Bump the npm_and_yarn group across 12 directories with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
esbuild	0.25.8	0.28.1
tmp	0.2.5	0.2.7
yeoman-environment	4.4.3	6.0.1
form-data	2.3.3	2.5.6
aws-sdk	2.1692.0	2.1693.0
@xmldom/xmldom	0.8.11	0.8.13
vitest	3.2.4	3.2.6

Bumps the npm_and_yarn group with 1 update in the /example-apps/basic-auth-typescript directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /example-apps/custom-auth-typescript directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /example-apps/digest-auth-typescript directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /example-apps/files directory: form-data.
Bumps the npm_and_yarn group with 1 update in the /example-apps/oauth1-trello-typescript directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /example-apps/oauth2-typescript directory: vitest.
Bumps the npm_and_yarn group with 1 update in the /example-apps/onedrive directory: lodash.
Bumps the npm_and_yarn group with 1 update in the /example-apps/session-auth-typescript directory: vitest.
Bumps the npm_and_yarn group with 3 updates in the /packages/cli directory: esbuild, tmp and yeoman-environment.
Bumps the npm_and_yarn group with 1 update in the /packages/core directory: form-data.
Bumps the npm_and_yarn group with 2 updates in the /packages/legacy-scripting-runner directory: form-data and @xmldom/xmldom.

Updates esbuild from 0.25.8 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

• Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  // Old output (with --minify)
  new Resource().activate();
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#4461, #4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  // Old output
  new foo()bar();
  new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }

... (truncated)

Commits

• bb9db84 publish 0.28.1 to npm
• 9ff053e security: add integrity checks to the Deno API
• 0a9bf21 enforce non-negative size in gzip parser
• e2a1a71 security: forbid \\ in local dev server requests
• 83a2cbf fix #4482: don't inline using declarations
• 308ad74 fix #4471: renaming of nested var declarations
• f013f5f fix some typos
• aafd6e4 chore: fix some minor issues in comments (#4462)
• 15300c3 follow up: cjs evaluation fixes
• 1bda0c3 fix #4461, fix #4467: esm evaluation fixes
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.

Updates tmp from 0.2.5 to 0.2.7

Commits

• 8ea1f37 Bump up the version
• 8f24f78 Merge commit from fork
• ce787f3 Reject non-string prefix, postfix, template
• 41f7159 Bump up the version
• efa4a06 Merge commit from fork
• 7ef2728 Check for relative values
• See full diff in compare view

Updates yeoman-environment from 4.4.3 to 6.0.1

Release notes

Sourced from yeoman-environment's releases.

v6.0.1

What's Changed

• fix: ask before installing local packages by @​mshima in yeoman/environment#753
• chore(release): bump version to v6.0.1 by @​github-actions[bot] in yeoman/environment#757

Full Changelog: yeoman/environment@v6.0.0...v6.0.1

v6.0.0

🚀 yeoman-environment v6 – Release Notes

• Switch to @​yeoman/adapter v4 (and inquirer v13) by default. Some behavior changes may happen.

---

yeoman/environment@v5.1.3...v6.0.0

v5.1.3

• fix: only fallback to import if requiring fails with esm/async error (#716) e4fb745

---

yeoman/environment@v5.1.2...v5.1.3

v5.1.2

• fix: use globbySync to resolve PNPM global node_modules paths (#692) 4317fef

---

yeoman/environment@v5.1.1...v5.1.2

v5.1.1

• feat: lookup for generators in pnpm global folder (#680) 2fcd028

---

yeoman/environment@v5.1.0...v5.1.1

v5.1.0

• chore(deps): bump globby from 15.0.0 to 16.0.0 (#676) cd962ec
• chore(deps): bump @​yeoman/conflicter from 3.0.0 to 4.0.0 (#677) 04a104b
• chore(deps): bump globby from 14.1.0 to 15.0.0 (#662) 5d39217
• feat: add generatorLookupOptions option (#674) a301ab8
• fix: expose missing types (#673) 4de747f

---

yeoman/environment@v5.0.0...v5.1.0

... (truncated)

Changelog

Sourced from yeoman-environment's changelog.

Changelog

6.1.0 (2026-04-29)

Features

• add support to ask customInstallTask (#770) (136e4f4)
• deps: bump @​yeoman/namespace from 1.0.1 to 2.1.0 (#766) (4a3ae84)
• extract getFeaturesFromGenerator (#769) (d244f0c)

Commits

• a838fa6 chore(release): bump version to v6.0.1 (#757)
• d4227d8 chore: workflow adjusts (#756)
• 6384bf2 chore: Remove npm caching in Node.js setup (#755)
• efd8eab chore: update dependencies (#754)
• 78d2af7 fix: ask before installing local packages. (#753)
• dccfd12 chore: add publish workflow (#752)
• 1b2d34a chore: remove package-lock.json (#751)
• 32abbfa chore(deps): bump github/codeql-action from 4.32.6 to 4.35.1 (#745)
• d092613 chore(deps): bump picomatch (#743)
• ec98f75 chore(deps-dev): bump flatted from 3.3.3 to 3.4.2 (#740)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for yeoman-environment since your current version.

Updates form-data from 2.3.3 to 2.5.6

Release notes

Sourced from form-data's releases.

v2.5.2

Fixes

• Buffer.from and Buffer.alloc require node 4+
• npmignore temporary build files (#532)
• move util.isArray to Array.isArray (#564)

Tests

• migrate from travis to GHA

Dev Improvements

• Fixed error in the documentations as indicated in #439
• Added remaining combined-stream options to typedef
• Bumped rimraf to 2.7.1 (dev-dep)
• Added constructor options to TypeScript defs
• Fixed error in callback signatures

Added Types

• Added TS types
• Improved documentation

Added getBuffer method

Updated test builds to support node10 and 12.

Changelog

Sourced from form-data's changelog.

v2.5.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames b620316
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, tape 12be578
• [Dev Deps] update js-randomness-predictor 46cfd23
• [Tests] use safe-buffer so the header-injection test runs on node < 4 633044a
• [Deps] update hasown e3b96ee

v2.5.5 - 2025-07-18

Commits

• [meta] actually ensure the readme backup isn’t published 10626c0
• [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] update linting config 8bf2492
• [meta] add auto-changelog b5101ad
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
• [Fix] Switch to using crypto random for boundary values b88316c
• [Fix] validate boundary type in setBoundary() method 131ae5e
• [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
• [Refactor] use hasown 97ac9c2
• [meta] remove local commit hooks be99d4e
• [Dev Deps] remove unused deps ddbc89b
• [meta] fix scripts to use prepublishOnly e351a97
• [Dev Deps] remove unused script 8f23366
• [Dev Deps] add missing peer dep 02ff026
• [meta] fix readme capitalization 2fd5f61

v2.5.3 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates aws-sdk from 2.1692.0 to 2.1693.0

Release notes

Sourced from aws-sdk's releases.

Release v2.1693.0

See changelog for more information.

Commits

• 9d3c66e Updates SDK to v2.1693.0
• c039567 test(client-elastictranscoder): remove feature test (#4711)
• f5b1a6f docs: end-of-support (#4706)
• 657d6fe chore: use ssh private key for git sync (#4705)
• c12585b chore: remove regression label management (#4699)
• See full diff in compare view

Updates @xmldom/xmldom from 0.8.11 to 0.8.13

Release notes

Sourced from @​xmldom/xmldom's releases.

0.8.13

Commits

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.12

Commits

Fixed

• preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)
• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @​thesmartshadow, @​stevenobiajulu, for your contributions

xmldom/xmldom#357

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.8.13

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

Added

• implement ParentNode.children getter [#960](https://github.com/xmldom/xmldom/issues/960) / [#410](https://github.com/xmldom/xmldom/issues/410)

Fixed

• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
• correctly traverse ancestor chain in Node.contains [#931](https://github.com/xmldom/xmldom/issues/931)

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

• updated dependencies

Thank you, @​stevenobiajulu, @​yoshi389111, @​thesmartshadow, for your contributions

0.8.12

Fixed

• preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)

... (truncated)

Commits

• e5c1480 0.8.13
• 9611e20 style: drop unused import in test file
• dc4dff3 docs: add 0.8.13 changelog entry
• 842fa38 fix: prevent stack overflow in normalize (GHSA-2v35-w6hq-6mfw)
• aeff69f test: add normalize behavioral coverage to node.test.js
• cbdb0d7 fix: make walkDOM iterative to prevent stack overflow (GHSA-2v35-w6hq-6mfw)
• 0b543d3 test: assert namespace declarations are isolated between siblings in serializ...
• c007c51 refactor: migrate serializeToString to walkDOM
• 2bb3899 test: add serializeToString coverage for uncovered branches
• e69f38d refactor: migrate importNode to walkDOM
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Updates vitest from 3.2.4 to 3.2.6

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

• Pin last supported vite-node version  -  by @​sheremet-va (16f12)

    View changes on GitHub

v3.2.5

   🚀 Features

• api: Add allowWrite and allowExec options to api [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10445 (af88b)

   🐞 Bug Fixes

• browser: Disable client cdp API when allowWrite/allowExec: false [backport to v3]  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10456 (385a1)

    View changes on GitHub

Commits

• b6d56f8 chore: release v3.2.6
• 16f120d fix: pin last supported vite-node version
• 2cbad0a chore: release v3.2.5
• 385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
• af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.

Updates ip-address from 10.1.0 to 10.2.0

Commits

• 80fccaa 10.2.0
• abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
• 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
• 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
• 80bc76e Validate static factories instead of silently overflowing (#201)
• 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
• a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
• ec52105 Add networkForm() for CIDR network-address strings (#199)
• a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
• f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
• Additional commits viewable in compare view

Updates rollup from 4.53.3 to 4.62.0

Release notes

Sourced from rollup's releases.

v4.62.0

4.62.0

2026-06-13

Features

• Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

• #6374: Extract the static dependencies imported by manual chunks into separate chunks (@​TrickyPi, @​lukastaegert)
• #6405: fix(deps): update minor/patch updates (@​renovate[bot])
• #6406: chore(deps): pin dependency concurrently to v9 (@​renovate[bot], @​lukastaegert)
• #6407: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6409: chore(deps): update minor/patch updates to v6.2.0 (@​renovate[bot])
• #6410: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6412: fix(deps): update minor/patch updates (@​renovate[bot])
• #6413: chore(deps): update dependency eslint-plugin-unicorn to v65 (@​renovate[bot])
• #6414: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

v4.61.1

4.61.1

2026-06-04

Bug Fixes

• Avoid extraneous newlines when adding headers via plugins (#6403)
• Fix a rare issue where starting Rollup would hang on Windows (#6404)

Pull Requests

• #6402: Improve documentation for manualPureFunctions (@​lukastaegert)
• #6403: Does not add an extra leading line feed for addons (@​TrickyPi)
• #6404: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (@​jdz321, @​lukastaegert)

v4.61.0

4.61.0

2026-06-01

Features

• Sort entry modules to make chunk hashes deterministic (#6391)

Pull Requests

• #6376: Eliminate AWS credential exposure on fork PRs in REPL artefact workflow (@​lukastaegert)
• #6378: fix(deps): update minor/patch updates (@​renovate[bot])

... (truncated)

Changelog

Sourced from rollup's changelog.

4.62.0

2026-06-13

Features

• Ensure that shared dependencies between manual chunks and entry points receive a serparate chunk (#6374)

Pull Requests

• #6374: Extract the static dependencies imported by manual chunks into separate chunks (@​TrickyPi, @​lukastaegert)
• #6405: fix(deps): update minor/patch updates (@​renovate[bot])
• #6406: chore(deps): pin dependency concurrently to v9 (@​renovate[bot], @​lukastaegert)
• #6407: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6409: chore(deps): update minor/patch updates to v6.2.0 (@​renovate[bot])
• #6410: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #6412: fix(deps): update minor/patch updates (@​renovate[bot])
• #6413: chore(deps): update dependency eslint-plugin-unicorn to v65 (@​renovate[bot])
• #6414: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

4.61.1

2026-06-04

Bug Fixes

• Avoid extraneous newlines when adding headers via plugins (#6403)
• Fix a rare issue where starting Rollup would hang on Windows (#6404)

Pull Requests

• #6402: Improve documentation for manualPureFunctions (@​lukastaegert)
• #6403: Does not add an extra leading line feed for addons (@​TrickyPi)
• #6404: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (@​jdz321, @​lukastaegert)

4.61.0

2026-06-01

Features

• Sort entry modules to make chunk hashes deterministic (#6391)

Pull Requests

• #6376: Eliminate AWS credential exposure on fork PRs in REPL artefact workflow (@​lukastaegert)
• #6378: fix(deps): update minor/patch updates (@​renovate[bot])
• #6379: chore(deps): update dependency lint-staged to v17 (@​renovate[bot], @​lukastaegert)
• #6380: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6381: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)

... (truncated)

Commits

• 5e0066d 4.62.0
• 93e85fc chore(deps): update dependency eslint-plugin-unicorn to v65 (#6413)
• 5c9ef2e fix(deps): update minor/patch updates (#6412)
• 18654d8 chore(deps): lock file maintenance minor/patch updates (#6414)
• d96ed95 Extract the static dependencies imported by manual chunks into separate chunk...
• 126e141 chore(deps): pin dependency concurrently to v9 (#6406)
• f2f58c4 chore(deps): lock file maintenance minor/patch updates (#6410)
• 5a15062 chore(deps): update minor/patch updates to v6.2.0 (#6409)
• d02f03a chore(deps): lock file maintenance minor/patch updates (#6407)
• 844671c fix(deps): update minor/patch updates (#6405)
• Additional commits viewable in compare view

Updates tar from 6.2.1 to 7.5.16

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• cf21338 7.5.16
• 21a8220 do not apply PAX header fields to meta entries
• 52632cf update project deps
• 302f51f fix inconsequential typo in PENDINGLINKS symbol name
• 55dbb99 remove some uses of mutate-fs
• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates vite from 7.2.6 to 7.3.5

Release notes

Sourced from vite's releases.

v7.3.5

Please refer to CHANGELOG.md for details.

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.