[PR #22769] [CLOSED] chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates #49904

Closed
opened 2026-04-30 02:19:48 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22769
Author: @dependabot[bot]
Created: 3/17/2026
Status: Closed

Base: mainHead: dependabot/npm_and_yarn/npm_and_yarn-289a4d1b78


📝 Commits (1)

  • 38b9768 chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates

📊 Changes

2 files changed (+564 additions, -694 deletions)

View changed files

📝 package-lock.json (+557 -687)
📝 package.json (+7 -7)

📄 Description

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package From To
dompurify 3.2.6 3.3.3
jspdf 4.0.0 4.2.1
undici 7.11.0 7.24.4
undici 6.21.2 6.24.1
svelte 5.42.2 5.53.13
minimatch 3.1.2 3.1.5
immutable 5.0.3 5.1.5
js-yaml 4.1.0 4.1.1
markdown-it 14.1.0 14.1.1
qs 6.13.0 6.14.2
rollup 4.22.4 4.59.0
tar 7.4.3 7.5.11
underscore 1.13.7 1.13.8

Updates dompurify from 3.2.6 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

  • Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

  • Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
  • Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
  • Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
  • Bumped and removed several dependencies, thanks @​Rotzbua
  • Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

  • Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

  • Added new attributes and elements to default allow-list, thanks @​elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
  • Added better check for animated href attributes, thanks @​llamakko
  • Updated and improved the bundled types, thanks @​ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq
Commits
  • 8bcbf73 chore: Preparing 3.3.3 release
  • 5faddd6 fix: engine requirement (#1210)
  • 0f91e3a Update README.md
  • d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
  • c3efd48 fix: moved back from jsdom 28 to jsdom 20
  • 988b888 fix: moved back from jsdom 28 to jsdom 20
  • 2726c74 chore: Preparing 3.3.2 release
  • 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
  • 302b51d fix: Expanded the regex ever so slightly to also cover script
  • cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
  • Additional commits viewable in compare view

Updates jspdf from 4.0.0 to 4.2.1

Release notes

Sourced from jspdf's releases.

v4.2.1

This release fixes two security issues.

What's Changed

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.2.0...v4.2.1

v4.2.0

This release fixes three security issues.

What's Changed

New Contributors

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0

v4.1.0

This release fixes several security issues.

What's Changed

Full Changelog: https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0

Commits

Updates undici from 7.11.0 to 7.24.4

Release notes

Sourced from undici's releases.

v7.24.4

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4

v7.24.3

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3

v7.24.2

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2

v7.24.1

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

  • GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
    Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

  • GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
    Malicious WebSocket 64-bit frame length handling could crash the client.

  • GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
    Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

  • GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.


Updates undici from 6.21.2 to 6.24.1

Release notes

Sourced from undici's releases.

v7.24.4

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4

v7.24.3

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3

v7.24.2

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2

v7.24.1

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

  • GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
    Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

  • GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
    Malicious WebSocket 64-bit frame length handling could crash the client.

  • GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
    Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

  • GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.


Updates svelte from 5.42.2 to 5.53.13

Release notes

Sourced from svelte's releases.

svelte@5.53.13

Patch Changes

  • fix: ensure $inspect after top level await doesn't break builds (#17943)

  • fix: resume inert effects when they come from offscreen (#17942)

  • fix: don't eagerly access not-yet-initialized functions in template (#17938)

  • fix: discard batches made obsolete by commit (#17934)

  • fix: ensure "is standalone child" is correctly reset (#17944)

  • fix: remove nodes in boundary when work is pending and HMR is active (#17932)

svelte@5.53.12

Patch Changes

  • fix: update select.__value on change (#17745)

  • chore: add invariant helper for debugging (#17929)

  • fix: ensure deriveds values are correct across batches (#17917)

  • fix: handle async RHS in assignment_value_stale (#17925)

  • fix: avoid traversing clean roots (#17928)

svelte@5.53.11

Patch Changes

  • fix: remove untrack circular dependency (#17910)

  • fix: recover from errors that leave a corrupted effect tree (#17888)

  • fix: properly lazily evaluate RHS when checking for assignment_value_stale (#17906)

  • fix: resolve boundary in correct batch when hydrating (#17914)

  • chore: rebase batches after process, not during (#17900)

svelte@5.53.10

Patch Changes

  • fix: re-process batch if new root effects were scheduled (#17895)

svelte@5.53.9

Patch Changes

  • fix: better bind:this cleanup timing (#17885)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.53.13

Patch Changes

  • fix: ensure $inspect after top level await doesn't break builds (#17943)

  • fix: resume inert effects when they come from offscreen (#17942)

  • fix: don't eagerly access not-yet-initialized functions in template (#17938)

  • fix: discard batches made obsolete by commit (#17934)

  • fix: ensure "is standalone child" is correctly reset (#17944)

  • fix: remove nodes in boundary when work is pending and HMR is active (#17932)

5.53.12

Patch Changes

  • fix: update select.__value on change (#17745)

  • chore: add invariant helper for debugging (#17929)

  • fix: ensure deriveds values are correct across batches (#17917)

  • fix: handle async RHS in assignment_value_stale (#17925)

  • fix: avoid traversing clean roots (#17928)

5.53.11

Patch Changes

  • fix: remove untrack circular dependency (#17910)

  • fix: recover from errors that leave a corrupted effect tree (#17888)

  • fix: properly lazily evaluate RHS when checking for assignment_value_stale (#17906)

  • fix: resolve boundary in correct batch when hydrating (#17914)

  • chore: rebase batches after process, not during (#17900)

5.53.10

Patch Changes

  • fix: re-process batch if new root effects were scheduled (#17895)

... (truncated)

Commits

Updates minimatch from 3.1.2 to 3.1.5

Commits

Updates devalue from 5.1.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

  • 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

  • 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

  • a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
  • a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

  • 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.


Updates immutable from 5.0.3 to 5.1.5

Release notes

Sourced from immutable's releases.

v5.1.5

What's Changed

Full Changelog: https://github.com/immutable-js/immutable-js/compare/v5.1.4...v5.1.5

v5.1.4

What's Changed

Documentation

Internal

New Contributors

Full Changelog: https://github.com/immutable-js/immutable-js/compare/v5.1.3...v5.1.4

v5.1.3

What's Changed

TypeScript

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples.

... (truncated)

Changelog

Sourced from immutable's changelog.

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Documentation

Internal

5.1.3

TypeScript

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

5.1.2

... (truncated)

Commits
  • b37b855 5.1.5
  • 16b3313 Merge commit from fork
  • fd2ef49 fix new proto key injection
  • 6734b7b fix Prototype Pollution in mergeDeep, toJS, etc.
  • 6f772de Merge pull request #2175 from immutable-js/dependabot/npm_and_yarn/rollup-4.59.0
  • 5f3dc61 Bump rollup from 4.34.8 to 4.59.0
  • 049a594 Merge pull request #2173 from immutable-js/dependabot/npm_and_yarn/lodash-4.1...
  • 2481a77 Merge pull request #2172 from mrazauskas/update-tstyche
  • eb04779 Bump lodash from 4.17.21 to 4.17.23
  • b973bf3 format
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.


Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

  • Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.
Commits

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

  • [Robustness] avoid .push, use void
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [actions] fix rebase workflow permissions

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup

... (truncated)

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLengtharrayLimit)
  • Additional commits viewable in compare view

Updates rollup from 4.22.4 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

v4.58.0

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

v4.57.1

4.57.1

2026-01-30

Bug Fixes

  • Fix heap corruption issue in Windows (#6251)
  • Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

  • #6251: fix: Isolat...

    Description has been truncated


    🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22769 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 3/17/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `dependabot/npm_and_yarn/npm_and_yarn-289a4d1b78` --- ### 📝 Commits (1) - [`38b9768`](https://github.com/open-webui/open-webui/commit/38b97683fa145578a3f8f42ea493e2b11e7bfed9) chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates ### 📊 Changes **2 files changed** (+564 additions, -694 deletions) <details> <summary>View changed files</summary> 📝 `package-lock.json` (+557 -687) 📝 `package.json` (+7 -7) </details> ### 📄 Description Bumps the npm_and_yarn group with 12 updates in the / directory: | Package | From | To | | --- | --- | --- | | [dompurify](https://github.com/cure53/DOMPurify) | `3.2.6` | `3.3.3` | | [jspdf](https://github.com/parallax/jsPDF) | `4.0.0` | `4.2.1` | | [undici](https://github.com/nodejs/undici) | `7.11.0` | `7.24.4` | | [undici](https://github.com/nodejs/undici) | `6.21.2` | `6.24.1` | | [svelte](https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte) | `5.42.2` | `5.53.13` | | [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` | | [immutable](https://github.com/immutable-js/immutable-js) | `5.0.3` | `5.1.5` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` | `14.1.1` | | [qs](https://github.com/ljharb/qs) | `6.13.0` | `6.14.2` | | [rollup](https://github.com/rollup/rollup) | `4.22.4` | `4.59.0` | | [tar](https://github.com/isaacs/node-tar) | `7.4.3` | `7.5.11` | | [underscore](https://github.com/jashkenas/underscore) | `1.13.7` | `1.13.8` | Updates `dompurify` from 3.2.6 to 3.3.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/cure53/DOMPurify/releases">dompurify's releases</a>.</em></p> <blockquote> <h2>DOMPurify 3.3.3</h2> <ul> <li>Fixed an engine requirement for Node 20 which caused hiccups, thanks <a href="https://github.com/Rotzbua"><code>@​Rotzbua</code></a></li> </ul> <h2>DOMPurify 3.3.2</h2> <ul> <li>Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters</li> <li>Fixed a prototype pollution issue when working with custom elements, thanks <a href="https://github.com/christos-eth"><code>@​christos-eth</code></a></li> <li>Fixed a lenient config parsing in <code>_isValidAttribute</code>, thanks <a href="https://github.com/christos-eth"><code>@​christos-eth</code></a></li> <li>Bumped and removed several dependencies, thanks <a href="https://github.com/Rotzbua"><code>@​Rotzbua</code></a></li> <li>Fixed the test suite after bumping dependencies, thanks <a href="https://github.com/Rotzbua"><code>@​Rotzbua</code></a></li> </ul> <h2>DOMPurify 3.3.1</h2> <ul> <li>Updated <code>ADD_FORBID_CONTENTS</code> setting to extend default list, thanks <a href="https://github.com/MariusRumpf"><code>@​MariusRumpf</code></a></li> <li>Updated the ESM import syntax to be more correct, thanks <a href="https://github.com/binhpv"><code>@​binhpv</code></a></li> </ul> <h2>DOMPurify 3.3.0</h2> <ul> <li>Added the SVG <code>mask-type</code> attribute to default allow-list, thanks <a href="https://github.com/prasadrajandran"><code>@​prasadrajandran</code></a></li> <li>Added support for <code>ADD_ATTR</code> and <code>ADD_TAGS</code> to accept functions, thanks <a href="https://github.com/nelstrom"><code>@​nelstrom</code></a></li> <li>Fixed an issue with the <code>slot</code> element being in both SVG and HTML allow-list, thanks <a href="https://github.com/Wim-Valgaeren"><code>@​Wim-Valgaeren</code></a></li> </ul> <h2>DOMPurify 3.2.7</h2> <ul> <li>Added new attributes and elements to default allow-list, thanks <a href="https://github.com/elrion018"><code>@​elrion018</code></a></li> <li>Added <code>tagName</code> parameter to custom element <code>attributeNameCheck</code>, thanks <a href="https://github.com/nelstrom"><code>@​nelstrom</code></a></li> <li>Added better check for animated <code>href</code> attributes, thanks <a href="https://github.com/llamakko"><code>@​llamakko</code></a></li> <li>Updated and improved the bundled types, thanks <a href="https://github.com/ssi02014"><code>@​ssi02014</code></a></li> <li>Updated several tests to better align with new browser encoding behaviors</li> <li>Improved the handling of potentially risky content inside CDATA elements, thanks <a href="https://github.com/securityMB"><code>@​securityMB</code></a> &amp; <a href="https://github.com/terjanq"><code>@​terjanq</code></a></li> <li>Improved the regular expression for raw-text elements to cover textareas, thanks <a href="https://github.com/securityMB"><code>@​securityMB</code></a> &amp; <a href="https://github.com/terjanq"><code>@​terjanq</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/cure53/DOMPurify/commit/8bcbf73ae7eb56e7b4f1300b66cf543342c7ee27"><code>8bcbf73</code></a> chore: Preparing 3.3.3 release</li> <li><a href="https://github.com/cure53/DOMPurify/commit/5faddd60af7b4d612f32a0c6b44432b77c8c490c"><code>5faddd6</code></a> fix: engine requirement (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1210">#1210</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/0f91e3add5c028bc4110c513b0c2571b284c35af"><code>0f91e3a</code></a> Update README.md</li> <li><a href="https://github.com/cure53/DOMPurify/commit/d5ff1a8c605df1df998c2e7df2c4c8ac762b0dea"><code>d5ff1a8</code></a> Merge branch 'main' of github.com:cure53/DOMPurify</li> <li><a href="https://github.com/cure53/DOMPurify/commit/c3efd489010366e755de9d65fd741888fd8b7462"><code>c3efd48</code></a> fix: moved back from jsdom 28 to jsdom 20</li> <li><a href="https://github.com/cure53/DOMPurify/commit/988b888108c8df911ef37e68d0e26c85ad90e885"><code>988b888</code></a> fix: moved back from jsdom 28 to jsdom 20</li> <li><a href="https://github.com/cure53/DOMPurify/commit/2726c74e9c6a0645127d1630e5ca49f64bc9fe67"><code>2726c74</code></a> chore: Preparing 3.3.2 release</li> <li><a href="https://github.com/cure53/DOMPurify/commit/6202c7e43e9df01ba606396aed60fbae5583f7a1"><code>6202c7e</code></a> build(deps): bump <code>@​tootallnate/once</code> and jsdom (<a href="https://redirect.github.com/cure53/DOMPurify/issues/1204">#1204</a>)</li> <li><a href="https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"><code>302b51d</code></a> fix: Expanded the regex ever so slightly to also cover script</li> <li><a href="https://github.com/cure53/DOMPurify/commit/cd85175da3c4614aeb0f1022f2a347e5e9bdd58b"><code>cd85175</code></a> Merge branch 'main' of github.com:cure53/DOMPurify</li> <li>Additional commits viewable in <a href="https://github.com/cure53/DOMPurify/compare/3.2.6...3.3.3">compare view</a></li> </ul> </details> <br /> Updates `jspdf` from 4.0.0 to 4.2.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/parallax/jsPDF/releases">jspdf's releases</a>.</em></p> <blockquote> <h2>v4.2.1</h2> <p>This release fixes two security issues.</p> <h2>What's Changed</h2> <ul> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-wfv2-pwc8-crg5">HTML Injection in output methods</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24">PDF Object Injection via free text annotation color</a> vulnerability.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.2.0...v4.2.1">https://github.com/parallax/jsPDF/compare/v4.2.0...v4.2.1</a></p> <h2>v4.2.0</h2> <p>This release fixes three security issues.</p> <h2>What's Changed</h2> <ul> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m">PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton children)</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj">Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions</a> vulnerability.</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp">PDF Object Injection via Unsanitized Input in addJS Method</a> vulnerability.</li> <li>Add &quot;default&quot; property to export section in package.json by <a href="https://github.com/stefan-schweiger"><code>@​stefan-schweiger</code></a> in <a href="https://redirect.github.com/parallax/jsPDF/pull/3953">parallax/jsPDF#3953</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/stefan-schweiger"><code>@​stefan-schweiger</code></a> made their first contribution in <a href="https://redirect.github.com/parallax/jsPDF/pull/3953">parallax/jsPDF#3953</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0">https://github.com/parallax/jsPDF/compare/v4.1.0...v4.2.0</a></p> <h2>v4.1.0</h2> <p>This release fixes several security issues.</p> <h2>What's Changed</h2> <ul> <li>Upgrade optional dompurify dependency to 3.3.1 in <a href="https://redirect.github.com/parallax/jsPDF/pull/3948">parallax/jsPDF#3948</a></li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328">PDF Injection in AcroForm module allows Arbitrary JavaScript Execution</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422">Stored XMP Metadata Injection (Spoofing &amp; Integrity Violation)</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4">Shared State Race Condition in addJS Method</a> vulnerability</li> <li>Fix <a href="https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c">Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder</a> vulnerability</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0">https://github.com/parallax/jsPDF/compare/v4.0.0...v4.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/parallax/jsPDF/commit/4562ce8aa35bd5ecd98cd5e262e3da2af96476f6"><code>4562ce8</code></a> 4.2.1</li> <li><a href="https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8"><code>4155c48</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/87a40bbd07e6b30575196370670b41f264aa78d7"><code>87a40bb</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/b1607a9391d4cd65ea7ade25998aea8345ae1be3"><code>b1607a9</code></a> Bump minimatch from 3.1.2 to 3.1.5 (<a href="https://redirect.github.com/parallax/jsPDF/issues/3961">#3961</a>)</li> <li><a href="https://github.com/parallax/jsPDF/commit/42ac89097de83bcedd10870af47a0a25c11ca3d1"><code>42ac890</code></a> Bump rollup from 2.79.2 to 2.80.0 (<a href="https://redirect.github.com/parallax/jsPDF/issues/3960">#3960</a>)</li> <li><a href="https://github.com/parallax/jsPDF/commit/7af912cadaf0f9a2ad28afe7af53033a2c61de64"><code>7af912c</code></a> 4.2.0</li> <li><a href="https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437"><code>56b46d4</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6"><code>2e5e156</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/71ad2dbfa6c7c189ab42b855b782620fa8a38375"><code>71ad2db</code></a> Merge commit from fork</li> <li><a href="https://github.com/parallax/jsPDF/commit/885a7778070d500887c9a5d2b02b55460009a9d0"><code>885a777</code></a> fix: upgrade <code>@​babel/runtime</code> from 7.28.4 to 7.28.6 (<a href="https://redirect.github.com/parallax/jsPDF/issues/3954">#3954</a>)</li> <li>Additional commits viewable in <a href="https://github.com/parallax/jsPDF/compare/v4.0.0...v4.2.1">compare view</a></li> </ul> </details> <br /> Updates `undici` from 7.11.0 to 7.24.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.24.4</h2> <h2>What's Changed</h2> <ul> <li>fix(fetch): handle URL credentials in dispatch path extraction by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4892">nodejs/undici#4892</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4">https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4</a></p> <h2>v7.24.3</h2> <h2>What's Changed</h2> <ul> <li>fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by <a href="https://github.com/hxinhan"><code>@​hxinhan</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4881">nodejs/undici#4881</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3">https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3</a></p> <h2>v7.24.2</h2> <h2>What's Changed</h2> <ul> <li>fix fetch path logic by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4890">nodejs/undici#4890</a></li> <li>remove maxDecompressedMessageSize by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4891">nodejs/undici#4891</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2">https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2</a></p> <h2>v7.24.1</h2> <h2>What's Changed</h2> <ul> <li>fix: <strong>proto</strong> pollution by <a href="https://github.com/rahulyadav5524"><code>@​rahulyadav5524</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4885">nodejs/undici#4885</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1">https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1</a></p> <h2>v7.24.0</h2> <h1>Undici v7.24.0 Security Release Notes</h1> <p>This release addresses multiple security vulnerabilities in Undici.</p> <h2>Upgrade guidance</h2> <p>All users on v7 should upgrade to <strong>v7.24.0</strong> or later.</p> <h2>Fixed advisories</h2> <ul> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm">GHSA-2mjp-6q6p-2qxm</a> / CVE-2026-1525 (Medium)<br /> Inconsistent interpretation of HTTP requests (request/response smuggling class issue).</p> </li> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj">GHSA-f269-vfmq-vjvj</a> / CVE-2026-1528 (High)<br /> Malicious WebSocket 64-bit frame length handling could crash the client.</p> </li> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h">GHSA-phc3-fgpg-7m6h</a> / CVE-2026-2581 (Medium)<br /> Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).</p> </li> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq">GHSA-4992-7rv2-5pvq</a> / CVE-2026-1527 (Medium)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/4991f3e1fbb93c8243fe072a69b08c47fd5d0e24"><code>4991f3e</code></a> Bumped v7.24.4</li> <li><a href="https://github.com/nodejs/undici/commit/ea3a06d76e1b0b3e23c77ead15836474906fd635"><code>ea3a06d</code></a> fix(fetch): preserve path for credentialed URLs (<a href="https://redirect.github.com/nodejs/undici/issues/4892">#4892</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9b96516c266ddf37f658179448a1a19479d8c204"><code>9b96516</code></a> Bumped v7.24.3</li> <li><a href="https://github.com/nodejs/undici/commit/79266603db63492826382375a504c580d86845c8"><code>7926660</code></a> Ignore .githuman</li> <li><a href="https://github.com/nodejs/undici/commit/9eaa5af23e8be069556af812a982bc7d59932bb7"><code>9eaa5af</code></a> fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...</li> <li><a href="https://github.com/nodejs/undici/commit/a9bfe210b093366a5d11ce5315e56adbadfbb78d"><code>a9bfe21</code></a> ignore .pi</li> <li><a href="https://github.com/nodejs/undici/commit/f2e155bb90b79acb6764d5b02d2879462daf0ecd"><code>f2e155b</code></a> Bumped v7.24.2</li> <li><a href="https://github.com/nodejs/undici/commit/4d2d1afd59a8c00002d029775859bde3d47549da"><code>4d2d1af</code></a> remove maxDecompressedMessageSize (<a href="https://redirect.github.com/nodejs/undici/issues/4891">#4891</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/3a05a4f7dfe4257417821d4ae9da8f1f8fd227cb"><code>3a05a4f</code></a> fix fetch path logic (<a href="https://redirect.github.com/nodejs/undici/issues/4890">#4890</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/23e3cd362ba6beb3988e6a9a63000336dd219591"><code>23e3cd3</code></a> Bumped v7.24.1</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.11.0...v7.24.4">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for undici since your current version.</p> </details> <br /> Updates `undici` from 6.21.2 to 6.24.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.24.4</h2> <h2>What's Changed</h2> <ul> <li>fix(fetch): handle URL credentials in dispatch path extraction by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4892">nodejs/undici#4892</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4">https://github.com/nodejs/undici/compare/v7.24.3...v7.24.4</a></p> <h2>v7.24.3</h2> <h2>What's Changed</h2> <ul> <li>fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by <a href="https://github.com/hxinhan"><code>@​hxinhan</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4881">nodejs/undici#4881</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3">https://github.com/nodejs/undici/compare/v7.24.2...v7.24.3</a></p> <h2>v7.24.2</h2> <h2>What's Changed</h2> <ul> <li>fix fetch path logic by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4890">nodejs/undici#4890</a></li> <li>remove maxDecompressedMessageSize by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4891">nodejs/undici#4891</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2">https://github.com/nodejs/undici/compare/v7.24.1...v7.24.2</a></p> <h2>v7.24.1</h2> <h2>What's Changed</h2> <ul> <li>fix: <strong>proto</strong> pollution by <a href="https://github.com/rahulyadav5524"><code>@​rahulyadav5524</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4885">nodejs/undici#4885</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1">https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1</a></p> <h2>v7.24.0</h2> <h1>Undici v7.24.0 Security Release Notes</h1> <p>This release addresses multiple security vulnerabilities in Undici.</p> <h2>Upgrade guidance</h2> <p>All users on v7 should upgrade to <strong>v7.24.0</strong> or later.</p> <h2>Fixed advisories</h2> <ul> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm">GHSA-2mjp-6q6p-2qxm</a> / CVE-2026-1525 (Medium)<br /> Inconsistent interpretation of HTTP requests (request/response smuggling class issue).</p> </li> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj">GHSA-f269-vfmq-vjvj</a> / CVE-2026-1528 (High)<br /> Malicious WebSocket 64-bit frame length handling could crash the client.</p> </li> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h">GHSA-phc3-fgpg-7m6h</a> / CVE-2026-2581 (Medium)<br /> Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).</p> </li> <li> <p><a href="https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq">GHSA-4992-7rv2-5pvq</a> / CVE-2026-1527 (Medium)</p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/4991f3e1fbb93c8243fe072a69b08c47fd5d0e24"><code>4991f3e</code></a> Bumped v7.24.4</li> <li><a href="https://github.com/nodejs/undici/commit/ea3a06d76e1b0b3e23c77ead15836474906fd635"><code>ea3a06d</code></a> fix(fetch): preserve path for credentialed URLs (<a href="https://redirect.github.com/nodejs/undici/issues/4892">#4892</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/9b96516c266ddf37f658179448a1a19479d8c204"><code>9b96516</code></a> Bumped v7.24.3</li> <li><a href="https://github.com/nodejs/undici/commit/79266603db63492826382375a504c580d86845c8"><code>7926660</code></a> Ignore .githuman</li> <li><a href="https://github.com/nodejs/undici/commit/9eaa5af23e8be069556af812a982bc7d59932bb7"><code>9eaa5af</code></a> fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...</li> <li><a href="https://github.com/nodejs/undici/commit/a9bfe210b093366a5d11ce5315e56adbadfbb78d"><code>a9bfe21</code></a> ignore .pi</li> <li><a href="https://github.com/nodejs/undici/commit/f2e155bb90b79acb6764d5b02d2879462daf0ecd"><code>f2e155b</code></a> Bumped v7.24.2</li> <li><a href="https://github.com/nodejs/undici/commit/4d2d1afd59a8c00002d029775859bde3d47549da"><code>4d2d1af</code></a> remove maxDecompressedMessageSize (<a href="https://redirect.github.com/nodejs/undici/issues/4891">#4891</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/3a05a4f7dfe4257417821d4ae9da8f1f8fd227cb"><code>3a05a4f</code></a> fix fetch path logic (<a href="https://redirect.github.com/nodejs/undici/issues/4890">#4890</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/23e3cd362ba6beb3988e6a9a63000336dd219591"><code>23e3cd3</code></a> Bumped v7.24.1</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.11.0...v7.24.4">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for undici since your current version.</p> </details> <br /> Updates `svelte` from 5.42.2 to 5.53.13 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/svelte/releases">svelte's releases</a>.</em></p> <blockquote> <h2>svelte@5.53.13</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: ensure <code>$inspect</code> after top level await doesn't break builds (<a href="https://redirect.github.com/sveltejs/svelte/pull/17943">#17943</a>)</p> </li> <li> <p>fix: resume inert effects when they come from offscreen (<a href="https://redirect.github.com/sveltejs/svelte/pull/17942">#17942</a>)</p> </li> <li> <p>fix: don't eagerly access not-yet-initialized functions in template (<a href="https://redirect.github.com/sveltejs/svelte/pull/17938">#17938</a>)</p> </li> <li> <p>fix: discard batches made obsolete by commit (<a href="https://redirect.github.com/sveltejs/svelte/pull/17934">#17934</a>)</p> </li> <li> <p>fix: ensure &quot;is standalone child&quot; is correctly reset (<a href="https://redirect.github.com/sveltejs/svelte/pull/17944">#17944</a>)</p> </li> <li> <p>fix: remove nodes in boundary when work is pending and HMR is active (<a href="https://redirect.github.com/sveltejs/svelte/pull/17932">#17932</a>)</p> </li> </ul> <h2>svelte@5.53.12</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: update <code>select.__value</code> on <code>change</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17745">#17745</a>)</p> </li> <li> <p>chore: add <code>invariant</code> helper for debugging (<a href="https://redirect.github.com/sveltejs/svelte/pull/17929">#17929</a>)</p> </li> <li> <p>fix: ensure deriveds values are correct across batches (<a href="https://redirect.github.com/sveltejs/svelte/pull/17917">#17917</a>)</p> </li> <li> <p>fix: handle async RHS in <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17925">#17925</a>)</p> </li> <li> <p>fix: avoid traversing clean roots (<a href="https://redirect.github.com/sveltejs/svelte/pull/17928">#17928</a>)</p> </li> </ul> <h2>svelte@5.53.11</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: remove <code>untrack</code> circular dependency (<a href="https://redirect.github.com/sveltejs/svelte/pull/17910">#17910</a>)</p> </li> <li> <p>fix: recover from errors that leave a corrupted effect tree (<a href="https://redirect.github.com/sveltejs/svelte/pull/17888">#17888</a>)</p> </li> <li> <p>fix: properly lazily evaluate RHS when checking for <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17906">#17906</a>)</p> </li> <li> <p>fix: resolve boundary in correct batch when hydrating (<a href="https://redirect.github.com/sveltejs/svelte/pull/17914">#17914</a>)</p> </li> <li> <p>chore: rebase batches after process, not during (<a href="https://redirect.github.com/sveltejs/svelte/pull/17900">#17900</a>)</p> </li> </ul> <h2>svelte@5.53.10</h2> <h3>Patch Changes</h3> <ul> <li>fix: re-process batch if new root effects were scheduled (<a href="https://redirect.github.com/sveltejs/svelte/pull/17895">#17895</a>)</li> </ul> <h2>svelte@5.53.9</h2> <h3>Patch Changes</h3> <ul> <li>fix: better <code>bind:this</code> cleanup timing (<a href="https://redirect.github.com/sveltejs/svelte/pull/17885">#17885</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/svelte/blob/main/packages/svelte/CHANGELOG.md">svelte's changelog</a>.</em></p> <blockquote> <h2>5.53.13</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: ensure <code>$inspect</code> after top level await doesn't break builds (<a href="https://redirect.github.com/sveltejs/svelte/pull/17943">#17943</a>)</p> </li> <li> <p>fix: resume inert effects when they come from offscreen (<a href="https://redirect.github.com/sveltejs/svelte/pull/17942">#17942</a>)</p> </li> <li> <p>fix: don't eagerly access not-yet-initialized functions in template (<a href="https://redirect.github.com/sveltejs/svelte/pull/17938">#17938</a>)</p> </li> <li> <p>fix: discard batches made obsolete by commit (<a href="https://redirect.github.com/sveltejs/svelte/pull/17934">#17934</a>)</p> </li> <li> <p>fix: ensure &quot;is standalone child&quot; is correctly reset (<a href="https://redirect.github.com/sveltejs/svelte/pull/17944">#17944</a>)</p> </li> <li> <p>fix: remove nodes in boundary when work is pending and HMR is active (<a href="https://redirect.github.com/sveltejs/svelte/pull/17932">#17932</a>)</p> </li> </ul> <h2>5.53.12</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: update <code>select.__value</code> on <code>change</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17745">#17745</a>)</p> </li> <li> <p>chore: add <code>invariant</code> helper for debugging (<a href="https://redirect.github.com/sveltejs/svelte/pull/17929">#17929</a>)</p> </li> <li> <p>fix: ensure deriveds values are correct across batches (<a href="https://redirect.github.com/sveltejs/svelte/pull/17917">#17917</a>)</p> </li> <li> <p>fix: handle async RHS in <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17925">#17925</a>)</p> </li> <li> <p>fix: avoid traversing clean roots (<a href="https://redirect.github.com/sveltejs/svelte/pull/17928">#17928</a>)</p> </li> </ul> <h2>5.53.11</h2> <h3>Patch Changes</h3> <ul> <li> <p>fix: remove <code>untrack</code> circular dependency (<a href="https://redirect.github.com/sveltejs/svelte/pull/17910">#17910</a>)</p> </li> <li> <p>fix: recover from errors that leave a corrupted effect tree (<a href="https://redirect.github.com/sveltejs/svelte/pull/17888">#17888</a>)</p> </li> <li> <p>fix: properly lazily evaluate RHS when checking for <code>assignment_value_stale</code> (<a href="https://redirect.github.com/sveltejs/svelte/pull/17906">#17906</a>)</p> </li> <li> <p>fix: resolve boundary in correct batch when hydrating (<a href="https://redirect.github.com/sveltejs/svelte/pull/17914">#17914</a>)</p> </li> <li> <p>chore: rebase batches after process, not during (<a href="https://redirect.github.com/sveltejs/svelte/pull/17900">#17900</a>)</p> </li> </ul> <h2>5.53.10</h2> <h3>Patch Changes</h3> <ul> <li>fix: re-process batch if new root effects were scheduled (<a href="https://redirect.github.com/sveltejs/svelte/pull/17895">#17895</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/svelte/commit/6a303c3638b351386dfc6523db5def622428ce62"><code>6a303c3</code></a> Version Packages (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17936">#17936</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/f081a6c3b1ca3eade9f870325ebdd892dfa4276f"><code>f081a6c</code></a> fix: resume inert effects when they come from offscreen (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17942">#17942</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/1cd06451aff585a0d654bfd39c1abb7c26c239e2"><code>1cd0645</code></a> fix: remove nodes in boundary when work is pending and HMR is active (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17932">#17932</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/32a48ed174868e6fdf1fd8f078d2e296ed12353a"><code>32a48ed</code></a> fix: don't eagerly access not-yet-initialized functions in template (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17938">#17938</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/b472171de66fe8290b55f28623df3fc0e9f34aae"><code>b472171</code></a> fix: ensure <code>$inspect</code> after top level await doesn't break builds (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17943">#17943</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/d4bd6ad8f3605bed53eb223a3c31769b911d86e1"><code>d4bd6ad</code></a> fix: ensure &quot;is standalone child&quot; is correctly reset (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17944">#17944</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/98e8b635fab10be1d82c593097276af373300a55"><code>98e8b63</code></a> fix: discard batches made obsolete by commit (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17934">#17934</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/8b86bdd82db5d91156b0128e33a16027f2667ac1"><code>8b86bdd</code></a> Version Packages (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17919">#17919</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/dcf4865b22a2ea5ca52549e240a13e628f6b5836"><code>dcf4865</code></a> chore: add &quot;untracked allows writes&quot; test (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17930">#17930</a>)</li> <li><a href="https://github.com/sveltejs/svelte/commit/1ebed6832270b7ae6abf5251d2e659a39687dd13"><code>1ebed68</code></a> fix: avoid traversing clean roots (<a href="https://github.com/sveltejs/svelte/tree/HEAD/packages/svelte/issues/17928">#17928</a>)</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/svelte/commits/svelte@5.53.13/packages/svelte">compare view</a></li> </ul> </details> <br /> Updates `minimatch` from 3.1.2 to 3.1.5 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/isaacs/minimatch/commit/7bba97888a27a6162983056bcce2a6e28f668712"><code>7bba978</code></a> 3.1.5</li> <li><a href="https://github.com/isaacs/minimatch/commit/bd259425b2ca17b42897997f93e890314155522d"><code>bd25942</code></a> docs: add warning about ReDoS</li> <li><a href="https://github.com/isaacs/minimatch/commit/1a9c27c75725474dbde57db2995b6281b267756d"><code>1a9c27c</code></a> fix partial matching of globstar patterns</li> <li><a href="https://github.com/isaacs/minimatch/commit/1a2e084af579731af66c221214e3ca8222c9bf23"><code>1a2e084</code></a> 3.1.4</li> <li><a href="https://github.com/isaacs/minimatch/commit/ae24656237c3d58067442f790ce17eff84463a47"><code>ae24656</code></a> update lockfile</li> <li><a href="https://github.com/isaacs/minimatch/commit/b1003749228b2a79e1f237963a0d559ef7a0941e"><code>b100374</code></a> limit recursion for **, improve perf considerably</li> <li><a href="https://github.com/isaacs/minimatch/commit/26ffeaa091b9f660833e23f42e07165b33e85c13"><code>26ffeaa</code></a> lockfile update</li> <li><a href="https://github.com/isaacs/minimatch/commit/9eca892a4e5dbb20534f9f30483b85cdeee6c2eb"><code>9eca892</code></a> lock node version to 14</li> <li><a href="https://github.com/isaacs/minimatch/commit/00c323b188b704e5d4bc534ecec2268cfa70a32a"><code>00c323b</code></a> 3.1.3</li> <li><a href="https://github.com/isaacs/minimatch/commit/30486b2048929264f44d18822891cfffa02af78b"><code>30486b2</code></a> update CI matrix and actions</li> <li>Additional commits viewable in <a href="https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5">compare view</a></li> </ul> </details> <br /> Updates `devalue` from 5.1.1 to 5.6.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/devalue/releases">devalue's releases</a>.</em></p> <blockquote> <h2>v5.6.4</h2> <h3>Patch Changes</h3> <ul> <li> <p>87c1f3c: fix: reject <code>__proto__</code> keys in malformed <code>Object</code> wrapper payloads</p> <p>This validates the <code>&quot;Object&quot;</code> parse path and throws when the wrapped value has an own <code>__proto__</code> key.</p> </li> <li> <p>40f1db1: fix: ensure sparse array indices are integers</p> </li> <li> <p>87c1f3c: fix: disallow <code>__proto__</code> keys in null-prototype object parsing</p> <p>This disallows <code>__proto__</code> keys in the <code>&quot;null&quot;</code> parse path so null-prototype object hydration cannot carry that key through parse/unflatten.</p> </li> </ul> <h2>v5.6.3</h2> <h3>Patch Changes</h3> <ul> <li>0f04d4d: fix: Properly handle <code>__proto__</code></li> <li>819f1ac: fix: better encoding for sparse arrays</li> </ul> <h2>v5.6.2</h2> <h3>Patch Changes</h3> <ul> <li>1175584: fix: validate input for <code>ArrayBuffer</code> parsing</li> <li>e46afa6: fix: validate input for typed arrays</li> <li>1175584: fix: more helpful errors for inputs causing stack overflows</li> </ul> <h2>v5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>2161d44: fix: add hasOwn check before calling reviver</li> </ul> <h2>v5.6.0</h2> <h3>Minor Changes</h3> <ul> <li>a3d09d4: feat: expose <code>DevalueError</code> for <code>instanceof</code> checks in <code>catch</code> clauses</li> <li>a3d09d4: feat: add <code>value</code> and <code>root</code> properties in <code>DevalueError</code> instances</li> </ul> <h2>v5.5.0</h2> <h3>Minor Changes</h3> <ul> <li>828fa1c: Enable support for custom reducer/reviver for &quot;function&quot; values</li> </ul> <h2>v5.4.2</h2> <h3>Patch Changes</h3> <ul> <li>5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers</li> </ul> <h2>v5.4.1</h2> <h3>Patch Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md">devalue's changelog</a>.</em></p> <blockquote> <h2>5.6.4</h2> <h3>Patch Changes</h3> <ul> <li> <p>87c1f3c: fix: reject <code>__proto__</code> keys in malformed <code>Object</code> wrapper payloads</p> <p>This validates the <code>&quot;Object&quot;</code> parse path and throws when the wrapped value has an own <code>__proto__</code> key.</p> </li> <li> <p>40f1db1: fix: ensure sparse array indices are integers</p> </li> <li> <p>87c1f3c: fix: disallow <code>__proto__</code> keys in null-prototype object parsing</p> <p>This disallows <code>__proto__</code> keys in the <code>&quot;null&quot;</code> parse path so null-prototype object hydration cannot carry that key through parse/unflatten.</p> </li> </ul> <h2>5.6.3</h2> <h3>Patch Changes</h3> <ul> <li>0f04d4d: fix: Properly handle <code>__proto__</code></li> <li>819f1ac: fix: better encoding for sparse arrays</li> </ul> <h2>5.6.2</h2> <h3>Patch Changes</h3> <ul> <li>1175584: fix: validate input for <code>ArrayBuffer</code> parsing</li> <li>e46afa6: fix: validate input for typed arrays</li> <li>1175584: fix: more helpful errors for inputs causing stack overflows</li> </ul> <h2>5.6.1</h2> <h3>Patch Changes</h3> <ul> <li>2161d44: fix: add hasOwn check before calling reviver</li> </ul> <h2>5.6.0</h2> <h3>Minor Changes</h3> <ul> <li>a3d09d4: feat: expose <code>DevalueError</code> for <code>instanceof</code> checks in <code>catch</code> clauses</li> <li>a3d09d4: feat: add <code>value</code> and <code>root</code> properties in <code>DevalueError</code> instances</li> </ul> <h2>5.5.0</h2> <h3>Minor Changes</h3> <ul> <li>828fa1c: Enable support for custom reducer/reviver for &quot;function&quot; values</li> </ul> <h2>5.4.2</h2> <h3>Patch Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/devalue/commit/6cbb3f51258e01d7769e2b3d77b6ce9ed060804b"><code>6cbb3f5</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/133">#133</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/40f1db13afdd65c8e2ebd02f684276c273ef81b0"><code>40f1db1</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/87c1f3ce3759765a061cfe34843ecc4b0711ba8d"><code>87c1f3c</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/a4a37d208a4d1bdd0d58c82e5644c87cab855259"><code>a4a37d2</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/132">#132</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/819f1ac7475ab37547645cfb09bf2f678a799cf0"><code>819f1ac</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/0f04d4d678eac39ad5d7a07d1956275d7874e81c"><code>0f04d4d</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/fcf4e88275f2e2e45b9ea70ffaa5247c8f55f057"><code>fcf4e88</code></a> fix tests</li> <li><a href="https://github.com/sveltejs/devalue/commit/1d8a5ea5863bcd9992755ce5a3842265753cb4ab"><code>1d8a5ea</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/131">#131</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4"><code>1175584</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7"><code>e46afa6</code></a> Merge commit from fork</li> <li>Additional commits viewable in <a href="https://github.com/sveltejs/devalue/compare/v5.1.1...v5.6.4">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for devalue since your current version.</p> </details> <br /> Updates `immutable` from 5.0.3 to 5.1.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/immutable-js/immutable-js/releases">immutable's releases</a>.</em></p> <blockquote> <h2>v5.1.5</h2> <h2>What's Changed</h2> <ul> <li>Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable</li> <li>Upgrade devtools and use immutable version by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2158">immutable-js/immutable-js#2158</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/immutable-js/immutable-js/compare/v5.1.4...v5.1.5">https://github.com/immutable-js/immutable-js/compare/v5.1.4...v5.1.5</a></p> <h2>v5.1.4</h2> <h2>What's Changed</h2> <ul> <li>Migrate some files to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2125">immutable-js/immutable-js#2125</a> <ul> <li>Iterator.ts</li> <li>PairSorting.ts</li> <li>toJS.ts</li> <li>Math.ts</li> <li>Hash.ts</li> </ul> </li> <li>Extract CollectionHelperMethods and convert to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2131">immutable-js/immutable-js#2131</a></li> <li>Use npm <a href="https://docs.npmjs.com/trusted-publishers">trusted publishing only</a> to avoid token stealing.</li> </ul> <h3>Documentation</h3> <ul> <li>Fix/a11y issues by <a href="https://github.com/lyannel"><code>@​lyannel</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2136">immutable-js/immutable-js#2136</a></li> <li>Doc add Map.get signature update by <a href="https://github.com/borracciaBlu"><code>@​borracciaBlu</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2138">immutable-js/immutable-js#2138</a></li> <li>fix(doc):minor-issues#2132 by <a href="https://github.com/JayMeDotDot"><code>@​JayMeDotDot</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2133">immutable-js/immutable-js#2133</a></li> <li>Fix algolia search by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2135">immutable-js/immutable-js#2135</a></li> <li>Typo in OrderedMap by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2144">immutable-js/immutable-js#2144</a></li> </ul> <h3>Internal</h3> <ul> <li>chore: Sort all imports and activate eslint import rule by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2119">immutable-js/immutable-js#2119</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/JayMeDotDot"><code>@​JayMeDotDot</code></a> made their first contribution in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2133">immutable-js/immutable-js#2133</a></li> <li><a href="https://github.com/lyannel"><code>@​lyannel</code></a> made their first contribution in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2136">immutable-js/immutable-js#2136</a></li> <li><a href="https://github.com/borracciaBlu"><code>@​borracciaBlu</code></a> made their first contribution in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2138">immutable-js/immutable-js#2138</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/immutable-js/immutable-js/compare/v5.1.3...v5.1.4">https://github.com/immutable-js/immutable-js/compare/v5.1.3...v5.1.4</a></p> <h2>v5.1.3</h2> <h2>What's Changed</h2> <h3>TypeScript</h3> <ul> <li>fix: allow readonly map entry constructor by <a href="https://github.com/septs"><code>@​septs</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2123">immutable-js/immutable-js#2123</a></li> </ul> <h3>Documentation</h3> <p>There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples.</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md">immutable's changelog</a>.</em></p> <blockquote> <h2>5.1.5</h2> <ul> <li>Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable</li> </ul> <h2>5.1.4</h2> <ul> <li>Migrate some files to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2125">immutable-js/immutable-js#2125</a> <ul> <li>Iterator.ts</li> <li>PairSorting.ts</li> <li>toJS.ts</li> <li>Math.ts</li> <li>Hash.ts</li> </ul> </li> <li>Extract CollectionHelperMethods and convert to TS by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2131">immutable-js/immutable-js#2131</a></li> <li>Use npm <a href="https://docs.npmjs.com/trusted-publishers">trusted publishing only</a> to avoid token stealing.</li> </ul> <h3>Documentation</h3> <ul> <li>Fix/a11y issues by <a href="https://github.com/lyannel"><code>@​lyannel</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2136">immutable-js/immutable-js#2136</a></li> <li>Doc add Map.get signature update by <a href="https://github.com/borracciaBlu"><code>@​borracciaBlu</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2138">immutable-js/immutable-js#2138</a></li> <li>fix(doc):minor-issues#2132 by <a href="https://github.com/JayMeDotDot"><code>@​JayMeDotDot</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2133">immutable-js/immutable-js#2133</a></li> <li>Fix algolia search by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2135">immutable-js/immutable-js#2135</a></li> <li>Typo in OrderedMap by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2144">immutable-js/immutable-js#2144</a></li> </ul> <h3>Internal</h3> <ul> <li>chore: Sort all imports and activate eslint import rule by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2119">immutable-js/immutable-js#2119</a></li> </ul> <h2>5.1.3</h2> <h3>TypeScript</h3> <ul> <li>fix: allow readonly map entry constructor by <a href="https://github.com/septs"><code>@​septs</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2123">immutable-js/immutable-js#2123</a></li> </ul> <h3>Documentation</h3> <p>There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: <a href="https://immutable-js.com/browser-extension/">https://immutable-js.com/browser-extension/</a></p> <h3>Internal</h3> <ul> <li>replace rimraf by a node script by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2113">immutable-js/immutable-js#2113</a></li> <li>remove warning for tseslint config by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2114">immutable-js/immutable-js#2114</a></li> <li>Use default tsconfig for tests by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2055">immutable-js/immutable-js#2055</a></li> <li>add tests for arrCopy by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a> in <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2120">immutable-js/immutable-js#2120</a></li> </ul> <h2>5.1.2</h2> <ul> <li>Revert previous assertion as it introduced a regression <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2102">#2102</a> by <a href="https://github.com/giggo1604"><code>@​giggo1604</code></a></li> <li>Merge should work with empty record <a href="https://redirect.github.com/immutable-js/immutable-js/pull/2103">#2103</a> by <a href="https://github.com/jdeniau"><code>@​jdeniau</code></a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/immutable-js/immutable-js/commit/b37b85568632227751ddc8a16034cacc0f42b652"><code>b37b855</code></a> 5.1.5</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/16b3313fdf2c5f579f10799e22869f6909abf945"><code>16b3313</code></a> Merge commit from fork</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/fd2ef4977ee654c5bf26368dbf2f983c8d679bd6"><code>fd2ef49</code></a> fix new proto key injection</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/6734b7b2af7e9dadf517eb9473cc64d2dfe2e301"><code>6734b7b</code></a> fix Prototype Pollution in mergeDeep, toJS, etc.</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/6f772de1e44dcde14128e48d19081a7a077f2162"><code>6f772de</code></a> Merge pull request <a href="https://redirect.github.com/immutable-js/immutable-js/issues/2175">#2175</a> from immutable-js/dependabot/npm_and_yarn/rollup-4.59.0</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/5f3dc61fd0e231654f04a850b8764e7e864c54b3"><code>5f3dc61</code></a> Bump rollup from 4.34.8 to 4.59.0</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/049a594410962c13dfd0f2d0bf0ef2154271079e"><code>049a594</code></a> Merge pull request <a href="https://redirect.github.com/immutable-js/immutable-js/issues/2173">#2173</a> from immutable-js/dependabot/npm_and_yarn/lodash-4.1...</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/2481a77331122eea4ace8afd4842042c6ae7510c"><code>2481a77</code></a> Merge pull request <a href="https://redirect.github.com/immutable-js/immutable-js/issues/2172">#2172</a> from mrazauskas/update-tstyche</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/eb047790b44dac8e5ace49529a5c9928edfc8e12"><code>eb04779</code></a> Bump lodash from 4.17.21 to 4.17.23</li> <li><a href="https://github.com/immutable-js/immutable-js/commit/b973bf3b6242c9966143169825e1e14248c07c31"><code>b973bf3</code></a> format</li> <li>Additional commits viewable in <a href="https://github.com/immutable-js/immutable-js/compare/v5.0.3...v5.1.5">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for immutable since your current version.</p> </details> <br /> Updates `js-yaml` from 4.1.0 to 4.1.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md">js-yaml's changelog</a>.</em></p> <blockquote> <h2>[4.1.1] - 2025-11-12</h2> <h3>Security</h3> <ul> <li>Fix prototype pollution issue in yaml merge (&lt;&lt;) operator.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodeca/js-yaml/commit/cc482e775913e6625137572a3712d2826170e53a"><code>cc482e7</code></a> 4.1.1 released</li> <li><a href="https://github.com/nodeca/js-yaml/commit/50968b862e75866ef90e626572fe0b2f97b55f9f"><code>50968b8</code></a> dist rebuild</li> <li><a href="https://github.com/nodeca/js-yaml/commit/d092d866031751cb27c12d93f3e2470ad74d678b"><code>d092d86</code></a> lint fix</li> <li><a href="https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879"><code>383665f</code></a> fix prototype pollution in merge (&lt;&lt;)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/0d3ca7a27b03a6c974790a30a89e456007d62976"><code>0d3ca7a</code></a> README.md: HTTP =&gt; HTTPS (<a href="https://redirect.github.com/nodeca/js-yaml/issues/678">#678</a>)</li> <li><a href="https://github.com/nodeca/js-yaml/commit/49baadd52af887d2991e2c39a6639baa56d6c71b"><code>49baadd</code></a> doc: 'empty' style option for !!null</li> <li><a href="https://github.com/nodeca/js-yaml/commit/ba3460eb9d3e4478edcbc29edabe17c2157fc9ce"><code>ba3460e</code></a> Fix demo link (<a href="https://redirect.github.com/nodeca/js-yaml/issues/618">#618</a>)</li> <li>See full diff in <a href="https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1">compare view</a></li> </ul> </details> <br /> Updates `markdown-it` from 14.1.0 to 14.1.1 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md">markdown-it's changelog</a>.</em></p> <blockquote> <h2>[14.1.1] - 2026-01-11</h2> <h3>Security</h3> <ul> <li>Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to <a href="https://github.com/ltduc147"><code>@​ltduc147</code></a> for report.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/markdown-it/markdown-it/commit/b4a9b659ef5734223731cfaa3ad5eacc6fc22918"><code>b4a9b65</code></a> 14.1.1 released</li> <li><a href="https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26"><code>4b4bbca</code></a> Fixed perf regression in linkify-it wrapper</li> <li><a href="https://github.com/markdown-it/markdown-it/commit/d2782d892a51201b25d3eeab172201ad5a53a24c"><code>d2782d8</code></a> Add supplementary example-driven documentation (<a href="https://redirect.github.com/markdown-it/markdown-it/issues/1092">#1092</a>)</li> <li>See full diff in <a href="https://github.com/markdown-it/markdown-it/compare/14.1.0...14.1.1">compare view</a></li> </ul> </details> <br /> Updates `qs` from 6.13.0 to 6.14.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.2</strong></h2> <ul> <li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href="https://redirect.github.com/ljharb/qs/issues/546">#546</a>)</li> <li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li> <li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when <code>throwOnLimitExceeded</code> is true (<a href="https://redirect.github.com/ljharb/qs/issues/529">#529</a>)</li> <li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href="https://redirect.github.com/ljharb/qs/issues/545">#545</a>)</li> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>[actions] fix rebase workflow permissions</li> </ul> <h2><strong>6.14.1</strong></h2> <ul> <li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code> notation as well</li> <li>[Fix] <code>parse</code>: when a custom decoder returns <code>null</code> for a key, ignore that key</li> <li>[Refactor] <code>parse</code>: extract key segment splitting helper</li> <li>[meta] add threat model</li> <li>[actions] add workflow permissions</li> <li>[Tests] <code>stringify</code>: increase coverage</li> <li>[Dev Deps] update <code>eslint</code>, <code>@ljharb/eslint-config</code>, <code>npmignore</code>, <code>es-value-fixtures</code>, <code>for-each</code>, <code>object-inspect</code></li> </ul> <h2><strong>6.14.0</strong></h2> <ul> <li>[New] <code>parse</code>: add <code>throwOnParameterLimitExceeded</code> option (<a href="https://redirect.github.com/ljharb/qs/issues/517">#517</a>)</li> <li>[Refactor] <code>parse</code>: use <code>utils.combine</code> more</li> <li>[patch] <code>parse</code>: add explicit <code>throwOnLimitExceeded</code> default</li> <li>[actions] use shared action; re-add finishers</li> <li>[meta] Fix changelog formatting bug</li> <li>[Deps] update <code>side-channel</code></li> <li>[Dev Deps] update <code>es-value-fixtures</code>, <code>has-bigints</code>, <code>has-proto</code>, <code>has-symbols</code></li> <li>[Tests] increase coverage</li> </ul> <h2><strong>6.13.3</strong></h2> <p>[Fix] fix regressions from robustness refactor [actions] update reusable workflows</p> <h2><strong>6.13.2</strong></h2> <ul> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[actions] fix rebase workflow permissions</li> </ul> <h2><strong>6.13.1</strong></h2> <ul> <li>[Fix] <code>stringify</code>: avoid a crash when a <code>filter</code> key is <code>null</code></li> <li>[Fix] <code>utils.merge</code>: functions should not be stringified into keys</li> <li>[Fix] <code>parse</code>: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset</li> <li>[Fix] <code>stringify</code>: ensure a non-string <code>filter</code> does not crash</li> <li>[Refactor] use <code>__proto__</code> syntax instead of <code>Object.create</code> for null objects</li> <li>[Refactor] misc cleanup</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/bdcf0c7f82387c18ac8fabfccd2f440645cef47b"><code>bdcf0c7</code></a> v6.14.2</li> <li><a href="https://github.com/ljharb/qs/commit/294db90c812ddbe7d7a35d5687c505fd21a2d6a2"><code>294db90</code></a> [readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output</li> <li><a href="https://github.com/ljharb/qs/commit/5c308e5516c270a78caa6f278465914090f91ec6"><code>5c308e5</code></a> [readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation</li> <li><a href="https://github.com/ljharb/qs/commit/6addf8cf738d529c54d91f6f3ffb6c1be91bbfdc"><code>6addf8c</code></a> [Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code></li> <li><a href="https://github.com/ljharb/qs/commit/cfc108f662326d6ab540f3545ef0b832baf83cdf"><code>cfc108f</code></a> [Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/`pars...</li> <li><a href="https://github.com/ljharb/qs/commit/febb64442a80e49200211fa38d3c96b58024ac77"><code>febb644</code></a> [Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when `thr...</li> <li><a href="https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482"><code>f6a7abf</code></a> [Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li><a href="https://github.com/ljharb/qs/commit/fbc5206c25b4d1851cea683f02c10756c521d15a"><code>fbc5206</code></a> [Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove e...</li> <li><a href="https://github.com/ljharb/qs/commit/1b9a8b4e78c6aff4c22fa559107227f02fd0216a"><code>1b9a8b4</code></a> [actions] fix rebase workflow permissions</li> <li><a href="https://github.com/ljharb/qs/commit/2a35775614e0fb46ac8a3060201a32a7c23a7fda"><code>2a35775</code></a> [meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.13.0...v6.14.2">compare view</a></li> </ul> </details> <br /> Updates `rollup` from 4.22.4 to 4.59.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rollup/rollup/releases">rollup's releases</a>.</em></p> <blockquote> <h2>v4.59.0</h2> <h2>4.59.0</h2> <p><em>2026-02-22</em></p> <h3>Features</h3> <ul> <li>Throw when the generated bundle contains paths that would leave the output directory (<a href="https://redirect.github.com/rollup/rollup/issues/6276">#6276</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6275">#6275</a>: Validate bundle stays within output dir (<a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> </ul> <h2>v4.58.0</h2> <h2>4.58.0</h2> <p><em>2026-02-20</em></p> <h3>Features</h3> <ul> <li>Also support <code>__NO_SIDE_EFFECTS__</code> annotation before variable declarations declaring function expressions (<a href="https://redirect.github.com/rollup/rollup/issues/6272">#6272</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6256">#6256</a>: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (<a href="https://github.com/njg7194"><code>@​njg7194</code></a>, <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6259">#6259</a>: docs: Correct typo and improve sentence structure in docs for <code>output.experimentalMinChunkSize</code> (<a href="https://github.com/millerick"><code>@​millerick</code></a>, <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6260">#6260</a>: fix(deps): update rust crate swc_compiler_base to v47 (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6261">#6261</a>: fix(deps): lock file maintenance minor/patch updates (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6262">#6262</a>: Avoid unnecessary cloning of the code string (<a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6263">#6263</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6265">#6265</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6267">#6267</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6268">#6268</a>: chore(deps): update dependency eslint-plugin-unicorn to v63 (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6269">#6269</a>: chore(deps): update dependency lru-cache to v11 (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6270">#6270</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@​renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6272">#6272</a>: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (<a href="https://github.com/lukastaegert"><code>@​lukastaegert</code></a>)</li> </ul> <h2>v4.57.1</h2> <h2>4.57.1</h2> <p><em>2026-01-30</em></p> <h3>Bug Fixes</h3> <ul> <li>Fix heap corruption issue in Windows (<a href="https://redirect.github.com/rollup/rollup/issues/6251">#6251</a>)</li> <li>Ensure exports of a dynamic import are fully included when called from a try...catch (<a href="https://redirect.github.com/rollup/rollup/issues/6254">#6254</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6251">#6251</a>: fix: Isolat... _Description has been truncated_ --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-30 02:19:48 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#49904