[PR #22872] [CLOSED] chore(deps): bump the npm_and_yarn group across 1 directory with 15 updates #42530

Closed
opened 2026-04-25 14:24:09 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22872
Author: @dependabot[bot]
Created: 3/20/2026
Status: Closed

Base: mainHead: dependabot/npm_and_yarn/npm_and_yarn-41f0952b8d


📝 Commits (1)

  • 34a4800 chore(deps): bump the npm_and_yarn group across 1 directory with 15 updates

📊 Changes

2 files changed (+597 additions, -702 deletions)

View changed files

📝 package-lock.json (+590 -695)
📝 package.json (+7 -7)

📄 Description

Bumps the npm_and_yarn group with 14 updates in the / directory:

Package From To
dompurify 3.2.6 3.3.3
jspdf 4.0.0 4.2.1
undici 7.11.0 7.24.5
undici 6.21.2 6.24.1
svelte 5.42.2 5.54.0
minimatch 3.1.2 3.1.5
flatted 3.3.1 3.4.2
immutable 5.0.3 5.1.5
js-yaml 4.1.0 4.1.1
markdown-it 14.1.0 14.1.1
qs 6.13.0 6.14.2
rollup 4.22.4 4.59.0
socket.io-parser 4.2.4 4.2.6
tar 7.4.3 7.5.11
underscore 1.13.7 1.13.8

Updates dompurify from 3.2.6 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

  • Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

  • Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

  • Added new attributes and elements to default allow-list, thanks @​elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
  • Added better check for animated href attributes, thanks @​llamakko
  • Updated and improved the bundled types, thanks @​ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq
Commits
  • 8bcbf73 chore: Preparing 3.3.3 release
  • 5faddd6 fix: engine requirement (#1210)
  • 0f91e3a Update README.md
  • d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
  • c3efd48 fix: moved back from jsdom 28 to jsdom 20
  • 988b888 fix: moved back from jsdom 28 to jsdom 20
  • 2726c74 chore: Preparing 3.3.2 release
  • 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
  • 302b51d fix: Expanded the regex ever so slightly to also cover script
  • cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
  • Additional commits viewable in compare view

Updates jspdf from 4.0.0 to 4.2.1

Release notes

Sourced from jspdf's releases.

v4.2.1

This release fixes two security issues.

What's Changed

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.2.0...v4.2.1

v4.2.0

This release fixes three security issues.

What's Changed

New Contributors

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0

Commits

Updates undici from 7.11.0 to 7.24.5

Release notes

Sourced from undici's releases.

v7.24.5

What's Changed

New Contributors

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5

v7.24.4

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4

v7.24.3

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3

v7.24.2

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2

v7.24.1

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.


Updates undici from 6.21.2 to 6.24.1

Release notes

Sourced from undici's releases.

v7.24.5

What's Changed

New Contributors

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5

v7.24.4

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4

v7.24.3

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3

v7.24.2

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2

v7.24.1

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.


Updates svelte from 5.42.2 to 5.54.0

Release notes

Sourced from svelte's releases.

svelte@5.54.0

Minor Changes

  • feat: allow css, runes, customElement compiler options to be functions (#17951)

Patch Changes

  • fix: reinstate reactivity loss tracking (#17801)

svelte@5.53.13

Patch Changes

  • fix: ensure $inspect after top level await doesn't break builds (#17943)

  • fix: resume inert effects when they come from offscreen (#17942)

  • fix: don't eagerly access not-yet-initialized functions in template (#17938)

  • fix: discard batches made obsolete by commit (#17934)

  • fix: ensure "is standalone child" is correctly reset (#17944)

  • fix: remove nodes in boundary when work is pending and HMR is active (#17932)

svelte@5.53.12

Patch Changes

  • fix: update select.__value on change (#17745)

  • chore: add invariant helper for debugging (#17929)

  • fix: ensure deriveds values are correct across batches (#17917)

  • fix: handle async RHS in assignment_value_stale (#17925)

  • fix: avoid traversing clean roots (#17928)

svelte@5.53.11

Patch Changes

  • fix: remove untrack circular dependency (#17910)

  • fix: recover from errors that leave a corrupted effect tree (#17888)

  • fix: properly lazily evaluate RHS when checking for assignment_value_stale (#17906)

  • fix: resolve boundary in correct batch when hydrating (#17914)

  • chore: rebase batches after process, not during (#17900)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.54.0

Minor Changes

  • feat: allow css, runes, customElement compiler options to be functions (#17951)

Patch Changes

  • fix: reinstate reactivity loss tracking (#17801)

5.53.13

Patch Changes

  • fix: ensure $inspect after top level await doesn't break builds (#17943)

  • fix: resume inert effects when they come from offscreen (#17942)

  • fix: don't eagerly access not-yet-initialized functions in template (#17938)

  • fix: discard batches made obsolete by commit (#17934)

  • fix: ensure "is standalone child" is correctly reset (#17944)

  • fix: remove nodes in boundary when work is pending and HMR is active (#17932)

5.53.12

Patch Changes

  • fix: update select.__value on change (#17745)

  • chore: add invariant helper for debugging (#17929)

  • fix: ensure deriveds values are correct across batches (#17917)

  • fix: handle async RHS in assignment_value_stale (#17925)

  • fix: avoid traversing clean roots (#17928)

5.53.11

Patch Changes

  • fix: remove untrack circular dependency (#17910)

  • fix: recover from errors that leave a corrupted effect tree (#17888)

  • fix: properly lazily evaluate RHS when checking for assignment_value_stale (#17906)

... (truncated)

Commits
  • 7ec156a Version Packages (#17953)
  • c89f6ab feat: allow css, runes, customElement compiler options to be functions ...
  • 5faf102 fix: reinstate reactivity loss tracking (#17801)
  • 6a303c3 Version Packages (#17936)
  • f081a6c fix: resume inert effects when they come from offscreen (#17942)
  • 1cd0645 fix: remove nodes in boundary when work is pending and HMR is active (#17932)
  • 32a48ed fix: don't eagerly access not-yet-initialized functions in template (#17938)
  • b472171 fix: ensure $inspect after top level await doesn't break builds (#17943)
  • d4bd6ad fix: ensure "is standalone child" is correctly reset (#17944)
  • 98e8b63 fix: discard batches made obsolete by commit (#17934)
  • Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates devalue from 5.1.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.


Updates flatted from 3.3.1 to 3.4.2

Commits
  • 3bf0909 3.4.2
  • 885ddcc fix CWE-1321
  • 0bdba70 added flatted-view to the benchmark
  • 2a02dce 3.4.1
  • fba4e8f Merge pull request #89 from WebReflection/python-fix
  • 5fe8648 added "when in Rome" also a test for PHP
  • 53517ad some minor improvement
  • b3e2a0c Fixing recursion issue in Python too
  • c4b46db Add SECURITY.md for security policy and reporting
  • f86d071 Create dependabot.yml for version updates
  • Additional commits viewable in compare view

Updates immutable from 5.0.3 to 5.1.5

Release notes

Sourced from immutable's releases.

v5.1.5

What's Changed

Full Changelog: https://github.com/immutable-js/immutable-js/compare/v5.1.4...v5.1.5

v5.1.4

What's Changed

Documentation

Internal

New Contributors

Full Changelog: https://github.com/immutable-js/immutable-js/compare/v5.1.3...v5.1.4

v5.1.3

What's Changed

TypeScript

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples.

... (truncated)

Changelog

Sourced from immutable's changelog.

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Documentation

Internal

5.1.3

TypeScript

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

5.1.2

... (truncated)

Commits
  • b37b855 5.1.5
  • 16b3313 Merge commit from fork
  • fd2ef49 fix new proto key injection
  • 6734b7b fix Prototype Pollution in mergeDeep, toJS, etc.
  • 6f772de Merge pull request #2175 from immutable-js/dependabot/npm_and_yarn/rollup-4.59.0
  • 5f3dc61 Bump rollup from 4.34.8 to 4.59.0
  • 049a594 Merge pull request #2173 from immutable-js/dependabot/npm_and_yarn/lodash-4.1...
  • 2481a77 Merge pull request #2172 from mrazauskas/update-tstyche
  • eb04779 Bump lodash from 4.17.21 to 4.17.23
  • b973bf3 format
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.


Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

  • Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.
Commits

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

  • [Robustness] avoid .push, use void
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [actions] fix rebase workflow permissions

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup

... (truncated)

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates rollup from 4.22.4 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

v4.58.0

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

  • #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
  • #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, Description has been truncated


    🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22872 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 3/20/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/npm_and_yarn-41f0952b8d` --- ### 📝 Commits (1) - [`34a4800`](https://github.com/open-webui/open-webui/commit/34a48000e9a8b67cc219d0b6043d630b48b2dbdc) chore(deps): bump the npm_and_yarn group across 1 directory with 15 updates ### 📊 Changes **2 files changed** (+597 additions, -702 deletions) <details> <summary>View changed files</summary> 📝 `package-lock.json` (+590 -695) 📝 `package.json` (+7 -7) </details> ### 📄 Description Bumps the npm_and_yarn group with 14 updates in the / directory: | Package | From | To | | --- | --- | --- | | [dompurify](https://github.com/cure53/DOMPurify) | `3.2.6` | `3.3.3` | | [jspdf](https://github.com/parallax/jsPDF) | `4.0.0` | `4.2.1` | | [undici](https://github.com/nodejs/undici) | `7.11.0` | `7.24.5` | | [undici](https://github.com/nodejs/undici) | `6.21.2` | `6.24.1` | | [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.42.2` | `5.54.0` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [flatted](https://github.com/WebReflection/flatted) | `3.3.1` | `3.4.2` | | [immutable](https://github.com/immutable-js/immutable-js) | `5.0.3` | `5.1.5` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.1.1` | | [qs](https://github.com/ljharb/qs) | `6.13.0` | `6.14.2` | | [rollup](https://github.com/rollup/rollup) | `4.22.4` | `4.59.0` | | [socket.io-parser](https://github.com/socketio/socket.io) | `4.2.4` | `4.2.6` | | [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.11` | | [underscore](https://github.com/jashkenas/underscore) | `1.13.7` | `1.13.8` | Updates `dompurify` from 3.2.6 to 3.3.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.3.3</h2> <ul> <li>Fixed an engine requirement for Node 20 which caused hiccups, thanks <a href="https://github.com/Rotzbua"><code>@​Rotzbua</code></a></li> </ul> <h2>DOMPurify 3.3.2</h2> <ul> <li>Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters</li> <li>Fixed a prototype pollution issue when working with custom elements, thanks <a href="https://github.com/christos-eth"><code>@​christos-eth</code></a></li> <li>Fixed a lenient config parsing in <code>_isValidAttribute</code>, thanks <a href="https://github.com/christos-eth"><code>@​christos-eth</code></a></li> <li>Bumped and removed several dependencies, thanks <a href="https://github.com/Rotzbua"><code>@​Rotzbua</code></a></li> <li>Fixed the test suite after bumping dependencies, thanks <a href="https://github.com/Rotzbua"><code>@​Rotzbua</code></a></li> </ul> <h2>DOMPurify 3.3.1</h2> <ul> <li>Updated <code>ADD_FORBID_CONTENTS</code> setting to extend default list, thanks <a href="https://github.com/MariusRumpf"><code>@​MariusRumpf</code></a></li> <li>Updated the ESM import syntax to be more correct, thanks <a href="https://github.com/binhpv"><code>@​binhpv</code></a></li> </ul> <h2>DOMPurify 3.3.0</h2> <ul> <li>Added the SVG <code>mask-type</code> attribute to default allow-list, thanks <a href="https://github.com/prasadrajandran"><code>@​prasadrajandran</code></a></li> <li>Added support for <code>ADD_ATTR</code> and <code>ADD_TAGS</code> to accept functions, thanks <a href="https://github.com/nelstrom"><code>@​nelstrom</code></a></li> <li>Fixed an issue with the <code>slot</code> element being in both SVG and HTML allow-list, thanks <a href="https://github.com/Wim-Valgaeren"><code>@​Wim-Valgaeren</code></a></li> </ul> <h2>DOMPurify 3.2.7</h2> <ul> <li>Added new attributes and elements to default allow-list, thanks <a href="https://github.com/elrion018"><code>@​elrion018</code></a></li> <li>Added <code>tagName</code> parameter to custom element <code>attributeNameCheck</code>, thanks <a href="https://github.com/nelstrom"><code>@​nelstrom</code></a></li> <li>Added better check for animated <code>href</code> attributes, thanks <a href="https://github.com/llamakko"><code>@​llamakko</code></a></li> <li>Updated and improved the bundled types, thanks <a href="https://github.com/ssi02014"><code>@​ssi02014</code></a></li> <li>Updated several tests to better align with new browser encoding behaviors</li> <li>Improved the handling of potentially risky content inside CDATA elements, thanks <a href="https://github.com/securityMB"><code>@​securityMB</code></a> &amp; <a href="https://github.com/terjanq"><code>@​terjanq</code></a></li> <li>Improved the regular expression for raw-text elements to cover textareas, thanks <a href="https://github.com/securityMB"><code>@​securityMB</code></a> &amp; <a href="https://github.com/terjanq"><code>@​terjanq</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/8bcbf73ae7eb56e7b4f1300b66cf543342c7ee27"><code>8bcbf73</code></a> chore: Preparing 3.3.3 release</li> <li><a href="https://github.com/cure53/DOMPurify/commit/5faddd60af7b4d612f32a0c6b44432b77c8c490c"><code>5faddd6</code></a> fix: engine requirement (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1210">#1210</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/0f91e3add5c028bc4110c513b0c2571b284c35af"><code>0f91e3a</code></a> Update README.md</li> <li><a href="https://github.com/cure53/DOMPurify/commit/d5ff1a8c605df1df998c2e7df2c4c8ac762b0dea"><code>d5ff1a8</code></a> Merge branch 'main' of github.com:cure53/DOMPurify</li> <li><a href="https://github.com/cure53/DOMPurify/commit/c3efd489010366e755de9d65fd741888fd8b7462"><code>c3efd48</code></a> fix: moved back from jsdom 28 to jsdom 20</li> <li><a href="https://github.com/cure53/DOMPurify/commit/988b888108c8df911ef37e68d0e26c85ad90e885"><code>988b888</code></a> fix: moved back from jsdom 28 to jsdom 20</li> <li><a href="https://github.com/cure53/DOMPurify/commit/2726c74e9c6a0645127d1630e5ca49f64bc9fe67"><code>2726c74</code></a> chore: Preparing 3.3.2 release</li> <li><a href="https://github.com/cure53/DOMPurify/commit/6202c7e43e9df01ba606396aed60fbae5583f7a1"><code>6202c7e</code></a> build(deps): bump <code>@​tootallnate/once</code> and jsdom (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1204">#1204</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"><code>302b51d</code></a> fix: Expanded the regex ever so slightly to also cover script</li> <li><a href="https://github.com/cure53/DOMPurify/commit/cd85175da3c4614aeb0f1022f2a347e5e9bdd58b"><code>cd85175</code></a> Merge branch 'main' of github.com:cure53/DOMPurify</li> <li>Additional commits viewable in <a href="https://github.com/cure53/DOMPurify/compare/3.2.6...3.3.3">compare view</a></li> </ul> </details> <br /> Updates `jspdf` from 4.0.0 to 4.2.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/parallax/jsPDF/releases">jspdf's releases</a>.</em></p> <blockquote> <h2>v4.2.1</h2> <p>This release fixes two security issues.</p> <h2>What's Changed</h2> <ul> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-wfv2-pwc8-crg5">HTML Injection in output methods</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24">PDF Object Injection via free text annotation color</a> vulnerability.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.2.0...v4.2.1">https://github.com/parallax/jsPDF/compare/v4.2.0...v4.2.1</a></p> <h2>v4.2.0</h2> <p>This release fixes three security issues.</p> <h2>What's Changed</h2> <ul> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m">PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children)</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj">Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp">PDF Object Injection via Unsanitized Input in addJS Method</a> vulnerability.</li> <li>Add &quot;default&quot; property to export section in package.json by <a href="https://github.com/stefan-schweiger"><code>@​stefan-schweiger</code></a> in <a href="https://redirect.github.com/parallax/jsPDF/pull/3953">parallax/jsPDF#3953</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/stefan-schweiger"><code>@​stefan-schweiger</code></a> made their first contribution in <a href="https://redirect.github.com/parallax/jsPDF/pull/3953">parallax/jsPDF#3953</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0">https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0</a></p> <h2>v4.1.0</h2> <p>This release fixes several security issues.</p> <h2>What's Changed</h2> <ul> <li>Upgrade optional dompurify dependency to 3.3.1 in <a href="https://redirect.github.com/parallax/jsPDF/pull/3948">parallax/jsPDF#3948</a></li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328">PDF Injection in AcroForm module allows Arbitrary JavaScript Execution</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422">Stored XMP Metadata Injection (Spoofing &amp; Integrity Violation)</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4">Shared State Race Condition in addJS Method</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c">Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder</a> vulnerability</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0">https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/parallax/jsPDF/commit/4562ce8aa35bd5ecd98cd5e262e3da2af96476f6"><code>4562ce8</code></a> 4.2.1</li> <li><a href="https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8"><code>4155c48</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/87a40bbd07e6b30575196370670b41f264aa78d7"><code>87a40bb</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/b1607a9391d4cd65ea7ade25998aea8345ae1be3"><code>b1607a9</code></a> Bump minimatch from 3.1.2 to 3.1.5 (<a href="https://redirect.github.com/parallax/jsPDF/issues/3961">#3961</a>)</li> <li><a href="https://github.com/parallax/jsPDF/commit/42ac89097de83bcedd10870af47a0a25c11ca3d1"><code>42ac890</code></a> Bump rollup from 2.79.2 to 2.80.0 (<a href="https://redirect.github.com/parallax/jsPDF/issues/3960">#3960</a>)</li> <li><a href="https://github.com/parallax/jsPDF/commit/7af912cadaf0f9a2ad28afe7af53033a2c61de64"><code>7af912c</code></a> 4.2.0</li> <li><a href="https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437"><code>56b46d4</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6"><code>2e5e156</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/71ad2dbfa6c7c189ab42b855b782620fa8a38375"><code>71ad2db</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/885a7778070d500887c9a5d2b02b55460009a9d0"><code>885a777</code></a> fix: upgrade <code>@​babel/runtime</code> from 7.28.4 to 7.28.6 (<a href="https://redirect.github.com/parallax/jsPDF/issues/3954">#3954</a>)</li> <li>Additional commits viewable in <a href="https://github.com/parallax/jsPDF/compare/v4.0.0...v4.2.1">compare view</a></li> </ul> </details> <br /> Updates `undici` from 7.11.0 to 7.24.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.24.5</h2> <h2>What's Changed</h2> <ul> <li>Formdata tests by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4902">nodejs/undici#4902</a></li> <li>test: add unexpected disconnect guards to more client test files by <a href="https://github.com/samayer12"><code>@​samayer12</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4844">nodejs/undici#4844</a></li> <li>fix(cache): only apply 1-year deleteAt for immutable responses by <a href="https://github.com/metalix2"><code>@​metalix2</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4913">nodejs/undici#4913</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/metalix2"><code>@​metalix2</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/4913">nodejs/undici#4913</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5">https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5</a></p> <h2>v7.24.4</h2> <h2>What's Changed</h2> <ul> <li>fix(fetch): handle URL credentials in dispatch path extraction by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4892">nodejs/undici#4892</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4">https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4</a></p> <h2>v7.24.3</h2> <h2>What's Changed</h2> <ul> <li>fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by <a href="https://github.com/hxinhan"><code>@​hxinhan</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4881">nodejs/undici#4881</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3">https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3</a></p> <h2>v7.24.2</h2> <h2>What's Changed</h2> <ul> <li>fix fetch path logic by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4890">nodejs/undici#4890</a></li> <li>remove maxDecompressedMessageSize by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4891">nodejs/undici#4891</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2">https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2</a></p> <h2>v7.24.1</h2> <h2>What's Changed</h2> <ul> <li>fix: <strong>proto</strong> pollution by <a href="https://github.com/rahulyadav5524"><code>@​rahulyadav5524</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4885">nodejs/undici#4885</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1">https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1</a></p> <h2>v7.24.0</h2> <h1>Undici v7.24.0 Security Release Notes</h1> <p>This release addresses multiple security vulnerabilities in Undici.</p> <h2>Upgrade guidance</h2> <p>All users on v7 should upgrade to <strong>v7.24.0</strong> or later.</p> <h2>Fixed advisories</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/51fd6617e5b4bd6a605628b7a9d40510fc0a723e"><code>51fd661</code></a> Bumped v7.24.5 (<a href="https://redirect.github.com/nodejs/undici/issues/4915">#4915</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/90775009148e5956ac58ace0eb493001db8b2b7c"><code>9077500</code></a> fix(cache): only apply 1-year deleteAt for immutable responses (<a href="https://redirect.github.com/nodejs/undici/issues/4913">#4913</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/1c5dc1ad36c886aa11d025cf6381c5ea1fff0ca4"><code>1c5dc1a</code></a> test: add unexpected disconnect guards to more client test files (<a href="https://redirect.github.com/nodejs/undici/issues/4844">#4844</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/28853613a582b74315617ec44dde06bd3cee3c11"><code>2885361</code></a> Formdata tests (<a href="https://redirect.github.com/nodejs/undici/issues/4902">#4902</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/4991f3e1fbb93c8243fe072a69b08c47fd5d0e24"><code>4991f3e</code></a> Bumped v7.24.4</li> <li><a href="https://github.com/nodejs/undici/commit/ea3a06d76e1b0b3e23c77ead15836474906fd635"><code>ea3a06d</code></a> fix(fetch): preserve path for credentialed URLs (<a href="https://redirect.github.com/nodejs/undici/issues/4892">#4892</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9b96516c266ddf37f658179448a1a19479d8c204"><code>9b96516</code></a> Bumped v7.24.3</li> <li><a href="https://github.com/nodejs/undici/commit/79266603db63492826382375a504c580d86845c8"><code>7926660</code></a> Ignore .githuman</li> <li><a href="https://github.com/nodejs/undici/commit/9eaa5af23e8be069556af812a982bc7d59932bb7"><code>9eaa5af</code></a> fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...</li> <li><a href="https://github.com/nodejs/undici/commit/a9bfe210b093366a5d11ce5315e56adbadfbb78d"><code>a9bfe21</code></a> ignore .pi</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.11.0...v7.24.5">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for undici since your current version.</p> </details> <br /> Updates `undici` from 6.21.2 to 6.24.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.24.5</h2> <h2>What's Changed</h2> <ul> <li>Formdata tests by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4902">nodejs/undici#4902</a></li> <li>test: add unexpected disconnect guards to more client test files by <a href="https://github.com/samayer12"><code>@​samayer12</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4844">nodejs/undici#4844</a></li> <li>fix(cache): only apply 1-year deleteAt for immutable responses by <a href="https://github.com/metalix2"><code>@​metalix2</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4913">nodejs/undici#4913</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/metalix2"><code>@​metalix2</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/4913">nodejs/undici#4913</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5">https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5</a></p> <h2>v7.24.4</h2> <h2>What's Changed</h2> <ul> <li>fix(fetch): handle URL credentials in dispatch path extraction by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4892">nodejs/undici#4892</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4">https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4</a></p> <h2>v7.24.3</h2> <h2>What's Changed</h2> <ul> <li>fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by <a href="https://github.com/hxinhan"><code>@​hxinhan</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4881">nodejs/undici#4881</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3">https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3</a></p> <h2>v7.24.2</h2> <h2>What's Changed</h2> <ul> <li>fix fetch path logic by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4890">nodejs/undici#4890</a></li> <li>remove maxDecompressedMessageSize by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4891">nodejs/undici#4891</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2">https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2</a></p> <h2>v7.24.1</h2> <h2>What's Changed</h2> <ul> <li>fix: <strong>proto</strong> pollution by <a href="https://github.com/rahulyadav5524"><code>@​rahulyadav5524</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4885">nodejs/undici#4885</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1">https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1</a></p> <h2>v7.24.0</h2> <h1>Undici v7.24.0 Security Release Notes</h1> <p>This release addresses multiple security vulnerabilities in Undici.</p> <h2>Upgrade guidance</h2> <p>All users on v7 should upgrade to <strong>v7.24.0</strong> or later.</p> <h2>Fixed advisories</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/51fd6617e5b4bd6a605628b7a9d40510fc0a723e"><code>51fd661</code></a> Bumped v7.24.5 (<a href="https://redirect.github.com/nodejs/undici/issues/4915">#4915</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/90775009148e5956ac58ace0eb493001db8b2b7c"><code>9077500</code></a> fix(cache): only apply 1-year deleteAt for immutable responses (<a href="https://redirect.github.com/nodejs/undici/issues/4913">#4913</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/1c5dc1ad36c886aa11d025cf6381c5ea1fff0ca4"><code>1c5dc1a</code></a> test: add unexpected disconnect guards to more client test files (<a href="https://redirect.github.com/nodejs/undici/issues/4844">#4844</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/28853613a582b74315617ec44dde06bd3cee3c11"><code>2885361</code></a> Formdata tests (<a href="https://redirect.github.com/nodejs/undici/issues/4902">#4902</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/4991f3e1fbb93c8243fe072a69b08c47fd5d0e24"><code>4991f3e</code></a> Bumped v7.24.4</li> <li><a href="https://github.com/nodejs/undici/commit/ea3a06d76e1b0b3e23c77ead15836474906fd635"><code>ea3a06d</code></a> fix(fetch): preserve path for credentialed URLs (<a href="https://redirect.github.com/nodejs/undici/issues/4892">#4892</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9b96516c266ddf37f658179448a1a19479d8c204"><code>9b96516</code></a> Bumped v7.24.3</li> <li><a href="https://github.com/nodejs/undici/commit/79266603db63492826382375a504c580d86845c8"><code>7926660</code></a> Ignore .githuman</li> <li><a href="https://github.com/nodejs/undici/commit/9eaa5af23e8be069556af812a982bc7d59932bb7"><code>9eaa5af</code></a> fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...</li> <li><a href="https://github.com/nodejs/undici/commit/a9bfe210b093366a5d11ce5315e56adbadfbb78d"><code>a9bfe21</code></a> ignore .pi</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.11.0...v7.24.5">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for undici since your current version.</p> </details> <br /> Updates `svelte` from 5.42.2 to 5.54.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/svelte/releases">svelte's releases</a>.</em></p> <blockquote> <h2>svelte@5.54.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: allow <code>css</code>, <code>runes</code>, <code>customElement</code> compiler options to be functions (<a href="https://redirect.github.com/sveltejs/svelte/pull/17951">#17951</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li>fix: reinstate reactivity loss tracking (<a href="https://redirect.github.com/sveltejs/svelte/pull/17801">#17801</a>)</li> </ul> <h2>svelte@5.53.13</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: ensure <code>$inspect</code> after top level await doesn't break builds (<a href="https://redirect.github.com/sveltejs/svelte/pull/17943">#17943</a>)</p> </li> <li> <p>fix: resume inert effects when they come from offscreen (<a href="https://redirect.github.com/sveltejs/svelte/pull/17942">#17942</a>)</p> </li> <li> <p>fix: don't eagerly access not-yet-initialized functions in template (<a href="https://redirect.github.com/sveltejs/svelte/pull/17938">#17938</a>)</p> </li> <li> <p>fix: discard batches made obsolete by commit (<a href="https://redirect.github.com/sveltejs/svelte/pull/17934">#17934</a>)</p> </li> <li> <p>fix: ensure &quot;is standalone child&quot; is correctly reset (<a href="https://redirect.github.com/sveltejs/svelte/pull/17944">#17944</a>)</p> </li> <li> <p>fix: remove nodes in boundary when work is pending and HMR is active (<a href="https://redirect.github.com/sveltejs/svelte/pull/17932">#17932</a>)</p> </li> </ul> <h2>svelte@5.53.12</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: update <code>select.__value</code> on <code>change</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17745">#17745</a>)</p> </li> <li> <p>chore: add <code>invariant</code> helper for debugging (<a href="https://redirect.github.com/sveltejs/svelte/pull/17929">#17929</a>)</p> </li> <li> <p>fix: ensure deriveds values are correct across batches (<a href="https://redirect.github.com/sveltejs/svelte/pull/17917">#17917</a>)</p> </li> <li> <p>fix: handle async RHS in <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17925">#17925</a>)</p> </li> <li> <p>fix: avoid traversing clean roots (<a href="https://redirect.github.com/sveltejs/svelte/pull/17928">#17928</a>)</p> </li> </ul> <h2>svelte@5.53.11</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: remove <code>untrack</code> circular dependency (<a href="https://redirect.github.com/sveltejs/svelte/pull/17910">#17910</a>)</p> </li> <li> <p>fix: recover from errors that leave a corrupted effect tree (<a href="https://redirect.github.com/sveltejs/svelte/pull/17888">#17888</a>)</p> </li> <li> <p>fix: properly lazily evaluate RHS when checking for <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17906">#17906</a>)</p> </li> <li> <p>fix: resolve boundary in correct batch when hydrating (<a href="https://redirect.github.com/sveltejs/svelte/pull/17914">#17914</a>)</p> </li> <li> <p>chore: rebase batches after process, not during (<a href="https://redirect.github.com/sveltejs/svelte/pull/17900">#17900</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md">svelte's changelog</a>.</em></p> <blockquote> <h2>5.54.0</h2> <h3>Minor Changes</h3> <ul> <li>feat: allow <code>css</code>, <code>runes</code>, <code>customElement</code> compiler options to be functions (<a href="https://redirect.github.com/sveltejs/svelte/pull/17951">#17951</a>)</li> </ul> <h3>Patch Changes</h3> <ul> <li>fix: reinstate reactivity loss tracking (<a href="https://redirect.github.com/sveltejs/svelte/pull/17801">#17801</a>)</li> </ul> <h2>5.53.13</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: ensure <code>$inspect</code> after top level await doesn't break builds (<a href="https://redirect.github.com/sveltejs/svelte/pull/17943">#17943</a>)</p> </li> <li> <p>fix: resume inert effects when they come from offscreen (<a href="https://redirect.github.com/sveltejs/svelte/pull/17942">#17942</a>)</p> </li> <li> <p>fix: don't eagerly access not-yet-initialized functions in template (<a href="https://redirect.github.com/sveltejs/svelte/pull/17938">#17938</a>)</p> </li> <li> <p>fix: discard batches made obsolete by commit (<a href="https://redirect.github.com/sveltejs/svelte/pull/17934">#17934</a>)</p> </li> <li> <p>fix: ensure &quot;is standalone child&quot; is correctly reset (<a href="https://redirect.github.com/sveltejs/svelte/pull/17944">#17944</a>)</p> </li> <li> <p>fix: remove nodes in boundary when work is pending and HMR is active (<a href="https://redirect.github.com/sveltejs/svelte/pull/17932">#17932</a>)</p> </li> </ul> <h2>5.53.12</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: update <code>select.__value</code> on <code>change</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17745">#17745</a>)</p> </li> <li> <p>chore: add <code>invariant</code> helper for debugging (<a href="https://redirect.github.com/sveltejs/svelte/pull/17929">#17929</a>)</p> </li> <li> <p>fix: ensure deriveds values are correct across batches (<a href="https://redirect.github.com/sveltejs/svelte/pull/17917">#17917</a>)</p> </li> <li> <p>fix: handle async RHS in <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17925">#17925</a>)</p> </li> <li> <p>fix: avoid traversing clean roots (<a href="https://redirect.github.com/sveltejs/svelte/pull/17928">#17928</a>)</p> </li> </ul> <h2>5.53.11</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: remove <code>untrack</code> circular dependency (<a href="https://redirect.github.com/sveltejs/svelte/pull/17910">#17910</a>)</p> </li> <li> <p>fix: recover from errors that leave a corrupted effect tree (<a href="https://redirect.github.com/sveltejs/svelte/pull/17888">#17888</a>)</p> </li> <li> <p>fix: properly lazily evaluate RHS when checking for <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17906">#17906</a>)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/svelte/commit/7ec156a7b025a916da2745808c72c92dc6e05593"><code>7ec156a</code></a> Version Packages (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17953">#17953</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/c89f6abae863c6db00557e0a283aa0e6f31b45c6"><code>c89f6ab</code></a> feat: allow <code>css</code>, <code>runes</code>, <code>customElement</code> compiler options to be functions ...</li> <li><a href="https://github.com/sveltejs/svelte/commit/5faf102782b6efc60df4290ad2858650594f1ff2"><code>5faf102</code></a> fix: reinstate reactivity loss tracking (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17801">#17801</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/6a303c3638b351386dfc6523db5def622428ce62"><code>6a303c3</code></a> Version Packages (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17936">#17936</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/f081a6c3b1ca3eade9f870325ebdd892dfa4276f"><code>f081a6c</code></a> fix: resume inert effects when they come from offscreen (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17942">#17942</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/1cd06451aff585a0d654bfd39c1abb7c26c239e2"><code>1cd0645</code></a> fix: remove nodes in boundary when work is pending and HMR is active (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17932">#17932</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/32a48ed174868e6fdf1fd8f078d2e296ed12353a"><code>32a48ed</code></a> fix: don't eagerly access not-yet-initialized functions in template (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17938">#17938</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/b472171de66fe8290b55f28623df3fc0e9f34aae"><code>b472171</code></a> fix: ensure <code>$inspect</code> after top level await doesn't break builds (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17943">#17943</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/d4bd6ad8f3605bed53eb223a3c31769b911d86e1"><code>d4bd6ad</code></a> fix: ensure &quot;is standalone child&quot; is correctly reset (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17944">#17944</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/98e8b635fab10be1d82c593097276af373300a55"><code>98e8b63</code></a> fix: discard batches made obsolete by commit (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17934">#17934</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/svelte/commits/svelte@5.54.0/packages/svelte">compare view</a></li> </ul> </details> <br /> Updates `minimatch` from 3.1.2 to 3.1.5 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/isaacs/minimatch/commit/7bba97888a27a6162983056bcce2a6e28f668712"><code>7bba978</code></a> 3.1.5</li> <li><a href="https://github.com/isaacs/minimatch/commit/bd259425b2ca17b42897997f93e890314155522d"><code>bd25942</code></a> docs: add warning about ReDoS</li> <li><a href="https://github.com/isaacs/minimatch/commit/1a9c27c75725474dbde57db2995b6281b267756d"><code>1a9c27c</code></a> fix partial matching of globstar patterns</li> <li><a href="https://github.com/isaacs/minimatch/commit/1a2e084af579731af66c221214e3ca8222c9bf23"><code>1a2e084</code></a> 3.1.4</li> <li><a href="https://github.com/isaacs/minimatch/commit/ae24656237c3d58067442f790ce17eff84463a47"><code>ae24656</code></a> update lockfile</li> <li><a href="https://github.com/isaacs/minimatch/commit/b1003749228b2a79e1f237963a0d559ef7a0941e"><code>b100374</code></a> limit recursion for **, improve perf considerably</li> <li><a href="https://github.com/isaacs/minimatch/commit/26ffeaa091b9f660833e23f42e07165b33e85c13"><code>26ffeaa</code></a> lockfile update</li> <li><a href="https://github.com/isaacs/minimatch/commit/9eca892a4e5dbb20534f9f30483b85cdeee6c2eb"><code>9eca892</code></a> lock node version to 14</li> <li><a href="https://github.com/isaacs/minimatch/commit/00c323b188b704e5d4bc534ecec2268cfa70a32a"><code>00c323b</code></a> 3.1.3</li> <li><a href="https://github.com/isaacs/minimatch/commit/30486b2048929264f44d18822891cfffa02af78b"><code>30486b2</code></a> update CI matrix and actions</li> <li>Additional commits viewable in <a href="https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5">compare view</a></li> </ul> </details> <br /> Updates `devalue` from 5.1.1 to 5.6.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/devalue/releases">devalue's releases</a>.</em></p> <blockquote> <h2>v5.6.4</h2> <h3>Patch Changes</h3> <ul> <li> <p>87c1f3c: fix: reject <code>__proto__</code> keys in malformed <code>Object</code> wrapper payloads</p> <p>This validates the <code>&quot;Object&quot;</code> parse path and throws when the wrapped value has an own <code>__proto__</code> key.</p> </li> <li> <p>40f1db1: fix: ensure sparse array indices are integers</p> </li> <li> <p>87c1f3c: fix: disallow <code>__proto__</code> keys in null-prototype object parsing</p> <p>This disallows <code>__proto__</code> keys in the <code>&quot;null&quot;</code> parse path so null-prototype object hydration cannot carry that key through parse/unflatten.</p> </li> </ul> <h2>v5.6.3</h2> <h3>Patch Changes</h3> <ul> <li>0f04d4d: fix: Properly handle <code>__proto__</code></li> <li>819f1ac: fix: better encoding for sparse arrays</li> </ul> <h2>v5.6.2</h2> <h3>Patch Changes</h3> <ul> <li>1175584: fix: validate input for <code>ArrayBuffer</code> parsing</li> <li>e46afa6: fix: validate input for typed arrays</li> <li>1175584: fix: more helpful errors for inputs causing stack overflows</li> </ul> <h2>v5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>2161d44: fix: add hasOwn check before calling reviver</li> </ul> <h2>v5.6.0</h2> <h3>Minor Changes</h3> <ul> <li>a3d09d4: feat: expose <code>DevalueError</code> for <code>instanceof</code> checks in <code>catch</code> clauses</li> <li>a3d09d4: feat: add <code>value</code> and <code>root</code> properties in <code>DevalueError</code> instances</li> </ul> <h2>v5.5.0</h2> <h3>Minor Changes</h3> <ul> <li>828fa1c: Enable support for custom reducer/reviver for &quot;function&quot; values</li> </ul> <h2>v5.4.2</h2> <h3>Patch Changes</h3> <ul> <li>5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers</li> </ul> <h2>v5.4.1</h2> <h3>Patch Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md">devalue's changelog</a>.</em></p> <blockquote> <h2>5.6.4</h2> <h3>Patch Changes</h3> <ul> <li> <p>87c1f3c: fix: reject <code>__proto__</code> keys in malformed <code>Object</code> wrapper payloads</p> <p>This validates the <code>&quot;Object&quot;</code> parse path and throws when the wrapped value has an own <code>__proto__</code> key.</p> </li> <li> <p>40f1db1: fix: ensure sparse array indices are integers</p> </li> <li> <p>87c1f3c: fix: disallow <code>__proto__</code> keys in null-prototype object parsing</p> <p>This disallows <code>__proto__</code> keys in the <code>&quot;null&quot;</code> parse path so null-prototype object hydration cannot carry that key through parse/unflatten.</p> </li> </ul> <h2>5.6.3</h2> <h3>Patch Changes</h3> <ul> <li>0f04d4d: fix: Properly handle <code>__proto__</code></li> <li>819f1ac: fix: better encoding for sparse arrays</li> </ul> <h2>5.6.2</h2> <h3>Patch Changes</h3> <ul> <li>1175584: fix: validate input for <code>ArrayBuffer</code> parsing</li> <li>e46afa6: fix: validate input for typed arrays</li> <li>1175584: fix: more helpful errors for inputs causing stack overflows</li> </ul> <h2>5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>2161d44: fix: add hasOwn check before calling reviver</li> </ul> <h2>5.6.0</h2> <h3>Minor Changes</h3> <ul> <li>a3d09d4: feat: expose <code>DevalueError</code> for <code>instanceof</code> checks in <code>catch</code> clauses</li> <li>a3d09d4: feat: add <code>value</code> and <code>root</code> properties in <code>DevalueError</code> instances</li> </ul> <h2>5.5.0</h2> <h3>Minor Changes</h3> <ul> <li>828fa1c: Enable support for custom reducer/reviver for &quot;function&quot; values</li> </ul> <h2>5.4.2</h2> <h3>Patch Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/devalue/commit/6cbb3f51258e01d7769e2b3d77b6ce9ed060804b"><code>6cbb3f5</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/133">#133</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/40f1db13afdd65c8e2ebd02f684276c273ef81b0"><code>40f1db1</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/87c1f3ce3759765a061cfe34843ecc4b0711ba8d"><code>87c1f3c</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/a4a37d208a4d1bdd0d58c82e5644c87cab855259"><code>a4a37d2</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/132">#132</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/819f1ac7475ab37547645cfb09bf2f678a799cf0"><code>819f1ac</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/0f04d4d678eac39ad5d7a07d1956275d7874e81c"><code>0f04d4d</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/fcf4e88275f2e2e45b9ea70ffaa5247c8f55f057"><code>fcf4e88</code></a> fix tests</li> <li><a href="https://github.com/sveltejs/devalue/commit/1d8a5ea5863bcd9992755ce5a3842265753cb4ab"><code>1d8a5ea</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/131">#131</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4"><code>1175584</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7"><code>e46afa6</code></a> Merge commit from fork</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/devalue/compare/v5.1.1...v5.6.4">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for devalue since your current version.</p> </details> <br /> Updates `flatted` from 3.3.1 to 3.4.2 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/WebReflection/flatted/commit/3bf09091c3562e17a0647bc06710dd6097079cf7"><code>3bf0909</code></a> 3.4.2</li> <li><a href="https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802"><code>885ddcc</code></a> fix CWE-1321</li> <li><a href="https://github.com/WebReflection/flatted/commit/0bdba705d130f00892b1b8fcc80cf4cdea0631e3"><code>0bdba70</code></a> added flatted-view to the benchmark</li> <li><a href="https://github.com/WebReflection/flatted/commit/2a02dce7c641dec31194c67663f9b0b12e62da20"><code>2a02dce</code></a> 3.4.1</li> <li><a href="https://github.com/WebReflection/flatted/commit/fba4e8f2e113665da275b19cd0f695f3d98e9416"><code>fba4e8f</code></a> Merge pull request <a href="https://redirect.github.com/WebReflection/flatted/issues/89">#89</a> from WebReflection/python-fix</li> <li><a href="https://github.com/WebReflection/flatted/commit/5fe86485e6df7f7f34a07a2a85498bd3e17384e7"><code>5fe8648</code></a> added &quot;when in Rome&quot; also a test for PHP</li> <li><a href="https://github.com/WebReflection/flatted/commit/53517adbefe724fe472b2f9ebcdb01910d0ae3f0"><code>53517ad</code></a> some minor improvement</li> <li><a href="https://github.com/WebReflection/flatted/commit/b3e2a0c387bf446435fec45ad7f05299f012346f"><code>b3e2a0c</code></a> Fixing recursion issue in Python too</li> <li><a href="https://github.com/WebReflection/flatted/commit/c4b46dbcbf782326e54ea1b65d3ebb1dc7a23fad"><code>c4b46db</code></a> Add SECURITY.md for security policy and reporting</li> <li><a href="https://github.com/WebReflection/flatted/commit/f86d071e0f70de5a7d8200198824a3f07fc9c988"><code>f86d071</code></a> Create dependabot.yml for version updates</li> <li>Additional commits viewable in <a href="https://github.com/WebReflection/flatted/compare/v3.3.1...v3.4.2">compare view</a></li> </ul> </details> <br /> Updates `immutable` from 5.0.3 to 5.1.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/immutable-js/immutable-js/releases">immutable's releases</a>.</em></p> <blockquote> <h2>v5.1.5</h2> <h2>What's Changed</h2> <ul> <li>Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable</li> <li>Upgrade devtools and use immutable version by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2158">immutable-js/immutable-js#2158</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/immutable-js/immutable-js/compare/v5.1.4...v5.1.5">https://github.com/immutable-js/immutable-js/compare/v5.1.4...v5.1.5</a></p> <h2>v5.1.4</h2> <h2>What's Changed</h2> <ul> <li>Migrate some files to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2125">immutable-js/immutable-js#2125</a> <ul> <li>Iterator.ts</li> <li>PairSorting.ts</li> <li>toJS.ts</li> <li>Math.ts</li> <li>Hash.ts</li> </ul> </li> <li>Extract CollectionHelperMethods and convert to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2131">immutable-js/immutable-js#2131</a></li> <li>Use npm <a href="https://docs.npmjs.com/trusted-publishers">trusted publishing only</a> to avoid token stealing.</li> </ul> <h3>Documentation</h3> <ul> <li>Fix/a11y issues by <a href="https://github.com/lyannel"><code>@​lyannel</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2136">immutable-js/immutable-js#2136</a></li> <li>Doc add Map.get signature update by <a href="https://github.com/borracciaBlu"><code>@​borracciaBlu</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2138">immutable-js/immutable-js#2138</a></li> <li>fix(doc):minor-issues#2132 by <a href="https://github.com/JayMeDotDot"><code>@​JayMeDotDot</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2133">immutable-js/immutable-js#2133</a></li> <li>Fix algolia search by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2135">immutable-js/immutable-js#2135</a></li> <li>Typo in OrderedMap by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2144">immutable-js/immutable-js#2144</a></li> </ul> <h3>Internal</h3> <ul> <li>chore: Sort all imports and activate eslint import rule by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2119">immutable-js/immutable-js#2119</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/JayMeDotDot"><code>@​JayMeDotDot</code></a> made their first contribution in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2133">immutable-js/immutable-js#2133</a></li> <li><a href="https://github.com/lyannel"><code>@​lyannel</code></a> made their first contribution in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2136">immutable-js/immutable-js#2136</a></li> <li><a href="https://github.com/borracciaBlu"><code>@​borracciaBlu</code></a> made their first contribution in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2138">immutable-js/immutable-js#2138</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/immutable-js/immutable-js/compare/v5.1.3...v5.1.4">https://github.com/immutable-js/immutable-js/compare/v5.1.3...v5.1.4</a></p> <h2>v5.1.3</h2> <h2>What's Changed</h2> <h3>TypeScript</h3> <ul> <li>fix: allow readonly map entry constructor by <a href="https://github.com/septs"><code>@​septs</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2123">immutable-js/immutable-js#2123</a></li> </ul> <h3>Documentation</h3> <p>There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md">immutable's changelog</a>.</em></p> <blockquote> <h2>5.1.5</h2> <ul> <li>Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable</li> </ul> <h2>5.1.4</h2> <ul> <li>Migrate some files to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2125">immutable-js/immutable-js#2125</a> <ul> <li>Iterator.ts</li> <li>PairSorting.ts</li> <li>toJS.ts</li> <li>Math.ts</li> <li>Hash.ts</li> </ul> </li> <li>Extract CollectionHelperMethods and convert to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2131">immutable-js/immutable-js#2131</a></li> <li>Use npm <a href="https://docs.npmjs.com/trusted-publishers">trusted publishing only</a> to avoid token stealing.</li> </ul> <h3>Documentation</h3> <ul> <li>Fix/a11y issues by <a href="https://github.com/lyannel"><code>@​lyannel</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2136">immutable-js/immutable-js#2136</a></li> <li>Doc add Map.get signature update by <a href="https://github.com/borracciaBlu"><code>@​borracciaBlu</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2138">immutable-js/immutable-js#2138</a></li> <li>fix(doc):minor-issues#2132 by <a href="https://github.com/JayMeDotDot"><code>@​JayMeDotDot</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2133">immutable-js/immutable-js#2133</a></li> <li>Fix algolia search by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2135">immutable-js/immutable-js#2135</a></li> <li>Typo in OrderedMap by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2144">immutable-js/immutable-js#2144</a></li> </ul> <h3>Internal</h3> <ul> <li>chore: Sort all imports and activate eslint import rule by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2119">immutable-js/immutable-js#2119</a></li> </ul> <h2>5.1.3</h2> <h3>TypeScript</h3> <ul> <li>fix: allow readonly map entry constructor by <a href="https://github.com/septs"><code>@​septs</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2123">immutable-js/immutable-js#2123</a></li> </ul> <h3>Documentation</h3> <p>There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: <a href="https://immutable-js.com/browser-extension/">https://immutable-js.com/browser-extension/</a></p> <h3>Internal</h3> <ul> <li>replace rimraf by a node script by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2113">immutable-js/immutable-js#2113</a></li> <li>remove warning for tseslint config by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2114">immutable-js/immutable-js#2114</a></li> <li>Use default tsconfig for tests by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2055">immutable-js/immutable-js#2055</a></li> <li>add tests for arrCopy by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2120">immutable-js/immutable-js#2120</a></li> </ul> <h2>5.1.2</h2> <ul> <li>Revert previous assertion as it introduced a regression <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2102">#2102</a> by <a href="https://github.com/giggo1604"><code>@​giggo1604</code></a></li> <li>Merge should work with empty record <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2103">#2103</a> by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/immutable-js/immutable-js/commit/b37b85568632227751ddc8a16034cacc0f42b652"><code>b37b855</code></a> 5.1.5</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/16b3313fdf2c5f579f10799e22869f6909abf945"><code>16b3313</code></a> Merge commit from fork</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/fd2ef4977ee654c5bf26368dbf2f983c8d679bd6"><code>fd2ef49</code></a> fix new proto key injection</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/6734b7b2af7e9dadf517eb9473cc64d2dfe2e301"><code>6734b7b</code></a> fix Prototype Pollution in mergeDeep, toJS, etc.</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/6f772de1e44dcde14128e48d19081a7a077f2162"><code>6f772de</code></a> Merge pull request <a href="https://redirect.github.com/immutable-js/immutable-js/issues/2175">#2175</a> from immutable-js/dependabot/npm_and_yarn/rollup-4.59.0</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/5f3dc61fd0e231654f04a850b8764e7e864c54b3"><code>5f3dc61</code></a> Bump rollup from 4.34.8 to 4.59.0</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/049a594410962c13dfd0f2d0bf0ef2154271079e"><code>049a594</code></a> Merge pull request <a href="https://redirect.github.com/immutable-js/immutable-js/issues/2173">#2173</a> from immutable-js/dependabot/npm_and_yarn/lodash-4.1...</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/2481a77331122eea4ace8afd4842042c6ae7510c"><code>2481a77</code></a> Merge pull request <a href="https://redirect.github.com/immutable-js/immutable-js/issues/2172">#2172</a> from mrazauskas/update-tstyche</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/eb047790b44dac8e5ace49529a5c9928edfc8e12"><code>eb04779</code></a> Bump lodash from 4.17.21 to 4.17.23</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/b973bf3b6242c9966143169825e1e14248c07c31"><code>b973bf3</code></a> format</li> <li>Additional commits viewable in <a href="https://github.com/immutable-js/immutable-js/compare/v5.0.3...v5.1.5">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for immutable since your current version.</p> </details> <br /> Updates `js-yaml` from 4.1.0 to 4.1.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (&lt;&lt;) operator.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/cc482e775913e6625137572a3712d2826170e53a"><code>cc482e7</code></a> 4.1.1 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/50968b862e75866ef90e626572fe0b2f97b55f9f"><code>50968b8</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/d092d866031751cb27c12d93f3e2470ad74d678b"><code>d092d86</code></a> lint fix</li> <li><a href="https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"><code>383665f</code></a> fix prototype pollution in merge (&lt;&lt;)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/0d3ca7a27b03a6c974790a30a89e456007d62976"><code>0d3ca7a</code></a> README.md: HTTP =&gt; HTTPS (<a href="https://redirect.github.com/nodeca/js-yaml/issues/678">#678</a>)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/49baadd52af887d2991e2c39a6639baa56d6c71b"><code>49baadd</code></a> doc: 'empty' style option for !!null</li> <li><a href="https://github.com/nodeca/js-yaml/commit/ba3460eb9d3e4478edcbc29edabe17c2157fc9ce"><code>ba3460e</code></a> Fix demo link (<a href="https://redirect.github.com/nodeca/js-yaml/issues/618">#618</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1">compare view</a></li> </ul> </details> <br /> Updates `markdown-it` from 14.1.0 to 14.1.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md">markdown-it's changelog</a>.</em></p> <blockquote> <h2>[14.1.1] - 2026-01-11</h2> <h3>Security</h3> <ul> <li>Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to <a href="https://github.com/ltduc147"><code>@​ltduc147</code></a> for report.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/markdown-it/markdown-it/commit/b4a9b659ef5734223731cfaa3ad5eacc6fc22918"><code>b4a9b65</code></a> 14.1.1 released</li> <li><a href="https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26"><code>4b4bbca</code></a> Fixed perf regression in linkify-it wrapper</li> <li><a href="https://github.com/markdown-it/markdown-it/commit/d2782d892a51201b25d3eeab172201ad5a53a24c"><code>d2782d8</code></a> Add supplementary example-driven documentation (<a href="https://redirect.github.com/markdown-it/markdown-it/issues/1092">#1092</a>)</li> <li>See full diff in <a href="https://github.com/markdown-it/markdown-it/compare/14.1.0...14.1.1">compare view</a></li> </ul> </details> <br /> Updates `qs` from 6.13.0 to 6.14.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.2</strong></h2> <ul> <li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href="https://redirect.github.com/ljharb/qs/issues/546">#546</a>)</li> <li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li> <li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href="https://redirect.github.com/ljharb/qs/issues/529">#529</a>)</li> <li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href="https://redirect.github.com/ljharb/qs/issues/545">#545</a>)</li> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>[actions] fix rebase workflow permissions</li> </ul> <h2><strong>6.14.1</strong></h2> <ul> <li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li> <li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li> <li>[Refactor] <code>parse</code>: extract key segment splitting helper</li> <li>[meta] add threat model</li> <li>[actions] add workflow permissions</li> <li>[Tests] <code>stringify</code>: increase coverage</li> <li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li> </ul> <h2><strong>6.14.0</strong></h2> <ul> <li>[New] <code>parse</code>: add <code>throwOnParameterLimitExceeded</code> option (<a href="https://redirect.github.com/ljharb/qs/issues/517">#517</a>)</li> <li>[Refactor] <code>parse</code>: use <code>utils.combine</code> more</li> <li>[patch] <code>parse</code>: add explicit <code>throwOnLimitExceeded</code> default</li> <li>[actions] use shared action; re-add finishers</li> <li>[meta] Fix changelog formatting bug</li> <li>[Deps] update <code>side-channel</code></li> <li>[Dev Deps] update <code>es-value-fixtures</code>, <code>has-bigints</code>, <code>has-proto</code>, <code>has-symbols</code></li> <li>[Tests] increase coverage</li> </ul> <h2><strong>6.13.3</strong></h2> <p>[Fix] fix regressions from robustness refactor [actions] update reusable workflows</p> <h2><strong>6.13.2</strong></h2> <ul> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[actions] fix rebase workflow permissions</li> </ul> <h2><strong>6.13.1</strong></h2> <ul> <li>[Fix] <code>stringify</code>: avoid a crash when a <code>filter</code> key is <code>null</code></li> <li>[Fix] <code>utils.merge</code>: functions should not be stringified into keys</li> <li>[Fix] <code>parse</code>: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset</li> <li>[Fix] <code>stringify</code>: ensure a non-string <code>filter</code> does not crash</li> <li>[Refactor] use <code>__proto__</code> syntax instead of <code>Object.create</code> for null objects</li> <li>[Refactor] misc cleanup</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/bdcf0c7f82387c18ac8fabfccd2f440645cef47b"><code>bdcf0c7</code></a> v6.14.2</li> <li><a href="https://github.com/ljharb/qs/commit/294db90c812ddbe7d7a35d5687c505fd21a2d6a2"><code>294db90</code></a> [readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output</li> <li><a href="https://github.com/ljharb/qs/commit/5c308e5516c270a78caa6f278465914090f91ec6"><code>5c308e5</code></a> [readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation</li> <li><a href="https://github.com/ljharb/qs/commit/6addf8cf738d529c54d91f6f3ffb6c1be91bbfdc"><code>6addf8c</code></a> [Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code></li> <li><a href="https://github.com/ljharb/qs/commit/cfc108f662326d6ab540f3545ef0b832baf83cdf"><code>cfc108f</code></a> [Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/`pars...</li> <li><a href="https://github.com/ljharb/qs/commit/febb64442a80e49200211fa38d3c96b58024ac77"><code>febb644</code></a> [Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when `thr...</li> <li><a href="https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482"><code>f6a7abf</code></a> [Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li><a href="https://github.com/ljharb/qs/commit/fbc5206c25b4d1851cea683f02c10756c521d15a"><code>fbc5206</code></a> [Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove e...</li> <li><a href="https://github.com/ljharb/qs/commit/1b9a8b4e78c6aff4c22fa559107227f02fd0216a"><code>1b9a8b4</code></a> [actions] fix rebase workflow permissions</li> <li><a href="https://github.com/ljharb/qs/commit/2a35775614e0fb46ac8a3060201a32a7c23a7fda"><code>2a35775</code></a> [meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.13.0...v6.14.2">compare view</a></li> </ul> </details> <br /> Updates `rollup` from 4.22.4 to 4.59.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rollup/rollup/releases">rollup's releases</a>.</em></p> <blockquote> <h2>v4.59.0</h2> <h2>4.59.0</h2> <p><em>2026-02-22</em></p> <h3>Features</h3> <ul> <li>Throw when the generated bundle contains paths that would leave the output directory (<a href="https://redirect.github.com/rollup/rollup/issues/6276">#6276</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6275">#6275</a>: Validate bundle stays within output dir (<a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> </ul> <h2>v4.58.0</h2> <h2>4.58.0</h2> <p><em>2026-02-20</em></p> <h3>Features</h3> <ul> <li>Also support <code>__NO_SIDE_EFFECTS__</code> annotation before variable declarations declaring function expressions (<a href="https://redirect.github.com/rollup/rollup/issues/6272">#6272</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6256">#6256</a>: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (<a href="https://github.com/njg7194"><code>@​njg7194</code></a>, <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6259">#6259</a>: docs: Correct typo and improve sentence structure in docs for <code>output.experimentalMinChunkSize</code> (<a href="https://github.com/millerick"><code>@​millerick</code></a>, <a href="http... _Description has been truncated_ --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-25 14:24:09 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#42530