@dependabot dependabot bot commented on behalf of github Oct 7, 2025

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| jsonwebtoken | 8.5.1 | 9.0.2 |
| mysql2 | 2.3.3 | 3.15.1 |
| nodemailer | 6.10.1 | 7.0.9 |
| pm2 | 4.5.6 | 6.0.13 |
| sequelize | 5.22.5 | 6.37.7 |
| sequelize-typescript | 1.1.0 | 2.1.6 |

Updates jsonwebtoken from 8.5.1 to 9.0.2

Changelog

Sourced from jsonwebtoken's changelog.

9.0.2 - 2023-08-30

  • security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
  • refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

  • fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]auth0/node-jsonwebtoken@8345030)
  • RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]auth0/node-jsonwebtoken@ecdf6cc)
  • Key types must be valid for the signing / verification algorithm

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539
Commits
Maintainer changes

This version was pushed to npm by charlesrea, a new releaser for jsonwebtoken since your current version.


Updates mysql2 from 2.3.3 to 3.15.1

Release notes

Sourced from mysql2's releases.

v3.15.1

3.15.1 (2025-09-24)

Bug Fixes

  • typings: fix missing callback to PoolCluster.end() (#3819) (53a9bc2)

v3.15.0

3.15.0 (2025-09-16)

Features

v3.14.5

3.14.5 (2025-09-08)

Bug Fixes

v3.14.4

3.14.4 (2025-09-01)

Bug Fixes

  • stream: destroy connection when stream errors (#3769) (cc34a83)
  • stream: resume connection when stream errors or is destroyed (#3775) (9642a1e)
  • stream: fix backpressure when using TLS (#1752) (64ea4cd)

v3.14.3

3.14.3 (2025-07-29)

Bug Fixes

  • resolve parser cache collision with dual typeCast connections (#3644) (ce2ad75)

v3.14.2

3.14.2 (2025-07-10)

Bug Fixes

... (truncated)

Changelog

Sourced from mysql2's changelog.

3.15.1 (2025-09-24)

Bug Fixes

  • typings: missing callback to PoolCluster.end() (#3819) (53a9bc2)

3.15.0 (2025-09-16)

Features

3.14.5 (2025-09-08)

Bug Fixes

3.14.4 (2025-09-01)

Bug Fixes

  • destroy connection when stream errors (#3769) (cc34a83)
  • fix backpressure when using TLS (#1752) (64ea4cd)
  • stream: resume connection when stream errors or is destroyed (#3775) (9642a1e)

3.14.3 (2025-07-29)

Bug Fixes

  • resolve parser cache collision with dual typeCast connections (#3644) (ce2ad75)

3.14.2 (2025-07-10)

Bug Fixes

3.14.1 (2025-04-27)

Miscellaneous Chores

... (truncated)

Commits
  • 036f463 chore(master): release 3.15.1 (#3821)
  • 78b2aab build(deps): bump sass from 1.93.1 to 1.93.2 in /website (#3820)
  • 53a9bc2 fix(typings): missing callback to PoolCluster.end() (#3819)
  • 6bfad13 ci: resolve Promise wrapper flaky test (#3817)
  • 4449c23 build(deps): bump sass from 1.93.0 to 1.93.1 in /website (#3815)
  • 9fa7020 build(deps-dev): bump @eslint/markdown from 7.2.0 to 7.3.0 (#3812)
  • 82f7bc5 build(deps-dev): bump @typescript-eslint/eslint-plugin (#3814)
  • d7b00f8 build(deps): bump sass from 1.92.1 to 1.93.0 in /website (#3811)
  • 171a9eb build(deps-dev): bump @eslint/js from 9.35.0 to 9.36.0 (#3810)
  • ef47e49 build(deps-dev): bump @types/node from 24.5.1 to 24.5.2 (#3806)
  • Additional commits viewable in compare view

Updates nodemailer from 6.10.1 to 7.0.9

Release notes

Sourced from nodemailer's releases.

v7.0.9

7.0.9 (2025-10-07)

Bug Fixes

  • release: Trying to fix release proecess by upgrading Node version in runner (579fce4)

v7.0.8

7.0.8 (2025-10-07)

Bug Fixes

  • addressparser: flatten nested groups per RFC 5322 (8f8a77c)

v7.0.7

7.0.7 (2025-10-05)

Bug Fixes

  • addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
  • dns: add memory leak prevention for DNS cache (0240d67)
  • linter: Updated eslint and created prettier formatting task (df13b74)
  • refresh expired DNS cache on error (#1759) (ea0fc5a)
  • resolve linter errors in DNS cache tests (3b8982c)

v7.0.6

7.0.6 (2025-08-27)

Bug Fixes

  • encoder: avoid silent data loss by properly flushing trailing base64 (#1747) (01ae76f)
  • handle multiple XOAUTH2 token requests correctly (#1754) (dbe0028)
  • ReDoS vulnerability in parseDataURI and _processDataUrl (#1755) (90b3e24)

v7.0.5

7.0.5 (2025-07-07)

Bug Fixes

  • updated well known delivery service list (fa2724b)

v7.0.4

7.0.4 (2025-06-29)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

7.0.9 (2025-10-07)

Bug Fixes

  • release: Trying to fix release proecess by upgrading Node version in runner (579fce4)

7.0.8 (2025-10-07)

Bug Fixes

  • addressparser: flatten nested groups per RFC 5322 (8f8a77c)

7.0.7 (2025-10-05)

Bug Fixes

  • addressparser: Fixed addressparser handling of quoted nested email addresses (1150d99)
  • dns: add memory leak prevention for DNS cache (0240d67)
  • linter: Updated eslint and created prettier formatting task (df13b74)
  • refresh expired DNS cache on error (#1759) (ea0fc5a)
  • resolve linter errors in DNS cache tests (3b8982c)

7.0.6 (2025-08-27)

Bug Fixes

  • encoder: avoid silent data loss by properly flushing trailing base64 (#1747) (01ae76f)
  • handle multiple XOAUTH2 token requests correctly (#1754) (dbe0028)
  • ReDoS vulnerability in parseDataURI and _processDataUrl (#1755) (90b3e24)

7.0.5 (2025-07-07)

Bug Fixes

  • updated well known delivery service list (fa2724b)

7.0.4 (2025-06-29)

Bug Fixes

  • pools: Emit 'clear' once transporter is idle and all connections are closed (839e286)
  • smtp-connection: jsdoc public annotation for socket (#1741) (c45c84f)
  • well-known-services: Added AliyunQiye (bb9e6da)

7.0.3 (2025-05-08)

Bug Fixes

... (truncated)

Commits
  • 92ae1c4 chore(master): release 7.0.9 (#1769)
  • c675d9e Merge branch 'master' of github.com:nodemailer/nodemailer
  • 579fce4 fix(release): Trying to fix release proecess by upgrading Node version in runner
  • a0a4af1 chore(master): release 7.0.8 (#1768)
  • 378d01a chore: upgrade release-please action to v4
  • e1f40ee test(addressparser): add comprehensive edge case tests
  • 6219754 chore: exclude CHANGELOG.md from prettier formatting
  • 8f8a77c fix(addressparser): flatten nested groups per RFC 5322
  • ce120a3 chore: migrate npm publishing to trusted publishers with OIDC
  • 9357a71 chore(master): release 7.0.7 [skip-ci] (#1761)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nodemailer since your current version.


Updates pm2 from 4.5.6 to 6.0.13

Release notes

Sourced from pm2's releases.

v6.0.13

  • fix blessed dep

v6.0.12

  • #6037 Drop npm-shrinkwrap in favor of fixed dependencies versions
  • #5577 fix pm2 monit crash

v6.0.11

  • #6034 replace package-lock.json by npm-shrinkwrap.json
  • #5915 fix allowing to update namespaced pm2 NPM module (@org/module-name)

v6.0.10

v6.0.9

6.0.9

  • updates all typescript definitions
  • upgrade github ci workflows
  • upgrade mocha dep and adapt tests
  • bump packages
  • fix:Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation #5971

v6.0.8

  • fix: package-lock update

v6.0.7

v6.0.6

v6.0.5

6.0.5

v5.4.2

5.4.1

Update websocket dependency in pm2/agent submodule

5.4.0

... (truncated)

Changelog

Sourced from pm2's changelog.

6.0.13

  • Fix blessed package import

6.0.12

  • #6037 Drop npm-shrinkwrap in favor of fixed dependencies versions
  • #5577 fix pm2 monit crash

6.0.11

  • #6034 replace package-lock.json by npm-shrinkwrap.json
  • #5915 fix allowing to update namespaced pm2 NPM module (@org/module-name)

6.0.10

6.0.9

  • updates all typescript definitions
  • upgrade github ci workflows
  • upgrade mocha dep and adapt tests
  • bump packages
  • fix:Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation #5971

6.0.8

  • fix: package-lock update

6.0.7

6.0.6

  • refactor: replace chalk with smaller alternative by @webdiscus

6.0.5

5.4.3

  • Update sub packages

... (truncated)

Commits

Updates sequelize from 5.22.5 to 6.37.7

Release notes

Sourced from sequelize's releases.

v6.37.7

6.37.7 (2025-03-28)

Bug Fixes

  • oracle: fix changeColumn SQL for BLOB to avoid implicit conversion (#17719) (5b7c801)

v6.37.6

6.37.6 (2025-03-04)

Meta

v6.37.5

6.37.5 (2024-10-25)

Bug Fixes

v6.37.4

6.37.4 (2024-10-04)

Bug Fixes

  • oracle: add support for Oracle Database 23ai (#17345) (b9e71a7)
  • oracle: validate input with TO_TIMESTAMP_TZ and TO_DATE (#17516) (5deadd2)

v6.37.3

6.37.3 (2024-04-13)

Bug Fixes

  • postgres: use schema for foreign key constrains of a table (#17099) (6aba382)

v6.37.2

6.37.2 (2024-03-29)

Bug Fixes

... (truncated)

Commits
  • 5b7c801 fix(oracle): fix changeColumn SQL for BLOB to avoid implicit conversion (#17...
  • 5623e2d ci: use ubuntu-22.04 for jobs that use Node 10 (#17724)
  • ef3bffb fix: add call for new maintainers to README (#17701)
  • fce5ad3 fix: cast numbers in DataTypes.STRING to strings (#17564)
  • 78a9733 meta: ignore mssql failures for releasing v6 (#17524)
  • 5deadd2 fix(oracle): validate input with TO_TIMESTAMP_TZ and TO_DATE (#17516)
  • b9e71a7 fix(oracle): add support for Oracle Database 23ai (#17345)
  • 6aba382 fix(postgres): use schema for foreign key constrains of a table (#17099)
  • 7c8972f fix: add readOnly to the transaction options types and docs (#17226)
  • 505467b fix(types): Add definition of returning in SaveOptions. (#16954)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by sdepold, a new releaser for sequelize since your current version.


Updates sequelize-typescript from 1.1.0 to 2.1.6

Release notes

Sourced from sequelize-typescript's releases.

v2.1.6

Bug Fixes

v2.1.5

Bug Fixes

  • deps: revert to glob@7.2.0 for sequelize@6 & node@10 compatibility (#1479) (7c8eea7)

v2.1.4

Bug Fixes

v2.1.3

What's Changed

New Contributors

Full Changelog: sequelize/sequelize-typescript@v2.1.2...v2.1.3

v2.1.2

Bug Fixes

  • use custom decorator on column have a property descriptor (#1070) (7ce03de)
  • validators: allow any values for isIn/notIn (#1124) (d25b392)

v2.1.1

Bug Fixes

  • model: adjust init method to recently introduced sequelize type changes (b60c011)

v2.1.0

Initial release with Changelog.

Bug Fixes

  • allow $set null (remove association) (#774) (ffe1c78)
  • model associations methods to reflect sequelize v6 (#888) (6b1e3ff)
  • typeof Model errors by using typeof Model generics (#900) (b865840)

... (truncated)

Changelog

Sourced from sequelize-typescript's changelog.

2.1.6 (2023-11-24)

Bug Fixes

Changelog

2.1.5 (2022-10-17)

Bug Fixes

  • deps: revert to glob@7.2.0 for sequelize@6 & node@10 compatibility (#1479) (7c8eea7)

2.1.4 (2022-10-15)

Bug Fixes

2.1.3 (2022-02-16)

Bug Fixes

2.1.2 (2022-01-03)

Bug Fixes

  • use custom decorator on column have a property descriptor (#1070) (7ce03de)
  • validators: allow any values for isIn/notIn (#1124) (d25b392)

2.1.1 (2021-10-10)

Bug Fixes

  • model: adjust init method to recently introduced sequelize type changes (b60c011)

2.1.0 (2021-02-14)

Initial release with Changelog.

Bug Fixes

  • allow $set null (remove association) (#774) (ffe1c78)
  • model associations methods to reflect sequelize v6 (#888) (6b1e3ff)

... (truncated)

Commits
  • 32e4824 chore: ignore CHANGELOG for markdownlint
  • 92c3f49 chore(release): v2.1.6
  • 5ce8afd fix: deny modifying the object prototype (#1698)
  • 837a3cc build(deps): bump vm2 from 3.9.11 to 3.9.15 (#1626)
  • 0e43d08 build(deps-dev): bump sequelize from 6.28.2 to 6.29.0 (#1597)
  • ce980e5 build(deps-dev): bump sequelize from 6.25.8 to 6.28.2 (#1590)
  • 113aa3b build(deps-dev): bump husky from 8.0.1 to 8.0.2 (#1521)
  • 1816663 build(deps-dev): bump sequelize from 6.25.5 to 6.25.8 (#1519)
  • 91eb2df build(deps-dev): bump prettier from 2.7.1 to 2.8.0 (#1518)
  • 264af5f build(deps): bump wagoid/commitlint-github-action from 5.2.2 to 5.3.0 (#1513)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) | `8.5.1` | `9.0.2` |
| [mysql2](https://github.com/sidorares/node-mysql2) | `2.3.3` | `3.15.1` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `6.10.1` | `7.0.9` |
| [pm2](https://github.com/Unitech/pm2) | `4.5.6` | `6.0.13` |
| [sequelize](https://github.com/sequelize/sequelize) | `5.22.5` | `6.37.7` |
| [sequelize-typescript](https://github.com/RobinBuschmann/sequelize-typescript) | `1.1.0` | `2.1.6` |



Updates `jsonwebtoken` from 8.5.1 to 9.0.2
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.2)

Updates `mysql2` from 2.3.3 to 3.15.1
- [Release notes](https://github.com/sidorares/node-mysql2/releases)
- [Changelog](https://github.com/sidorares/node-mysql2/blob/master/Changelog.md)
- [Commits](sidorares/node-mysql2@v2.3.3...v3.15.1)

Updates `nodemailer` from 6.10.1 to 7.0.9
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v6.10.1...v7.0.9)

Updates `pm2` from 4.5.6 to 6.0.13
- [Release notes](https://github.com/Unitech/pm2/releases)
- [Changelog](https://github.com/Unitech/pm2/blob/master/CHANGELOG.md)
- [Commits](Unitech/pm2@4.5.6...v6.0.13)

Updates `sequelize` from 5.22.5 to 6.37.7
- [Release notes](https://github.com/sequelize/sequelize/releases)
- [Changelog](https://github.com/sequelize/sequelize/blob/main/CHANGELOG.md)
- [Commits](sequelize/sequelize@v5.22.5...v6.37.7)

Updates `sequelize-typescript` from 1.1.0 to 2.1.6
- [Release notes](https://github.com/RobinBuschmann/sequelize-typescript/releases)
- [Changelog](https://github.com/sequelize/sequelize-typescript/blob/master/CHANGELOG.md)
- [Commits](sequelize/sequelize-typescript@v1.1.0...v2.1.6)

---
updated-dependencies:
- dependency-name: jsonwebtoken
  dependency-version: 9.0.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: mysql2
  dependency-version: 3.15.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: nodemailer
  dependency-version: 7.0.9
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: pm2
  dependency-version: 6.0.13
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: sequelize
  dependency-version: 6.37.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: sequelize-typescript
  dependency-version: 2.1.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Oct 7, 2025