chore(deps): bump the minor-and-patch group across 1 directory with 6 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates in the / directory:

Package	From	To
cors	2.8.5	2.8.6
dotenv	17.2.1	17.2.3
express-rate-limit	8.1.0	8.2.1
winston	3.18.3	3.19.0
@typescript-eslint/eslint-plugin	8.45.0	8.53.1

Updates cors from 2.8.5 to 2.8.6

Release notes

Sourced from cors's releases.

v2.8.6

What's Changed

• Build: Node.js@12.16 and Node.js.13.12 by @​smondal in expressjs/cors#189
• Update README.md for origin function callback parameters by @​dstudzinski in expressjs/cors#180
• Suggest passing false for disallowed domains, not erroring by @​shackpank in expressjs/cors#175
• Changed the term whitelist to allowlist in Documentation by @​jkasun in expressjs/cors#200
• Fix typo in README by @​alex-grover in expressjs/cors#207
• Added new link & website in the README by @​manjunath00 in expressjs/cors#269
• Fix functions call with extra parameter by @​LuisEGR in expressjs/cors#245
• 🐛 Fix readme status badge by @​homersimpsons in expressjs/cors#306
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/cors#321
• ci: fix errors in ci github action for node 8 by @​inigomarquinez in expressjs/cors#322
• test: improved test robustness by @​Alex-GF in expressjs/cors#320
• chore: upgrade scorecard workflow pinned action versions by @​carpasse in expressjs/cors#341
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/cors#340
• docs: remove broken link to demo site by @​dpopp07 in expressjs/cors#344
• OSSF Scorecard recommendations by @​UlisesGascon in expressjs/cors#350
• build(deps): bump github/codeql-action from 3.24.7 to 3.28.19 by @​dependabot[bot] in expressjs/cors#351
• build(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/cors#353
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot[bot] in expressjs/cors#354
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.2 by @​dependabot[bot] in expressjs/cors#355
• build(deps-dev): bump express from 4.17.1 to 4.21.2 by @​dependabot[bot] in expressjs/cors#356
• build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @​dependabot[bot] in expressjs/cors#352
• build(deps-dev): bump mocha from 9.1.1 to 9.2.2 by @​dependabot[bot] in expressjs/cors#358
• update the docs for per request config by @​jonchurch in expressjs/cors#338
• (fix): readme updated for #271 origin option for * by @​dhananjaysa92 in expressjs/cors#289
• ci: upgrade Node versions by @​UlisesGascon in expressjs/cors#359
• chore: add funding to package.json by @​bjohansebas in expressjs/cors#363
• build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 by @​dependabot[bot] in expressjs/cors#371
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/cors#370
• docs: Cleanup README by @​efekrskl in expressjs/cors#374
• chore: add node v25 by @​imangas in expressjs/cors#375
• Extend CI test matrix by @​imangas in expressjs/cors#376
• docs: simplify code examples with header comments by @​jonchurch in expressjs/cors#386
• docs: tweak intro, add note w/ browser enforcement, FAQ by @​jonchurch in expressjs/cors#385
• chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball by @​Phillip9587 in expressjs/cors#388
• Release: 2.8.6 by @​UlisesGascon in expressjs/cors#390

New Contributors

• @​smondal made their first contribution in expressjs/cors#189
• @​dstudzinski made their first contribution in expressjs/cors#180
• @​shackpank made their first contribution in expressjs/cors#175
• @​jkasun made their first contribution in expressjs/cors#200
• @​alex-grover made their first contribution in expressjs/cors#207
• @​manjunath00 made their first contribution in expressjs/cors#269
• @​LuisEGR made their first contribution in expressjs/cors#245
• @​homersimpsons made their first contribution in expressjs/cors#306
• @​inigomarquinez made their first contribution in expressjs/cors#321
• @​Alex-GF made their first contribution in expressjs/cors#320
• @​carpasse made their first contribution in expressjs/cors#341

... (truncated)

Changelog

Sourced from cors's changelog.

2.8.6 / 2026-01-22

• Improve documentation (API, context, examples...)
• Remove additional markdown files from tarball

Commits

• f00a8c1 2.8.6 (#390)
• 848e2bd chore: remove HISTORY.md and nonexistent CONTRIBUTING.md from tarball (#388)
• cf8947e docs: tweak intro, add note w/ browser enforcement, FAQ (#385)
• bbf62a5 docs: simplify code examples with header comments (#386)
• f442e77 Extend CI test matrix (#376)
• d5cf6cd ci: add support for node@25 (#375)
• 7e6f7ee docs: revamp content (#374)
• b25644c build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#370)
• f881e91 build(deps): bump github/codeql-action from 3.28.19 to 4.31.2 (#371)
• 9a9a760 chore: add funding to package.json (#363)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for cors since your current version.

Updates dotenv from 17.2.1 to 17.2.3

Changelog

Sourced from dotenv's changelog.

17.2.3 (2025-09-29)

Changed

• Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

Commits

• affe113 17.2.3
• db1ff1f changelog 🪵
• 7063f16 Merge pull request #913 from motdotla/new-tips
• 0bbe72c test against expected tips
• 017951b only run .js tests
• 39eda1f add space back
• fcc030e update tips
• b6c7a0d updated tips - as Dotenvx Radar has been renamed Dotenvx Ops
• b3c8b16 remove unnecessary call to npx
• d6e4c17 Merge pull request #912 from adjerbetian/fix/typescript-error-definition
• Additional commits viewable in compare view

Updates express-rate-limit from 8.1.0 to 8.2.1

Release notes

Sourced from express-rate-limit's releases.

v8.2.1

You can view the changelog here.

v8.2.0

You can view the changelog here.

Commits

• fe1604d 8.2.1
• b11c05b Fix: don't warn for extra config from express-slow-down (#580)
• 3734733 8.2.0
• 962d737 feat: Unknown Options validation check (#578)
• 992c15c chore(deps-dev): bump the development-dependencies group with 3 updates (#579)
• 449a28a chore(deps-dev): bump the development-dependencies group across 1 directory w...
• ceaff6f chore(deps-dev): bump @​biomejs/biome from 2.2.5 to 2.2.6 (#574)
• 4fccb9e chore(deps-dev): bump lint-staged from 16.2.4 to 16.2.5 (#573)
• b597770 Rework dependabot grouping
• 03e8336 chore(deps-dev): bump mintlify from 4.2.114 to 4.2.175 (#572)
• Additional commits viewable in compare view

Updates winston from 3.18.3 to 3.19.0

Release notes

Sourced from winston's releases.

v3.19.0

• Run npm audit fix e7ccdc4
• Don't include jest.config.js in npm package 5a63c8c
• fix: append error cause when using logger.child() (#2467) e74a7ae
• Bump rimraf from 5.0.1 to 5.0.10 (#2517) 8a956fd
• fix: ensure File transport flushes all data before emitting finish (#2594) 86c890f
• Bump actions/setup-node from 4 to 6 (#2589) 3b8be02
• Bump @​babel/core from 7.28.0 to 7.28.5 (#2591) f4c3e2c
• Bump actions/checkout from 4 to 6 (#2593) dd7906e
• chore: migrate test runner from mocha to jest (#2567) 2e9eb18

---

winstonjs/winston@v3.18.3...v3.19.0

Commits

• ed45345 3.19.0
• e7ccdc4 Run npm audit fix
• 5a63c8c Don't include jest.config.js in npm package
• e74a7ae fix: append error cause when using logger.child() (#2467)
• 8a956fd Bump rimraf from 5.0.1 to 5.0.10 (#2517)
• 86c890f fix: ensure File transport flushes all data before emitting finish (#2594)
• 3b8be02 Bump actions/setup-node from 4 to 6 (#2589)
• f4c3e2c Bump @​babel/core from 7.28.0 to 7.28.5 (#2591)
• dd7906e Bump actions/checkout from 4 to 6 (#2593)
• 2e9eb18 chore: migrate test runner from mocha to jest (#2567)
• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.45.0 to 8.53.1

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.53.1

8.53.1 (2026-01-19)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)
• utils: make RuleCreator root defaultOptions optional (#11956)

❤️ Thank You

• Cameron
• Yukihiro Hasegawa @​y-hsgw

You can read about our versioning strategy and releases on our website.

v8.53.0

8.53.0 (2026-01-12)

🚀 Features

• eslint-plugin: [no-unused-vars] add a fixer to remove unused imports (#11922)
• eslint-plugin: add rule [strict-void-return] (#9707)
• project-service: allow passing Partial<ts.server.ServerHost> to project service (#11932)

🩹 Fixes

• eslint-plugin: replace unclear "error typed" with more helpful description (#11704)
• eslint-plugin: [no-useless-default-assignment] fix false positive for parameters corresponding to a rest parameter (#11916)
• typescript-estree: forbid type-only import with both default and named specifiers (#11930)
• typescript-estree: fix syntax check for using declaration (#11910)
• typescript-estree: forbid invalid class implements (#11934)
• typescript-estree: forbid invalid "import equals" declaration (#11936)
• typescript-estree: forbid invalid extends and implements in interface declaration (#11935)

❤️ Thank You

• auvred @​auvred
• Brad Zacher @​bradzacher
• fisker Cheung @​fisker
• Josh Goldberg
• Josh Goldberg ✨
• Kirk Waiblinger
• Niki @​phaux
• Nikita
• SungHyun627 @​SungHyun627
• Will Harney @​wjhsf

You can read about our versioning strategy and releases on our website.

v8.52.0

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.53.1 (2026-01-19)

🩹 Fixes

• utils: make RuleCreator root defaultOptions optional (#11956)
• eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)

❤️ Thank You

• Cameron
• Yukihiro Hasegawa @​y-hsgw

You can read about our versioning strategy and releases on our website.

8.53.0 (2026-01-12)

🚀 Features

• eslint-plugin: add rule [strict-void-return] (#9707)
• eslint-plugin: [no-unused-vars] add a fixer to remove unused imports (#11922)

🩹 Fixes

• eslint-plugin: [no-useless-default-assignment] fix false positive for parameters corresponding to a rest parameter (#11916)
• eslint-plugin: replace unclear "error typed" with more helpful description (#11704)
• typescript-estree: forbid invalid extends and implements in interface declaration (#11935)
• typescript-estree: forbid invalid class implements (#11934)
• typescript-estree: forbid type-only import with both default and named specifiers (#11930)

❤️ Thank You

• Brad Zacher @​bradzacher
• fisker Cheung @​fisker
• Josh Goldberg
• Josh Goldberg ✨
• Kirk Waiblinger
• Niki @​phaux
• Nikita
• SungHyun627 @​SungHyun627
• Will Harney @​wjhsf

You can read about our versioning strategy and releases on our website.

8.52.0 (2026-01-05)

🚀 Features

• eslint-plugin-internal: [no-multiple-lines-of-errors] add rule (#11899)

🩹 Fixes

... (truncated)

Commits

• 9940e53 chore(release): publish 8.53.1
• e0f2a01 fix(utils): make RuleCreator root defaultOptions optional (#11956)
• 76f8ff7 fix(eslint-plugin): [consistent-indexed-object-style] skip fixer if interface...
• 3021ede chore(release): publish 8.53.0
• 722ab62 fix(eslint-plugin): [no-useless-default-assignment] fix false positive for pa...
• 92fcf3e feat(eslint-plugin): add rule [strict-void-return] (#9707)
• 3fb0381 docs(eslint-plugin): [no-useless-default-assignment] fix misformatted link (#...
• 62ee26e feat(eslint-plugin): [no-unused-vars] add a fixer to remove unused imports (#...
• c4d5a56 fix(eslint-plugin): replace unclear "error typed" with more helpful descrip...
• 3ac7735 fix(typescript-estree): forbid invalid extends and implements in interfac...
• Additional commits viewable in compare view

Updates @typescript-eslint/parser from 8.45.0 to 8.53.1

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.53.1

8.53.1 (2026-01-19)

🩹 Fixes

• eslint-plugin: [consistent-indexed-object-style] skip fixer if interface is a default export (#11951)
• utils: make RuleCreator root defaultOptions optional (#11956)

❤️ Thank You

• Cameron
• Yukihiro Hasegawa @​y-hsgw

You can read about our versioning strategy and releases on our website.

v8.53.0

8.53.0 (2026-01-12)

🚀 Features

• eslint-plugin: [no-unused-vars] add a fixer to remove unused imports (#11922)
• eslint-plugin: add rule [strict-void-return] (#9707)
• project-service: allow passing Partial<ts.server.ServerHost> to project service (#11932)

🩹 Fixes

• eslint-plugin: replace unclear "error typed" with more helpful description (#11704)
• eslint-plugin: [no-useless-default-assignment] fix false positive for parameters corresponding to a rest parameter (#11916)
• typescript-estree: forbid type-only import with both default and named specifiers (#11930)
• typescript-estree: fix syntax check for using declaration (#11910)
• typescript-estree: forbid invalid class implements (#11934)
• typescript-estree: forbid invalid "import equals" declaration (#11936)
• typescript-estree: forbid invalid extends and implements in interface declaration (#11935)

❤️ Thank You

• auvred @​auvred
• Brad Zacher @​bradzacher
• fisker Cheung @​fisker
• Josh Goldberg
• Josh Goldberg ✨
• Kirk Waiblinger
• Niki @​phaux
• Nikita
• SungHyun627 @​SungHyun627
• Will Harney @​wjhsf

You can read about our versioning strategy and releases on our website.

v8.52.0

... (truncated)

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.53.1 (2026-01-19)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.53.0 (2026-01-12)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.52.0 (2026-01-05)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.51.0 (2025-12-29)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.50.1 (2025-12-22)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.50.0 (2025-12-15)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.49.0 (2025-12-08)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.48.1 (2025-12-02)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.48.0 (2025-11-24)

... (truncated)

Commits

• 9940e53 chore(release): publish 8.53.1
• 3021ede chore(release): publish 8.53.0
• 9ddd571 chore(release): publish 8.52.0
• 95c7c73 chore: update deps to latest minor/patch (#11921)
• e4c57f5 chore(release): publish 8.51.0
• d520b88 chore(release): publish 8.50.1
• c62e858 chore(release): publish 8.50.0
• 864595a chore(release): publish 8.49.0
• 32b7e89 chore(deps): update dependency @​vitest/eslint-plugin to v1.5.1 (#11816)
• 8fe3445 chore(release): publish 8.48.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: automated, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.