Bump path-to-regexp, express and firebase-tools #612

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-f6c62e683c

@dependabot dependabot bot commented on behalf of github Mar 28, 2026

Bumps path-to-regexp to 0.1.13 and updates ancestor dependencies path-to-regexp, express and firebase-tools. These dependencies need to be updated together.

Updates path-to-regexp from 0.1.7 to 0.1.13

Release notes

Sourced from path-to-regexp's releases.

0.1.13

Important

Full Changelog: pillarjs/path-to-regexp@v0.1.12...v.0.1.13

Fix backtracking (again)

Fixed

  • Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

  • Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

  • Add backtrack protection to parameters 29b96b4
    • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

  • Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

  • Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Changelog

Sourced from path-to-regexp's changelog.

0.1.13 / 2026-03-26

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for path-to-regexp since your current version.


Updates express from 4.17.1 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

Important: The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


Updates firebase-tools from 9.1.2 to 15.12.0

Release notes

Sourced from firebase-tools's releases.

v15.12.0

  • Moved MCP server firebase-debug.log to ~/.cache/firebase/firebase-debug.log. (#9982)
  • Added a prompt to firebase init to install Agent Skills for Firebase.
  • Updated the Firebase Data Connect local toolkit to v3.3.1, which includes the following changes: (#10190)
    • [added] Support for configuring client-side caching in connector.yaml / generate section

v15.11.0

  • Add support for dataAccessMode in Firestore database creation. This allows choosing between FIRESTORE_NATIVE and MONGODB_COMPATIBLE for Enterprise edition databases.
  • Updated Firestore Emulator to v1.20.4, which includes minor bug fixes for Firestore Native Mode.
  • Added apptesting:execute command to run App Testing agent tests from YAML files.
  • Updated Data Connect emulator to v3.3.0:
    • firebase dataconnect:sdk:generate now performs compilation check first before generating SDKs.
    • Updated the Golang dependency version from 1.24.13 to 1.25.8, which removes support for macOS versions prior to Monterey.
    • Prevent concurrent execution of operations. firebase/firebase-tools#9866
    • Support for skip and include directives.
    • Vector similarity search now supports offset as well as limit

v15.10.1

  • Updated Pub/Sub emulator to version 0.8.29.

v15.10.0

  • Add support for VPC direct connect in GCF 2nd gen (#10033)
  • Added --only flag for emulators:export (#4033)
  • Added support for custom PostgreSQL schema names in Data Connect. (#9271)
  • When SSR web app features are detected in the firebase init hosting flow, offer to switch to App Hosting (#9887)
  • Removed the experimental web frameworks prompt from firebase init hosting (#9843)
  • Added studio:export command to export Firebase Studio projects to Antigravity.

v15.9.1

  • Added support for next.config.ts and next.config.mts in Next.js deployments (#9871)
  • Enabled free trials without a billing instrument for Firebase Data Connect (#10042)

v15.9.0

  • Added *_EMULATOR_VERSION env variables to allow overriding specific versions of downloadable emulators
  • Updated the functions.config deprecation notice from March 2026 to March 2027 (#9941)
  • Detects when App Hosting fails to deploy, returning an error. (#8866)
  • Add firestore_query_collection tool back to MCP as it is not available in the OneMCP server yet.
  • Add support for custom resolvers in Firebase Data Connect (#9967)
  • Updated the Firebase Data Connect local toolkit to v3.2.1, which includes the following changes: (#10022)

v15.8.0

  • Corrects issue with updateService in runv2.ts (#9918)
  • Updated suite of MCP tools for Firestore to include many new tools. Firestore tools no longer support emulator mode.
  • Updated the Firebase Data Connect local toolkit to v3.2.0, which includes the following changes: (#9975)
    • Support for uuidV7()
    • Support for custom PostgreSQL schema names.

v15.7.0

  • Updated Python Functions template to use firebase_functions v0.5.x

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.13 and updates ancestor dependencies [path-to-regexp](https://github.com/pillarjs/path-to-regexp), [express](https://github.com/expressjs/express) and [firebase-tools](https://github.com/firebase/firebase-tools). These dependencies need to be updated together.


Updates `path-to-regexp` from 0.1.7 to 0.1.13
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md)
- [Commits](pillarjs/path-to-regexp@v0.1.7...v.0.1.13)

Updates `express` from 4.17.1 to 4.22.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md)
- [Commits](expressjs/express@4.17.1...v4.22.1)

Updates `firebase-tools` from 9.1.2 to 15.12.0
- [Release notes](https://github.com/firebase/firebase-tools/releases)
- [Commits](firebase/firebase-tools@v9.1.2...v15.12.0)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-version: 0.1.13
  dependency-type: indirect
- dependency-name: express
  dependency-version: 4.22.1
  dependency-type: direct:production
- dependency-name: firebase-tools
  dependency-version: 15.12.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Mar 28, 2026
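
Because path-to-regexp is an indirect dependency here, a reviewer may want to confirm that no nested copy on the 0.1.x line stays below 0.1.13 after the bump. The following is an added example, not part of the pull request or of Dependabot's output; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, uses a constructed lockfile fragment with hypothetical package names, and does not assess copies on other major lines, which the page does not cover.

```javascript
// Added example (not Dependabot's or the project's code). Assumes an npm
// package-lock.json with lockfileVersion 2 or 3, i.e. a "packages" map.
const TARGET = { name: 'path-to-regexp', line: '0.1', min: '0.1.13' }; // from the PR text

// Numeric x.y.z comparison; a string compare would rank '0.1.7' above '0.1.13'.
function compareVersions(a, b) {
  const parts = (v) => v.split('-')[0].split('.').map((n) => Number(n) || 0);
  const pa = parts(a);
  const pb = parts(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// List every installed copy of the target package, nested ones included, and
// flag copies on the 0.1.x line that are older than the version the PR moves to.
function findCopies(lock, target = TARGET) {
  const suffix = 'node_modules/' + target.name;
  const copies = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath !== suffix && !installPath.endsWith('/' + suffix)) continue;
    const version = String(meta.version || '');
    const onLine = version.startsWith(target.line + '.');
    const outdated = onLine && compareVersions(version, target.min) < 0;
    copies.push({ installPath, version, outdated });
  }
  return copies;
}

// Constructed lockfile fragment; "legacy-middleware" and "some-router" are
// hypothetical packages used only to show nested copies.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app' },
    'node_modules/express': { version: '4.22.1' },
    'node_modules/path-to-regexp': { version: '0.1.13' },
    'node_modules/legacy-middleware/node_modules/path-to-regexp': { version: '0.1.7' },
    'node_modules/some-router/node_modules/path-to-regexp': { version: '6.2.1' },
  },
};

for (const c of findCopies(sampleLock)) {
  console.log(`${c.outdated ? 'OUTDATED' : 'ok      '} ${c.version.padEnd(8)} ${c.installPath}`);
}
```

To check a real project, pass the parsed contents of its lockfile to `findCopies` in place of `sampleLock`.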