Bump the npm_and_yarn group across 3 directories with 26 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the /controller/web-server directory:

Package	From	To
ws	8.13.0	8.17.1
@babel/traverse	7.22.8	7.24.7
@grpc/grpc-js	1.8.21	1.8.22
braces	3.0.2	3.0.3
browserslist	4.21.10	4.23.1
loader-utils	3.2.1	3.3.1
postcss	8.4.27	8.4.39
react-devtools-core	4.28.0	4.28.5
tar	6.1.15	6.2.1
terser	5.19.2	5.31.1
undici	5.26.5	5.28.4
@firebase/firestore	4.4.1	4.6.4

Bumps the npm_and_yarn group with 4 updates in the /controller/web-server/server directory: ws, braces, ejs and express.
Bumps the npm_and_yarn group with 16 updates in the /policy/frontend directory:

Package	From	To
ws	6.2.1	6.2.3
@babel/traverse	7.12.10	7.24.7
hosted-git-info	2.8.8	2.8.9
path-parse	1.0.6	1.0.7
ssri	6.0.1	6.0.2
tar	6.0.5	6.2.1
tmpl	1.0.4	1.0.5
tough-cookie	4.1.3	4.1.4
express	4.18.2	4.19.2
browserify-sign	4.2.1	4.2.3
color-string	1.5.4	1.9.1
dns-packet	1.3.1	1.3.4
elliptic	6.5.3	6.5.5
es5-ext	0.10.53	0.10.64
follow-redirects	1.13.1	1.15.6
react-dev-utils	11.0.1	11.0.4

Updates ws from 8.13.0 to 8.17.1

Release notes

Sourced from ws's releases.

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1. Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size][] and/or the [maxHeaderSize][] options so that no more headers than the server.maxHeadersCount limit can be sent.

... (truncated)

Commits

• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• 934c9d6 [ci] Test on node 22
• 1817bac [ci] Do not test on node 21
• 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
• e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
• Additional commits viewable in compare view

Updates @babel/traverse from 7.22.8 to 7.24.7

Release notes

Sourced from @​babel/traverse's releases.

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@​nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@​liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@​liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@​blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@​amjed-98)
• Babel Bot (@​babel-bot)
• Blake Wilson (@​blakewilson)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• Sukka (@​SukkaW)
• @​liuxingbaoyu

v7.24.6 (2024-05-24)

Thanks @​amjed-98, @​blakewilson, @​coelhucas, and @​SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@​nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@​JLHwung)
  • #16484 Fix decorator bare yield await (@​JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@​liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@​nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@​nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@​nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@​nicolo-ribaudo)
• Other

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@​nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@​liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@​liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@​blakewilson)

v7.24.6 (2024-05-24)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@​nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@​JLHwung)
  • #16484 Fix decorator bare yield await (@​JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@​liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@​nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@​nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@​nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@​nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@​JLHwung)

v7.24.5 (2024-04-29)

🐛 Bug Fix

• babel-plugin-transform-classes, babel-traverse
  • #16377 fix: TypeScript annotation affects output (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3
  • #16440 Fix suppressed error order (@​sossost)
  • #16408 Await nullish async disposable (@​JLHwung)

💅 Polish

• babel-parser

... (truncated)

Commits

• bf1e9a3 v7.24.7
• 4463aa5 fix: incorrect constantViolations with destructuring (#16522)
• 07bd000 Improve getBindingIdentifiers (#16544)
• 17a5502 [Babel 8] Remove extra.shorthand (#16521)
• 7934963 Use type: module in all package.jsons (#16535)
• 9630250 v7.24.6
• 1f010df Explicitly define NodePath.prototype.* (#16488)
• 6e3539b [babel 8] Publish .d.ts files for every package (#16416)
• e37e64d Use eslint v9 (#16479)
• 3ff20b9 Statically generate boilerplate for bitfield accessors (#16482)
• Additional commits viewable in compare view

Updates @grpc/grpc-js from 1.8.21 to 1.8.22

Release notes

Sourced from @​grpc/grpc-js's releases.

@​grpc/grpc-js 1.8.22

• Avoid buffering significantly more than grpc.max_receive_message_size per received message.

Commits

• a8a0203 Merge pull request from GHSA-7v5v-9h63-cj86
• 3b110cd grpc-js: Bump to 1.8.22
• 8e62222 grpc-js: Avoid buffering significantly more than max_receive_message_size per...
• 9d83947 Merge pull request #2742 from sergiitk/backport-1.8-psm-interop-common-prod-t...
• 00f348c Merge pull request #2729 from sergiitk/psm-interop-common-prod-tests
• 36d105b Merge pull request #2737 from murgatroid99/backport-1.8-grpc-js_linkify-it_fix
• 969e305 Merge pull request #2735 from murgatroid99/grpc-js_linkify-it_fix
• d78216f Merge pull request #2715 from sergiitk/backport-1.8-psm-interop-pkg-dev
• f38966a Merge pull request #2712 from sergiitk/psm-interop-pkg-dev
• ffefff2 Merge pull request #2640 from XuanWang-Amos/backport-1.8-psm-interop-shared-b...
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates browserslist from 4.21.10 to 4.23.1

Release notes

Sourced from browserslist's releases.

4.23.1

• Fixed feature query with mobile to desktop when caniuse lags (by @​steverep).

4.23.0

• Added BROWSERSLIST_ROOT_PATH (by @​teleclimber).

Changelog

Sourced from browserslist's changelog.

4.23.1

• Fixed feature query with mobile to desktop when caniuse lags (by @​steverep).

4.23.0

• Added BROWSERSLIST_ROOT_PATH (by @​teleclimber).

4.22.3

• Fixed white spaces support in supports query (@​g-plane).
• Fixed shared config like @company/package/browserslist-config (@​boucodes).

4.22.2

• Fixed idempotency in time queries with mobileToDesktop (by Aliaksei Sapach).

4.22.1

• Updated Firefox ESR (by @​lerkor).

4.22

• Added fully supports query (by Ben Scott).
• Added partially supports alias for supports query (by Ben Scott).

4.21.11

• Added warning to --update-db to move to new CLI (by Ivan Vasilev).
• Fixed docs (by Tatsunori Uchino).

Commits

• edd5309 Release 4.23.1 version
• 9e8ca3d Simplify code
• bbe6821 Update lock
• a36e1ad Update ESLint and dependencies
• 4424c96 Use pnpm 9 for Node.js 20 and 18
• 2185077 Add Node.js 22 to CI
• f78f90c Move to pnpm 9
• ed723f7 Fix feature queries with mobile to desktop when caniuse lags latest release (...
• c6ddf7b 📝 Fix typos in README.md (#822)
• a23d971 Release 4.23 version
• Additional commits viewable in compare view

Updates loader-utils from 3.2.1 to 3.3.1

Release notes

Sourced from loader-utils's releases.

v3.3.1

3.3.1 (2024-06-05)

Bug Fixes

• base64safe regex (3b2d3b1)

v3.3.0

3.3.0 (2024-06-04)

Features

• add digestType 'base64safe' (#259) (af15793)

v3.2.2

3.2.2 (2024-05-29)

Bug Fixes

• unreachable code for directories (128f945)

Changelog

Sourced from loader-utils's changelog.

3.3.1 (2024-06-05)

Bug Fixes

• base64safe regex (3b2d3b1)

3.3.0 (2024-06-04)

Features

• add digestType 'base64safe' (#259) (af15793)

3.2.2 (2024-05-29)

Bug Fixes

• unreachable code for directories (128f945)

Commits

• 06fcc0a chore(release): 3.3.1
• 3b2d3b1 fix: base64safe regex
• 2d6ed3c chore(release): 3.3.0
• af15793 feat: add digestType 'base64safe' (#259)
• 977b28d chore(release): 3.2.2
• 83e1c68 style: fix (#258)
• 128f945 fix: unreachable code for directories
• 50890cd docs: add missing security policy (#251)
• 62e12f1 chore(deps): bump word-wrap from 1.2.3 to 1.2.4 (#247)
• 9e20ec8 chore(deps): bump semver from 5.7.1 to 5.7.2 (#246)
• Additional commits viewable in compare view

Updates postcss from 8.4.27 to 8.4.39

Release notes

Sourced from postcss's releases.

8.4.39

• Fixed CssSyntaxError types (by @​romainmenke).

8.4.38

• Fixed endIndex: 0 in errors and warnings (by @​romainmenke).

8.4.37

• Fixed original.column are not numbers error in another case.

8.4.36

• Fixed original.column are not numbers error on broken previous source map.

8.4.35

• Avoid ! in node.parent.nodes type.
• Allow to pass undefined to node adding method to simplify types.

8.4.34

• Fixed AtRule#nodes type (by @​tim-we).
• Cleaned up code (by @​DrKiraDmitry).

8.4.33

• Fixed NoWorkResult behavior difference with normal mode (by @​romainmenke).
• Fixed NoWorkResult usage conditions (by @​ahmdammarr).

8.4.32

• Fixed postcss().process() types (by @​ferreira-tb).

8.4.31

• Fixed \r parsing to fix CVE-2023-44270.

8.4.30

• Improved source map performance (by @​romainmenke).

8.4.29

• Fixed Node#source.offset (by @​idoros).
• Fixed docs (by @​coliff).

8.4.28

• Fixed Root.source.end for better source map (by @​romainmenke).
• Fixed Result.root types when process() has no parser.

Changelog

Sourced from postcss's changelog.

8.4.39

• Fixed CssSyntaxError types (by @​romainmenke).

8.4.38

• Fixed endIndex: 0 in errors and warnings (by @​romainmenke).

8.4.37

• Fixed original.column are not numbers error in another case.

8.4.36

• Fixed original.column are not numbers error on broken previous source map.

8.4.35

• Avoid ! in node.parent.nodes type.
• Allow to pass undefined to node adding method to simplify types.

8.4.34

• Fixed AtRule#nodes type (by Tim Weißenfels).
• Cleaned up code (by Dmitry Kirillov).

8.4.33

• Fixed NoWorkResult behavior difference with normal mode (by Romain Menke).
• Fixed NoWorkResult usage conditions (by @​ahmdammarr).

8.4.32

• Fixed postcss().process() types (by Andrew Ferreira).

8.4.31

• Fixed \r parsing to fix CVE-2023-44270.

8.4.30

• Improved source map performance (by Romain Menke).

8.4.29

• Fixed Node#source.offset (by Ido Rosenthal).
• Fixed docs (by Christian Oliff).

8.4.28

• Fixed Root.source.end for better source map (by Romain Menke).
• Fixed Result.root types when process() has no parser.

Commits

• e0efb16 Release 8.4.39 version
• 48304c5 Update dependencies
• 155ac57 Merge pull request #1947 from romainmenke/fix-css-syntax-error-type--reliable...
• 1b9b466 fix CssSyntaxError type declaration
• 3f4d96e Update dependencies
• b952be7 Update CI actions
• b512b29 Typo
• f9a9868 Move to pnpm 9 and Node.js 22
• 79052c2 Merge pull request #1940 from Xvezda/patch-1
• 0eedad4 Update changed urls
• Additional commits viewable in compare view

Updates react-devtools-core from 4.28.0 to 4.28.5

Commits

• See full diff in compare view

Updates tar from 6.1.15 to 6.2.1

Changelog

Sourced from tar's changelog.

Changelog

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

• Add support for brotli compression
• Add maxDepth option to prevent extraction into excessively deep folders.

6.1

• remove dead link to benchmarks (#313) (@​yetzt)
• add examples/explanation of using tar.t (@​isaacs)
• ensure close event is emited after stream has ended (@​webark)

... (truncated)

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• 5bc9d40 6.2.0
• fe1ef5e changelog 6.2
• e483220 get rid of npm lint stuff
• 689928a ci that works outside of npm org
• db6f539 file inference improvements for .tbr and .tgz
• 336fa8f refactor: dry and other pr comments
• eeba222 chore: lint fixes
• Additional commits viewable in compare view

Updates terser from 5.19.2 to 5.31.1

Changelog

Sourced from terser's changelog.

v5.31.1

• Allow drop-unused to drop the whole assignment (not just the assigned name) in more situations, in order to avoid duplication of long strings.

v5.31.0

• Sync up property mangler exceptions with current contents of Firefox and Chrome environments
• Add more webcomponent properties to property mangler exceptions (#1525)
• Drop non-nullish constants in ...spreads in objects (#1141)

v5.30.4

• Fix parsing #private in ... when next to other operators

v5.30.3

• Fix precedence of #private in ... operator

v5.30.2

• Avoid optimizations inside computed keys, because they can cause js-engine-specific bugs.

v5.30.1

• Removed useless \ escapes for non-ascii characters
• Make modern identifier characters quoted for older environments (#1512)

v5.30.0

• Improve removal of classes referring to themselves

v5.29.2

• Make sure 'computed_props' creates string keys
• Take into account the evaluated size when inlining

v5.29.1

• fix optimisation of all-bits mask check

v5.29.0

• Re-releases previously reverted 5.28.0
• Fix crash while optimizing some bitwise ops
• (internal) Remove needless wrapper for from_moz (#1499)

v5.28.1

(hotfix release)

• Reverts v5.28.0

v5.28.0

• Optimise redundant or shrinkable bitwise operations (|, ^, &, >>, <<)
• Evaluate some BigInt math operations

v5.27.2

• Recognise this as a reference to the surrounding class in drop_unused. Closes #1472

v5.27.1

• Fixed case where collapse_vars inlines await expressions into non-async functions.

... (truncated)

Commits

• 57ea592 5.31.1
• cf57d77 fix normalization of AST_Sequence
• 14cc291 avoid drop-unused leaving behind the contents of an assignment. Related to we...
• 78d95b8 5.31.0
• 98dbfbb update changelog
• 14062bc sync domprops with Firefox 125 and Chrome 124
• 4cd17bf fix more webcomponent mangling bugs (#1525)
• d7e10df fix WebComponents mangling bug (#1524)
• db932f0 object spread: also drop non-nullish constants (e.g. { ...true }) (#1141)
• 096cac0 5.30.4
• Additional commits viewable in compare view

Updates undici from 5.26.5 to 5.28.4

Release notes

Sourced from undici's releases.

v5.28.4

⚠️ Security Release ⚠️

• Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

• CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in nodejs/undici#2470
• fix: remove node: prefix by @​tsctx in nodejs/undici#2471
• perf: avoid Headers initialization by @​tsctx in nodejs/undici#2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in nodejs/undici#2466
• fix: Add null type to signal in RequestInit by @​gebsh in nodejs/undici#2455
• fix: correctly handle data URL with hashes. by @​tsctx in nodejs/undici#2475
• fix: check response for timinginfo allow flag by @​ToshB in nodejs/undici#2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in nodejs/undici#2478
• refactor: better integrity check by @​tsctx in nodejs/undici#2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in nodejs/undici#2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in nodejs/undici#2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in nodejs/undici#2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in nodejs/undici#2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in nodejs/undici#2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in nodejs/undici#2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in nodejs/undici#2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in nodejs/undici#2302

New Contributors

• @​bugb made their first contribution in nodejs/undici#2470
• @​gebsh made their first contribution in nodejs/undici#2455
• @​ToshB made their first contribution in nodejs/undici#2477
• @​MzUgM made their first contribution in nodejs/undici#2478
• @​matt-way made their first contribution in nodejs/undici#2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

What's Changed

• perf: Improve normalizeMethod by @​tsctx in nodejs/undici#2456
• fix: dispatch error handling by @​ronag in nodejs/undici#2459

... (truncated)

Commits

• fb98306 Bumped v5.28.4
• 2b39440 Merge pull request from GHSA-9qxr-qj54-h672
• 64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
• 723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)"
• 0e9d54b skip failing test due to Node.js changes
• e71cb4c Bumped v5.28.3
• 20c65b8 Fix tests for Node.js v20.11.0 (#2618)
• 8ec52cd Fix tests for Node.js v21 (#2609)
• d3aa574 Merge pull request from GHSA-3787-6prv-h9w3
• 9a14e5f Bumped v5.28.2
• Additional commits viewable in compare view

Updates @firebase/firestore from 4.4.1 to 4.6.4

Release notes

Sourced from @​firebase/firestore's releases.

4.5.2

Fixes

• Fixed a regression where the react-native property was missing from the firebase package.json
• Fixed a regression where the value of firebase.SDK_VERSION wasn't properly being populated.

4.5.1

Features

Shipped individual modules for the following packages:

• @firebase/app
• @firebase/auth
• @firebase/database
• @firebase/firestore
• @firebase/messaging
• @firebase/polyfill
• @firebase/storage
• @firebase/util

4.5.0

Features

• Added support for Cloud Firestore. For more information, see the following resources:
  • Blog post
  • Web getting started guide
  • Reference Documentation

Changelog

Sourced from @​firebase/firestore's changelog.

4.6.4

Patch Changes

• ecadbe380 #8339 (fixes #8314) - Fix persistence multi-tab snapshot listener metadata sync issue.

• Updated dependencies [192561b15, b09a267ba]:

  • @​firebase/util@​1.9.7
  • @​firebase/webchannel-wrapper@​1.0.1
  • @​firebase/component@​0.6.8

4.6.3

Patch Changes

• 2ce95696f #8247 - Fix multi-tab persistence raising empty snapshot issue

4.6.2

Patch Changes

• 4b49630c7 #8190 - Use closure-net as a dependency of webchannel-wrapper and Firestore.

• ab883d016 #8237 - Bump all packages so staging works.

• Updated dependencies [14f9da66f, 4b49630c7, ab883d016]:

  • @​firebase/webchannel-wrapper@​1.0.0
  • @​firebase/component@​0.6.7
  • @​firebase/logger@​0.4.2
  • @​firebase/util@​1.9.6

4.6.1

Patch Changes

• 224419457 #8145 - Prevent spurious "Backend didn't respond within 10 seconds" errors when network is indeed responding, just slowly.

• bd12e83cd #8150 - Updated protobufjs transitive dependency in Firetore.

• e1a7764cf #8197 - Go back using xmlhttprequest for bidi-streams, as fetch streams seem to be having connection ...

  Description has been truncated