Skip to content

Comments

Bump the npm_and_yarn group across 3 directories with 8 updates#4

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-d48bc1f4f8
Open

Bump the npm_and_yarn group across 3 directories with 8 updates#4
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-d48bc1f4f8

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 20, 2026

Bumps the npm_and_yarn group with 3 updates in the / directory: payload, express and @remix-run/node.
Bumps the npm_and_yarn group with 1 update in the /apps/cms directory: payload.
Bumps the npm_and_yarn group with 1 update in the /apps/web directory: @remix-run/node.

Updates payload from 1.15.8 to 3.74.0

Release notes

Sourced from payload's releases.

v3.74.0

v3.74.0 (2026-01-30)

🚀 Features

  • thread override access in doc level hooks (#15421) (85d5263)
  • extend strictDraftTypes to all draft operations (#15292) (9239164)
  • add support for custom UnpublishButton component (#15400) (94254da)
  • storage-r2: client uploads using R2 multipart api (#14733) (5c38902)
  • ui: allows opting out of popup closing logic (#15407) (fb2b602)
  • ui: allows customizing Popup component portal className (#15406) (0f55464)

Override Access in Document-Level Hooks - Access the overrideAccess value inside collection and global hooks. Useful when hook logic needs to know whether access control was bypassed, such as when querying related documents up a hierarchy. #15421

export const Posts: CollectionConfig = {
  slug: 'posts',
  hooks: {
    beforeChange: [
      ({ overrideAccess, req }) => {
        if (overrideAccess) {
          // Access control was bypassed
        }
      },
    ],
  },
}

Extended strictDraftTypes to All Operations - When strictDraftTypes: true is enabled, TypeScript now enforces draft type safety across all Local API operations (not just queries). The draft option is forbidden for collections/globals without drafts enabled, preventing silent runtime behavior where draft flags are ignored. #15292

import { buildConfig } from 'payload'
export default buildConfig({
typescript: {
strictDraftTypes: true, // Enables compile-time draft enforcement
},
// ...
})

⚠️ Note: Generic collection slugs may require explicit type assertions when using draft options.

... (truncated)

Commits
  • de4fa0c chore(release): v3.74.0 [skip ci]
  • 2dc2e7c fix: isolate payload-preferences by auth collection (#15425)
  • 85d5263 feat: thread override access in doc level hooks (#15421)
  • 9239164 feat: extend strictDraftTypes to all draft operations (#15292)
  • 6b45fee chore: export getSafeFileName utility (#15424)
  • 94254da feat: add support for custom UnpublishButton component (#15400)
  • 99b051e fix: traverseFields returning wrong parentPath dot notation for non-localised...
  • 5561799 fix: widgets and other features failing with transitive dependency imports (#...
  • 7043e3f chore(deps): bump tsx (#15363)
  • 2511c02 fix: replace deprecated scmp with crypto.timingSafeEqual (#15322)
  • Additional commits viewable in compare view

Updates express from 4.20.0 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0
Commits

Updates @remix-run/node from 1.19.3 to 2.17.2

Commits

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

New Contributors

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

  • deps: qs@~6.14.0
  • deps: use tilde notation for dependencies
  • deps: http-errors@~2.0.1
  • deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

  • deps: qs@6.13.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.


Updates path-to-regexp from 0.1.7 to 0.1.12

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking (again)

Fixed

  • Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

  • Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

  • Add backtrack protection to parameters 29b96b4
    • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

  • Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

  • Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

Updates qs from 6.4.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

  • [Robustness] avoid .push, use void
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [actions] fix rebase workflow permissions

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup

... (truncated)

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates send from 0.18.0 to 0.19.2

Release notes

Sourced from send's releases.

0.19.2

What's Changed

Full Changelog: pillarjs/send@0.19.1...0.19.2

0.19.1

What's Changed

Full Changelog: pillarjs/send@0.19.0...0.19.1

0.19.0

What's Changed

New Contributors

Full Changelog: pillarjs/send@0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.2 / 2025-12-15

  • deps: use tilde notation for dependencies
  • deps: http-errors@~2.0.1
  • deps: statuses@~2.0.2

0.19.1 / 2024-10-09

  • deps: encodeurl@~2.0.0

0.19.0 / 2024-09-10

  • Remove link renderization in html while redirecting
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.


Updates serve-static from 1.15.0 to 1.16.3

Release notes

Sourced from serve-static's releases.

v1.16.3

What's Changed

Full Changelog: expressjs/serve-static@v1.16.2...v1.16.3

v1.16.2

What's Changed

Full Changelog: expressjs/serve-static@v1.16.1...v1.16.2

v1.16.1

What's Changed

New Contributors

Full Changelog: expressjs/serve-static@1.16.0...v1.16.1

1.16.0

What's Changed

New Contributors

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

Changelog

Sourced from serve-static's changelog.

1.16.3 / 2024-12-15

  • deps: send@~0.19.1
    • deps: encodeurl@~2.0.0

1.16.2 / 2024-09-11

  • deps: encodeurl@~2.0.0

1.16.1 / 2024-09-11

  • deps: send@0.19.0

1.16.0 / 2024-09-10

  • Remove link renderization in html while redirecting
Commits
Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.


Updates payload from 1.15.8 to 3.74.0

Release notes

Sourced from payload's releases.

v3.74.0

v3.74.0 (2026-01-30)

🚀 Features

  • thread override access in doc level hooks (#15421) (85d5263)
  • extend strictDraftTypes to all draft operations (#15292) (9239164)
  • add support for custom UnpublishButton component (#15400) (94254da)
  • storage-r2: client uploads using R2 multipart api (#14733) (5c38902)
  • ui: allows opting out of popup closing logic (#15407) (fb2b602)
  • ui: allows customizing Popup component portal className (#15406) (0f55464)

Override Access in Document-Level Hooks - Access the overrideAccess value inside collection and global hooks. Useful when hook logic needs to know whether access control was bypassed, such as when querying related documents up a hierarchy. #15421

export const Posts: CollectionConfig = {
  slug: 'posts',
  hooks: {
    beforeChange: [
      ({ overrideAccess, req }) => {
        if (overrideAccess) {
          // Access control was bypassed
        }
      },
    ],
  },
}

Extended strictDraftTypes to All Operations - When strictDraftTypes: true is enabled, TypeScript now enforces draft type safety across all Local API operations (not just queries). The draft option is forbidden for collections/globals without drafts enabled, preventing silent runtime behavior where draft flags are ignored. #15292

import { buildConfig } from 'payload'
export default buildConfig({
typescript: {
strictDraftTypes: true, // Enables compile-time draft enforcement
},
// ...
})

⚠️ Note: Generic collection slugs may require explicit type assertions when using draft options.

... (truncated)

Commits
  • de4fa0c chore(release): v3.74.0 [skip ci]
  • 2dc2e7c fix: isolate payload-preferences by auth collection (#15425)
  • 85d5263 feat: thread override access in doc level hooks (#15421)
  • 9239164 feat: extend strictDraftTypes to all draft operations (#15292)
  • 6b45fee chore: export getSafeFileName utility (#15424)
  • 94254da feat: add support for custom UnpublishButton component (#15400)
  • 99b051e fix: traverseFields returning wrong parentPath dot notation for non-localised...
  • 5561799 fix: widgets and other features failing with transitive dependency imports (#...
  • 7043e3f chore(deps): bump tsx (#15363)
  • 2511c02 fix: replace deprecated scmp with crypto.timingSafeEqual (#15322)
  • Additional commits viewable in compare view

Updates @remix-run/node from 1.19.3 to 2.17.2

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 3 directories with 8 updates
feb18eb 
Bumps the npm_and_yarn group with 3 updates in the / directory: [payload](https://github.com/payloadcms/payload/tree/HEAD/packages/payload), [express](https://github.com/expressjs/express) and [@remix-run/node](https://github.com/remix-run/remix/tree/HEAD/packages/remix-node).
Bumps the npm_and_yarn group with 1 update in the /apps/cms directory: [payload](https://github.com/payloadcms/payload/tree/HEAD/packages/payload).
Bumps the npm_and_yarn group with 1 update in the /apps/web directory: [@remix-run/node](https://github.com/remix-run/remix/tree/HEAD/packages/remix-node).


Updates `payload` from 1.15.8 to 3.74.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.74.0/packages/payload)

Updates `express` from 4.20.0 to 4.22.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.22.0/History.md)
- [Commits](expressjs/express@4.20.0...4.22.0)

Updates `@remix-run/node` from 1.19.3 to 2.17.2
- [Release notes](https://github.com/remix-run/remix/releases)
- [Commits](https://github.com/remix-run/remix/commits/remix@2.17.2/packages/remix-node)

Updates `body-parser` from 1.20.2 to 1.20.4
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.20.2...1.20.4)

Updates `path-to-regexp` from 0.1.7 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](pillarjs/path-to-regexp@v0.1.7...v0.1.12)

Updates `qs` from 6.4.1 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.4.1...v6.14.2)

Updates `send` from 0.18.0 to 0.19.2
- [Release notes](https://github.com/pillarjs/send/releases)
- [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md)
- [Commits](pillarjs/send@0.18.0...0.19.2)

Updates `serve-static` from 1.15.0 to 1.16.3
- [Release notes](https://github.com/expressjs/serve-static/releases)
- [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md)
- [Commits](expressjs/serve-static@v1.15.0...v1.16.3)

Updates `payload` from 1.15.8 to 3.74.0
- [Release notes](https://github.com/payloadcms/payload/releases)
- [Commits](https://github.com/payloadcms/payload/commits/v3.74.0/packages/payload)

Updates `@remix-run/node` from 1.19.3 to 2.17.2
- [Release notes](https://github.com/remix-run/remix/releases)
- [Commits](https://github.com/remix-run/remix/commits/remix@2.17.2/packages/remix-node)

---
updated-dependencies:
- dependency-name: payload
  dependency-version: 3.74.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 4.22.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@remix-run/node"
  dependency-version: 2.17.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-version: 1.20.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-to-regexp
  dependency-version: 0.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: send
  dependency-version: 0.19.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serve-static
  dependency-version: 1.16.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: payload
  dependency-version: 3.74.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@remix-run/node"
  dependency-version: 2.17.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Feb 20, 2026
This was referenced Feb 20, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants