github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 02:48:13 -05:00
Code Issues 1.1k Packages Projects Releases 126 Wiki Activity

[PR #21844] [CLOSED] chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates #26299

New Issue
Closed
opened 2026-04-20 06:25:45 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:25:45 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21844
Author: @dependabot[bot]
Created: 2/25/2026
Status: Closed

Base: mainHead: dependabot/npm_and_yarn/npm_and_yarn-3fb5c2cb11

📝 Commits (1)

  • 6e5a3ae chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates

📊 Changes

2 files changed (+376 additions, -1062 deletions)

View changed files

📝 package-lock.json (+371 -1057)
📝 package.json (+5 -5)

📄 Description

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package From To
jspdf 4.0.0 4.2.0
svelte 5.42.2 5.53.3
minimatch 3.1.2 3.1.4
js-yaml 4.1.0 4.1.1
markdown-it 14.1.0 14.1.1
qs 6.13.0 6.14.2
tar 7.4.3 7.5.9

Updates jspdf from 4.0.0 to 4.2.0

Release notes

Sourced from jspdf's releases.

v4.2.0

This release fixes three security issues.

What's Changed

New Contributors

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0

Commits

Updates svelte from 5.42.2 to 5.53.3

Release notes

Sourced from svelte's releases.

svelte@5.53.3

Patch Changes

  • fix: render :catch of #await block with correct key (#17769)

  • chore: pin aria-query@5.3.1 (#17772)

  • fix: make string coercion consistent to toString (#17774)

svelte@5.53.2

Patch Changes

  • fix: update expressions on server deriveds (#17767)

  • fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

svelte@5.53.1

Patch Changes

  • fix: handle shadowed function names correctly (#17753)

svelte@5.53.0

Minor Changes

  • feat: allow comments in tags (#17671)

  • feat: allow error boundaries to work on the server (#17672)

Patch Changes

  • fix: use TrustedHTML to test for customizable support, where necessary (#17743)

  • fix: ensure head effects are kept in the effect tree (#17746)

  • chore: deactivate current_batch by default in unset_context (#17738)

svelte@5.52.0

Minor Changes

  • feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

  • fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

  • fix: re-run non-render-bound deriveds on the server (#17674)

svelte@5.51.5

Patch Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.3

Patch Changes

  • fix: render :catch of #await block with correct key (#17769)

  • chore: pin aria-query@5.3.1 (#17772)

  • fix: make string coercion consistent to toString (#17774)

5.53.2

Patch Changes

  • fix: update expressions on server deriveds (#17767)

  • fix: further obfuscate node:crypto import from overzealous static analysis (#17763)

5.53.1

Patch Changes

  • fix: handle shadowed function names correctly (#17753)

5.53.0

Minor Changes

  • feat: allow comments in tags (#17671)

  • feat: allow error boundaries to work on the server (#17672)

Patch Changes

  • fix: use TrustedHTML to test for customizable <select> support, where necessary (#17743)

  • fix: ensure head effects are kept in the effect tree (#17746)

  • chore: deactivate current_batch by default in unset_context (#17738)

5.52.0

Minor Changes

  • feat: support TrustedHTML in {@html} expressions (#17701)

Patch Changes

  • fix: repair dynamic component truthy/falsy hydration mismatches (#17737)

... (truncated)

Commits

Updates minimatch from 3.1.2 to 3.1.4

Commits

Updates devalue from 5.1.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

  • ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

  • 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

  • b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

  • ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.


Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

  • Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.
Commits

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

  • [Robustness] avoid .push, use void
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [actions] fix rebase workflow permissions

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup

... (truncated)

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates tar from 7.4.3 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21844 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 2/25/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/npm_and_yarn-3fb5c2cb11` --- ### 📝 Commits (1) - [`6e5a3ae`](https://github.com/open-webui/open-webui/commit/6e5a3ae3d1dff5b2e58cc30b3313389bc0ab211e) chore(deps): bump the npm_and_yarn group across 1 directory with 8 updates ### 📊 Changes **2 files changed** (+376 additions, -1062 deletions) <details> <summary>View changed files</summary> 📝 `package-lock.json` (+371 -1057) 📝 `package.json` (+5 -5) </details> ### 📄 Description Bumps the npm_and_yarn group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [jspdf](https://github.com/parallax/jsPDF) | `4.0.0` | `4.2.0` | | [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.42.2` | `5.53.3` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.4` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.1.1` | | [qs](https://github.com/ljharb/qs) | `6.13.0` | `6.14.2` | | [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.9` | Updates `jspdf` from 4.0.0 to 4.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/parallax/jsPDF/releases">jspdf's releases</a>.</em></p> <blockquote> <h2>v4.2.0</h2> <p>This release fixes three security issues.</p> <h2>What's Changed</h2> <ul> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m">PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children)</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj">Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp">PDF Object Injection via Unsanitized Input in addJS Method</a> vulnerability.</li> <li>Add &quot;default&quot; property to export section in package.json by <a href="https://github.com/stefan-schweiger"><code>@​stefan-schweiger</code></a> in <a href="https://redirect.github.com/parallax/jsPDF/pull/3953">parallax/jsPDF#3953</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/stefan-schweiger"><code>@​stefan-schweiger</code></a> made their first contribution in <a href="https://redirect.github.com/parallax/jsPDF/pull/3953">parallax/jsPDF#3953</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0">https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0</a></p> <h2>v4.1.0</h2> <p>This release fixes several security issues.</p> <h2>What's Changed</h2> <ul> <li>Upgrade optional dompurify dependency to 3.3.1 in <a href="https://redirect.github.com/parallax/jsPDF/pull/3948">parallax/jsPDF#3948</a></li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328">PDF Injection in AcroForm module allows Arbitrary JavaScript Execution</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422">Stored XMP Metadata Injection (Spoofing &amp; Integrity Violation)</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4">Shared State Race Condition in addJS Method</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c">Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder</a> vulnerability</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0">https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/parallax/jsPDF/commit/7af912cadaf0f9a2ad28afe7af53033a2c61de64"><code>7af912c</code></a> 4.2.0</li> <li><a href="https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437"><code>56b46d4</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6"><code>2e5e156</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/71ad2dbfa6c7c189ab42b855b782620fa8a38375"><code>71ad2db</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/885a7778070d500887c9a5d2b02b55460009a9d0"><code>885a777</code></a> fix: upgrade <code>@​babel/runtime</code> from 7.28.4 to 7.28.6 (<a href="https://redirect.github.com/parallax/jsPDF/issues/3954">#3954</a>)</li> <li><a href="https://github.com/parallax/jsPDF/commit/3b92c7da6b3218e63a4f0c98bb9c4ddaba29eb06"><code>3b92c7d</code></a> Add default export to package.json (<a href="https://redirect.github.com/parallax/jsPDF/issues/3953">#3953</a>)</li> <li><a href="https://github.com/parallax/jsPDF/commit/02273814bf0222eda02944f9a14128811f3b5a33"><code>0227381</code></a> 4.1.0</li> <li><a href="https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d"><code>ae4b93f</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e"><code>2863e5c</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff"><code>efe54bf</code></a> Merge commit from fork</li> <li>Additional commits viewable in <a href="https://github.com/parallax/jsPDF/compare/v4.0.0...v4.2.0">compare view</a></li> </ul> </details> <br /> Updates `svelte` from 5.42.2 to 5.53.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/svelte/releases">svelte's releases</a>.</em></p> <blockquote> <h2>svelte@5.53.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: render <code>:catch</code> of <code>#await</code> block with correct key (<a href="https://redirect.github.com/sveltejs/svelte/pull/17769">#17769</a>)</p> </li> <li> <p>chore: pin aria-query@5.3.1 (<a href="https://redirect.github.com/sveltejs/svelte/pull/17772">#17772</a>)</p> </li> <li> <p>fix: make string coercion consistent to <code>toString</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17774">#17774</a>)</p> </li> </ul> <h2>svelte@5.53.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: update expressions on server deriveds (<a href="https://redirect.github.com/sveltejs/svelte/pull/17767">#17767</a>)</p> </li> <li> <p>fix: further obfuscate <code>node:crypto</code> import from overzealous static analysis (<a href="https://redirect.github.com/sveltejs/svelte/pull/17763">#17763</a>)</p> </li> </ul> <h2>svelte@5.53.1</h2> <h3>Patch Changes</h3> <ul> <li>fix: handle shadowed function names correctly (<a href="https://redirect.github.com/sveltejs/svelte/pull/17753">#17753</a>)</li> </ul> <h2>svelte@5.53.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>feat: allow comments in tags (<a href="https://redirect.github.com/sveltejs/svelte/pull/17671">#17671</a>)</p> </li> <li> <p>feat: allow error boundaries to work on the server (<a href="https://redirect.github.com/sveltejs/svelte/pull/17672">#17672</a>)</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: use TrustedHTML to test for customizable <!-- raw HTML omitted --> support, where necessary (<a href="https://redirect.github.com/sveltejs/svelte/pull/17743">#17743</a>)</p> </li> <li> <p>fix: ensure head effects are kept in the effect tree (<a href="https://redirect.github.com/sveltejs/svelte/pull/17746">#17746</a>)</p> </li> <li> <p>chore: deactivate current_batch by default in unset_context (<a href="https://redirect.github.com/sveltejs/svelte/pull/17738">#17738</a>)</p> </li> </ul> <h2>svelte@5.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: support TrustedHTML in <code>{@html}</code> expressions (<a href="https://redirect.github.com/sveltejs/svelte/pull/17701">#17701</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: repair dynamic component truthy/falsy hydration mismatches (<a href="https://redirect.github.com/sveltejs/svelte/pull/17737">#17737</a>)</p> </li> <li> <p>fix: re-run non-render-bound deriveds on the server (<a href="https://redirect.github.com/sveltejs/svelte/pull/17674">#17674</a>)</p> </li> </ul> <h2>svelte@5.51.5</h2> <h3>Patch Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md">svelte's changelog</a>.</em></p> <blockquote> <h2>5.53.3</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: render <code>:catch</code> of <code>#await</code> block with correct key (<a href="https://redirect.github.com/sveltejs/svelte/pull/17769">#17769</a>)</p> </li> <li> <p>chore: pin aria-query@5.3.1 (<a href="https://redirect.github.com/sveltejs/svelte/pull/17772">#17772</a>)</p> </li> <li> <p>fix: make string coercion consistent to <code>toString</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17774">#17774</a>)</p> </li> </ul> <h2>5.53.2</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: update expressions on server deriveds (<a href="https://redirect.github.com/sveltejs/svelte/pull/17767">#17767</a>)</p> </li> <li> <p>fix: further obfuscate <code>node:crypto</code> import from overzealous static analysis (<a href="https://redirect.github.com/sveltejs/svelte/pull/17763">#17763</a>)</p> </li> </ul> <h2>5.53.1</h2> <h3>Patch Changes</h3> <ul> <li>fix: handle shadowed function names correctly (<a href="https://redirect.github.com/sveltejs/svelte/pull/17753">#17753</a>)</li> </ul> <h2>5.53.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>feat: allow comments in tags (<a href="https://redirect.github.com/sveltejs/svelte/pull/17671">#17671</a>)</p> </li> <li> <p>feat: allow error boundaries to work on the server (<a href="https://redirect.github.com/sveltejs/svelte/pull/17672">#17672</a>)</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li> <p>fix: use TrustedHTML to test for customizable <code>&lt;select&gt;</code> support, where necessary (<a href="https://redirect.github.com/sveltejs/svelte/pull/17743">#17743</a>)</p> </li> <li> <p>fix: ensure head effects are kept in the effect tree (<a href="https://redirect.github.com/sveltejs/svelte/pull/17746">#17746</a>)</p> </li> <li> <p>chore: deactivate current_batch by default in unset_context (<a href="https://redirect.github.com/sveltejs/svelte/pull/17738">#17738</a>)</p> </li> </ul> <h2>5.52.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: support TrustedHTML in <code>{@html}</code> expressions (<a href="https://redirect.github.com/sveltejs/svelte/pull/17701">#17701</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li>fix: repair dynamic component truthy/falsy hydration mismatches (<a href="https://redirect.github.com/sveltejs/svelte/pull/17737">#17737</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/svelte/commit/97f3ac557158dd7754264dfe735ed83c2ce95e1f"><code>97f3ac5</code></a> Version Packages (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17775">#17775</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/7deedc5bb4fd6d0f033d00fa9741c7141fffd730"><code>7deedc5</code></a> fix: render <code>:catch</code> of <code>#await</code> block with correct key (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17769">#17769</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/f67d03df5b49e7c9c2e65ec66739f30c9d3d403a"><code>f67d03d</code></a> fix: make string coercion consistent to <code>toString</code> (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17774">#17774</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/4e29eee4b008588d90df36fb519a126e14529852"><code>4e29eee</code></a> chore: pin aria-query@5.3.1 (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17772">#17772</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/69e6c4cdbb872b0863809fd0778e59d710ad3de3"><code>69e6c4c</code></a> Version Packages (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17768">#17768</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/d75d1f7dbb6b943d8ab672d7ac2a5bf2c3ccd53a"><code>d75d1f7</code></a> fix: further obfuscate <code>node:crypto</code> import from overzealous static analysis ...</li> <li><a href="https://github.com/sveltejs/svelte/commit/6aa7b9c64a14a1e5f97510d7801c9d6173cb48e3"><code>6aa7b9c</code></a> fix: update expressions on server deriveds (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17767">#17767</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/d258f8523599ca1f56bc7698dc915918cfb5ea7f"><code>d258f85</code></a> Version Packages (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17755">#17755</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/0c7f815143c878d4c2819e45e5f2992da1209f63"><code>0c7f815</code></a> fix: handle shadowed function names correctly (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17753">#17753</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/7106da4dd292d1fd3e323ff3b4eddee52942dbc9"><code>7106da4</code></a> chore: fix changelog (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17754">#17754</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/svelte/commits/svelte@5.53.3/packages/svelte">compare view</a></li> </ul> </details> <br /> Updates `minimatch` from 3.1.2 to 3.1.4 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/isaacs/minimatch/commit/1a2e084af579731af66c221214e3ca8222c9bf23"><code>1a2e084</code></a> 3.1.4</li> <li><a href="https://github.com/isaacs/minimatch/commit/ae24656237c3d58067442f790ce17eff84463a47"><code>ae24656</code></a> update lockfile</li> <li><a href="https://github.com/isaacs/minimatch/commit/b1003749228b2a79e1f237963a0d559ef7a0941e"><code>b100374</code></a> limit recursion for **, improve perf considerably</li> <li><a href="https://github.com/isaacs/minimatch/commit/26ffeaa091b9f660833e23f42e07165b33e85c13"><code>26ffeaa</code></a> lockfile update</li> <li><a href="https://github.com/isaacs/minimatch/commit/9eca892a4e5dbb20534f9f30483b85cdeee6c2eb"><code>9eca892</code></a> lock node version to 14</li> <li><a href="https://github.com/isaacs/minimatch/commit/00c323b188b704e5d4bc534ecec2268cfa70a32a"><code>00c323b</code></a> 3.1.3</li> <li><a href="https://github.com/isaacs/minimatch/commit/30486b2048929264f44d18822891cfffa02af78b"><code>30486b2</code></a> update CI matrix and actions</li> <li><a href="https://github.com/isaacs/minimatch/commit/9c31b2d4e0af72a6c2d2d62c5dbc2247da669802"><code>9c31b2d</code></a> update test expectations for coalesced consecutive stars</li> <li><a href="https://github.com/isaacs/minimatch/commit/46fe687857cf02f6cf45469cc593b97e11b10c96"><code>46fe687</code></a> coalesce consecutive non-globstar * characters</li> <li><a href="https://github.com/isaacs/minimatch/commit/5a9ccbda64befc5d94b965534dbea2853c92aebd"><code>5a9ccbd</code></a> [meta] update publishConfig.tag to legacy-v3</li> <li>See full diff in <a href="https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.4">compare view</a></li> </ul> </details> <br /> Updates `devalue` from 5.1.1 to 5.6.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/devalue/releases">devalue's releases</a>.</em></p> <blockquote> <h2>v5.6.3</h2> <h3>Patch Changes</h3> <ul> <li>0f04d4d: fix: Properly handle <code>__proto__</code></li> <li>819f1ac: fix: better encoding for sparse arrays</li> </ul> <h2>v5.6.2</h2> <h3>Patch Changes</h3> <ul> <li>1175584: fix: validate input for <code>ArrayBuffer</code> parsing</li> <li>e46afa6: fix: validate input for typed arrays</li> <li>1175584: fix: more helpful errors for inputs causing stack overflows</li> </ul> <h2>v5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>2161d44: fix: add hasOwn check before calling reviver</li> </ul> <h2>v5.6.0</h2> <h3>Minor Changes</h3> <ul> <li>a3d09d4: feat: expose <code>DevalueError</code> for <code>instanceof</code> checks in <code>catch</code> clauses</li> <li>a3d09d4: feat: add <code>value</code> and <code>root</code> properties in <code>DevalueError</code> instances</li> </ul> <h2>v5.5.0</h2> <h3>Minor Changes</h3> <ul> <li>828fa1c: Enable support for custom reducer/reviver for &quot;function&quot; values</li> </ul> <h2>v5.4.2</h2> <h3>Patch Changes</h3> <ul> <li>5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers</li> </ul> <h2>v5.4.1</h2> <h3>Patch Changes</h3> <ul> <li>ca3c7b6: chore: Remove impossible <code>void</code> type from replacer's <code>uneval</code></li> </ul> <h2>v5.4.0</h2> <h3>Minor Changes</h3> <ul> <li>9306d09: feat: pass <code>uneval</code> to replacer, for handling nested custom types</li> </ul> <h3>Patch Changes</h3> <ul> <li>b617c7c: perf: shrink <code>uneval</code> output with null-proto objects</li> </ul> <h2>v5.3.2</h2> <h3>Patch Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md">devalue's changelog</a>.</em></p> <blockquote> <h2>5.6.3</h2> <h3>Patch Changes</h3> <ul> <li>0f04d4d: fix: Properly handle <code>__proto__</code></li> <li>819f1ac: fix: better encoding for sparse arrays</li> </ul> <h2>5.6.2</h2> <h3>Patch Changes</h3> <ul> <li>1175584: fix: validate input for <code>ArrayBuffer</code> parsing</li> <li>e46afa6: fix: validate input for typed arrays</li> <li>1175584: fix: more helpful errors for inputs causing stack overflows</li> </ul> <h2>5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>2161d44: fix: add hasOwn check before calling reviver</li> </ul> <h2>5.6.0</h2> <h3>Minor Changes</h3> <ul> <li>a3d09d4: feat: expose <code>DevalueError</code> for <code>instanceof</code> checks in <code>catch</code> clauses</li> <li>a3d09d4: feat: add <code>value</code> and <code>root</code> properties in <code>DevalueError</code> instances</li> </ul> <h2>5.5.0</h2> <h3>Minor Changes</h3> <ul> <li>828fa1c: Enable support for custom reducer/reviver for &quot;function&quot; values</li> </ul> <h2>5.4.2</h2> <h3>Patch Changes</h3> <ul> <li>5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers</li> </ul> <h2>5.4.1</h2> <h3>Patch Changes</h3> <ul> <li>ca3c7b6: chore: Remove impossible <code>void</code> type from replacer's <code>uneval</code></li> </ul> <h2>5.4.0</h2> <h3>Minor Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/devalue/commit/a4a37d208a4d1bdd0d58c82e5644c87cab855259"><code>a4a37d2</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/132">#132</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/819f1ac7475ab37547645cfb09bf2f678a799cf0"><code>819f1ac</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/0f04d4d678eac39ad5d7a07d1956275d7874e81c"><code>0f04d4d</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/fcf4e88275f2e2e45b9ea70ffaa5247c8f55f057"><code>fcf4e88</code></a> fix tests</li> <li><a href="https://github.com/sveltejs/devalue/commit/1d8a5ea5863bcd9992755ce5a3842265753cb4ab"><code>1d8a5ea</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/131">#131</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4"><code>1175584</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7"><code>e46afa6</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/5e07a67eda945b3ac2ebac26b18863beabee7357"><code>5e07a67</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/129">#129</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/aa096040e21a17c628dabea4bcb9d2d4f4542366"><code>aa09604</code></a> Bump js-yaml from 3.14.1 to 3.14.2 (<a href="https://redirect.github.com/sveltejs/devalue/issues/125">#125</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/2161d4490aa66e4b120cfa9521874b6f857319dd"><code>2161d44</code></a> fix: add hasOwn check before calling reviver (<a href="https://redirect.github.com/sveltejs/devalue/issues/128">#128</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/devalue/compare/v5.1.1...v5.6.3">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for devalue since your current version.</p> </details> <br /> Updates `js-yaml` from 4.1.0 to 4.1.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (&lt;&lt;) operator.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/cc482e775913e6625137572a3712d2826170e53a"><code>cc482e7</code></a> 4.1.1 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/50968b862e75866ef90e626572fe0b2f97b55f9f"><code>50968b8</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/d092d866031751cb27c12d93f3e2470ad74d678b"><code>d092d86</code></a> lint fix</li> <li><a href="https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"><code>383665f</code></a> fix prototype pollution in merge (&lt;&lt;)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/0d3ca7a27b03a6c974790a30a89e456007d62976"><code>0d3ca7a</code></a> README.md: HTTP =&gt; HTTPS (<a href="https://redirect.github.com/nodeca/js-yaml/issues/678">#678</a>)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/49baadd52af887d2991e2c39a6639baa56d6c71b"><code>49baadd</code></a> doc: 'empty' style option for !!null</li> <li><a href="https://github.com/nodeca/js-yaml/commit/ba3460eb9d3e4478edcbc29edabe17c2157fc9ce"><code>ba3460e</code></a> Fix demo link (<a href="https://redirect.github.com/nodeca/js-yaml/issues/618">#618</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1">compare view</a></li> </ul> </details> <br /> Updates `markdown-it` from 14.1.0 to 14.1.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md">markdown-it's changelog</a>.</em></p> <blockquote> <h2>[14.1.1] - 2026-01-11</h2> <h3>Security</h3> <ul> <li>Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to <a href="https://github.com/ltduc147"><code>@​ltduc147</code></a> for report.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/markdown-it/markdown-it/commit/b4a9b659ef5734223731cfaa3ad5eacc6fc22918"><code>b4a9b65</code></a> 14.1.1 released</li> <li><a href="https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26"><code>4b4bbca</code></a> Fixed perf regression in linkify-it wrapper</li> <li><a href="https://github.com/markdown-it/markdown-it/commit/d2782d892a51201b25d3eeab172201ad5a53a24c"><code>d2782d8</code></a> Add supplementary example-driven documentation (<a href="https://redirect.github.com/markdown-it/markdown-it/issues/1092">#1092</a>)</li> <li>See full diff in <a href="https://github.com/markdown-it/markdown-it/compare/14.1.0...14.1.1">compare view</a></li> </ul> </details> <br /> Updates `qs` from 6.13.0 to 6.14.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.2</strong></h2> <ul> <li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href="https://redirect.github.com/ljharb/qs/issues/546">#546</a>)</li> <li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li> <li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href="https://redirect.github.com/ljharb/qs/issues/529">#529</a>)</li> <li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href="https://redirect.github.com/ljharb/qs/issues/545">#545</a>)</li> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>[actions] fix rebase workflow permissions</li> </ul> <h2><strong>6.14.1</strong></h2> <ul> <li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li> <li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li> <li>[Refactor] <code>parse</code>: extract key segment splitting helper</li> <li>[meta] add threat model</li> <li>[actions] add workflow permissions</li> <li>[Tests] <code>stringify</code>: increase coverage</li> <li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li> </ul> <h2><strong>6.14.0</strong></h2> <ul> <li>[New] <code>parse</code>: add <code>throwOnParameterLimitExceeded</code> option (<a href="https://redirect.github.com/ljharb/qs/issues/517">#517</a>)</li> <li>[Refactor] <code>parse</code>: use <code>utils.combine</code> more</li> <li>[patch] <code>parse</code>: add explicit <code>throwOnLimitExceeded</code> default</li> <li>[actions] use shared action; re-add finishers</li> <li>[meta] Fix changelog formatting bug</li> <li>[Deps] update <code>side-channel</code></li> <li>[Dev Deps] update <code>es-value-fixtures</code>, <code>has-bigints</code>, <code>has-proto</code>, <code>has-symbols</code></li> <li>[Tests] increase coverage</li> </ul> <h2><strong>6.13.3</strong></h2> <p>[Fix] fix regressions from robustness refactor [actions] update reusable workflows</p> <h2><strong>6.13.2</strong></h2> <ul> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[actions] fix rebase workflow permissions</li> </ul> <h2><strong>6.13.1</strong></h2> <ul> <li>[Fix] <code>stringify</code>: avoid a crash when a <code>filter</code> key is <code>null</code></li> <li>[Fix] <code>utils.merge</code>: functions should not be stringified into keys</li> <li>[Fix] <code>parse</code>: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset</li> <li>[Fix] <code>stringify</code>: ensure a non-string <code>filter</code> does not crash</li> <li>[Refactor] use <code>__proto__</code> syntax instead of <code>Object.create</code> for null objects</li> <li>[Refactor] misc cleanup</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/bdcf0c7f82387c18ac8fabfccd2f440645cef47b"><code>bdcf0c7</code></a> v6.14.2</li> <li><a href="https://github.com/ljharb/qs/commit/294db90c812ddbe7d7a35d5687c505fd21a2d6a2"><code>294db90</code></a> [readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output</li> <li><a href="https://github.com/ljharb/qs/commit/5c308e5516c270a78caa6f278465914090f91ec6"><code>5c308e5</code></a> [readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation</li> <li><a href="https://github.com/ljharb/qs/commit/6addf8cf738d529c54d91f6f3ffb6c1be91bbfdc"><code>6addf8c</code></a> [Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code></li> <li><a href="https://github.com/ljharb/qs/commit/cfc108f662326d6ab540f3545ef0b832baf83cdf"><code>cfc108f</code></a> [Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/`pars...</li> <li><a href="https://github.com/ljharb/qs/commit/febb64442a80e49200211fa38d3c96b58024ac77"><code>febb644</code></a> [Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when `thr...</li> <li><a href="https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482"><code>f6a7abf</code></a> [Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li><a href="https://github.com/ljharb/qs/commit/fbc5206c25b4d1851cea683f02c10756c521d15a"><code>fbc5206</code></a> [Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove e...</li> <li><a href="https://github.com/ljharb/qs/commit/1b9a8b4e78c6aff4c22fa559107227f02fd0216a"><code>1b9a8b4</code></a> [actions] fix rebase workflow permissions</li> <li><a href="https://github.com/ljharb/qs/commit/2a35775614e0fb46ac8a3060201a32a7c23a7fda"><code>2a35775</code></a> [meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.13.0...v6.14.2">compare view</a></li> </ul> </details> <br /> Updates `tar` from 7.4.3 to 7.5.9 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md">tar's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>7.5</h2> <ul> <li>Added <code>zstd</code> compression support.</li> <li>Consistent TOCTOU behavior in sync t.list</li> <li>Only read from ustar block if not specified in Pax</li> <li>Fix sync tar.list when file size reduces while reading</li> <li>Sanitize absolute linkpaths properly</li> <li>Prevent writing hardlink entries to the archive ahead of their file target</li> </ul> <h2>7.4</h2> <ul> <li>Deprecate <code>onentry</code> in favor of <code>onReadEntry</code> for clarity.</li> </ul> <h2>7.3</h2> <ul> <li>Add <code>onWriteEntry</code> option</li> </ul> <h2>7.2</h2> <ul> <li>DRY the command definitions into a single <code>makeCommand</code> method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.</li> </ul> <h2>7.1</h2> <ul> <li>Update minipass to v7.1.0</li> <li>Update the type definitions of <code>write()</code> and <code>end()</code> methods on <code>Unpack</code> and <code>Parser</code> classes to be compatible with the NodeJS.WritableStream type in the latest versions of <code>@types/node</code>.</li> </ul> <h2>7.0</h2> <ul> <li>Drop support for node &lt;18</li> <li>Rewrite in TypeScript, provide ESM and CommonJS hybrid interface</li> <li>Add tree-shake friendly exports, like <code>import('tar/create')</code> and <code>import('tar/read-entry')</code> to get individual functions or classes.</li> <li>Add <code>chmod</code> option that defaults to false, and deprecate <code>noChmod</code>. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.</li> <li>Add <code>processUmask</code> option to avoid having to call <code>process.umask()</code> when <code>chmod: true</code> (or <code>noChmod: false</code>) is set.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/isaacs/node-tar/commit/1f0c2c9006b10199cf2686f8ef43e79a1773e1aa"><code>1f0c2c9</code></a> 7.5.9</li> <li><a href="https://github.com/isaacs/node-tar/commit/fbb08518bf290733b68ca4d4135f75becf73fd75"><code>fbb0851</code></a> build minified version as default export</li> <li><a href="https://github.com/isaacs/node-tar/commit/6b8eba0ef367ac937e703238daa6df94ae6f823f"><code>6b8eba0</code></a> 7.5.8</li> <li><a href="https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384"><code>2cb1120</code></a> fix(unpack): improve UnpackSync symlink error &quot;into&quot; path accuracy</li> <li><a href="https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f"><code>d18e4e1</code></a> fix: do not write linkpaths through symlinks</li> <li><a href="https://github.com/isaacs/node-tar/commit/4a37eb9a1cf1137df4eb70c5c7f849f412ff3cdb"><code>4a37eb9</code></a> 7.5.7</li> <li><a href="https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46"><code>f4a7aa9</code></a> fix: properly sanitize hard links containing ..</li> <li><a href="https://github.com/isaacs/node-tar/commit/394ece6ad8d81742a4e4058af227c616cd947a25"><code>394ece6</code></a> 7.5.6</li> <li><a href="https://github.com/isaacs/node-tar/commit/7d4cc17c76f6bd11dcd83de47187dc6dff206eee"><code>7d4cc17</code></a> fix race puting a Link ahead of its target File</li> <li><a href="https://github.com/isaacs/node-tar/commit/26ab90474e642cf00d84a05bcdc2eaf2a19f1581"><code>26ab904</code></a> 7.5.5</li> <li>Additional commits viewable in <a href="https://github.com/isaacs/node-tar/compare/v7.4.3...v7.5.9">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar since your current version.</p> </details> <details> <summary>Install script changes</summary> <p>This version adds <code>prepare</code> script that runs during installation. Review the package contents before updating.</p> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/open-webui/open-webui/network/alerts). </details> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:25:45 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#26299
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?