build(deps): bump the npm_and_yarn group across 1 directory with 18 updates

[dependabot]

Bumps the npm_and_yarn group with 13 updates in the / directory:

Package	From	To
vitest	2.1.8	2.1.9
js-yaml	4.1.0	4.1.1
@strapi/strapi	5.9.0	5.24.2
qs	6.13.1	6.14.1
@sveltejs/kit	2.15.2	2.49.5
vite	5.4.11	5.4.21
@babel/helpers	7.26.0	7.28.6
brace-expansion	1.1.11	1.1.12
dompurify	3.2.3	3.3.1
form-data	4.0.1	4.0.5
formidable	2.1.2	2.1.5
jws	3.2.2	3.2.3
tar-fs	2.1.1	2.1.4

Updates vitest from 2.1.8 to 2.1.9

Release notes

Sourced from vitest's releases.

v2.1.9

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963
• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v2 - by @​hi-ogawa in vitest-dev/vitest#7318
• (backport #7340 to v2) restrict served files from /__screenshot-error - by @​hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

Commits

• c9e59a0 chore: release v2.1.9
• e0fe1d8 fix: backport #7317 to v2 (#7318)
• See full diff in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates @strapi/strapi from 5.9.0 to 5.24.2

Release notes

Sourced from @​strapi/strapi's releases.

v5.24.2

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of a vulnerably that were patched in this release, for now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched to give time for users to upgrade before we do public disclosure.

5.24.2 (2025-09-29)

🚀 New feature

• Advanced Session Configuration (#24346)

🔥 Bug fix

• database is corrupt with orphaned relations (#24316)
• assert admin.auth.secret on bootstrap instead of init (a1b9cf7971)
• support auth.options config in sessions (#24460)
• stop repair script from running automatically (#24470)

❤️ Thank You

• @​jhoward1994
• @​markkaylor
• @​Bassel17
• @​innerdvations
• Ziyi @​butcherZ
• Special thanks to @​laurenskling for all the help debugging and testing!

⚠️ Notice on Admin JWT Changes

This release fundamentally changes how Admin Panel login and register JWTs work from 5.23.6.

If your project or plugins rely on undocumented functionality or internal behavior related to the Admin JWT, those implementations are very likely to break after upgrading and affect your ability to log in to the Strapi Admin Panel.

For more information on the new feature configuration settings, please see the configuration docs for Users and Permissions and Admin Panel

v5.24.1

⚠️ This version is deprecated. Please use 5.24.2 🙏

5.24.1 (2025-09-25)

includes release notes from deprecated 5.24.0

🚀 New feature

• Advanced Session Configuration (#24346)

🔥 Bug fix

• database is corrupt with orphaned relations (#24316)
• assert admin.auth.secret on bootstrap instead of init (a1b9cf7971)

... (truncated)

Commits

• 69554ba release: 5.24.2
• 5a0234f ci: use betnami legacy
• a8cea31 fix: stop repair script from running automatically (#24470)
• 723a2f0 fix: support auth.options config in sessions (#24460)
• ff1eac6 release: 5.24.1
• a1b9cf7 fix: assert admin.auth.secret on bootstrap instead of init
• 43c849d Merge pull request #24446 from strapi/releases/5.24.0
• 628d1ac release: 5.24.0
• d23f148 feat: Advanced Session Configuration (#24346)
• 536eed0 fix: database is corrupt with orphaned relations (#24316)
• Additional commits viewable in compare view

Updates qs from 6.13.1 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

• [Fix] ensure arrayLength applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

Commits

• 3fa11a5 v6.14.1
• a626704 [Dev Deps] update npmignore
• 3086902 [Fix] ensure arrayLength applies to [] notation as well
• fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
• 0b06aac [Dev Deps] update @ljharb/eslint-config
• 64951f6 [Refactor] parse: extract key segment splitting helper
• e1bd259 [Dev Deps] update @ljharb/eslint-config
• f4b3d39 [eslint] add eslint 9 optional peer dep
• 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
• 973dc3c [actions] add workflow permissions
• Additional commits viewable in compare view

Updates @sveltejs/kit from 2.15.2 to 2.49.5

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.49.5

Patch Changes

• fix: avoid overriding Vite default base when running Vitest 4 (#14866)

• fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

• fix: add length checks to remote forms (8ed8155)

@​sveltejs/kit@​2.49.4

Patch Changes

• fix: support instrumentation for vite preview (#15105)

• fix: support for URLSearchParams.has(name, value) overload (#15076)

• fix: put forking behind experimental.forkPreloads (#15135)

@​sveltejs/kit@​2.49.3

Patch Changes

• fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#15121)

• fix: add typescript as an optional peer dependency (#15074)

• fix: use hasOwn check when deep-setting object properties (#15127)

@​sveltejs/kit@​2.49.2

Patch Changes

• fix: Stop re-loading already-loaded CSS during server-side route resolution (#15014)

• fix: posixify the instrumentation file import on Windows (#14993)

• fix: Correctly handle shared memory when decoding binary form data (#15028)

@​sveltejs/kit@​2.49.1

Patch Changes

• fix: suppress state_referenced_locally warnings in .svelte-kit/generated/root.svelte (#15013)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.49.5

Patch Changes

• fix: avoid overriding Vite default base when running Vitest 4 (#14866)

• fix: ensure url decoded pathnames are not mistaken as rerouted requests (d9ae9b0)

• fix: add length checks to remote forms (8ed8155)

2.49.4

Patch Changes

• fix: support instrumentation for vite preview (#15105)

• fix: support for URLSearchParams.has(name, value) overload (#15076)

• fix: put forking behind experimental.forkPreloads (#15135)

2.49.3

Patch Changes

• fix: avoid false-positive Vite config overridden warning when using Vitest 4 (#15121)

• fix: add typescript as an optional peer dependency (#15074)

• fix: use hasOwn check when deep-setting object properties (#15127)

2.49.2

Patch Changes

• fix: Stop re-loading already-loaded CSS during server-side route resolution (#15014)

• fix: posixify the instrumentation file import on Windows (#14993)

• fix: Correctly handle shared memory when decoding binary form data (#15028)

2.49.1

Patch Changes

... (truncated)

Commits

• 80ffb53 Version Packages (#15162)
• 8ed8155 Merge commit from fork
• d9ae9b0 Merge commit from fork
• ec4596a chore: Upgrade devalue (#15172)
• 81cd545 fix: avoid overriding Vite default base when running Vitest 4 (#14866)
• 6cf9491 chore: remove unused is_http_method helper and method set to (#15152)
• 3305022 Revert "breaking: remove buttonProps from experimental remote form function...
• 4f9870d breaking: remove buttonProps from experimental remote form functions (#14622)
• c8e4017 Version Packages (#15129)
• 50bf727 chore: fix prettier ignoring source code in with build in the name (#15133)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​sveltejs/kit since your current version.

Updates vite from 5.4.11 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates @babel/helpers from 7.26.0 to 7.28.6

Release notes

Sourced from @​babel/helpers's releases.

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • #17589 Improve Unicode handling in code-frame tokenizer (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17556 fix: transform-regenerator correctly handles scope (@​liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • #17538 fix: Keep jsx comments (@​liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • #17606 Polish(standalone): improve message on invalid preset/plugin (@​JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • #17580 Allow Babel 8 in compatible Babel 7 plugins (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-react-jsx
  • #17555 perf: Use lighter traversal for jsx __source,__self (@​liuxingbaoyu)

Committers: 7

• Babel Bot (@​babel-bot)
• Eliot Pontarelli (@​kolvian)
• Huáng Jùnliàng (@​JLHwung)
• Kadhirash Sivakumar (@​kadhirash)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• coderaiser (@​coderaiser)

v7.28.5 (2025-10-23)

Thank you @​CO0Ki3, @​Olexandr88, and @​youthfulhps for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@​liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@​fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@​CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@​JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@​JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

Changelog

Tags:

• 💥 [Breaking Change]
• 👓 [Spec Compliance]
• 🚀 [New Feature]
• 🐛 [Bug Fix]
• 📝 [Documentation]
• 🏠 [Internal]
• 💅 [Polish]

Note: Gaps between patch versions are faulty, broken or test releases.

This file contains the changelog starting from v7.15.0.

• See CHANGELOG - v7.0.0 to v7.14.9 for v7.0.0 to v7.14.9 changes.
• See CHANGELOG - v7 prereleases for v7.0.0-alpha.1 to v7.0.0-rc.4 changes.
• See CHANGELOG - v4, CHANGELOG - v5, and CHANGELOG - v6 for v4.x-v6.x changes.
• See CHANGELOG - 6to5 for the pre-4.0.0 version changelog.
• See Babylon's CHANGELOG for the Babylon pre-7.0.0-beta.29 version changelog.
• See babel-eslint's releases for the changelog before @babel/eslint-parser 7.8.0.
• See eslint-plugin-babel's releases for the changelog before @babel/eslint-plugin 7.8.0.

v7.28.5 (2025-10-23)

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@​liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@​fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@​CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@​JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@​JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring
  • #17519 fix: rest correctly returns plain array (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-plugin-transform-block-scoping, babel-plugin-transform-optional-chaining, babel-traverse, babel-types
  • #17503 Fix JSXIdentifier handling in isReferencedIdentifier (@​JLHwung)
• babel-traverse
  • #17504 fix: ensure scope.push register in anonymous fn (@​JLHwung)

🏠 Internal

• babel-types
  • #17494 Type checking babel-types scripts (@​JLHwung)

... (truncated)

Commits

• d7f4008 v7.28.6
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• c1b55f6 Use eslint.config.mts (#17573)
• 35055e3 v7.28.4
• 18d88b8 Improve @​babel/core typings (#17471)
• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• cac0ff4 v7.28.2
• f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
• baa4cb8 v7.27.6
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/helpers since your current version.

Updates @strapi/core from 5.9.0 to 5.34.0

Release notes

Sourced from @​strapi/core's releases.

v5.34.0

5.34.0 (2026-01-28)

🚀 New feature

• update german translations for various components (#24143)
• upload: add retroactive ai metadata generation (#25066)

🔥 Bug fix

• add missing labels to IT locale (#25217)
• form elements mobile adjustments (#25202)
• responsive cm header (#25203)
• run orphan removal for the 'related_type' column (#24833)
• adjust padding for cm subnav (#25253)
• admin: format input error message with values (#23932)
• i18n: ai translation losing unsupported fields (#25247)
• menu: render external links as anchors (#25269)

📚 Documentation Changes

• clarify strapi installation instructions in README (#25016)
• CONTRIBUTING: set link to latest version of .commitlintrc.ts (#25224)

⚙️ Chore

• update pinned elliptic (#25206)
• remove unused imports from react and @​strapi/design-system (#25222)
• update pinned dependencies express, qs, body-parser (#25209)
• remove in-app marketplace (#24958)
• update lodash to 4.17.23 (#25244)
• deps: bump lodash-es from 4.17.21 to 4.17.23 (#25239)
• upload: setup future flag for media lib redesign work (#25229)
• ‎.github/workflows: bump outdated GitHub Actions versions (#25233)

💅 Enhancement

• responsiveness consistency for subnav (#25107)

🚨 Security

• update pinned mdast-utils (#25227)
• update pinned js-yaml, node-forge, tmp, and more (#25228)

❤️ Thank You

• Adrien L
• Ben Irvin
• Boaz Poolman
• Jair Ortiz @​JairOrtizGutierrez

... (truncated)

Commits

• 47cff8e release: 5.34.0
• 482213f fix(menu): render external links as anchors (#25269)
• b624d87 fix(i18n): ai translation losing unsupported fields (#25247)
• cd57115 fix: adjust padding for cm subnav (#25253)
• 0a35ab3 fix(admin): format input error message with values (#23932)
• 2ad0f21 chore(‎.github/workflows): bump outdated GitHub Actions versions (#25233)
• 7aeba25 chore(deps): bump lodash-es from 4.17.21 to 4.17.23 (#25239)
• 168539f chore: update lodash to 4.17.23 (#25244)
• 732dcee feat(upload): add retroactive ai metadata generation (#25066)
• a25fbda fix: run orphan removal for the 'related_type' column (#24833)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bassel17, a new releaser for @​strapi/core since your current version.

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates devalue from 5.1.1 to 5.6.2

Release notes

Sourced from devalue's releases.

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

• 0623a47: fix: disallow array method access when parsing
• 0623a47: fix: disallow __proto__ properties on objects

v5.3.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

5.3.2

... (truncated)

Commits

• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• 83de81d Version Packages (#127)
• a3d09d4 Add value and root properties in DevalueError instances (#126)
• f4b37f3 Version Packages (#124)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates dompurify from 3.2.3 to 3.3.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

• Fixed several typos and removed clutter from our documentation, thanks @​Rotzbua
• Added matrix: as an allowed URI scheme, thanks @​kleinesfilmroellchen
• Added better config hardening against prototype pollution, thanks @​EffectRenan
• Added better handling of attribute removal, thanks @​michalnieruchalski-tiugo
• Added better configuration for aggressive mXSS scrubbing behavior, thanks @​BryanValverdeU
• Removed the script that caused the fake entry CVE-2025-48050

DOMPurify 3.2.5

• Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
• Added ESM type imports in source, removes patch function, thanks @​donmccurdy
• Added script to verify various TypeScript configurations, thanks @​reduckted
• Added more modern browsers to the Karma launchers list
• Added Node 23.x to tested runtimes, removed Node 17.x
• Fixed the generation of source maps, thanks @​reduckted
• Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
• Fixed a few typos in the README file

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

Commits

• 6fc446aDescription has been truncated

[dependabot]

Superseded by #856.