npm(deps): bump the npm-dependencies group across 1 directory with 18 updates

[dependabot]

Bumps the npm-dependencies group with 18 updates in the / directory:

Package	From	To
dotenv	16.5.0	17.2.3
express-rate-limit	7.5.0	8.1.0
joi	17.13.3	18.0.1
mongoose	8.15.1	8.19.1
morgan	1.10.0	1.10.1
winston	3.17.0	3.18.3
yaml	2.8.0	2.8.1
@babel/preset-env	7.27.2	7.28.3
@eslint/js	9.28.0	9.37.0
cross-env	7.0.3	10.1.0
eslint-config-prettier	10.1.5	10.1.8
globals	16.2.0	16.4.0
jest	29.7.0	30.2.0
lint-staged	16.1.0	16.2.4
mongodb-memory-server	10.1.4	10.2.3
prettier	3.5.3	3.6.2
semver	7.7.2	7.7.3
supertest	7.1.1	7.1.4

Updates dotenv from 16.5.0 to 17.2.3

Changelog

Sourced from dotenv's changelog.

17.2.3 (2025-09-29)

Changed

• Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

• Fix clickable tip links by removing parentheses (#897)

17.2.0 (2025-07-09)

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"

// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)

$ node index.js
Hello World
or
$ DOTENV_CONFIG_QUIET=true node index.js

17.1.0 (2025-07-07)

Added

• Add additional security and configuration tips to the runtime log (#884)
• Dim the tips text from the main injection information text

... (truncated)

Commits

• affe113 17.2.3
• db1ff1f changelog 🪵
• 7063f16 Merge pull request #913 from motdotla/new-tips
• 0bbe72c test against expected tips
• 017951b only run .js tests
• 39eda1f add space back
• fcc030e update tips
• b6c7a0d updated tips - as Dotenvx Radar has been renamed Dotenvx Ops
• b3c8b16 remove unnecessary call to npx
• d6e4c17 Merge pull request #912 from adjerbetian/fix/typescript-error-definition
• Additional commits viewable in compare view

Updates express-rate-limit from 7.5.0 to 8.1.0

Release notes

Sourced from express-rate-limit's releases.

v8.1.0

You can view the changelog here.

v8.0.1

You can view the changelog here.

v8.0.0

You can view the changelog here.

v7.5.1

Changed

• Narrowed type of standardHeaders from string to just the supported values via a TypeScript const assertion (#506)

---

You can view the full changelog here.

Commits

• 6061935 8.1.0
• 2f2ed4d Add validation check for Forwarded header (#549)
• d0e7c85 chore(deps-dev): bump the all group across 1 directory with 5 updates (#554)
• 66aa1b0 test: check for renamed Request in types (#543)
• 658c201 Document windowMs limit for MemoryStore and warn on invalid values (#550)
• aa3b291 fix: include RateLimit-Reset header when resetSeconds is 0 (#553)
• 1eca1a4 Update CI workflow to include pull_request trigger
• ec8a6f9 chore: migrate biome config for current version
• 207100e chore(deps-dev): bump the all group with 4 updates (#548)
• 471076d chore(deps-dev): bump the all group with 4 updates (#547)
• Additional commits viewable in compare view

Updates joi from 17.13.3 to 18.0.1

Commits

• 1b923c1 18.0.1
• 1ceea4e Merge pull request #3087 from hapijs/fix/array-types
• c8bee29 fix: proper types for more complex cases of array
• 0ffadef chore: run prettier on types
• 55b0096 18.0.0
• 8ccad73 chore: add guid wrapper types
• 6c9dead Merge pull request #3082 from ben-walters/feature/fail-bracketed-uuid
• d8d8434 Applied suggestions
• dec12ec Added wrapper option to uuid function
• 703c12c chore: fix timeout warning
• Additional commits viewable in compare view

Updates mongoose from 8.15.1 to 8.19.1

Release notes

Sourced from mongoose's releases.

8.19.1 / 2025-10-06

• perf: avoid getting all modified paths in update when checking if versionKey needs to be set #15677 #15672
• perf: Avoid needless path translation #15679 orgads
• fix(query): throw error if using update operator with modifier and no path #15670 #15642
• types: avoid making FilterQuery a conditional type because of how typescript handles distributed conditional unions #15676 #15671
• docs: update installation instructions #15675 aalok-y

8.19.0 / 2025-10-02

• feat: upgrade mongodb driver to 6.20.0 #15651 #15656
• feat(model): add virtuals option to Model.hydrate() to set virtuals #15638 #15627
• fix(schema): handle casting array filters underneath maps of Mixed #15655 #15653
• types: optimize InferRawDocType #15588 ssalbdivad
• types(schema): add lean schema option to TypeScript types #15646 #15583 #10090

8.18.3 / 2025-09-29

• fix(update): avoid throwing error if update has a top-level $addToSet with no path #15648 #15642
• types(query): allow passing arbitrary options #15644 #15643
• docs(connection+mongoose): correct mongodb option name user -> username #15650 #15647
• test: add tests covering vector search and text search using Atlas CLI #15649 #15645

8.18.2 / 2025-09-22

• fix(document): prevent $clone() from converting mongoose arrays into vanilla arrays #15633 #15625
• fix(connection): use correct collection name for model when using useConnection() #15637
• fix(connection): propagate changes to _lastHeartbeatAt to useDb() child connections #15640 #15635
• types: fix schema property type definition in SchemaType #15631

8.18.1 / 2025-09-08

• types: correct type inference for maps of maps #15602
• types(model): copy base model statics onto discriminator model #15623 #15600
• types: fix types for a string of enums #15605 ruiaraujo
• types(SchemaOptions): disallow versionKey: true, which fails at runtime #15606
• docs(typescript): add example explaining how to use query helper overrides for handling lean() #15622 #15601
• docs(transactions): add note about nested transactions #15624

8.18.0 / 2025-08-22

• feat(schema): support for union types #15574 #10894
• fix: trim long strings in minLength and maxLength error messages and display the string length #15571 #15550
• types(connection+collection): make BaseCollection and BaseConnection usable as values #15575 #15548
• types: remove logic that omits timestamps when virtuals, methods, etc. options set #15577 #12807

8.17.2 / 2025-08-18

• fix: avoid Model.validate() hanging when all paths fail casting #15580 #15579 piotracalski
• types(document): better support for flattenObjectIds and versionKey options for toObject() and toJSON() #15582 #15578

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.19.1 / 2025-10-06

• perf: avoid getting all modified paths in update when checking if versionKey needs to be set #15677 #15672
• perf: Avoid needless path translation #15679 orgads
• fix(query): throw error if using update operator with modifier and no path #15670 #15642
• types: avoid making FilterQuery a conditional type because of how typescript handles distributed conditional unions #15676 #15671
• docs: update installation instructions #15675 aalok-y

8.19.0 / 2025-10-02

• feat: upgrade mongodb driver to 6.20.0 #15651 #15656
• feat(model): add virtuals option to Model.hydrate() to set virtuals #15638 #15627
• fix(schema): handle casting array filters underneath maps of Mixed #15655 #15653
• types: optimize InferRawDocType #15588 ssalbdivad
• types(schema): add lean schema option to TypeScript types #15646 #15583 #10090

8.18.3 / 2025-09-29

• fix(update): avoid throwing error if update has a top-level $addToSet with no path #15648 #15642
• types(query): allow passing arbitrary options #15644 #15643
• docs(connection+mongoose): correct mongodb option name user -> username #15650 #15647
• test: add tests covering vector search and text search using Atlas CLI #15649 #15645

8.18.2 / 2025-09-22

• fix(document): prevent $clone() from converting mongoose arrays into vanilla arrays #15633 #15625
• fix(connection): use correct collection name for model when using useConnection() #15637
• fix(connection): propagate changes to _lastHeartbeatAt to useDb() child connections #15640 #15635
• types: fix schema property type definition in SchemaType #15631

8.18.1 / 2025-09-08

• types: correct type inference for maps of maps #15602
• types(model): copy base model statics onto discriminator model #15623 #15600
• types: fix types for a string of enums #15605 ruiaraujo
• types(SchemaOptions): disallow versionKey: true, which fails at runtime #15606
• docs(typescript): add example explaining how to use query helper overrides for handling lean() #15622 #15601
• docs(transactions): add note about nested transactions #15624

8.18.0 / 2025-08-22

• feat(schema): support for union types #15574 #10894
• fix: trim long strings in minLength and maxLength error messages and display the string length #15571 #15550
• types(connection+collection): make BaseCollection and BaseConnection usable as values #15575 #15548
• types: remove logic that omits timestamps when virtuals, methods, etc. options set #15577 #12807

8.17.2 / 2025-08-18

• fix: avoid Model.validate() hanging when all paths fail casting #15580 #15579 piotracalski
• types(document): better support for flattenObjectIds and versionKey options for toObject() and toJSON() #15582 #15578

... (truncated)

Commits

• a24dce3 fix lint
• b2ae288 chore: release 8.19.1
• 7d70708 Merge pull request #15676 from Automattic/vkarpov15/gh-15671
• 616b7ca perf: reduce instantiations by avoiding FilterQuery on non-records in a way t...
• 66915ea Merge branch 'master' into vkarpov15/gh-15671
• daa978d Merge pull request #15677 from Automattic/vkarpov15/gh-15672-2
• d030c29 Merge pull request #15679 from orgads/perf-array-filters
• d4c921d perf: Avoid needless path translation
• e89d752 Merge pull request #15675 from aalok-y/main
• 931f606 Update README.md
• Additional commits viewable in compare view

Updates morgan from 1.10.0 to 1.10.1

Release notes

Sourced from morgan's releases.

1.10.1

What's Changed

• renaming simple to sample in readme by @​ryhinchey in expressjs/morgan#237
• adding installation instructions to readme by @​ryhinchey in expressjs/morgan#233
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/morgan#291
• ci: replace travis with github actions by @​inigomarquinez in expressjs/morgan#290
• docs: add example output for log formats by @​jonchurch in expressjs/morgan#299
• ci: use ubuntu-latest by @​bjohansebas in expressjs/morgan#301
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in expressjs/morgan#300
• remove --bail by @​jonchurch in expressjs/morgan#314
• ⬆️ bump on-headers by @​ctcpip in expressjs/morgan#319

New Contributors

• @​inigomarquinez made their first contribution in expressjs/morgan#291
• @​jonchurch made their first contribution in expressjs/morgan#299
• @​bjohansebas made their first contribution in expressjs/morgan#301
• @​UlisesGascon made their first contribution in expressjs/morgan#300
• @​ctcpip made their first contribution in expressjs/morgan#319

Full Changelog: expressjs/morgan@1.10.0...1.10.1

Changelog

Sourced from morgan's changelog.

1.10.1 / 2025-07-17

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• c1c7f10 🔖 1.10.1
• eb896c2 ⬆️ bump on-headers
• 1c3eec6 remove --bail (#314)
• b144728 ci: apply OSSF Scorecard security best practices (#300)
• 68c2d21 ci: use ubuntu-latest (#301)
• 8740a19 docs: add example output for log formats (#299)
• efd6bff ci: migra to GitHub actions (#290)
• 3b89789 ci: add support for OSSF scorecard reporting (#291)
• 19a6aa5 docs: add installation section
• b94f3ff docs: change simple to sample in example descriptions
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for morgan since your current version.

Updates winston from 3.17.0 to 3.18.3

Release notes

Sourced from winston's releases.

v3.18.3

• Update diagnostics dependency (removes fix-esm transitive dependency) a15a9e9

---

winstonjs/winston@v3.18.2...v3.18.3

v3.18.2

• Bump diagnostics package to resolve #2583 (again) f4582c3

---

winstonjs/winston@v3.18.1...v3.18.2

v3.18.1

• Bump diagnostics package to resolve #2583 e668c2c

---

winstonjs/winston@v3.18.0...v3.18.1

v3.18.0

• Update diagnostics package to latest version to remove vulnerability 376e331
• add @​initd.sg/winston-cloudwatch (#2532) 71ee92a
• Update transports.md (#2549) 3547a95
• docs: update transport.md (#2550) dc88db0
• feat: adds helper function for highest log level (#2514) c69cdb0

---

winstonjs/winston@v3.17.0...v3.18.0

Commits

• 4dc03d6 3.18.3
• a15a9e9 Update diagnostics dependency (removes fix-esm transitive dependency)
• ca142d0 3.18.2
• f4582c3 Bump diagnostics package to resolve #2583 (again)
• 347316e 3.18.1
• e668c2c Bump diagnostics package to resolve #2583
• 6864728 3.18.0
• 376e331 Update diagnostics package to latest version to remove vulnerability
• 71ee92a add @​initd.sg/winston-cloudwatch (#2532)
• 3547a95 Update transports.md (#2549)
• Additional commits viewable in compare view

Updates yaml from 2.8.0 to 2.8.1

Release notes

Sourced from yaml's releases.

v2.8.1

• Preserve empty block literals (#634)

Commits

• 1dc3c3b 2.8.1
• 5bbb1cb chore: Add explicit jest-resolve@29 dev dependency to keep Node.js 15 compati...
• b3ba632 chore: Refresh lockfile
• de8a0ab fix: Preserve empty block literals (#634)
• 81eb3bf docs: Update site intro
• ef23196 docs: Update README & docs/CONTRIBUTING
• aa29f42 docs: Note that schema can be a Schema
• cad823e docs: Update instructions on vulnerability reporting
• See full diff in compare view

Updates @babel/preset-env from 7.27.2 to 7.28.3

Release notes

Sourced from @​babel/preset-env's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

v7.28.2 (2025-07-24)

Thanks @​souhailaS for your first PR!

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

Committers: 4

• Babel Bot (@​babel-bot)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• SOUHAILA SERBOUT (@​souhailaS)
• @​liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @​babel/preset-env's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

• babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator
  • #17426 fix: regenerator correctly handles throw outside of try (@​liuxingbaoyu)

📝 Documentation

• babel-types
  • #17422 Add missing FunctionParameter docs (@​JLHwung)

↩️ Revert

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types
  • #17432 Do not mark OptionalMemberExpresion as LVal (@​JLHwung)

v7.28.0 (2025-07-02)

🚀 New Feature

• babel-node
  • #17147 Support top level await in node repl (@​liuxingbaoyu)
• babel-types

... (truncated)

Commits

• ef155f5 v7.28.3
• 98d18aa Misc: Cleanup Babel 8 tasks (#17429)
• fb57f26 chore: update browser compat libs (#17469)
• f4a9616 [static blocks] Do not inject new static fields after static code (#17443)
• f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
• ccc5fae v7.28.0
• 743ecd4 Add explicit resource management to preset-env (#17355)
• cd0de90 Update babel-polyfill packages (#17403)
• fdbf1b3 fix: finally causes unexpected return value (#17366)
• 7ba1afa Update babel 8 preset env fixtures (#17356)
• Additional commits viewable in compare view

Updates @eslint/js from 9.28.0 to 9.37.0

Release notes

Sourced from @​eslint/js's releases.

v9.37.0

Features

• 39f7fb4 feat: preserve-caught-error should recognize all static "cause" keys (#20163) (Pixel998)
• f81eabc feat: support TS syntax in no-restricted-imports (#19562) (Nitin Kumar)

Bug Fixes

• a129cce fix: correct no-loss-of-precision false positives for leading zeros (#20164) (Francesco Trotta)
• 09e04fc fix: add missing AST token types (#20172) (Pixel998)
• 861c6da fix: correct ESLint typings (#20122) (Pixel998)

Documentation

• b950359 docs: fix typos across the docs (#20182) (루밀LuMir)
• 42498a2 docs: improve ToC accessibility by hiding non-semantic character (#20181) (Percy Ma)
• 29ea092 docs: Update README (GitHub Actions Bot)
• 5c97a04 docs: show availableUntil in deprecated rule banner (#20170) (Pixel998)
• 90a71bf docs: update README files to add badge and instructions (#20115) (루밀LuMir)
• 1603ae1 docs: update references from master to main (#20153) (루밀LuMir)

Chores

• afe8a13 chore: update @eslint/js dependency to version 9.37.0 (#20183) (Francesco Trotta)
• abee4ca chore: package.json update for @​eslint/js release (Jenkins)
• fc9381f chore: fix typos in comments (#20175) (overlookmotel)
• e1574a2 chore: unpin jiti (#20173) (renovate[bot])
• e1ac05e refactor: mark ESLint.findConfigFile() as async, add missing docs (#20157) (Pixel998)
• 347906d chore: update eslint (#20149) (renovate[bot])
• 0cb5897 test: remove tmp dir created for circular fixes in multithread mode test (#20146) (Milos Djermanovic)
• bb99566 ci: pin jiti to version 2.5.1 (#20151) (Pixel998)
• 177f669 perf: improve worker count calculation for "auto" concurrency (#20067) (Francesco Trotta)
• 448b57b chore: Mark deprecated formatting rules as available until v11.0.0 (#20144) (Milos Djermanovic)

v9.36.0

Features

• 47afcf6 feat: correct preserve-caught-error edge cases (#20109) (Francesco Trotta)

Bug Fixes

• 75b74d8 fix: add missing rule option types (#20127) (ntnyq)
• 1c0d850 fix: update eslint-all.js to use Object.freeze for rules object (#20116) (루밀LuMir)
• 7d61b7f fix: add missing scope types to Scope.type (#20110) (Pixel998)
• 7a670c3 fix: correct rule option typings in rules.d.ts (#20084) (Pixel998)

Documentation

• b73ab12 docs: update examples to use defineConfig (#20131) (sethamus)
• 31d9392 docs: fix typos (#20118) (Pixel998)
• c7f861b docs: Update README (GitHub Actions Bot)
• 6b0c08b docs: Update README (GitHub Actions Bot)
• 91f97c5 docs: Update README (GitHub Actions Bot)

Chores

• 12411e8 chore: upgrade @​eslint/js@​9.36.0 (#20139) (Milos Djermanovic)
• 488cba6 chore: package.json update for @​eslint/js release (Jenkins)

... (truncated)

Commits

• abee4ca chore: package.json update for @​eslint/js release
• 90a71bf docs: update README files to add badge and instructions (#20115)
• 488cba6 chore: package.json update for @​eslint/js release
• 1c0d850 fix: update eslint-all.js to use Object.freeze for rules object (#20116)
• af2a087 chore: package.json update for @​eslint/js release
• 84ffb96 chore: update @eslint-community/eslint-utils (#20069)
• b48fa20 chore: package.json update for @​eslint/js release
• ad28371 chore: package.json update for @​eslint/js release
• 50de1ce chore: package.json update for @​eslint/js release
• d5054e5 chore: package.json update for @​eslint/js release
• Additional commits viewable in compare view

Updates cross-env from 7.0.3 to 10.1.0

Release notes

Sourced from cross-env's releases.

v10.1.0

10.1.0 (2025-09-29)

Features

• add support for default...

  Description has been truncated

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml