Bump the npm_and_yarn group across 16 directories with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the /compiler/internal/vm/foundation/test directory:

Package	From	To
@astrojs/node	9.1.3	10.0.0
astro	5.5.5	5.18.1
axios	1.6.8	1.13.5
devalue	5.1.1	5.6.4
fastify	5.2.2	5.8.3
happy-dom	17.0.3	20.8.8
hono	4.7.2	4.12.7
rollup	4.4.1	4.59.0
undici	5.20.0	6.24.0
webpack	5.88.0	5.104.1

Bumps the npm_and_yarn group with 3 updates in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test directory: minimatch, fastify and next.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test/blog directory: next.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test/packages/blog directory: next.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test/packages/stripe directory: fastify.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test/stripe directory: fastify.
Bumps the npm_and_yarn group with 3 updates in the /compiler/internal/vm/foundation/test/cli/install/migration/yarn/yarn-cli-repo directory: js-yaml, minimatch and tar.
Bumps the npm_and_yarn group with 2 updates in the /compiler/internal/vm/foundation/test/integration/vite-build/the-test-app directory: kysely and svelte.
Bumps the npm_and_yarn group with 2 updates in the /compiler/internal/vm/foundation/test/js/third_party/astro directory: @astrojs/node and astro.
Bumps the npm_and_yarn group with 6 updates in the /compiler/internal/vm/libconsepts/dynamic_bitset/doc directory:

Package	From	To
js-yaml	4.1.0	4.1.1
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
picomatch	4.0.2	4.0.4
axios	1.12.2	1.13.6
fast-xml-parser	4.5.3	5.5.9
convict	6.2.4	6.2.5

Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/msm/doc directory: js-yaml, picomatch, axios and fast-xml-parser.
Bumps the npm_and_yarn group with 6 updates in the /compiler/internal/vm/libconsepts/openmethod/doc directory:

Package	From	To
js-yaml	4.1.0	4.1.1
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
picomatch	4.0.3	4.0.4
axios	1.13.2	1.13.6
fast-xml-parser	5.3.2	5.5.9
convict	6.2.4	6.2.5

Bumps the npm_and_yarn group with 5 updates in the /compiler/internal/vm/libconsepts/redis/doc directory:

Package	From	To
js-yaml	4.1.0	4.1.1
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
picomatch	4.0.2	4.0.4
axios	1.10.0	1.13.6
convict	6.2.4	6.2.5

Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/unordered/doc directory: js-yaml, minimatch, picomatch and convict.
Bumps the npm_and_yarn group with 6 updates in the /compiler/internal/vm/libconsepts/url/doc directory:

Package	From	To
js-yaml	4.1.0	4.1.1
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
picomatch	4.0.3	4.0.4
axios	1.12.2	1.13.6
fast-xml-parser	4.5.3	5.5.9
convict	6.2.4	6.2.5

Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/static_core/plugins/ets/tools/declgen_ts2sts directory: webpack.

Updates @astrojs/node from 9.1.3 to 10.0.0

Release notes

Sourced from @​astrojs/node's releases.

@​astrojs/node@​10.0.0

Major Changes

• #15654 a32aee6 Thanks @​florian-lefebvre! - Removes the experimentalErrorPageHost option

  This option allowed fetching a prerendered error page from a different host than the server is currently running on.

  However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.

  What should I do?

  If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:

  // astro.config.mjs
  import { defineConfig } from 'astro/config'
  import node from '@astrojs/node'
  export default defineConfig({
  adapter: node({
  mode: 'standalone',
  
  experimentalErrorPageHost: 'http://localhost:4321'
  })
  })

You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:

// src/middleware.ts
import { defineMiddleware } from 'astro:middleware';
export const onRequest = defineMiddleware(async (ctx, next) => {
const response = await next();
if (response.status === 404 || response.status === 500) {
return fetch(http://localhost:4321/${response.status}.html);
}
return response;
});

Minor Changes

• #15258 d339a18 Thanks @​ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

  export default defineConfig({
    adapter: netlify({
  -    experimentalStaticHeaders: true
  +    staticHeaders: true

... (truncated)

Changelog

Sourced from @​astrojs/node's changelog.

10.0.0

Major Changes

• #15654 a32aee6 Thanks @​florian-lefebvre! - Removes the experimentalErrorPageHost option

  This option allowed fetching a prerendered error page from a different host than the server is currently running on.

  However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.

  What should I do?

  If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:

  // astro.config.mjs
  import { defineConfig } from 'astro/config'
  import node from '@astrojs/node'
  export default defineConfig({
  adapter: node({
  mode: 'standalone',
  
  experimentalErrorPageHost: 'http://localhost:4321'
  })
  })

You can replicate the previous behavior by checking the response status in a middleware and fetching the prerendered page yourself:

// src/middleware.ts
import { defineMiddleware } from 'astro:middleware';
export const onRequest = defineMiddleware(async (ctx, next) => {
const response = await next();
if (response.status === 404 || response.status === 500) {
return fetch(http://localhost:4321/${response.status}.html);
}
return response;
});

Minor Changes

• #15258 d339a18 Thanks @​ematipico! - Stabilizes the adapter feature experimentalStatiHeaders. If you were using this feature in any of the supported adapters, you'll need to change the name of the flag:

  export default defineConfig({
    adapter: netlify({
  -    experimentalStaticHeaders: true

... (truncated)

Commits

• 48e5c4d [ci] release (#15808)
• 2ce9e74 chore: update docs links (#15732)
• 25560db [ci] release (beta) (#15773)
• 39ff2a5 Harden Node adapter HTTP server defaults and request body handling (#15759)
• 6414732 Spelling (#15601)
• 1567e8c Normalize static file paths before evaluating dotfile access rules (#15763)
• 02e24d9 Harden origin check port handling for consistency (#15777)
• 9b0def6 [ci] release (beta) (#15758)
• 3885e8d [ci] release (beta) (#15687)
• 20b05c0 fix(node): harden static file handler path resolution (#15745)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​astrojs/node since your current version.

Updates astro from 5.5.5 to 5.18.1

Release notes

Sourced from astro's releases.

astro@5.18.1

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6
  • @​astrojs/markdown-remark@​6.3.11

Changelog

Sourced from astro's changelog.

5.18.1

Patch Changes

• Updated dependencies [c2cd371]:
  • @​astrojs/internal-helpers@​0.7.6
  • @​astrojs/markdown-remark@​6.3.11

5.18.0

Minor Changes

• #15589 b7dd447 Thanks @​qzio! - Adds a new security.actionBodySizeLimit option to configure the maximum size of Astro Actions request bodies.

  This lets you increase the default 1 MB limit when your actions need to accept larger payloads. For example, actions that handle file uploads or large JSON payloads can now opt in to a higher limit.

  If you do not set this option, Astro continues to enforce the 1 MB default to help prevent abuse.

  // astro.config.mjs
  export default defineConfig({
    security: {
      actionBodySizeLimit: 10 * 1024 * 1024, // set to 10 MB
    },
  });

Patch Changes

• #15594 efae11c Thanks @​qzio! - Fix X-Forwarded-Proto validation when allowedDomains includes both protocol and hostname fields. The protocol check no longer fails due to hostname mismatch against the hardcoded test URL.

5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

... (truncated)

Commits

• 434d9cc [ci] release (#15829)
• c2cd371 fix(helpers): Backport remote patterns segments fix (#15828)
• 011f061 [ci] release (#15597)
• efae11c fix: X-Forwarded-Proto rejected when allowedDomains includes protocol… (#15594)
• 751ccf0 Update actionBodySizeLimit changeset and make minor (#15600)
• b7dd447 make actionBodySizeLimit configurable (#15589)
• e0f1a2b [ci] release (#15571)
• 522f880 Limit action request body size (#15564)
• 436962a chore: Upgrade Vite and esbuild (#15554)
• e01e98b Respect remote image allowlists (#15569)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates axios from 1.6.8 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates devalue from 5.1.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits

• 6cbb3f5 Version Packages (#133)
• 40f1db1 Merge commit from fork
• 87c1f3c Merge commit from fork
• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates fastify from 5.2.2 to 5.8.3

Release notes

Sourced from fastify's releases.

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in fastify/fastify#6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in fastify/fastify#6566
• test: use fastify.test in test case by @​climba03003 in fastify/fastify#6568
• docs: use fastify.example in documentation by @​climba03003 in fastify/fastify#6567
• docs: add common performance degradation guidance by @​maxpetrusenko in fastify/fastify#6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in fastify/fastify#6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in fastify/fastify#6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in fastify/fastify#6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in fastify/fastify#6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in fastify/fastify#6582
• docs: replace redirected npm.im http-errors link by @​mcollina in fastify/fastify#6588
• types: Allow port to be null in request type definition by @​TristanBarlow in fastify/fastify#6589
• docs: update links by @​Tony133 in fastify/fastify#6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in fastify/fastify#6592

New Contributors

• @​kyrylchenko made their first contribution in fastify/fastify#6566
• @​maxpetrusenko made their first contribution in fastify/fastify#6520
• @​Deepvamja made their first contribution in fastify/fastify#6530
• @​barba-rossa made their first contribution in fastify/fastify#6535
• @​mahmoodhamdi made their first contribution in fastify/fastify#6582
• @​TristanBarlow made their first contribution in fastify/fastify#6589

Full Changelog: fastify/fastify@v5.8.2...v5.8.3

v5.8.2

What's Changed

• docs(ecosystem): add @​yeliex/fastify-problem-details by @​yeliex in fastify/fastify#6546
• Revert "chore: upgrade borp to v1.0.0" by @​climba03003 in fastify/fastify#6564
• docs: document body validation with custom content type parsers by @​mcollina in fastify/fastify#6556
• docs(ecosystem): add fastify-file-router by @​bhouston in fastify/fastify#6441
• docs: add fastify-svelte-view to Ecosystem list by @​matths in fastify/fastify#6453
• fix: anchor keyValuePairsReg to prevent quadratic backtracking by @​mcollina in fastify/fastify#6558
• docs: added note on handling of invalid URLs in setNotFoundHandler by @​leftieFriele in fastify/fastify#5661
• docs(guides): update codemod links by @​OluchiEzeifedikwa in fastify/fastify#6479
• docs: add @​glidemq/fastify to community plugins by @​avifenesh in fastify/fastify#6560

New Contributors

• @​yeliex made their first contribution in fastify/fastify#6546
• @​matths made their first contribution in fastify/fastify#6453
• @​leftieFriele made their first contribution in fastify/fastify#5661
• @​OluchiEzeifedikwa made their first contribution in fastify/fastify#6479
• @​avifenesh made their first contribution in fastify/fastify#6560

... (truncated)

Commits

• a3e77ce Bumped v5.8.3
• 4e1db5b fix: gate host and protocol getters on proxy trust function
• a22217f ci(lock-threads): use shared lock-threads workflow (#6592)
• 1851f20 docs: update links (#6593)
• 9cc5187 types: Allow port to be null in request type definition (#6589)
• 722d83b docs: replace redirected npm.im http-errors link (#6588)
• a1413de docs: fix incorrect code examples in Reply and Request reference (#6582)
• d7f01b6 docs: clarify content-type parser/schema mismatch is outside threat model (#6...
• a0649e9 docs: update syntax markdown, absolute paths and links (#6569)
• d477915 ci(link-checker): fix root-relative links resolution (#6535)
• Additional commits viewable in compare view

Updates happy-dom from 17.0.3 to 20.8.8

Release notes

Sourced from happy-dom's releases.

v20.8.8

👷‍♂️ Patch fixes

• Fixes issue where export names can be interpolated as executable code in ESM - By @​capricorn86 in task #2113
  • A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it may be possible to escape the VM context and get access to process level functionality in unsafe environments using CommonJS. Big thanks to @​tndud042713 for reporting this!

v20.8.7

👷‍♂️ Patch fixes

• Replace implementing Node.js Console with common IConsole interface to support latest version of Bun - By @​YevheniiKotyrlo in task #1845

v20.8.6

👷‍♂️ Patch fixes

• Request.formData() should honor "Content-Type" header - By @​brianhelba in task #2106

v20.8.5

👷‍♂️ Patch fixes

• Fixes error thrown when modifying DOM structure in connectedCallback() - By @​capricorn86 in task #2110

v20.8.4

👷‍♂️ Patch fixes

• Replace ConsoleConstructor import with indexed access type - By @​YevheniiKotyrlo in task #1845

v20.8.3

👷‍♂️ Patch fixes

• Throw error if event is not of type Event in EventTarget.dispatchEvent() - By @​capricorn86 in task #2054

v20.8.2

👷‍♂️ Patch fixes

• Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @​capricorn86 in task #2090

v20.8.1

👷‍♂️ Patch fixes

• Make "inert" attribute block focus interactions - By @​coffeeandwork in task #1422

v20.8.0

🎨 Features

• Adds support for setPointerCapture, hasPointerCapture, and releasePointerCapture to Element - By @​coffeeandwork in task #1733

v20.7.2

👷‍♂️ Patch fixes

• Properly decode CSS escape sequences in attribute selector values - By @​silverwind

v20.7.1

👷‍♂️ Patch fixes

• Fixes issue related to parsing direct descendants (>) and universal (*) query selectors - By @​Cherry in task #2078

v20.7.0

🎨 Features

• Adds support for Window.getScreenDetails() - By @​TrevorBurnham in task #1923
• Extends Screen from EventTarget - By @​TrevorBurnham in task #1923

... (truncated)

Commits

• 5437fdf fix: #2113 Fixes issue where export names can be interpolated as executable...
• 7e97acb fix: #1845 Replace implementing Node js Console with common IConsole interf...
• 3373929 fix: #2106 Request.formData() should honor Content-Type header (#2107)
• 55c17ba fix: #2110 Fixes error thrown when modifying DOM structure in connectedCall...
• 82a0888 fix: #1845 Replace ConsoleConstructor import with indexed access type (#2095)
• 5998eea fix: #2054 Throw error if event is not of type Event in dispatchEvent (#2092)
• 7a11238 fix: #2090 Resets cancelBubble and defaultPrevented when calling initEvent ...
• 7d27984 fix: #1422 Make inert attribute block focus interactions (#2083)
• 53e4ec9 feat: #1733 Adds support for setPointerCapture, hasPointerCapture, and rele...
• 1c73c3f fix: Properly decode CSS escape sequences in attribute selector values (#2080)
• Additional commits viewable in compare view

Updates hono from 4.7.2 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in honojs/hono#4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in honojs/hono#4792
• chore(builld): tsconfig project references by @​BarryThePenguin in honojs/hono#4797
• chore: add tsconfig.spec.json by @​yusukebe in honojs/hono#4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in honojs/hono#4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in honojs/hono#4782

New Contributors

• @​t0waxx made their first contribution in