Update All by renovate[bot] · Pull Request #21 · LuminescentDev/luminescent.dev

renovate · 2023-06-17T00:20:38Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@builder.io/qwik (source)	`1.19.1` → `1.20.0`
@builder.io/qwik-city (source)	`1.19.1` → `1.20.0`
@cloudflare/workers-types	`4.20260310.1` → `4.20260629.1`
@types/node (source)	`25.4.0` → `25.9.4`
eslint-plugin-qwik (source)	`1.19.1` → `1.20.0`
globals	`17.4.0` → `17.7.0`
typescript (source)	`5.8.3` → `5.9.3`
undici (source)	`7.22.0` → `7.28.0`
vite (source)	`7.3.1` → `7.3.6`
wrangler (source)	`4.71.0` → `4.105.0`

Release Notes

QwikDev/qwik (@builder.io/qwik)

`v1.20.0`

Compare Source

`v1.19.2`

Compare Source

Patch Changes

🐞🩹 type casts to bridge Rollup vs Rolldown type differences without changing runtime behavior (by @gioboa in #8405)

QwikDev/qwik (@builder.io/qwik-city)

`v1.20.0`

Compare Source

Minor Changes

🐞🩹 The server plugins were not actually sorted and were relying on directory traversal order. Now they are explicitly sorted by ascending name. (by @wmertens in #8568)

Patch Changes

🐞🩹 include route bundles when their matching origin is not the first manifest origin (by @Varixo in #8455)
🐞🩹 Bun and Deno request URL normalization to prevent protocol-relative paths from overriding the configured origin (by @Varixo in #8463)
✨ getRequestEvent() provides the current request event; used in the starter templates for providing better diagnostics in uncaught exceptions (by @wmertens in #8655)

`v1.19.2`

Compare Source

Patch Changes

🐞🩹 When a form POST is done, keys like "name.1" mean it's an array. However, later keys could be strings like "name.value". Now, we check if all the keys are numbers, otherwise we make an object instead of an array. This allows for more correct form data handling. (by @wmertens in #8424)
🐞🩹 handle special characters in dynamic route (by @gioboa in #8400)

cloudflare/workerd (@cloudflare/workers-types)

QwikDev/qwik (eslint-plugin-qwik)

`v1.20.0`

Compare Source

`v1.19.2`

Compare Source

sindresorhus/globals (globals)

`v17.7.0`

Compare Source

`v17.6.0`

Compare Source

Update globals (2026-05-01) (#343) 00a4dd9

`v17.5.0`

Compare Source

Update globals (2026-04-12) (#342) 5d84602

microsoft/TypeScript (typescript)

`v5.9.3`: TypeScript 5.9.3

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

fixed issues query for Typescript 5.9.0 (Beta).
fixed issues query for Typescript 5.9.1 (RC).
No specific changes for TypeScript 5.9.2 (Stable)
fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

npm

`v5.9.2`: TypeScript 5.9

Compare Source

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

fixed issues query for Typescript 5.9.0 (Beta).
fixed issues query for Typescript 5.9.1 (RC).
No specific changes for TypeScript 5.9.2 (Stable)

Downloads are available on:

npm

nodejs/undici (undici)

`v7.28.0`

Compare Source

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.
npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is
an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the
earlier 7.2x line — the vulnerable single-pool code was still present through
v7.27.2. The per-origin pool fix is
3805b8f8 (#5041).

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	7.28.0	`8cb10f98`
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	7.28.0	`04201f89`
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	7.28.0	`3805b8f8`
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	7.28.0	`85a24055`
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	7.28.0	`d0574cc4`
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	7.28.0	`d0574cc4`
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	7.28.0	`ea8930cf`

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.

Affected: applications using new WebSocket(...) or WebSocketStream
against untrusted endpoints.
Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295
Fix: 04201f89 fix: honor requestTls when proxy is SOCKS5 (#5417)

The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.

Affected: ProxyAgent / Socks5ProxyAgent over SOCKS5 that rely on
requestTls.
Workaround: route traffic through an HTTP-proxy ProxyAgent, where
requestTls functions correctly.

Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734

GHSA-hm92-r4w5-c3mj · CWE-346
Fix: 3805b8f8 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#5041)

Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.

Affected: applications using Socks5ProxyAgent across multiple origins
(introduced in 7.23.0 via #4385).
Workaround: use a separate agent instance per origin.

Moderate severity

Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678

GHSA-pr7r-676h-xcf6 · CWE-524
Fix: 85a24055 fix(cache): trim qualified field names

The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.

Affected: apps using the cache interceptor in shared mode that forward
Authorization upstream and receive non-canonical qualified directives.
Workaround: disable shared-cache mode for authenticated traffic, avoid
caching authenticated responses, or add Vary: Authorization upstream.

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

GHSA-p88m-4jfj-68fv · CWE-93
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly

parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#3789.

Workaround: sanitize values before forwarding — strip or reject CR, LF,
NUL, ;, and =.

Low severity

Set-Cookie SameSite attribute downgrade — CVE-2026-11525

GHSA-g8m3-5g58-fq7m · CWE-183
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly

The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733

GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: ea8930cf fix: guard idle socket validation to skip fresh sockets, hardened by 8e4046e4 keep idle validation on native timers (#5402) and 0fa80869 keep idle validation on global timers (#5409)

An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.

Requirements: attacker-controlled/compromised upstream and active
keep-alive reuse.
Workaround: disable keep-alive reuse with keepAliveTimeout: 0 on the
Client or Pool.

Release contents & deliberate backports

v7.28.0 is a security-only release — every change in it is one of the fixes
above, backported to the v7.x maintenance line on purpose from the v8
development line:

#5423 — backport of the WebSocket maxPayloadSize fragment-count / cumulative-size limits (CVE-2026-12151).
#5402 & #5409 — backport of the idle-validation hardening (native + global timers) for the queue-poisoning fix (CVE-2026-6733).
#5417 — requestTls over SOCKS5 fix (CVE-2026-9697).

The cookie (d0574cc4),
cache (85a24055) and
queue-poisoning core (ea8930cf)
fixes were applied directly to the v7.x branch. Full changelog:
v7.27.2...v7.28.0.

Credits

Per-advisory credits (as recorded in each GHSA):

CVE-2026-12151 — reported by @lpinca & @Nadav0077; reviewed by @UlisesGascon.
CVE-2026-9697 — reported by @tonghuaroot; reviewed by @UlisesGascon.
CVE-2026-6734 — reported by @ChALkeR; reviewed by @mcollina; verified by @UlisesGascon.
CVE-2026-9678 — fixed by @mcollina; reviewed by @UlisesGascon.
CVE-2026-9679 — reported by @tndud042713; fixed by @mcollina; reviewed by @KhafraDev & @UlisesGascon.
CVE-2026-11525 — fixed by @mcollina; reviewed by @UlisesGascon.
CVE-2026-6733 — fixed by @mcollina; verified by @UlisesGascon.

`v7.27.2`

Compare Source

What's Changed

fix: use legacy global dispatcher in v7 by @mcollina in #5368

Full Changelog: nodejs/undici@v7.27.1...v7.27.2

`v7.27.1`

Compare Source

What's Changed

fix: preserve raw headers in dispatch handler bridge by @mcollina in #5345

Full Changelog: nodejs/undici@v7.27.0...v7.27.1

`v7.27.0`

Compare Source

What's Changed

[7.x] fix: support Node 26 and legacy global dispatcher by @mcollina in #5319

Full Changelog: nodejs/undici@v7.26.0...v7.27.0

`v7.26.0`

Compare Source

What's Changed

fix: backport safe main fixes to v7.x by @mcollina in #5136
fix: validate EOF for chunked h1 responses by @mcollina in #5307

Full Changelog: nodejs/undici@v7.25.0...v7.26.0

`v7.25.0`

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

`v7.24.8`

Compare Source

What's Changed

fix: backport 401 stream-backed body fix to v7.x by @mcollina in #5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

`v7.24.7`

Compare Source

What's Changed

docs: update broken links in file "Dispatcher.md" by @samuel871211 in #4924
doc: remove unused parameter redirectionLimitReached by @samuel871211 in #4933
test: skip flaky macOS Node 20 cookie fetch cases by @mcollina in #4932
fix(types): align Response with DOM fetch types by @theamodhshetty in #4867
fix(types): Fix clone method type declaration to be an instance method rather than instance property by @mistval in #4925
test: skip IPv6 tests when IPv6 is not available by @mcollina in #4939
fix: correctly handle multi-value rawHeaders in fetch by @mcollina in #4938
ignore AGENTS.md by @mcollina in #4942

New Contributors

@samuel871211 made their first contribution in #4924
@mistval made their first contribution in #4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

`v7.24.6`

Compare Source

What's Changed

fix(test): client wasm compatible with clang 22 by [@rozzilla](htt

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

cloudflare-workers-and-pages · 2023-06-17T00:21:50Z

Deploying luminescent with Cloudflare Pages

Latest commit:	`b054b19`
Status:	🚫 Build failed.

View logs

cloudflare-workers-and-pages · 2025-02-21T01:46:18Z

Deploying luminescent with Cloudflare Pages

Latest commit:	`afc4c70`
Status:	🚫 Build failed.

View logs

renovate Bot force-pushed the renovate/all branch 8 times, most recently from 2c272a1 to 6575368 Compare July 3, 2023 11:11

renovate Bot force-pushed the renovate/all branch 9 times, most recently from 29eaf61 to c538baf Compare July 11, 2023 15:45

renovate Bot changed the title ~~Update All~~ Update All - autoclosed Jul 13, 2023

renovate Bot closed this Jul 13, 2023

renovate Bot deleted the renovate/all branch July 13, 2023 07:43

renovate Bot changed the title ~~Update All - autoclosed~~ Update All Jul 13, 2023

renovate Bot reopened this Jul 13, 2023

renovate Bot restored the renovate/all branch July 13, 2023 17:40

renovate Bot changed the title ~~Update All~~ Update dependency tailwindcss to v3.3.3 Jul 13, 2023

renovate Bot changed the title ~~Update dependency tailwindcss to v3.3.3~~ Update All Jul 13, 2023

renovate Bot force-pushed the renovate/all branch 2 times, most recently from 1a4bf49 to 99fec2b Compare July 14, 2023 17:05

renovate Bot changed the title ~~Update All~~ Update All - autoclosed Jul 16, 2023

renovate Bot closed this Jul 16, 2023

renovate Bot force-pushed the renovate/all branch 4 times, most recently from 0d56aba to b083fb1 Compare August 7, 2023 10:52

renovate Bot force-pushed the renovate/all branch 5 times, most recently from f65935c to c28590a Compare August 15, 2023 23:18

renovate Bot force-pushed the renovate/all branch from c28590a to 02c7c8a Compare August 16, 2023 18:08

renovate Bot changed the title ~~Update All~~ Update All - autoclosed Aug 22, 2023

renovate Bot closed this Aug 22, 2023

renovate Bot deleted the renovate/all branch August 22, 2023 10:31

renovate Bot changed the title ~~Update All - autoclosed~~ Update All Aug 22, 2023

renovate Bot reopened this Aug 22, 2023

renovate Bot restored the renovate/all branch August 22, 2023 10:38

renovate Bot changed the title ~~Update All~~ Update dependency eslint to v8.47.0 Aug 22, 2023

renovate Bot force-pushed the renovate/all branch from 02c7c8a to ddeb64b Compare August 22, 2023 10:38

renovate Bot changed the title ~~Update dependency eslint to v8.47.0~~ Update All Aug 23, 2023

renovate Bot force-pushed the renovate/all branch 5 times, most recently from 9bf263e to 95977a1 Compare August 29, 2023 19:03

renovate Bot force-pushed the renovate/all branch 3 times, most recently from 64ce6f9 to e3963c3 Compare September 9, 2023 19:36

renovate Bot changed the title ~~Update All~~ Update dependency eslint to v8.49.0 Sep 10, 2023

Update All

975efdc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update All#21

Update All#21
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/all

renovate Bot commented Jun 17, 2023 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages Bot commented Jun 17, 2023 •

edited

Loading

Uh oh!

cloudflare-workers-and-pages Bot commented Feb 21, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

renovate Bot commented Jun 17, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Patch Changes

Minor Changes

Patch Changes

Patch Changes

v5.9.3: TypeScript 5.9.3

v5.9.2: TypeScript 5.9

⚠️ Security Release

Summary

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734

Moderate severity

Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

Low severity

Set-Cookie SameSite attribute downgrade — CVE-2026-11525

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733

Release contents & deliberate backports

Credits

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

New Contributors

What's Changed

Configuration

Uh oh!

renovate Bot commented Jun 17, 2023 •

edited

Loading

`v5.9.3`: TypeScript 5.9.3

`v5.9.2`: TypeScript 5.9