feat(deps): update all dependencies (non-major) - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@emotion/core (source)	10.1.1 -> 10.3.1
@emotion/styled (source)	10.0.27 -> 10.3.0
apollo-server-express (source)	2.19.2 -> 2.26.2
bs-css-emotion	2.2.0 -> 2.5.1
common-tags	1.8.0 -> 1.8.2
compression	1.7.4 -> 1.8.1
cookie-session	2.0.0-rc.1 -> 2.1.1
cross-fetch	3.1.5 -> 3.2.0
dataloader	2.0.0 -> 2.2.3
dotenv	8.2.0 -> 8.6.0
emoji-datasource	6.0.0 -> 6.1.1
emotion-theming (source)	10.0.27 -> 10.3.0
execa	5.0.0 -> 5.1.1
graphql	15.4.0 -> 15.10.1
graphql-tag	2.11.0 -> 2.12.6
helmet (source)	4.4.1 -> 4.6.0
ioredis	4.19.4 -> 4.30.1
minimist	1.2.6 -> 1.2.8
morgan	1.10.0 -> 1.10.1
newrelic	7.1.0 -> 7.5.2
next-offline	5.0.3 -> 5.0.5
open	7.3.1 -> 7.4.2
polished (source)	4.0.5 -> 4.3.1
prop-types (source)	15.7.2 -> 15.8.1
react (source)	17.0.1 -> 17.0.2
react-dom (source)	17.0.1 -> 17.0.2
reason-react (source)	0.9.1 -> 0.11.0
screenfull	5.1.0 -> 5.2.0
serve-favicon	2.5.0 -> 2.5.1
subscriptions-transport-ws	0.9.18 -> 0.11.0

---

Release Notes

emotion-js/emotion (@​emotion/core)

v10.3.1

Compare Source

Patch Changes

• #​2576 33c01578 Thanks @​Methuselah96! - Export Keyframes type to avoid TypeScript inserting import("@​emotion/serialize").Keyframes references into declaration files emitted based on a source files exporting keyframes result. This avoids issues with strict package managers that don't allow accessing undeclared dependencies.

v10.3.0

Compare Source

Minor Changes

• #​2566 122e9f11 Thanks @​eps1lon, @​Andarist! - Fixed hydration mismatches if React.useId (an upcoming API in React 18) is used within a tree below our components.

• #​2560 b5a26619 Thanks @​eps1lon! - Dropped usage of a deprecated SFC React type in favor of FC. The FC type has been introduced in @types/react@16.7.2 so this version of this package is now a minimum requirement for TypeScript users.

apollographql/apollo-server (apollo-server-express)

v2.26.2

Compare Source

v2.26.1

Compare Source

v2.26.0

Compare Source

v2.25.4

Compare Source

v2.25.3

Compare Source

v2.25.2

Compare Source

v2.25.1

Compare Source

v2.25.0

Compare Source

v2.24.1

Compare Source

v2.24.0

Compare Source

v2.23.0

Compare Source

v2.22.2

Compare Source

v2.22.1

Compare Source

v2.22.0

Compare Source

v2.21.2

Compare Source

v2.21.1

Compare Source

v2.21.0

Compare Source

v2.20.0

Compare Source

reasonml-labs/bs-css (bs-css-emotion)

v2.5.1

• Fix test helper dependency - #​237

bs-css-dom@​2.5.1, bs-css-emotion@​2.5.1, bs-css-fela@​1.0.1

v2.5.0

• BREAKING CHANGE bs-css: updated the Css_Core API to accept renderer. it should have no impact on existing implementations.
• Added bs-css-fela with a dependency to the fela library

bs-css-dom@​2.5.0, bs-css-emotion@​2.5.0, bs-css-fela@​1.0.0

v2.4.1

• Move react dependency out of bs-css-emotion
• Use peer dependencies in bs-css-dom
• Fix broken link to rei (doc) by @​abenoit - #​234
• Add support for focus-visible pseudo-class by @​TomiS - #​233

bs-css-dom@​2.4.1, bs-css-emotion@​2.4.1

v2.4.0

• Fix strokeDasharray property by @​lucasweng - #​232
• Fix backdropFilter property by @​lucasweng - #​231
• Fix color - #​230

bs-css-dom@​2.4.0, bs-css-emotion@​2.4.0

v2.3.0

• Add touchAction by @​RuslanGrigoryev - #​256

bs-css-dom@​3.3.0, bs-css-emotion@​4.3.0, bs-css-fela@​2.3.0

zspecza/common-tags (common-tags)

v1.8.2

Compare Source

This release is based on the same code that v1.8.1, but it fixes a regression caused by forgetting to run the build before publishing. Thanks @​alumni for the hint!

v1.8.1: : The "anti-takeover" one

Compare Source

The creator of the package changed the handle from declandewet to zspecza, and for a while GitHub was redirecting from the old repo to the new one. This changed with the "takeover" of the original user handle by a random person, and so in this release all the links in package.json are updated to include the new handle.

expressjs/compression (compression)

v1.8.1

Compare Source

==========

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

v1.8.0

Compare Source

==================

• Use res.headersSent when available
• Replace _implicitHeader with writeHead property
• add brotli support for versions of node that support it
• Add the enforceEncoding option for requests without Accept-Encoding header

v1.7.5

Compare Source

==================

• deps: Replace accepts with negotiator@~0.6.4
  • Add preference option
• deps: bytes@​3.1.2
  • Add petabyte (pb) support
  • Fix "thousandsSeparator" incorrecting formatting fractional part
  • Fix return value for un-parsable strings
• deps: compressible@~2.0.18
  • Mark font/ttf as compressible
  • Remove compressible from multipart/mixed
  • deps: mime-db@'>= 1.43.0 < 2'
• deps: safe-buffer@​5.2.1

expressjs/cookie-session (cookie-session)

v2.1.1

Compare Source

==========

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

v2.1.0

Compare Source

==================

• Fix loading sessions with special keys
• deps: cookies@​0.9.1
  • Add partitioned option for CHIPS support
  • Add priority option for Priority cookie support
  • Fix accidental cookie name/value truncation when given invalid chars
  • Fix maxAge option to reject invalid values
  • Remove quotes from returned quoted cookie value
  • Use req.socket over deprecated req.connection
  • pref: small lookup regexp optimization

v2.0.0

Compare Source

==================

• deps: debug@​3.2.7
• deps: safe-buffer@​5.2.1

lquixada/cross-fetch (cross-fetch)

v3.2.0

Compare Source

What's Changed

FEATURES

• Upgraded node-fetch from 2.6.12 to 2.7.0. Please refer to node-fetch release notes for features and bug fixes.
• Upgraded whatwg-fetch from 3.0.0 to 3.6.20. Please refer to whatwg-fetch release notes for features and bug fixes.

v3.1.8

Compare Source

What's Changed

• Restored caret range to node-fetch version for automatic feature and fix updates.

Full Changelog: lquixada/cross-fetch@v3.1.7...v3.1.8

v3.1.7

Compare Source

What's Changed

• Updated node-fetch version to 2.6.12

Full Changelog: lquixada/cross-fetch@v3.1.6...v3.1.7

v3.1.6

Compare Source

What's Changed

• Updated node-fetch version to 2.6.11
• Added caret range to node-fetch version for automatic feature and fix updates.

Full Changelog: lquixada/cross-fetch@v3.1.5...v3.1.6

graphql/dataloader (dataloader)

v2.2.3

Compare Source

Patch Changes

• #​342 38fedd4 Thanks @​abendi! - Ensure cacheKeyFn is not called when caching is disabled, since the key is not utilized in that case.

v2.2.2

Compare Source

Patch Changes

• #​334 e286f66 Thanks @​henrinormak! - Added missing type definition for Dataloader.name

v2.2.1

Compare Source

Patch Changes

• #​331 6d2efb7 Thanks @​saihaj! - name is an optional property

v2.2.0

Compare Source

Minor Changes

• #​326 6c758d0 Thanks @​SimenB! - Add name property to DataLoader. Useful in APM tools.

Patch Changes

• #​318 588a8b6 Thanks @​boopathi! - Fix the propagation of sync throws in the batch function to the loader function instead of crashing the process wtih an uncaught exception.

• #​252 fae38f1 Thanks @​LinusU! - Fix types for priming cache with promise

• #​321 3cd3a43 Thanks @​thekevinbrown! - Resolves an issue where the maxBatchSize parameter wouldn't be fully used on each batch sent to the backend loader.

v2.1.0

Compare Source

Minor Changes

• 28cf959: - Do not return void results from arrow functions 3b0bae9
  • Fix typo in loader.load() error message 249b2b9
  • Fix typo in SQL example cae1a3d
  • Fix typo in TypeScript declaration ef6d32f
  • Most of the browsers don't have setImmediate. setImmediate || setTimeout doesn't work and it throws setImmediate is not defined in this case, so we should check setImmediate with typeof. And some environments like Cloudflare Workers don't allow you to set setTimeout directly to another variable. 3e62fbe

Patch Changes

• 3135e9a: Fix typo in jsdoc comment; flip "objects are keys" to "keys are objects"

motdotla/dotenv (dotenv)

v8.6.0

Compare Source

Added

• define package.json in exports

v8.5.1

Compare Source

Changed

• updated dev dependencies via npm audit

v8.5.0

Compare Source

Added

• allow for import "dotenv/config"

v8.4.0

Compare Source

Changed

• point to exact types file to work with VS Code

v8.3.0

Compare Source

Changed

• Breaking: drop support for Node v8 (mistake to be released as minor bump. later bumped to 9.0.0. see above.)

iamcal/emoji-data (emoji-datasource)

v6.1.1

Compare Source

• NPM packages now include categories.json (fixes #​187)
• Added subcategory property for all emoji (thanks to @​ekohilas)
• Switched sort_order to be globally unique
• categories.json now includes sub-categories - data structure is not backwards compatible

v6.1.0

Compare Source

v6.0.1

Compare Source

• Fixes image set versions in the README
• Updated the build steps to not forget that in the future
• Switched U+1F41E LADY BEETLE to use :ladybug:/:lady_beetle: as a short code (:beetle: is now used by U+1FAB2 BEETLE)
• Codepoint U+1F46A FAMILY now only has the shortcode :family:, as it is no longer considered gendered (previous also had :man-woman-boy:)
• Sequence 1F468-200D-1F469-200D-1F466 now only has the shortcode man-woman-boy (previously had :family:)
• Codepoint U+1F935 MANY IN TUXEDO now has the shortcode :person_in_tuxedo: (since :man_in_tuxedo: is used by sequence 1F935*-200D-2642-FE0F. The Emoji standard and the Unicode standard appear to disagree here, but this choice seems reasonable)
• Codepoint U+1F46B MAN AND WOMAN HOLDING HANDS now has :couple: as a secondary shortcode, rather than the primary
• Added names for all sequences (fixes #​180)

sindresorhus/execa (execa)

v5.1.1

Compare Source

• Fix error message when user passes a single array argument (#​468) 2b9c0e1

v5.1.0

Compare Source

• Add .escapedCommand property to the results (#​466) 712bafc

v5.0.1

Compare Source

• Fix timeout option validation (#​463) 427c5c2

graphql/graphql-js (graphql)

v15.10.1

Compare Source

v15.10.1 (2025-01-14)

Bug Fix 🐞

• #​4326 Re-export GraphQLFormattedError as type (@​enisdenjo)

Committers: 1

• Denis Badurina(@​enisdenjo)

v15.10.0

Compare Source

v15.10.0 (2025-01-13)

New Feature 🚀

• #​4324 Backport GraphQLError toJSON method to v15 (@​enisdenjo)

Committers: 1

• Denis Badurina(@​enisdenjo)

v15.9.0

Compare Source

v15.9.0 (2024-06-21)

New Feature 🚀

• #​4120 backport[v15]: Introduce "recommended" validation rules (@​benjie)

Bug Fix 🐞

• #​3708 Fix crash in node when mixing sync/async resolvers (backport of #​3706) (@​chrskrchr)
• #​4000 Backport "Prevent Infinite Loop in OverlappingFieldsCanBeMergedRule" to v15 (@​benjie)

Internal 🏠

• #​4126 backport(v15): fix publish scripts (@​benjie)

Committers: 2

• Benjie(@​benjie)
• Chris Karcher(@​chrskrchr)

v15.8.0

Compare Source

v15.8.0 (2021-12-07)

New Feature 🚀

• #​3410 Refine getNamedType() for Input and Output types (@​IvanGoncharov)

Internal 🏠

2 PRs were merged

• #​3411 publish 15.x.x packages only under '15.x.x' tag (@​IvanGoncharov)
• #​3412 cspell: do not show progress (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v15.7.2

Compare Source

v15.7.2 (2021-10-28)

Bug Fix 🐞

• #​3343 GraphQLError: Fixed originalError.extensions overriding extensions argument to constructor (@​klippx)

Committers: 1

• Mathias Klippinge(@​klippx)

v15.7.1

Compare Source

v15.7.1 (2021-10-27)

Bug Fix 🐞

• #​3341 GraphQLError: revert originalError to be nullable (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v15.7.0

Compare Source

v15.7.0 (2021-10-26)

New Feature 🚀

• #​3327 Change type of error extensions from anonymous Record to named interfaces (@​IvanGoncharov)
• #​3333 GraphQLError: major refactoring to be more in line with v16 (@​IvanGoncharov)
• #​3334 GraphQLError: keep extensions always present (@​IvanGoncharov)

Bug Fix 🐞

• #​3332 GraphQLError: fix empty locations if error got nodes without locations (@​IvanGoncharov)
• #​3335 GraphQLError: restore order of enumerable fields (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v15.6.1

Compare Source

v15.6.1 (2021-10-05)

Bug Fix 🐞

• #​3275 type/introspection: add missing __Directive.args(includeDeprecated:) (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v15.6.0

Compare Source

v15.6.0 (2021-09-20)

New Feature 🚀

• #​3267 Depreacate 'VisitorKeyMap' and backported 'ASTVisitorKeyMap' type (@​IvanGoncharov)

Committers: 1

• Ivan Goncharov(@​IvanGoncharov)

v15.5.3

Compare Source

v15.5.3 (2021-09-06)

Bug Fix 🐞

• #​3254 Parser: fix function definition of parseArguments and parseArgument (@​n1ru4l)
• #​3260 backport: Preserve deprecationReason on GraphQLInputFields (@​IvanGoncharov)

Committers: 2

• Ivan Goncharov(@​IvanGoncharov)
• Laurin Quast(@​n1ru4l)

v15.5.2

Compare Source

v15.5.2 (2021-08-30)

Bug Fix 🐞

• #​3251 backport parser typescript type-definitions for 15.x.x release (@​n1ru4l)

Committers: 1

• Laurin Quast(@​n1ru4l)

v15.5.1

Compare Source

v15.5.1 (2021-06-20)

Bug Fix 🐞

• #​3186 Backport instanceOf Error Check Improvements (@​tubbo)

Internal 🏠

• #​3191 Remove deprecated rmdirSync usage from internal scripts (@​IvanGoncharov)

Committers: 2

• Ivan Goncharov(@​IvanGoncharov)
• Tom Scott(@​tubbo)

v15.5.0

Compare Source

v15.5.0 (2021-01-26)

Bug Fix 🐞

• #​2852 introspectionFromSchema: enable 'specifiedByUrl' by default (@​IvanGoncharov)
• #​2855 introspection: Add missing support for deprecated input values (@​IvanGoncharov)
• #​2859 separateOperations: distinguish query and fragment names (@​IvanGoncharov)
• #​2876 Replace 'localeCompare' with function independent from locale (@​IvanGoncharov)
• #​2893 Fix handling of input objects with 'length' property (@​IvanGoncharov)

Docs 📝

• #​2849 README: add instructions on using experimental features (@​robrichard)

Polish 💅

7 PRs were merged

• #​2847 Add tests for supporting Iterable collections across the lib (@​IvanGoncharov)
• #​2851 tests: update 'getIntrospectionQuery' tests to use custom matchers (@​IvanGoncharov)
• #​2858 separateOperations-test: refactor tests to look like snapshots (@​IvanGoncharov)
• #​2868 Extract types for normalized configs into named types (@​IvanGoncharov)
• #​2878 fix: type annotation cannot appear on a constructor declaration (@​saihaj)
• #​2879 fix: no need to mark param optional if default value is given (@​saihaj)
• #​2889 Simplify isAsyncIterable (@​IvanGoncharov)

Internal 🏠

7 PRs were merged

• #​2831 build: add support for experimental releases (@​IvanGoncharov)
• #​2836 CI: test on node 15 (@​IvanGoncharov)
• #​2837 Flow: remove support for measuring Flow coverage (@​IvanGoncharov)
• #​2838 TS: exclude integration tests from root tsconfig.json (@​IvanGoncharov)
• #​2840 resources: use named groups in RegExp (@​IvanGoncharov)
• #​2886 Use correct flags for rmdir/mkdir functions (@​IvanGoncharov)
• #​2891 benchmark: fix temp dir creation (@​IvanGoncharov)

Dependency 📦

5 PRs were merged

• #​2835 Update deps (@​IvanGoncharov)
• #​2844 Update deps (@​IvanGoncharov)
• #​2850 Update deps (@​IvanGoncharov)
• #​2884 Update deps (@​IvanGoncharov)
• #​2890 Update deps (@​IvanGoncharov)

Committers: 3

• Ivan Goncharov(@​IvanGoncharov)
• Rob Richard(@​robrichard)
• Saihajpreet Singh(@​saihaj)

apollographql/graphql-tag (graphql-tag)

v2.12.6

Compare Source

• Update peer dependencies to allow graphql ^16.0.0.
  
  @​brainkim in #​530

v2.12.5

Compare Source

• Also publish src/ directory to npm, enabling source maps.
  
  @​maclockard in #​403

v2.12.4

Compare Source

• Allow fragments to be imported by name when using the webpack loader.
  
  @​dobesv in #​257

v2.12.3

Compare Source

• Update tslib dependency to version 2.1.0.
  
  @​benjamn in #​381

v2.12.2

Compare Source

• Avoid using Object.assign to attach extra properties to gql.
  
  @​benjamn in #​380

v2.12.1

Compare Source

• To accommodate older versions of TypeScript, usage of the import type ... syntax (introduced by #​325) has been removed, fixing issue #​345.
  
  @​benjamn in #​352

v2.12.0

Compare Source

• The graphql-tag repository has been converted to TypeScript, adding type safety and enabling both ECMAScript and CommonJS module exports. While these changes are intended to be as backwards-compatible as possible, we decided to bump the minor version to reflect the significant refactoring.
  
  @​PowerKiKi and @​benjamn in #​325

helmetjs/helmet (helmet)

v4.6.0

Compare Source

Added

• helmet.contentSecurityPolicy: the useDefaults option, defaulting to false, lets you selectively override defaults more easily
• Explicitly define TypeScript types in package.json. See #​303

v4.5.0

[Compare Source]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.