step-node-agent 3.29.0 → 3.29.2

package/node_modules/body-parser/HISTORY.md

@@ -1,3 +1,11 @@
+1.20.4 / 2025-12-01
+===================
+
+  * deps: qs@~6.14.0
+  * deps: use tilde notation for dependencies
+  * deps: http-errors@~2.0.1
+  * deps: raw-body@~2.5.3
+
 1.20.3 / 2024-09-10
 ===================
 

package/node_modules/body-parser/lib/types/urlencoded.js

@@ -55,9 +55,6 @@ function urlencoded (options) {
     : opts.limit
   var type = opts.type || 'application/x-www-form-urlencoded'
   var verify = opts.verify || false
-  var depth = typeof opts.depth !== 'number'
-    ? Number(opts.depth || 32)
-    : opts.depth
 
   if (verify !== false && typeof verify !== 'function') {
     throw new TypeError('option verify must be function')
@@ -121,8 +118,7 @@ function urlencoded (options) {
       encoding: charset,
       inflate: inflate,
       limit: limit,
-      verify: verify,
-      depth: depth
+      verify: verify
     })
   }
 }
@@ -137,10 +133,7 @@ function extendedparser (options) {
   var parameterLimit = options.parameterLimit !== undefined
     ? options.parameterLimit
     : 1000
-
-  var depth = typeof options.depth !== 'number'
-    ? Number(options.depth || 32)
-    : options.depth
+  var depth = options.depth !== undefined ? options.depth : 32
   var parse = parser('qs')
 
   if (isNaN(parameterLimit) || parameterLimit < 1) {

package/node_modules/body-parser/package.json

@@ -1,7 +1,7 @@
 {
   "name": "body-parser",
   "description": "Node.js body parsing middleware",
-  "version": "1.20.3",
+  "version": "1.20.4",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>",
     "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)"
@@ -9,18 +9,18 @@
   "license": "MIT",
   "repository": "expressjs/body-parser",
   "dependencies": {
-    "bytes": "3.1.2",
+    "bytes": "~3.1.2",
     "content-type": "~1.0.5",
     "debug": "2.6.9",
     "depd": "2.0.0",
-    "destroy": "1.2.0",
-    "http-errors": "2.0.0",
-    "iconv-lite": "0.4.24",
-    "on-finished": "2.4.1",
-    "qs": "6.13.0",
-    "raw-body": "2.5.2",
+    "destroy": "~1.2.0",
+    "http-errors": "~2.0.1",
+    "iconv-lite": "~0.4.24",
+    "on-finished": "~2.4.1",
+    "qs": "~6.14.0",
+    "raw-body": "~2.5.3",
     "type-is": "~1.6.18",
-    "unpipe": "1.0.0"
+    "unpipe": "~1.0.0"
   },
   "devDependencies": {
     "eslint": "8.34.0",
@@ -40,7 +40,6 @@
     "lib/",
     "LICENSE",
     "HISTORY.md",
-    "SECURITY.md",
     "index.js"
   ],
   "engines": {

package/node_modules/cookie/index.js

@@ -21,6 +21,7 @@ exports.serialize = serialize;
  */
 
 var __toString = Object.prototype.toString
+var __hasOwnProperty = Object.prototype.hasOwnProperty
 
 /**
  * RegExp to match cookie-name in RFC 6265 sec 4.1.1
@@ -130,7 +131,7 @@ function parse(str, opt) {
     var key = str.slice(keyStartIdx, keyEndIdx);
 
     // only assign once
-    if (!obj.hasOwnProperty(key)) {
+    if (!__hasOwnProperty.call(obj, key)) {
       var valStartIdx = startIndex(str, eqIdx + 1, endIdx);
       var valEndIdx = endIndex(str, endIdx, valStartIdx);
 

package/node_modules/cookie/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cookie",
   "description": "HTTP server cookie parsing and serialization",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "author": "Roman Shtylman <shtylman@gmail.com>",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>"

package/node_modules/cookie-signature/History.md

@@ -1,10 +1,14 @@
+1.0.7 / 2023-04-12
+==================
+
+* backport the buffer support from the 1.2.x release branch (thanks @FadhiliNjagi!)
+
 1.0.6 / 2015-02-03
 ==================
 
 * use `npm test` instead of `make test` to run tests
 * clearer assertion messages when checking input
 
-
 1.0.5 / 2014-09-05
 ==================
 

package/node_modules/cookie-signature/index.js

@@ -8,14 +8,14 @@ var crypto = require('crypto');
  * Sign the given `val` with `secret`.
  *
  * @param {String} val
- * @param {String} secret
+ * @param {String|NodeJS.ArrayBufferView|crypto.KeyObject} secret
  * @return {String}
  * @api private
  */
 
 exports.sign = function(val, secret){
-  if ('string' != typeof val) throw new TypeError("Cookie value must be provided as a string.");
-  if ('string' != typeof secret) throw new TypeError("Secret string must be provided.");
+  if ('string' !== typeof val) throw new TypeError("Cookie value must be provided as a string.");
+  if (null == secret) throw new TypeError("Secret key must be provided.");
   return val + '.' + crypto
     .createHmac('sha256', secret)
     .update(val)
@@ -28,14 +28,14 @@ exports.sign = function(val, secret){
  * returning `false` if the signature is invalid.
  *
  * @param {String} val
- * @param {String} secret
+ * @param {String|NodeJS.ArrayBufferView|crypto.KeyObject} secret
  * @return {String|Boolean}
  * @api private
  */
 
 exports.unsign = function(val, secret){
-  if ('string' != typeof val) throw new TypeError("Signed cookie string must be provided.");
-  if ('string' != typeof secret) throw new TypeError("Secret string must be provided.");
+  if ('string' !== typeof val) throw new TypeError("Signed cookie string must be provided.");
+  if (null == secret) throw new TypeError("Secret key must be provided.");
   var str = val.slice(0, val.lastIndexOf('.'))
     , mac = exports.sign(str, secret);
   

package/node_modules/cookie-signature/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cookie-signature",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Sign and unsign cookies",
   "keywords": ["cookie", "sign", "unsign"],
   "author": "TJ Holowaychuk <tj@learnboost.com>",
@@ -15,4 +15,4 @@
     "test": "mocha --require should --reporter spec"
   },
   "main": "index"
-}
+}

package/node_modules/express/History.md

@@ -1,3 +1,14 @@
+4.22.1 / 2025-12-01
+==========
+
+  * Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+
+4.22.0 / 2025-12-01
+==========
+  * Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+  * deps: use tilde notation for dependencies
+  * deps: qs@6.14.0
+
 4.21.2 / 2024-11-06
 ==========
 

package/node_modules/express/package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.21.2",
+  "version": "4.22.1",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -34,32 +34,32 @@
   "dependencies": {
     "accepts": "~1.3.8",
     "array-flatten": "1.1.1",
-    "body-parser": "1.20.3",
-    "content-disposition": "0.5.4",
+    "body-parser": "~1.20.3",
+    "content-disposition": "~0.5.4",
     "content-type": "~1.0.4",
-    "cookie": "0.7.1",
-    "cookie-signature": "1.0.6",
+    "cookie": "~0.7.1",
+    "cookie-signature": "~1.0.6",
     "debug": "2.6.9",
     "depd": "2.0.0",
     "encodeurl": "~2.0.0",
     "escape-html": "~1.0.3",
     "etag": "~1.8.1",
-    "finalhandler": "1.3.1",
-    "fresh": "0.5.2",
-    "http-errors": "2.0.0",
+    "finalhandler": "~1.3.1",
+    "fresh": "~0.5.2",
+    "http-errors": "~2.0.0",
     "merge-descriptors": "1.0.3",
     "methods": "~1.1.2",
-    "on-finished": "2.4.1",
+    "on-finished": "~2.4.1",
     "parseurl": "~1.3.3",
-    "path-to-regexp": "0.1.12",
+    "path-to-regexp": "~0.1.12",
     "proxy-addr": "~2.0.7",
-    "qs": "6.13.0",
+    "qs": "~6.14.0",
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
-    "send": "0.19.0",
-    "serve-static": "1.16.2",
+    "send": "~0.19.0",
+    "serve-static": "~1.16.2",
     "setprototypeof": "1.2.0",
-    "statuses": "2.0.1",
+    "statuses": "~2.0.1",
     "type-is": "~1.6.18",
     "utils-merge": "1.0.1",
     "vary": "~1.1.2"
@@ -75,11 +75,11 @@
     "hbs": "4.2.0",
     "marked": "0.7.0",
     "method-override": "3.0.0",
-    "mocha": "10.2.0",
+    "mocha": "^6.2.2",
     "morgan": "1.10.0",
-    "nyc": "15.1.0",
+    "nyc": "^14.1.1",
     "pbkdf2-password": "1.2.1",
-    "supertest": "6.3.0",
+    "supertest": "^6.1.6",
     "vhost": "~3.0.2"
   },
   "engines": {

package/node_modules/finalhandler/HISTORY.md

@@ -1,3 +1,9 @@
+v1.3.2 / 2025-12-01
+==================
+
+  * deps: use tilde notation for dependencies
+  * deps: statuses@~2.0.2
+
 v1.3.1 / 2024-09-11
 ==================
 

package/node_modules/finalhandler/package.json

@@ -1,7 +1,7 @@
 {
   "name": "finalhandler",
   "description": "Node.js final http responder",
-  "version": "1.3.1",
+  "version": "1.3.2",
   "author": "Douglas Christopher Wilson <doug@somethingdoug.com>",
   "license": "MIT",
   "repository": "pillarjs/finalhandler",
@@ -9,9 +9,9 @@
     "debug": "2.6.9",
     "encodeurl": "~2.0.0",
     "escape-html": "~1.0.3",
-    "on-finished": "2.4.1",
+    "on-finished": "~2.4.1",
     "parseurl": "~1.3.3",
-    "statuses": "2.0.1",
+    "statuses": "~2.0.2",
     "unpipe": "~1.0.0"
   },
   "devDependencies": {

package/node_modules/http-errors/HISTORY.md

@@ -1,3 +1,9 @@
+2.0.1 / 2025-11-20
+==================
+
+  * deps: use tilde notation for dependencies
+  * deps: update statuses to 2.0.2
+
 2.0.0 / 2021-12-17
 ==================
 

package/node_modules/http-errors/index.js

@@ -279,11 +279,12 @@ function populateConstructorExports (exports, codes, HttpError) {
 
 /**
  * Get a class name from a name identifier.
+ *
+ * @param {string} name
+ * @returns {string}
  * @private
  */
 
 function toClassName (name) {
-  return name.substr(-5) !== 'Error'
-    ? name + 'Error'
-    : name
+  return name.slice(-5) === 'Error' ? name : name + 'Error'
 }

package/node_modules/http-errors/package.json

@@ -1,7 +1,7 @@
 {
   "name": "http-errors",
   "description": "Create HTTP error objects",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "author": "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)",
   "contributors": [
     "Alan Plum <me@pluma.io>",
@@ -9,17 +9,21 @@
   ],
   "license": "MIT",
   "repository": "jshttp/http-errors",
+  "funding": {
+    "type": "opencollective",
+    "url": "https://opencollective.com/express"
+  },
   "dependencies": {
-    "depd": "2.0.0",
-    "inherits": "2.0.4",
-    "setprototypeof": "1.2.0",
-    "statuses": "2.0.1",
-    "toidentifier": "1.0.1"
+    "depd": "~2.0.0",
+    "inherits": "~2.0.4",
+    "setprototypeof": "~1.2.0",
+    "statuses": "~2.0.2",
+    "toidentifier": "~1.0.1"
   },
   "devDependencies": {
     "eslint": "7.32.0",
     "eslint-config-standard": "14.1.1",
-    "eslint-plugin-import": "2.25.3",
+    "eslint-plugin-import": "2.32.0",
     "eslint-plugin-markdown": "2.2.1",
     "eslint-plugin-node": "11.1.0",
     "eslint-plugin-promise": "5.2.0",
@@ -32,7 +36,7 @@
   },
   "scripts": {
     "lint": "eslint . && node ./scripts/lint-readme-list.js",
-    "test": "mocha --reporter spec --bail",
+    "test": "mocha --reporter spec",
     "test-ci": "nyc --reporter=lcov --reporter=text npm test",
     "test-cov": "nyc --reporter=html --reporter=text npm test",
     "version": "node scripts/version-history.js && git add HISTORY.md"

package/node_modules/qs/.github/SECURITY.md

@@ -0,0 +1,11 @@
+# Security
+
+Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
+
+## Incident Response Plan
+
+Please see our [Incident Response Plan](https://github.com/ljharb/.github/blob/main/INCIDENT_RESPONSE_PLAN.md).
+
+## Threat Model
+
+Please see [THREAT_MODEL.md](./THREAT_MODEL.md).

package/node_modules/qs/.github/THREAT_MODEL.md

@@ -0,0 +1,78 @@
+## Threat Model for qs (querystring parsing library)
+
+### 1. Library Overview
+
+- **Library Name:** qs
+- **Brief Description:** A JavaScript library for parsing and stringifying URL query strings, supporting nested objects and arrays. It is widely used in Node.js and web applications for processing query parameters[2][6][8].
+- **Key Public APIs/Functions:** `qs.parse()`, `qs.stringify()`
+
+### 2. Define Scope
+
+This threat model focuses on the core parsing and stringifying functionality, specifically the handling of nested objects and arrays, option validation, and cycle management in stringification.
+
+### 3. Conceptual System Diagram
+
+```
+Caller Application → qs.parse(input, options) → Parsing Engine → Output Object
+                           │
+                           └→ Options Handling
+
+Caller Application → qs.stringify(obj, options) → Stringifying Engine → Output String
+                           │
+                           └→ Options Handling
+                           └→ Cycle Tracking
+```
+
+**Trust Boundaries:**
+- **Input string (parse):** May come from untrusted sources (e.g., user input, network requests)
+- **Input object (stringify):** May contain cycles, which can lead to infinite loops during stringification
+- **Options:** Provided by the caller
+- **Cycle Tracking:** Used only during stringification to detect and handle circular references
+
+### 4. Identify Assets
+
+- **Integrity of parsed output:** Prevent malicious manipulation of the output object structure, especially ensuring builtins/globals are not modified as a result of parse[3][4][8].
+- **Confidentiality of processed data:** Avoid leaking sensitive information through errors or output.
+- **Availability/performance for host application:** Prevent crashes or resource exhaustion in the consuming application.
+- **Security of host application:** Prevent the library from being a vector for attacks (e.g., prototype pollution, DoS).
+- **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1].
+
+### 5. Identify Threats
+
+| Component / API / Interaction         | S  | T  | R  | I  | D  | E  |
+|---------------------------------------|----|----|----|----|----|----|
+| Public API Call (`parse`)             | –  | ✓  | –  | ✓  | ✓  | ✓  |
+| Public API Call (`stringify`)         | –  | ✓  | –  | ✓  | ✓  | –  |
+| Options Handling                      | ✓  | ✓  | –  | ✓  | –  | ✓  |
+| Dependency Interaction                | –  | –  | –  | –  | ✓  | –  |
+
+**Key Threats:**
+- **Tampering:** Malicious input can, if not prevented, alter parsed output (e.g., prototype pollution via `__proto__`, modification of builtins/globals)[3][4][8].
+- **Information Disclosure:** Error messages may expose internal details or sensitive data.
+- **Denial of Service:** Large or malformed input can exhaust memory or CPU.
+- **Elevation of Privilege:** Prototype pollution can lead to unintended privilege escalation in the host application[3][4][8].
+
+### 6. Mitigation/Countermeasures
+
+| Threat Identified                                 | Proposed Mitigation |
+|---------------------------------------------------|---------------------|
+| Tampering (malicious input, prototype pollution)  | Strict input validation; keep `allowPrototypes: false` by default; use `plainObjects` for output; ensure builtins/globals are never modified by parse[4][8]. |
+| Information Disclosure (error messages)           | Generic error messages without stack traces or internal paths. |
+| Denial of Service (memory/CPU exhaustion)         | Enforce `arrayLimit` and `parameterLimit` with safe defaults; enable `throwOnLimitExceeded`; limit nesting depth[7]. |
+| Elevation of Privilege (prototype pollution)      | Keep `allowPrototypes: false`; validate options against allowlist; use `plainObjects` to avoid prototype pollution[4][8]. |
+
+### 7. Risk Ranking
+
+- **High:** Denial of Service via array parsing or malformed input (historical vulnerability)
+- **Medium:** Prototype pollution via options or input (if `allowPrototypes` enabled)
+- **Low:** Information disclosure in errors
+
+### 8. Next Steps & Review
+
+1. **Audit option validation logic.**
+2. **Add depth limiting to nested parsing and stringification.**
+3. **Implement fuzz testing for parser and stringifier edge cases.**
+4. **Regularly review dependencies for vulnerabilities.**
+5. **Keep documentation and threat model up to date.**
+6. **Ensure builtins/globals are never modified as a result of parse.**
+7. **Support round-trip consistency between parse and stringify as a non-security goal, with the right options[5][9].**

package/node_modules/qs/CHANGELOG.md

@@ -1,3 +1,34 @@
+## **6.14.1**
+- [Fix] ensure arrayLength applies to `[]` notation as well
+- [Fix] `parse`: when a custom decoder returns `null` for a key, ignore that key
+- [Refactor] `parse`: extract key segment splitting helper
+- [meta] add threat model
+- [actions] add workflow permissions
+- [Tests] `stringify`: increase coverage
+- [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `npmignore`, `es-value-fixtures`, `for-each`, `object-inspect`
+
+## **6.14.0**
+- [New] `parse`: add `throwOnParameterLimitExceeded` option (#517)
+- [Refactor] `parse`: use `utils.combine` more
+- [patch] `parse`: add explicit `throwOnLimitExceeded` default
+- [actions] use shared action; re-add finishers
+- [meta] Fix changelog formatting bug
+- [Deps] update `side-channel`
+- [Dev Deps] update `es-value-fixtures`, `has-bigints`, `has-proto`, `has-symbols`
+- [Tests] increase coverage
+
+## **6.13.1**
+- [Fix] `stringify`: avoid a crash when a `filter` key is `null`
+- [Fix] `utils.merge`: functions should not be stringified into keys
+- [Fix] `parse`: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
+- [Fix] `stringify`: ensure a non-string `filter` does not crash
+- [Refactor] use `__proto__` syntax instead of `Object.create` for null objects
+- [Refactor] misc cleanup
+- [Tests] `utils.merge`: add some coverage
+- [Tests] fix a test case
+- [actions] split out node 10-20, and 20+
+- [Dev Deps] update `es-value-fixtures`, `mock-property`, `object-inspect`, `tape`
+
 ## **6.13.0**
 - [New] `parse`: add `strictDepth` option (#511)
 - [Tests] use `npm audit` instead of `aud`

package/node_modules/qs/README.md

@@ -49,7 +49,7 @@ assert.deepEqual(qs.parse('foo[bar]=baz'), {
 });
 ```
 
-When using the `plainObjects` option the parsed value is returned as a null object, created via `Object.create(null)` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:
+When using the `plainObjects` option the parsed value is returned as a null object, created via `{ __proto__: null }` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:
 
 ```javascript
 var nullObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true });
@@ -135,6 +135,18 @@ var limited = qs.parse('a=b&c=d', { parameterLimit: 1 });
 assert.deepEqual(limited, { a: 'b' });
 ```
 
+If you want an error to be thrown whenever the a limit is exceeded (eg, `parameterLimit`, `arrayLimit`), set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.
+```javascript
+try {
+    qs.parse('a=1&b=2&c=3&d=4', { parameterLimit: 3, throwOnLimitExceeded: true });
+} catch (err) {
+    assert(err instanceof Error);
+    assert.strictEqual(err.message, 'Parameter limit exceeded. Only 3 parameters allowed.');
+}
+```
+
+When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `parameterLimit` and ignore the rest without throwing an error.
+
 To bypass the leading question mark, use `ignoreQueryPrefix`:
 
 ```javascript
@@ -286,6 +298,18 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
 assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
 ```
 
+If you want to throw an error whenever the array limit is exceeded, set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.
+```javascript
+try {
+    qs.parse('a[1]=b', { arrayLimit: 0, throwOnLimitExceeded: true });
+} catch (err) {
+    assert(err instanceof Error);
+    assert.strictEqual(err.message, 'Array limit exceeded. Only 0 elements allowed in an array.');
+}
+```
+
+When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `arrayLimit` and if the limit is exceeded, the array will instead be converted to an object with the index as the key
+
 To disable array parsing entirely, set `parseArrays` to `false`.
 
 ```javascript