build(deps): bump path-to-regexp, @vaadin/router and express in /apps/pwabuilder

[dependabot]

Bumps path-to-regexp to 6.3.0 and updates ancestor dependencies path-to-regexp, @vaadin/router and express. These dependencies need to be updated together.

Updates path-to-regexp from 0.1.7 to 6.3.0

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking in 6.x

Fixed

• Add backtrack protection to 6.x (#324) f1253b4

pillarjs/path-to-regexp@v6.2.2...v6.3.0

Updated README

No API changes. Documentation only release.

Changed

• Fix readme example c7ec332
• Update shield URL e828000

pillarjs/path-to-regexp@v6.2.1...v6.2.2

Fix matching :name* parameter

Fixed

• Fix invalid matching of :name* parameter (#261) 762bc6b
• Compare delimiter string over regexp 86baef8

Added

• New example in documentation (#256) ae9e576
• Update demo link (#250) 77df638
• Update README encode example b39edd4

pillarjs/path-to-regexp@v6.2.0...v6.2.1

Named Capturing Groups

Added

• Support named capturing groups for RegExps (#225)

Fixed

• Update strict flag documentation (#227)
• Ignore test files when bundling (#220)

Use /#? as Default Delimiter

Fixed

• Use /#? as default delimiter to avoid matching on query or fragment parameters
  • If you are matching non-paths (e.g. hostnames), you can adjust delimiter: '.'

Custom Prefix and Suffix Groups

This release reverts the prefix behavior added in v3 back to the behavior seen in v2. For the most part, path matching is backward compatible with v2 with these enhancements:

... (truncated)

Changelog

Sourced from path-to-regexp's changelog.

Moved to GitHub Releases

3.0.0 / 2019-01-13

• Always use prefix character as delimiter token, allowing any character to be a delimiter (e.g. /:att1-:att2-:att3-:att4-:att5)
• Remove partial support, prefer escaping the prefix delimiter explicitly (e.g. \\/(apple-)?icon-:res(\\d+).png)

2.4.0 / 2018-08-26

• Support start option to disable anchoring from beginning of the string

2.3.0 / 2018-08-20

• Use delimiter when processing repeated matching groups (e.g. foo/bar has no prefix, but has a delimiter)

2.2.1 / 2018-04-24

• Allow empty string with end: false to match both relative and absolute paths

2.2.0 / 2018-03-06

• Pass token as second argument to encode option (e.g. encode(value, token))

2.1.0 / 2017-10-20

• Handle non-ending paths where the final character is a delimiter
  • E.g. /foo/ before required either /foo/ or /foo// to match in non-ending mode

2.0.0 / 2017-08-23

• New option! Ability to set endsWith to match paths like /test?query=string up to the query string
• New option! Set delimiters for specific characters to be treated as parameter prefixes (e.g. /:test)
• Remove isarray dependency
• Explicitly handle trailing delimiters instead of trimming them (e.g. /test/ is now treated as /test/ instead of /test when matching)
• Remove overloaded keys argument that accepted options
• Remove keys list attached to the RegExp output
• Remove asterisk functionality (it's a real pain to properly encode)
• Change tokensToFunction (e.g. compile) to accept an encode function for pretty encoding (e.g. pass your own implementation)

1.7.0 / 2016-11-08

• Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

1.6.0 / 2016-10-03

• Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
• Allow a delimiter option to be passed in with parse
• Updated TypeScript definition with Keys and Options updated

1.5.3 / 2016-06-15

... (truncated)

Commits

• 75a92c3 6.3.0
• f1253b4 Add backtrack protection to 6.x (#324)
• 28a5b27 6.2.2
• 270876d Test on min node 16
• d5a42b6 Run tests on ubuntu
• 1c265a1 Upgrade dev deps, prettier format
• c7ec332 Fix readme example
• 25da491 Bump node v14 for tests
• 980d1db Add v8 coverage
• e828000 Update shield URL
• Additional commits viewable in compare view

Updates @vaadin/router from 1.7.5 to 2.0.0

Release notes

Sourced from @​vaadin/router's releases.

v2.0.0

API documentation

With the v2 major release, Vaadin Router was entirely ported to TypeScript. We removed outdated code and features targeting MSIE 11, bower, and HTML imports, and updated the libraries and build tools we use. In addition, we introduced generic parameters on the router core types, which facilitates extendibility of the route definition on the user end.

New Features

• Generic route type support. The Router class supports route object extensions provided with a generic argument. This allows adding custom metadata directly on the route object with keeping consistent types:

  /**
   * Custom route metadata.
   */
  type RouteMeta = Readonly<{
    title: string;
  }>;
  const router = new Router<RouteMeta>(document.body);
  router.setRoutes([
  {
  path: '',
  component: 'page-index',
  title: 'Index page',
  },
  ]);

Breaking Changes

• Removing support for MS Internet Explorer.
• Support for bundle route key was removed. Now that using ES modules is common, for lazy loading of views use dynamic import from the action callback.
• The Router namespace export was removed. For referencing router types, either refer to exports directly, or use ES module namespace import:

  import type * as RouterTypes from '@vaadin/router';

• The path-to-regexp library was updated to v6.3.0. This update brought some behavior altering changes affecting route parameter parsing and matching. See to the library README for the supported patterns.
• Some TypeScript interfaces of the router library were changed with introducing generic support:
  • The Context type was replaced with the RouteContext generic type.
  • The ComponentResult type is replaced with the standard HTMLElement type.
  • The AfterEnterObserver, AfterLeaveObserver, BeforeEnterObserver, BeforeLeaveObserver interfaces were combined into the single generic WebComponentInterface with multiple optional user callbacks.
  • The ActionFn function type has no direct alternative yet. Use the key of the Route type: NonNullable<Route["action"]>.

Known Limitations

The following known issues of the router v2.0.0 release will be addressed in the next v2.0.1 release:

• Type compatibility with the Router v1 is lacking due to missing type definitions for Router v1 types: Context, ComponentResult, AfterEnterObserver, AfterLeaveObserver, BeforeEnterObserver, BeforeLeaveObserver observer interfaces.
• The Router requires ES2022 target setting in TypeScript due to relying on the ErrorOptions type, see vaadin/router#897

In addition, the live router demos are not available yet. We're currently working on porting them from HTML imports and Polymer toolset to ES modules, TypeScript and Vite.

... (truncated)

Commits

• 7e87b3b fix: use es2021 as a target for TypeScript (#900)
• 842b6f7 chore: use concurrently instead of abandoned npm-run-all (#899)
• 23e485a chore: rename d.ts files to t.ts to resolve skipLibCheck issue (#892)
• 7a889a9 fix: add route v1 compatibility type definitions (#895)
• e2e579c chore(deps-dev): bump stylelint from 16.9.0 to 16.10.0 (#894)
• 8a5d64d Update README.md
• ca6359c docs: add documentation system and more docs (#890)
• fc5df13 2.0.0
• 167efd6 2.0.0-rc4
• 1c559fb fix: Router#resolve typings (#891)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by sunzhewyq, a new releaser for @​vaadin/router since your current version.

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump path-to-regexp@0.1.12 (#6209)
• 59fc270 deps: path-to-regexp@0.1.11 (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): cookie@0.7.1
• 7e562c6 4.21.0
• 1bcde96 fix(deps): qs@6.13.0 (#5946)
• 7d36477 fix(deps): serve-static@1.16.2 (#5951)
• 40d2d8f fix(deps): finalhandler@1.3.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[microsoft-github-policy-service]

Thanks dependabot[bot] for opening a Pull Request! The reviewers will test the PR and highlight if there is any conflict or changes required. If the PR is approved we will proceed to merge the pull request 🙌