chore(deps): bump the production-dependencies group across 1 directory with 12 updates

[dependabot]

Bumps the production-dependencies group with 12 updates in the /backend directory:

Package	From	To
@octokit/core	6.1.4	7.0.4
cron	4.1.3	4.3.3
dayjs	1.11.13	1.11.18
dotenv	16.4.7	17.2.2
eventsource	3.0.6	4.0.0
express	4.21.2	5.1.0
express-rate-limit	7.5.0	8.1.0
mongoose	8.13.2	8.18.2
mysql2	3.14.0	3.15.0
octokit	4.1.2	5.0.3
smee-client	3.1.1	4.3.1
validator	13.15.0	13.15.15

Updates @octokit/core from 6.1.4 to 7.0.4

Release notes

Sourced from @​octokit/core's releases.

v7.0.4

7.0.4 (2025-09-16)

Bug Fixes

• deps: update dependency @​octokit/types to v15 (#748) (03b6c28)

v7.0.3

7.0.3 (2025-07-10)

Bug Fixes

• add createLogger to ensure that pino does not break (#744) (0896c50)

v7.0.2

7.0.2 (2025-05-20)

Bug Fixes

• deps: update octokit monorepo (major) (#742) (629fa4e)

v7.0.1

7.0.1 (2025-05-20)

Bug Fixes

• deps: update dependency before-after-hook to v4 (#739) (2abf89e)

v7.0.0

7.0.0 (2025-05-20)

Continuous Integration

• stop testing against NodeJS v18 (#738) (78747bf)

BREAKING CHANGES

• Drop support for NodeJS v18

• build: set minimal node version in build script to v20

• ci: stop testing against NodeJS v18

v6.1.6

... (truncated)

Commits

• 03b6c28 fix(deps): update dependency @​octokit/types to v15 (#748)
• 4951837 ci(action): update actions/checkout action to v5 (#745)
• f576bc8 chore(deps): bump vite from 6.3.5 to 6.3.6 (#747)
• 9c425e3 chore(deps): update dependency prettier to v3.6.2 (#743)
• 0896c50 fix: add createLogger to ensure that pino does not break (#744)
• 629fa4e fix(deps): update octokit monorepo (major) (#742)
• 1aba598 chore(deps): update dependency undici to v7 (#711)
• 2abf89e fix(deps): update dependency before-after-hook to v4 (#739)
• 78747bf ci: stop testing against NodeJS v18 (#738)
• 38dd554 chore(deps): update dependency undici to v6.21.2 [security] (#741)
• Additional commits viewable in compare view

Updates cron from 4.1.3 to 4.3.3

Release notes

Sourced from cron's releases.

v4.3.3

4.3.3 (2025-08-01)

🛠 Builds

• deps: update dependency @​types/luxon to ~3.7.0 (9bd0c4e)

♻️ Chores

• action: update github/codeql-action action to v3.29.4 (f28ea6a)
• action: update marocchino/sticky-pull-request-comment action to v2.9.4 (ceb7a0c)
• action: update step-security/harden-runner action to v2.13.0 (91e2402)
• deps: lock file maintenance (34130fc)
• deps: lock file maintenance (b79e0c2)
• deps: lock file maintenance (281e1aa)
• deps: update dependency @​types/node to v22.16.5 (16cdbab)
• deps: update dependency chai to v5.2.1 (08b58ce)
• deps: update dependency semantic-release to v24.2.7 (bc3fab6)
• deps: update linters (b692865)
• deps: update swc monorepo (4f3d063)

v4.3.2

4.3.2 (2025-07-13)

🛠 Builds

• deps: update dependency luxon to ~3.7.0 (db69c74)

♻️ Chores

• action: update github/codeql-action action to v3.29.0 (#990) (a3fbb3c)
• action: update github/codeql-action action to v3.29.2 (0403c53)
• action: update marocchino/sticky-pull-request-comment action to v2.9.3 (eda0c4d)
• action: update ossf/scorecard-action action to v2.4.2 (#991) (29a3a60)
• action: update step-security/harden-runner action to v2.12.1 (ba49a56)
• action: update step-security/harden-runner action to v2.12.2 (845202e)
• deps: lock file maintenance (#989) (bc1bf72)
• deps: lock file maintenance (#999) (e78d986)
• deps: update dependency @​swc/core to v1.12.1 (#992) (b5d3bd3)
• deps: update dependency @​swc/core to v1.12.5 (d374494)
• deps: update dependency @​swc/core to v1.12.9 (8060c41)
• deps: update dependency @​types/node to v22.15.32 (#993) (ce9743b)
• deps: update dependency @​types/node to v22.16.0 (7bae5b1)
• deps: update linters (24eb53f)
• deps: update linters (#995) (9395484)
• deps: update node.js to v23.11.1 (#985) (674a344)
• deps: update semantic-release related packages (cc2676a)
• deps: update semantic-release related packages (#994) (4d738df)

v4.3.1

... (truncated)

Changelog

Sourced from cron's changelog.

4.3.3 (2025-08-01)

🛠 Builds

• deps: update dependency @​types/luxon to ~3.7.0 (9bd0c4e)

♻️ Chores

• action: update github/codeql-action action to v3.29.4 (f28ea6a)
• action: update marocchino/sticky-pull-request-comment action to v2.9.4 (ceb7a0c)
• action: update step-security/harden-runner action to v2.13.0 (91e2402)
• deps: lock file maintenance (34130fc)
• deps: lock file maintenance (b79e0c2)
• deps: lock file maintenance (281e1aa)
• deps: update dependency @​types/node to v22.16.5 (16cdbab)
• deps: update dependency chai to v5.2.1 (08b58ce)
• deps: update dependency semantic-release to v24.2.7 (bc3fab6)
• deps: update linters (b692865)
• deps: update swc monorepo (4f3d063)

4.3.2 (2025-07-13)

🛠 Builds

• deps: update dependency luxon to ~3.7.0 (db69c74)

♻️ Chores

• action: update github/codeql-action action to v3.29.0 (#990) (a3fbb3c)
• action: update github/codeql-action action to v3.29.2 (0403c53)
• action: update marocchino/sticky-pull-request-comment action to v2.9.3 (eda0c4d)
• action: update ossf/scorecard-action action to v2.4.2 (#991) (29a3a60)
• action: update step-security/harden-runner action to v2.12.1 (ba49a56)
• action: update step-security/harden-runner action to v2.12.2 (845202e)
• deps: lock file maintenance (#989) (bc1bf72)
• deps: lock file maintenance (#999) (e78d986)
• deps: update dependency @​swc/core to v1.12.1 (#992) (b5d3bd3)
• deps: update dependency @​swc/core to v1.12.5 (d374494)
• deps: update dependency @​swc/core to v1.12.9 (8060c41)
• deps: update dependency @​types/node to v22.15.32 (#993) (ce9743b)
• deps: update dependency @​types/node to v22.16.0 (7bae5b1)
• deps: update linters (24eb53f)
• deps: update linters (#995) (9395484)
• deps: update node.js to v23.11.1 (#985) (674a344)
• deps: update semantic-release related packages (cc2676a)
• deps: update semantic-release related packages (#994) (4d738df)

4.3.1 (2025-05-29)

🐛 Bug Fixes

... (truncated)

Commits

• 6ce81eb Release v4.3.3 [skip ci]
• 9bd0c4e build(deps): update dependency @​types/luxon to ~3.7.0
• 34130fc chore(deps): lock file maintenance
• 4f3d063 chore(deps): update swc monorepo
• b692865 chore(deps): update linters
• 91e2402 chore(action): update step-security/harden-runner action to v2.13.0
• bc3fab6 chore(deps): update dependency semantic-release to v24.2.7
• 08b58ce chore(deps): update dependency chai to v5.2.1
• 16cdbab chore(deps): update dependency @​types/node to v22.16.5
• ceb7a0c chore(action): update marocchino/sticky-pull-request-comment action to v2.9.4
• Additional commits viewable in compare view

Updates dayjs from 1.11.13 to 1.11.18

Release notes

Sourced from dayjs's releases.

v1.11.18

1.11.18 (2025-08-30)

Bug Fixes

• error semantic-release dependency (8cfb313)

v1.11.17

1.11.17 (2025-08-29)

Bug Fixes

• [en-AU] locale use the same ordinal as moment (#2878) (1b95ecd)

v1.11.16

1.11.16 (2025-08-29)

Bug Fixes

• test release workflow (no code changes) (c38c428)

v1.11.15

1.11.15 (2025-08-28)

Bug Fixes

• Fix misspellings in Irish or Irish Gaelic [ga] (#2861) (9c14a42)

v1.11.14

1.11.14 (2025-08-27)

Bug Fixes

• .utcOffset(0, true) result and its clone are different bug (#2505) (fefdcd4)

Changelog

Sourced from dayjs's changelog.

1.11.18 (2025-08-30)

Bug Fixes

• error semantic-release dependency (8cfb313)

1.11.17 (2025-08-29)

Bug Fixes

• [en-AU] locale use the same ordinal as moment (#2878) (1b95ecd)

1.11.16 (2025-08-29)

Bug Fixes

• test release workflow (no code changes) (c38c428)

1.11.15 (2025-08-28)

Bug Fixes

• Fix misspellings in Irish or Irish Gaelic [ga] (#2861) (9c14a42)

1.11.14 (2025-08-27)

Bug Fixes

• .utcOffset(0, true) result and its clone are different bug (#2505) (fefdcd4)

Commits

• 9beb3f3 chore(release): 1.11.18 [skip ci]
• d72d0cf Merge pull request #2925 from iamkun/dev
• 9be50d5 chore: update workflow
• 8cfb313 fix: error semantic-release dependency
• b9815f9 chore: update workflow
• 7fcf939 chore(release): 1.11.17 [skip ci]
• b832bab d2m (#2922)
• 1b95ecd fix: [en-AU] locale use the same ordinal as moment (#2878)
• 5465380 chore: update .npmignore
• fcdbc82 chore: update workflow debug @​semantic-release/github
• Additional commits viewable in compare view

Updates dotenv from 16.4.7 to 17.2.2

Changelog

Sourced from dotenv's changelog.

17.2.2 (2025-09-02)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

• Fix clickable tip links by removing parentheses (#897)

17.2.0 (2025-07-09)

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"

// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)

$ node index.js
Hello World
or
$ DOTENV_CONFIG_QUIET=true node index.js

17.1.0 (2025-07-07)

Added

• Add additional security and configuration tips to the runtime log (#884)
• Dim the tips text from the main injection information text

const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
</tr></table> 

... (truncated)

Commits

• 2ea1a76 17.2.2
• 0947a83 changelog 🪵
• c8fb4aa changelog 🪵
• a2b13d2 update README
• d92a91e remove
• 37cf55a 17.2.1
• f2d92e9 changelog 🪵
• bd27017 Merge pull request #897 from motdotla/adjust-tip-for-click
• 8a9ce45 add to tests
• 19e5ad9 adjust clickable tip
• Additional commits viewable in compare view

Updates eventsource from 3.0.6 to 4.0.0

Release notes

Sourced from eventsource's releases.

v4.0.0

4.0.0 (2025-05-13)

⚠ BREAKING CHANGES

• FetchLikeInit is now removed. Use EventSourceFetchInit.
• Drop support for Node.js v18, as it is end-of-life.

Features

• require node.js v20 or higher (91a3a48)

Bug Fixes

• drop FetchLikeInit type. Use EventSourceFetchInit instead. (6786e46)

---

This release is also available on:

• npm package (@​latest dist-tag)

v3.0.7

3.0.7 (2025-05-09)

Bug Fixes

• mark fetch init properties required in typings (1282872)

---

This release is also available on:

• npm package (@​latest dist-tag)

Changelog

Sourced from eventsource's changelog.

4.0.0 (2025-05-13)

⚠ BREAKING CHANGES

• FetchLikeInit is now removed. Use EventSourceFetchInit.
• Drop support for Node.js v18, as it is end-of-life.

Features

• require node.js v20 or higher (91a3a48)

Bug Fixes

• drop FetchLikeInit type. Use EventSourceFetchInit instead. (6786e46)

3.0.7 (2025-05-09)

Bug Fixes

• mark fetch init properties required in typings (1282872)

Commits

• d4385cb chore(release): 4.0.0 [skip ci]
• 3057f3a docs: update migration guide
• 6786e46 fix!: drop FetchLikeInit type. Use EventSourceFetchInit instead.
• 91a3a48 feat!: require node.js v20 or higher
• 54fbb3e chore(deps): upgrade dev dependencies to latest versions
• 270e7f2 chore(release): 3.0.7 [skip ci]
• 1282872 fix: mark fetch init properties required in typings
• See full diff in compare view

Updates express from 4.21.2 to 5.1.0

Release notes

Sourced from express's releases.

v5.1.0

What's Changed

• Update captains by @​UlisesGascon in expressjs/express#6027
• build: Node.js 23.0 by @​bjohansebas in expressjs/express#6075
• Add funding field (v5) by @​bjohansebas in expressjs/express#6064
• ✅ add discarded middleware test by @​ctcpip in expressjs/express#5819
• update homepage link http to https by @​bjohansebas in expressjs/express#5920
• Improve readme by @​bjohansebas in expressjs/express#5994
• Add bjohansebas as repo captain for expressjs.com by @​crandmck in expressjs/express#6058
• Remove Object.setPrototypeOf polyfill by @​Phillip9587 in expressjs/express#6081
• fix(buffer): use node:buffer instead of safe-buffer by @​bhavya3024 in expressjs/express#6071
• docs: Add DCO by @​UlisesGascon in expressjs/express#6048
• cleanup: remove promise support check from tests by @​Phillip9587 in expressjs/express#6148
• Use loop for acceptParams by @​blakeembrey in expressjs/express#6066
• Improve documentation step in release process by @​bjohansebas in expressjs/express#6150
• cleanup: remove unnecessary require for global Buffer by @​Phillip9587 in expressjs/express#6146
• cleanup: remove AsyncLocalStorage check by @​Phillip9587 in expressjs/express#6147
• update history.md for acceptParams change by @​jonchurch in expressjs/express#6177
• docs: add @​rxmarbles to the triage team by @​UlisesGascon in expressjs/express#6151
• refactor: improve readability by @​sazk07 in expressjs/express#6173
• docs: clarify the security process in the triage role by @​bjohansebas in expressjs/express#6217
• chore: replace methods dependency with standard library by @​jonkoops in expressjs/express#6196
• Remove utils-merge dependency - use spread syntax instead by @​Phillip9587 in expressjs/express#6091
• fix(securite): fix vulnerabilities by @​Abdel-Monaam-Aouini in expressjs/express#6211
• refactor: prefix built-in node module imports by @​slagiewka in expressjs/express#6236
• fix: remove download size badges by @​wesleytodd in expressjs/express#6266
• Remove unused depd dependency by @​jonkoops in expressjs/express#6197
• fix: usage of Invalid action input 'persist-credentials' for actions/setup-node@v4 in ci.yml by @​hamirmahal in expressjs/express#6256
• Add support for OSSF scorecard reporting by @​UlisesGascon in expressjs/express#5431
• docs: add @​Phillip9587 to the triage team by @​bjohansebas in expressjs/express#6276
• fix: added a missing semicolon in css styles in examples/auth by @​pr4j3sh in expressjs/express#6297
• docs: include team email in the security policy by @​UlisesGascon in expressjs/express#6278
• refactor: simplify normalizeTypes function by @​Ayoub-Mabrouk in expressjs/express#6097
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6314
• ci: fix npm install --include typo by @​Phillip9587 in expressjs/express#6324
• ci: updated scorecard actions by @​Phillip9587 in expressjs/express#6322
• build(deps): use carat notation for dependency versions by @​dpopp07 in expressjs/express#6317
• chore(deps): update debug to ^4.4.0 by @​Phillip9587 in expressjs/express#6313
• docs: retroactively note 5.0.0-beta.1 api change in history file by @​dpopp07 in expressjs/express#6333
• feat(deps): body-parser@^2.1.0 by @​wesleytodd in expressjs/express#6332
• feat(deps): router@^2.1.0 by @​wesleytodd in expressjs/express#6331
• Update repo captains by @​UlisesGascon in expressjs/express#6234
• deps: upgrade nyc by @​agungjati in expressjs/express#6122
• fix (deps): update deps by @​wesleytodd in expressjs/express#6337
• response: add support for ETag option in res.sendFile by @​juanarbol in expressjs/express#6073
• Update multiple links to use https instead of http by @​Phillip9587 in expressjs/express#6338
• Extend res.links() to allow adding multiple links with the same rel #2729 by @​andvea in expressjs/express#4885
• docs: update emeritus triagers by @​UlisesGascon in expressjs/express#6345
• docs: update guidance for triager nominations by @​bjohansebas in expressjs/express#6349
• docs: clarify guidelines for becoming a committer by @​bjohansebas in expressjs/express#6364

... (truncated)

Changelog

Sourced from express's changelog.

5.1.0 / 2025-03-31

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: [email protected]
• deps: [email protected]

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: [email protected]
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: [email protected]
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: [email protected]
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0

... (truncated)

Commits

• cd7d439 5.1.0
• 4c4f3ea fix(deps): serve-static@^2.2.0 (#6418)
• cb4c56e fix(docs): remove @​mertcanaltin from Triagers (#6408)
• 7b44e1d ci: use full SHAs for github action versions
• eb6d125 deps: router@^2.2.0 (#6417)
• f1a2dc8 deps: type-is@^2.0.1 (#6420)
• 6b51e8e deps: body-parser@^2.2.0 (#6419)
• 1f311c5 build(deps-dev): bump cookie-session from 2.0.0 to 2.1.0 (#6399)
• 9e97144 feat(deps): [email protected] (#6373)
• 29d0980 build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#6397)
• Additional commits viewable in compare view

Updates express-rate-limit from 7.5.0 to 8.1.0

Release notes

Sourced from express-rate-limit's releases.

v8.1.0

You can view the changelog here.

v8.0.1

You can view the changelog here.

v8.0.0

You can view the changelog here.

v7.5.1

Changed

• Narrowed type of standardHeaders from string to just the supported values via a TypeScript const assertion (#506)

---

You can view the full changelog here.

Commits

• 6061935 8.1.0
• 2f2ed4d Add validation check for Forwarded header (#549)
• d0e7c85 chore(deps-dev): bump the all group across 1 directory with 5 updates (#554)
• 66aa1b0 test: check for renamed Request in types (#543)
• 658c201 Document windowMs limit for MemoryStore and warn on invalid values (#550)
• aa3b291 fix: include RateLimit-Reset header when resetSeconds is 0 (#553)
• 1eca1a4 Update CI workflow to include pull_request trigger
• ec8a6f9 chore: migrate biome config for current version
• 207100e chore(deps-dev): bump the all group with 4 updates (#548)
• 471076d chore(deps-dev): bump the all group with 4 updates (#547)
• Additional commits viewable in compare view

Updates mongoose from 8.13.2 to 8.18.2

Release notes

Sourced from mongoose's releases.

8.18.2 / 2025-09-22

• fix(document): prevent $clone() from converting mongoose arrays into vanilla arrays #15633 #15625
• fix(connection): use correct collection name for model when using useConnection() #15637
• fix(connection): propagate changes to _lastHeartbeatAt to useDb() child connections #15640 #15635
• types: fix schema property type definition in SchemaType #15631

8.18.1 / 2025-09-08

• types: correct type inference for maps of maps #15602
• types(model): copy base model statics onto discriminator model #15623 #15600
• types: fix types for a string of enums #15605 ruiaraujo
• types(SchemaOptions): disallow versionKey: true, which fails at runtime #15606
• docs(typescript): add example explaining how to use query helper overrides for handling lean() #15622 #15601
• docs(transactions): add note about nested transactions #15624

8.18.0 / 2025-08-22

• feat(schema): support for union types #15574 #10894
• fix: trim long strings in minLength and maxLength error messages and display the string length #15571 #15550
• types(connection+collection): make BaseCollection and BaseConnection usable as values #15575 #15548
• types: remove logic that omits timestamps when virtuals, methods, etc. options set #15577 #12807

8.17.2 / 2025-08-18

• fix: avoid Model.validate() hanging when all paths fail casting #15580 #15579 piotracalski
• types(document): better support for flattenObjectIds and versionKey options for toObject() and toJSON() #15582 #15578
• docs: fix docs jsdoc tags and add UUID to be listed #15585
• docs(document): fix code sample that errors with "Cannot set properties of undefined" #15589

8.17.1 / 2025-08-07

• fix(query): propagate read preference and read concern to populate if read() called after populate() #15567 #15553
• fix(model): call correct function in autoSearchIndex #15569 #15565
• fix(model): allow setting statics option on discriminator schema #15568 #15556
• fix(model): remove unnecessary conversion of undefined -> null in findById #15566 #15551
• types: allow passing in projections without as const #15564 #15557
• types: support maxLength and minLength in SchemaTypeOptions #15570 #4720

8.17.0 / 2025-07-30

• feat: upgrade mongodb -> 6.18.0 #15552
• feat(mongoose): export base Connection and Collection classes #15548
• feat: make Schema.prototype.$conditionalHandlers public #15497
• types: automatically infer discriminator type #15547 #15535
• types: make versionKey: false disable __v from hydrated document #15524 #15511
• types: indicate support for mongodb abort #15549 GalacticHypernova
• types: add options property to schemas #15524
• types(schematype): make defaultOptions static and add schemaOptions to DocumentArray #15529 #15524

... (truncated)

Changelog

Sourced from mongoose's changelog.

8.18.2 / 2025-09-22

• fix(document): prevent $clone() from converting mongoose arrays into vanilla arrays

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

View full job summary