build(deps): bump the npm_and_yarn group across 2 directories with 21 updates

[dependabot]

Bumps the npm_and_yarn group with 16 updates in the / directory:

Package	From	To
vitest	2.1.8	2.1.9
js-yaml	4.1.0	4.1.1
@strapi/strapi	5.9.0	5.24.2
qs	6.13.1	6.14.2
@sveltejs/kit	2.15.2	2.52.2
svelte	4.2.19	5.51.5
vite	5.4.11	5.4.21
@babel/helpers	7.26.0	7.28.6
@isaacs/brace-expansion	5.0.0	5.0.1
brace-expansion	1.1.11	1.1.12
dompurify	3.2.3	3.3.1
form-data	4.0.1	4.0.5
formidable	2.1.2	2.1.5
jws	3.2.2	3.2.3
tar-fs	2.1.1	2.1.4
webpack	5.97.1	5.105.2

Bumps the npm_and_yarn group with 1 update in the /frontend directory: svelte.

Updates vitest from 2.1.8 to 2.1.9

Release notes

Sourced from vitest's releases.

v2.1.9

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963
• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v2 - by @​hi-ogawa in vitest-dev/vitest#7318
• (backport #7340 to v2) restrict served files from /__screenshot-error - by @​hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

Commits

• c9e59a0 chore: release v2.1.9
• e0fe1d8 fix: backport #7317 to v2 (#7318)
• See full diff in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates @strapi/strapi from 5.9.0 to 5.24.2

Release notes

Sourced from @​strapi/strapi's releases.

v5.24.2

⚠️ Security Warning and Notice ⚠️

Strapi was made aware of a vulnerably that were patched in this release, for now we are going to delay the detailed disclosure of the exact details on how to exploit it and how it was patched to give time for users to upgrade before we do public disclosure.

5.24.2 (2025-09-29)

🚀 New feature

• Advanced Session Configuration (#24346)

🔥 Bug fix

• database is corrupt with orphaned relations (#24316)
• assert admin.auth.secret on bootstrap instead of init (a1b9cf7971)
• support auth.options config in sessions (#24460)
• stop repair script from running automatically (#24470)

❤️ Thank You

• @​jhoward1994
• @​markkaylor
• @​Bassel17
• @​innerdvations
• Ziyi @​butcherZ
• Special thanks to @​laurenskling for all the help debugging and testing!

⚠️ Notice on Admin JWT Changes

This release fundamentally changes how Admin Panel login and register JWTs work from 5.23.6.

If your project or plugins rely on undocumented functionality or internal behavior related to the Admin JWT, those implementations are very likely to break after upgrading and affect your ability to log in to the Strapi Admin Panel.

For more information on the new feature configuration settings, please see the configuration docs for Users and Permissions and Admin Panel

v5.24.1

⚠️ This version is deprecated. Please use 5.24.2 🙏

5.24.1 (2025-09-25)

includes release notes from deprecated 5.24.0

🚀 New feature

• Advanced Session Configuration (#24346)

🔥 Bug fix

• database is corrupt with orphaned relations (#24316)
• assert admin.auth.secret on bootstrap instead of init (a1b9cf7971)

... (truncated)

Commits

• 69554ba release: 5.24.2
• 5a0234f ci: use betnami legacy
• a8cea31 fix: stop repair script from running automatically (#24470)
• 723a2f0 fix: support auth.options config in sessions (#24460)
• ff1eac6 release: 5.24.1
• a1b9cf7 fix: assert admin.auth.secret on bootstrap instead of init
• 43c849d Merge pull request #24446 from strapi/releases/5.24.0
• 628d1ac release: 5.24.0
• d23f148 feat: Advanced Session Configuration (#24346)
• 536eed0 fix: database is corrupt with orphaned relations (#24316)
• Additional commits viewable in compare view

Updates qs from 6.13.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates @sveltejs/kit from 2.15.2 to 2.52.2

Release notes

Sourced from @​sveltejs/kit's releases.

@​sveltejs/kit@​2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

@​sveltejs/kit@​2.52.0

Minor Changes

• feat: match function to map a path back to a route id and params (#14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

• fix: resolve will narrow types to follow trailing slash page settings (#15027)

@​sveltejs/kit@​2.51.0

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

  Navigation callbacks (beforeNavigate, onNavigate, and afterNavigate) now include scroll position information via the scroll property on from and to targets:

  • from.scroll: The scroll position at the moment navigation was triggered
  • to.scroll: In beforeNavigate and onNavigate, this is populated for popstate navigations (back/forward) with the scroll position that will be restored, and null for other navigation types. In afterNavigate, this is always the final scroll position after navigation completed.

  This enables use cases like animating transitions based on the target scroll position when using browser back/forward navigation.

• feat: hydratable's injected script now works with CSP (#15048)

Patch Changes

• fix: put preloads before styles (#15232)

• fix: suppress false-positive inner content warning when children prop is forwarded to a child component (#15269)

• fix: fetch not working when URL is same host but different than paths.base (#15291)

• fix: navigate to hash link when base element is present (#15236)

... (truncated)

Changelog

Sourced from @​sveltejs/kit's changelog.

2.52.2

Patch Changes

• fix: validate form file information to prevent amplification attacks (3e607b3)

• chore: upgrade devalue and svelte (#15339)

• fix: parse file offset table more strictly (f47c01b)

2.52.1

Patch Changes

• fix: clear stale preflight issues on subsequent valid form submissions (#15281)

• chore: remove dependency on sade (#15272)

• fix: include .txt files in precompression (#15259)

• fix: escape backticks and dollar signs when creating inlined css (#15320)

• fix: increment form.pending count before preflight validation (#15279)

2.52.0

Minor Changes

• feat: match function to map a path back to a route id and params (#14997)

Patch Changes

• fix: respect scroll-margin when navigating to a url-supplied anchor (#15246)

• fix: resolve will narrow types to follow trailing slash page settings (#15027)

2.51.0

Minor Changes

• feat: add scroll property to NavigationTarget in navigation callbacks (#15248)

... (truncated)

Commits

• 9c4a737 Version Packages (#15338)
• 3e607b3 Merge commit from fork
• 62991c8 chore: upgrade devalue and svelte (#15339)
• f47c01b Merge commit from fork
• 6f69ded Version Packages (#15321)
• e87efba fix: clear stale preflight issues on subsequent valid form submissions (#15281)
• 4f367d5 chore: fix Node 18 CI by changing .remote.js import to .remote.ts (#15331)
• 20dfadf fix: escape backticks and dollar signs before creating interpolated string (#...
• 8c2384a fix: increment form.pending count before preflight validation (#15279)
• 71ddbc7 chore: remove dependency on sade (#15272)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​sveltejs/kit since your current version.

Updates svelte from 4.2.19 to 5.51.5

Release notes

Sourced from svelte's releases.

svelte@5.51.5

Patch Changes

• fix: check to make sure svelte:element tags are valid during SSR (73098bb26c6f06e7fd1b0746d817d2c5ee90755f)

• fix: misc option escaping and backwards compatibility (#17741)

• fix: strip event handlers during SSR (a0c7f289156e9fafaeaf5ca14af6c06fe9b9eae5)

• fix: replace usage of for in with for of Object.keys (f89c7ddd7eebaa1ef3cc540400bec2c9140b330c)

• fix: always escape option body in SSR (f7c80da18c215e3727c2a611b0b8744cc6e504c5)

• chore: upgrade devalue (#17739)

svelte@5.51.4

Patch Changes

• chore: proactively defer effects in pending boundary (#17734)

• fix: detect and error on non-idempotent each block keys in dev mode (#17732)

svelte@5.51.3

Patch Changes

• fix: prevent event delegation logic conflicting between svelte instances (#17728)

• fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#17712)

• fix: locate Rollup annontaion friendly to JS downgraders (#17724)

• fix: run effects in pending snippets (#17719)

svelte@5.51.2

Patch Changes

• fix: take async into consideration for dev delegated handlers (#17710)

• fix: emit state_referenced_locally warning for non-destructured props (#17708)

svelte@5.51.1

Patch Changes

• fix: don't crash on undefined document.contentType (#17707)

• fix: use symbols for encapsulated event delegation (#17703)

svelte@5.51.0

Minor Changes

... (truncated)

Changelog

Sourced from svelte's changelog.

5.51.5

Patch Changes

• fix: check to make sure svelte:element tags are valid during SSR (73098bb26c6f06e7fd1b0746d817d2c5ee90755f)

• fix: misc option escaping and backwards compatibility (#17741)

• fix: strip event handlers during SSR (a0c7f289156e9fafaeaf5ca14af6c06fe9b9eae5)

• fix: replace usage of for in with for of Object.keys (f89c7ddd7eebaa1ef3cc540400bec2c9140b330c)

• fix: always escape option body in SSR (f7c80da18c215e3727c2a611b0b8744cc6e504c5)

• chore: upgrade devalue (#17739)

5.51.4

Patch Changes

• chore: proactively defer effects in pending boundary (#17734)

• fix: detect and error on non-idempotent each block keys in dev mode (#17732)

5.51.3

Patch Changes

• fix: prevent event delegation logic conflicting between svelte instances (#17728)

• fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#17712)

• fix: locate Rollup annontaion friendly to JS downgraders (#17724)

• fix: run effects in pending snippets (#17719)

5.51.2

Patch Changes

• fix: take async into consideration for dev delegated handlers (#17710)

• fix: emit state_referenced_locally warning for non-destructured props (#17708)

5.51.1

Patch Changes

• fix: don't crash on undefined document.contentType (#17707)

... (truncated)

Commits

• 8ea33bf Version Packages (#17740)
• f855a0b fix: misc option escaping and backwards compatibility (#17741)
• 781052e chore: upgrade devalue (#17739)
• f7c80da Merge commit from fork
• a0c7f28 Merge commit from fork
• 73098bb Merge commit from fork
• f89c7dd Merge commit from fork
• b8f2b86 Version Packages (#17733)
• c83aa06 chore: proactively defer effects in pending boundary (#17734)
• 2287ad0 fix: detect and error on non-idempotent each block keys in dev mode (#17732)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for svelte since your current version.

Updates vite from 5.4.11 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates @babel/helpers from 7.26.0 to 7.28.6

Release notes

Sourced from @​babel/helpers's releases.

v7.28.6 (2026-01-12)

Thanks @​kadhirash and @​kolvian for your first PRs!

🐛 Bug Fix

• babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types
  • #17589 Improve Unicode handling in code-frame tokenizer (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17556 fix: transform-regenerator correctly handles scope (@​liuxingbaoyu)
• babel-plugin-transform-react-jsx
  • #17538 fix: Keep jsx comments (@​liuxingbaoyu)

💅 Polish

• babel-core, babel-standalone
  • #17606 Polish(standalone): improve message on invalid preset/plugin (@​JLHwung)

🏠 Internal

• babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex
  • #17580 Allow Babel 8 in compatible Babel 7 plugins (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-react-jsx
  • #17555 perf: Use lighter traversal for jsx __source,__self (@​liuxingbaoyu)

Committers: 7

• Babel Bot (@​babel-bot)
• Eliot Pontarelli (@​kolvian)
• Huáng Jùnliàng (@​JLHwung)
• Kadhirash Sivakumar (@​kadhirash)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu
• coderaiser (@​coderaiser)

v7.28.5 (2025-10-23)

Thank you @​CO0Ki3, @​Olexandr88, and @​youthfulhps for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@​liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@​fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@​CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@​JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@​JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring

... (truncated)

Commits

• d7f4008 v7.28.6
• 99dcba5 chore: enable some ts-eslint rules (#17592)
• c1b55f6 Use eslint.config.mts (#17573)
• 35055e3 v7.28.4
• 18d88b8 Improve @​babel/core typings (#17471)
• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• cac0ff4 v7.28.2
• f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
• baa4cb8 v7.27.6
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​babel/helpers since your current version.

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates @strapi/core from 5.9.0 to 5.36.1

Release notes

Sourced from @​strapi/core's releases.

v5.36.1

5.36.1 (2026-02-18)

🔥 Bug fix

• handle undefined tours property (#25290)
• core: handle negative and zero min/max validation for number fields (#25409)
• history: improve error handling and batch deletion in cron jobs (#25425)
• migrations: speed up discard-drafts with bulk batches (#25293)
• ts: ignore generated .strapi folder (#25086)
• utils: bump preferred-pm to fix npm workspace detection (#25406)

⚙️ Chore

• add --no-build-admin option to 'strapi develop' command (#25415)
• */vitest: introduce Vitest and vitest-config package (#25286)
• ci: redirect question issues to GitHub Discussions (#25441)
• deps: bump @​casl/ability from 6.5.0 to 6.7.5 (#25430)
• deps: bump qs from 6.14.1 to 6.14.2 (#25444)

🚨 Security

• upgrade to tar 7 (#25380)
• update react-router (#25391)
• deps: upgrade axios from v1.12.2 to v1.13.5 (#25427)

❤️ Thank You

• Andrei L @​unrevised6419
• Bassel Kanso @​Bassel17
• Ben Irvin
• DMehaffy
• Florent Baldino @​Baldinof
• Jamie Howard @​jhoward1994
• Jonas Thelemann
• Josh Stuible
• Nico André
• SARGUNESH S V @​sargunesh25
• Simen @​Eventyret

v5.36.0

5.36.0 (2026-02-11)

🚀 New feature

• persistent list view settings (#24246)
• strapi/create: type strapi configs (#21859)
• upload-aws-s3: add extended configuration for S3-compatible providers (#25263)

🔥 Bug fix

... (truncated)

Commits

• 6187e8a release: 5.36.1
• 761c7ba Fix placeholder/default issues in color picker custom field (#23855)
• cf7633d future(upload): small chores (#25470)
• 6fd7554 security(deps): upgrade axios from v1.12.2 to v1.13.5 (#25427)
• 1095610 fix(history): improve error handling and batch deletion in cron jobs (#25425)
• e5475e9 future(upload): add upload progress dialog (#25378)
• b4c6343 fix: handle undefined tours property (#25290)
• 07f9531 chore(deps): bump qs from 6.14.1 to 6.14.2 (#25444)
• 6c7927e test(api): remove the expiresin warnings (again) (#25440)
• 2a81484 chore(ci): redirect question issues to GitHub Discussions (#25441)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bassel17, a new releaser for @​strapi/core since your current version.

Updates brace-expansion from 1.1.11 to 1.1.12

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates devalue from 5.1.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits

• a4a37d2 Version Packages (#132)