in a follow-up release.

See advisory GHSA-9q82-xgwf-vj6h for more details.

5.4.0

Minor Changes

d25a5bd Thanks @phryneas! - ⚠️ SECURITY @apollo/server/standalone:

The default configuration of startStandaloneServer was vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings.

In accordance with RFC 7159, we now only accept request bodies encoded in UTF-8, UTF-16 (LE or BE), or UTF-32 (LE or BE). Any other character set will be rejected with a 415 Unsupported Media Type error. Note that the more recent JSON RFC, RFC 8259, is more strict and will only allow UTF-8. Since this is a minor release, we have chosen to remain compatible with the more permissive RFC 7159 for now. In a future major release, we may tighten this restriction further to only allow UTF-8.

If you were not using startStandaloneServer, you were not affected by this vulnerability.

Generally, please note that we provide startStandaloneServer as a convenience tool for quickly getting started with Apollo Server. For production deployments, we recommend using Apollo Server with a more fully-featured web server framework such as Express, Koa, or Fastify, where you have more control over security-related configuration options.

5.3.0

Minor Changes
#8062 8e54e58 Thanks @cristunaranjo! - Allow configuration of graphql execution options (maxCoercionErrors)

... (truncated)

Commits

4f15406 Version Packages (#8207)
3f46c51 fix(deps): remove vulnerable dependency uuid (#8201)
64c0e1b Version Packages (#8192)
ada1200 Reject GET requests with a Content-Type other than application/json (#8191)
ad45d15 Version Packages (#8179)
d25a5bd Merge commit from fork
443e547 fix repository urls
28d6d47 Version Packages (#8172)
26320bc feat: Allow configuration of graphql validation options #8014
f2c16a7 bump dependency
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @apollo/server since your current version.

Updates @modelcontextprotocol/sdk from 1.17.4 to 1.29.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.29.0

What's Changed

fix: treat v1.x as primary branch for npm latest tag (backport #1577) by @felixweinberger in modelcontextprotocol/typescript-sdk#1749

[v1.x] fix: disallow null (infinite) requested TTL by @LucaButBoring in modelcontextprotocol/typescript-sdk#1339

[v1.x] fix: add missing size field to ResourceSchema by @olaservo in modelcontextprotocol/typescript-sdk#1575

Add typings exports by @tdraier in modelcontextprotocol/typescript-sdk#1623

v1.x npm audit fix by @KKonstantinov in modelcontextprotocol/typescript-sdk#1780

v1.x #1623 follow up -add missing types to package.json by @KKonstantinov in modelcontextprotocol/typescript-sdk#1773

[v1.x backport] Allow servers / clients to advertise extensions in the capability object by @localden in modelcontextprotocol/typescript-sdk#1811

fix(stdio): always set windowsHide on Windows, not just in Electron by @jnMetaCode in modelcontextprotocol/typescript-sdk#1640

chore: bump version to 1.29.0 by @felixweinberger in modelcontextprotocol/typescript-sdk#1820

New Contributors

@tdraier made their first contribution in modelcontextprotocol/typescript-sdk#1623

@jnMetaCode made their first contribution in modelcontextprotocol/typescript-sdk#1640

Full Changelog: modelcontextprotocol/typescript-sdk@v1.28.0...v1.29.0

v1.28.0

What's Changed

feat: use scopes_supported from resource metadata by default (fixes #580) by @antogyn in modelcontextprotocol/typescript-sdk#757

[v1.x backport] Default to client_secret_basic when server omits token_endpoint_auth_methods_supported by @pcarleton in modelcontextprotocol/typescript-sdk#1611

fix: reject plain JSON Schema objects passed as inputSchema by @tiluckdave in modelcontextprotocol/typescript-sdk#1596

fix: clear _timeoutInfo in _onclose() and scope .finally() abort controller cleanup by @pcarleton in modelcontextprotocol/typescript-sdk#1462

fix(server/auth): RFC 8252 loopback port relaxation by @poteat in modelcontextprotocol/typescript-sdk#1738

chore: bump version to 1.28.0 by @felixweinberger in modelcontextprotocol/typescript-sdk#1746

New Contributors

@antogyn made their first contribution in modelcontextprotocol/typescript-sdk#757

@tiluckdave made their first contribution in modelcontextprotocol/typescript-sdk#1596

@poteat made their first contribution in modelcontextprotocol/typescript-sdk#1738

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.1...v1.28.0

v1.27.1

What's Changed

feat: implement auth/pre-registration conformance scenario by @felixweinberger in modelcontextprotocol/typescript-sdk#1545

docs: add governance documentation for SEP-1730 by @felixweinberger in modelcontextprotocol/typescript-sdk#1547

docs: comprehensive feature documentation for SEP-1730 Tier 1 by @felixweinberger in modelcontextprotocol/typescript-sdk#1548

fix: prevent command injection in example URL opening (v1.x backport) by @maxisbey in modelcontextprotocol/typescript-sdk#1579

fix: call onerror for silently swallowed transport errors by @qing-ant in modelcontextprotocol/typescript-sdk#1580

chore: bump version to 1.27.1 by @felixweinberger in modelcontextprotocol/typescript-sdk#1581

New Contributors

@qing-ant made their first contribution in modelcontextprotocol/typescript-sdk#1580

Full Changelog: modelcontextprotocol/typescript-sdk@v1.27.0...v1.27.1

v1.27.0

What's Changed

... (truncated)

Commits

e12cbd7 chore: bump version to 1.29.0 (#1820)
3913fd4 fix(stdio): always set windowsHide on Windows, not just in Electron (#1640)
5608e78 [v1.x backport] Allow servers / clients to advertise extensions in the capabi...
7213816 v1.x #1623 follow up -add missing types to package.json (#1773)
364f38c v1.x npm audit fix (#1780)
c95cc09 Add typings exports (#1623)
ddadaa6 [v1.x] fix: add missing size field to ResourceSchema (#1575)
2a15851 [v1.x] fix: disallow null (infinite) requested TTL (#1339)
13e30f1 fix: treat v1.x as primary branch for npm latest tag (backport #1577) (#1749)
a056569 chore: bump version to 1.28.0 (#1746)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.

Updates @prisma/client from 5.22.0 to 7.8.0

Release notes

Sourced from @prisma/client's releases.

7.8.0

Today, we are excited to share the 7.8.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

Prisma Client

Added a queryPlanCacheMaxSize option to the PrismaClient constructor for fine-grained control over the query plan cache. Pass 0 to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)

Bug Fixes

Prisma Client

Fixed an equality filter panic and incorrect ::jsonb cast when filtering on PostgreSQL JSON list columns. Queries using where: { jsonListField: { equals: [...] } }prisma/prisma-engines#5804

Fixed case-insensitive JSON field filtering (mode: insensitive), allowing where: { jsonField: { equals: "...", mode: "insensitive" } }prisma/prisma-engines#5806

Fixed incorrect parameterization of enum values that have a custom database name set via @map. (#29422)

Fixed a database parameter limit check (P2029), which could incorrectly reject or miss over-limit queries. (#29422)

Fixed a regression that caused missing SQL Server VARCHARprisma/prisma-engines#5801

Schema Engine

Fixed a misleading error message in prisma migrate diff that referenced the --shadow-database-url CLI flag, which was removed in Prisma 7. (#29455)

Fixed prisma migrate dev (and shadow database migration replay in general) failing with CREATE INDEX CONCURRENTLY cannot run inside a transaction blockprisma/prisma-engines#5799

Fixed PostgreSQL introspection silently dropping sequence defaults when the database returns the schema-qualified form pg_catalog.nextval('sequence_name'::regclass) instead of the bare nextval(...). Columns backed by sequences now correctly appear as @default(autoincrement())prisma/prisma-engines#5802

Driver Adapters

@prisma/adapter-d1: Savepoint operations (createSavepoint, rollbackToSavepoint, releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

7.7.0

Today, we are excited to share the 7.7.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

... (truncated)

Commits

62b44ac chore(deps): update engines to 7.8.0-5.e96eae70cf4ade6a15d7e6064d5b0b4f7d835d...
4104864 feat: add a query plan cache size parameter (#29503)
723ba7b chore(deps): update engines to 7.8.0-4.8c287008617e9b12f313df99e2c821ae61ea9a...
cadbafe chore(deps): update engines to 7.8.0-2.3187e3937290320ba3c7dbd5aa94af67942b44...
f705533 chore(deps): update engines to 7.8.0-1.7b80cc56c645c6e03c7541474e6a7c8d91b70d...
fbab4e8 Fix 29271 (#29303)
6a3c3cc chore: extract parameterization to client-engine-runtime (#29422)
5b420f8 fix(client): prevent caching of createMany queries to avoid cache bloat and p...
30f0af6 feat: dmmf streaming with an E2E test (#29377)
14c3c2e fix: pin E2E typescript to prevent 6 upgrade (#29383)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @prisma/client since your current version.

Updates axios from 1.11.0 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

@drori12 (#10984)

@eyupcanakman (#10899)

@Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)

Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)

Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)

React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

@drori12 (#10984)

@eyupcanakman (#10899)

@Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)

Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)

Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)

React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Commits

2d06f96 chore(release): prepare release 1.18.0 (#11003)
32fc489 fix: malformed http urls (#11000)
b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
fe964f9 docs: mark proxy config as Node.js only (#10995)
5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
fae9d4e docs: clarify package update PR policy (#10992)
28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
614f455 docs: publish v1.17.0 release notes (#10988)
6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates body-parser from 1.20.3 to 2.3.0

Release notes

Sourced from body-parser's releases.

v2.3.0

What's Changed

build(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in expressjs/body-parser#681

build(deps): bump actions/checkout from 5.0.0 to 6.0.1 by @dependabot[bot] in expressjs/body-parser#682

build(deps): bump actions/setup-node from 6.0.0 to 6.1.0 by @dependabot[bot] in expressjs/body-parser#683

build(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in expressjs/body-parser#685

build(deps): bump github/codeql-action from 4.31.2 to 4.31.9 by @dependabot[bot] in expressjs/body-parser#684

perf(urlencoded): move empty-body guard to avoid extra function closure by @Phillip9587 in expressjs/body-parser#647

Improve ESM compatibility by @Phillip9587 in expressjs/body-parser#697

docs: add recommendations for configuring payload limits by @bjohansebas in expressjs/body-parser#699

build(deps): bump actions/setup-node from 6.1.0 to 6.2.0 by @dependabot[bot] in expressjs/body-parser#701

build(deps): bump github/codeql-action from 4.31.10 to 4.32.0 by @dependabot[bot] in expressjs/body-parser#702

build(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in expressjs/body-parser#700

chore: add explicit type commonjs to package.json by @Phillip9587 in expressjs/body-parser#711

deps: update dependencies to latest versions by @Phillip9587 in expressjs/body-parser#708

build(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 by @dependabot[bot] in expressjs/body-parser#712

build(deps): bump github/codeql-action from 4.32.0 to 4.32.4 by @dependabot[bot] in expressjs/body-parser#713

build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in expressjs/body-parser#714

fix: improve limit option validation by @Phillip9587 in expressjs/body-parser#698

build(deps): bump github/codeql-action from 4.32.4 to 4.35.1 by @dependabot[bot] in expressjs/body-parser#719

build(deps): bump actions/setup-node from 6.2.0 to 6.3.0 by @dependabot[bot] in expressjs/body-parser#718

build(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 by @dependabot[bot] in expressjs/body-parser#717

perf: eliminate conditional check in json strict mode hot path by @Phillip9587 in expressjs/body-parser#651

ci: add node.js 26 to text matrix by @Phillip9587 in expressjs/body-parser#726

build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in expressjs/body-parser#725

build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in expressjs/body-parser#724

build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 by @dependabot[bot] in expressjs/body-parser#723

Upgrade "content-type" by @blakeembrey in expressjs/body-parser#728

refactor: switch to const/let and enable eslint no-var rule by @Phillip9587 in expressjs/body-parser#729

Update outdated reference to MDN docs by @krzysdz in expressjs/body-parser#730

build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 by @dependabot[bot] in expressjs/body-parser#731

build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @dependabot[bot] in expressjs/body-parser#732

chore: updated deps to latest by @Phillip9587 in expressjs/body-parser#733

2.3.0 by @UlisesGascon in expressjs/body-parser#735

New Contributors

@krzysdz made their first contribution in expressjs/body-parser#730

Full Changelog: expressjs/body-parser@v2.2.2...v2.3.0

v2.2.2

What's Changed

docs: update README links by @efekrskl in expressjs/body-parser#673

docs: release notes for the v1.20.4 release by @Phillip9587 in expressjs/body-parser#674

docs: update URL-encoded parser description to include ISO-8859-1 encoding support by @Phillip9587 in expressjs/body-parser#679

docs: use standard jsdoc tags everywhere by @Phillip9587 in expressjs/body-parser#677

deps: qs@^6.14.1 by @UlisesGascon in expressjs/body-parser#689

refactor(json): simplify strict mode error string construction by @jonchurch in expressjs/body-parser#693

Release: 2.2.2 by @UlisesGascon in expressjs/body-parser#691

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.3.0 / 2026-06-15

fix: use static exports instead of lazy getters to improve ESM compatibility

feat: add subpath exports for individual parsers

fix: improve limit option validation (#698)

Invalid limit values (e.g. unparseable strings or NaN) now throw instead of being silently ignored, which previously disabled size limit enforcement

null and undefined fall back to the default 100kb limit

deps:

content-type@^2.0.0

http-errors@^2.0.1

iconv-lite^0.7.2

qs@^6.15.2

raw-body@^3.0.2

type-is@^2.1.0

2.2.2 / 2026-01-07

deps: qs@^6.14.1

refactor(json): simplify strict mode error string construction

2.2.1 / 2025-11-24

Security fix for GHSA-wqch-xfxh-vrr4

deps:

type-is@^2.0.1

iconv-lite@^0.7.0

Handle split surrogate pairs when encoding UTF-8

Avoid false positives in encodingExists by using prototype-less objects

raw-body@^3.0.1

debug@^4.4.3

2.2.0 / 2025-03-27

refactor: normalize common options for all parsers

deps:

iconv-lite@^0.6.3

2.1.0 / 2025-02-10

deps:

type-is@^2.0.0

debug@^4.4.0

Removed destroy

refactor: prefix built-in node module imports

use the node require cache instead of custom caching

... (truncated)

Commits

d0f2ace 2.3.0 (#735)
7d03f2f chore: updated deps to latest (#733)
8024ba7 build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#732)
32b4ed4 build(deps): bump github/codeql-action from 4.35.3 to 4.36.1 (#731)
ff0f6b9 docs: update outdated reference to MDN docs (#730)
14d001a refactor: switch to const/let and enable eslint no-var rule (#729)
37f36a2 deps: update content-type and type-is (#728)

…ates Bumps the ledger-npm group with 18 updates in the /runtime/ledger directory: | Package | From | To | | --- | --- | --- | | [@apollo/server](https://github.com/apollographql/apollo-server/tree/HEAD/packages/server) | `4.12.2` | `5.5.1` | | [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk) | `1.17.4` | `1.29.0` | | [@prisma/client](https://github.com/prisma/prisma/tree/HEAD/packages/client) | `5.22.0` | `7.8.0` | | [axios](https://github.com/axios/axios) | `1.11.0` | `1.18.0` | | [body-parser](https://github.com/expressjs/body-parser) | `1.20.3` | `2.3.0` | | [cors](https://github.com/expressjs/cors) | `2.8.5` | `2.8.6` | | [date-fns](https://github.com/date-fns/date-fns) | `2.30.0` | `4.4.0` | | [express](https://github.com/expressjs/express) | `4.21.2` | `5.2.1` | | [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) | `4.17.23` | `5.0.6` | | [graphql](https://github.com/graphql/graphql-js) | `16.11.0` | `17.0.0` | | [jwks-rsa](https://github.com/auth0/node-jwks-rsa) | `3.2.0` | `4.0.1` | | [morgan](https://github.com/expressjs/morgan) | `1.10.1` | `1.11.0` | | [prisma](https://github.com/prisma/prisma/tree/HEAD/packages/cli) | `5.22.0` | `7.8.0` | | [winston](https://github.com/winstonjs/winston) | `3.17.0` | `3.19.0` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.9` | `25.9.3` | | [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `29.7.0` | `30.4.2` | | [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) | `29.5.14` | `30.0.0` | | [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `6.0.3` | Updates `@apollo/server` from 4.12.2 to 5.5.1 - [Release notes](https://github.com/apollographql/apollo-server/releases) - [Changelog](https://github.com/apollographql/apollo-server/blob/main/packages/server/CHANGELOG.md) - [Commits](https://github.com/apollographql/apollo-server/commits/@apollo/server@5.5.1/packages/server) Updates `@modelcontextprotocol/sdk` from 1.17.4 to 1.29.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.17.4...v1.29.0) Updates `@prisma/client` from 5.22.0 to 7.8.0 - [Release notes](https://github.com/prisma/prisma/releases) - [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/client) Updates `axios` from 1.11.0 to 1.18.0 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.11.0...v1.18.0) Updates `body-parser` from 1.20.3 to 2.3.0 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.3...v2.3.0) Updates `cors` from 2.8.5 to 2.8.6 - [Release notes](https://github.com/expressjs/cors/releases) - [Changelog](https://github.com/expressjs/cors/blob/master/HISTORY.md) - [Commits](expressjs/cors@v2.8.5...v2.8.6) Updates `date-fns` from 2.30.0 to 4.4.0 - [Release notes](https://github.com/date-fns/date-fns/releases) - [Commits](date-fns/date-fns@v2.30.0...v4.4.0) Updates `express` from 4.21.2 to 5.2.1 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/master/History.md) - [Commits](expressjs/express@4.21.2...v5.2.1) Updates `@types/express` from 4.17.23 to 5.0.6 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express) Updates `graphql` from 16.11.0 to 17.0.0 - [Release notes](https://github.com/graphql/graphql-js/releases) - [Commits](graphql/graphql-js@v16.11.0...v17.0.0) Updates `jwks-rsa` from 3.2.0 to 4.0.1 - [Release notes](https://github.com/auth0/node-jwks-rsa/releases) - [Changelog](https://github.com/auth0/node-jwks-rsa/blob/master/CHANGELOG.md) - [Commits](auth0/node-jwks-rsa@v3.2.0...v4.0.1) Updates `morgan` from 1.10.1 to 1.11.0 - [Release notes](https://github.com/expressjs/morgan/releases) - [Changelog](https://github.com/expressjs/morgan/blob/master/HISTORY.md) - [Commits](expressjs/morgan@1.10.1...1.11.0) Updates `prisma` from 5.22.0 to 7.8.0 - [Release notes](https://github.com/prisma/prisma/releases) - [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/cli) Updates `winston` from 3.17.0 to 3.19.0 - [Release notes](https://github.com/winstonjs/winston/releases) - [Changelog](https://github.com/winstonjs/winston/blob/master/CHANGELOG.md) - [Commits](winstonjs/winston@v3.17.0...v3.19.0) Updates `@types/express` from 4.17.23 to 5.0.6 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express) Updates `@types/node` from 20.19.9 to 25.9.3 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `jest` from 29.7.0 to 30.4.2 - [Release notes](https://github.com/jestjs/jest/releases) - [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest) Updates `@types/jest` from 29.5.14 to 30.0.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest) Updates `typescript` from 5.8.3 to 6.0.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](microsoft/TypeScript@v5.8.3...v6.0.3) --- updated-dependencies: - dependency-name: "@apollo/server" dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.29.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ledger-npm - dependency-name: "@prisma/client" dependency-version: 7.8.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: "@types/express" dependency-version: 5.0.6 dependency-type: direct:development update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: "@types/express" dependency-version: 5.0.6 dependency-type: direct:development update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: "@types/jest" dependency-version: 30.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: "@types/node" dependency-version: 25.9.1 dependency-type: direct:development update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: axios dependency-version: 1.17.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ledger-npm - dependency-name: body-parser dependency-version: 2.2.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: cors dependency-version: 2.8.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ledger-npm - dependency-name: date-fns dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: express dependency-version: 5.2.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: graphql dependency-version: 16.14.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ledger-npm - dependency-name: jest dependency-version: 30.4.2 dependency-type: direct:development update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: jwks-rsa dependency-version: 4.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: morgan dependency-version: 1.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ledger-npm - dependency-name: prisma dependency-version: 7.8.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: ledger-npm - dependency-name: winston dependency-version: 3.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ledger-npm ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 3, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/runtime/ledger/ledger-npm-3f9f42dcca branch from d69c3ca to b46a249 Compare June 16, 2026 00:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the ledger-npm group across 1 directory with 18 updates#81

build(deps): bump the ledger-npm group across 1 directory with 18 updates#81
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/runtime/ledger/ledger-npm-3f9f42dcca

dependabot Bot commented on behalf of github Jun 3, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

@​apollo/server-integration-testsuite@​5.5.1

Patch Changes

@​apollo/server@​5.5.1

Patch Changes

@​apollo/server-integration-testsuite@​5.5.0

Minor Changes

Patch Changes

@​apollo/server@​5.5.0

Minor Changes

5.5.1

Patch Changes

5.5.0

Minor Changes

5.4.0

Minor Changes

5.3.0

Minor Changes

v1.29.0

What's Changed

New Contributors

v1.28.0

What's Changed

New Contributors

v1.27.1

What's Changed

New Contributors

v1.27.0

What's Changed

7.8.0

Highlights

ORM

Features

Bug Fixes

Open roles at Prisma

Enterprise support

7.7.0

v1.18.0 — June 13, 2026

🔒 Security Fixes

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

v1.17.0 — June 1, 2026

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

v1.18.0 — June 13, 2026

🔒 Security Fixes

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

v1.17.0 — June 1, 2026

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

v2.3.0

What's Changed

New Contributors

v2.2.2

What's Changed

2.3.0 / 2026-06-15

2.2.2 / 2026-01-07

2.2.1 / 2025-11-24

2.2.0 / 2025-03-27

2.1.0 / 2025-02-10

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jun 3, 2026 •

edited

Loading

`@apollo/server-integration-testsuite@5`.5.1

`@apollo/server@5`.5.1

`@apollo/server-integration-testsuite@5`.5.0

`@apollo/server@5`.5.0