Depfu

🚨 [security] Update all of nextjs 12.2.4 → 15.5.2 (major)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint-config-next (12.2.4 → 15.5.2)

Sorry, we couldn’t find anything useful about this release.

✳️ next (12.2.4 → 15.5.2) · Repo

Security Advisories 🚨

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.JS vulnerability can lead to DoS via cache poisoning

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

Allam Rachid zhero;

Allam Yasser (inzo)

🚨 Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js authorization bypass vulnerability

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

🚨 Denial of Service condition in Next.js image optimization

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.

The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

Next.js between 13.5.1 and 14.2.9

Using pages router

Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

Deployments using only app router

Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

Allam Rachid (zhero_)

Henry Chen

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

Next.js between 13.5.1 and 14.2.9

Using pages router

Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

Deployments using only app router

Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

Allam Rachid (zhero_)

Henry Chen

🚨 Next.js Denial of Service (DoS) condition

Impact

A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.

This vulnerability can affect all Next.js deployments on the affected versions.

Patches

This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credit

Thai Vu of flyseccorp.com

Aonan Guan (@0dd), Senior Cloud Security Engineer

🚨 Next.js Vulnerable to HTTP Request Smuggling

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

🚨 Next.js Server-Side Request Forgery in Server Actions

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

Next.js (<14.1.1) is running in a self-hosted* manner.

The Next.js application makes use of Server Actions.

The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

🚨 Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ @next/env (indirect, 12.2.4 → 15.5.2) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ @next/eslint-plugin-next (indirect, 12.2.4 → 15.5.2)

Sorry, we couldn’t find anything useful about this release.

↗️ @rushstack/eslint-patch (indirect, 1.1.4 → 1.12.0)

Sorry, we couldn’t find anything useful about this release.

↗️ @swc/helpers (indirect, 0.4.3 → 0.5.15) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ array-includes (indirect, 3.1.5 → 3.1.9) · Repo · Changelog

Release Notes

3.1.9 (from changelog)

Commits

[Deps] update call-bind, es-abstract, es-object-atoms, get-intrinsic, is-string 3b934ae

[Refactor] use call-bound and math-intrinsics directly 160ea60

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, hastrict-mode, tape 4e4c67d

[Tests] replace aud with npm audit 9c5ec1c

[Dev Deps] add missing peer dep 863d207

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ array.prototype.flat (indirect, 1.3.0 → 1.3.3) · Repo · Changelog

Release Notes

1.3.3 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 1afcd57

[Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables 152c437

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, function-bind npmignore, object-inspect, tape e39e33d

[Tests] replace aud with npm audit 6868723

[Dev Deps] add missing peer dep 800f3e3

1.3.2 (from changelog)

Commits

[Deps] update define-properties, es-abstract fb625eb

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, object-inspect, tape 1fde275

1.3.1 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file e339ed7

[meta] add auto-changelog bb5cbd6

[Deps] update define-properties, es-abstract 8067910

[actions] update rebase action to use reusable workflow d4d9b28

[Dev Deps] update aud, object-inspect, tape d9d7300

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

↗️ array.prototype.flatmap (indirect, 1.3.0 → 1.3.3) · Repo · Changelog

Release Notes

1.3.3 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 8727281

[Tests] add test coverage 6e78327

[Deps] update call-bind, es-abstract e027dd1

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, object-inspect, tape 7322d84

[Dev Deps] update aud, npmignore, object-inspect, tape 958bf5c

[Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables b3698fb

[Tests] replace aud with npm audit e0461ed

[Dev Deps] add missing peer dep e7160b5

1.3.2 (from changelog)

Commits

[Deps] update define-properties, es-abstract 1737863

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, object-inspect, tape 2337759

1.3.1 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file 3587a34

[meta] add auto-changelog d66bdea

[Deps] update define-properties, es-abstract d64c486

[actions] update rebase action to use reusable workflow 8d657d0

[Dev Deps] update aud, object-inspect, tape aa22741

[Tests] use for-each instead of foreach 748a78d

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ axe-core (indirect, 4.4.3 → 4.10.3) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ braces (indirect, 3.0.2 → 3.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ call-bind (indirect, 1.0.2 → 1.0.8) · Repo · Changelog

Release Notes

1.0.8 (from changelog)

Commits

[Refactor] extract out some helpers and avoid get-intrinsic usage 407fd5e

[Refactor] replace code with extracted call-bind-apply-helpers 81018fb

[Tests] use set-function-length/env 0fc311d

[actions] split out node 10-20, and 20+ 77a0cad

[Dev Deps] update @ljharb/eslint-config, auto-changelog, es-value-fixtures, gopd, object-inspect, tape a145d10

[Tests] replace aud with npm audit 30ca3dd

[Deps] update set-function-length 57c79a3

[Dev Deps] add missing peer dep 601cfa5

1.0.7 (from changelog)

Commits

[Refactor] use es-define-property 09b76a0

[Deps] update get-intrinsic, set-function-length ad5136d

1.0.6 (from changelog)

Commits

[Dev Deps] update aud, npmignore, tape d564d5c

[Deps] update get-intrinsic, set-function-length cfc2bdc

[Refactor] use es-errors, so things that only need those do not need get-intrinsic 64cd289

[meta] add missing engines.node 32a4038

1.0.5 (from changelog)

Commits

[Fix] throw an error on non-functions as early as possible f262408

[Deps] update set-function-length 3fff271

1.0.3 (from changelog)

Commits

[actions] reuse common workflows a994df6

[meta] use npmignore to autogenerate an npmignore file eef3ef2

[readme] flesh out content 1845ccf

[actions] use node/install instead of node/run; use codecov action 5b47d53

[Refactor] use set-function-length a0e165c

[Dev Deps] update @ljharb/eslint-config, aud, tape 9c50103

[meta] simplify "exports" 019c6d0

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, safe-publish-latest, tape 23bd718

[actions] update codecov uploader 62552d7

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape ec81665

[Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape 35d67fc

[Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 0266d8d

[Dev Deps] update @ljharb/eslint-config, aud, tape 43a5b28

[Deps] update define-data-property, function-bind, get-intrinsic 780eb36

[Dev Deps] update aud, tape 90d50ad

[meta] use prepublishOnly script for npm 7+ 44c5433

[Deps] update get-intrinsic 86bfbfc

[Deps] update get-intrinsic 5c53354

[actions] update checkout action 4c393a8

[Deps] update get-intrinsic 4e70bde

[Deps] update get-intrinsic 55ae803

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

↗️ caniuse-lite (indirect, 1.0.30001374 → 1.0.30001737) · Repo · Changelog

↗️ debug (indirect, 4.3.4 → 4.4.1) · Repo · Changelog

Release Notes

4.4.1

What's Changed

fix(Issue-996): replace whitespaces in namespaces string with commas globally by @pdahal-cx in #997

fixes #987 fallback to localStorage.DEBUG if debug is not defined by @lzilioli in #988

New Contributors

@pdahal-cx made their first contribution in #997

@lzilioli made their first contribution in #988

Full Changelog: 4.4.0...4.4.1

4.4.0

Fixes (hopefully) the inefficient regex warnings in .enable().

Minor version as this is invariably going to break certain users who misuse the .enable() API and expected it to work with regexes, which was never supported nor documented. That's on you, sorry - that functionality won't be added back.

Full Changelog: 4.3.7...4.4.0

4.3.7

What's Changed

Upgrade ms to version 2.1.3 by @realityking in #819

Full Changelog: 4.3.6...4.3.7

4.3.6

What's Changed

Avoid using deprecated RegExp.$1 by @bluwy in #969

New Contributors

@bluwy made their first contribution in #969

Full Changelog: 4.3.5...4.3.6

4.3.5

Patch

cac39b1 Fix/debug depth (#926)

Thank you @calvintwr for the fix.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ define-properties (indirect, 1.1.4 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Commits

[Refactor] use define-data-property e7782a7

[actions] use reusable rebase action cd249c3

[Dev Deps] update @ljharb/eslint-config, aud, tape 8205f97

1.2.0 (from changelog)

Commits

[New] if the predicate is boolean true, it compares the existing value with === as the predicate d8dd6fc

[meta] add auto-changelog 7ebe2b0

[meta] use npmignore to autogenerate an npmignore file 647478a

[Dev Deps] update @ljharb/eslint-config, aud, tape e620d70

[Dev Deps] update aud, tape f1e5072

[actions] update checkout action 628b3af

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ es-abstract (indirect, 1.20.1 → 1.24.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ es-to-primitive (indirect, 1.2.1 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0 (from changelog)

Commits

[actions] reuse common workflows bb72efc

[Tests] use es-value-fixtures a912f7b

[Tests] migrate tests to Github Actions 510baf0

[New] add types 69ba1fd

[meta] remove unused Makefile 4ea66e6

[actions] use node/install instead of node/run; use codecov action 3c31937

[meta] do not publish github action workflow files 389567e

[meta] use npmignore to autogenerate an npmignore file 9f3aa76

[actions] split out node 10-20, and 20+ c60d7d8

[Tests] run nyc on all tests; use tape runner 29cbb89

[meta] add auto-changelog ea744b2

[Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, has-symbols, object-inspect, object-is, tape e5c3c79

[actions] add automatic rebasing / merge commit blocking a5a6f00

[Dev Deps] update @ljharb/eslint-config, es-value-fixtures, function.prototype.name, npmignore, object-inspect, object-is, tape 7941fd5

[Dev Deps] update eslint, @ljharb/eslint-config, aud, es-value-fixtures, foreach, object-inspect, tape eb1c79c

[Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, object-inspect, safe-publish-latest, tape 249b42f

[Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, object-inspect, object-is, tape d57d5e9

[actions] update codecov uploader 003b62c

[actions] add "Allow Edits" workflow 75ee990

[Dev Deps] update eslint, @ljharb/eslint-config, tape, object-is; add safe-publish-latest ba5da7b

[readme] remove travis badge 6f7aec7

[Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, tape 3291fd5

[Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, has-symbols, object-inspect 53007f2

[actions] update checkout action 69640db

[Dev Deps] update eslint, @ljharb/eslint-config, object-is, tape; add aud c9d644e

[Tests] use for-each instead of foreach e9117bb

[readme] add github actions/codecov badges 53cd375

[Deps] update is-callable, is-date-object, is-symbol 8116c68

[Tests] fix test skipping for Symbol.toPrimitive e6268ef

[actions] switch Automatic Rebase workflow to pull_request_target event da41c40

[Deps] update is-callable, is-date-object 96fe13f

[Tests] replace aud with npm audit 0b53154

[meta] use prepublishOnly script for npm 7+ 9d7d485

[Deps] update is-callable 3c990b6

[Deps] update is-callable 9bcfff2

[Deps] update is-callable 1eb5478

[meta] only run aud on prod deps 1fcd896

[Deps] update is-symbol 7174a47

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

↗️ eslint-import-resolver-node (indirect, 0.3.6 → 0.3.9) · Repo · Changelog

↗️ eslint-module-utils (indirect, 2.7.3 → 2.12.1) · Repo · Changelog

Release Notes

2.12.0 (from changelog)

Added

Ignore type imports for named rule (#931, thanks @mattijsbliek)

Add documentation for no-useless-path-segments rule (#1068, thanks @manovotny)

packageDir option for no-extraneous-dependencies can be array-valued (#1085, thanks @hulkish)

2.11.0 (from changelog)

Added

Fixer for first (#1046, thanks @fengkfengk)

allow-require option for no-commonjs rule (#880, thanks @futpib)

Fixed

memory/CPU regression where ASTs were held in memory (#1058, thanks @klimashkin/@lukeapage)

2.10.0 (from changelog)

Added

Autofixer for order rule (#908, thanks @tihonove)

Add no-cycle rule: reports import cycles.

2.9.0 (from changelog)

Added

Add group-exports rule: style-guide rule to report use of multiple named exports (#721, thanks @robertrossmann)

Add no-self-import rule: forbids a module from importing itself. (#727, #449, #447, thanks @giodamelio).

Add no-default-export rule (#889, thanks @isiahmeadows)

Add no-useless-path-segments rule (#912, thanks @graingert and @danny-andrews)

... and more! check the commits for v2.9.0

2.8.0 (from changelog)

Added

exports-last rule (#620 + #632, thanks @k15a)

Changed

Case-sensitivity checking ignores working directory and ancestors. (#720 + #858, thanks @laysent)

Fixed

support scoped modules containing hyphens (#744, thanks @rosswarren)

core-modules now resolves files inside declared modules (#886 / #891, thanks @mplewis)

TypeError for missing AST fields from TypeScript (#842 / #944, thanks @alexgorbatchev)

Does any of this look wrong? Please let us know.

↗️ eslint-plugin-import (indirect, 2.26.0 → 2.32.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Release Notes

6.10.2 (from changelog)

Fixed

[patch] no-redundandant-roles: allow <img src="*.svg" role="img" /> #936

Commits

[meta] fix changelog URLs 0d01a1a

[Refactor] remove no-longer-needed es-iterator-helpers aa075bd

[Refactor] avoid spreading things that are already arrays d15d3ab

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register 5dad7c4

[Tests] aria-role: Add valid test for <svg role="img" /> daba189

[Docs] label-has-associated-control: add line breaks for readability 0bc6378

[Tests] label-has-associated-control: add additional test cases 30d2318

[Tests] Add tests to reinforce required attributes for role="heading" d92446c

6.10.1 (from changelog)

Commits

[Fix] handle interactive/noninteractive changes from aria-query 4925ba8

[Docs] Use consistent spelling of 'screen reader' cb6788c

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, auto-changelog, eslint-plugin-import, tape 518a77e

[Deps] update es-iterator-helpers, string.prototype.includes eed03a3

[meta] package.json - Update jscodeshift & remove babel-jest 2ee940c

[Docs] Remove accidental whitespace in CONTRIBUTING.md a262131

[Deps] unpin aria-query e517937

6.10.0 (from changelog)

Fixed

[New] label-has-associated-control: add additional error message #1005

[Fix] label-has-associated-control: ignore undetermined label text #966

Commits

[Tests] switch from jest to tape a284cbf

[New] add eslint 9 support deac4fd

[New] add attributes setting a1ee7f8

[New] allow polymorphic linting to be restricted 6cd1a70

[Tests] remove duplicate tests 74d5dec

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types 6eca235

[readme] remove deprecated travis ci badge; add github actions badge 0be7ea9

[Tests] use npm audit instead of aud 05a5e49

[Deps] update axobject-query 912e98c

[Deps] unpin axobject-query 75147aa

[Deps] update axe-core 27ff7cb

[readme] fix jsxA11y import name ce846e0

[readme] fix typo in shareable config section in readme cca288b

6.9.0

Added

add support for Flat Config 6b5f096

no-noninteractive-element-to-interactive-role: allow menuitemradio and menuitemcheckbox on <li> c0733f9

Fixed

img-redundant-alt: fixed multibyte character support #969

Revert "[Fix] isNonInteractiveElement: Upgrade aria-query to 5.3.0 and axobject-query to 3.2.1" 75d5dd7

ensure summary remains non-interactive 6a048da

Changed

[meta] fix changelog links #960

[Robustness] use safe-regex-test 4c7e781

[actions] update actions/checkout 51a1ca7

[Deps] pin aria-query and axobject-query, add ls-engines test to CI 32fd82c

[Deps] remove @babel/runtime 0a98ad8

[Deps] unpin axe-core b3559cf

[Deps] move object.entries to dev deps 1be7b70

Full Changelog: v6.8.0...v6.9.0

6.8.0 (from changelog)

Merged

Allow title attribute or aria-label attribute instead of accessible child in the "anchor-has-content" rule #727

Fixed

[Docs] aria-activedescendant-has-tabindex: align with changes from #708 #924

[Fix] control-has-associated-label: don't accept whitespace as an accessible label #918

Commits

[Tests] migrate helper parsers function from eslint-plugin-react ce4d57f

[Refactor] use es-iterator-helpers 52de824

[New] mouse-events-have-key-events: add hoverInHandlers/hoverOutHandlers config db64898

[New] add polymorphicPropName setting for polymorphic components fffb05b

[Fix] isNonInteractiveElement: Upgrade aria-query to 5.3.0 and axobject-query to 3.2.1 64bfea6

[Refactor] use hasown instead of has 9a8edde

[actions] update used actions 10c061a

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, aud, eslint-doc-generator, eslint-plugin-import, minimist 6d5022d

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/register, eslint-doc-generator, eslint-plugin-import 4dc7f1e

[New] anchor-has-content: Allow title attribute OR aria-label attribute e6bfd5c

[patch] mouse-events-have-key-events: rport the attribute, not the node eadd70c

[Deps] update @babel/runtime, array-includes, array.prototype.flatmap, object.entries, object.fromentries 46ffbc3

[Deps] update @babel/runtime, axobject-query, jsx-ast-utils, semver 5999555

[Fix] pin aria-query and axe-core to fix failing tests on main 8d8f016

[patch] move semver from Deps to Dev Deps 4da13e7

[Deps] update ast-types-flow b755318

[Dev Deps] update eslint-plugin-import f1c976b

[Deps] unpin language-tags 3d1d26d

[Docs] no-static-element-interactions: tabIndex is written tabindex 1271153

[Deps] Upgrade ast-types-flow to mitigate Docker user namespacing problems f0d2ddb

[Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 0c278f4

6.7.1 (from changelog)

Commits

[Fix] no-aria-hidden-on-focusable rule's missing export b01219e

6.7.0 (from changelog)

Merged

New rule: prefer-tag-over-role #833

Fixed

[Tests] aria-role: add now-passing test #756

[Docs] control-has-associated-label: fix metadata #892

[New] add no-aria-hidden-on-focusable rule #881

Commits

[Docs] automate docs with eslint-doc-generator 6d7a857

[Refactor] use fromEntries, flatMap, etc; better use iteration methods 3d77c84

[New] add anchor-ambiguous-text rule 7f6463e

[New] add getAccessibleChildText util 630116b

[New] Add isFocusable utils method e199d17

[Docs] update eslint-doc-generator to v1.0.0 6b9855b

[Fix] no-noninteractive-element-interactions: Ignore contenteditable elements in no-noninteractive-element-interactions 9aa878b

[New] anchor-ambiguous-text: ignore punctuation bbae2c4

[New] anchor-ambiguous-text, getAccessibleChildText: Implements check for alt tags on <img /> elements bb84abc

[meta] use npmignore to autogenerate an npmignore file 6ad2312

[meta] add auto-changelog 283817b

[Docs] missing descriptions in some rules 79b975a

[Deps] update aria-query, axobject-query 7b3cda3

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, aud, object.assign 0852947

[meta] move .eslintignore to ignorePatterns 65be35b

[Dev Deps] update @babel/cli, @babel/core, aud, eslint-doc-generator 60c2df5

[Deps] update @babel/runtime, array-includes, axe-core 4abc751

[Deps] update @babel/runtime, axe-core 89f766c

[meta] run the build in prepack, not prepublish e411ce3

[Dev Deps] update @babel/core, minimist cccdb62

[Dev Deps] update markdown-magic 3382059

[Fix] expose prefer-tag-over-role 38d52f8

[Docs] label-has-for: reran generate-list-of-rules 9a2af01

[Deps] pin language-tags to v1.0.5 f84bb74

[Dev Deps] update @babel/core cf3f8d0

[Deps] update axe-core 0a73cf4

[Deps] update @babel/runtime 053f04d

[Deps] update @babel/runtime bccf0ae

[Deps] update jsx-ast-utils c9687cc

[readme] Preventing code repetition in user's eslint config file 8b889bf

[Docs] prefer-tag-over-role: rename docs file 0bdf95b

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-plugin-react (indirect, 7.30.1 → 7.37.5) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-plugin-react-hooks (indirect, 4.6.0 → 5.2.0) · Repo · Changelog

↗️ eslint-visitor-keys (indirect, 3.3.0 → 3.4.3) · Repo · Changelog

Release Notes

3.4.3

3.4.3 (2023-08-08)

Chores

Add back add-to-triage (#59) (5ea8b12)

Remove add-to-triage (#56) (45d4c17)

standardize npm script names (#55) (0461695)

update typedef in build keys template (#58) (eb6c66d)

3.4.2

3.4.2 (2023-07-27)

Documentation

fix spelling mistakes (#50) (4ce1c17)

remove release script reference from README (#52) (4640146)

Chores

Add PRs to triage (#54) (a7b64b4)

generate provenance statements when release (#53) (7b09698)

3.4.1

3.4.1 (2023-05-05)

Bug Fixes

correct types for node16 resolution (#47) (7bd1fc1)

Chores

run tests on Node.js v20 (#45) (c982093)

set up release-please (#48) (a7fb4c7)

3.4.0

Features

6ece4bd feat: add JSXSpreadChild and tool to build keys out of AST definitions (#36) (Brett Zamir)

Bug Fixes

e9a070f fix: remove useless sourcemap url (fixes #43) (#44) (余腾靖)

Documentation

4beb7a7 docs: update badges (#37) (Milos Djermanovic)

Build Related

81c0732 build: add node v18 (#39) (唯然)

Chores

0398109 chore: add triage action (#42) (Milos Djermanovic)

bcffbe5 ci: add Node v19 (#41) (Milos Djermanovic)

c24f2e4 chore: update github actions and add funding field (#40) (Deepshika S)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ fast-glob (indirect, 3.2.11 → 3.3.1) · Repo

Release Notes

3.3.1

Full Changelog: 3.3.0...3.3.1

This release fixes a regression for cases where the ignore option is used with a string (#403, #404).

The public interface of this package does not support a string as the value for the ignore option since 2018 year (release).

So, in the next major release, we will reintroduce method implementations that do not involve strings in the ignore option.

3.3.0

Full Changelog: 3.2.12...3.3.0

🚀 Improvements

Method aliases

New methods (glob, globSync, globStream) have been added in addition to the current methods (default import, sync, stream), which eliminate the need to rename the method when importing. In addition, an async alias has been added for the default import, which makes it possible to use this packet with ESM.

Method to convert paths to globs

A new method (convertPathToPattern) has been added in this release to convert a path to a pattern. The primary goal is to enable users to avoid processing Windows paths in each location where this package is used by utilities from third-party packages.

See more details in the pull request.

🐛 Bug fixes

In the past, we mishandled patterns that contained slashes when the baseNameMatch option was enabled, which went against the documented behavior. (#312)

Several problems with matching patterns that contain brace expansion have been resolved. The primary issue solved is when the pattern has duplicate slashes after it is expanded (#394), or the micromatch package does not correctly generate a regular expression (#365).

All negative patterns will now have the dot option enabled when matching paths. Previously, the !**/* patterns did not exclude hidden files (start with a dot). (#343)

The issue that led to duplicates in the results when overlapping or duplicate patterns were present among the patterns has been fixed. At the moment, we are only talking about leading dot. Other cases are not included. For example, running with the patterns ['./file.md', 'file.md', '*'] will now only include file.md once in the results. (#190)

📖 Documentation

A clarifying note has been added for the concurrency option, which provides more detailed information about the Thread Pool utilization.

⚙️ Infrastructure

The benchmark in CI is now running on Node.js 20.

The benchmark now uses the public package bencho instead of an in-house implementation. You may want to try this solution for your packages and provide feedback.

🥇 New Contributors

@josh-hemphill made their first contribution in #383

@mairaw made their first contribution in #401

🐛 Bug fixes

Fixed an issue introduced in 3.2.7 related to incorrect application of patterns to entries with a trailing slash when the entry is not a directory.

Before changes:

fg.sync('**/!(*.md)')
// ['file.md', 'a/file.md', 'a/file.txt']

After fix:

fg.sync('**/!(*.md)')
// ['a/file.txt']

Thanks @AgentEnder for the issue (#357).

🚀 Improvements

This release includes performance improvements for the asynchronous method. For this method we now use an asynchronous directory traversal interface instead of using a streaming interface. This gives up to 15% acceleration for medium and large directories. The result depends a lot on hardware.

You can find the benchmark results for this release in CI here.

Here are a few of measurements on my laptop:

===> Benchmark pattern "*" with 100 launches (regression, async)
===> Max stdev: 7 | Retries: 3 | Options: {}

Name                   Time, ms  Time stdev, %  Memory, MB  Memory stdev, %  Entries  Errors  Retries
---------------------  --------  -------------  ----------  ---------------  -------  ------  -------
fast-glob-current.js   4.390     0.252          6.253       0.015            4        0       1
fast-glob-previous.js  5.653     0.633          6.051       0.056            4        0       1

===> Benchmark pattern "**" with 100 launches (regression, async)
===> Max stdev: 7 | Retries: 3 | Options: {}

Name                   Time, ms  Time stdev, %  Memory, MB  Memory stdev, %  Entries  Errors  Retries
---------------------  --------  -------------  ----------  ---------------  -------  ------  -------
fast-glob-current.js   34.587    1.287          10.654      0.607            11835    0       1
fast-glob-previous.js  41.972    2.086          10.236      1.224            11835    0       1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 56 commits:

↗️ fill-range (indirect, 7.0.1 → 7.1.1) · Repo

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ function-bind (indirect, 1.1.1 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ function.prototype.name (indirect, 1.1.5 → 1.1.8) · Repo · Changelog

Release Notes

1.1.8 (from changelog)

Commits

[actions] split out node 10-20, and 20+ b5ea555

[Refactor] use call-bound directly f6a6c64

1.1.7 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 47155b0

[Refactor] use hasown and is-callable directly, instead of es-abstract d5118d6

[Deps] update call-bind, define-properties, es-abstract cfa8b2e

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, npmignore, tape 2077d9a

[Tests] replace aud with npm audit 219e0a4

[Dev Deps] add missing peer dep 0b16b2b

1.1.6 (from changelog)

Commits

[actions] reuse common workflows 5f6bfba

[meta] use npmignore to autogenerate an npmignore file 28ea2f9

[Fix] properly recognize document.all in IE 6-8 316d676

[Fix] only return an own name d647609

[Tests] add browserstack browser tests 67ae402

[meta] better eccheck command 728df4c

[meta] add auto-changelog dbb700b

[readme] fix eclint c98fdf1

[readme] add tested browsers d41325c

[actions] update rebase action to use reusable workflow 085f340

[Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, safe-publish-latest, tape 3f071ce

[actions] update codecov uploader a187b4f

[Deps] update define-properties, es-abstract 3ca42ef

[Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 8de25d2

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 8b04da7

[Dev Deps] update @ljharb/eslint-config, aud, tape 39d8538

[meta] reorder scripts 054f96b

[Dev Deps] update eslint, @ljharb/eslint-config, tape bebee89

[Dev Deps] update aud, tape 8e68159

[Tests] handle Function.prototype in Opera 12.1 f3b8f9a

[Deps] update es-abstract, functions-have-names 6a59889

[Deps] update define-properties, es-abstract cd1c5e7

[Deps] update es-abstract 3584585

[Deps] update es-abstract 0e2f6d9

[Deps] update es-abstract b11748e

[Dev Deps] update tape d787a81

[Deps] update es-abstract 4692639

[Dev Deps] add in-publish 568e263

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

↗️ get-intrinsic (indirect, 1.1.2 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0 (from changelog)

Commits

[Dev Deps] update es-abstract, es-value-fixtures, for-each, object-inspect 9b61553

[Deps] update call-bind-apply-helpers, es-object-atoms, get-proto a341fee

[New] add Float16Array de22116

1.2.7 (from changelog)

Commits

[Refactor] use get-proto directly 00ab955

[Deps] update math-intrinsics c716cdd

[Dev Deps] update call-bound, es-abstract dc648a6

1.2.6 (from changelog)

Commits

[Refactor] use math-intrinsics 841be86

[Refactor] use es-object-atoms 42057df

[Deps] update call-bind-apply-helpers 45afa24

[Dev Deps] update call-bound 9cba9c6

1.2.5 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 6e2b9dd

[Refactor] use dunder-proto and call-bind-apply-helpers instead of has-proto c095d17

[Refactor] use gopd 9841d5b

[Dev Deps] update @ljharb/eslint-config, auto-changelog, es-abstract, es-value-fixtures, gopd, mock-property, object-inspect, tape 2d07e01

[Deps] update gopd, has-proto, has-symbols, hasown 974d8bf

[Dev Deps] update call-bind, es-abstract, tape df9dde1

[Refactor] cache es-define-property as well 43ef543

[Deps] update has-proto, has-symbols, hasown ad4949d

[Tests] use call-bound directly ad5c406

[Deps] update has-proto, hasown 45414ca

[Tests] replace aud with npm audit 18d3509

[Deps] update es-define-property aadaa3b

[Dev Deps] add missing peer dep c296a16

1.2.4 (from changelog)

Commits

[Refactor] use all 7 <+ ES6 Errors from es-errors bcac811

1.2.3 (from changelog)

Commits

[Refactor] use es-errors, so things that only need those do not need get-intrinsic f11db9c

[Dev Deps] update aud, es-abstract, mock-property, npmignore b7ac7d1

[meta] simplify exports faa0cc6

[meta] add missing engines.node 774dd0b

[Dev Deps] update tape 5828e8e

[Robustness] use null objects for lookups eb9a11f

[meta] add sideEffects flag 89bcc7a

1.2.2 (from changelog)

Commits

[Dev Deps] update @ljharb/eslint-config, aud, call-bind, es-abstract, mock-property, object-inspect, tape f51bcf2

[Refactor] use hasown instead of has 18d14b7

[Deps] update function-bind 6e109c8

1.2.1 (from changelog)

Commits

[Fix] avoid a crash in envs without __proto__ 7bad8d0

[Dev Deps] update es-abstract c60e6b7

1.2.0 (from changelog)

Commits

[actions] update checkout action ca6b12f

[Dev Deps] update @ljharb/eslint-config, es-abstract, object-inspect, tape 41a3727

[Fix] ensure Error.prototype is undeniable c511e97

[Dev Deps] update aud, es-abstract, tape 1bef8a8

[Dev Deps] update aud, es-abstract 0d41f16

[New] add BigInt64Array and BigUint64Array a6cca25

[Tests] use gopd ecf7722

1.1.3 (from changelog)

Commits

[Dev Deps] update es-abstract, es-value-fixtures, tape 07ff291

[Fix] properly check for % signs 50ac176

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 55 commits:

↗️ has-bigints (indirect, 1.0.2 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file a411cea

[actions] split out node 10-20, and 20+ 4515878

[New] add types c888241

[actions] update rebase action to use reusable workflow 6f44338

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape ffa1e4d

[Dev Deps] update aud, tape 0f5d096

[meta] add missing engines.node 3f73c71

[Tests] replace aud with npm audit b007efd

[Dev Deps] add missing peer dep 459c612

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ has-property-descriptors (indirect, 1.0.0 → 1.0.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ has-symbols (indirect, 1.0.3 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[actions] update workflows 548c0bf

[actions] further shard; update action deps bec56bb

[meta] use npmignore to autogenerate an npmignore file ac81032

[New] add types 6469cbf

[actions] update rebase action to use reusable workflow 9c9d4d0

[Dev Deps] update eslint, @ljharb/eslint-config, aud, tape adb5887

[Dev Deps] update @ljharb/eslint-config, aud, tape 13ec198

[Dev Deps] update auto-changelog, core-js, tape 941be52

[Tests] replace aud with npm audit 74f49e9

[Dev Deps] update npmignore 9c0ac04

[Dev Deps] add missing peer dep 52337a5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ is-bigint (indirect, 1.0.4 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 0e63a44

[meta] use npmignore to autogenerate an npmignore file 47584ee

[Tests] use for-each and es-value-fixtures f226864

[New] add types 78e2c47

[actions] split out node 10-20, and 20+ 4395a8d

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, has-symbols, object-inspect, tape c188501

[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 5360d32

[actions] update rebase action to use reusable workflow d5c1775

[actions] update codecov uploader c7478c7

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, tape 6fbce66

[meta] add missing engines.node 6f9ed42

[Tests] replace aud with npm audit 21846c3

[Dev Deps] remove unused has-symbols, add missing has-tostringtag b378d94

[Deps] update has-bigints f46c35b

[Dev Deps] add missing peer dep 2b9be16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ is-boolean-object (indirect, 1.1.2 → 1.2.2) · Repo · Changelog

Release Notes

1.2.2 (from changelog)

Fixed

[Fix] do not be tricked by fake Booleans #25

Commits

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape, core-js a27608b

[Deps] update call-bound b19953f

1.2.1 (from changelog)

Commits

[Refactor] use call-bound directly bb5aa26

1.2.0 (from changelog)

Commits

[actions] reuse common workflows 380fa25

[meta] use npmignore to autogenerate an npmignore file befa203

[actions] split out node 10-20, and 20+ ca31663

[New] add types 6d58609

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 06cc67e

[actions] update codecov uploader 0722346

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 100acdf

[actions] update rebase action to use reusable workflow 26333ff

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape fde97ee

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f5ed3c8

[Deps] update call-bind, has-tostringtag 61912e2

[Tests] replace aud with npm audit c6a0db5

[meta] better eccheck command 3a59ec6

[Dev Deps] add missing peer dep c0e10db

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ is-callable (indirect, 1.2.4 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7 (from changelog)

Commits

[Fix] recognize document.all in IE 6-10 06c1db2

[Tests] improve logic for FF 20-35 0f7d9b9

[Fix] handle document.all in FF 27 (and +, probably) 696c661

[Tests] fix proxy tests in FF 42-63 985df0d

[readme] update tested browsers 389e919

[Fix] detect document.all in Opera 12.16 b9f1022

[Fix] HTML elements: properly report as callable in Opera 12.16 17391fe

[Tests] fix inverted logic in FF3 test 056ebd4

1.2.6 (from changelog)

Commits

[Fix] work for document.all in Firefox 3 and IE 6-8 015132a

[Test] skip function toString check for nullish values 8698116

[readme] add "supported engines" section 0442207

[Tests] skip one of the fixture objects in FF 3.6 a501141

[Tests] allow class constructor tests to fail in FF v45 - v54, which has undetectable classes b12e4a4

[Fix] Safari 4: regexes should not be considered callable 4b732ff

[Fix] properly recognize document.all in Safari 4 3193735

1.2.5 (from changelog)

Commits

[actions] reuse common workflows 5bb4b32

[meta] better eccheck command b9bd597

[meta] use npmignore to autogenerate an npmignore file 3192d38

[Fix] for HTML constructors, always use tryFunctionObject even in pre-toStringTag browsers 3076ea2

[Dev Deps] update eslint, @ljharb/eslint-config, available-typed-arrays, object-inspect, safe-publish-latest, tape 8986746

[meta] add auto-changelog 7dda9d0

[Fix] properly report document.all da90b2b

[actions] update codecov uploader c8f847c

[Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, tape 899ae00

[Dev Deps] update eslint, @ljharb/eslint-config, es-value-fixtures, object-inspect, tape 344e913

[meta] remove greenkeeper config 737dce5

[meta] npmignore coverage output 680a883

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

↗️ is-core-module (indirect, 2.10.0 → 2.16.1) · Repo · Changelog

Release Notes

2.16.1 (from changelog)

Fixed

[Fix] node:sqlite is available in node ^22.13 #17

2.16.0 (from changelog)

Commits

[New] add node:sqlite 1ee94d2

[Dev Deps] update auto-changelog, tape aa84aa3

2.15.1 (from changelog)

Commits

[Tests] add process.getBuiltinModule tests 28c7791

[Fix] test/mock_loader is no longer exposed as of v22.7 68b08b0

[Tests] replace aud with npm audit 32f8060

[Dev Deps] update mock-property f7d3c8f

[Dev Deps] add missing peer dep eaee885

2.15.0 (from changelog)

Commits

[New] add node:sea 2819fb3

2.14.0 (from changelog)

Commits

[Dev Deps] update @ljharb/eslint-config, aud, mock-property, npmignore, tape 0e43200

[meta] add missing engines.node 4ea3af8

[New] add test/mock_loader e9fbd29

[Deps] update hasown 57f1940

2.13.1 (from changelog)

Commits

[Refactor] use hasown instead of has 0e52096

[Dev Deps] update mock-property, tape 8736b35

2.13.0 (from changelog)

Commits

[Dev Deps] update @ljharb/eslint-config, aud, semver, tape c75b263

[New] node:test/reporters and wasi/node:wasi are in v18.17 d76cbf8

2.12.1 (from changelog)

Commits

[Fix] test/reporters now requires the node: prefix as of v20.2 12183d0

2.12.0 (from changelog)

Commits

[actions] update rebase action to use reusable workflow c0a7251

[Dev Deps] update @ljharb/eslint-config, aud, tape 9ae8b7f

[New] test/reporters added in v19.9, wasi added in v20 9d5341a

[Dev Deps] add missing in-publish dep 5980245

2.11.0 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file 3360011

[Dev Deps] update aud, tape 651c6b0

[New] inspector/promises and node:inspector/promises is now available in node 19 22d332f

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 35 commits:

↗️ is-date-object (indirect, 1.0.5 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 35c5af0

[meta] use npmignore to autogenerate an npmignore file db6113c

[New] add types 4f1d9b3

[actions] split out node 10-20, and 20+ c9a1e4f

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 35a2864

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape b670bca

[actions] update rebase action to use reusable workflow d6bb341

[actions] update codecov uploader f850678

[Robustness] use call-bound 18ed326

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f0e792f

[meta] add exports field 342351f

[Tests] replace aud with npm audit 9b9b9cf

[Deps] update has-tostringtag 1bc37ab

[meta] add sideEffects flag 86d3a16

[Dev Deps] add missing peer dep fee274d

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ is-negative-zero (indirect, 2.0.2 → 2.0.3) · Repo · Changelog

Release Notes

2.0.3 (from changelog)

Commits

add types e28f0d5

[meta] use npmignore to autogenerate an npmignore file f68ec13

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 70abff7

[actions] update rebase action to use reusable workflow 6e1356e

[Dev Deps] update @ljharb/eslint-config, aud, npmignore, tape c00d4ab

[meta] add sideEffects flag 9c45539

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ is-number-object (indirect, 1.0.7 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape 00d566d

[Refactor] use call-bound directly 073d5df

[Deps] update call-bind 36c84af

1.1.0 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file cb8423c

[New] add types 273e406

[actions] split out node 10-20, and 20+ 3da6267

[Robustness] use call-bind 834c098

[actions] update rebase action to use reusable workflow 84a8a9f

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7275bca

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 49a83aa

[Tests] replace aud with npm audit 061492b

[Refactor] avoid an expensive check, for null 08d29a8

[Deps] update has-tostringtag 4e2ad65

[Dev Deps] add missing peer dep 8228bfa

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ is-regex (indirect, 1.1.4 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Commits

[Refactor] use call-bound directly dbabfe3

[Deps] update call-bind, gopd d5343a0

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig cc081eb

1.2.0 (from changelog)

Fixed

[Tests] allow tests to pass if zero traps are triggered #35

Commits

[actions] reuse common workflows be7bf6a

[New] add types 39066a4

[meta] use npmignore to autogenerate an npmignore file 8938588

[Refactor] reorganize code 2f76f26

[actions] split out node 10-20, and 20+ 8c9aedf

[meta] better eccheck command 6b39408

[Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape e38cf3c

[actions] update codecov uploader 487c75d

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, foreach, tape 0d7da87

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape c1c1198

[actions] update rebase action to use reusable workflow 213646e

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 0a44e77

[Refactor] use hasown d939332

[Deps] update call-bind, has-tostringtag 46bfdc9

[Tests] use for-each instead of foreach 138b3f2

[Tests] replace aud with npm audit 37ed80a

[Deps] update gopd 6fd4097

[Dev Deps] update core-js 97c1c60

[Dev Deps] add missing peer dep 7329b8e

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ is-string (indirect, 1.0.7 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape c1f7ef7

[Refactor] use call-bound directly ba8a78f

[Deps] update call-bind 93c352f

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 12aa75b

[meta] use npmignore to autogenerate an npmignore file 6401572

[actions] split out node 10-20, and 20+ 223540c

[New] add types 7e83d67

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape febd26e

[readme] add github actions/codecov badges; update URLs f6bf065

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, tape 8afc37a

[Robustness] use call-bind ac86dd7

[actions] update rebase action to use reusable workflow 77058c8

[actions] update codecov uploader 4312be5

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 98c3779

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7d8e0e5

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 3284ad1

[Tests] replace aud with npm audit 8cb7ea7

[Refactor] skip expensive check, for null 20fde50

[Deps] update has-tostringtag b67a78d

[meta] fix repo URL 1a2ee6b

[meta] better eccheck command 6913c75

[Dev Deps] add missing peer dep 8ac8551

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ is-symbol (indirect, 1.0.4 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[actions] re-add finishers 9b9d06f

[Deps] update call-bind, has-symbols, safe-regex-test 07f3647

[Refactor] use call-bound directly 799402d

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig 4b8b2f9

[types] remove unneeded DT packages 398abaa

1.1.0 (from changelog)

Commits

[actions] reuse common workflows acf85f0

[meta] use npmignore to autogenerate an npmignore file 77c818e

[Tests] use for-each and es-value-fixtures 93dfed0

[New] add types ed6a057

[actions] split out node 10-20, and 20+ 7f81ccc

[Robustness] use call-bind and safe-regex-test dc7e142

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, tape 70f87c2

[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 3f02ff4

[Dev Deps] update @ljharb/eslint-config, auto-changelog, has-tostringtag, npmignore, object-inspect, tape 9588872

[actions] update rebase action to use reusable workflow 59e2f68

[actions] update codecov uploader e4759f8

[Dev Deps] update eslint, auto-changelog, object-inspect, tape 33990c0

[Tests] use has-tostringtag for more robust Symbol.toStringTag detection d6154e1

[Tests] replace aud with npm audit 3215a60

[Refactor] avoid an expensive check, for primitives 59f1a42

[Deps] update has-symbols 06be1a9

[Dev Deps] add missing peer dep 799b0da

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ json5 (indirect, 1.0.1 → 1.0.2) · Repo · Changelog

Security Advisories 🚨

🚨 Prototype Pollution in JSON5 via Parse Method

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Impact

This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Mitigation

This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.

Details

Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using JSON5.parse, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:
const JSON5 = require('json5');

const doSomethingDangerous = (props) => {
  if (props.isAdmin) {
    console.log('Doing dangerous thing as admin.');
  } else {
    console.log('Doing dangerous thing as user.');
  }
};

const secCheckKeysSet = (obj, searchKeys) => {
  let searchKeyFound = false;
  Object.keys(obj).forEach((key) => {
    if (searchKeys.indexOf(key) > -1) {
      searchKeyFound = true;
    }
  });
  return searchKeyFound;
};

const props = JSON5.parse('{"foo": "bar"}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as user."
} else {
  throw new Error('Forbidden...');
}
If the user attempts to set the isAdmin key, their request will be rejected:
const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props);
} else {
  throw new Error('Forbidden...'); // Error: Forbidden...
}
However, users can instead set the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:
const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as admin."
} else {
  throw new Error('Forbidden...');
}

Release Notes

1.0.2

Fix: Properties with the name __proto__ are added to objects and arrays. ([#199]) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! ([#295]). This has been backported to v1. ([#298])

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ micromatch (indirect, 4.0.5 → 4.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to #266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ minimist (indirect, 1.2.6 → 1.2.8) · Repo · Changelog

Release Notes

1.2.8 (from changelog)

Merged

[Fix] Fix long option followed by single dash #17

[Tests] Remove duplicate test #12

[Fix] opt.string works with multiple aliases #10

Fixed

[Fix] Fix long option followed by single dash (#17) #15

[Tests] Remove duplicate test (#12) #8

[Fix] Fix long option followed by single dash #15

[Fix] opt.string works with multiple aliases (#10) #9

[Fix] Fix handling of short option with non-trivial equals #5

[Tests] Remove duplicate test #8

[Fix] opt.string works with multiple aliases #9

Commits

Merge tag 'v0.2.3' a026794

[eslint] fix indentation and whitespace 5368ca4

[eslint] fix indentation and whitespace e5f5067

[eslint] more cleanup 62fde7d

[eslint] more cleanup 36ac5d0

[meta] add auto-changelog 73923d2

[actions] add reusable workflows d80727d

[eslint] add eslint; rules to enable later are warnings 48bc06a

[eslint] fix indentation 34b0f1c

[readme] rename and add badges 5df0fe4

[Dev Deps] switch from covert to nyc a48b128

[Dev Deps] update covert, tape; remove unnecessary tap f0fb958

[meta] create FUNDING.yml; add funding in package.json 3639e0c

[meta] use npmignore to autogenerate an npmignore file be2e038

Only apps should have lockfiles 282b570

isConstructorOrProto adapted from PR ef9153f

[Dev Deps] update @ljharb/eslint-config, aud 098873c

[Dev Deps] update @ljharb/eslint-config, aud 3124ed3

[meta] add safe-publish-latest 4b927de

[Tests] add aud in posttest b32d9bd

[meta] update repo URLs f9fdfc0

[actions] Avoid 0.6 tests due to build failures ba92fe6

[Dev Deps] update tape 950eaa7

[Dev Deps] add missing npmignore dev dep 3226afa

Merge tag 'v0.2.2' 980d7ac

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 45 commits:

↗️ ms (indirect, 2.1.2 → 2.1.3) · Repo

Release Notes

2.1.3

Patches

Rename zeit to vercel: #151

Bump eslint from 4.12.1 to 4.18.2: #122

Add prettier as a dev dependency: #135 #153

Use GitHub Actions CI: #154

Credits

Huge thanks to @getsnoopy for helping!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ nanoid (indirect, 3.3.4 → 3.3.11) · Repo · Changelog

Security Advisories 🚨

🚨 Predictable results in nanoid generation when given non-integer values

When nanoid is called with a fractional value, there were a number of undesirable effects:

in browser and non-secure, the code infinite loops on while (size--)

in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled

if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Version 3.3.8 and 5.0.9 are fixed.

Release Notes

3.3.11

Fixed React Native support.

3.3.8 (from changelog)

Fixed a way to break Nano ID by passing non-integer size (by @myndzi).

3.3.6 (from changelog)

Fixed package.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ object-inspect (indirect, 1.12.2 → 1.13.4) · Repo · Changelog

Release Notes

1.13.4 (from changelog)

Commits

[Fix] avoid being fooled by a Symbol.toStringTag fa5870d

[Tests] fix tests in node v6.0 - v6.4 2abfe1b

[Dev Deps] update es-value-fixtures, for-each, has-symbols 3edfb01

1.13.3 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 44395a8

[Fix] quoteStyle: properly escape only the containing quotes 5137f8f

[Refactor] clean up quoteStyle code 450680c

[Tests] add quoteStyle escaping tests e997c59

[Dev Deps] update auto-changelog, es-value-fixtures, tape d5a469c

[Tests] replace aud with npm audit fb7815f

[Dev Deps] update mock-property 11c817b

1.13.2 (from changelog)

Commits

[readme] update badges 8a51e6b

[Dev Deps] update @ljharb/eslint-config, tape ef05f58

[Dev Deps] update error-cause, has-tostringtag, tape c0c6c26

[Fix] Don't throw when global is not defined d4d0965

[meta] add missing engines.node 17a352a

[Dev Deps] update globalthis 9c08884

[Dev Deps] update error-cause 6af352d

[Dev Deps] update npmignore 94e617d

[Dev Deps] update mock-property 2ac24d7

[Dev Deps] update tape 46125e5

1.13.1 (from changelog)

Commits

[Fix] in IE 8, global can !== window despite them being prototypes of each other 30d0859

1.13.0 (from changelog)

Commits

[New] add special handling for the global object 431bab2

[Dev Deps] update @ljharb/eslint-config, aud, tape fd4f619

[Dev Deps] update mock-property, tape b453f6c

[Dev Deps] update error-cause e8ffc57

[Dev Deps] update tape 054b8b9

[Dev Deps] temporarily remove aud due to breaking change in transitive deps 2476845

[Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak 383fa5e

[Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 68c244c

1.12.3 (from changelog)

Commits

[Fix] in eg FF 24, collections lack forEach 75fc226

[actions] update rebase action to use reusable workflow 250a277

[Dev Deps] update aud, es-value-fixtures, tape 66a19b3

[Dev Deps] update @ljharb/eslint-config, aud, error-cause c43d332

[Tests] add @pkgjs/support to postlint e2618d2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

↗️ object.assign (indirect, 4.1.2 → 4.1.7) · Repo · Changelog

Release Notes

4.1.7 (from changelog)

[Deps] add missing es-object-atoms (#86)

4.1.6 (from changelog)

[Refactor] use call-bound directly; use es-object-atoms

[Deps] update call-bind, has-symbols

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, hasown, mock-property, ses, tape

[actions] split out node 10-20, and 20+

[actions] remove redundant finisher

[Tests] replace aud with npm audit

4.1.5 (from changelog)

[meta] republish without testing HTML file (#85)

[Deps] update call-bind, define-properties

[Dev Deps] use hasown instead of has

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, npmignore, mock-property, tape

[actions] update rebase action

4.1.4 (from changelog)

[meta] fix npmignore integration (#83)

4.1.3 (from changelog)

[Refactor] make steps closer to actual spec

[Refactor] simplify object coercible check

[readme] remove defunct badges, add coverage and actions badges

[eslint] ignore coverage output

[meta] use npmignore to autogenerate an npmignore file

[meta] remove audit-level

[Deps] update call-bind, define-properties, has-symbols

[Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, aud, functions-have-names, safe-publish-latest, ses, tape

[actions] use node/install instead of node/run; use codecov action

[actions] reuse common workflows

[actions] update codecov uploader

[Tests] add implementation tests

[Tests] use mock-property

[Tests] disable posttest pending aud handling file: deps

[Tests] migrate remaining tests to Github Actions (#81)

[Tests] gitignore coverage output

[Tests] test node v1-v9 on Github Actions instead of travis; resume testing all minors (#80)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 63 commits:

↗️ object.entries (indirect, 1.1.5 → 1.1.9) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

Commits

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape f2edb13

[Deps] update define-properties, es-abstract 7b9daec

1.1.6 (from changelog)

Commits

[actions] reuse common workflows e6dc177

[meta] use npmignore to autogenerate an npmignore file 76b4136

[Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, safe-publish-latest, tape 2ab7fcd

[Dev Deps] update eslint, @ljharb/eslint-config, array.prototype.map, aud, auto-changelog, functions-have-names, tape 61a205e

[actions] update rebase action to use reusable workflow 3b886b0

[actions] update codecov uploader 6db30f8

[Deps] update define-properties, es-abstract fa0a9c9

Does any of this look wrong? Please let us know.

↗️ object.fromentries (indirect, 2.0.5 → 2.0.8) · Repo · Changelog

Release Notes

2.0.7 (from changelog)

Commits

[Deps] update define-properties, es-abstract dbf1467

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 495556f

2.0.6 (from changelog)

Commits

[actions] reuse common workflows 867603d

[meta] add auto-changelog 3621c90

[Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, safe-publish-latest, tape d6c3de7

[Deps] update define-properties, es-abstract a0eca66

[actions] update rebase action to use reusable workflow 91df159

[actions] update codecov uploader e7f2c96

[Dev Deps] update eslint, @ljharb/eslint-config, aud, tape ec22968

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ object.values (indirect, 1.1.5 → 1.2.1) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

Commits

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 7a52cb5

[Deps] update define-properties, es-abstract 4adc158

1.1.6 (from changelog)

Commits

[actions] reuse common workflows 4072b71

[meta] use npmignore to autogenerate an npmignore file 6881278

[Dev Deps] update eslint, @ljharb/eslint-config, @es-shims/api, array.prototype.map, safe-publish-latest, tape 28c21e6

[Dev Deps] update eslint, @ljharb/eslint-config, array.prototype.map, aud, auto-changelog, functions-have-names, tape 0e78caa

[actions] update rebase action to use reusable workflow 6f37c60

[actions] update codecov uploader d7c5f30

[Deps] update define-properties, es-abstract 911ca0e

Does any of this look wrong? Please let us know.

↗️ postcss (indirect, 8.4.14 → 8.4.31) · Repo · Changelog

Security Advisories 🚨

🚨 PostCSS line return parsing error

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.

This vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ semver (indirect, 7.3.7 → 7.7.2) · Repo · Changelog

Security Advisories 🚨

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ side-channel (indirect, 1.0.4 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[Refactor] extract implementations to side-channel-weakmap, side-channel-map, side-channel-list ada5955

[New] add channel.delete c01d2d3

[types] improve types 0c54356

[readme] add content be24868

[actions] split out node 10-20, and 20+ c4488e2

[types] use shared tsconfig 0e0d57c

[Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, @types/get-intrinsic, @types/object-inspect, @types/tape, auto-changelog, tape fb4f622

[Deps] update call-bind, get-intrinsic, object-inspect b78336b

[Tests] replace aud with npm audit ee3ab46

[Dev Deps] add missing peer dep c03e21a

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ source-map-js (indirect, 1.0.2 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1

Fix TS2306 “not a module” errors in type definitions (#16) @andersk

Ensure null source is respected (#26) @dragomirtitian

Improve ts declarations to be null-safe (#27) @dragomirtitian

1.2.0

Allow to pass options to SourceMapGenerator using SourceMapGenerator.fromSourceMap as second argument
var generator = sourceMap.SourceMapGenerator.fromSourceMap(new SourceMapConsumer(), {
  ignoreInvalidMapping: true,
});
Add generator options to fromSourceMap (#22) @ai

1.1.0

Add ignoreInvalidMapping option to SourceMapGenerator. If enabled, source-map-js will not throw an error on the incorrect previous source map. Instead, it will print warnings and ignore broken mappings.
var generator = new sourceMap.SourceMapGenerator({
  file: "my-generated-javascript-file.js",
  sourceRoot: "http://example.com/app/js/",
  ignoreInvalidMapping: true,
});
Do not throw an error since broken prev map is popular issue #20 (#20) @ai

Add ignoreInvalidMapping option (#21) @7rulnik

1.0.3

Use sourceContents when non-null, even if it's an empty string (#17) @bshepherdson

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ string.prototype.matchall (indirect, 4.0.7 → 4.0.12) · Repo · Changelog

Release Notes

4.0.12 (from changelog)

Commits

[actions] split out node 10-20, and 20+ ec6bcb6

[Deps] update call-bind, es-abstract, get-intrinsic, gopd, has-symbols, internal-slot, regexp.prototype.flags, side-channel 993a80c

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, mock-property, object-inspect, object.assign, tape 50e0c52

[Refactor] use call-bound directly 72c0fe1

[Tests] replace aud with npm audit 3a4bccb

[readme] remove dead badges ae4bdb2

[Dev Deps] add missing peer dep 14ceede

4.0.10 (from changelog)

Commits

[Refactor] use set-function-name a851cbb

4.0.9 (from changelog)

Commits

[Deps] update define-properties, es-abstract, get-intrinsic, internal-slot, regexp.prototype.flags 819a5dd

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, es6-shim, object-inspect, object.entries, tape 6f479ee

4.0.8 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file a08a8a1

[Deps] update define-properties, es-abstract, get-intrinsic, regexp.prototype.flags 6273f0f

[Tests] use mock-property 94e83a3

[Dev Deps] update @ljharb/eslint-config, aud, es5-shim, functions-have-names, object-inspect, object.assign, object.entries, tape 8024497

[actions] update rebase action to use reusable workflow 028abc0

[Tests] use for-each instead of foreach f68b771

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

↗️ string.prototype.trimend (indirect, 1.0.5 → 1.0.9) · Repo · Changelog

Release Notes

1.0.9 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 7e5ffdc

[meta] sort package.json mildly 2f99c8b

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, tape 2774fe6

[Refactor] use call-bound directly 9e3bbec

[Tests] replace aud with npm audit cb9a462

[meta] add missing engines.node f46c829

[Deps] update call-bind e892c32

[Dev Deps] add missing peer dep e1a59da

1.0.7 (from changelog)

Commits

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 1a10293

[Deps] update define-properties, es-abstract 6ba2e19

1.0.6 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file 1d1e717

[actions] update rebase action to use reusable workflow 83f2683

[Dev Deps] update aud, tape a3a9129

[Deps] update es-abstract a6e476d

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ string.prototype.trimstart (indirect, 1.0.5 → 1.0.8) · Repo · Changelog

Release Notes

1.0.7 (from changelog)

Commits

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, tape 58e7aa6

[Deps] update define-properties, es-abstract 8d9a7bf

1.0.6 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file 0838ae4

[actions] update rebase action to use reusable workflow d6bb784

[Dev Deps] update aud, tape 8734d9a

[Deps] update es-abstract 30f593f

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ styled-jsx (indirect, 5.0.2 → 5.1.6) · Repo · Changelog

Release Notes

5.1.6

5.1.6 (2024-05-24)

Bug Fixes

Move TypeScript to devDependencies (#848) (d5bd4ed)

5.1.5

5.1.5 (2024-05-24)

Bug Fixes

Correct context for declaration files (#847) (3e372f2)

5.1.4

5.1.4 (2024-05-24)

Bug Fixes

Use scoped JSX namespace (#846) (0254816)

5.1.3

5.1.3 (2024-05-07)

Bug Fixes

bump peer dep for react 19 (#844) (18ddefd)

5.1.2

5.1.2 (2023-01-25)

Bug Fixes

including global typing (#826) (5870e59)

5.1.1

5.1.1 (2022-12-15)

Bug Fixes

typo in macro typing (#822) (d0b2f75)

5.1.0

5.1.0 (2022-10-17)

Features

styled-jsx as client-only for rsc (#816) (ea0432b)

5.0.7

5.0.7 (2022-09-09)

Bug Fixes

add displayName for context (#813) (e824581)

5.0.6

5.0.6 (2022-09-05)

Bug Fixes

load babel macro dynamically (#812) (067fcd7)

5.0.5

5.0.5 (2022-09-02)

Improvements

use typeof window to detect browser (#810) (2a31e73)

Misc

Replace bundler #802

5.0.4

5.0.4 (2022-08-11)

Bug Fixes

tweak types (#806) (865ba14)

5.0.3

5.0.3 (2022-08-09)

Patches

declare module and fix conflict typing name #805

improvement: add typing for style imports #804

Documentation

docs: update typescript guide with babel plugin #801

chore: remove git.io #794

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ tsconfig-paths (indirect, 3.14.1 → 3.15.0) · Repo · Changelog

Release Notes

3.14.2 (from changelog)

Fixed

bump JSON5 from v1.0.1 to v1.0.2 in tsconfig-paths v3.14.1 to fix CVE-2022-46175 #234. See PR #234. Thanks to @mihaiplesa for this PR!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ unbox-primitive (indirect, 1.0.2 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file 348a5ad

[New] add types a324230

[Tests] use es-value-fixtures a321ae5

[actions] split out node 10-20, and 20+ 04a0e0d

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, object-is, tape 7fff971

[actions] update rebase action 91d6807

[Deps] update call-bind, has-symbols, which-boxed-primitive f8b6597

[Dev Deps] update aud, object-inspect, tape b3362a1

[Refactor] use call-bound directly e29ff5f

[meta] add missing engines.node d3420bc

[Tests] replace aud with npm audit 5e6a6d0

[Deps] update which-boxed-primitive 0ff873d

[Dev Deps] update aud dd0e373

[Dev Deps] add missing peer dep 4f79b24

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

↗️ which-boxed-primitive (indirect, 1.0.2 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[Deps] update is-boolean-object, is-number-object, is-string, is-symbol 5266e0c

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape a660339

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 893df44

[meta] use npmignore to autogenerate an npmignore file bab1ff8

[Tests] use es-value-fixtures and for-each ecacfa0

[New] add types ab38e78

[actions] split out node 10-20, and 20+ 7ee9c3c

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, safe-publish-latest, tape 142215a

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, has-symbols, object-inspect, tape 3559371

[actions] update rebase action to use reusable workflow 928901a

[Deps] update is-bigint, is-boolean-object, is-number-object, is-string, is-symbol f7b14be

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, tape 5296738

[Deps] update is-bigint, is-boolean-object, is-number-object, is-string, is-symbol caa6d1c

[meta] add missing engines.node ca40880

[Tests] replace aud with npm audit b0f4069

[Dev Deps] update aud 8d0e336

[Deps] update is-number-object eafcabf

[Dev Deps] add missing peer dep ec4dd52

🚨 [security] Update all of nextjs 12.2.4 → 15.5.2 (major)

What changed?

✳️ eslint-config-next (12.2.4 → 15.5.2)

✳️ next (12.2.4 → 15.5.2) · Repo

Summary

Credits

Summary

Summary

Credit

Summary

Credit

Summary

Credit

Summary

Credit

Summary

Credit

Summary

Credit

Impact

Patches

Workaround

Credits

Impact

Patches

Workaround

Credits

Impact

Patches

Workaround

Credits

Impact

Patches

Workaround

Credits

Impact

Patches

Workarounds

Credits

Impact

Patches

Workarounds

Credits

Impact

Patches

Workarounds

Credits

Impact

Patches

Workarounds

Credits

Impact

Patches

Workarounds

Credits

Impact

Patches

Workarounds

Credits

Impact

Patches

Workarounds

Credits

Impact

Patches

Workarounds

Credit

Impact

Patches

Workarounds

References

Impact

Prerequisites

Patches

Workarounds

Credit

↗️ @​next/env (indirect, 12.2.4 → 15.5.2) · Repo

↗️ @​next/eslint-plugin-next (indirect, 12.2.4 → 15.5.2)

↗️ @​rushstack/eslint-patch (indirect, 1.1.4 → 1.12.0)

↗️ @​swc/helpers (indirect, 0.4.3 → 0.5.15) · Repo

↗️ @next/env (indirect, 12.2.4 → 15.5.2) · Repo

↗️ @next/eslint-plugin-next (indirect, 12.2.4 → 15.5.2)

↗️ @rushstack/eslint-patch (indirect, 1.1.4 → 1.12.0)

↗️ @swc/helpers (indirect, 0.4.3 → 0.5.15) · Repo