Commit 5211278
authored
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4&size=40){kind=avatar}
build(deps): bump the security-updates group across 2 directories with 15 updates (#1032)
Bumps the security-updates group with 9 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) |
`1.1.12` | `1.1.13` |
|
[fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser)
| `4.5.4` | `4.5.5` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` |
`3.4.2` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.3` |
`1.4.0` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` |
`2.3.2` |
| [svgo](https://github.com/svg/svgo) | `3.3.2` | `3.3.3` |
| [tar](https://github.com/isaacs/node-tar) | `7.5.9` | `7.5.13` |
| [undici](https://github.com/nodejs/undici) | `6.23.0` | `6.24.1` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.2` | `2.8.3` |
Bumps the security-updates group with 11 updates in the /docs directory:
| Package | From | To |
| --- | --- | --- |
| [ajv](https://github.com/ajv-validator/ajv) | `6.12.6` | `6.14.0` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) |
`1.1.12` | `1.1.13` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [markdown-it](https://github.com/markdown-it/markdown-it) | `14.1.0` |
`14.1.1` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` |
`2.3.2` |
| [qs](https://github.com/ljharb/qs) | `6.14.0` | `6.14.2` |
| [svgo](https://github.com/svg/svgo) | `3.3.2` | `3.3.3` |
| [tar](https://github.com/isaacs/node-tar) | `7.5.2` | `7.5.13` |
| [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` |
| [path-to-regexp](https://github.com/pillarjs/path-to-regexp) |
`0.1.12` | `0.1.13` |
| [webpack](https://github.com/webpack/webpack) | `5.103.0` | `5.105.4`
|
Updates `brace-expansion` from 1.1.12 to 1.1.13
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/juliangruber/brace-expansion/commit/6c353caf23beb9644f858eb3fe38d43a68b82898"><code>6c353ca</code></a>
1.1.13</li>
<li><a
href="https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2"><code>7fd684f</code></a>
Backport fix for GHSA-f886-m6hf-6m8v (<a
href="https://redirect.github.com/juliangruber/brace-expansion/issues/95">#95</a>)</li>
<li>See full diff in <a
href="https://github.com/juliangruber/brace-expansion/compare/v1.1.12...v1.1.13">compare
view</a></li>
</ul>
</details>
<br />
Updates `fast-xml-parser` from 4.5.4 to 4.5.5
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/releases">fast-xml-parser's
releases</a>.</em></p>
<blockquote>
<h2>Summary update on all the previous releases from v4.2.4</h2>
<ul>
<li>Multiple minor fixes provided in the validator and parser</li>
<li>v6 is added for experimental use.</li>
<li>ignoreAttributes support function, and array of string or regex</li>
<li>Add support for parsing HTML numeric entities</li>
<li>v5 of the application is ESM module now. However, JS is also
supported</li>
</ul>
<p><strong>Note</strong>: Release section in not updated frequently.
Please check <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">CHANGELOG</a>
or <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/tags">Tags</a>
for latest release information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's
changelog</a>.</em></p>
<blockquote>
<p><!-- raw HTML omitted -->Note: If you find missing information about
particular minor version, that version must have been changed without
any functional change in this library.<!-- raw HTML omitted --></p>
<p>Note: Due to some last quick changes on v4, detail of v4.5.3 &
v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github
repository. I'm extremely sorry for the confusion</p>
<p><strong>5.5.9 / 2026-03-23</strong></p>
<ul>
<li>combine typing files</li>
</ul>
<p><strong>4.5.5 / 2026-03-22</strong></p>
<p>apply fixes from v5 (legacy maintenance branch v4-maintenance)</p>
<ul>
<li>support maxEntityCount</li>
<li>support onDangerousProperty</li>
<li>support maxNestedTags</li>
<li>handle prototype pollution</li>
<li>fix incorrect entity name replacement</li>
<li>fix incorrect condition for entity expansion</li>
</ul>
<p><strong>5.5.8 / 2026-03-20</strong></p>
<ul>
<li>pass read only matcher in callback</li>
</ul>
<p><strong>5.5.7 / 2026-03-19</strong></p>
<ul>
<li>fix: entity expansion limits</li>
<li>update strnum package to 2.2.0</li>
</ul>
<p><strong>5.5.6 / 2026-03-16</strong></p>
<ul>
<li>update builder dependency</li>
<li>fix incorrect regex to replace . in entity name</li>
<li>fix check for entitiy expansion for lastEntities and html entities
too</li>
</ul>
<p><strong>5.5.5 / 2026-03-13</strong></p>
<ul>
<li>sanitize dangerous tag or attribute name</li>
<li>error on critical property name</li>
<li>support onDangerousProperty option</li>
</ul>
<p><strong>5.5.4 / 2026-03-13</strong></p>
<ul>
<li>declare Matcher & Expression as unknown so user is not forced to
install path-expression-matcher</li>
</ul>
<p><strong>5.5.3 / 2026-03-11</strong></p>
<ul>
<li>upgrade builder</li>
</ul>
<p><strong>5.5.2 / 2026-03-11</strong></p>
<ul>
<li>update dependency to fix typings</li>
</ul>
<p><strong>5.5.1 / 2026-03-10</strong></p>
<ul>
<li>fix dependency</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/88d0936a23dabe51bfbf42255e2ce912dfee2221"><code>88d0936</code></a>
apply all fixes from v5</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/d4eb6b4713a8d11e6730943392419040898ecbc0"><code>d4eb6b4</code></a>
update release version</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/b1b9f633ff30cb4708337355c2789f08bc0558d2"><code>b1b9f63</code></a>
update release info</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/faccca126e1db96b90084adda6fbe2ea2ed434e7"><code>faccca1</code></a>
sync with v5.3.9</li>
<li>See full diff in <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v4.5.4...v4.5.5">compare
view</a></li>
</ul>
</details>
<br />
Updates `flatted` from 3.3.3 to 3.4.2
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/WebReflection/flatted/commit/3bf09091c3562e17a0647bc06710dd6097079cf7"><code>3bf0909</code></a>
3.4.2</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802"><code>885ddcc</code></a>
fix CWE-1321</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/0bdba705d130f00892b1b8fcc80cf4cdea0631e3"><code>0bdba70</code></a>
added flatted-view to the benchmark</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/2a02dce7c641dec31194c67663f9b0b12e62da20"><code>2a02dce</code></a>
3.4.1</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/fba4e8f2e113665da275b19cd0f695f3d98e9416"><code>fba4e8f</code></a>
Merge pull request <a
href="https://redirect.github.com/WebReflection/flatted/issues/89">#89</a>
from WebReflection/python-fix</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/5fe86485e6df7f7f34a07a2a85498bd3e17384e7"><code>5fe8648</code></a>
added "when in Rome" also a test for PHP</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/53517adbefe724fe472b2f9ebcdb01910d0ae3f0"><code>53517ad</code></a>
some minor improvement</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/b3e2a0c387bf446435fec45ad7f05299f012346f"><code>b3e2a0c</code></a>
Fixing recursion issue in Python too</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/c4b46dbcbf782326e54ea1b65d3ebb1dc7a23fad"><code>c4b46db</code></a>
Add SECURITY.md for security policy and reporting</li>
<li><a
href="https://github.com/WebReflection/flatted/commit/f86d071e0f70de5a7d8200198824a3f07fc9c988"><code>f86d071</code></a>
Create dependabot.yml for version updates</li>
<li>Additional commits viewable in <a
href="https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `node-forge` from 1.3.3 to 1.4.0
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md">node-forge's
changelog</a>.</em></p>
<blockquote>
<h2>1.4.0 - 2026-03-24</h2>
<h3>Security</h3>
<ul>
<li><strong>HIGH</strong>: Denial of Service in
<code>BigInteger.modInverse()</code>
<ul>
<li>A Denial of Service (DoS) vulnerability exists due to an infinite
loop in
the <code>BigInteger.modInverse()</code> function (inherited from the
bundled jsbn
library). When <code>modInverse()</code> is called with a zero value as
input, the
internal Extended Euclidean Algorithm enters an unreachable exit
condition,
causing the process to hang indefinitely and consume 100% CPU.</li>
<li>Reported by Kr0emer.</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33891">CVE-2026-33891</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx">GHSA-5gfm-wpxj-wjgq</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: Signature forgery in RSA-PKCS due to ASN.1
extra field.
<ul>
<li>RSASSA PKCS#1 v1.5 signature verification accepts forged signatures
for low
public exponent keys (e=3). Attackers can forge signatures by stuffing
"garbage" bytes within the ASN.1 structure in order to
construct a
signature that passes verification, enabling Bleichenbacher style
forgery.
This issue is similar to CVE-2022-24771, but adds bytes in an addition
field within the ASN.1 structure, rather than outside of it.</li>
<li>Additionally, forge does not validate that signatures include a
minimum of
8 bytes of padding as defined by the specification, providing attackers
additional space to construct Bleichenbacher forgeries.</li>
<li>Reported as part of a U.C. Berkeley security research project by:
<ul>
<li>Austin Chu, Sohee Kim, and Corban Villa.</li>
</ul>
</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33894">CVE-2026-33894</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp">GHSA-ppp5-5v6c-4jwp</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: Signature forgery in Ed25519 due to missing S
< L check.
<ul>
<li>Ed25519 signature verification accepts forged non-canonical
signatures
where the scalar S is not reduced modulo the group order (S >= L). A
valid
signature and its S + L variant both verify in forge, while Node.js
crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by
the
specification. This class of signature malleability has been exploited
in
practice to bypass authentication and authorization logic (see
CVE-2026-25793, CVE-2022-35961). Applications relying on signature
uniqueness (i.e., dedup by signature bytes, replay tracking,
signed-object
canonicalization checks) may be bypassed.</li>
<li>Reported as part of a U.C. Berkeley security research project by:
<ul>
<li>Austin Chu, Sohee Kim, and Corban Villa.</li>
</ul>
</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33895">CVE-2026-33895</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw">GHSA-q67f-28xg-22rw</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: <code>basicConstraints</code> bypass in
certificate chain verification.
<ul>
<li><code>pki.verifyCertificateChain()</code> does not enforce RFC 5280
<code>basicConstraints</code>
requirements when an intermediate certificate lacks both the
<code>basicConstraints</code> and <code>keyUsage</code> extensions. This
allows any leaf
certificate (without these extensions) to act as a CA and sign other
certificates, which node-forge will accept as valid.</li>
<li>Reported by Doruk Tan Ozturk (<a
href="https://github.com/peaktwilight"><code>@peaktwilight</code></a>)
- doruk.ch</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33896">CVE-2026-33896</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25">GHSA-2328-f5f3-gj25</a></li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/digitalbazaar/forge/commit/fa385f92440879601240020f158bed68e444e83a"><code>fa385f9</code></a>
Release 1.4.0.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/07d4e162762ed4fdab5caca9ebf78237fcf85339"><code>07d4e16</code></a>
Update changelog.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/cb90fd92091ee34e4abab3ad0c835eeea3d06c3e"><code>cb90fd9</code></a>
Update changelog.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/963e7c5c7b0f03de1b28a1e5a42a6bafda4cf711"><code>963e7c5</code></a>
Add unit test for "pseudonym"</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/f0b6f5b7c5d1c918240e975e0cade4f47d005446"><code>f0b6f5b</code></a>
Add pseudonym OID</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/3df48a311d4b53dc6493b7a47a8d07f3669957d9"><code>3df48a3</code></a>
Fix missing CVE ID.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"><code>2e49283</code></a>
Add x509 <code>basicConstraints</code> check.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85"><code>bdecf11</code></a>
Add canonical signature scaler check for S < L.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/af094e69c60ac5f7b29f2b1957c53ae5e12fd4a0"><code>af094e6</code></a>
Add RSA padding and DigestInfo length checks.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/796eeb1673f6ec636fda02dfc295047d9f7aefe0"><code>796eeb1</code></a>
Improve jsbn fix.</li>
<li>Additional commits viewable in <a
href="https://github.com/digitalbazaar/forge/compare/v1.3.3...v1.4.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `picomatch` from 2.3.1 to 2.3.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/picomatch/releases">picomatch's
releases</a>.</em></p>
<blockquote>
<h2>2.3.2</h2>
<p>This is a security release fixing several security relevant
issues.</p>
<h2>What's Changed</h2>
<ul>
<li>fix: exception when glob pattern contains constructor by <a
href="https://github.com/Jason3S"><code>@Jason3S</code></a> in <a
href="https://redirect.github.com/micromatch/picomatch/pull/144">micromatch/picomatch#144</a></li>
<li>Fix for <a
href="https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj">CVE-2026-33671</a></li>
<li>Fix for <a
href="https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p">CVE-2026-33672</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2">https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md">picomatch's
changelog</a>.</em></p>
<blockquote>
<h1>Release history</h1>
<p><strong>All notable changes to this project will be documented in
this file.</strong></p>
<p>The format is based on <a
href="http://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>
and this project adheres to <a
href="http://semver.org/spec/v2.0.0.html">Semantic Versioning</a>.</p>
<!-- raw HTML omitted -->
<ul>
<li>Changelogs are for humans, not machines.</li>
<li>There should be an entry for every single version.</li>
<li>The same types of changes should be grouped.</li>
<li>Versions and sections should be linkable.</li>
<li>The latest version comes first.</li>
<li>The release date of each versions is displayed.</li>
<li>Mention whether you follow Semantic Versioning.</li>
</ul>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<p>Changelog entries are classified using the following labels <em>(from
<a href="http://keepachangelog.com/">keep-a-changelog</a></em>):</p>
<ul>
<li><code>Added</code> for new features.</li>
<li><code>Changed</code> for changes in existing functionality.</li>
<li><code>Deprecated</code> for soon-to-be removed features.</li>
<li><code>Removed</code> for now removed features.</li>
<li><code>Fixed</code> for any bug fixes.</li>
<li><code>Security</code> in case of vulnerabilities.</li>
</ul>
<!-- raw HTML omitted -->
<h2>4.0.0 (2024-02-07)</h2>
<h3>Fixes</h3>
<ul>
<li>Fix bad text values in parse <a
href="https://redirect.github.com/micromatch/picomatch/issues/126">#126</a>,
thanks to <a
href="https://github.com/connor4312"><code>@connor4312</code></a></li>
</ul>
<h3>Changed</h3>
<ul>
<li>Remove process global to work outside of node <a
href="https://redirect.github.com/micromatch/picomatch/issues/129">#129</a>,
thanks to <a
href="https://github.com/styfle"><code>@styfle</code></a></li>
<li>Add sideEffects to package.json <a
href="https://redirect.github.com/micromatch/picomatch/issues/128">#128</a>,
thanks to <a
href="https://github.com/frandiox"><code>@frandiox</code></a></li>
<li>Removed <code>os</code>, make compatible browser environment. See <a
href="https://redirect.github.com/micromatch/picomatch/issues/124">#124</a>,
thanks to <a
href="https://github.com/gwsbhqt"><code>@gwsbhqt</code></a></li>
</ul>
<h2>3.0.1</h2>
<h3>Fixes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/micromatch/picomatch/commit/81cba8d4b767cab3cb29d26eb4f691eed75b73b2"><code>81cba8d</code></a>
Publish 2.3.2</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/fc1f6b69006e9435caf8fb40d8aff378bc0b7bce"><code>fc1f6b6</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/eec17aee5428a7249e9ca5adbb8a0d28fa29619b"><code>eec17ae</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/78f8ca4362d9e66cadea97b93e292f10096452ed"><code>78f8ca4</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/picomatch/issues/156">#156</a>
from micromatch/backport-144</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/3f4f10eaa65bf3a52e8f2999674cd27e11fa3c9b"><code>3f4f10e</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/picomatch/issues/144">#144</a>
from Jason3S/jdent-object-properties</li>
<li>See full diff in <a
href="https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `svgo` from 3.3.2 to 3.3.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/svg/svgo/releases">svgo's
releases</a>.</em></p>
<blockquote>
<h2>v3.3.3</h2>
<h2>What's Changed</h2>
<h3>Dependencies</h3>
<ul>
<li>Migrates from our unsupported fork of sax (<a
href="https://www.npmjs.com/package/@trysound/sax"><code>@trysound/sax</code></a>)
to the upstream version of sax (<a
href="https://www.npmjs.com/package/sax">sax</a>).</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>No longer throws error when encountering comments in DTD.</li>
</ul>
<h2>Metrics</h2>
<p>Before and after of the browser bundle of each respective
version:</p>
<table>
<thead>
<tr>
<th></th>
<th>v3.3.2</th>
<th>v3.3.3</th>
<th>Delta</th>
</tr>
</thead>
<tbody>
<tr>
<td>svgo.browser.js</td>
<td>910.9 kB</td>
<td>912.9 kB</td>
<td>⬆️ 2 kB</td>
</tr>
</tbody>
</table>
<h2>Support</h2>
<p>SVGO v3 is not officially supported, please consider upgrading to
SVGO v4 instead. We've backported this fix as there are security
implications, but there is no commitment to do this for more complex
changes in future.</p>
<p>Consider reading our <a
href="https://svgo.dev/docs/migrations/migration-from-v3-to-v4/">Migration
Guide from v3 to v4</a> which should ease the process.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/svg/svgo/commit/bbab162534d89654ac51c30dd6e62d7163b48a5e"><code>bbab162</code></a>
deps: upgrade to sax v1.5.0</li>
<li>See full diff in <a
href="https://github.com/svg/svgo/compare/v3.3.2...v3.3.3">compare
view</a></li>
</ul>
</details>
<br />
Updates `tar` from 7.5.9 to 7.5.13
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/isaacs/node-tar/commit/d6611ae951056addb77c6e11baf7bcc9d7648e46"><code>d6611ae</code></a>
7.5.13</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/119c401f4f7efbeb112d28f9dfc9c489674c9a79"><code>119c401</code></a>
fix(extract): prevent raced symlink writes outside cwd</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/2a294d3fbb24c18dc80f31059f49dd9af15653fe"><code>2a294d3</code></a>
7.5.12</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/01082a42c3256ca6054f9627911cce4dbfe00d92"><code>01082a4</code></a>
fix: reject top promise on floating addFilesAsync rejections</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/dd1c36ab7acff26e5a34935d17f27a45bb088db3"><code>dd1c36a</code></a>
linting</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/35a1ffe73eb4aa05cd2613f8fdcfb4c9c9ed59f9"><code>35a1ffe</code></a>
doc: more clarity in security warning</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/bf776f673164215074b62749e0fe80e5834588f4"><code>bf776f6</code></a>
7.5.11</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad"><code>f48b5fa</code></a>
prevent escaping symlinks with drive-relative paths</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/97cff15d3539a37a4095eb3d287147d9d77c2dc3"><code>97cff15</code></a>
docs: more security info</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/2b72abc1d47c3570e1ad95c9ab557fc4c2e6e4b1"><code>2b72abc</code></a>
7.5.10</li>
<li>Additional commits viewable in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.9...v7.5.13">compare
view</a></li>
</ul>
</details>
<br />
Updates `undici` from 6.23.0 to 6.24.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/nodejs/undici/releases">undici's
releases</a>.</em></p>
<blockquote>
<h2>v6.24.1</h2>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/nodejs/undici/compare/v6.24.0...v6.24.1">https://github.com/nodejs/undici/compare/v6.24.0...v6.24.1</a></p>
<h2>v6.24.0</h2>
<h1>Undici v6.24.0 Security Release Notes (LTS)</h1>
<p>This release backports fixes for security vulnerabilities affecting
the v6 line.</p>
<h2>Upgrade guidance</h2>
<p>All users on v6 should upgrade to <strong>v6.24.0</strong> or
later.</p>
<h2>Fixed advisories</h2>
<ul>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm">GHSA-2mjp-6q6p-2qxm</a>
/ CVE-2026-1525 (Medium)<br />
Inconsistent interpretation of HTTP requests (request/response smuggling
class issue).</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj">GHSA-f269-vfmq-vjvj</a>
/ CVE-2026-1528 (High)<br />
Malicious WebSocket 64-bit frame length handling could crash the
client.</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq">GHSA-4992-7rv2-5pvq</a>
/ CVE-2026-1527 (Medium)<br />
CRLF injection via the <code>upgrade</code> option.</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8">GHSA-v9p9-hfj2-hcw8</a>
/ CVE-2026-2229 (High)<br />
Unhandled exception from invalid <code>server_max_window_bits</code> in
WebSocket permessage-deflate negotiation.</p>
</li>
<li>
<p><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q">GHSA-vrm6-8vpv-qv8q</a>
/ CVE-2026-1526 (High)<br />
Unbounded memory consumption in WebSocket permessage-deflate
decompression.</p>
</li>
</ul>
<h2>Not applicable to v6</h2>
<ul>
<li><a
href="https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h">GHSA-phc3-fgpg-7m6h</a>
/ CVE-2026-2581 affects <code>>= 7.17.0 < 7.24.0</code> only.</li>
</ul>
<h2>Affected and patched ranges (v6)</h2>
<ul>
<li>CVE-2026-1525: affected <code>< 6.24.0</code>, patched
<code>6.24.0</code></li>
<li>CVE-2026-1528: affected <code>>= 6.0.0 < 6.24.0</code>,
patched <code>6.24.0</code></li>
<li>CVE-2026-1527: affected <code>< 6.24.0</code>, patched
<code>6.24.0</code></li>
<li>CVE-2026-2229: affected <code>< 6.24.0</code>, patched
<code>6.24.0</code></li>
<li>CVE-2026-1526: affected <code>< 6.24.0</code>, patched
<code>6.24.0</code></li>
</ul>
<h2>References</h2>
<ul>
<li>GitHub Security Advisories: <a
href="https://github.com/nodejs/undici/security/advisories">https://github.com/nodejs/undici/security/advisories</a></li>
<li>NVD CVE-2026-1525: <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-1525">https://nvd.nist.gov/vuln/detail/CVE-2026-1525</a></li>
<li>NVD CVE-2026-1528: <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-1528">https://nvd.nist.gov/vuln/detail/CVE-2026-1528</a></li>
<li>NVD CVE-2026-1527: <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-1527">https://nvd.nist.gov/vuln/detail/CVE-2026-1527</a></li>
<li>NVD CVE-2026-2229: <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-2229">https://nvd.nist.gov/vuln/detail/CVE-2026-2229</a></li>
<li>NVD CVE-2026-1526: <a
href="https://nvd.nist.gov/vuln/detail/CVE-2026-1526">https://nvd.nist.gov/vuln/detail/CVE-2026-1526</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/nodejs/undici/commit/c0cf656ef5e66f7372a7e57d08c6cbdd5b127e82"><code>c0cf656</code></a>
Bumped v6.24.1</li>
<li><a
href="https://github.com/nodejs/undici/commit/f5a9f0ccbe958e7d0cfd7b63a9a8d195378ac6f6"><code>f5a9f0c</code></a>
Fix v6 release workflow branch targeting</li>
<li><a
href="https://github.com/nodejs/undici/commit/af2cb8fe01320f189394bef193c2d5b441fcfe6f"><code>af2cb8f</code></a>
wqremove maxDecompressedMessageSize (<a
href="https://redirect.github.com/nodejs/undici/issues/4891">#4891</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/8873c947271faf1ebc455bdc6158ecbc022ecfa9"><code>8873c94</code></a>
Bumped v6.24.0</li>
<li><a
href="https://github.com/nodejs/undici/commit/411bd01a42e7917009bbf686f7628b99d67bbce9"><code>411bd01</code></a>
test(websocket): use node:assert for Node 18 compatibility</li>
<li><a
href="https://github.com/nodejs/undici/commit/844bf59699d778944f78a24ae819c0e8f295766e"><code>844bf59</code></a>
test: fix http2 lint regressions in backport</li>
<li><a
href="https://github.com/nodejs/undici/commit/a444e4f13e8958b4e1ac42bc0d53ace7fba0a9c1"><code>a444e4f</code></a>
test: stabilize h2 and tls-cert-leak under current test runner</li>
<li><a
href="https://github.com/nodejs/undici/commit/dc032a1050d5489b8ce9b4c22aafba98a942f87b"><code>dc032a1</code></a>
fix: h2 CI (<a
href="https://redirect.github.com/nodejs/undici/issues/4395">#4395</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/4cd3f4b3a2ef910ba728c47ae78294d956410450"><code>4cd3f4b</code></a>
test: increase bitness in <code>test/fixtures/*.pem</code> (<a
href="https://redirect.github.com/nodejs/undici/issues/3659">#3659</a>)</li>
<li><a
href="https://github.com/nodejs/undici/commit/7df6442194b7a54e9ac734335e6e0a56a9bc6666"><code>7df6442</code></a>
fix: adapt websocket frame-limit handling for v6 parser</li>
<li>Additional commits viewable in <a
href="https://github.com/nodejs/undici/compare/v6.23.0...v6.24.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `yaml` from 2.8.2 to 2.8.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/eemeli/yaml/releases">yaml's
releases</a>.</em></p>
<blockquote>
<h2>v2.8.3</h2>
<ul>
<li>Add <code>trailingComma</code> ToString option for multiline flow
formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li>Catch stack overflow during node composition (1e84ebb)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/eemeli/yaml/commit/ce14587484822bffb0f7d31aefedcaf2dc0d0387"><code>ce14587</code></a>
2.8.3</li>
<li><a
href="https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b"><code>1e84ebb</code></a>
fix: Catch stack overflow during node composition</li>
<li><a
href="https://github.com/eemeli/yaml/commit/6b24090280eaaab5040112bba41ccef57f39c2d5"><code>6b24090</code></a>
ci: Include Prettier check in lint action</li>
<li><a
href="https://github.com/eemeli/yaml/commit/9424dee38c85163fad53ac27533c7c4bdaf7495d"><code>9424dee</code></a>
chore: Refresh lockfile</li>
<li><a
href="https://github.com/eemeli/yaml/commit/d1aca82bc15a4c261bdc58561d32189a5d3a45ef"><code>d1aca82</code></a>
Add trailingComma ToString option for multiline flow formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li><a
href="https://github.com/eemeli/yaml/commit/43215099f7fcdac422d778c15e70d83c691b0e41"><code>4321509</code></a>
ci: Drop the branch filter from GitHub PR actions</li>
<li><a
href="https://github.com/eemeli/yaml/commit/47207d0fc7d4f863cd5fbdcff1378637bd93e847"><code>47207d0</code></a>
chore: Update docs-slate</li>
<li><a
href="https://github.com/eemeli/yaml/commit/5212faeed5936d1fa291d2f28672e4a96e2c2c5d"><code>5212fae</code></a>
chore: Update docs-slate</li>
<li>See full diff in <a
href="https://github.com/eemeli/yaml/compare/v2.8.2...v2.8.3">compare
view</a></li>
</ul>
</details>
<br />
Updates `ajv` from 6.12.6 to 6.14.0
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ajv-validator/ajv/commit/e3af0a723b4b7ad86eff43be355c706d31e0e915"><code>e3af0a7</code></a>
6.14.0</li>
<li><a
href="https://github.com/ajv-validator/ajv/commit/b552ed66191eb338498df3196065c777e3bb71f2"><code>b552ed6</code></a>
add regExp option to address $data exploit via a regular expression
(CVE-2025...</li>
<li><a
href="https://github.com/ajv-validator/ajv/commit/72f228665859eed5e2be3a66f8c4a7aff6b34dcf"><code>72f2286</code></a>
docs: update v7 info</li>
<li><a
href="https://github.com/ajv-validator/ajv/commit/231e52b3bca62559202b95e5fb5cee02145b226a"><code>231e52b</code></a>
Merge pull request <a
href="https://redirect.github.com/ajv-validator/ajv/issues/1320">#1320</a>
from philsturgeon/patch-1</li>
<li><a
href="https://github.com/ajv-validator/ajv/commit/d3475fc20416c33fe030c8aa3b09fa411f325bbd"><code>d3475fc</code></a>
Add spectral, an AJV util from a sponsor</li>
<li><a
href="https://github.com/ajv-validator/ajv/commit/413afe01f518ea74d1740a7cb211df787c585544"><code>413afe0</code></a>
docs: v7.0.0-beta.3</li>
<li><a
href="https://github.com/ajv-validator/ajv/commit/11e997bda2f3eecb445c1e5a07d96ef7e81c5f5d"><code>11e997b</code></a>
update readme for v7</li>
<li>See full diff in <a
href="https://github.com/ajv-validator/ajv/compare/v6.12.6...v6.14.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `brace-expansion` from 1.1.12 to 1.1.13
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/juliangruber/brace-expansion/commit/6c353caf23beb9644f858eb3fe38d43a68b82898"><code>6c353ca</code></a>
1.1.13</li>
<li><a
href="https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2"><code>7fd684f</code></a>
Backport fix for GHSA-f886-m6hf-6m8v (<a
href="https://redirect.github.com/juliangruber/brace-expansion/issues/95">#95</a>)</li>
<li>See full diff in <a
href="https://github.com/juliangruber/brace-expansion/compare/v1.1.12...v1.1.13">compare
view</a></li>
</ul>
</details>
<br />
Updates `lodash` from 4.17.21 to 4.17.23
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lodash/lodash/commit/dec55b7a3b382da075e2eac90089b4cd00a26cbb"><code>dec55b7</code></a>
Bump main to v4.17.23 (<a
href="https://redirect.github.com/lodash/lodash/issues/6088">#6088</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/19c9251b3631d7cf220b43bc757eb33f1084f117"><code>19c9251</code></a>
fix: setCacheHas JSDoc return type should be boolean (<a
href="https://redirect.github.com/lodash/lodash/issues/6071">#6071</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/b5e672995ae26929d111a6e94589f8d03fb8e578"><code>b5e6729</code></a>
jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (<a
href="https://redirect.github.com/lodash/lodash/issues/6062">#6062</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81"><code>edadd45</code></a>
Prevent prototype pollution on baseUnset function</li>
<li><a
href="https://github.com/lodash/lodash/commit/4879a7a7d0a4494b0e83c7fa21bcc9fc6e7f1a6d"><code>4879a7a</code></a>
doc: fix autoLink function, conversion of source links (<a
href="https://redirect.github.com/lodash/lodash/issues/6056">#6056</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/9648f692b0fc7c2f6a7a763d754377200126c2e8"><code>9648f69</code></a>
chore: remove <code>yarn.lock</code> file (<a
href="https://redirect.github.com/lodash/lodash/issues/6053">#6053</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/dfa407db0bf5b200f2c7a9e4f06830ceaf074be9"><code>dfa407d</code></a>
ci: remove legacy configuration files (<a
href="https://redirect.github.com/lodash/lodash/issues/6052">#6052</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/156e1965ae78b121a88f81178ab81632304e8d64"><code>156e196</code></a>
feat: add renovate setup (<a
href="https://redirect.github.com/lodash/lodash/issues/6039">#6039</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/933e1061b8c344d3fc742cdc400175d5ffc99bce"><code>933e106</code></a>
ci: add pipeline for Bun (<a
href="https://redirect.github.com/lodash/lodash/issues/6023">#6023</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/072a807ff7ad8ffc7c1d2c3097266e815d138e20"><code>072a807</code></a>
docs: update links related to Open JS Foundation (<a
href="https://redirect.github.com/lodash/lodash/issues/5968">#5968</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lodash/lodash/compare/4.17.21...4.17.23">compare
view</a></li>
</ul>
</details>
<br />
Updates `markdown-it` from 14.1.0 to 14.1.1
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md">markdown-it's
changelog</a>.</em></p>
<blockquote>
<h2>[14.1.1] - 2026-01-11</h2>
<h3>Security</h3>
<ul>
<li>Fixed regression from v13 in linkify inline rule. Specific patterns
could
cause high CPU use. Thanks to <a
href="https://github.com/ltduc147"><code>@ltduc147</code></a> for
report.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/markdown-it/markdown-it/commit/b4a9b659ef5734223731cfaa3ad5eacc6fc22918"><code>b4a9b65</code></a>
14.1.1 released</li>
<li><a
href="https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26"><code>4b4bbca</code></a>
Fixed perf regression in linkify-it wrapper</li>
<li><a
href="https://github.com/markdown-it/markdown-it/commit/d2782d892a51201b25d3eeab172201ad5a53a24c"><code>d2782d8</code></a>
Add supplementary example-driven documentation (<a
href="https://redirect.github.com/markdown-it/markdown-it/issues/1092">#1092</a>)</li>
<li>See full diff in <a
href="https://github.com/markdown-it/markdown-it/compare/14.1.0...14.1.1">compare
view</a></li>
</ul>
</details>
<br />
Updates `picomatch` from 2.3.1 to 2.3.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/picomatch/releases">picomatch's
releases</a>.</em></p>
<blockquote>
<h2>2.3.2</h2>
<p>This is a security release fixing several security relevant
issues.</p>
<h2>What's Changed</h2>
<ul>
<li>fix: exception when glob pattern contains constructor by <a
href="https://github.com/Jason3S"><code>@Jason3S</code></a> in <a
href="https://redirect.github.com/micromatch/picomatch/pull/144">micromatch/picomatch#144</a></li>
<li>Fix for <a
href="https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj">CVE-2026-33671</a></li>
<li>Fix for <a
href="https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p">CVE-2026-33672</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2">https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md">picomatch's
changelog</a>.</em></p>
<blockquote>
<h1>Release history</h1>
<p><strong>All notable changes to this project will be documented in
this file.</strong></p>
<p>The format is based on <a
href="http://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>
and this project adheres to <a
href="http://semver.org/spec/v2.0.0.html">Semantic Versioning</a>.</p>
<!-- raw HTML omitted -->
<ul>
<li>Changelogs are for humans, not machines.</li>
<li>There should be an entry for every single version.</li>
<li>The same types of changes should be grouped.</li>
<li>Versions and sections should be linkable.</li>
<li>The latest version comes first.</li>
<li>The release date of each versions is displayed.</li>
<li>Mention whether you follow Semantic Versioning.</li>
</ul>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<p>Changelog entries are classified using the following labels <em>(from
<a href="http://keepachangelog.com/">keep-a-changelog</a></em>):</p>
<ul>
<li><code>Added</code> for new features.</li>
<li><code>Changed</code> for changes in existing functionality.</li>
<li><code>Deprecated</code> for soon-to-be removed features.</li>
<li><code>Removed</code> for now removed features.</li>
<li><code>Fixed</code> for any bug fixes.</li>
<li><code>Security</code> in case of vulnerabilities.</li>
</ul>
<!-- raw HTML omitted -->
<h2>4.0.0 (2024-02-07)</h2>
<h3>Fixes</h3>
<ul>
<li>Fix bad text values in parse <a
href="https://redirect.github.com/micromatch/picomatch/issues/126">#126</a>,
thanks to <a
href="https://github.com/connor4312"><code>@connor4312</code></a></li>
</ul>
<h3>Changed</h3>
<ul>
<li>Remove process global to work outside of node <a
href="https://redirect.github.com/micromatch/picomatch/issues/129">#129</a>,
thanks to <a
href="https://github.com/styfle"><code>@styfle</code></a></li>
<li>Add sideEffects to package.json <a
href="https://redirect.github.com/micromatch/picomatch/issues/128">#128</a>,
thanks to <a
href="https://github.com/frandiox"><code>@frandiox</code></a></li>
<li>Removed <code>os</code>, make compatible browser environment. See <a
href="https://redirect.github.com/micromatch/picomatch/issues/124">#124</a>,
thanks to <a
href="https://github.com/gwsbhqt"><code>@gwsbhqt</code></a></li>
</ul>
<h2>3.0.1</h2>
<h3>Fixes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/micromatch/picomatch/commit/81cba8d4b767cab3cb29d26eb4f691eed75b73b2"><code>81cba8d</code></a>
Publish 2.3.2</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/fc1f6b69006e9435caf8fb40d8aff378bc0b7bce"><code>fc1f6b6</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/eec17aee5428a7249e9ca5adbb8a0d28fa29619b"><code>eec17ae</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/78f8ca4362d9e66cadea97b93e292f10096452ed"><code>78f8ca4</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/picomatch/issues/156">#156</a>
from micromatch/backport-144</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/3f4f10eaa65bf3a52e8f2999674cd27e11fa3c9b"><code>3f4f10e</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/picomatch/issues/144">#144</a>
from Jason3S/jdent-object-properties</li>
<li>See full diff in <a
href="https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `qs` from 6.14.0 to 6.14.2
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's
changelog</a>.</em></p>
<blockquote>
<h2><strong>6.14.2</strong></h2>
<ul>
<li>[Fix] <code>parse</code>: mark overflow objects for indexed notation
exceeding <code>arrayLimit</code> (<a
href="https://redirect.github.com/ljharb/qs/issues/546">#546</a>)</li>
<li>[Fix] <code>arrayLimit</code> means max count, not max index, in
<code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li>
<li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded
with indexed notation when <code>throwOnLimitExceeded</code> is true (<a
href="https://redirect.github.com/ljharb/qs/issues/529">#529</a>)</li>
<li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on
<code>comma</code>-parsed values</li>
<li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as
max index; remove extraneous comments (<a
href="https://redirect.github.com/ljharb/qs/issues/545">#545</a>)</li>
<li>[Robustness] avoid <code>.push</code>, use <code>void</code></li>
<li>[readme] document that <code>addQueryPrefix</code> does not add
<code>?</code> to empty output (<a
href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li>
<li>[readme] clarify <code>parseArrays</code> and
<code>arrayLimit</code> documentation (<a
href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li>
<li>[readme] replace runkit CI badge with shields.io check-runs
badge</li>
<li>[meta] fix changelog typo (<code>arrayLength</code> →
<code>arrayLimit</code>)</li>
<li>[actions] fix rebase workflow permissions</li>
</ul>
<h2><strong>6.14.1</strong></h2>
<ul>
<li>[Fix] ensure <code>arrayLimit</code> applies to <code>[]</code>
notation as well</li>
<li>[Fix] <code>parse</code>: when a custom decoder returns
<code>null</code> for a key, ignore that key</li>
<li>[Refactor] <code>parse</code>: extract key segment splitting
helper</li>
<li>[meta] add threat model</li>
<li>[actions] add workflow permissions</li>
<li>[Tests] <code>stringify</code>: increase coverage</li>
<li>[Dev Deps] update <code>eslint</code>,
<code>@ljharb/eslint-config</code>, <code>npmignore</code>,
<code>es-value-fixtures</code>, <code>for-each</code>,
<code>object-inspect</code></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ljharb/qs/commit/bdcf0c7f82387c18ac8fabfccd2f440645cef47b"><code>bdcf0c7</code></a>
v6.14.2</li>
<li><a
href="https://github.com/ljharb/qs/commit/294db90c812ddbe7d7a35d5687c505fd21a2d6a2"><code>294db90</code></a>
[readme] document that <code>addQueryPrefix</code> does not add
<code>?</code> to empty output</li>
<li><a
href="https://github.com/ljharb/qs/commit/5c308e5516c270a78caa6f278465914090f91ec6"><code>5c308e5</code></a>
[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code>
documentation</li>
<li><a
href="https://github.com/ljharb/qs/commit/6addf8cf738d529c54d91f6f3ffb6c1be91bbfdc"><code>6addf8c</code></a>
[Fix] <code>parse</code>: mark overflow objects for indexed notation
exceeding <code>arrayLimit</code></li>
<li><a
href="https://github.com/ljharb/qs/commit/cfc108f662326d6ab540f3545ef0b832baf83cdf"><code>cfc108f</code></a>
[Fix] <code>arrayLimit</code> means max count, not max index, in
<code>combine</code>/<code>merge</code>/`pars...</li>
<li><a
href="https://github.com/ljharb/qs/commit/febb64442a80e49200211fa38d3c96b58024ac77"><code>febb644</code></a>
[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with
indexed notation when `thr...</li>
<li><a
href="https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482"><code>f6a7abf</code></a>
[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on
<code>comma</code>-parsed values</li>
<li><a
href="https://github.com/ljharb/qs/commit/fbc5206c25b4d1851cea683f02c10756c521d15a"><code>fbc5206</code></a>
[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max
index; remove e...</li>
<li><a
href="https://github.com/ljharb/qs/commit/1b9a8b4e78c6aff4c22fa559107227f02fd0216a"><code>1b9a8b4</code></a>
[actions] fix rebase workflow permissions</li>
<li><a
href="https://github.com/ljharb/qs/commit/2a35775614e0fb46ac8a3060201a32a7c23a7fda"><code>2a35775</code></a>
[meta] fix changelog typo (<code>arrayLength</code> →
<code>arrayLimit</code>)</li>
<li>Additional commits viewable in <a
href="https://github.com/ljharb/qs/compare/v6.14.0...v6.14.2">compare
view</a></li>
</ul>
</details>
<br />
Updates `svgo` from 3.3.2 to 3.3.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/svg/svgo/releases">svgo's
releases</a>.</em></p>
<blockquote>
<h2>v3.3.3</h2>
<h2>What's Changed</h2>
<h3>Dependencies</h3>
<ul>
<li>Migrates from our unsupported fork of sax (<a
href="https://www.npmjs.com/package/@trysound/sax"><code>@trysound/sax</code></a>)
to the upstream version of sax (<a
href="https://www.npmjs.com/package/sax">sax</a>).</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>No longer throws error when encountering comments in DTD.</li>
</ul>
<h2>Metrics</h2>
<p>Before and after of the browser bundle of each respective
version:</p>
<table>
<thead>
<tr>
<th></th>
<th>v3.3.2</th>
<th>v3.3.3</th>
<th>Delta</th>
</tr>
</thead>
<tbody>
<tr>
<td>svgo.browser.js</td>
<td>910.9 kB</td>
<td>912.9 kB</td>
<td>⬆️ 2 kB</td>
</tr>
</tbody>
</table>
<h2>Support</h2>
<p>SVGO v3 is not officially supported, please consider upgrading to
SVGO v4 instead. We've backported this fix as there are security
implications, but there is no commitment to do this for more complex
changes in future.</p>
<p>Consider reading our <a
href="https://svgo.dev/docs/migrations/migration-from-v3-to-v4/">Migration
Guide from v3 to v4</a> which should ease the process.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/svg/svgo/commit/bbab162534d89654ac51c30dd6e62d7163b48a5e"><code>bbab162</code></a>
deps: upgrade to sax v1.5.0</li>
<li>See full diff in <a
href="https://github.com/svg/svgo/compare/v3.3.2...v3.3.3">compare
view</a></li>
</ul>
</details>
<br />
Updates `tar` from 7.5.2 to 7.5.13
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/isaacs/node-tar/commit/d6611ae951056addb77c6e11baf7bcc9d7648e46"><code>d6611ae</code></a>
7.5.13</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/119c401f4f7efbeb112d28f9dfc9c489674c9a79"><code>119c401</code></a>
fix(extract): prevent raced symlink writes outside cwd</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/2a294d3fbb24c18dc80f31059f49dd9af15653fe"><code>2a294d3</code></a>
7.5.12</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/01082a42c3256ca6054f9627911cce4dbfe00d92"><code>01082a4</code></a>
fix: reject top promise on floating addFilesAsync rejections</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/dd1c36ab7acff26e5a34935d17f27a45bb088db3"><code>dd1c36a</code></a>
linting</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/35a1ffe73eb4aa05cd2613f8fdcfb4c9c9ed59f9"><code>35a1ffe</code></a>
doc: more clarity in security warning</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/bf776f673164215074b62749e0fe80e5834588f4"><code>bf776f6</code></a>
7.5.11</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad"><code>f48b5fa</code></a>
prevent escaping symlinks with drive-relative paths</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/97cff15d3539a37a4095eb3d287147d9d77c2dc3"><code>97cff15</code></a>
docs: more security info</li>
<li><a
href="https://github.com/isaacs/node-tar/commit/2b72abc1d47c3570e1ad95c9ab557fc4c2e6e4b1"><code>2b72abc</code></a>
7.5.10</li>
<li>Additional commits viewable in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.9...v7.5.13">compare
view</a></li>
</ul>
</details>
<br />
Updates `yaml` from 1.10.2 to 1.10.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/eemeli/yaml/releases">yaml's
releases</a>.</em></p>
<blockquote>
<h2>v2.8.3</h2>
<ul>
<li>Add <code>trailingComma</code> ToString option for multiline flow
formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li>Catch stack overflow during node composition (1e84ebb)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/eemeli/yaml/commit/ce14587484822bffb0f7d31aefedcaf2dc0d0387"><code>ce14587</code></a>
2.8.3</li>
<li><a
href="https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b"><code>1e84ebb</code></a>
fix: Catch stack overflow during node composition</li>
<li><a
href="https://github.com/eemeli/yaml/commit/6b24090280eaaab5040112bba41ccef57f39c2d5"><code>6b24090</code></a>
ci: Include Prettier check in lint action</li>
<li><a
href="https://github.com/eemeli/yaml/commit/9424dee38c85163fad53ac27533c7c4bdaf7495d"><code>9424dee</code></a>
chore: Refresh lockfile</li>
<li><a
href="https://github.com/eemeli/yaml/commit/d1aca82bc15a4c261bdc58561d32189a5d3a45ef"><code>d1aca82</code></a>
Add trailingComma ToString option for multiline flow formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li><a
href="https://github.com/eemeli/yaml/commit/43215099f7fcdac422d778c15e70d83c691b0e41"><code>4321509</code></a>
ci: Drop the branch filter from GitHub PR actions</li>
<li><a
href="https://github.com/eemeli/yaml/commit/47207d0fc7d4f863cd5fbdcff1378637bd93e847"><code>47207d0</code></a>
chore: Update docs-slate</li>
<li><a
href="https://github.com/eemeli/yaml/commit/5212faeed5936d1fa291d2f28672e4a96e2c2c5d"><code>5212fae</code></a>
chore: Update docs-slate</li>
<li>See full diff in <a
href="https://github.com/eemeli/yaml/compare/v2.8.2...v2.8.3">compare
view</a></li>
</ul>
</details>
<br />
Updates `path-to-regexp` from 0.1.12 to 0.1.13
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/pillarjs/path-to-regexp/releases">path-to-regexp's
releases</a>.</em></p>
<blockquote>
<h2>0.1.13</h2>
<h2>Important</h2>
<ul>
<li>Fix <a
href="https://www.cve.org/CVERecord?id=CVE-2026-4867">CVE-2026-4867</a>
(<a
href="https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2">GHSA-37ch-88jc-xwx2</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/pillarjs/path-to-regexp/compare/v0.1.12...v.0.1.13">https://github.com/pillarjs/path-to-regexp/compare/v0.1.12...v.0.1.13</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md">path-to-regexp's
changelog</a>.</em></p>
<blockquote>
<h1>0.1.13 / 2026-03-26</h1>
<ul>
<li>Fix <a
href="https://www.cve.org/CVERecord?id=CVE-2026-4867">CVE-2026-4867</a>
(<a
href="https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2">GHSA-37ch-88jc-xwx2</a>)</li>
</ul>
<h1>0.1.7 / 2015-07-28</h1>
<ul>
<li>Fixed regression with escaped round brackets and matching
groups.</li>
</ul>
<h1>0.1.6 / 2015-06-19</h1>
<ul>
<li>Replace <code>index</code> feature by outputting all parameters,
unnamed and named.</li>
</ul>
<h1>0.1.5 / 2015-05-08</h1>
<ul>
<li>Add an index property for position in match result.</li>
</ul>
<h1>0.1.4 / 2015-03-05</h1>
<ul>
<li>Add license information</li>
</ul>
<h1>0.1.3 / 2014-07-06</h1>
<ul>
<li>Better array support</li>
<li>Improved support for trailing slash in non-ending mode</li>
</ul>
<h1>0.1.0 / 2014-03-06</h1>
<ul>
<li>add options.end</li>
</ul>
<h1>0.0.2 / 2013-02-10</h1>
<ul>
<li>Update to match current express</li>
<li>add .license property to component.json</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/pillarjs/path-to-regexp/commit/9fd0c879f232c2464591f56dd7c7edad7f45b4e0"><code>9fd0c87</code></a>
0.1.13 (<a
href="https://redirect.github.com/pillarjs/path-to-regexp/issues/425">#425</a>)</li>
<li><a
href="https://github.com/pillarjs/path-to-regexp/commit/7ccf02cee33402f06ed2125085992ee9cd3a7c45"><code>7ccf02c</code></a>
fix: CVE-2026-4867</li>
<li>See full diff in <a
href="https://github.com/pillarjs/path-to-regexp/compare/v0.1.12...v.0.1.13">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~ulisesgascon">ulisesgascon</a>, a new
releaser for path-to-regexp since your current version.</p>
</details>
<br />
Updates `webpack` from 5.103.0 to 5.105.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/webpack/webpack/releases">webpack's
releases</a>.</em></p>
<blockquote>
<h2>v5.105.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>Add <code>Module.getSourceBasicTypes</code> to distinguish basic
source types and clarify how modules with non-basic source types like
<code>remote</code> still produce JavaScript output. (by <a
href="https://github.com/xiaoxiaojx"><code>@xiaoxiaojx</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20546">#20546</a>)</p>
</li>
<li>
<p>Handle <code>createRequire</code> in expressions. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20549">#20549</a>)</p>
</li>
<li>
<p>Fixed types for multi stats. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20556">#20556</a>)</p>
</li>
<li>
<p>Remove empty needless js output for normal css module. (by <a
href="https://github.com/JSerFeng"><code>@JSerFeng</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20162">#20162</a>)</p>
</li>
<li>
<p>Update <code>enhanced-resolve</code> to support new features for
<code>tsconfig.json</code>. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20555">#20555</a>)</p>
</li>
<li>
<p>Narrows export presence guard detection to explicit existence checks
on namespace imports only, i.e. patterns like "x" in ns. (by
<a href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20561">#20561</a>)</p>
</li>
</ul>
<h2>v5.105.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>Context modules now handle rejections correctly. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20455">#20455</a>)</p>
</li>
<li>
<p>Only mark asset modules as side-effect-free when
<code>experimental.futureDefaults</code> is set to true, so
asset-copying use cases (e.g. <code>import "./x.png"</code>)
won’t break unless the option is enabled. (by <a
href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20535">#20535</a>)</p>
</li>
<li>
<p>Add the missing <strong>webpack_exports</strong> declaration in
certain cases when bundling a JS entry together with non-JS entries
(e.g., CSS entry or asset module entry). (by <a
href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20463">#20463</a>)</p>
</li>
<li>
<p>Fixed HMR failure for CSS modules with <a
href="https://github.com/import"><code>@import</code></a> when
exportType !== "link". When exportType is not
"link", CSS modules now behave like JavaScript modules and
don't require special HMR handling, allowing <a
href="https://github.com/import"><code>@import</code></a> CSS to work
correctly during hot module replacement. (by <a
href="https://github.com/xiaoxiaojx"><code>@xiaoxiaojx</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20514">#20514</a>)</p>
</li>
<li>
<p>Fixed an issue where empty JavaScript files were generated for
CSS-only entry points. The code now correctly checks if entry modules
have JavaScript source types before determining whether to generate a JS
file. (by <a
href="https://github.com/xiaoxiaojx"><code>@xiaoxiaojx</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20454">#20454</a>)</p>
</li>
<li>
<p>Do not crash when a referenced chunk is not a runtime chunk. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20461">#20461</a>)</p>
</li>
<li>
<p>Fix some types. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20412">#20412</a>)</p>
</li>
<li>
<p>Ensure that missing module error are thrown after the interception
handler (if present), allowing module interception to customize the
module factory. (by <a
href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20510">#20510</a>)</p>
</li>
<li>
<p>Added <code>createRequire</code> support for ECMA modules. (by <a
href="https://github.com/stefanbinoj"><code>@stefanbinoj</code></a> in
<a
href="https://redirect.github.com/webpack/webpack/pull/20497">#20497</a>)</p>
</li>
<li>
<p>Added category for CJS reexport dependency to fix issues with ECMA
modules. (by <a href="https://github.com/hai-x"><code>@hai-x</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20444">#20444</a>)</p>
</li>
<li>
<p>Implement immutable bytes for <code>bytes</code> import attribute to
match tc39 spec. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20481">#20481</a>)</p>
</li>
<li>
<p>Fixed deterministic search for graph roots regardless of edge order.
(by <a href="https://github.com/veeceey"><code>@veeceey</code></a> in
<a
href="https://redirect.github.com/webpack/webpack/pull/20452">#20452</a>)</p>
</li>
</ul>
<h2>v5.105.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>Fixed <code>WebpackPluginInstance</code> type regression. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20440">#20440</a>)</li>
</ul>
<h2>v5.105.1</h2>
<h3>Patch Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/webpack/webpack/blob/main/CHANGELOG.md">webpack's
changelog</a>.</em></p>
<blockquote>
<h2>5.105.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>Add <code>Module.getSourceBasicTypes</code> to distinguish basic
source types and clarify how modules with non-basic source types like
<code>remote</code> still produce JavaScript output. (by <a
href="https://github.com/xiaoxiaojx"><code>@xiaoxiaojx</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20546">#20546</a>)</p>
</li>
<li>
<p>Handle <code>createRequire</code> in expressions. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20549">#20549</a>)</p>
</li>
<li>
<p>Fixed types for multi stats. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20556">#20556</a>)</p>
</li>
<li>
<p>Remove empty needless js output for normal css module. (by <a
href="https://github.com/JSerFeng"><code>@JSerFeng</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20162">#20162</a>)</p>
</li>
<li>
<p>Update <code>enhanced-resolve</code> to support new features for
<code>tsconfig.json</code>. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20555">#20555</a>)</p>
</li>
<li>
<p>Narrows export presence guard detection to explicit existence checks
on namespace imports only, i.e. patterns like "x" in ns. (by
<a href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20561">#20561</a>)</p>
</li>
</ul>
<h2>5.105.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>Context modules now handle rejections correctly. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20455">#20455</a>)</p>
</li>
<li>
<p>Only mark asset modules as side-effect-free when
<code>experimental.futureDefaults</code> is set to true, so
asset-copying use cases (e.g. <code>import "./x.png"</code>)
won’t break unless the option is enabled. (by <a
href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20535">#20535</a>)</p>
</li>
<li>
<p>Add the missing <strong>webpack_exports</strong> declaration in
certain cases when bundling a JS entry together with non-JS entries
(e.g., CSS entry or asset module entry). (by <a
href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20463">#20463</a>)</p>
</li>
<li>
<p>Fixed HMR failure for CSS modules with <a
href="https://github.com/import"><code>@import</code></a> when
exportType !== "link". When exportType is not
"link", CSS modules now behave like JavaScript modules and
don't require special HMR handling, allowing <a
href="https://github.com/import"><code>@import</code></a> CSS to work
correctly during hot module replacement. (by <a
href="https://github.com/xiaoxiaojx"><code>@xiaoxiaojx</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20514">#20514</a>)</p>
</li>
<li>
<p>Fixed an issue where empty JavaScript files were generated for
CSS-only entry points. The code now correctly checks if entry modules
have JavaScript source types before determining whether to generate a JS
file. (by <a
href="https://github.com/xiaoxiaojx"><code>@xiaoxiaojx</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20454">#20454</a>)</p>
</li>
<li>
<p>Do not crash when a referenced chunk is not a runtime chunk. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20461">#20461</a>)</p>
</li>
<li>
<p>Fix some types. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20412">#20412</a>)</p>
</li>
<li>
<p>Ensure that missing module error are thrown after the interception
handler (if present), allowing module interception to customize the
module factory. (by <a
href="https://github.com/hai-x"><code>@hai-x</code></a> in <a
href="https://redirect.github.com/webpack/webpack/pull/20510">#20510</a>)</p>
</li>
<li>
<p>Added <code>createRequire</code> support for ECMA modules. (by <a
href="https://github.com/stefanbinoj"><code>@stefanbinoj</code></a> in
<a
href="https://redirect.github.com/webpack/webpack/pull/20497">#20497</a>)</p>
</li>
<li>
<p>Added category for CJS reexport dependency to fix issues with ECMA
modules. (by <a href="https://github.com/hai-x"><code>@hai-x</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20444">#20444</a>)</p>
</li>
<li>
<p>Implement immutable bytes for <code>bytes</code> import attribute to
match tc39 spec. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20481">#20481</a>)</p>
</li>
<li>
<p>Fixed deterministic search for graph roots regardless of edge order.
(by <a href="https://github.com/veeceey"><code>@veeceey</code></a> in
<a
href="https://redirect.github.com/webpack/webpack/pull/20452">#20452</a>)</p>
</li>
</ul>
<h2>5.105.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>Fixed <code>WebpackPluginInstance</code> type regression. (by <a
href="https://github.com/alexander-akait"><code>@alexander-akait</code></a>
in <a
href="https://redirect.github.com/webpack/webpack/pull/20440">#20440</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/webpack/webpack/commit/27c13b44c861908793f160f9f7413b32543c0522"><code>27c13b4</code></a>
chore(release): new release (<a
href="https://redirect.github.com/webpack/webpack/issues/20550">#20550</a>)</li>
<li><a
href="https://github.com/webpack…1 parent 922d6c0 commit 5211278
2 files changed
+133
-103
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4160 | 4160 | | |
4161 | 4161 | | |
4162 | 4162 | | |
4163 | | - | |
4164 | | - | |
4165 | | - | |
4166 | | - | |
4167 | | - | |
4168 | | - | |
4169 | | - | |
4170 | 4163 | | |
4171 | 4164 | | |
4172 | 4165 | | |
| |||
4842 | 4835 | | |
4843 | 4836 | | |
4844 | 4837 | | |
| 4838 | + | |
| 4839 | + | |
| 4840 | + | |
| 4841 | + | |
| 4842 | + | |
| 4843 | + | |
| 4844 | + | |
| 4845 | + | |
| 4846 | + | |
4845 | 4847 | | |
4846 | 4848 | | |
4847 | 4849 | | |
| |||
4901 | 4903 | | |
4902 | 4904 | | |
4903 | 4905 | | |
4904 | | - | |
4905 | | - | |
| 4906 | + | |
| 4907 | + | |
4906 | 4908 | | |
4907 | 4909 | | |
4908 | 4910 | | |
4909 | 4911 | | |
4910 | 4912 | | |
4911 | | - | |
| 4913 | + | |
4912 | 4914 | | |
4913 | 4915 | | |
4914 | 4916 | | |
| |||
5306 | 5308 | | |
5307 | 5309 | | |
5308 | 5310 | | |
5309 | | - | |
5310 | | - | |
| 5311 | + | |
| 5312 | + | |
5311 | 5313 | | |
5312 | 5314 | | |
5313 | 5315 | | |
5314 | | - | |
| 5316 | + | |
5315 | 5317 | | |
5316 | 5318 | | |
5317 | 5319 | | |
| |||
5333 | 5335 | | |
5334 | 5336 | | |
5335 | 5337 | | |
5336 | | - | |
| 5338 | + | |
5337 | 5339 | | |
5338 | 5340 | | |
5339 | 5341 | | |
| |||
6729 | 6731 | | |
6730 | 6732 | | |
6731 | 6733 | | |
6732 | | - | |
6733 | | - | |
6734 | | - | |
| 6734 | + | |
| 6735 | + | |
| 6736 | + | |
6735 | 6737 | | |
6736 | 6738 | | |
6737 | | - | |
6738 | | - | |
| 6739 | + | |
| 6740 | + | |
6739 | 6741 | | |
6740 | 6742 | | |
6741 | 6743 | | |
| |||
6797 | 6799 | | |
6798 | 6800 | | |
6799 | 6801 | | |
6800 | | - | |
6801 | | - | |
6802 | | - | |
6803 | | - | |
| 6802 | + | |
| 6803 | + | |
| 6804 | + | |
| 6805 | + | |
6804 | 6806 | | |
6805 | 6807 | | |
6806 | 6808 | | |
| |||
8908 | 8910 | | |
8909 | 8911 | | |
8910 | 8912 | | |
8911 | | - | |
8912 | | - | |
8913 | | - | |
| 8913 | + | |
| 8914 | + | |
| 8915 | + | |
8914 | 8916 | | |
8915 | 8917 | | |
8916 | 8918 | | |
| |||
8998 | 9000 | | |
8999 | 9001 | | |
9000 | 9002 | | |
9001 | | - | |
9002 | | - | |
| 9003 | + | |
| 9004 | + | |
9003 | 9005 | | |
9004 | 9006 | | |
9005 | 9007 | | |
| |||
9009 | 9011 | | |
9010 | 9012 | | |
9011 | 9013 | | |
9012 | | - | |
| 9014 | + | |
9013 | 9015 | | |
9014 | 9016 | | |
9015 | 9017 | | |
| |||
10606 | 10608 | | |
10607 | 10609 | | |
10608 | 10610 | | |
10609 | | - | |
10610 | | - | |
10611 | | - | |
| 10611 | + | |
| 10612 | + | |
| 10613 | + | |
10612 | 10614 | | |
10613 | 10615 | | |
10614 | 10616 | | |
| |||
10627 | 10629 | | |
10628 | 10630 | | |
10629 | 10631 | | |
10630 | | - | |
10631 | | - | |
10632 | | - | |
| 10632 | + | |
| 10633 | + | |
| 10634 | + | |
10633 | 10635 | | |
10634 | 10636 | | |
10635 | 10637 | | |
| |||
11633 | 11635 | | |
11634 | 11636 | | |
11635 | 11637 | | |
11636 | | - | |
11637 | | - | |
| 11638 | + | |
| 11639 | + | |
11638 | 11640 | | |
11639 | 11641 | | |
11640 | | - | |
| 11642 | + | |
11641 | 11643 | | |
11642 | 11644 | | |
11643 | 11645 | | |
| |||
12357 | 12359 | | |
12358 | 12360 | | |
12359 | 12361 | | |
| 12362 | + | |
| 12363 | + | |
| 12364 | + | |
| 12365 | + | |
| 12366 | + | |
| 12367 | + | |
| 12368 | + | |
12360 | 12369 | | |
12361 | 12370 | | |
12362 | 12371 | | |
| |||
13074 | 13083 | | |
13075 | 13084 | | |
13076 | 13085 | | |
13077 | | - | |
13078 | | - | |
| 13086 | + | |
| 13087 | + | |
13079 | 13088 | | |
13080 | | - | |
13081 | 13089 | | |
13082 | 13090 | | |
13083 | 13091 | | |
13084 | 13092 | | |
13085 | 13093 | | |
13086 | 13094 | | |
| 13095 | + | |
13087 | 13096 | | |
13088 | 13097 | | |
13089 | | - | |
| 13098 | + | |
13090 | 13099 | | |
13091 | 13100 | | |
13092 | 13101 | | |
| |||
13097 | 13106 | | |
13098 | 13107 | | |
13099 | 13108 | | |
13100 | | - | |
| 13109 | + | |
13101 | 13110 | | |
13102 | 13111 | | |
13103 | 13112 | | |
13104 | 13113 | | |
13105 | 13114 | | |
13106 | 13115 | | |
13107 | 13116 | | |
13108 | | - | |
13109 | | - | |
| 13117 | + | |
| 13118 | + | |
13110 | 13119 | | |
13111 | 13120 | | |
13112 | 13121 | | |
13113 | 13122 | | |
13114 | 13123 | | |
13115 | 13124 | | |
13116 | | - | |
| 13125 | + | |
13117 | 13126 | | |
13118 | 13127 | | |
13119 | 13128 | | |
13120 | | - | |
| 13129 | + | |
| 13130 | + | |
| 13131 | + | |
| 13132 | + | |
| 13133 | + | |
| 13134 | + | |
| 13135 | + | |
| 13136 | + | |
| 13137 | + | |
| 13138 | + | |
| 13139 | + | |
| 13140 | + | |
| 13141 | + | |
| 13142 | + | |
| 13143 | + | |
| 13144 | + | |
| 13145 | + | |
| 13146 | + | |
| 13147 | + | |
| 13148 | + | |
| 13149 | + | |
| 13150 | + | |
13121 | 13151 | | |
13122 | 13152 | | |
13123 | 13153 | | |
| |||
13689 | 13719 | | |
13690 | 13720 | | |
13691 | 13721 | | |
13692 | | - | |
13693 | | - | |
13694 | | - | |
| 13722 | + | |
| 13723 | + | |
| 13724 | + | |
13695 | 13725 | | |
13696 | 13726 | | |
13697 | 13727 | | |
13698 | | - | |
| 13728 | + | |
13699 | 13729 | | |
13700 | 13730 | | |
13701 | 13731 | | |
| |||
13823 | 13853 | | |
13824 | 13854 | | |
13825 | 13855 | | |
13826 | | - | |
13827 | | - | |
13828 | | - | |
13829 | | - | |
| 13856 | + | |
| 13857 | + | |
| 13858 | + | |
| 13859 | + | |
13830 | 13860 | | |
13831 | 13861 | | |
13832 | 13862 | | |
13833 | 13863 | | |
13834 | | - | |
13835 | | - | |
| 13864 | + | |
| 13865 | + | |
13836 | 13866 | | |
13837 | 13867 | | |
13838 | 13868 | | |
13839 | 13869 | | |
13840 | 13870 | | |
13841 | 13871 | | |
13842 | 13872 | | |
13843 | | - | |
| 13873 | + | |
13844 | 13874 | | |
13845 | | - | |
| 13875 | + | |
13846 | 13876 | | |
13847 | | - | |
13848 | | - | |
| 13877 | + | |
| 13878 | + | |
13849 | 13879 | | |
13850 | 13880 | | |
13851 | 13881 | | |
| |||
13856 | 13886 | | |
13857 | 13887 | | |
13858 | 13888 | | |
13859 | | - | |
13860 | | - | |
13861 | | - | |
| 13889 | + | |
| 13890 | + | |
| 13891 | + | |
13862 | 13892 | | |
13863 | 13893 | | |
13864 | 13894 | | |
13865 | 13895 | | |
13866 | 13896 | | |
13867 | | - | |
| 13897 | + | |
13868 | 13898 | | |
13869 | 13899 | | |
13870 | 13900 | | |
| |||
14055 | 14085 | | |
14056 | 14086 | | |
14057 | 14087 | | |
14058 | | - | |
14059 | | - | |
14060 | | - | |
| 14088 | + | |
| 14089 | + | |
| 14090 | + | |
14061 | 14091 | | |
14062 | 14092 | | |
14063 | 14093 | | |
| |||
0 commit comments