Bump the npm_and_yarn group in /npm_and_yarn/helpers with 5 updates

[dependabot]

Bumps the npm_and_yarn group in /npm_and_yarn/helpers with 6 updates:

Package	From	To
semver	7.6.2	7.6.3
ansi-regex	3.0.0	5.0.1
ansi-regex	4.1.0	5.0.1
http-cache-semantics	3.8.1	4.1.1
npm	6.14.18	10.8.3
tar	4.4.19	6.2.1

Updates semver from 7.6.2 to 7.6.3

Release notes

Sourced from semver's releases.

v7.6.3

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@​jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@​stdavis)

Changelog

Sourced from semver's changelog.

7.6.3 (2024-07-16)

Bug Fixes

• 73a3d79 #726 optimize Range parsing and formatting (#726) (@​jviide)

Documentation

• 2975ece #719 fix extra backtick typo (#719) (@​stdavis)

Commits

• 0a12d6c chore: release 7.6.3 (#720)
• 73a3d79 fix: optimize Range parsing and formatting (#726)
• 2975ece docs: fix extra backtick typo (#719)
• See full diff in compare view

Updates ansi-regex from 3.0.0 to 5.0.1

Release notes

Sourced from ansi-regex's releases.

v5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

• Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @​yetingli for the patch and reproduction case!

v5.0.0

Breaking

• Require Node.js 8 166a0d5

Enhancements

• Add TypeScript definition (#32) e77ea17

chalk/ansi-regex@v4.1.0...v5.0.0

v4.1.0

• Support more escape code like links (#29) 96200bb

chalk/ansi-regex@v4.0.0...v4.1.0

Commits

• a9babce 5.0.1
• 4657833 fix incorrect format
• c3c0b3f Fix potential ReDoS (#37)
• 178363b Move to GitHub Actions (#35)
• 0755e66 Add @​Qix- to funding.yml
• 2b56fb0 5.0.0
• f26f7fe Meta tweaks
• e77ea17 Add TypeScript definition (#32)
• 166a0d5 Require Node.js 8
• f115fca Tidelift tasks
• Additional commits viewable in compare view

Updates ansi-regex from 4.1.0 to 5.0.1

Release notes

Sourced from ansi-regex's releases.

v5.0.1

Fixes (backport of 6.0.1 to v5)

This is a backport of the minor ReDos vulnerability in ansi-regex@<6.0.1, as requested in #38.

• Fix ReDoS in certain cases (#37) You are only really affected if you run the regex on untrusted user input in a server context, which it's very unlikely anyone is doing, since this regex is mainly used in command-line tools.

CVE-2021-3807

https://github.com/chalk/ansi-regex/compare/v5.0.0..v5.0.1

Thank you @​yetingli for the patch and reproduction case!

v5.0.0

Breaking

• Require Node.js 8 166a0d5

Enhancements

• Add TypeScript definition (#32) e77ea17

chalk/ansi-regex@v4.1.0...v5.0.0

v4.1.0

• Support more escape code like links (#29) 96200bb

chalk/ansi-regex@v4.0.0...v4.1.0

Commits

• a9babce 5.0.1
• 4657833 fix incorrect format
• c3c0b3f Fix potential ReDoS (#37)
• 178363b Move to GitHub Actions (#35)
• 0755e66 Add @​Qix- to funding.yml
• 2b56fb0 5.0.0
• f26f7fe Meta tweaks
• e77ea17 Add TypeScript definition (#32)
• 166a0d5 Require Node.js 8
• f115fca Tidelift tasks
• Additional commits viewable in compare view

Updates http-cache-semantics from 3.8.1 to 4.1.1

Commits

• 2449650 Update mocha
• 560b2d8 Don't use regex to trim whitespace
• b1bdb92 Remove linting package zoo
• c20dc7e Cache 308
• ed83aec Explain trust server date
• 1b35980 rfc 5861 (stale-if-error, stale-while-revalidate)
• 2c2fac2 Drop trustServerDate
• eb7028f Test names
• 84cc9a8 Bump
• ae5ecd5 Add status to tests
• Additional commits viewable in compare view

Updates npm from 6.14.18 to 10.8.3

Release notes

Sourced from npm's releases.

libnpmhook: v10.0.5

10.0.5 (2024-05-15)

Dependencies

• 63ef498 #7457 [email protected]

Chores

• 9c4d3c4 #7467 template-oss-apply (@​lukekarrys)
• 2b7ec54 #7467 [email protected] (@​lukekarrys)

libnpmhook: v10.0.4

10.0.4 (2024-04-30)

Bug Fixes

• 57ebebf #7418 update repository.url in package.json (#7418) (@​wraithgar)

Dependencies

• a7145d4 #7453 [email protected]

libnpmhook: v10.0.3

10.0.3 (2024-04-25)

Dependencies

• ee4b3e0 #7373 [email protected]

libnpmhook: v10.0.2

10.0.2 (2024-04-03)

Dependencies

• 87a61fc #7334 [email protected]

libnpmpublish: v9.0.9

9.0.9 (2024-05-29)

Bug Fixes

• 2d1d8d0 #7559 adds node: specifier to all native node modules (#7559) (@​reggi)

libnpmpublish: v9.0.8

9.0.8 (2024-05-15)

Dependencies

• 8b20f8c #7480 [email protected]

... (truncated)

Changelog

Sourced from npm's changelog.

10.8.3 (2024-08-28)

Bug Fixes

• 7e61151 #7759 docs: init usage description corrected (#7759) (@​milaninfy)
• 2404c7e #7738 publish: consider package-spec when inside workspace dir (#7738) (@​milaninfy)
• 91e46a3 #7721 init: use locally installed version of given package (#7721) (@​milaninfy)
• 4e81a6a #7674 always set exit code if exiting uncleanly (#7674) (@​wraithgar, @​hashtagchris)
• a947f25 #7679 update lifecycle script list in run-script (#7679) (@​sonsurim)

Documentation

• e674987 #7743 update docs for npmrc and package-json (#7743) (@​milaninfy)
• 24d5350 #7742 fix and update scoped configuration example (#7742) (@​demedos)

Dependencies

• 3fd7a48 #7737 [email protected]
• d7e462b #7737 [email protected]
• df58b0c #7737 [email protected]
• 7342c24 #7737 [email protected]
• 2986f4e #7737 [email protected]
• a44ab26 #7737 [email protected]
• 4e965ad #7737 [email protected]
• 12587fa #7737 [email protected]
• 1a9ac86 #7737 [email protected]
• a303ddd #7737 [email protected]

Chores

• 1772276 #7756 fix duplicate changelog entries (@​wraithgar)
• 8035725 #7756 @npmcli/[email protected] (@​wraithgar)
• ed4add1 #7737 dev dependency updates (@​wraithgar)
• 86b05fc #7683 allow for longer timer values (#7683) (@​wraithgar)
• workspace: [email protected]

10.8.2 (2024-07-09)

Bug Fixes

• 3101a40 #7631 limit concurrent open files during 'npm cache verify' (#7631) (@​oikumene)
• 2273183 #7595 outdated: fixed wanted range for alias with version range (#7595) (@​milaninfy)
• 15be6dd #7574 don't try parsing workspaces if none exist (@​wraithgar)

Documentation

• ac937d4 #7616 install: add save-peer flag (#7616) (@​drew4237)
• 55639ef #7615 use git+https in package.com url examples (#7615) (@​MikeMcC399)
• 93883bb #7582 Improve manpage section for package.json funding properties (#7582) (@​kemitchell)
• 92e71e6 #7576 fix links to community discussions (#7576) (@​leobalter)

Dependencies

• 1c1adae #7636 [email protected]
• 5e4fa18 #7636 [email protected]
• d8fa116 #7636 [email protected]
• 76dab91 #7636 [email protected]
• 094c4ea #7636 [email protected]

... (truncated)

Commits

• ec105f4 chore: release 10.8.3
• 7e61151 fix(docs): init usage description corrected (#7759)
• 1772276 chore: fix duplicate changelog entries
• 8035725 chore: @​npmcli/template-oss@​4.23.3
• e674987 docs: update docs for npmrc and package-json (#7743)
• 2404c7e fix(publish): consider package-spec when inside workspace dir (#7738)
• 24d5350 docs: fix and update scoped configuration example (#7742)
• ed4add1 chore: dev dependency updates
• 3fd7a48 deps: [email protected]
• d7e462b deps: [email protected]
• Additional commits viewable in compare view

Updates tar from 4.4.19 to 6.2.1

Release notes

Sourced from tar's releases.

v6.1.13

6.1.13 (2022-12-07)

Dependencies

• cc4e0dd #343 bump minipass from 3.3.6 to 4.0.0

v6.1.12

6.1.12 (2022-10-31)

Bug Fixes

• 57493ee #332 ensuring close event is emited after stream has ended (@​webark)
• b003c64 #314 replace deprecated String.prototype.substr() (#314) (@​CommanderRoot, @​lukekarrys)

Documentation

• f129929 #313 remove dead link to benchmarks (#313) (@​yetzt)
• c1faa9f add examples/explanation of using tar.t (@​isaacs)

Changelog

Sourced from tar's changelog.

Changelog

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

• Add support for brotli compression
• Add maxDepth option to prevent extraction into excessively deep folders.

6.1

• remove dead link to benchmarks (#313) (@​yetzt)
• add examples/explanation of using tar.t (@​isaacs)
• ensure close event is emited after stream has ended (@​webark)

... (truncated)

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• 5bc9d40 6.2.0
• fe1ef5e changelog 6.2
• e483220 get rid of npm lint stuff
• 689928a ci that works outside of npm org
• db6f539 file inference improvements for .tbr and .tgz
• 336fa8f refactor: dry and other pr comments
• eeba222 chore: lint fixes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.