Bump the npm_and_yarn group across 1 directory with 16 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
@babel/helpers	7.21.5	7.28.6
brace-expansion	1.1.11	1.1.12
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
express	4.19.2	4.22.1
http-proxy-middleware	2.0.6	2.0.9
lodash	4.17.21	4.17.23
micromatch	4.0.5	4.0.8
nanoid	3.3.7	3.3.11
node-forge	1.3.1	1.3.3
prismjs	1.29.0	1.30.0
webpack	5.81.0	5.105.4

Updates @babel/helpers from 7.21.5 to 7.28.6

Release notes

Sourced from @​babel/helpers's releases.

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • #17589 Improve Unicode handling in code-frame tokenizer (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17556 fix: transform-regenerator correctly handles scope (@​liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • #17538 fix: Keep jsx comments (@​liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • #17606 Polish(standalone): improve message on invalid preset/plugin (@​JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • #17580 Allow Babel 8 in compatible Babel 7 plugins (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-react-jsx
  • #17555 perf: Use lighter traversal for jsx __source,__self (@​liuxingbaoyu)

Committers: 7

• Babel Bot (@​babel-bot)
• Eliot Pontarelli (@​kolvian)
• Huáng Jùnliàng (@​JLHwung)
• Kadhirash Sivakumar (@​kadhirash)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• coderaiser (@​coderaiser)

v7.28.5 (2025-10-23)

Thank you @​CO0Ki3, @​Olexandr88, and @​youthfulhps for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@​liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@​fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@​CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@​JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@​JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring

... (truncated)

Commits

• d7f4008 v7.28.6
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• c1b55f6 Use eslint.config.mts (#17573)
• 35055e3 v7.28.4
• 18d88b8 Improve @​babel/core typings (#17471)
• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• cac0ff4 v7.28.2
• f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
• baa4cb8 v7.27.6
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/helpers since your current version.

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates express from 4.19.2 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 4.22.1 by @​UlisesGascon in expressjs/express#6934

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits

• 12fae14 4.22.1
• 5ddf311 Revert "sec: security patch for CVE-2024-51999"
• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates http-proxy-middleware from 2.0.6 to 2.0.9

Release notes

Sourced from http-proxy-middleware's releases.

v2.0.9

What's Changed

• fix(fixRequestBody): check readableLength by @​chimurai in chimurai/http-proxy-middleware#1097
• chore(package): v2.0.9 by @​chimurai in chimurai/http-proxy-middleware#1099

Full Changelog: chimurai/http-proxy-middleware@v2.0.8...v2.0.9

v2.0.8

What's Changed

• fix(fixRequestBody): prevent multiple .write() calls by @​chimurai in chimurai/http-proxy-middleware#1090
• fix(fixRequestBody): handle invalid request by @​chimurai in chimurai/http-proxy-middleware#1091
• chore(package): v2.0.8 by @​chimurai in chimurai/http-proxy-middleware#1094

Full Changelog: chimurai/http-proxy-middleware@v2.0.7...v2.0.8

v2.0.7

Full Changelog: chimurai/http-proxy-middleware@v2.0.6...v2.0.7

v2.0.7-beta.1

Full Changelog: chimurai/http-proxy-middleware@v2.0.7-beta.0...v2.0.7-beta.1

v2.0.7-beta.0

Full Changelog: chimurai/http-proxy-middleware@v2.0.6...v2.0.7-beta.0

Changelog

Sourced from http-proxy-middleware's changelog.

v2.0.9

• fix(fixRequestBody): check readableLength

v2.0.8

• fix(fixRequestBody): prevent multiple .write() calls
• fix(fixRequestBody): handle invalid request

v2.0.7

• ci(github actions): add publish.yml
• fix(filter): handle errors

Commits

• 617a7c9 chore(package): v2.0.9 (#1099)
• d22d587 fix(fixRequestBody): check readableLength (#1097)
• d03d51b chore(package): v2.0.8 (#1094)
• c50dd06 fix(fixRequestBody): handle invalid request (#1091)
• 76a9d8d fix(fixRequestBody): prevent multiple .write() calls (#1090)
• 1e92339 ci(github-actions): fix npm tag
• 90afb7c chore(package): v2.0.7
• 0b4274e fix(filter): handle errors
• 1bd6dd5 ci(github actions): add publish.yml
• See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates nanoid from 3.3.7 to 3.3.11

Release notes

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Changelog

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

Commits

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• Additional commits viewable in compare view

Updates node-forge from 1.3.1 to 1.3.3

Changelog

Sourced from node-forge's changelog.

1.3.3 - 2025-12-02

Fixed

• [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues introduced in 1.3.2.

1.3.2 - 2025-11-25

Security

• HIGH: ASN.1 Validator Desynchronization
  • An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-12816
  • GHSA ID: GHSA-5gfm-wpxj-wjgq
• HIGH: ASN.1 Unbounded Recursion
  • An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66031
  • GHSA ID: GHSA-554w-wpv2-vw27
• MODERATE: ASN.1 OID Integer Truncation
  • An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions.
  • Reported by Hunter Wodzenski.
  • CVE ID: CVE-2025-66030
  • GHSA ID: GHSA-65ch-62r8-g69g

Fixed

• [asn1] Fix for vulnerability identified by CVE-2025-12816 PKCS#12 MAC verification bypass due to missing macData enforcement and improper asn1.validate routine.
• [asn1] Add fromDer() max recursion depth check.
  • Add a asn1.maxDepth global configurable maximum depth of 256.
  • Add a asn1.fromDer() per-call maxDepth option.
  • NOTE: The default maximum is assumed to be higher than needed for valid data. If this assumption is false then this could be a breaking change. Please file an issue if there are use cases that need a higher maximum.
  • NOTE: The per-call maxDepth parameter has not been exposed up through all of the API stack due to the complexities involved. Please file an issue if there are use cases that require this instead of changing the default

... (truncated)

Commits

• 1cea0af Release 1.3.3.
• 5265989 Update changelog.
• e4f3961 Fix changelog for release.
• 503979b Update changelog.
• c3b3b32 Make digestAlgorithm parameters optional
• 6f70043 Update CVE details.
• f547b0d Start 1.3.3-0.
• 235ad3e Release 1.3.2.
• 2598244 Update changelog.
• 0032dd0 Fix typos.
• Additional commits viewable in compare view

Updates path-to-regexp from 0.1.7 to 0.1.12

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking (again)

Fixed

• Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

• Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

• Add backtrack protection to parameters 29b96b4
  • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

• Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

• Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

• 640e694 0.1.12
• f01c26a Merge commit from fork
• 0c71192 0.1.11
• 8f09549 Add error on bad input values
• c827fce 0.1.10
• 29b96b4 Add backtrack protection to parameters
• ac4c234 Update repo url (#314)
• bdb6635 0.1.9
• c4272e4 Allow a non-lookahead regex (#312)
• 51a1955 0.1.8
• Additional commits viewable in compare view

Updates prismjs from 1.29.0 to 1.30.0

Release notes

Sourced from prismjs's releases.

v1.30.0

What's Changed

• check that currentScript is set by a script tag by @​lkuechler in PrismJS/prism#3863

New Contributors

• @​lkuechler made their first contribution in PrismJS/prism#3863

Full Changelog: PrismJS/prism@v1.29.0...v1.30.0

Changelog

Sourced from prismjs's changelog.

Prism Changelog

Commits

• 76dde18 Release 1.30.0
• 93cca40 npm pkg fix
• 99c5ca9 Add release script
• 8e8b935 check that currentScript is set by a script tag (#3863)
• f894dc2 Fix logo in the footer
• ac38dce Delete CNAME
• 9b5b09a Enable CORS
• See full diff in compare view

Maintainer changes

This version was pushed to npm by dmitrysharabin, a new releaser for prismjs since your current version.

Updates qs from 6.11.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates send from 0.18.0 to 0.19.2

Release notes

Sourced from send's releases.

0.19.2

What's Changed

• deps: use tilde notation and update certain dependencies by @​Phillip9587 in pillarjs/send#279
• Release: 0.19.2 by @​UlisesGascon in pillarjs/send#280

Full Changelog: pillarjs/send@0.19.1...0.19.2

0.19.1

What's Changed

• fix(deps): encodeurl@~2.0.0 by @​wesleytodd in pillarjs/send#240

Full Changelog: pillarjs/send@0.19.0...0.19.1

0.19.0

What's Changed

• Remove link renderization in html while redirecting (pillarjs/send#235)

New Contributors

• @​UlisesGascon made their first contribution in pillarjs/send#235

Full Changelog: pillarjs/send@0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.2 / 2025-12-15

• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: statuses@~2.0.2

0.19.1 / 2024-10-09

• deps: encodeurl@~2.0.0

0.19.0 / 2024-09-10

• Remove link renderization in html while redirecting

Commits

• 34ba03b 0.19.2 (#280)
• e53e4e5 deps: use tilde notation and update certain dependencies (#279)
• 19efaa3 0.19.1
• 0a9fa80 fix(deps): encodeurl@~2.0.0 (#240)
• 9d2db99 0.19.0
• ae4f298 Merge commit from fork
• See full diff in compare view

Maintainer changes

This vers...

Description has been truncated