Commit e537e06

dependabot[bot] authored and Ambient Code Bot committed
chore(deps): bump the npm_and_yarn group across 3 directories with 11 updates (#1155)
Bumps the npm_and_yarn group with 5 updates in the /components/frontend directory:

| Package | From | To |
| --- | --- | --- |
| [file-type](https://github.com/sindresorhus/file-type) | `21.3.0` | `21.3.2` |
| [next](https://github.com/vercel/next.js) | `16.1.5` | `16.2.2` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [undici](https://github.com/nodejs/undici) | `7.22.0` | `7.24.7` |

Bumps the npm_and_yarn group with 4 updates in the /docs directory: [devalue](https://github.com/sveltejs/devalue), [h3](https://github.com/h3js/h3), [smol-toml](https://github.com/squirrelchat/smol-toml) and [svgo](https://github.com/svg/svgo).

Bumps the npm_and_yarn group with 2 updates in the /e2e directory: [lodash](https://github.com/lodash/lodash) and [qs](https://github.com/ljharb/qs).

Updates `file-type` from 21.3.0 to 21.3.2
<details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sindresorhus/file-type/releases">file-type's releases</a>.</em></p> <blockquote> <h2>v21.3.2</h2> <ul> <li>Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7</li> <li>Fix bound recursive BOM and ID3 detection 370ed91</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.3.1...v21.3.2">https://github.com/sindresorhus/file-type/compare/v21.3.1...v21.3.2</a></p> <h2>v21.3.1</h2> <ul> <li>Fix infinite loop in ASF parser on malformed input (<a href="https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473">https://github.com/sindresorhus/file-type/security/advisories/GHSA-5v7r-6r5c-r473</a>) 319abf8</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1">https://github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a 
href="https://github.com/sindresorhus/file-type/commit/e18028c3cc19441477c3459991fee9770d88c218"><code>e18028c</code></a> 21.3.2</li> <li><a href="https://github.com/sindresorhus/file-type/commit/a155cd71323279de173c54e8c530d300d3854fdd"><code>a155cd7</code></a> Fix ZIP bomb in known-size ZIP probing</li> <li><a href="https://github.com/sindresorhus/file-type/commit/69548179cca2c0ab6a0cc93af59392f8c351cab1"><code>6954817</code></a> Harden parser more</li> <li><a href="https://github.com/sindresorhus/file-type/commit/370ed9185d112eea4d989fecb843597b1d94cf09"><code>370ed91</code></a> Fix bound recursive BOM and ID3 detection</li> <li><a href="https://github.com/sindresorhus/file-type/commit/d2ecea187c47b944a9c001ae7637f02baed0825a"><code>d2ecea1</code></a> Add a few more safeguards</li> <li><a href="https://github.com/sindresorhus/file-type/commit/41fcff5de64cfb53da6b2b9c048ebea8213f32c2"><code>41fcff5</code></a> Update readme</li> <li><a href="https://github.com/sindresorhus/file-type/commit/a8f6934ddd93c3e12cc4ecb0cfc3e8d816d4b9fd"><code>a8f6934</code></a> Fix CI</li> <li><a href="https://github.com/sindresorhus/file-type/commit/ad5857e5384874e853cc9c4c29b867f1135a7c30"><code>ad5857e</code></a> 21.3.1</li> <li><a href="https://github.com/sindresorhus/file-type/commit/5d2fedf104dc5067b51a1f31410aa60052c74f64"><code>5d2fedf</code></a> Harden parser</li> <li><a href="https://github.com/sindresorhus/file-type/commit/319abf871b50ba2fa221b4a7050059f1ae096f4f"><code>319abf8</code></a> Fix infinite loop in ASF parser on malformed input</li> <li>Additional commits viewable in <a href="https://github.com/sindresorhus/file-type/compare/v21.3.0...v21.3.2">compare view</a></li> </ul> </details> <br /> Updates `next` from 16.1.5 to 16.2.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/next.js/releases">next's releases</a>.</em></p> <blockquote> <h2>v16.2.2</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. 
It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>backport: Move expanded adapters docs to API reference (<a href="https://redirect.github.com/vercel/next.js/issues/92115">#92115</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/92129">#92129</a>)</li> <li>Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (<a href="https://redirect.github.com/vercel/next.js/issues/92130">#92130</a>)</li> <li>[create-next-app] Skip interactive prompts when CLI flags are provided (<a href="https://redirect.github.com/vercel/next.js/issues/91840">#91840</a>)</li> <li>next.config.js: Accept an option for serverFastRefresh (<a href="https://redirect.github.com/vercel/next.js/issues/91968">#91968</a>)</li> <li>Turbopack: enable server HMR for app route handlers (<a href="https://redirect.github.com/vercel/next.js/issues/91466">#91466</a>)</li> <li>Turbopack: exclude metadata routes from server HMR (<a href="https://redirect.github.com/vercel/next.js/issues/92034">#92034</a>)</li> <li>Fix CI for glibc linux builds</li> <li>Backport: disable bmi2 in qfilter <a href="https://redirect.github.com/vercel/next.js/issues/92177">#92177</a></li> <li>[backport] Fix CSS HMR on Safari (<a href="https://redirect.github.com/vercel/next.js/issues/92174">#92174</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/nextjs-bot"><code>@​nextjs-bot</code></a>, <a href="https://github.com/icyJoseph"><code>@​icyJoseph</code></a>, <a href="https://github.com/ijjk"><code>@​ijjk</code></a>, <a href="https://github.com/gaojude"><code>@​gaojude</code></a>, <a href="https://github.com/wbinnssmith"><code>@​wbinnssmith</code></a>, <a href="https://github.com/lukesandberg"><code>@​lukesandberg</code></a>, and <a href="https://github.com/bgw"><code>@​bgw</code></a> for helping!</p> <h2>v16.2.1</h2> <blockquote> <p>[!NOTE] This release is backporting bug fixes. 
It does <strong>not</strong> include all pending features/changes on canary.</p> </blockquote> <h3>Core Changes</h3> <ul> <li>docs: post release amends (<a href="https://redirect.github.com/vercel/next.js/issues/91715">#91715</a>)</li> <li>docs: fix broken Activity Patterns demo link in preserving UI state guide (<a href="https://redirect.github.com/vercel/next.js/issues/91698">#91698</a>)</li> <li>Fix adapter outputs for dynamic metadata routes (<a href="https://redirect.github.com/vercel/next.js/issues/91680">#91680</a>)</li> <li>Turbopack: fix webpack loader runner layer (<a href="https://redirect.github.com/vercel/next.js/issues/91727">#91727</a>)</li> <li>Fix server actions in standalone mode with <code>cacheComponents</code> (<a href="https://redirect.github.com/vercel/next.js/issues/91711">#91711</a>)</li> <li>turbo-persistence: remove Unmergeable mmap advice (<a href="https://redirect.github.com/vercel/next.js/issues/91713">#91713</a>)</li> <li>Fix layout segment optimization: move app-page imports to server-utility transition (<a href="https://redirect.github.com/vercel/next.js/issues/91701">#91701</a>)</li> <li>Turbopack: lazy require metadata and handle TLA (<a href="https://redirect.github.com/vercel/next.js/issues/91705">#91705</a>)</li> <li>[turbopack] Respect <code>{eval:true}</code> in worker_threads constructors (<a href="https://redirect.github.com/vercel/next.js/issues/91666">#91666</a>)</li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/icyJoseph"><code>@​icyJoseph</code></a>, <a href="https://github.com/abhishekmardiya"><code>@​abhishekmardiya</code></a>, <a href="https://github.com/ijjk"><code>@​ijjk</code></a>, <a href="https://github.com/mischnic"><code>@​mischnic</code></a>, <a href="https://github.com/unstubbable"><code>@​unstubbable</code></a>, <a href="https://github.com/sokra"><code>@​sokra</code></a>, and <a href="https://github.com/lukesandberg"><code>@​lukesandberg</code></a> for helping!</p> 
<h2>v16.2.1-canary.17</h2> <h3>Core Changes</h3> <ul> <li>Improve revalidateTag JSDoc to include guidance about required second parameter: <a href="https://redirect.github.com/vercel/next.js/issues/92176">#92176</a></li> <li>partial fallbacks: adapter support for intermediate shells: <a href="https://redirect.github.com/vercel/next.js/issues/91902">#91902</a></li> <li>docs: clarify id, filePath, and pathname in STATIC_FILE adapter output: <a href="https://redirect.github.com/vercel/next.js/issues/92227">#92227</a></li> <li>feat: add NEXT_HASH_SALT env var for content-hash filename salting: <a href="https://redirect.github.com/vercel/next.js/issues/91871">#91871</a></li> <li>Generate a CLI warning if using Rosetta 2 on Apple Silicon: <a href="https://redirect.github.com/vercel/next.js/issues/92220">#92220</a></li> </ul> <h3>Misc Changes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/next.js/commit/52faae3d94641584e13691238df5be158d0f00fb"><code>52faae3</code></a> v16.2.2</li> <li><a href="https://github.com/vercel/next.js/commit/8d0f77bfa210691875c264fdf83cfee4e9ae418f"><code>8d0f77b</code></a> Backport: <a href="https://redirect.github.com/vercel/next.js/issues/92177">#92177</a></li> <li><a href="https://github.com/vercel/next.js/commit/e151e5f84285ac569cf2ec311873200511eea8b3"><code>e151e5f</code></a> Fix CI for glibc linux builds</li> <li><a href="https://github.com/vercel/next.js/commit/1a319ea4dc564974371f9e7ff0f3693512fa018c"><code>1a319ea</code></a> [backport] Fix CSS HMR on Safari (<a href="https://redirect.github.com/vercel/next.js/issues/92174">#92174</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/c0edad2762d309cf9125c1dee361227c0f4327d1"><code>c0edad2</code></a> Turbopack: exclude metadata routes from server HMR (<a href="https://redirect.github.com/vercel/next.js/issues/92034">#92034</a>)</li> <li><a 
href="https://github.com/vercel/next.js/commit/d6446990d929c5560d652ce76634b450be057b4e"><code>d644699</code></a> Turbopack: enable server HMR for app route handlers (<a href="https://redirect.github.com/vercel/next.js/issues/91466">#91466</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/34de2cac2918aa570a4c12c6e3ae9ed3d70d1f7a"><code>34de2ca</code></a> next.config.js: Accept an option for serverFastRefresh (<a href="https://redirect.github.com/vercel/next.js/issues/91968">#91968</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/c4779d1b085a563f39faea86f7b84d5d9adc4f72"><code>c4779d1</code></a> [create-next-app] Skip interactive prompts when CLI flags are provided (<a href="https://redirect.github.com/vercel/next.js/issues/91840">#91840</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/edcf19ae132b5853bb9f9c41888887f7830c19ad"><code>edcf19a</code></a> Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (<a href="https://redirect.github.com/vercel/next.js/issues/92130">#92130</a>)</li> <li><a href="https://github.com/vercel/next.js/commit/eee3f524e9f7b322cbd82999fb0f4b90585cc7bf"><code>eee3f52</code></a> backport: Move expanded adapters docs to API reference (<a href="https://redirect.github.com/vercel/next.js/issues/92115">#92115</a>) (<a href="https://redirect.github.com/vercel/next.js/issues/92129">#92129</a>)</li> <li>Additional commits viewable in <a href="https://github.com/vercel/next.js/compare/v16.1.5...v16.2.2">compare view</a></li> </ul> </details> <br /> Updates `minimatch` from 3.1.2 to 3.1.5 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/isaacs/minimatch/commit/7bba97888a27a6162983056bcce2a6e28f668712"><code>7bba978</code></a> 3.1.5</li> <li><a href="https://github.com/isaacs/minimatch/commit/bd259425b2ca17b42897997f93e890314155522d"><code>bd25942</code></a> docs: add warning about ReDoS</li> <li><a 
href="https://github.com/isaacs/minimatch/commit/1a9c27c75725474dbde57db2995b6281b267756d"><code>1a9c27c</code></a> fix partial matching of globstar patterns</li> <li><a href="https://github.com/isaacs/minimatch/commit/1a2e084af579731af66c221214e3ca8222c9bf23"><code>1a2e084</code></a> 3.1.4</li> <li><a href="https://github.com/isaacs/minimatch/commit/ae24656237c3d58067442f790ce17eff84463a47"><code>ae24656</code></a> update lockfile</li> <li><a href="https://github.com/isaacs/minimatch/commit/b1003749228b2a79e1f237963a0d559ef7a0941e"><code>b100374</code></a> limit recursion for **, improve perf considerably</li> <li><a href="https://github.com/isaacs/minimatch/commit/26ffeaa091b9f660833e23f42e07165b33e85c13"><code>26ffeaa</code></a> lockfile update</li> <li><a href="https://github.com/isaacs/minimatch/commit/9eca892a4e5dbb20534f9f30483b85cdeee6c2eb"><code>9eca892</code></a> lock node version to 14</li> <li><a href="https://github.com/isaacs/minimatch/commit/00c323b188b704e5d4bc534ecec2268cfa70a32a"><code>00c323b</code></a> 3.1.3</li> <li><a href="https://github.com/isaacs/minimatch/commit/30486b2048929264f44d18822891cfffa02af78b"><code>30486b2</code></a> update CI matrix and actions</li> <li>Additional commits viewable in <a href="https://github.com/isaacs/minimatch/compare/v3.1.2...v3.1.5">compare view</a></li> </ul> </details> <br /> Updates `flatted` from 3.3.3 to 3.4.2 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/WebReflection/flatted/commit/3bf09091c3562e17a0647bc06710dd6097079cf7"><code>3bf0909</code></a> 3.4.2</li> <li><a href="https://github.com/WebReflection/flatted/commit/885ddcc33cf9657caf38c57c7be45ae1c5272802"><code>885ddcc</code></a> fix CWE-1321</li> <li><a href="https://github.com/WebReflection/flatted/commit/0bdba705d130f00892b1b8fcc80cf4cdea0631e3"><code>0bdba70</code></a> added flatted-view to the benchmark</li> <li><a 
href="https://github.com/WebReflection/flatted/commit/2a02dce7c641dec31194c67663f9b0b12e62da20"><code>2a02dce</code></a> 3.4.1</li> <li><a href="https://github.com/WebReflection/flatted/commit/fba4e8f2e113665da275b19cd0f695f3d98e9416"><code>fba4e8f</code></a> Merge pull request <a href="https://redirect.github.com/WebReflection/flatted/issues/89">#89</a> from WebReflection/python-fix</li> <li><a href="https://github.com/WebReflection/flatted/commit/5fe86485e6df7f7f34a07a2a85498bd3e17384e7"><code>5fe8648</code></a> added &quot;when in Rome&quot; also a test for PHP</li> <li><a href="https://github.com/WebReflection/flatted/commit/53517adbefe724fe472b2f9ebcdb01910d0ae3f0"><code>53517ad</code></a> some minor improvement</li> <li><a href="https://github.com/WebReflection/flatted/commit/b3e2a0c387bf446435fec45ad7f05299f012346f"><code>b3e2a0c</code></a> Fixing recursion issue in Python too</li> <li><a href="https://github.com/WebReflection/flatted/commit/c4b46dbcbf782326e54ea1b65d3ebb1dc7a23fad"><code>c4b46db</code></a> Add SECURITY.md for security policy and reporting</li> <li><a href="https://github.com/WebReflection/flatted/commit/f86d071e0f70de5a7d8200198824a3f07fc9c988"><code>f86d071</code></a> Create dependabot.yml for version updates</li> <li>Additional commits viewable in <a href="https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2">compare view</a></li> </ul> </details> <br /> Updates `undici` from 7.22.0 to 7.24.7 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v7.24.7</h2> <h2>What's Changed</h2> <ul> <li>docs: update broken links in file &quot;Dispatcher.md&quot; by <a href="https://github.com/samuel871211"><code>@​samuel871211</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4924">nodejs/undici#4924</a></li> <li>doc: remove unused parameter <code>redirectionLimitReached</code> by <a 
href="https://github.com/samuel871211"><code>@​samuel871211</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4933">nodejs/undici#4933</a></li> <li>test: skip flaky macOS Node 20 cookie fetch cases by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4932">nodejs/undici#4932</a></li> <li>fix(types): align Response with DOM fetch types by <a href="https://github.com/theamodhshetty"><code>@​theamodhshetty</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4867">nodejs/undici#4867</a></li> <li>fix(types): Fix clone method type declaration to be an instance method rather than instance property by <a href="https://github.com/mistval"><code>@​mistval</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4925">nodejs/undici#4925</a></li> <li>test: skip IPv6 tests when IPv6 is not available by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4939">nodejs/undici#4939</a></li> <li>fix: correctly handle multi-value rawHeaders in fetch by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4938">nodejs/undici#4938</a></li> <li>ignore AGENTS.md by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4942">nodejs/undici#4942</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/samuel871211"><code>@​samuel871211</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/4924">nodejs/undici#4924</a></li> <li><a href="https://github.com/mistval"><code>@​mistval</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/4925">nodejs/undici#4925</a></li> </ul> <p><strong>Full Changelog</strong>: <a 
href="https://github.com/nodejs/undici/compare/v7.24.6...v7.24.7">https://github.com/nodejs/undici/compare/v7.24.6...v7.24.7</a></p> <h2>v7.24.6</h2> <h2>What's Changed</h2> <ul> <li>fix(test): client wasm compatible with clang 22 by <a href="https://github.com/rozzilla"><code>@​rozzilla</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4909">nodejs/undici#4909</a></li> <li>fix(mock): improve error message when intercepts are exhausted by <a href="https://github.com/travisbreaks"><code>@​travisbreaks</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4912">nodejs/undici#4912</a></li> <li>fix(websocket): support open diagnostics over h2 by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4921">nodejs/undici#4921</a></li> <li>fix: assume http/https scheme for scheme-less proxy env vars by <a href="https://github.com/travisbreaks"><code>@​travisbreaks</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4914">nodejs/undici#4914</a></li> <li>fix(cache): check Authorization on request headers per RFC 9111 §3.5 by <a href="https://github.com/metalix2"><code>@​metalix2</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4911">nodejs/undici#4911</a></li> <li>fix: wrap kConnector call in try/catch to prevent client hang by <a href="https://github.com/veeceey"><code>@​veeceey</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4834">nodejs/undici#4834</a></li> <li>docs: clarify fetch and FormData pairing by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4922">nodejs/undici#4922</a></li> <li>fix: support Connection header with connection-specific header names per RFC 7230 by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4775">nodejs/undici#4775</a></li> 
<li>fix: avoid prototype collisions in parseHeaders by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4923">nodejs/undici#4923</a></li> <li>build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by <a href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot] in <a href="https://redirect.github.com/nodejs/undici/pull/4926">nodejs/undici#4926</a></li> <li>test: auto-init WPT submodule by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4930">nodejs/undici#4930</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/rozzilla"><code>@​rozzilla</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/4909">nodejs/undici#4909</a></li> <li><a href="https://github.com/veeceey"><code>@​veeceey</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/4834">nodejs/undici#4834</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.5...v7.24.6">https://github.com/nodejs/undici/compare/v7.24.5...v7.24.6</a></p> <h2>v7.24.5</h2> <h2>What's Changed</h2> <ul> <li>Formdata tests by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4902">nodejs/undici#4902</a></li> <li>test: add unexpected disconnect guards to more client test files by <a href="https://github.com/samayer12"><code>@​samayer12</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4844">nodejs/undici#4844</a></li> <li>fix(cache): only apply 1-year deleteAt for immutable responses by <a href="https://github.com/metalix2"><code>@​metalix2</code></a> in <a href="https://redirect.github.com/nodejs/undici/pull/4913">nodejs/undici#4913</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a 
href="https://github.com/metalix2"><code>@​metalix2</code></a> made their first contribution in <a href="https://redirect.github.com/nodejs/undici/pull/4913">nodejs/undici#4913</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5">https://github.com/nodejs/undici/compare/v7.24.4...v7.24.5</a></p> <h2>v7.24.4</h2> <h2>What's Changed</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/84f23e2a19cd0f585579c4257d801e4ec2d65dbd"><code>84f23e2</code></a> Bumped v7.24.7 (<a href="https://redirect.github.com/nodejs/undici/issues/4947">#4947</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/a770b1033201984b9e8082a9bf955414bff5dc2e"><code>a770b10</code></a> ignore AGENTS.md (<a href="https://redirect.github.com/nodejs/undici/issues/4942">#4942</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/6acd19beaf67c1a2d07bcd38f40d0b751a81e7cc"><code>6acd19b</code></a> fix: correctly handle multi-value rawHeaders in fetch (<a href="https://redirect.github.com/nodejs/undici/issues/4938">#4938</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/1da1c747c7d6e01b93ab295e0efb86623f3c8e06"><code>1da1c74</code></a> test: skip IPv6 tests when IPv6 is not available (<a href="https://redirect.github.com/nodejs/undici/issues/4939">#4939</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/04cb77327f7ada95c2e5b67424cddcb22d7bf882"><code>04cb773</code></a> fix(types): Fix clone method type declaration to be an instance method rather...</li> <li><a href="https://github.com/nodejs/undici/commit/5145a7c47080d1715b2723591def3a75b0c3ba63"><code>5145a7c</code></a> fix(types): align Response with DOM fetch types (<a href="https://redirect.github.com/nodejs/undici/issues/4867">#4867</a>)</li> <li><a 
href="https://github.com/nodejs/undici/commit/ec236203064cf014667a5a5900c8a467adbdf7d6"><code>ec23620</code></a> test: skip flaky macOS Node 20 cookie fetch cases</li> <li><a href="https://github.com/nodejs/undici/commit/555923591b2c91935835a23efd91ffed189a9378"><code>5559235</code></a> doc: remove unused parameter <code>redirectionLimitReached</code> (<a href="https://redirect.github.com/nodejs/undici/issues/4933">#4933</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/a4e4b84d42140db8128369b53120382ffaff9ce0"><code>a4e4b84</code></a> docs: update broken links in file &quot;Dispatcher.md&quot; (<a href="https://redirect.github.com/nodejs/undici/issues/4924">#4924</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/38eab360daff8f72927dd6083e755ca37d6d624e"><code>38eab36</code></a> Bumped v7.24.6 (<a href="https://redirect.github.com/nodejs/undici/issues/4931">#4931</a>)</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v7.22.0...v7.24.7">compare view</a></li> </ul> </details> <br /> Updates `devalue` from 5.6.3 to 5.6.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sveltejs/devalue/releases">devalue's releases</a>.</em></p> <blockquote> <h2>v5.6.4</h2> <h3>Patch Changes</h3> <ul> <li> <p>87c1f3c: fix: reject <code>__proto__</code> keys in malformed <code>Object</code> wrapper payloads</p> <p>This validates the <code>&quot;Object&quot;</code> parse path and throws when the wrapped value has an own <code>__proto__</code> key.</p> </li> <li> <p>40f1db1: fix: ensure sparse array indices are integers</p> </li> <li> <p>87c1f3c: fix: disallow <code>__proto__</code> keys in null-prototype object parsing</p> <p>This disallows <code>__proto__</code> keys in the <code>&quot;null&quot;</code> parse path so null-prototype object hydration cannot carry that key through parse/unflatten.</p> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> 
<p><em>Sourced from <a href="https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md">devalue's changelog</a>.</em></p> <blockquote> <h2>5.6.4</h2> <h3>Patch Changes</h3> <ul> <li> <p>87c1f3c: fix: reject <code>__proto__</code> keys in malformed <code>Object</code> wrapper payloads</p> <p>This validates the <code>&quot;Object&quot;</code> parse path and throws when the wrapped value has an own <code>__proto__</code> key.</p> </li> <li> <p>40f1db1: fix: ensure sparse array indices are integers</p> </li> <li> <p>87c1f3c: fix: disallow <code>__proto__</code> keys in null-prototype object parsing</p> <p>This disallows <code>__proto__</code> keys in the <code>&quot;null&quot;</code> parse path so null-prototype object hydration cannot carry that key through parse/unflatten.</p> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sveltejs/devalue/commit/6cbb3f51258e01d7769e2b3d77b6ce9ed060804b"><code>6cbb3f5</code></a> Version Packages (<a href="https://redirect.github.com/sveltejs/devalue/issues/133">#133</a>)</li> <li><a href="https://github.com/sveltejs/devalue/commit/40f1db13afdd65c8e2ebd02f684276c273ef81b0"><code>40f1db1</code></a> Merge commit from fork</li> <li><a href="https://github.com/sveltejs/devalue/commit/87c1f3ce3759765a061cfe34843ecc4b0711ba8d"><code>87c1f3c</code></a> Merge commit from fork</li> <li>See full diff in <a href="https://github.com/sveltejs/devalue/compare/v5.6.3...v5.6.4">compare view</a></li> </ul> </details> <br /> Updates `h3` from 1.15.5 to 1.15.11 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/h3js/h3/releases">h3's releases</a>.</em></p> <blockquote> <h2>v1.15.11</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.10...v1.15.11">compare changes</a></p> <h3>🏡 Chore</h3> <ul> <li>Update defu to 6.1.6 (<a href="https://github.com/h3js/h3/commit/6125485">6125485</a>)</li> <li>Update deps (<a 
href="https://github.com/h3js/h3/commit/4998dd8">4998dd8</a>)</li> <li>Update cookie-es (<a href="https://github.com/h3js/h3/commit/d166186">d166186</a>)</li> </ul> <h2>v1.15.10</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.9...v1.15.10">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li>Preserve percent-encoded req.url in app event handler (<a href="https://redirect.github.com/h3js/h3/pull/1355">#1355</a>)</li> </ul> <h3>❤️ Contributors</h3> <ul> <li>Sergio Azócar (<a href="https://github.com/sergioazoc"><code>@​sergioazoc</code></a>)</li> </ul> <h2>v1.15.9</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.7...v1.15.9">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li>Preserve <code>%25</code> in pathname (<a href="https://github.com/h3js/h3/commit/1103df6">1103df6</a>)</li> <li><strong>static:</strong> Prevent path traversal via double-encoded dot segments (<code>%252e%252e</code>) (<a href="https://github.com/h3js/h3/commit/c56683d">c56683d</a>)</li> <li><strong>sse:</strong> Sanitize carriage returns in event stream data and comments (<a href="https://github.com/h3js/h3/commit/ba3c3fe">ba3c3fe</a>)</li> </ul> <h2>v1.15.8</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.7...v1.15.8">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li>Preserve <code>%25</code> in pathname (<a href="https://github.com/h3js/h3/commit/1103df6">1103df6</a>)</li> </ul> <h2>v1.15.7</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.6...v1.15.7">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li><strong>static:</strong> Narrow path traversal check to match <code>..</code> as a path segment only (<a href="https://github.com/h3js/h3/commit/c049dc0">c049dc0</a>)</li> <li><strong>app:</strong> Decode percent-encoded path segments to prevent auth bypass (<a href="https://github.com/h3js/h3/commit/313ea52">313ea52</a>)</li> </ul> <h3>💅 Refactors</h3> <ul> <li>Remove implicit event handler conversion warning (<a 
href="https://redirect.github.com/h3js/h3/pull/1340">#1340</a>)</li> </ul> <h3>❤️ Contributors</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/h3js/h3/blob/v1.15.11/CHANGELOG.md">h3's changelog</a>.</em></p> <blockquote> <h2>v1.15.11</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.10...v1.15.11">compare changes</a></p> <h3>🏡 Chore</h3> <ul> <li>Update defu to 6.1.6 (<a href="https://github.com/h3js/h3/commit/6125485">6125485</a>)</li> <li>Update deps (<a href="https://github.com/h3js/h3/commit/4998dd8">4998dd8</a>)</li> <li>Update cookie-es (<a href="https://github.com/h3js/h3/commit/d166186">d166186</a>)</li> </ul> <h3>❤️ Contributors</h3> <ul> <li>Pooya Parsa (<a href="https://github.com/pi0"><code>@​pi0</code></a>)</li> </ul> <h2>v1.15.10</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.9...v1.15.10">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li>Preserve percent-encoded req.url in app event handler (<a href="https://redirect.github.com/h3js/h3/pull/1355">#1355</a>)</li> </ul> <h3>🏡 Chore</h3> <ul> <li>Update deps (<a href="https://github.com/h3js/h3/commit/26fec6f">26fec6f</a>)</li> </ul> <h3>❤️ Contributors</h3> <ul> <li>Pooya Parsa (<a href="https://github.com/pi0"><code>@​pi0</code></a>)</li> <li>Sergio Azócar (<a href="https://github.com/sergioazoc"><code>@​sergioazoc</code></a>)</li> </ul> <h2>v1.15.9</h2> <p><a href="https://github.com/h3js/h3/compare/v1.15.7...v1.15.9">compare changes</a></p> <h3>🩹 Fixes</h3> <ul> <li>Preserve <code>%25</code> in pathname (<a href="https://github.com/h3js/h3/commit/1103df6">1103df6</a>)</li> <li><strong>static:</strong> Prevent path traversal via double-encoded dot segments (<code>%252e%252e</code>) (<a href="https://github.com/h3js/h3/commit/c56683d">c56683d</a>)</li> <li><strong>sse:</strong> Sanitize carriage returns in event stream data and comments (<a 
href="https://github.com/h3js/h3/commit/ba3c3fe">ba3c3fe</a>)</li> </ul> <h3>🏡 Chore</h3> <ul> <li><strong>release:</strong> V1.15.8 (<a href="https://github.com/h3js/h3/commit/e3b9c9e">e3b9c9e</a>)</li> <li>Update deps (<a href="https://github.com/h3js/h3/commit/23045df">23045df</a>)</li> </ul> <h3>❤️ Contributors</h3> <ul> <li>Pooya Parsa (<a href="https://github.com/pi0"><code>@​pi0</code></a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/h3js/h3/commit/7b9f41fda6038d26a367c2a26a07ed83ee1dbaac"><code>7b9f41f</code></a> chore(release): v1.15.11</li> <li><a href="https://github.com/h3js/h3/commit/d166186ed63de5a21fa4bb0aede4f4574994a3b5"><code>d166186</code></a> chore: update cookie-es</li> <li><a href="https://github.com/h3js/h3/commit/4998dd8de60ddd6a182948e543143eaa56927399"><code>4998dd8</code></a> chore: update deps</li> <li><a href="https://github.com/h3js/h3/commit/612548586357cbf0bad27bcb1b1615f4c40b1560"><code>6125485</code></a> chore: update defu to 6.1.6</li> <li><a href="https://github.com/h3js/h3/commit/b72bb57060cf68e627575e0c350742f4fa8206fa"><code>b72bb57</code></a> chore(release): v1.15.10</li> <li><a href="https://github.com/h3js/h3/commit/d8ef318fa9ce086036588443d683f97f9bb9faf8"><code>d8ef318</code></a> remove resolutions for h3</li> <li><a href="https://github.com/h3js/h3/commit/26fec6ff549e646bef284b8df4e267ddb8fc0b67"><code>26fec6f</code></a> chore: update deps</li> <li><a href="https://github.com/h3js/h3/commit/51ca9b3750a2a1426257c96e5a81001e3ec3bb42"><code>51ca9b3</code></a> fix: preserve percent-encoded req.url in app event handler (<a href="https://redirect.github.com/h3js/h3/issues/1355">#1355</a>)</li> <li><a href="https://github.com/h3js/h3/commit/4e8d43a7703d0d5c8bbc09748db1d8b9f3c51b42"><code>4e8d43a</code></a> chore(release): v1.15.9</li> <li><a 
href="https://github.com/h3js/h3/commit/23045df515a67f00182b5f7ca126cbec40efda4d"><code>23045df</code></a> chore: update deps</li> <li>Additional commits viewable in <a href="https://github.com/h3js/h3/compare/v1.15.5...v1.15.11">compare view</a></li> </ul> </details> <br /> Updates `smol-toml` from 1.6.0 to 1.6.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/squirrelchat/smol-toml/releases">smol-toml's releases</a>.</em></p> <blockquote> <h2>v1.6.1</h2> <p>This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recursion and cause a stack overflow error with a document that contains thousands of successive commented lines. Security advisory: <a href="https://github.com/advisories/GHSA-v3rj-xjv7-4jmq">GHSA-v3rj-xjv7-4jmq</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/squirrelchat/smol-toml/commit/072b64fd0094b1d7d3bb1a124d282828069a7aa0"><code>072b64f</code></a> chore: version bump</li> <li><a href="https://github.com/squirrelchat/smol-toml/commit/19a5dc74cb49f9fe809dd73c2b8934b4192b8393"><code>19a5dc7</code></a> chore: upgrade dependencies and actions</li> <li><a href="https://github.com/squirrelchat/smol-toml/commit/f286f87778200504061a428b24d5e27ef5e1f360"><code>f286f87</code></a> fix: don't use recursion in skipVoid</li> <li>See full diff in <a href="https://github.com/squirrelchat/smol-toml/compare/v1.6.0...v1.6.1">compare view</a></li> </ul> </details> <br /> Updates `svgo` from 4.0.0 to 4.0.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/svg/svgo/releases">svgo's releases</a>.</em></p> <blockquote> <h2>v4.0.1</h2> <h2>What's Changed</h2> <h3>Dependencies</h3> <ul> <li>Sets minimum version of <a href="https://www.npmjs.com/package/sax">sax</a> (XML parser) to v1.5.0, which improves built-in guards against entity expansion.</li> </ul> <h3>Bug 
Fixes</h3> <ul> <li><a href="https://svgo.dev/docs/plugins/removeEmptyContainers/">removeEmptyContainers</a>, removed leftover <code>&lt;use&gt;</code> elements referencing an empty container that were removed. By <a href="https://github.com/johnkenny54"><code>@​johnkenny54</code></a> in <a href="https://redirect.github.com/svg/svgo/pull/2051">svg/svgo#2051</a></li> <li><a href="https://svgo.dev/docs/plugins/removeUnknownsAndDefaults/">removeUnknownsAndDefaults</a>, don't remove attributes if they're referenced in attribute selectors (CSS). By <a href="https://github.com/SethFalco"><code>@​SethFalco</code></a> in <a href="https://redirect.github.com/svg/svgo/pull/2144">svg/svgo#2144</a></li> </ul> <h3>Performance</h3> <ul> <li><a href="https://svgo.dev/docs/plugins/convertPathData/">convertPathData</a>, refactor to reduce redundant equality checks. By <a href="https://github.com/Lorfdail"><code>@​Lorfdail</code></a> in <a href="https://redirect.github.com/svg/svgo/pull/1764">svg/svgo#1764</a> and <a href="https://redirect.github.com/svg/svgo/pull/2135">svg/svgo#2135</a></li> <li><a href="https://svgo.dev/docs/plugins/removeHiddenElems/">removeHiddenElems</a>, compute styles lazily. By <a href="https://github.com/Lorfdail"><code>@​Lorfdail</code></a> in <a href="https://redirect.github.com/svg/svgo/pull/1764">svg/svgo#1764</a> and <a href="https://redirect.github.com/svg/svgo/pull/2135">svg/svgo#2135</a></li> </ul> <h3>Other Changes</h3> <ul> <li>Plugins no longer include if they are enabled or disabled by default, as this was written inconsistently. The <code>--show-plugins</code> argument appends the presets a plugin is in to the end of the line. By <a href="https://github.com/viralcodex"><code>@​viralcodex</code></a> in <a href="https://redirect.github.com/svg/svgo/pull/2174">svg/svgo#2174</a></li> <li>Plugin/preset types to enforce the name start with <code>preset-</code> if it is a preset (collection of plugins). 
By <a href="https://github.com/SethFalco"><code>@​SethFalco</code></a> in <a href="https://redirect.github.com/svg/svgo/pull/2178">svg/svgo#2178</a></li> </ul> <h2>Metrics</h2> <p>Before and after of the browser bundle of each respective version:</p> <table> <thead> <tr> <th></th> <th>v4.0.0</th> <th>v4.0.1</th> <th>Delta</th> </tr> </thead> <tbody> <tr> <td>svgo.browser.js</td> <td>780.2 kB</td> <td>781.5 kB</td> <td>⬆️ 1.3 kB</td> </tr> </tbody> </table> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/svg/svgo/commit/e691f5f85d9ff6c8f3bc75dc5150181d314b7f2d"><code>e691f5f</code></a> Merge commit from fork</li> <li><a href="https://github.com/svg/svgo/commit/b1d9f1a5dd018ffcbd52b96678019ccf4312b22d"><code>b1d9f1a</code></a> chore(deps): bump actions/upload-artifact from 6 to 7 (<a href="https://redirect.github.com/svg/svgo/issues/2202">#2202</a>)</li> <li><a href="https://github.com/svg/svgo/commit/d724af1b75d9a76ffd0ff4aef95047a045deb2b6"><code>d724af1</code></a> chore(deps): bump actions/checkout from 5 to 6 (<a href="https://redirect.github.com/svg/svgo/issues/2195">#2195</a>)</li> <li><a href="https://github.com/svg/svgo/commit/4114b3236f4ee5d2e0db6506e09e2633d55bfab6"><code>4114b32</code></a> chore(deps): bump actions/upload-artifact from 4 to 6 (<a href="https://redirect.github.com/svg/svgo/issues/2196">#2196</a>)</li> <li><a href="https://github.com/svg/svgo/commit/c06d8f6899788defae9594537063c2f4307803e4"><code>c06d8f6</code></a> chore: upgrade js-yaml and glob (<a href="https://redirect.github.com/svg/svgo/issues/2191">#2191</a>)</li> <li><a href="https://github.com/svg/svgo/commit/26e86e5d722fbc1937446b23d53a1bf8e3f01e39"><code>26e86e5</code></a> fix: remove unused &lt;use&gt; elements when deleting empty symbols (<a href="https://redirect.github.com/svg/svgo/issues/2051">#2051</a>)</li> <li><a href="https://github.com/svg/svgo/commit/50c326bbff8eda6589f09504f87197b693ac6854"><code>50c326b</code></a> 
perf: optimiztions to reduce regression test runtime (<a href="https://redirect.github.com/svg/svgo/issues/2135">#2135</a>)</li> <li><a href="https://github.com/svg/svgo/commit/1f33cbe3aea1fd04d8272860d0356a5b107fd6cf"><code>1f33cbe</code></a> ci: separate regression tests and write delta report (<a href="https://redirect.github.com/svg/svgo/issues/2190">#2190</a>)</li> <li><a href="https://github.com/svg/svgo/commit/79a2167dc93aaff982686ec65846db714aae3e76"><code>79a2167</code></a> ci: save test reports to artifacts (<a href="https://redirect.github.com/svg/svgo/issues/2189">#2189</a>)</li> <li><a href="https://github.com/svg/svgo/commit/0ae52a02a5cc021e37d227a8d6ca68cf6ca28679"><code>0ae52a0</code></a> chore(deps): bump actions/setup-node from 5 to 6 (<a href="https://redirect.github.com/svg/svgo/issues/2187">#2187</a>)</li> <li>Additional commits viewable in <a href="https://github.com/svg/svgo/compare/v4.0.0...v4.0.1">compare view</a></li> </ul> </details> <br /> Updates `lodash` from 4.17.23 to 4.18.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lodash/lodash/releases">lodash's releases</a>.</em></p> <blockquote> <h2>4.18.1</h2> <h2>Bugs</h2> <p>Fixes a <code>ReferenceError</code> issue in <code>lodash</code> <code>lodash-es</code> <code>lodash-amd</code> and <code>lodash.template</code> when using the <code>template</code> and <code>fromPairs</code> functions from the modular builds. See <a href="https://redirect.github.com/lodash/lodash/issues/6167#issuecomment-4165269769">lodash/lodash#6167</a></p> <p>These defects were related to how lodash distributions are built from the main branch using <a href="https://github.com/lodash-archive/lodash-cli">https://github.com/lodash-archive/lodash-cli</a>. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). 
We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.</p> <p>There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:</p> <ul> <li><code>lodash</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm">https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm</a></li> <li><code>lodash-es</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es">https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es</a></li> <li><code>lodash-amd</code>: <a href="https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd">https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd</a></li> <li><code>lodash.template</code><a href="https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages">https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages</a></li> </ul> <h2>4.18.0</h2> <h2>v4.18.0</h2> <p><strong>Full Changelog</strong>: <a href="https://github.com/lodash/lodash/compare/4.17.23...4.18.0">https://github.com/lodash/lodash/compare/4.17.23...4.18.0</a></p> <h3>Security</h3> <p><strong><code>_.unset</code> / <code>_.omit</code></strong>: Fixed prototype pollution via <code>constructor</code>/<code>prototype</code> path traversal (<a href="https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh">GHSA-f23m-r3pf-42rh</a>, <a href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b">fe8d32e</a>). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now <code>constructor</code> and <code>prototype</code> are blocked unconditionally as non-terminal path keys, matching <code>baseSet</code>. 
Calls that previously returned <code>true</code> and deleted the property now return <code>false</code> and leave the target untouched.</p> <p><strong><code>_.template</code></strong>: Fixed code injection via <code>imports</code> keys (<a href="https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc">GHSA-r5fr-rjxr-66jc</a>, CVE-2026-4800, <a href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6">879aaa9</a>). Fixes an incomplete patch for CVE-2021-23337. The <code>variable</code> option was validated against <code>reForbiddenIdentifierChars</code> but <code>importsKeys</code> was left unguarded, allowing code injection via the same <code>Function()</code> constructor sink. <code>imports</code> keys containing forbidden identifier characters now throw <code>&quot;Invalid imports option passed into _.template&quot;</code>.</p> <h3>Docs</h3> <ul> <li>Add security notice for <code>_.template</code> in threat model and API docs (<a href="https://redirect.github.com/lodash/lodash/pull/6099">#6099</a>)</li> <li>Document <code>lower &gt; upper</code> behavior in <code>_.random</code> (<a href="https://redirect.github.com/lodash/lodash/pull/6115">#6115</a>)</li> <li>Fix quotes in <code>_.compact</code> jsdoc (<a href="https://redirect.github.com/lodash/lodash/pull/6090">#6090</a>)</li> </ul> <h3><code>lodash.*</code> modular packages</h3> <p><a href="https://redirect.github.com/lodash/lodash/pull/6157">Diff</a></p> <p>We have also regenerated and published a select number of the <code>lodash.*</code> modular packages.</p> <p>These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. 
Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:</p> <ul> <li><a href="https://www.npmjs.com/package/lodash.orderby">lodash.orderby</a></li> <li><a href="https://www.npmjs.com/package/lodash.tonumber">lodash.tonumber</a></li> <li><a href="https://www.npmjs.com/package/lodash.trim">lodash.trim</a></li> <li><a href="https://www.npmjs.com/package/lodash.trimend">lodash.trimend</a></li> <li><a href="https://www.npmjs.com/package/lodash.sortedindexby">lodash.sortedindexby</a></li> <li><a href="https://www.npmjs.com/package/lodash.zipobjectdeep">lodash.zipobjectdeep</a></li> <li><a href="https://www.npmjs.com/package/lodash.unset">lodash.unset</a></li> <li><a href="https://www.npmjs.com/package/lodash.omit">lodash.omit</a></li> <li><a href="https://www.npmjs.com/package/lodash.template">lodash.template</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/lodash/lodash/commit/cb0b9b9212521c08e3eafe7c8cb0af1b42b6649e"><code>cb0b9b9</code></a> release(patch): bump main to 4.18.1 (<a href="https://redirect.github.com/lodash/lodash/issues/6177">#6177</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/75535f57883b7225adb96de1cfc1cd4169cfcb51"><code>75535f5</code></a> chore: prune stale advisory refs (<a href="https://redirect.github.com/lodash/lodash/issues/6170">#6170</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/62e91bc6a39c98d85b9ada8c44d40593deaf82a4"><code>62e91bc</code></a> docs: remove n_ Node.js &lt; 6 REPL note from README (<a href="https://redirect.github.com/lodash/lodash/issues/6165">#6165</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/59be2de61f8aa9461c7856533b51d31b7d8babc4"><code>59be2de</code></a> release(minor): bump to 4.18.0 (<a href="https://redirect.github.com/lodash/lodash/issues/6161">#6161</a>)</li> <li><a 
href="https://github.com/lodash/lodash/commit/af634573030f979194871da7c68f79420992f53d"><code>af63457</code></a> fix: broken tests for _.template 879aaa9</li> <li><a href="https://github.com/lodash/lodash/commit/1073a7693e1727e0cf3641e5f71f75ddcf8de7c0"><code>1073a76</code></a> fix: linting issues</li> <li><a href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6"><code>879aaa9</code></a> fix: validate imports keys in _.template</li> <li><a href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b"><code>fe8d32e</code></a> fix: block prototype pollution in baseUnset via constructor/prototype traversal</li> <li><a href="https://github.com/lodash/lodash/commit/18ba0a32f42fd02117f096b032f89c984173462d"><code>18ba0a3</code></a> refactor(fromPairs): use baseAssignValue for consistent assignment (<a href="https://redirect.github.com/lodash/lodash/issues/6153">#6153</a>)</li> <li><a href="https://github.com/lodash/lodash/commit/b8190803d48d60b8c80ad45d39125f32fa618cb2"><code>b819080</code></a> ci: add dist sync validation workflow (<a href="https://redirect.github.com/lodash/lodash/issues/6137">#6137</a>)</li> <li>Additional commits viewable in <a href="https://github.com/lodash/lodash/compare/4.17.23...4.18.1">compare view</a></li> </ul> </details> <br /> Updates `qs` from 6.14.1 to 6.14.2 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/ljharb/qs/blob/main/CHANGELOG.md">qs's changelog</a>.</em></p> <blockquote> <h2><strong>6.14.2</strong></h2> <ul> <li>[Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code> (<a href="https://redirect.github.com/ljharb/qs/issues/546">#546</a>)</li> <li>[Fix] <code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/<code>parseArrayValue</code></li> <li>[Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when 
<code>throwOnLimitExceeded</code> is true (<a href="https://redirect.github.com/ljharb/qs/issues/529">#529</a>)</li> <li>[Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li>[Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove extraneous comments (<a href="https://redirect.github.com/ljharb/qs/issues/545">#545</a>)</li> <li>[Robustness] avoid <code>.push</code>, use <code>void</code></li> <li>[readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output (<a href="https://redirect.github.com/ljharb/qs/issues/418">#418</a>)</li> <li>[readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation (<a href="https://redirect.github.com/ljharb/qs/issues/543">#543</a>)</li> <li>[readme] replace runkit CI badge with shields.io check-runs badge</li> <li>[meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>[actions] fix rebase workflow permissions</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ljharb/qs/commit/bdcf0c7f82387c18ac8fabfccd2f440645cef47b"><code>bdcf0c7</code></a> v6.14.2</li> <li><a href="https://github.com/ljharb/qs/commit/294db90c812ddbe7d7a35d5687c505fd21a2d6a2"><code>294db90</code></a> [readme] document that <code>addQueryPrefix</code> does not add <code>?</code> to empty output</li> <li><a href="https://github.com/ljharb/qs/commit/5c308e5516c270a78caa6f278465914090f91ec6"><code>5c308e5</code></a> [readme] clarify <code>parseArrays</code> and <code>arrayLimit</code> documentation</li> <li><a href="https://github.com/ljharb/qs/commit/6addf8cf738d529c54d91f6f3ffb6c1be91bbfdc"><code>6addf8c</code></a> [Fix] <code>parse</code>: mark overflow objects for indexed notation exceeding <code>arrayLimit</code></li> <li><a href="https://github.com/ljharb/qs/commit/cfc108f662326d6ab540f3545ef0b832baf83cdf"><code>cfc108f</code></a> [Fix] 
<code>arrayLimit</code> means max count, not max index, in <code>combine</code>/<code>merge</code>/`pars...</li> <li><a href="https://github.com/ljharb/qs/commit/febb64442a80e49200211fa38d3c96b58024ac77"><code>febb644</code></a> [Fix] <code>parse</code>: throw on <code>arrayLimit</code> exceeded with indexed notation when `thr...</li> <li><a href="https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482"><code>f6a7abf</code></a> [Fix] <code>parse</code>: enforce <code>arrayLimit</code> on <code>comma</code>-parsed values</li> <li><a href="https://github.com/ljharb/qs/commit/fbc5206c25b4d1851cea683f02c10756c521d15a"><code>fbc5206</code></a> [Fix] <code>parse</code>: fix error message to reflect arrayLimit as max index; remove e...</li> <li><a href="https://github.com/ljharb/qs/commit/1b9a8b4e78c6aff4c22fa559107227f02fd0216a"><code>1b9a8b4</code></a> [actions] fix rebase workflow permissions</li> <li><a href="https://github.com/ljharb/qs/commit/2a35775614e0fb46ac8a3060201a32a7c23a7fda"><code>2a35775</code></a> [meta] fix changelog typo (<code>arrayLength</code> → <code>arrayLimit</code>)</li> <li>Additional commits viewable in <a href="https://github.com/ljharb/qs/compare/v6.14.1...v6.14.2">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ambient-code/platform/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 1c28cc2 commit e537e06

5 files changed

Lines changed: 268 additions & 260 deletions

components/frontend/package-lock.json

Lines changed: 59 additions & 59 deletions
Some generated files are not rendered by default.

components/frontend/package.json

Lines changed: 2 additions & 2 deletions
@@ -39,12 +39,12 @@
3939
"cronstrue": "^3.13.0",
4040
"date-fns": "^4.1.0",
4141
"dompurify": "^3.3.3",
42-
"file-type": "^21.1.1",
42+
"file-type": "^21.3.2",
4343
"geist": "^1.7.0",
4444
"highlight.js": "^11.11.1",
4545
"lucide-react": "^0.542.0",
4646
"marked": "^17.0.4",
47-
"next": "16.1.5",
47+
"next": "16.2.2",
4848
"next-themes": "^0.4.6",
4949
"python-struct": "^1.1.3",
5050
"radix-ui": "^1.4.3",

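Review bot: Only the `file-type` and `next` lines change in this hunk, yet the commit message lists five updates for /components/frontend, so the `minimatch` (3.1.5), `flatted` (3.4.2) and `undici` (7.24.7) bumps exist only in components/frontend/package-lock.json, whose diff is not rendered on this page. Open that lockfile diff, or run `npm ls minimatch flatted undici` in components/frontend, and confirm each package resolves to the version named in the commit message. The `file-type` floor moving from `^21.1.1` to `^21.3.2` is the right shape, because a fresh install can no longer resolve to a release older than the one carrying the GHSA-j47w-4g3g-c36v and GHSA-5v7r-6r5c-r473 fixes. Separately, `next` is pinned exactly and moves a minor version (`16.1.5` to `16.2.2`) inside a grouped security bump, so run the frontend build and the e2e tests against it before merging.
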
docs/package-lock.json

Lines changed: 24 additions & 24 deletions
Some generated files are not rendered by default.
