chore(deps): bump the npm_and_yarn group across 1 directory with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 19 updates in the / directory:

Package	From	To
@sentry/node	10.26.0	10.27.0
axios	1.13.2	1.15.0
multer	2.0.2	2.1.1
undici	7.16.0	7.25.0
brace-expansion	1.1.12	1.1.14
minimatch	3.1.2	3.1.5
defu	6.1.4	6.1.7
effect	3.18.4	3.21.0
fast-xml-parser	4.5.3	4.5.6
flatted	3.3.3	3.4.2
follow-redirects	1.15.11	1.16.0
jws	3.2.2	3.2.3
protobufjs	7.5.4	7.5.5
music-metadata	11.10.3	11.12.3
path-to-regexp	0.1.12	0.1.13
picomatch	2.3.1	2.3.2
qs	6.13.0	6.14.2
rollup	4.53.3	4.60.1
socket.io-parser	4.2.4	4.2.6

Updates @sentry/node from 10.26.0 to 10.27.0

Release notes

Sourced from @​sentry/node's releases.

10.27.0

Important Changes

• feat(deps): Bump OpenTelemetry (#18239)

  • Bump @​opentelemetry/context-async-hooks from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/core from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/resources from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-base from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-node from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/instrumentation from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-amqplib from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-aws-sdk from 0.59.0 to 0.64.0
  • Bump @​opentelemetry/instrumentation-connect from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-dataloader from 0.22.0 to 0.26.0
  • Bump @​opentelemetry/instrumentation-express from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-fs from 0.24.0 to 0.28.0
  • Bump @​opentelemetry/instrumentation-generic-pool from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-graphql from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-hapi from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-http from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-ioredis from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-kafkajs from 0.14.0 to 0.18.0
  • Bump @​opentelemetry/instrumentation-knex from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-koa from 0.52.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-lru-memoizer from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-mongodb from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-mongoose from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-mysql from 0.50.0 to 0.54.0
  • Bump @​opentelemetry/instrumentation-mysql2 from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-nestjs-core from 0.50.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-pg from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-redis from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-tedious from 0.23.0 to 0.27.0
  • Bump @​opentelemetry/instrumentation-undici from 0.15.0 to 0.19.0
  • Bump @​prisma/instrumentation from 6.15.0 to 6.19.0

• feat(browserprofiling): Add manual mode and deprecate old profiling (#18189)

  Adds the manual lifecycle mode for UI profiling (the default mode), allowing profiles to be captured manually with Sentry.uiProfiler.startProfiler() and Sentry.uiProfiler.stopProfiler(). The previous transaction-based profiling is with profilesSampleRate is now deprecated in favor of the new UI Profiling with profileSessionSampleRate.

Other Changes

• feat(core): Add gibibyte and pebibyte to InformationUnit type (#18241)
• feat(core): Add scope attribute APIs (#18165)
• feat(core): Re-add _experiments.enableLogs option (#18299)
• feat(core): Use maxValueLength on error messages (#18301)
• feat(deps): bump @​sentry/bundler-plugin-core from 4.3.0 to 4.6.1 (#18273)
• feat(deps): bump @​sentry/cli from 2.56.0 to 2.58.2 (#18271)
• feat(node): Add tracing support for AzureOpenAI (#18281)

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.27.0

Important Changes

• feat(deps): Bump OpenTelemetry (#18239)

  • Bump @​opentelemetry/context-async-hooks from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/core from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/resources from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-base from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/sdk-trace-node from ^2.1.0 to ^2.2.0
  • Bump @​opentelemetry/instrumentation from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-amqplib from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-aws-sdk from 0.59.0 to 0.64.0
  • Bump @​opentelemetry/instrumentation-connect from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-dataloader from 0.22.0 to 0.26.0
  • Bump @​opentelemetry/instrumentation-express from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-fs from 0.24.0 to 0.28.0
  • Bump @​opentelemetry/instrumentation-generic-pool from 0.48.0 to 0.52.0
  • Bump @​opentelemetry/instrumentation-graphql from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-hapi from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-http from 0.204.0 to 0.208.0
  • Bump @​opentelemetry/instrumentation-ioredis from 0.52.0 to 0.56.0
  • Bump @​opentelemetry/instrumentation-kafkajs from 0.14.0 to 0.18.0
  • Bump @​opentelemetry/instrumentation-knex from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-koa from 0.52.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-lru-memoizer from 0.49.0 to 0.53.0
  • Bump @​opentelemetry/instrumentation-mongodb from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-mongoose from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-mysql from 0.50.0 to 0.54.0
  • Bump @​opentelemetry/instrumentation-mysql2 from 0.51.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-nestjs-core from 0.50.0 to 0.55.0
  • Bump @​opentelemetry/instrumentation-pg from 0.57.0 to 0.61.0
  • Bump @​opentelemetry/instrumentation-redis from 0.53.0 to 0.57.0
  • Bump @​opentelemetry/instrumentation-tedious from 0.23.0 to 0.27.0
  • Bump @​opentelemetry/instrumentation-undici from 0.15.0 to 0.19.0
  • Bump @​prisma/instrumentation from 6.15.0 to 6.19.0

• feat(browserprofiling): Add manual mode and deprecate old profiling (#18189)

  Adds the manual lifecycle mode for UI profiling (the default mode), allowing profiles to be captured manually with Sentry.uiProfiler.startProfiler() and Sentry.uiProfiler.stopProfiler(). The previous transaction-based profiling is with profilesSampleRate is now deprecated in favor of the new UI Profiling with profileSessionSampleRate.

Other Changes

• feat(core): Add gibibyte and pebibyte to InformationUnit type (#18241)
• feat(core): Add scope attribute APIs (#18165)
• feat(core): Re-add _experiments.enableLogs option (#18299)
• feat(core): Use maxValueLength on error messages (#18301)
• feat(deps): bump @​sentry/bundler-plugin-core from 4.3.0 to 4.6.1 (#18273)
• feat(deps): bump @​sentry/cli from 2.56.0 to 2.58.2 (#18271)

... (truncated)

Commits

• 0b0151d release: 10.27.0
• 930863e Merge pull request #18312 from getsentry/prepare-release/10.27.0
• 02aa2ea meta(changelog): Update changelog for 10.27.0
• 6ce620e fix(core): Always redact content of sensitive headers regardless of `sendDefa...
• 235c865 feat(core): Re-add _experiments.enableLogs option (#18299)
• 4b92c64 fix(nextjs): universal random tunnel path support (#18257)
• 6240191 feat(core): Use maxValueLength on error messages (#18301)
• 1525603 feat(browserprofiling): Add manual mode and deprecate old profiling (#18189)
• 3d48cc6 chore: Add external contributor to CHANGELOG.md (#18300)
• b8127fb doc(sveltekit): Update documentation link for SvelteKit guide (#18298)
• Additional commits viewable in compare view

Updates axios from 1.13.2 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

• Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

• SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

• Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

• Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

• CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

• Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

• Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​Kilros0817 (#10625)
• @​shaanmajid (#10616, #10617, #10618, #10619, #10637, #10641, #10666)
• @​ashstrc (#10624, #10644)
• @​Abhi3975 (#10589)
• @​raashish1601 (#10573)

Full Changelog

---

v1.14.0 — March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

• Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

🐛 Bug Fixes

... (truncated)

Commits

• 772a4e5 chore(release): prepare release 1.15.0 (#10671)
• 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
• 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
• fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
• 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
• 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
• e66530e ci: require npm-publish environment for releases (#10666)
• 49f23cb chore(sponsor): update sponsor block (#10668)
• 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
• fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

• chore: add node version to 25.x in CI by @​imangas in expressjs/multer#1372
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @​dependabot[bot] in expressjs/multer#1378
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/multer#1377
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @​dependabot[bot] in expressjs/multer#1376
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @​dependabot[bot] in expressjs/multer#1375
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @​dependabot[bot] in expressjs/multer#1374
• fix error/abort handling by @​ctcpip in expressjs/multer#1373
• 2.1.1 by @​UlisesGascon in expressjs/multer#1380

New Contributors

• @​imangas made their first contribution in expressjs/multer#1372
• @​dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

Commits

• 368c8a1 2.1.1 (#1380)
• 7e66481 🐛 fix recursion issue
• 643571e ✅ add explicit test for client able to send body without abrupt disconnect
• e86fa52 fix error/abort handling
• ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
• 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
• bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
• c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
• fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
• 17d7f51 chore: add node version to 25.x in CI
• Additional commits viewable in compare view

Updates undici from 7.16.0 to 7.25.0

Release notes

Sourced from undici's releases.

v7.25.0

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in nodejs/undici#5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in nodejs/undici#4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in nodejs/undici#4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in nodejs/undici#4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in nodejs/undici#4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in nodejs/undici#4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in nodejs/undici#4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in nodejs/undici#4938
• ignore AGENTS.md by @​mcollina in nodejs/undici#4942

New Contributors

• @​samuel871211 made their first contribution in nodejs/undici#4924
• @​mistval made their first contribution in nodejs/undici#4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in nodejs/undici#4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in nodejs/undici#4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in nodejs/undici#4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in nodejs/undici#4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in nodejs/undici#4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in nodejs/undici#4834
• docs: clarify fetch and FormData pairing by @​mcollina in nodejs/undici#4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in nodejs/undici#4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in nodejs/undici#4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in nodejs/undici#4926
• test: auto-init WPT submodule by @​mcollina in nodejs/undici#4930

New Contributors

• @​rozzilla made their first contribution in nodejs/undici#4909
• @​veeceey made their first contribution in nodejs/undici#4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

... (truncated)

Commits

• 12d9045 Bumped v7.25.0 (#5025)
• 7a6f7fe Bumped v7.24.8 (#5020)
• 1f85ae4 fix: avoid 401 failures for stream-backed request bodies (#4941) (#5006)
• c661067 chore: update v7.x maintenance release flow
• 84f23e2 Bumped v7.24.7 (#4947)
• a770b10 ignore AGENTS.md (#4942)
• 6acd19b fix: correctly handle multi-value rawHeaders in fetch (#4938)
• 1da1c74 test: skip IPv6 tests when IPv6 is not available (#4939)
• 04cb773 fix(types): Fix clone method type declaration to be an instance method rather...
• 5145a7c fix(types): align Response with DOM fetch types (#4867)
• Additional commits viewable in compare view

Updates brace-expansion from 1.1.12 to 1.1.14

Commits

• 10c05fc 1.1.14
• 1afa1b2 Add opt-in { max } mitigation to v1 legacy line (#103)
• 2fbb6a2 Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)
• 0d7652e Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)
• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

• Correct the types export entry (#160)
• Export Defu types (#157)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

✅ Tests

• Add more tests for plain objects (b65f603)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

• defu.d.cts: Export Defu types (#157)

📦 Build

• Correct the types export entry (#160)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

❤️ Contributors

• Pooya Parsa (@​pi0)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

🏡 Chore

• Add tea.yaml (70cffe5)
• Update repo (23cc432)
• Fix typecheck (89df6bb)

✅ Tests

• Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits

• 80c0146 chore(release): v6.1.7
• 40d7ef4 fix(defu.d.cts): export Defu types (#157)
• 3d3a7c8 build: correct the types export entry (#160)
• 001c290 chore(release): v6.1.6
• 407b516 build: fix mixed types
• 23e59e6 chore(release): v6.1.5
• 11ba022 fix: ignore inherited enumerable properties
• 3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
• d3ef16d chore(deps): update actions/checkout action to v6 (#151)
• 869a053 chore(deps): update actions/setup-node action to v6 (#149)
• Additional commits viewable in compare view

Updates effect from 3.18.4 to 3.21.0

Release notes

Sourced from effect's releases.

effect@3.21.0

Minor Changes

• #5780 f7bb09b Thanks @​kitlangton! - Add Cron.prev and reverse iteration support, aligning next/prev lookup tables, fixing DST handling symmetry, and expanding cron backward/forward test coverage.

• #5780 bd7552a Thanks @​mattiamanzati! - Add type-level utils to asserting layer types

• #5780 ad1a7eb Thanks @​schickling! - RcMap: support dynamic idleTimeToLive values per key

  The idleTimeToLive option can now be a function that receives the key and returns a duration, allowing different TTL values for different resources.

  const map =
    yield *
    RcMap.make({
      lookup: (key: string) => acquireResource(key),
      idleTimeToLive: (key: string) => {
        if (key.startsWith("premium:")) return Duration.minutes(10)
        return Duration.minutes(1)
      }
    })

• #5780 0d32048 Thanks @​mikearnaldi! - Fix annotateCurrentSpan, add Effect.currentPropagatedSpan

Patch Changes

• #5780 0d32048 Thanks @​mikearnaldi! - Add logs to first propagated span, in the following case before this fix the log would not be added to the p span because Effect.fn adds a fake span for the purpose of adding a stack frame.

  import { Effect } from "effect"
  const f = Effect.fn(function* () {
  yield* Effect.logWarning("FooBar")
  return yield* Effect.fail("Oops")
  })
  const p = f().pipe(Effect.withSpan("p"))

effect@3.20.1

Patch Changes

• #6133 add06f4 Thanks @​aniravi24! - Fix Equal.equals crash when comparing null values inside structuralRegion. Added null guard before Object.getPrototypeOf calls to prevent TypeError: Cannot convert undefined or null to object.

• #6093