Bump the npm_and_yarn group across 1 directory with 8 updates #29

Open
dependabot[bot] wants to merge 6 commits into main from dependabot/npm_and_yarn/functions/testapp/functions/npm_and_yarn-80de4f8de5

dependabot bot commented on behalf of github on May 17, 2024

Bumps the npm_and_yarn group with 5 updates in the /functions/testapp/functions directory:

| Package | From | To |
| --- | --- | --- |
| @firebase/util | 0.2.14 | 1.9.6 |
| firebase-admin | 5.13.1 | 12.1.0 |
| express | 4.16.3 | 4.19.2 |
| jsonwebtoken | 7.4.3 | 9.0.2 |
| firebase-functions | 0.9.0 | 5.0.1 |

Updates @firebase/util from 0.2.14 to 1.9.6

Changelog

Sourced from @​firebase/util's changelog.

1.9.6

Patch Changes

1.9.5

Patch Changes

  • 0c5150106 #8079 - Update repository.url field in all package.json files to NPM's preferred format.

1.9.4

Patch Changes

1.9.3

Patch Changes

  • c59f537b1 #7019 - Modify base64 decoding logic to throw on invalid input, rather than silently truncating it.

1.9.2

Patch Changes

  • d071bd1ac #7007 (fixes #7005) - Move exports.default fields to always be the last field. This fixes a bug caused in 9.17.0 that prevented some bundlers and frameworks from building.

1.9.1

Patch Changes

  • 0bab0b7a7 #6981 - Added browser CJS entry points (expected by Jest when using JSDOM mode).

1.9.0

Minor Changes

  • 06dc1364d #6901 - Allow users to specify their environment as node or browser to override Firebase's runtime environment detection and force the SDK to act as if it were in the respective environment.

Patch Changes

  • d4114a4f7 #6874 (fixes #6838) - Reformat a comment that causes compile errors in some build toolchains.

1.8.0

Minor Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @​firebase/util since your current version.


Updates firebase-admin from 5.13.1 to 12.1.0

Release notes

Sourced from firebase-admin's releases.

Firebase Admin Node.js SDK v12.1.0

New Features

  • feat(rc): Add server side Remote Config support (#2529)

Miscellaneous

  • [chore] Release 12.1.0 (#2532)
  • Fix minor typo (#2533)
  • chore: Excluding certain event_types from processing uid (#2370)
  • build(deps-dev): bump gulp from 4.0.2 to 5.0.0 (#2526)
  • build(deps-dev): bump @​firebase/app-compat from 0.2.29 to 0.2.30 (#2527)
  • build(deps): bump @​google-cloud/firestore from 7.5.0 to 7.6.0 (#2528)
  • build(deps): bump undici in /.github/actions/send-email (#2521)
  • build(deps-dev): bump @​firebase/auth-types from 0.12.0 to 0.12.1 (#2514)
  • build(deps-dev): bump mocha from 10.3.0 to 10.4.0 (#2513)
  • build(deps): bump @​types/node from 20.11.30 to 20.12.2 (#2516)
  • build(deps): bump @​google-cloud/firestore from 7.4.0 to 7.5.0 (#2517)
  • build(deps-dev): bump @​firebase/app-compat from 0.2.28 to 0.2.29 (#2510)
  • build(deps): bump @​google-cloud/storage from 7.7.0 to 7.9.0 (#2509)
  • build(deps-dev): bump @​microsoft/api-extractor from 7.42.3 to 7.43.0 (#2511)
  • build(deps): bump @​types/node from 20.11.24 to 20.11.30 (#2508)
  • [chore] Fixed links to rtdb api docs (#2501)
  • issue 2467: add async to send each loop to prevent local validation from throwing in an unknown state (#2469)
  • build(deps): bump @​fastify/busboy from 2.1.0 to 2.1.1 (#2491)
  • build(deps): bump follow-redirects in /.github/actions/send-email (#2497)
  • build(deps): bump @​google-cloud/firestore from 7.3.0 to 7.4.0 (#2499)
  • build(deps): bump jose from 4.15.4 to 4.15.5 (#2489)
  • build(deps-dev): bump @​microsoft/api-extractor from 7.42.0 to 7.42.3 (#2485)
  • build(deps): bump @​types/node from 20.11.19 to 20.11.24 (#2484)
  • build(deps-dev): bump @​firebase/app-compat from 0.2.27 to 0.2.28 (#2483)
  • build(deps-dev): bump @​microsoft/api-extractor from 7.40.3 to 7.42.0 (#2480)
  • build(deps-dev): bump eslint from 8.56.0 to 8.57.0 (#2473)
  • build(deps-dev): bump nock from 13.5.3 to 13.5.4 (#2475)
  • build(deps-dev): bump @​microsoft/api-extractor from 7.40.1 to 7.40.3 (#2465)
  • build(deps-dev): bump nock from 13.5.1 to 13.5.3 (#2463)
  • build(deps): bump @​types/node from 20.11.17 to 20.11.19 (#2464)
  • build(deps): bump undici in /.github/actions/send-email (#2459)
  • build(deps): bump @​types/node from 20.11.5 to 20.11.17 (#2455)
  • build(deps-dev): bump mocha from 10.2.0 to 10.3.0 (#2454)
  • build(deps-dev): bump @​microsoft/api-extractor from 7.39.4 to 7.40.1 (#2452)
  • [chore] Update Github action workflows to fix node version and set-output deprecation warnings (#2431)
  • [chore] Bump mailgun.js to v10.1.0 (#2451)
  • build(deps): bump @​google-cloud/firestore from 7.1.0 to 7.3.0 (#2446)
  • build(deps-dev): bump @​types/uuid from 9.0.7 to 9.0.8 (#2445)
  • build(deps-dev): bump @​firebase/app-compat from 0.2.25 to 0.2.27 (#2443)
  • build(deps-dev): bump @​types/sinon from 17.0.2 to 17.0.3 (#2442)
  • [chore] Bump @actions/core to ^1.10.1 to remove set-output warning and set action to use Node 20 (#2432)
  • build(deps-dev): bump ts-node from 10.9.1 to 10.9.2 (#2435)

... (truncated)

Commits
  • 67151e6 [chore] Release 12.1.0 (#2532)
  • ba20755 Fix minor typo (#2533)
  • 19c74dc chore: Excluding certain event_types from processing uid (#2370)
  • a833f4e feat(rc): Add server side Remote Config support (#2529)
  • a00de0c build(deps-dev): bump gulp from 4.0.2 to 5.0.0 (#2526)
  • 25b2c68 build(deps-dev): bump @​firebase/app-compat from 0.2.29 to 0.2.30 (#2527)
  • fa59e2a build(deps): bump @​google-cloud/firestore from 7.5.0 to 7.6.0 (#2528)
  • 34f0ac2 build(deps): bump undici in /.github/actions/send-email (#2521)
  • 837b69b build(deps-dev): bump @​firebase/auth-types from 0.12.0 to 0.12.1 (#2514)
  • e7ea83e build(deps-dev): bump mocha from 10.3.0 to 10.4.0 (#2513)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for firebase-admin since your current version.


Updates @google-cloud/firestore from 0.15.4 to 7.7.0

Release notes

Sourced from @​google-cloud/firestore's releases.

v7.7.0

7.7.0 (2024-05-07)

Features

  • Add several fields to manage state of database encryption update (5811492)
  • Lazy-started transactions (#2017) (2c726a1)

Bug Fixes

v7.6.0

7.6.0 (2024-04-02)

Features

v7.5.0

7.5.0 (2024-03-25)

Features

v7.4.0

7.4.0 (2024-03-15)

Features

  • A new message Backup is added (#2021) (6bced86)
  • A new message BackupSchedule is added (6bced86)
  • A new message CreateBackupScheduleRequest is added (6bced86)
  • A new message DailyRecurrence is added (6bced86)
  • A new message DeleteBackupRequest is added (6bced86)
  • A new message DeleteBackupScheduleRequest is added (6bced86)
  • A new message GetBackupRequest is added (6bced86)
  • A new message GetBackupScheduleRequest is added (6bced86)
  • A new message ListBackupSchedulesRequest is added (6bced86)
  • A new message ListBackupSchedulesResponse is added (6bced86)
  • A new message ListBackupsRequest is added (6bced86)
  • A new message ListBackupsResponse is added (6bced86)

... (truncated)

Changelog

Sourced from @​google-cloud/firestore's changelog.

7.7.0 (2024-05-07)

Features

  • Add several fields to manage state of database encryption update (5811492)
  • Lazy-started transactions (#2017) (2c726a1)

Bug Fixes

7.6.0 (2024-04-02)

Features

7.5.0 (2024-03-25)

Features

7.4.0 (2024-03-15)

Features

  • A new message Backup is added (#2021) (6bced86)
  • A new message BackupSchedule is added (6bced86)
  • A new message CreateBackupScheduleRequest is added (6bced86)
  • A new message DailyRecurrence is added (6bced86)
  • A new message DeleteBackupRequest is added (6bced86)
  • A new message DeleteBackupScheduleRequest is added (6bced86)
  • A new message GetBackupRequest is added (6bced86)
  • A new message GetBackupScheduleRequest is added (6bced86)
  • A new message ListBackupSchedulesRequest is added (6bced86)
  • A new message ListBackupSchedulesResponse is added (6bced86)
  • A new message ListBackupsRequest is added (6bced86)
  • A new message ListBackupsResponse is added (6bced86)
  • A new message RestoreDatabaseMetadata is added (6bced86)
  • A new message RestoreDatabaseRequest is added (6bced86)
  • A new message UpdateBackupScheduleRequest is added (6bced86)
  • A new message WeeklyRecurrence is added (6bced86)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for @​google-cloud/firestore since your current version.


Updates express from 4.16.3 to 4.19.2

Release notes

Sourced from express's releases.

4.19.2

What's Changed

Full Changelog: expressjs/express@4.19.1...4.19.2

4.19.1

What's Changed

Full Changelog: expressjs/express@4.19.0...4.19.1

4.19.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.18.3...4.19.0

4.18.3

Main Changes

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20

  • Prevent open redirect allow list bypass due to encodeurl
  • deps: cookie@0.6.0

4.18.3 / 2024-02-29

  • Fix routing requests without method
  • deps: body-parser@1.20.2
    • Fix strict json error message on Node.js 19+
    • deps: content-type@~1.0.5
    • deps: raw-body@2.5.2
  • deps: cookie@0.6.0
    • Add partitioned option

4.18.2 / 2022-10-08

  • Fix regression routing a large stack in a single route
  • deps: body-parser@1.20.1
    • deps: qs@6.11.0
    • perf: remove unnecessary object clone
  • deps: qs@6.11.0

4.18.1 / 2022-04-29

  • Fix hanging on large stack of sync routes

4.18.0 / 2022-04-25

  • Add "root" option to res.download
  • Allow options without filename in res.download
  • Deprecate string and non-integer arguments to res.status
  • Fix behavior of null/undefined as maxAge in res.cookie
  • Fix handling very large stacks of sync middleware
  • Ignore Object.prototype values in settings through app.set/app.get

... (truncated)

Commits
  • 04bc627 4.19.2
  • da4d763 Improved fix for open redirect allow list bypass
  • 4f0f6cc 4.19.1
  • a003cfa Allow passing non-strings to res.location with new encoding handling checks f...
  • a1fa90f fixed un-edited version in history.md for 4.19.0
  • 11f2b1d build: fix build due to inconsistent supertest behavior in older versions
  • 084e365 4.19.0
  • 0867302 Prevent open redirect allow list bypass due to encodeurl
  • 567c9c6 Add note on how to update docs for new release (#5541)
  • 69a4cf2 deps: cookie@0.6.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates jsonwebtoken from 7.4.3 to 9.0.2

Changelog

Sourced from jsonwebtoken's changelog.

9.0.2 - 2023-08-30

  • security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
  • refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

  • fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default. (834503079514b72264fd13023a3b8d648afd6a16, auth0/node-jsonwebtoken@8345030)
  • RSA key size must be 2048 bits or greater. (ecdf6cc6073ea13a7e71df5fad043550f08d0fa6, auth0/node-jsonwebtoken@ecdf6cc)
  • Key types must be valid for the signing / verification algorithm

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

8.5.1 - 2019-03-18

Bug fix

Docs

8.5.0 - 2019-02-20

New Functionality

Test Improvements

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by charlesrea, a new releaser for jsonwebtoken since your current version.


Updates firebase-functions from 0.9.0 to 5.0.1

Release notes

Sourced from firebase-functions's releases.

v5.0.1

  • Fix App fetching for named firestore instances (#1562).

v5.0.0

  • Add option to get named firestore instance for v2 firestore functions (#1550).
  • Remove firebase-admin v10 dependency for Firestore triggers multi-DB support (#1555).

v4.9.0

  • Add new 2nd gen Firestore auth context triggers. (#1519)

v4.8.2

  • Fix bug with CORS options for an array of one string (#1544)

v4.8.1

  • Fix bug where 1st gen functions eventually fail with stack too deep (#1540)
  • Make simple CORS options static for improved debuggability (#1536)

v4.8.0

  • Add onInit callback function for global variable initialization (#1531)

v4.7.0

  • Fixes access on deeply nested, nonexistent property. (#1432)
  • Add IteratedDataSnapshot interface to match with firebase admin v12 (#1517).
  • Make bucket parameterizeable in storage functions (#1518)
  • Introduce helper library for select and multi-select input (#1518)

v4.6.0

  • Wrap 2nd gen onCall functions with trace context. (#1491)
  • Bump peer dependencies for firebase-admin to support 12.0.0. (#1509)

v4.5.0

  • Remove HTTP server shutdown message. (#1457)
  • Add features to task queue functions. (#1423)
  • Add traces to V2 Firestore trigger logs. (#1440)
  • Fix incorrectly parsed timestamps in auth blocking functions. (#1472)
  • Add recaptcha verdict support for auth blocking functions (#1458)

v4.4.1

  • Update list of supported regions for 2nd Gen Functions. (#1402)
  • Fix bug where log message on structured log was being overwritten (#1416)
  • Fix bug where exists() should return true for falsy values like 0, "" (#1410)

v4.4.0

  • Fix typo on alert event type. (#1384)
  • Add consumeAppCheckToken option for callable functions (#1374)

v4.3.1

  • Export Change interface from the v2 firestore path (#1379).

v4.3.0

... (truncated)

Commits
  • 80c5a37 5.0.1
  • 680849e Fix: get the app when fetching named firestore (#1562)
  • 77c16ff [firebase-release] Removed change log and reset repo after 5.0.0 release
  • f59cd1a 5.0.0
  • e7c72f3 Add changelog entry for removing admin v10 dep (#1560)
  • 29bf78f bump firebase-admin version (#1555)
  • 909215f bumping ts version (#1552)
  • 6beaaeb Add option to get named firestore instance for v2 firestore functions (#1550)
  • c89994f [firebase-release] Removed change log and reset repo after 4.9.0 release
  • 482529a 4.9.0
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by google-wombot, a new releaser for firebase-functions since your current version.


Updates node-forge from 0.7.4 to 1.3.1

Changelog

Sourced from node-forge's changelog.

1.3.1 - 2022-03-29

Fixes

  • RFC 3447 and RFC 8017 allow for optional DigestAlgorithm NULL parameters for sha* algorithms and require NULL parameters for md2 and md5 algorithms.

1.3.0 - 2022-03-17

Security

  • Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
  • HIGH: Leniency in checking digestAlgorithm structure can lead to signature forgery.
  • HIGH: Failing to check tailing garbage bytes can lead to signature forgery.
  • MEDIUM: Leniency in checking type octet.
    • DigestInfo is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
    • CVE ID: CVE-2022-24773
    • GHSA ID: GHSA-2r2c-g63r-vccr

Fixed

  • [asn1] Add fallback to pretty print invalid UTF8 data.
  • [asn1] fromDer is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option parseAllBytes can disable this behavior.
    • NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
  • [rsa] Add and use a validator to check for proper structure of parsed ASN.1

... (truncated)

Commits

Updates qs from 6.5.1 to 6.11.0

Changelog

Sourced from qs's changelog.

6.11.0

  • [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#442)
  • [readme] fix version badge

6.10.5

  • [Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#434)

6.10.4

  • [Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#441)
  • [meta] use npmignore to autogenerate an npmignore file
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

6.10.3

  • [Fix] parse: ignore __proto__ keys (#428)
  • [Robustness] stringify: avoid relying on a global undefined (#427)
  • [actions] reuse common workflows
  • [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

6.10.2

  • [Fix] stringify: actually fix cyclic references (#426)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
  • [readme] remove travis badge; add github actions/codecov badges; update URLs
  • [Docs] add note and links for coercing primitive values (#408)
  • [actions] update codecov uploader
  • [actions] update workflows
  • [Tests] clean up stringify tests slightly
  • [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

6.10.1

  • [Fix] stringify: avoid exception on repeated object values (#402)

6.10.0

  • [New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393)

Description has been truncated

Hawthorne001 and others added 6 commits February 20, 2024 13:49
…e0897c78dd9718bc3

[Snyk] Upgrade firebase-admin from 5.10.0 to 5.13.1
Bumps the npm_and_yarn group with 5 updates in the /functions/testapp/functions directory:

| Package | From | To |
| --- | --- | --- |
| [@firebase/util](https://github.com/firebase/firebase-js-sdk/tree/HEAD/packages/util) | `0.2.14` | `1.9.6` |
| [firebase-admin](https://github.com/firebase/firebase-admin-node) | `5.13.1` | `12.1.0` |
| [express](https://github.com/expressjs/express) | `4.16.3` | `4.19.2` |
| [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) | `7.4.3` | `9.0.2` |
| [firebase-functions](https://github.com/firebase/firebase-functions) | `0.9.0` | `5.0.1` |



Updates `@firebase/util` from 0.2.14 to 1.9.6
- [Release notes](https://github.com/firebase/firebase-js-sdk/releases)
- [Changelog](https://github.com/firebase/firebase-js-sdk/blob/master/packages/util/CHANGELOG.md)
- [Commits](https://github.com/firebase/firebase-js-sdk/commits/@firebase/util@1.9.6/packages/util)

Updates `firebase-admin` from 5.13.1 to 12.1.0
- [Release notes](https://github.com/firebase/firebase-admin-node/releases)
- [Commits](firebase/firebase-admin-node@v5.13.1...v12.1.0)

Updates `@google-cloud/firestore` from 0.15.4 to 7.7.0
- [Release notes](https://github.com/googleapis/nodejs-firestore/releases)
- [Changelog](https://github.com/googleapis/nodejs-firestore/blob/main/CHANGELOG.md)
- [Commits](googleapis/nodejs-firestore@v0.15.4...v7.7.0)

Updates `express` from 4.16.3 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.16.3...4.19.2)

Updates `jsonwebtoken` from 7.4.3 to 9.0.2
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v7.4.3...v9.0.2)

Updates `firebase-functions` from 0.9.0 to 5.0.1
- [Release notes](https://github.com/firebase/firebase-functions/releases)
- [Changelog](https://github.com/firebase/firebase-functions/blob/master/tsconfig.release.json)
- [Commits](firebase/firebase-functions@v0.9.0...v5.0.1)

Updates `node-forge` from 0.7.4 to 1.3.1
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@0.7.4...v1.3.1)

Updates `qs` from 6.5.1 to 6.11.0
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.5.1...v6.11.0)

---
updated-dependencies:
- dependency-name: "@firebase/util"
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: firebase-admin
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@google-cloud/firestore"
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jsonwebtoken
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: firebase-functions
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies label (Pull requests that update a dependency file) on May 17, 2024