Bump express and raneto in /custom #284

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/custom/multi-7944ca9cc0

@dependabot dependabot Bot commented on behalf of github Dec 1, 2025

User description

Bumps express to 5.1.0 and updates ancestor dependency raneto. These dependencies need to be updated together.

Updates express from 4.18.2 to 5.1.0

Release notes

Sourced from express's releases.

v5.1.0

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0
    • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
  • change:
    • res.clearCookie will ignore user provided maxAge and expires options
  • deps: cookie-signature@^1.2.1
  • deps: debug@4.3.6
  • deps: merge-descriptors@^2.0.0
  • deps: serve-static@^2.1.0
  • deps: qs@6.13.0
  • deps: accepts@^2.0.0
  • deps: mime-types@^3.0.0
    • application/javascript => text/javascript
  • deps: type-is@^2.0.0
  • deps: content-disposition@^1.0.0

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by wesleytodd, a new releaser for express since your current version.


Updates raneto from 0.17.5 to 0.18.0

Release notes

Sourced from raneto's releases.

v0.18.0

2025.09.15 / v0.18.0

This is a modernization refactor.

  • [BREAKING] Default port is 8080 and not 3000
  • [BREAKING] Minimum Node.js is v22.x LTS
  • [BREAKING] Rename branch to "main" from "master"
  • [BREAKING] Packages removed: pm2, commander, tail, serve-favicon
  • [BREAKING] bin/raneto removed as it is out of scope. Please do not use PM2 and instead use npm start, containers, systemd, etc.
  • [BREAKING] Modernizing, moving to ESModules, require => import, const/let, node: import prefix, module.exports => export, 'use strict'; etc.
  • [BREAKING] CSP (Content Security Policy) is now enforcing
  • [New] Theme redesign
  • [New] Table of Contents Link Targets (marked-gfm-heading-id)
  • [New] Multi-architecture container builds
  • [New] File-based sessions to prevent requiring login on restart
  • [Fix] Better searching (fuzzy, partial matches)
  • [Misc] Replacing underscore with lodash and sanitize-html
  • [Misc] Remove node-fetch, using native Node.js version
  • [Misc] Remove extend, explicitly declaring @​eslint/js dependency
  • [Misc] Remove hogan-express in favor of mustache-express
  • [Misc] Change "Meta information" to "metadata"
  • [Misc] Upgrading to Express v5.x
  • [Misc] Dependency upgrades
  • [Add] Container build (raneto:latest) on push to main
  • [Add] Container build (raneto:tag) on tag creation
  • [Fix] Windows support (mainline versions only)

v0.17.8

2024.02.22 / v0.17.8

  • [New] ShowOnMenu by @​mgdesign #388
  • [Misc] Upgrading to latest Node.js LTS v18.x and v20.x
  • [Misc] Linting / Prettier

v0.17.7

2024.02.21 / v0.17.7

v0.17.6

2023.11.06 / v0.17.6

  • [Misc] Dependency upgrades

Changelog

Sourced from raneto's changelog.

2025.09.15 / v0.18.0

This is a modernization refactor.

  • [BREAKING] Default port is 8080 and not 3000
  • [BREAKING] Minimum Node.js is v22.x LTS
  • [BREAKING] Rename branch to "main" from "master"
  • [BREAKING] Packages removed: pm2, commander, tail, serve-favicon
  • [BREAKING] bin/raneto removed as it is out of scope. Please do not use PM2 and instead use npm start, containers, systemd, etc.
  • [BREAKING] Modernizing, moving to ESModules, require => import, const/let, node: import prefix, module.exports => export, 'use strict'; etc.
  • [BREAKING] CSP (Content Security Policy) is now enforcing
  • [New] Theme redesign
  • [New] Table of Contents Link Targets (marked-gfm-heading-id)
  • [New] Multi-architecture container builds
  • [New] File-based sessions to prevent requiring login on restart
  • [Fix] Better searching (fuzzy, partial matches)
  • [Misc] Replacing underscore with lodash and sanitize-html
  • [Misc] Remove node-fetch, using native Node.js version
  • [Misc] Remove extend, explicitly declaring @​eslint/js dependency
  • [Misc] Remove hogan-express in favor of mustache-express
  • [Misc] Change "Meta information" to "metadata"
  • [Misc] Upgrading to Express v5.x
  • [Misc] Dependency upgrades
  • [Add] Container build (raneto:latest) on push to main
  • [Add] Container build (raneto:tag) on tag creation
  • [Fix] Windows support (mainline versions only)

2024.02.22 / v0.17.8

  • [New] ShowOnMenu by @​mgdesign #388
  • [Misc] Upgrading to latest Node.js LTS v18.x and v20.x
  • [Misc] Linting / Prettier

2024.02.21 / v0.17.7

2023.11.05 / v0.17.6

  • [Misc] Dependency upgrades

Commits
  • 9f9fb0a Release: v0.18.0
  • 5f770d1 Dependencies: Upgrading packages
  • cee03ef Fix: ESLint rules to ignore unused with underscore prefix
  • 15085ef Dependencies: Upgrading to Express v5.x
  • e04725e Edit: Linting
  • 4c47f5b Fix: ReDos vulnerability
  • 52fe5f3 Add: Multi-architecture container builds
  • 21fff58 Edit: CSP (Content Security Policy) is now enforcing
  • 844e35d Move: HISTORY.md to CHANGELOG.md
  • 5fcd18b Dependencies: Upgrading @​raneto/theme-default from v0.5.0 to v0.8.0
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

PR Type

Dependencies


Description

  • Updated raneto dependency from version 0.17.5 to 0.18.0

  • Indirect update of express from 4.18.2 to 5.1.0


Diagram Walkthrough

flowchart LR
  A["raneto 0.17.5"] -- "upgrade" --> B["raneto 0.18.0"]
  C["express 4.18.2"] -- "indirect upgrade" --> D["express 5.1.0"]
  B --> D

File Walkthrough

Relevant files
Dependencies
package.json
Upgrade raneto and express dependencies                                   

custom/package.json

  • Updated raneto dependency version from 0.17.5 to 0.18.0
  • Indirect update to express from 4.18.2 to 5.1.0 as ancestor dependency
+1/-1     

Bumps [express](https://github.com/expressjs/express) to 5.1.0 and updates ancestor dependency [raneto](https://github.com/ryanlelek/Raneto). These dependencies need to be updated together.


Updates `express` from 4.18.2 to 5.1.0
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...v5.1.0)

Updates `raneto` from 0.17.5 to 0.18.0
- [Release notes](https://github.com/ryanlelek/Raneto/releases)
- [Changelog](https://github.com/ryanlelek/Raneto/blob/main/CHANGELOG.md)
- [Commits](ryanlelek/Raneto@0.17.5...0.18.0)

---
updated-dependencies:
- dependency-name: express
  dependency-version: 5.1.0
  dependency-type: indirect
- dependency-name: raneto
  dependency-version: 0.18.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added the dependencies and javascript labels Dec 1, 2025
@sparkfabrik-ai-bot

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Missing Express Dependency

The PR title mentions bumping both express and raneto, but only raneto version is updated in package.json (from 0.17.5 to 0.18.0). The express dependency is not visible in the diff, which suggests it might be a transitive dependency through raneto. Verify that the express version is actually updated to 5.1.0 as claimed, and consider if express should be explicitly listed as a direct dependency if the application directly uses it.

"dependencies": {
  "markdown-link-validator": "github:jenkin/markdown-link-validator#feature/sparkfabrik-enhancements",
  "raneto": "0.18.0"
},
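
The verification the reviewer guide above asks for, as an added example that is not part of this PR or of either project's code: it walks an npm lockfile's `packages` map, reports every installed copy of `raneto` or `express` whose version differs from what the PR claims, and checks the Node.js v22 minimum from the raneto notes. The lockfile contents, `example-plugin`, and the function names are constructed for illustration.

```javascript
// Added example. The lockfile below is constructed for illustration
// (npm lockfileVersion 3 layout); it is not this repository's lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { raneto: "0.18.0" } },
    "node_modules/raneto": { version: "0.18.0" },
    "node_modules/express": { version: "5.1.0" },
    // A second, nested copy that the bump did not touch (constructed).
    "node_modules/example-plugin/node_modules/express": { version: "4.18.2" },
  },
};

// Every installed copy of `name`, identified by its node_modules path.
// Matching on the text after the last "node_modules/" keeps scoped
// packages such as "@scope/express" from being mistaken for "express".
function installedCopies(lock, name) {
  const marker = "node_modules/";
  return Object.entries(lock.packages || {})
    .filter(([path]) => {
      const i = path.lastIndexOf(marker);
      return i !== -1 && path.slice(i + marker.length) === name;
    })
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Compare what is installed against the versions the PR claims.
function auditBump(lock, expected) {
  const findings = [];
  for (const [name, want] of Object.entries(expected)) {
    const copies = installedCopies(lock, name);
    if (copies.length === 0) findings.push(`${name}: not in lockfile`);
    for (const c of copies) {
      if (c.version !== want) {
        findings.push(`${name}: ${c.version} at ${c.path} (expected ${want})`);
      }
    }
  }
  return findings;
}

// raneto 0.18.0 lists Node.js v22.x as its minimum.
function meetsNodeMinimum(nodeVersion, minMajor) {
  const major = Number.parseInt(nodeVersion.replace(/^v/, ""), 10);
  return Number.isInteger(major) && major >= minMajor;
}

const expected = { raneto: "0.18.0", express: "5.1.0" };
console.log(auditBump(sampleLock, expected));
console.log("Node OK:", meetsNodeMinimum(process.version, 22));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`; an empty findings array means every installed copy matches the claimed versions.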

@sparkfabrik-ai-bot

PR Code Suggestions ✨

No code suggestions found for the PR.

@paolomainardi
Member

@stickgrinder, do you have some time to test out this branch?

Copilot AI left a comment

Pull request overview

This PR updates the raneto dependency from version 0.17.5 to 0.18.0, which includes a major version upgrade to express (from 4.18.2 to 5.1.0) as a transitive dependency. The update addresses security vulnerabilities and includes breaking changes related to Node.js version requirements, Express v5 compatibility, and ESModule migration.

Key Changes:

  • Upgrade raneto to 0.18.0, which introduces breaking changes including minimum Node.js v22.x requirement and Express v5 compatibility
  • Indirect upgrade of express to 5.1.0, bringing breaking API changes and security fixes

Comment thread custom/package.json
"dependencies": {
"markdown-link-validator": "github:jenkin/markdown-link-validator#feature/sparkfabrik-enhancements",
"raneto": "0.17.5"
"raneto": "0.18.0"

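Review bot: Nothing accompanies the "raneto": "0.18.0" line to account for the breaking changes listed in the 0.18.0 release notes quoted in this PR (CSP now enforcing, default port 8080 instead of 3000, minimum Node.js v22.x), and the file walkthrough shows custom/package.json as the only change at +1/-1. Before merging, confirm that whatever /custom serves still loads under the enforced policy and that the deployment expects the new port, and consider adding an engines entry for Node.js 22 to this package.json so an older runtime is flagged at install time. Separately, the unchanged markdown-link-validator line above it references a branch name rather than a commit, so what it installs can change without any diff here; pinning it to a commit hash would make installs from this file reproducible.
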
Copilot AI Dec 2, 2025

The upgrade to raneto 0.18.0 introduces several breaking changes that require documentation: (1) Minimum Node.js version is now v22.x LTS, (2) Default port changes from 3000 to 8080, (3) Express v5 breaking changes including stricter res.status() validation. Consider adding migration notes or verifying compatibility with the current Node.js version used in this project.
