Update external fixes

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@openwhisk/wskdebug	1.3.0 → 1.4.0			devDependencies	minor
adobe/aio-apps-action	2.0.1 → 2.0.2			action	patch
adobe/aio-cli-setup-action	1.1.0 → v1.3.0			action	minor
axios (source)	^0.27.2 → ^0.32.0			devDependencies	minor
chai (source)	4.3.5 → 4.5.0			devDependencies	minor
core-js (source)	3.20.3 → 3.49.0			dependencies	minor
eslint-plugin-react	7.28.0 → 7.37.5			devDependencies	minor
graphiql (source)	1.5.16 → 1.11.5			dependencies	minor
inquirer (source)	8.2.0 → 8.2.7			devDependencies	patch
regenerator-runtime (source)	0.13.9 → 0.14.1			dependencies	minor

---

Release Notes

apache/openwhisk-wskdebug (@​openwhisk/wskdebug)

v1.4.0

Compare Source

Improvements

• travis: log detailed test output on failure
• travis: get most verbose logging while keeping standard npm test quiet
• chore: example/nodejs: put name first in vs code launch.json examples
• chore: README: put name first in vs code launch.json examples
• chore: configure more github project properties vis asf.yaml #​88
• chore: update openwhisk-client-js to 3.21.4

Fixes

• fix: swap isomorphic-fetch for node-fetch for security issue #​96
• fix: disable installation of peer dependencies (npm@​7 default) #​97
• fix: pull image before test runs - should fix flaky agentmgr.test.js tests in Travis #​84
• fix: wskdebug does not work with new VS Code 1.48 debugger #​74
• fix: use lts node, instead of latest (test Dockerfile)
• fix: fix travis badge url #​92
• fix: formatting for github and usage output
• fix: spelling #​86
• fix: link and grammar #​87
• chore: various dependabot dependency updates #​99 #​100 #​102 #​103
• chore: update copyright notice #​90
• chore: npm audit fixes

adobe/aio-apps-action (adobe/aio-apps-action)

v2.0.2

Compare Source

What's Changed

• Update README.md by @​meryllblanchet in #​12
• Doc update by @​sandeep-paliwal in #​14
• fix: update --skip-build (deprecated) to use --no-build by @​shazron in #​15

New Contributors

• @​meryllblanchet made their first contribution in #​12
• @​shazron made their first contribution in #​15

Full Changelog: adobe/aio-apps-action@v2.0.1...2.0.2

adobe/aio-cli-setup-action (adobe/aio-cli-setup-action)

v1.3.0: 1.3.0

Compare Source

• Merge pull request #​20 from adobe/node-20 a84c76e
• Merge pull request #​21 from adobe/fix-input-warnings 10e1ffe
• fix: input warnings 0204d7d
• chore: update to node 20 a43e7c4

v1.3.0: 1.3.0

Compare Source

• Merge pull request #​20 from adobe/node-20 a84c76e
• Merge pull request #​21 from adobe/fix-input-warnings 10e1ffe
• fix: input warnings 0204d7d
• chore: update to node 20 a43e7c4

v1.2.0

Compare Source

Bug fix, for aio -v

New Contributors

• @​amulyakashyap09 made their first contribution in #​7
• @​dependabot made their first contribution in #​8
• @​purplecabbage made their first contribution in #​19

Full Changelog: adobe/aio-cli-setup-action@1.1.0...1.2.0

axios/axios (axios)

v0.32.0

Compare Source

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#​10838)

🔒 Security Fixes

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#​10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#​10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#​10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#​10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#​10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#​10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#​10838)

🔧 Maintenance & Chores

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#​10838)

Full Changelog

v0.31.1

Compare Source

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

• Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#​10747)

🔒 Security Fixes

• Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#​10750)
• Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#​10752)
• FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#​10728)
• Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20 → +) unchanged. (#​10737)
• Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#​10764)

🔧 Maintenance & Chores

• CODEOWNERS: Added .github/CODEOWNERS with * @​jasonsaayman to set a default reviewer for all paths. (#​10740)

Full Changelog

v0.31.0

Compare Source

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

• Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#​10688)

• CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#​10638, #​10639, #​10667)

🐛 Bug Fixes

• TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#​6253, #​7328)

• Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#​6484)

🔧 Maintenance & Chores

• Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#​10690, #​10691, #​10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​nakataki17 (#​6253)
• @​gmasclet (#​6484)
• @​shaanmajid (#​10638, #​10639, #​10667)
• @​ivan-churakov (#​7328)

Full Changelog

v0.30.3: Release notes - v0.30.3

Compare Source

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

• Backport: Fix DoS via proto key in merge config
  • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in PR #​7388

⚙️ Maintenance & CI

• CI Infrastructure Update
  • Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @​jasonsaayman in PR #​7407

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

Full Changelog: v0.30.2...v0.30.3

v0.30.2

Compare Source

What's Changed

• Backport maxContentLength vulnerability fix to v0.x by @​FeBe95 in #​7034

New Contributors

• @​FeBe95 made their first contribution in #​7034

Full Changelog: axios/axios@v0.30.1...v0.30.2

v0.30.1

Compare Source

Release notes:

Bug Fixes

• chore(deps): bump form-data from 4.0.0 to 4.0.4 for v0.x by @​wolandec in #​6978

Contributors to this release

• @​wolandec made their first contribution in #​6978

Full Changelog: axios/axios@v0.30.0...v0.30.1

v0.30.0

Compare Source

Release notes:

Bug Fixes

• fix: modify log while request is aborted by @​mori5321 in #​4917
• fix: update CHANGELOG.md for v0.x by @​TehZarathustra in #​6271
• fix: modify upgrade guide for 0.28.1's breaking change by @​nafeger in #​6787
• fix: backport allowAbsoluteUrls vulnerability fix to v0.x by @​thatguyinabeanie in #​6829
• fix: add allowAbsoluteUrls type by @​thatguyinabeanie in #​6849

Contributors to this release

• @​mori5321 made their first contribution in #​4917
• @​TehZarathustra made their first contribution in #​6271
• @​nafeger made their first contribution in #​6787
• @​thatguyinabeanie made their first contribution in #​6829

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Compare Source

Release notes:

Bug Fixes

• fix(backport): backport security fixes in commits #​6167 and #​6163 to v0.x by @​Sean-Powell in #​6402
• fix: omit nulls in params by @​Willshaw in #​6394
• fix(backport): fix paramsSerializer function validation by @​solonzhu in #​6361
• fix: Regular Expression Denial of Service (ReDoS) by @​qiongshusheng in #​6708

Contributors to this release

• @​Sean-Powell made their first contribution in #​6402
• @​Willshaw made their first contribution in #​6394
• @​solonzhu made their first contribution in #​6361
• @​qiongshusheng made their first contribution in #​6708

v0.28.1

Compare Source

Release notes:

Release notes:

Bug Fixes

• fix(backport): custom params serializer support (#​6263)
• fix(backport): uncaught ReferenceError req is not defined (#​6307)

v0.28.0

Compare Source

Release notes:

Bug Fixes

• fix(security): fixed CVE-2023-45857 by backporting withXSRFToken option to v0.x (#​6091)

Backports from v1.x:

• Allow null indexes on formSerializer and paramsSerializer v0.x (#​4961)
• Fixing content-type header repeated #​4745
• Fixed timeout error message for HTTP 4738
• Added axios.formToJSON method (#​4735)
• URL params serializer (#​4734)
• Fixed toFormData Blob issue on node>v17 #​4728
• Adding types for progress event callbacks #​4675
• Fixed max body length defaults #​4731
• Added data URL support for node.js (#​4725)
• Added isCancel type assert (#​4293)
• Added the ability for the url-encoded-form serializer to respect the formSerializer config (#​4721)
• Add string[] to AxiosRequestHeaders type (#​4322)
• Allow type definition for axios instance methods (#​4224)
• Fixed AxiosError stack capturing; (#​4718)
• Fixed AxiosError status code type; (#​4717)
• Adding Canceler parameters config and request (#​4711)
• fix(types): allow to specify partial default headers for instance creation (#​4185)
• Added blob to the list of protocols supported by the browser (#​4678)
• Fixing Z_BUF_ERROR when no content (#​4701)
• Fixed race condition on immediate requests cancellation (#​4261)
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an Axios instance #​4248
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill (#​4229)
• Fix TS definition for AxiosRequestTransformer (#​4201)
• Use type alias instead of interface for AxiosPromise (#​4505)
• Include request and config when creating a CanceledError instance (#​4659)
• Added generic TS types for the exposed toFormData helper (#​4668)
• Optimized the code that checks cancellation (#​4587)
• Replaced webpack with rollup (#​4596)
• Added stack trace to AxiosError (#​4624)
• Updated AxiosError.config to be optional in the type definition (#​4665)
• Removed incorrect argument for NetworkError constructor (#​4656)

chaijs/chai (chai)

v4.5.0

Compare Source

• Update type detect (#​1631) 1a36d35

What's Changed

• Update type detect by @​koddsson in #​1631

Full Changelog: chaijs/chai@v4.4.1...v4.5.0

v4.4.1

Compare Source

What's Changed

• fix: removes ?? for node compat by @​43081j in #​1574

Full Changelog: chaijs/chai@v4.4.0...v4.4.1

v4.4.0

Compare Source

What's Changed

• Allow deepEqual fonction to be configured globally (4.x.x branch) by @​forty in #​1553

Full Changelog: chaijs/chai@v4.3.10...v4.4.0

v4.3.10

Compare Source

This release simply bumps all dependencies to their latest non-breaking versions.

What's Changed

• upgrade all dependencies by @​keithamus in #​1540

Full Changelog: chaijs/chai@v4.3.9...v4.3.10

v4.3.9

Compare Source

Upgrade dependencies.

This release upgrades dependencies to address CVE-2023-43646 where a large function name can cause "catastrophic backtracking" (aka ReDOS attack) which can cause the test suite to hang.

Full Changelog: chaijs/chai@v4.3.8...v4.3.9

v4.3.8

Compare Source

What's Changed

• 4.x.x: Fix link to commit logs on GitHub by @​bugwelle in #​1487
• build(deps): bump socket.io-parser from 4.0.4 to 4.0.5 by @​dependabot in #​1488
• Small typo in test.js by @​mavaddat in #​1459
• docs: specify return type of objDisplay by @​scarf005 in #​1490
• Update CONTRIBUTING.md by @​matheus-rodrigues00 in #​1521
• Fix: update exports.version to current version by @​peanutenthusiast in #​1534

New Contributors

• @​bugwelle made their first contribution in #​1487
• @​mavaddat made their first contribution in #​1459
• @​scarf005 made their first contribution in #​1490
• @​matheus-rodrigues00 made their first contribution in #​1521
• @​peanutenthusiast made their first contribution in #​1534

Full Changelog: chaijs/chai@v4.3.7...v4.3.8

v4.3.7

Compare Source

What's Changed

• fix: deep-eql bump package to support symbols comparison by @​snewcomer in #​1483

Full Changelog: chaijs/chai@v4.3.6...v4.3.7

v4.3.6

Compare Source

Update loupe to 2.3.1

zloirock/core-js (core-js)

v3.49.0

Compare Source

• Changes v3.48.0...v3.49.0 (373 commits)
• Iterator.range updated following the actual spec version
  • Throw a RangeError on NaN start / end / step
  • Allow null as optionOrStep
• Improved accuracy of Math.{ asinh, atanh } polyfills with big and small values
• Improved accuracy of Number.prototype.toExponential polyfills with big and small values
• Improved performance of atob, btoa, Uint8Array.fromHex, Uint8Array.prototype.setFromHex, and Uint8Array.prototype.toHex, #​1503, #​1464, #​1510, thanks @​johnzhou721
• Minor performance optimization polyfills of methods from Map upsert proposal
• Polyfills of methods from Map upsert proposal from the pure version made generic to make it work with polyfilled and native collections
• Wrap Symbol.for in Symbol.prototype.description polyfill for correct handling of empty string descriptions
• Fixed a modern Safari bug in Array.prototype.includes with sparse arrays and fromIndex
• Fixed one more case (Iterator.prototype.take) of a V8 ~ Chromium < 126 bug
• Forced replacement of Iterator.{ concat, zip, zipKeyed } in the pure version for ensuring proper wrapped Iterator instances as the result
• Fixed proxying .return() on exhausted iterator from some methods of iterator helpers polyfill to the underlying iterator
• Fixed double .return() calling in case of throwing error in this method in the internal iterate helper that affected some polyfills
• Fixed closing iterator on IteratorValue errors in the internal iterate helper that affected some polyfills
• Fixed iterator closing in Array.from polyfill on failure to create array property
• Fixed order of arguments validation in Array.fromAsync polyfill
• Fixed a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync polyfill
• Fixed order of arguments validation in Array.prototype.flat polyfill
• Fixed handling strings as iterables in Iterator.{ zip, zipKeyed } polyfills
• Fixed some cases of iterators closing in Iterator.{ zip, zipKeyed } polyfills
• Fixed validation of iterators .next() results an objects in Iterator.{ zip, zipKeyed } polyfills
• Fixed a lack of early error in Iterator.concat polyfill on primitive as an iterator
• Fixed buffer mutation exposure in Iterator.prototype.windows polyfill
• Fixed iterator closing in Set.prototype.{ isDisjointFrom, isSupersetOf } polyfill
• Fixed (updated following the final spec) one more case Set.prototype.difference polyfill with updating this
• Fixed DataView.prototype.setFloat16 polyfill in (0, 1) range
• Fixed order of arguments validation in String.prototype.{ padStart, padEnd } polyfills
• Fixed order of arguments validation in String.prototype.{ startsWith, endsWith } polyfills
• Fixed some cases of Infinity handling in String.prototype.substr polyfill
• Fixed String.prototype.repeat polyfill with a counter exceeding 2 ** 32
• Fixed some cases of chars case in escape polyfill
• Fixed named backreferences in RegExp NCG polyfill
• Fixed some cases of RegExp NCG polyfill in combination with other types of groups
• Fixed some cases of RegExp NCG polyfill in combination with dotAll
• Fixed String.prototype.replace with sticky polyfill, #​810, #​1514
• Fixed RegExp sticky polyfill with alternation
• Fixed handling of some line terminators in case of multiline + sticky mode in RegExp polyfill
• Fixed .input slicing on result object with RegExp sticky mode polyfill
• Fixed handling of empty groups with global and unicode modes in polyfills
• Fixed URLSearchParam.prototype.delete polyfill with duplicate key-value pairs
• Fixed possible removal of unnecessary entries in URLSearchParam.prototype.delete polyfill with second argument
• Fixed an error in some cases of non-special URLs without a path in the URL polyfill
• Fixed some percent encode cases / character sets in the URL polyfill
• Fixed parsing of non-IPv4 hosts ends in a number in the URL polyfill
• Fixed some cases of '' and null host handling in the URL polyfill
• Fixed host parsing with hostname = host:port in the URL polyfill
• Fixed host inheritance in some cases of file scheme in the URL polyfill
• Fixed block of protocol change for file with empty host in the URL polyfill
• Fixed invalid code points handling in UTF-8 decode in the URLSearchParams polyfill
• Fixed some cases of serialization in URL polyfill (/. prefix for non-special URLs with null host and path starting with empty segment)
• Fixed URL polyfill .origin getter with blob scheme
• Fixed a lack of error in URLSearchParams.prototype.set polyfill on calling only with 1 argument
• Fixed handling invalid UTF-8 continuation bytes in URLSearchParams polyfill
• Fixed incomplete sequences with out-of-range continuation bytes handling in URLSearchParams polyfill
• Fixed allowing unexpected symbols in scheme in the URL polyfill
• Fixed repeated ToPropertyKey calling in Reflect.{ get, set, deleteProperty } polyfills
• Fixed Reflect.set polyfill with some descriptors cases
• Fixed Reflect.set polyfill with some non-extensible receiver cases
• Fixed the order of Reflect.construct polyfill arguments validation (observable only in the error message)
• Fixed a lack of error in Reflect.defineProperty polyfill with malformed descriptor
• Fixed a lack of error in JSON.parse polyfill on unterminated object and array literals
• Fixed a lack of error in JSON.parse polyfill on numbers with ., but without a fraction part
• Fixed a lack of error on \u{} in String.dedent polyfill
• Fixed some cases of hex escaping in the end of string in String.dedent polyfill
• Fixed %AsyncFromSyncIteratorPrototype% to make it a little stricter
• Fixed counter in some cases of some AsyncIterator methods
• Fixed order of async iterators closing
• Fixed iterator closing in AsyncIterator.prototype.flatMap polyfill
• Fixed iterator closing in AsyncIterator.prototype.map polyfill on error in underlying iterator .next()
• Fixed iterator closing in AsyncIterator.prototype.take polyfill with return: null
• Fixed validation .return() result as object in AsyncIterator.prototype.take polyfill
• Fixed a lack of error in structuredClone polyfill on attempt to transfer multiple objects, some of which are non-transferable
• Fixed resizable ArrayBuffer transferring where newByteLength exceeds the original maxByteLength
• Fixed possible loss of symbol enumerability in Object.defineProperty in Symbol polyfill
• Fixed return value of Object.defineProperty in Symbol polyfill in Android ~ 2
• Fixed order of %TypedArray%.from arguments validation
• Fixed a lack of error on passing an ArrayBuffer and a negative length to the %TypedArray% and DataView constructors polyfills
• Fixed some cases of @@​toStringTag on %TypedArray% polyfill
• Fixed some cases of ToUint8Clamp conversion
• Fixed NaN handling in Date.prototype.setYear polyfill
• Fixed false positive on a WeakMap validation in the pure version
• Fixed some minor { Map, Set }.prototype.forEach moments in the pure version
• Fixed possible error in Array.isTemplateObject polyfill on frozen array
• Fixed semantics of Observable.from with multiple subscriptions of the obsolete ECMAScript Observable proposal polyfill
• Fixed handling of ending zeroes in the fraction part in Number.fromString polyfill
• Fixed esmodules: intersect option of core-js-compat
• Fixed a lack of reactnative alias in core-js-compat types
• Fixed a minor logical bug in the debugging output of core-js-builder
• Fixed ignorance of the obsolete blacklist option of core-js-builder - it should be removed only in the next major release
• In case of bugs in String.prototype.{ match, matchAll, replace, split } in modern engines, add s, d and v flag support to polyfills of those methods
• Just in case, added an extra input string validation to the polyfill of obsolete Number.fromString proposals
• Simplified iOS detection
• Many minor stylistic fixes and optimizations
• Compat data improvements:
  • Math.sumPrecise marked as shipped in V8 ~ Chrome 147
  • Iterator.concat marked as shipped in V8 ~ Chrome 146
  • Iterator.concat marked as shipped in Safari 26.4
  • Because of a bug, Array.prototype.includes marked as not supported in modern Safari
  • Fixed compat data for parseInt and parseFloat
  • Added Deno 2.6.7, 2.7.0 and 2.7.2 compat data mapping
  • Added Electron 42 compat data mapping
  • Added Opera for Android 95 and 96 compat data mapping
  • Added Oculus Quest Browser 42 compat data mapping

v3.48.0

Compare Source

• Changes v3.47.0...v3.48.0 (126 commits)
• Map upsert proposal:
  • Built-ins:
    • Map.prototype.getOrInsert
    • Map.prototype.getOrInsertComputed
    • WeakMap.prototype.getOrInsert
    • WeakMap.prototype.getOrInsertComputed
  • Moved to stable ES, January 2026 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
• Use CreateDataProperty / CreateDataPropertyOrThrow in some missed cases, #​1497
• Minor fix / optimization in the RegExp constructor (NCG and dotAll) polyfill
• Added some more workarounds for a Safari < 13 bug with silent ignore of non-writable array .length
• Added detection of a Webkit bug: Iterator.prototype.flatMap throws on iterator without return method
• Added detection of a V8 ~ Chromium < 144 bug: Uint8Array.prototype.setFromHex throws an error on length-tracking views over ResizableArrayBuffer
• Compat data improvements:
  • Map upsert proposal features marked as shipped in V8 ~ Chrome 145
  • Joint iteration proposal features marked as shipped in FF148
  • Iterator.concat marked as shipped in Bun 1.3.7
  • Added Rhino 1.9.0 compat data
  • Added Deno 2.6 compat data mapping
  • Added Opera Android 93 and 94 compat data mapping
  • Added Electron 41 compat data mapping
  • Iterator.prototype.flatMap marked as supported from Safari 26.2 and Bun 1.2.21 because of a bug: throws on iterator without return method
  • Uint8Array.prototype.setFromHex marked as supported from V8 ~ Chromium 144 because of a bug: throws an error on length-tracking views over ResizableArrayBuffer

v3.47.0

Compare Source

• Changes v3.46.0...v3.47.0 (117 commits)
• JSON.parse source text access proposal :
  • Built-ins:
    • JSON.isRawJSON
    • JSON.parse
    • JSON.rawJSON
    • JSON.stringify
  • Moved to stable ES, November 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Reworked JSON.stringify internals
• Iterator sequencing proposal:
  • Built-ins:
    • Iterator.concat
  • Moved to stable ES, November 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
• Joint iteration proposal:
  • Built-ins:
    • Iterator.zip
    • Iterator.zipKeyed
  • Moved to stage 3, November 2025 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Fixed increasing .size in URLSearchParams.prototype.append polyfill in IE8-
• Compat data improvements:
  • Iterator.concat marked as shipped in FF147
  • Map upsert proposal features marked as shipped in Safari 26.2
  • Math.sumPrecise marked as shipped in Safari 26.2
  • Uint8Array.{ fromBase64, prototype.setFromBase64 } marked as fixed in Safari 26.2
  • Missed Explicit Resource Management features added in Bun 1.3.0
  • Added Oculus Quest Browser 41 compat data mapping
  • Added Electron 40 compat data mapping

v3.46.0

Compare Source

• Changes v3.45.1...v3.46.0 (116 commits)
• Map upsert stage 3 proposal:
  • Fixed a FF WeakMap.prototype.getOrInsertComputed bug with callback calling before validation a key
• Iterator chunking proposal:
  • Built-ins:
    • Iterator.prototype.chunks
    • Iterator.prototype.windows
  • Moved to stage 2.7, September 2025 TC39 meeting
  • Iterator.prototype.sliding method replaced with an extra parameter of Iterator.prototype.windows method, tc39/proposal-iterator-chunking/#​24, tc39/proposal-iterator-chunking/#​26
• Fixed Iterator.zip and Iterator.zipKeyed behavior with mode: 'longest' option, #​1469, thanks @​lionel-rowe
• Fixed work of Object.groupBy and Iterator.zipKeyed together with Symbol polyfill - some cases of symbol keys on result null-prototype object were able to leak out to for-in
• Compat data improvements:
  • Map upsert proposal features marked as shipped from FF144
  • Added Node 25.0 compat data mapping
  • Added Deno 2.5 compat data mapping
  • Updated Electron 39 compat data mapping
  • Updated Opera 121+ compat data mapping
  • Added Opera Android 92 compat data mapping
  • Added Oculus Quest Browser 40 compat data mapping

v3.45.1

Compare Source

• Changes v3.45.0...v3.45.1 (30 commits)
• Fixed a conflict of native methods from Map upsert proposal with polyfilled methods in the pure version
• Added bugs fields to package.json of all packages
• Compat data improvements:
  • Map upsert proposal features marked as shipped from Bun 1.2.20
  • Added Samsung Internet 29 compat data mapping
  • Added Electron 39 compat data mapping

v3.45.0

Compare Source

• Changes v3.44.0...v3.45.0 (70 commits)
• Uint8Array to / from base64 and hex proposal:
  • Built-ins:
    • Uint8Array.fromBase64
    • Uint8Array.fromHex
    • Uint8Array.prototype.setFromBase64
    • Uint8Array.prototype.setFromHex
    • Uint8Array.prototype.toBase64
    • Uint8Array.prototype.toHex
  • Moved to stable ES, July 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Added detection of a Webkit bug: Uint8Array fromBase64 / setFromBase64 does not throw an error on incorrect length of base64 string
• Math.sumPrecise proposal:
  • Built-ins:
    • Math.sumPrecise
  • Moved to stable ES, July 2025 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
• Iterator sequencing proposal:
  • Built-ins:
    • Iterator.concat
  • Moved to stage 3, July 2025 TC39 meeting
  • A

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!