build(deps): bump the npm_and_yarn group across 17 directories with 11 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /pkgs/applications/editors/rstudio directory: minimatch, tar and yaml.
Bumps the npm_and_yarn group with 1 update in the /pkgs/applications/editors/uivonim directory: picomatch.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/applications/networking/browsers/vieb directory: picomatch and flatted.
Bumps the npm_and_yarn group with 4 updates in the /pkgs/applications/networking/misc/zammad directory: minimatch, yaml, picomatch and flatted.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/applications/video/epgstation directory: file-type and multer.
Bumps the npm_and_yarn group with 1 update in the /pkgs/applications/video/mirakurun directory: picomatch.
Bumps the npm_and_yarn group with 3 updates in the /pkgs/development/compilers/emscripten directory: minimatch, picomatch and flatted.
Bumps the npm_and_yarn group with 3 updates in the /pkgs/development/python-modules/apache-airflow directory: yaml, picomatch and svgo.
Bumps the npm_and_yarn group with 1 update in the /pkgs/development/tools/yarn2nix-moretea/yarn2nix directory: minimatch.
Bumps the npm_and_yarn group with 4 updates in the /pkgs/servers/monitoring/grafana-image-renderer directory: minimatch, yaml, picomatch and flatted.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/servers/monitoring/matrix-alertmanager directory: picomatch and flatted.
Bumps the npm_and_yarn group with 5 updates in the /pkgs/servers/web-apps/hedgedoc directory:

Package	From	To
yaml	1.10.2	1.10.3
picomatch	2.3.0	2.3.2
flatted	3.2.2	3.4.2
file-type	16.5.3	21.3.2
svgo	2.6.0	2.8.2

Bumps the npm_and_yarn group with 1 update in the /pkgs/servers/web-apps/lemmy directory: serialize-javascript.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/tools/admin/meshcentral directory: picomatch and node-forge.
Bumps the npm_and_yarn group with 6 updates in the /pkgs/tools/admin/pgadmin directory:

Package	From	To
minimatch	3.0.4	3.1.5
yaml	1.10.2	1.10.3
picomatch	2.3.0	2.3.2
flatted	3.2.2	3.4.2
svgo	2.8.0	2.8.2
underscore	1.13.1	1.13.8

Bumps the npm_and_yarn group with 1 update in the /pkgs/tools/graphics/puppeteer-cli directory: minimatch.
Bumps the npm_and_yarn group with 1 update in the /pkgs/tools/misc/fx_cast directory: picomatch.

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates tar from 6.1.11 to 6.2.1

Release notes

Sourced from tar's releases.

v6.1.13

6.1.13 (2022-12-07)

Dependencies

• cc4e0dd #343 bump minipass from 3.3.6 to 4.0.0

v6.1.12

6.1.12 (2022-10-31)

Bug Fixes

• 57493ee #332 ensuring close event is emited after stream has ended (@​webark)
• b003c64 #314 replace deprecated String.prototype.substr() (#314) (@​CommanderRoot, @​lukekarrys)

Documentation

• f129929 #313 remove dead link to benchmarks (#313) (@​yetzt)
• c1faa9f add examples/explanation of using tar.t (@​isaacs)

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• bef7b1e 6.2.1
• fe8cd57 prevent extraction in excessively deep subfolders
• fe7ebfd remove security.md
• 5bc9d40 6.2.0
• fe1ef5e changelog 6.2
• e483220 get rid of npm lint stuff
• 689928a ci that works outside of npm org
• db6f539 file inference improvements for .tbr and .tgz
• 336fa8f refactor: dry and other pr comments
• eeba222 chore: lint fixes
• Additional commits viewable in compare view

Updates yaml from 1.7.2 to 1.10.3

Release notes

Sourced from yaml's releases.

v1.10.2

• prettier/prettier#10510

v1.10.1

This release backports the following non-breaking fixes made during the work on yaml@2 on top of yaml@1.10.0:

• Support for __proto__ as mapping key & anchor identifier (#192)
• Fix broken TS type for BigInt toggle
• Dump long keys properly (#195)
• When folding highly indented lines, require at least minContentWidth chars on the first line (#196)
• Fix YAML.stringify() for certain null values (#197)
• Do not break escaped chars with escaped newlines (#237, awslabs/cdk8s8)
• Set type: "module" within browser/dist/ (#208)
• Use CommonJS for the browser endpoints yaml/types & yaml/util (#208)
• Always stringify non-Node object keys using explicit notation (#218)
• Specify node type of Document.Parsed.contents (#221)
• Add missing type for CST Node.rangeAsLinePos (#222)
• Prefer literal over folded block scalar when lineWidth=0 is set (#232)
• Allow for empty lines after node props (#242)
• Update dev dependencies

v1.10.0

This will probably be the last minor release of yaml@1. I'm aiming to release yaml@2 within a few months; prereleases of that will be published using the next dist-tag on npm. Patch releases for 1.10 may still happen, if necessary.

New Features

• Use Rollup for Node.js & browser builds (#165)
  • This removes most of the internal dist/ paths from the release. If you want/need to use a class or function that is no longer public, please file an issue and we can add it to the exports.
  • Drop dependency on @babel/runtime. After this, the package has 0 runtime dependencies. 🎉
  • Add exports { Alias, Collection, Merge, Node } to 'yaml/types'
• Document Schema.createPair() & make its ctx arg optional (#157)
• Always indent top-level scalars with lines starting with document markers or % directives (#162)
• Use double-space when forcing top-level block scalar indent, for clarity (#162)
• Add getNodes(): string[] method to Anchors (#166)
• Refactor Jest config, adding tests for compiled dist/ endpoints
• Rename & refactor source files. This should have no effect on the results, but lots of stuff moved around

Improved Errors & Warnings

• Throw more helpful error when setting Pair.commentBefore incorrectly (#157)
• Better errors for bad indents (#169)
• Drop incorrect error for flow mapping keys with length > 1024 chars
• Add errors for plain scalars that start with reserved indicators
• Add more explicit errors for block scalar values with bad indents
• Enable log prints during npm start debugging

Improved TypeScript declarations

• Fix/simplify export mapping of 'yaml/types' and 'yaml/util'
• Fix types, dropping AST.{AstNode,ScalarNode,CollectionNode} (#160)
• Add missing toString() methods to AST nodes (#159)
• Add directivesEndMarker to Document type (#167)

... (truncated)

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• 4cdcde6 1.10.2
• 7c0e083 Allow for unindented comment after node props (#242)
• 8ef0157 1.10.1
• Additional commits viewable in compare view

Updates picomatch from 2.2.3 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

2.3.1

Fixed

• Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (9f241ef).

Changed

• Some documentation improvements (f81d236, 421e0e7).

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• 5467a5a 2.3.1
• 9f241ef Merge pull request #102 from micromatch/ISSUE-93_incorrect_extglob_expanding
• ac3cb66 fix: support stars in negation extglobs with expression after closing parenth...
• 719d348 Merge pull request #85 from XhmikosR/codeql
• ac74e57 Merge pull request #91 from XhmikosR/patch-1
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

2.3.1

Fixed

• Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (9f241ef).

Changed

• Some documentation improvements (f81d236, 421e0e7).

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• 5467a5a 2.3.1
• 9f241ef Merge pull request #102 from micromatch/ISSUE-93_incorrect_extglob_expanding
• ac3cb66 fix: support stars in negation extglobs with expression after closing parenth...
• 719d348 Merge pull request #85 from XhmikosR/codeql
• ac74e57 Merge pull request #91 from XhmikosR/patch-1
• Additional commits viewable in compare view

Updates flatted from 3.2.5 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates yaml from 1.10.2 to 1.10.3

Release notes

Sourced from yaml's releases.

v1.10.2

• prettier/prettier#10510

v1.10.1

This release backports the following non-breaking fixes made during the work on yaml@2 on top of yaml@1.10.0:

• Support for __proto__ as mapping key & anchor identifier (#192)
• Fix broken TS type for BigInt toggle
• Dump long keys properly (#195)
• When folding highly indented lines, require at least minContentWidth chars on the first line (#196)
• Fix YAML.stringify() for certain null values (#197)
• Do not break escaped chars with escaped newlines (#237, awslabs/cdk8s8)
• Set type: "module" within browser/dist/ (#208)
• Use CommonJS for the browser endpoints yaml/types & yaml/util (#208)
• Always stringify non-Node object keys using explicit notation (#218)
• Specify node type of Document.Parsed.contents (#221)
• Add missing type for CST Node.rangeAsLinePos (#222)
• Prefer literal over folded block scalar when lineWidth=0 is set (#232)
• Allow for empty lines after node props (#242)
• Update dev dependencies

v1.10.0

This will probably be the last minor release of yaml@1. I'm aiming to release yaml@2 within a few months; prereleases of that will be published using the next dist-tag on npm. Patch releases for 1.10 may still happen, if necessary.

New Features

• Use Rollup for Node.js & browser builds (#165)
  • This removes most of the internal dist/ paths from the release. If you want/need to use a class or function that is no longer public, please file an issue and we can add it to the exports.
  • Drop dependency on @babel/runtime. After this, the package has 0 runtime dependencies. 🎉
  • Add exports { Alias, Collection, Merge, Node } to 'yaml/types'
• Document Schema.createPair() & make its ctx arg optional (#157)
• Always indent top-level scalars with lines starting with document markers or % directives (#162)
• Use double-space when forcing top-level block scalar indent, for clarity (#162)
• Add getNodes(): string[] method to Anchors (#166)
• Refactor Jest config, adding tests for compiled dist/ endpoints
• Rename & refactor source files. This should have no effect on the results, but lots of stuff moved around

Improved Errors & Warnings

• Throw more helpful error when setting Pair.commentBefore incorrectly (#157)
• Better errors for bad indents (#169)
• Drop incorrect error for flow mapping keys with length > 1024 chars
• Add errors for plain scalars that start with reserved indicators
• Add more explicit errors for block scalar values with bad indents
• Enable log prints during npm start debugging

Improved TypeScript declarations

• Fix/simplify export mapping of 'yaml/types' and 'yaml/util'
• Fix types, dropping AST.{AstNode,ScalarNode,CollectionNode} (#160)
• Add missing toString() methods to AST nodes (#159)
• Add directivesEndMarker to Document type (#167)

... (truncated)

Commits

• cfe8f04 1.10.3
• 7abcf45 fix: Catch stack overflow during CST composition
• a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
• a5e83b0 style: Apply updates Prettier rules
• b8ddca0 chore: Refresh lockfile
• 395f892 ci: Use a different (working) submodule checkout
• 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
• 4cdcde6 1.10.2
• 7c0e083 Allow for unindented comment after node props (#242)
• 8ef0157 1.10.1
• Additional commits viewable in compare view

Updates picomatch from 2.3.0 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

2.3.1

Fixed

• Fixes bug when a pattern containing an expression after the closing parenthesis (/!(*.d).{ts,tsx}) was incorrectly converted to regexp (9f241ef).

Changed

• Some documentation improvements (f81d236, 421e0e7).

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• 5467a5a 2.3.1
• 9f241ef Merge pull request #102 from micromatch/ISSUE-93_incorrect_extglob_expanding
• ac3cb66 fix: support stars in negation extglobs with expression after closing parenth...
• 719d348 Merge pull request #85 from XhmikosR/codeql
• ac74e57 Merge pull request #91 from XhmikosR/patch-1
• Additional commits viewable in compare view

Updates flatted from 3.2.4 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates file-type from 16.5.3 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

• Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7
• Fix bound recursive BOM and ID3 detection 370ed91

---

sindresorhus/file-type@v21.3.1...v21.3.2

v21.3.1

• Fix infinite loop in ASF parser on malformed input (GHSA-5v7r-6r5c-r473) 319abf8

---

sindresorhus/file-type@v21.3.0...v21.3.1

v21.3.0

• Add support for Mach-O Universal (aka "Fat") binaries and additional architectures (#779) d223491

---

sindresorhus/file-type@v21.2.0...v21.3.0

v21.2.0

• Add support for SPSS data files (#787) 889f638
• Add support for JMP (#784) 093dba0

---

sindresorhus/file-type@v21.1.1...v21.2.0

v21.1.1

• Fix handling of partial Gunzip file (#783) 710e053

---

sindresorhus/file-type@v21.1.0...v21.1.1

v21.1.0

• Add support for .tar.gz (gunzipped tarball file) (#763) eda03a7
• Add support for Windows registry (.reg) files 0db61ec 7d2ddcf
• Add support for Windows registry hive file (.dat) (#767) f8d62be
• Fix: Handle partial unzip (#773) 7ad3a90

---

sindresorhus/file-type@v21.0.0...v21.1.0

v21.0.0

Breaking

... (truncated)

Commits

• e18028c 21.3.2
• a155cd7 Fix ZIP bomb in known-size ZIP probing
• 6954817 Harden parser more
• 370ed91 Fix bound recursive BOM and ID3 detection
• d2ecea1 Add a few more safeguards
• 41fcff5 Update readme
• a8f6934 Fix CI
• ad5857e 21.3.1
• 5d2fedf Harden parser
• 319abf8 Fix infinite loop in ASF parser on malformed input
• Additional commits viewable in compare view

Updates multer from 1.4.3 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

• chore: add node version to 25.x in CI by @​imangas in expressjs/multer#1372
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @​dependabot[bot] in expressjs/multer#1378
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/multer#1377
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @​dependabot[bot] in expressjs/multer#1376
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @​dependabot[bot] in expressjs/multer#1375
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @​dependabot[bot] in expressjs/multer#1374
• fix error/abort handling by @​ctcpip in expressjs/multer#1373
• 2.1.1 by @​UlisesGascon in expressjs/multer#1380

New Contributors

• @​imangas made their first contribution in expressjs/multer#1372
• @​dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

... (truncated)

Changelog

Sourced from multer's changelog.

2.1.1

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

2.0.2

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

2.0.1

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

2.0.0

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

1.4.5-lts.2

• Fix out-of-band error event from busboy (#1177)

1.4.5-lts.1

• No changes

1.4.4-lts.1

• Bugfix: Bump busboy to fix CVE-2022-24434 (#1097)
• Breaking: Require Node.js 10.16.0 or later (#1097)

1.4.4 - 2021-12-07

• Bugfix: Handle missing field names (#913)
• Docs: Add Vietnamese translation (#803)
• Docs: Improve Spanish translation (#948)

Commits