🚨 Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Affected by Cache Key Confusion for Image Optimization API Routes

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.JS vulnerability can lead to DoS via cache poisoning

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

• Allam Rachid zhero;
• Allam Yasser (inzo)

🚨 Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js authorization bypass vulnerability

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

🚨 Denial of Service condition in Next.js image optimization

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

• The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
• The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

🚨 Next.js Server-Side Request Forgery in Server Actions

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

• Next.js (<14.1.1) is running in a self-hosted* manner.
• The Next.js application makes use of Server Actions.
• The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 6 commits:

• v16.1.6
• [backport][ci] Make gh auth status optional when triggering a release (#89100)
• Backport/docs fixes jan 25 16.1.x (#89124)
• tweak LRU sentinel cache key (#89123)
• backport: implement LRU cache with invocation ID scoping for minimal mode response cache (#89122)
• [backport] Upgrade to swc 54 (#88207) (#89103)

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)
  • #17080 Fix start of TSParameterProperty (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3
  • #16538 Reduce interopRequireWildcard size (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

• Aryan Bharti (@woaitsAryan)
• Babel Bot (@babel-bot)
• Frolov Roman (@Lacsw)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• @magic-akari
• _Kerman (@kermanx)
• fisker Cheung (@fisker)

7.26.2

v7.26.2 (2024-10-30)

🐛 Bug Fix

• babel-parser
  • #16903 fix: Parse placeholder for TS namespace (@liuxingbaoyu)
  • #16937 fix: Account for offsets when creating new Position instances (@DylanPiercey)
• babel-generator
  • #16948 Fix mapping of tokens with generated nodes in between (@nicolo-ribaudo)

Committers: 6

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• fisker Cheung (@fisker)

7.26.0

v7.26.0 (2024-10-25)

Thanks @timofei-iatsenko for your first PR!

You can find the release blog post with some highlights at https://babeljs.io/blog/2024/10/25/7.26.0.

🚀 New Feature

• babel-core, babel-generator, babel-parser, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-preset-env, babel-standalone, babel-types
  • #16850 Enable import attributes parsing by default (@nicolo-ribaudo)
• babel-core
  • #16862 feat: support async plugin's pre/post (@timofei-iatsenko)
• babel-compat-data, babel-plugin-proposal-regexp-modifiers, babel-plugin-transform-regexp-modifiers, babel-preset-env, babel-standalone
  • #16692 Add transform-regexp-modifiers to preset-env (@JLHwung)
• babel-parser
  • #16849 feat: add startIndex parser option (@DylanPiercey)
• babel-generator, babel-parser, babel-plugin-syntax-flow
  • #16841 Always enable parsing of Flow enums (@nicolo-ribaudo)
• babel-helpers, babel-preset-typescript, babel-runtime-corejs3
  • #16794 Support import() in rewriteImportExtensions (@liuxingbaoyu)
• babel-generator, babel-parser
  • #16708 Add experimental format-preserving mode to @babel/generator (@nicolo-ribaudo)

🐛 Bug Fix

• babel-core
  • #16928 Workaround Node.js bug for parallel loading of TLA modules (@nicolo-ribaudo)
  • #16926 Fix loading of modules with TLA in Node.js 23 (@nicolo-ribaudo)

💅 Polish

• babel-plugin-proposal-json-modules, babel-plugin-transform-json-modules, babel-standalone
  • #16924 Rename proposal-json-modules to transform-json-modules (@nicolo-ribaudo)

🏠 Internal

• babel-code-frame, babel-highlight
  • #16896 Inline @babel/highlight in @babel/code-frame (@nicolo-ribaudo)
• babel-generator, babel-parser, babel-types
  • #16732 Add kind to TSModuleDeclaration (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-helper-module-transforms, babel-plugin-transform-modules-commonjs
  • #16882 perf: Improve module transforms (@liuxingbaoyu)

Committers: 5

• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Timofei Iatsenko (@timofei-iatsenko)
• @liuxingbaoyu

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)
• Other
  • #16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16914 remove test options flaky (@JLHwung)
• Every package
  • #16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Viktar Vaŭčkievič (@victorenator)
• @liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @babel/types builders (@liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• coderaiser (@coderaiser)
• fisker Cheung (@fisker)
• hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@JLHwung)
  • #16484 Fix decorator bare yield await (@JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Lucas Coelho (@coelhucas)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• Zzzen (@Zzzen)
• @liuxingbaoyu

7.24.2

v7.24.2 (2024-03-19)

🐛 Bug Fix

• babel-code-frame, babel-highlight
  • #16362 Restore previous FORCE_COLOR=0 behavior (@nicolo-ribaudo)

Committers: 1

• Nicolò Ribaudo (@nicolo-ribaudo)

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16350 Fix decorated class computed keys ordering (@JLHwung)
  • #16344 Fix decorated class static field private access (@JLHwung)
• babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • #16329 Respect moduleName for @babel/runtime/regenerator imports (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • #16331 Fix decorator memoiser binding kind (@JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
  • #16325 Fix decorator evaluation private environment (@JLHwung)

📝 Documentation

• #16319 Update SECURITY.md (@nicolo-ribaudo)

🏠 Internal

• babel-code-frame, babel-highlight
  • #16359 Replace chalk with picocolors (@nicolo-ribaudo)
• babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow
  • #16352 Run Babel transform tests on old node if possible (@JLHwung)
• babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx
  • #16349 Support merging imports in import injector (@nicolo-ribaudo)
• Other
  • #16332 Test Babel 7 plugins compatibility with Babel 8 core (@nicolo-ribaudo)

🔬 Output optimization

• babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime
  • #16345 Optimize the use of assertThisInitialized after super() (@liuxingbaoyu)
• babel-plugin-transform-class-properties, babel-plugin-transform-classes
  • #16343 Use simpler assertThisInitialized more often (@liuxingbaoyu)
• babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse
  • #16342 Consider well-known and registered symbols as literals (@nicolo-ribaudo)
• babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env
  • #16326 Reduce the use of class names (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.23.5

v7.23.5 (2023-11-29)

👓 Spec Compliance

• babel-plugin-proposal-decorators
  • #16138 Class binding is in TDZ during decorators initialization (@nicolo-ribaudo)
• babel-helpers, babel-plugin-proposal-decorators
  • #16132 Allow addInitializer in field decorator context (@JLHwung)

🐛 Bug Fix

• babel-traverse, babel-types
  • #16131 Do not remove bindings when removing assignment expression path (@nicolo-ribaudo)
• babel-plugin-transform-classes
  • #16135 Require class properties transform when compiling class with private fields (@nicolo-ribaudo)
• babel-generator
  • #16122 fix: Missing parentheses after line break (@liuxingbaoyu)
• babel-helpers
  • #16130 Fix helpers internal fns names conflict resolution (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties, babel-plugin-transform-typescript
  • #16123 Simplify class fields injetion after super() (@nicolo-ribaudo)
• babel-generator, babel-plugin-transform-modules-commonjs, babel-plugin-transform-parameters, babel-plugin-transform-typescript, babel-traverse
  • #16110 fix: Unexpected duplication of comments (@liuxingbaoyu)
• babel-eslint-plugin
  • #16023 Add @babel/eslint-plugin/no-undef to fix no-undef with accessor props (@nicolo-ribaudo)

🔬 Output optimization

• babel-helpers
  • #16129 Optimize decorator helper size (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.23.4

v7.23.4 (2023-11-20)

🐛 Bug Fix

• babel-generator
  • #16104 fix: Pure comments missing parentheses (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

7.28.5

v7.28.5 (2025-10-23)

Thank you @CO0Ki3, @Olexandr88, and @youthfulhps for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring
  • #17519 fix: rest correctly returns plain array (@liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-plugin-transform-block-scoping, babel-plugin-transform-optional-chaining, babel-traverse, babel-types
  • #17503 Fix JSXIdentifier handling in isReferencedIdentifier (@JLHwung)
• babel-traverse
  • #17504 fix: ensure scope.push register in anonymous fn (@JLHwung)

🏠 Internal

• babel-types
  • #17494 Type checking babel-types scripts (@JLHwung)

🏃‍♀️ Performance

• babel-core
  • #17490 Faster finding of locations in buildCodeFrameError (@liuxingbaoyu)

Committers: 8

• Babel Bot (@babel-bot)
• Byeongho Yoo (@youthfulhps)
• Huáng Jùnliàng (@JLHwung)
• Hyeon Dokko (@CO0Ki3)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @Olexandr88
• @liuxingbaoyu
• fisker Cheung (@fisker)

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)
  • #17080 Fix start of TSParameterProperty (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3
  • #16538 Reduce interopRequireWildcard size (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

• Aryan Bharti (@woaitsAryan)
• Babel Bot (@babel-bot)
• Frolov Roman (@Lacsw)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• @magic-akari
• _Kerman (@kermanx)
• fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)
• Other
  • #16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16914 remove test options flaky (@JLHwung)
• Every package
  • #16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Viktar Vaŭčkievič (@victorenator)
• @liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @babel/types builders (@liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• coderaiser (@coderaiser)
• fisker Cheung (@fisker)
• hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@JLHwung)
  • #16484 Fix decorator bare yield await (@JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Lucas Coelho (@coelhucas)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• Zzzen (@Zzzen)
• @liuxingbaoyu

7.24.5

v7.24.5 (2024-04-29)

Thanks @romgrk and @sossost for your first PRs!

🐛 Bug Fix

• babel-plugin-transform-classes, babel-traverse
  • #16377 fix: TypeScript annotation affects output (@liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3
  • #16440 Fix suppressed error order (@sossost)
  • #16408 Await nullish async disposable (@JLHwung)

💅 Polish

• babel-parser
  • #16407 Recover from exported using declaration (@JLHwung)

🏠 Internal

• Other
  • #16414 Relax ESLint peerDependency constraint to allow v9 (@liuxingbaoyu)
• babel-parser
  • #16425 Improve @babel/parser AST types (@nicolo-ribaudo)
  • #16417 Always pass type argument to .startNode (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-helper-wrap-function, babel-helpers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-block-scoping, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx-self, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-traverse
  • #16439 Make NodePath<T | U> distributive (@nicolo-ribaudo)
• babel-plugin-proposal-partial-application, babel-types
  • #16421 Remove JSXNamespacedName from valid CallExpression args (@nicolo-ribaudo)
• babel-plugin-transform-class-properties, babel-preset-env
  • #16406 Do not load unnecessary Babel 7 syntax plugins in Babel 8 (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #16357 Performance: improve objectWithoutPropertiesLoose on V8 (@romgrk)

Committers: 6

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Rom Grk (@romgrk)
• @liuxingbaoyu
• ynnsuis (@sossost)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

0.3.5

What's Changed

• Add ignoreList support: 9add0c2

Full Changelog: v0.3.4...v0.3.5

0.3.4

Full Changelog: v0.3.3...v0.3.4

Does any of this look wrong? Please let us know.

0.3.24

What's Changed

• Add ignoreList (and x_google_ignoreList) support: 1027ce6

Full Changelog: v0.3.23...v0.3.24

0.3.23

Full Changelog: v0.3.22...v0.3.23

0.3.22

What's Changed

• Specify all exported types to unbreak TS v4.* by @jridgewell in #34

Full Changelog: v0.3.21...v0.3.22

0.3.21

What's Changed

• Use export type * by @jridgewell in #32

Full Changelog: v0.3.20...v0.3.21

0.3.20

What's Changed

• Fix handling of sectioned source maps missing 'names' array by @RandomByte in #29

New Contributors

• @RandomByte made their first contribution in #29

Full Changelog: v0.3.19...v0.3.20

Does any of this look wrong? Please let us know.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 6 commits:

• v16.1.6
• [backport][ci] Make gh auth status optional when triggering a release (#89100)
• Backport/docs fixes jan 25 16.1.x (#89124)
• tweak LRU sentinel cache key (#89123)
• backport: implement LRU cache with invocation ID scoping for minimal mode response cache (#89122)
• [backport] Upgrade to swc 54 (#88207) (#89103)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 18 commits:

• chore(release): publish 8.54.0
• feat(eslint-plugin-internal): add prefer-tsutils-methods rule (#11974)
• feat(typescript-estree): add shortcut methods to ParserServicesWithTypeInformation (#11965)
• test(eslint-plugin): skip rules tests in windows ci (#11988)
• fix(scope-manager): prevent misidentification of `"use strict"` directives (#11995)
• chore(deps): update dependency knip to v5.81.0 (#11986)
• chore(deps): update dependency @babel/code-frame to v7.28.6 (#11977)
• chore(deps): update dependency @eslint-community/eslint-plugin-eslint-comments to v4.6.0 (#11983)
• test(eslint-plugin): improve vitest performance with isolate: false (#11754)
• feat(scope-manager): support ScopeManager#addGlobals (#11914)
• fix(utils): handle missing `FlatESLint` and `LegacyESLint` (#11958)
• fix(eslint-plugin): [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#11967)
• fix(deps): update dependency prettier to v3.8.0 (#11991)
• fix(scope-manager): fix catch clause scopes `def.name` (#11982)
• fix(eslint-plugin): [no-unused-private-class-members] private destructured class member is defined but used (#11785)
• docs: document expectations around AI use (#11836)
• chore(repo): enable no-unused-vars import autofix internally (#11979)
• chore: update snapshots for no-unused-vars identifier (#11976)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 18 commits:

• chore(release): publish 8.54.0
• feat(eslint-plugin-internal): add prefer-tsutils-methods rule (#11974)
• feat(typescript-estree): add shortcut methods to ParserServicesWithTypeInformation (#11965)
• test(eslint-plugin): skip rules tests in windows ci (#11988)
• fix(scope-manager): prevent misidentification of `"use strict"` directives (#11995)
• chore(deps): update dependency knip to v5.81.0 (#11986)
• chore(deps): update dependency @babel/code-frame to v7.28.6 (#11977)
• chore(deps): update dependency @eslint-community/eslint-plugin-eslint-comments to v4.6.0 (#11983)
• test(eslint-plugin): improve vitest performance with isolate: false (#11754)
• feat(scope-manager): support ScopeManager#addGlobals (#11914)
• fix(utils): handle missing `FlatESLint` and `LegacyESLint` (#11958)
• fix(eslint-plugin): [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#11967)
• fix(deps): update dependency prettier to v3.8.0 (#11991)
• fix(scope-manager): fix catch clause scopes `def.name` (#11982)
• fix(eslint-plugin): [no-unused-private-class-members] private destructured class member is defined but used (#11785)
• docs: document expectations around AI use (#11836)
• chore(repo): enable no-unused-vars import autofix internally (#11979)
• chore: update snapshots for no-unused-vars identifier (#11976)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 18 commits:

• chore(release): publish 8.54.0
• feat(eslint-plugin-internal): add prefer-tsutils-methods rule (#11974)
• feat(typescript-estree): add shortcut methods to ParserServicesWithTypeInformation (#11965)
• test(eslint-plugin): skip rules tests in windows ci (#11988)
• fix(scope-manager): prevent misidentification of `"use strict"` directives (#11995)
• chore(deps): update dependency knip to v5.81.0 (#11986)
• chore(deps): update dependency @babel/code-frame to v7.28.6 (#11977)
• chore(deps): update dependency @eslint-community/eslint-plugin-eslint-comments to v4.6.0 (#11983)
• test(eslint-plugin): improve vitest performance with isolate: false (#11754)
• feat(scope-manager): support ScopeManager#addGlobals (#11914)
• fix(utils): handle missing `FlatESLint` and `LegacyESLint` (#11958)
• fix(eslint-plugin): [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#11967)
• fix(deps): update dependency prettier to v3.8.0 (#11991)
• fix(scope-manager): fix catch clause scopes `def.name` (#11982)
• fix(eslint-plugin): [no-unused-private-class-members] private destructured class member is defined but used (#11785)
• docs: document expectations around AI use (#11836)
• chore(repo): enable no-unused-vars import autofix internally (#11979)
• chore: update snapshots for no-unused-vars identifier (#11976)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 18 commits:

• chore(release): publish 8.54.0
• feat(eslint-plugin-internal): add prefer-tsutils-methods rule (#11974)
• feat(typescript-estree): add shortcut methods to ParserServicesWithTypeInformation (#11965)
• test(eslint-plugin): skip rules tests in windows ci (#11988)
• fix(scope-manager): prevent misidentification of `"use strict"` directives (#11995)
• chore(deps): update dependency knip to v5.81.0 (#11986)
• chore(deps): update dependency @babel/code-frame to v7.28.6 (#11977)
• chore(deps): update dependency @eslint-community/eslint-plugin-eslint-comments to v4.6.0 (#11983)
• test(eslint-plugin): improve vitest performance with isolate: false (#11754)
• feat(scope-manager): support ScopeManager#addGlobals (#11914)
• fix(utils): handle missing `FlatESLint` and `LegacyESLint` (#11958)
• fix(eslint-plugin): [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#11967)
• fix(deps): update dependency prettier to v3.8.0 (#11991)
• fix(scope-manager): fix catch clause scopes `def.name` (#11982)
• fix(eslint-plugin): [no-unused-private-class-members] private destructured class member is defined but used (#11785)
• docs: document expectations around AI use (#11836)
• chore(repo): enable no-unused-vars import autofix internally (#11979)
• chore: update snapshots for no-unused-vars identifier (#11976)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 18 commits:

• chore(release): publish 8.54.0
• feat(eslint-plugin-internal): add prefer-tsutils-methods rule (#11974)
• feat(typescript-estree): add shortcut methods to ParserServicesWithTypeInformation (#11965)
• test(eslint-plugin): skip rules tests in windows ci (#11988)
• fix(scope-manager): prevent misidentification of `"use strict"` directives (#11995)
• chore(deps): update dependency knip to v5.81.0 (#11986)
• chore(deps): update dependency @babel/code-frame to v7.28.6 (#11977)
• chore(deps): update dependency @eslint-community/eslint-plugin-eslint-comments to v4.6.0 (#11983)
• test(eslint-plugin): improve vitest performance with isolate: false (#11754)
• feat(scope-manager): support ScopeManager#addGlobals (#11914)
• fix(utils): handle missing `FlatESLint` and `LegacyESLint` (#11958)
• fix(eslint-plugin): [no-unnecessary-type-assertion] check both base constraint and actual type for non-null assertions (#11967)
• fix(deps): update dependency prettier to v3.8.0 (#11991)
• fix(scope-manager): fix catch clause scopes `def.name` (#11982)
• fix(eslint-plugin): [no-unused-private-class-members] private destructured class member is defined but used (#11785)
• docs: document expectations around AI use (#11836)
• chore(repo): enable no-unused-vars import autofix internally (#11979)
• chore: update snapshots for no-unused-vars identifier (#11976)

3.1.9 (from changelog)

Commits

• [Deps] update call-bind, es-abstract, es-object-atoms, get-intrinsic, is-string 3b934ae
• [Refactor] use call-bound and math-intrinsics directly 160ea60
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, hastrict-mode, tape 4e4c67d
• [Tests] replace aud with npm audit 9c5ec1c
• [Dev Deps] add missing peer dep 863d207

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 15 commits:

• v3.1.9
• [Refactor] use `call-bound` and `math-intrinsics` directly
• [Deps] update `call-bind`, `es-abstract`, `es-object-atoms`, `get-intrinsic`, `is-string`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `auto-changelog`, `hastrict-mode`, `tape`
• [Tests] replace `aud` with `npm audit`
• v3.1.8
• [Deps] update `call-bind`, `define-properties`, `es-abstract`, `get-intrinsic`
• [Refactor] use `es-object-atoms` where possible
• [Dev Deps] update `aud`, `npmignore`, `tape`
• [Tests] use `call-bind` instead of `function-bind`
• [actions] remove redundant finisher
• v3.1.7
• [Deps] update `define-properties`, `es-abstract`, `get-intrinsic`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `tape`

1.3.3 (from changelog)

Commits

• [actions] split out node 10-20, and 20+ 1afcd57
• [Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables 152c437
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, function-bind npmignore, object-inspect, tape e39e33d
• [Tests] replace aud with npm audit 6868723
• [Dev Deps] add missing peer dep 800f3e3

1.3.2 (from changelog)

Commits

• [Deps] update define-properties, es-abstract fb625eb
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, object-inspect, tape 1fde275

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 9 commits:

• v1.3.3
• [Deps] update `call-bind`, `define-properties`, `es-abstract`, `es-shim-unscopables`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `auto-changelog`, `function-bind` `npmignore`, `object-inspect`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• v1.3.2
• [Deps] update `define-properties`, `es-abstract`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `object-inspect`, `tape`

1.3.3 (from changelog)

Commits

• [actions] split out node 10-20, and 20+ 8727281
• [Tests] add test coverage 6e78327
• [Deps] update call-bind, es-abstract e027dd1
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, object-inspect, tape 7322d84
• [Dev Deps] update aud, npmignore, object-inspect, tape 958bf5c
• [Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables b3698fb
• [Tests] replace aud with npm audit e0461ed
• [Dev Deps] add missing peer dep e7160b5

1.3.2 (from changelog)

Commits

• [Deps] update define-properties, es-abstract 1737863
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, object-inspect, tape 2337759

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 12 commits:

• v1.3.3
• [Deps] update `call-bind`, `es-abstract`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `auto-changelog`, `object-inspect`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [Deps] update `call-bind`, `define-properties`, `es-abstract`, `es-shim-unscopables`
• [Dev Deps] update `aud`, `npmignore`, `object-inspect`, `tape`
• [Tests] add test coverage
• v1.3.2
• [Deps] update `define-properties`, `es-abstract`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `object-inspect`, `tape`

1.0.7 (from changelog)

Commits

• [Refactor] use possible-typed-array-names ac86abf

1.0.6 (from changelog)

Commits

• [actions] reuse common workflows 1850353
• [meta] use npmignore to autogenerate an npmignore file 5c7de12
• [patch] add types fcfb0ea
• [actions] update codecov uploader d844945
• [Dev Deps] update eslint, @ljharb/eslint-config, array.prototype.every, safe-publish-latest, tape a2be6f4
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape b283a3e
• [actions] update rebase action to use reusable workflow 0ad1f2d
• [Dev Deps] update @ljharb/eslint-config, array.prototype.every, aud, tape cd36e81
• [meta] simplify "exports" f696e5f
• [Dev Deps] update aud, npmignore, tape bf20080

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 13 commits:

• v1.0.7
• [Refactor] use `possible-typed-array-names`
• v1.0.6
• [patch] add types
• [Dev Deps] update `aud`, `npmignore`, `tape`
• [Dev Deps] update `@ljharb/eslint-config`, `array.prototype.every`, `aud`, `tape`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [actions] update rebase action to use reusable workflow
• [actions] reuse common workflows
• [meta] simplify "exports"
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `array.prototype.every`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

1.0.8 (from changelog)

Commits

• [Refactor] extract out some helpers and avoid get-intrinsic usage 407fd5e
• [Refactor] replace code with extracted call-bind-apply-helpers 81018fb
• [Tests] use set-function-length/env 0fc311d
• [actions] split out node 10-20, and 20+ 77a0cad
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, es-value-fixtures, gopd, object-inspect, tape a145d10
• [Tests] replace aud with npm audit 30ca3dd
• [Deps] update set-function-length 57c79a3
• [Dev Deps] add missing peer dep 601cfa5

1.0.7 (from changelog)

Commits

• [Refactor] use es-define-property 09b76a0
• [Deps] update get-intrinsic, set-function-length ad5136d

1.0.6 (from changelog)

Commits

• [Dev Deps] update aud, npmignore, tape d564d5c
• [Deps] update get-intrinsic, set-function-length cfc2bdc
• [Refactor] use es-errors, so things that only need those do not need get-intrinsic 64cd289
• [meta] add missing engines.node 32a4038

1.0.5 (from changelog)

Commits

• [Fix] throw an error on non-functions as early as possible f262408
• [Deps] update set-function-length 3fff271

1.0.3 (from changelog)

Commits

• [actions] reuse common workflows a994df6
• [meta] use npmignore to autogenerate an npmignore file eef3ef2
• [readme] flesh out content 1845ccf
• [actions] use node/install instead of node/run; use codecov action 5b47d53
• [Refactor] use set-function-length a0e165c
• [Dev Deps] update @ljharb/eslint-config, aud, tape 9c50103
• [meta] simplify "exports" 019c6d0
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, safe-publish-latest, tape 23bd718
• [actions] update codecov uploader 62552d7
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape ec81665
• [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape 35d67fc
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 0266d8d
• [Dev Deps] update @ljharb/eslint-config, aud, tape 43a5b28
• [Deps] update define-data-property, function-bind, get-intrinsic 780eb36
• [Dev Deps] update aud, tape 90d50ad
• [meta] use prepublishOnly script for npm 7+ 44c5433
• [Deps] update get-intrinsic 86bfbfc
• [Deps] update get-intrinsic 5c53354
• [actions] update checkout action 4c393a8
• [Deps] update get-intrinsic 4e70bde
• [Deps] update get-intrinsic 55ae803

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 43 commits:

• v1.0.8
• [Refactor] replace code with extracted `call-bind-apply-helpers`
• [Tests] use `set-function-length/env`
• [Refactor] extract out some helpers and avoid get-intrinsic usage
• [Deps] update `set-function-length`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `es-value-fixtures`, `gopd`, `object-inspect`, `tape`
• [Tests] replace `aud` with `npm audit`
• [actions] split out node 10-20, and 20+
• v1.0.7
• [Refactor] use `es-define-property`
• [Deps] update `get-intrinsic`, `set-function-length`
• v1.0.6
• [Refactor] use `es-errors`, so things that only need those do not need `get-intrinsic`
• [meta] add missing `engines.node`
• [Deps] update `get-intrinsic`, `set-function-length`
• [Dev Deps] update `aud`, `npmignore`, `tape`
• v1.0.5
• [Deps] update `set-function-length`
• [Fix] throw an error on non-functions as early as possible
• v1.0.4
• v1.0.3
• [Refactor] use `set-function-length`
• [Deps] update `define-data-property`, `function-bind`, `get-intrinsic`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `aud`, `tape`
• [actions] update checkout action
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [Deps] update `get-intrinsic`
• [actions] reuse common workflows
• [meta] simplify "exports"
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [readme] flesh out content
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• [Deps] update `get-intrinsic`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+

1.2.1 (from changelog)

Commits

• [Refactor] use define-data-property e7782a7
• [actions] use reusable rebase action cd249c3
• [Dev Deps] update @ljharb/eslint-config, aud, tape 8205f97

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 4 commits:

• v1.2.1
• [actions] use reusable rebase action
• [Refactor] use `define-data-property`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`

See the full diff on Github. The new version differs by 2 commits:

• 1.5.279
• generate new version

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by 22 commits:

• v2.1.0
• [Dev Deps] add missing peer dep
• [New] add `nonConfigurable` option
• [readme] document `force` option
• [Tests] add coverage
• [Fix] validate boolean option argument
• [Deps] update `get-intrinsic`
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/eslint-config`, `@ljharb/tsconfig`, `@types/get-intrinsic`, `@types/tape`, `auto-changelog`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [types] use shared config
• [Deps] update `hasown`
• [Tests] use `@arethetypeswrong/cli`
• v2.0.3
• add types
• [Deps] update `get-intrinsic`, `has-tostringtag`, `hasown`
• [Dev Deps] update `aud`, `npmignore`, `tape`
• [Tests] fix hasOwn require
• v2.0.2
• [Refactor] use `hasown` instead of `has`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`

1.3.0 (from changelog)

Commits

• [actions] reuse common workflows bb72efc
• [Tests] use es-value-fixtures a912f7b
• [Tests] migrate tests to Github Actions 510baf0
• [New] add types 69ba1fd
• [meta] remove unused Makefile 4ea66e6
• [actions] use node/install instead of node/run; use codecov action 3c31937
• [meta] do not publish github action workflow files 389567e
• [meta] use npmignore to autogenerate an npmignore file 9f3aa76
• [actions] split out node 10-20, and 20+ c60d7d8
• [Tests] run nyc on all tests; use tape runner 29cbb89
• [meta] add auto-changelog ea744b2
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, has-symbols, object-inspect, object-is, tape e5c3c79
• [actions] add automatic rebasing / merge commit blocking a5a6f00
• [Dev Deps] update @ljharb/eslint-config, es-value-fixtures, function.prototype.name, npmignore, object-inspect, object-is, tape 7941fd5
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, es-value-fixtures, foreach, object-inspect, tape eb1c79c
• [Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, object-inspect, safe-publish-latest, tape 249b42f
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, object-inspect, object-is, tape d57d5e9
• [actions] update codecov uploader 003b62c
• [actions] add "Allow Edits" workflow 75ee990
• [Dev Deps] update eslint, @ljharb/eslint-config, tape, object-is; add safe-publish-latest ba5da7b
• [readme] remove travis badge 6f7aec7
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, tape 3291fd5
• [Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, has-symbols, object-inspect 53007f2
• [actions] update checkout action 69640db
• [Dev Deps] update eslint, @ljharb/eslint-config, object-is, tape; add aud c9d644e
• [Tests] use for-each instead of foreach e9117bb
• [readme] add github actions/codecov badges 53cd375
• [Deps] update is-callable, is-date-object, is-symbol 8116c68
• [Tests] fix test skipping for Symbol.toPrimitive e6268ef
• [actions] switch Automatic Rebase workflow to pull_request_target event da41c40
• [Deps] update is-callable, is-date-object 96fe13f
• [Tests] replace aud with npm audit 0b53154
• [meta] use prepublishOnly script for npm 7+ 9d7d485
• [Deps] update is-callable 3c990b6
• [Deps] update is-callable 9bcfff2
• [Deps] update is-callable 1eb5478
• [meta] only run aud on prod deps 1fcd896
• [Deps] update is-symbol 7174a47

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 39 commits:

• v1.3.0
• [meta] add `auto-changelog`
• [New] add types
• [Tests] fix test skipping for `Symbol.toPrimitive`
• [actions] split out node 10-20, and 20+
• [Deps] update `is-callable`
• [Dev Deps] update `@ljharb/eslint-config`, `es-value-fixtures`, `function.prototype.name`, `npmignore`, `object-inspect`, `object-is`, `tape`
• [Tests] replace `aud` with `npm audit`
• [Tests] use `for-each` instead of `foreach`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `es-value-fixtures`, `foreach`, `object-inspect`, `tape`
• [actions] update checkout action
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `function.prototype.name`, `object-inspect`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• [meta] do not publish github action workflow files
• [Tests] use `es-value-fixtures`
• [readme] add github actions/codecov badges
• [Deps] update `is-callable`, `is-date-object`, `is-symbol`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `object-inspect`, `tape`
• [Deps] update `is-callable`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `function.prototype.name`, `has-symbols`, `object-inspect`, `object-is`, `tape`
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+
• [Deps] update `is-callable`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `function.prototype.name`, `object-inspect`, `object-is`, `tape`
• [readme] remove travis badge
• [Tests] migrate tests to Github Actions
• [Tests] run `nyc` on all tests; use `tape` runner
• [actions] add "Allow Edits" workflow
• [actions] switch Automatic Rebase workflow to `pull_request_target` event
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `object-is`, `tape`; add `aud`
• [meta] only run `aud` on prod deps
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`, `object-is`; add `safe-publish-latest`
• [Deps] update `is-callable`, `is-date-object`
• [Deps] update `is-symbol`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `function.prototype.name`, `has-symbols`, `object-inspect`
• [meta] remove unused Makefile
• [actions] add automatic rebasing / merge commit blocking

3.2.0

Patches

• Declare separate ESM and CommonJS TypeScript definitions: a72e1c3
  Previously, only ESM definitions were shipped but were exported in a way that could cause tool/resolution ambiguity.

Chores

• Update Node.js version matrix in CI suite: a8c6820

---

Full Changelog: v3.1.2...v3.2.0

3.1.2

Patches

• Support TypeScript’s nodenext module resolution mode (#10): d872fbd

  Thank you @NMinhNguyen

Chores

• Add licenses.dev badge to README: 02dcb8b
• Update CI matrix versions: 3c916b2

---

Full Changelog: v3.1.1...v3.1.2

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 7 commits:

• 3.2.0
• fix: separate CJS vs ESM type defs
• chore(ci): update matrix & images
• 3.1.2
• fix: add "types" conditions (#10)
• fix(ci): update versions
• chore: add licenses badge

2.12.0 (from changelog)

Added

• Ignore type imports for named rule (#931, thanks @mattijsbliek)
• Add documentation for no-useless-path-segments rule (#1068, thanks @manovotny)
• packageDir option for no-extraneous-dependencies can be array-valued (#1085, thanks @hulkish)

2.11.0 (from changelog)

Added

• Fixer for first (#1046, thanks @fengkfengk)
• allow-require option for no-commonjs rule (#880, thanks @futpib)

Fixed

• memory/CPU regression where ASTs were held in memory (#1058, thanks @klimashkin/@lukeapage)

2.10.0 (from changelog)

Added

• Autofixer for order rule (#908, thanks @tihonove)
• Add no-cycle rule: reports import cycles.

2.9.0 (from changelog)

Added

• Add group-exports rule: style-guide rule to report use of multiple named exports (#721, thanks @robertrossmann)
• Add no-self-import rule: forbids a module from importing itself. (#727, #449, #447, thanks @giodamelio).
• Add no-default-export rule (#889, thanks @isiahmeadows)
• Add no-useless-path-segments rule (#912, thanks @graingert and @danny-andrews)
• ... and more! check the commits for v2.9.0

Does any of this look wrong? Please let us know.

2.32.0

Added

• add enforce-node-protocol-usage rule and import/node-version setting (#3024, thanks @GoldStrikeArch and @sevenc-nanashi)
• add TypeScript types (#3097, thanks @G-Rath)
• extensions: add `pathGroupOverrides to allow enforcement decision overrides based on specifier (#3105, thanks @Xunnamius)
• order: add sortTypesGroup option to allow intragroup sorting of type-only imports (#3104, thanks @Xunnamius)
• order: add newlines-between-types option to control intragroup sorting of type-only imports (#3127, thanks @Xunnamius)
• order: add consolidateIslands option to collapse excess spacing for aesthetically pleasing imports (#3129, thanks @Xunnamius)

Fixed

• no-unused-modules: provide more meaningful error message when no .eslintrc is present (#3116, thanks @michaelfaith)
• configs: added missing name attribute for eslint config inspector (#3151, thanks @NishargShah)
• order: ensure arcane imports do not cause undefined behavior (#3128, thanks @Xunnamius)
• order: resolve undefined property access issue when using named ordering (#3166, thanks @Xunnamius)
• enforce-node-protocol-usage: avoid a crash with some TS code (#3173, thanks @ljharb)
• order: codify invariants from docs into config schema (#3152, thanks @Xunnamius)

Changed

• [Docs] extensions, order: improve documentation (#3106, thanks @Xunnamius)
• [Docs] add flat config guide for using tseslint.config() (#3125, thanks @lnuvy)
• [Docs] add missing comma (#3122, thanks @RyanGst)
• [readme] Update flatConfig example to include typescript config (#3138, thanks @intellix)
• [Refactor] order: remove unnecessary negative check (#3167, thanks @JounQin)
• [Docs] no-unused-modules: add missing double quote (#3191, thanks @albertpastrana)
• [Docs] no-restricted-paths: clarify wording and fix errors (#3172, thanks @greim)

2.31.0

Added

• support eslint v9 (#2996, thanks @G-Rath @michaelfaith)
• order: allow validating named imports (#3043, thanks @manuth)
• extensions: add the checkTypeImports option (#2817, thanks @phryneas)

Fixed

• ExportMap / flat config: include languageOptions in context (#3052, thanks @michaelfaith)
• no-named-as-default: Allow using an identifier if the export is both a named and a default export (#3032, thanks @akwodkiewicz)
• export: False positive for exported overloaded functions in TS (#3065, thanks @liuxingbaoyu)
• exportMap: export map cache is tainted by unreliable parse results (#3062, thanks @michaelfaith)
• exportMap: improve cacheKey when using flat config (#3072, thanks @michaelfaith)
• adjust "is source type module" checks for flat config (#2996, thanks @G-Rath)

Changed

• [Docs] no-relative-packages: fix typo (#3066, thanks @joshuaobrien)
• [Performance] no-cycle: dont scc for each linted file (#3068, thanks @soryy708)
• [Docs] no-cycle: add disableScc to docs (#3070, thanks @soryy708)
• [Tests] use re-exported RuleTester (#3071, thanks @G-Rath)
• [Docs] no-restricted-paths: fix grammar (#3073, thanks @unbeauvoyage)
• [Tests] no-default-export, no-named-export: add test case (thanks @G-Rath)

2.30.0

Added

• dynamic-import-chunkname: add allowEmpty option to allow empty leading comments (#2942, thanks @JiangWeixian)
• dynamic-import-chunkname: Allow empty chunk name when webpackMode: 'eager' is set; add suggestions to remove name in eager mode (#3004, thanks @amsardesai)
• no-unused-modules: Add ignoreUnusedTypeExports option (#3011, thanks @silverwind)
• add support for Flat Config (#3018, thanks @michaelfaith)

Fixed

• no-extraneous-dependencies: allow wrong path (#3012, thanks @chabb)
• no-cycle: use scc algorithm to optimize (#2998, thanks @soryy708)
• no-duplicates: Removing duplicates breaks in TypeScript (#3033, thanks @yesl-kim)
• newline-after-import: fix considerComments option when require (#2952, thanks @developer-bandi)
• order: do not compare first path segment for relative paths (#2682) (#2885, thanks @mihkeleidast)

Changed

• [Docs] no-extraneous-dependencies: Make glob pattern description more explicit (#2944, thanks @mulztob)
• no-unused-modules: add console message to help debug #2866
• [Refactor] ExportMap: make procedures static instead of monkeypatching exportmap (#2982, thanks @soryy708)
• [Refactor] ExportMap: separate ExportMap instance from its builder logic (#2985, thanks @soryy708)
• [Docs] order: Add a quick note on how unbound imports and --fix (#2640, thanks @minervabot)
• [Tests] appveyor -> GHA (run tests on Windows in both pwsh and WSL + Ubuntu) (#2987, thanks @joeyguerra)
• [actions] migrate OSX tests to GHA (ljharb#37, thanks @aks-)
• [Refactor] exportMapBuilder: avoid hoisting (#2989, thanks @soryy708)
• [Refactor] ExportMap: extract "builder" logic to separate files (#2991, thanks @soryy708)
• [Docs] order: update the description of the pathGroupsExcludedImportTypes option (#3036, thanks @liby)
• [readme] Clarify how to install the plugin (#2993, thanks @jwbth)

2.29.1

Full Changelog: v2.29.0...v2.29.1

2.29.0

Full Changelog: v2.28.1...v2.29.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

6.10.2 (from changelog)

Fixed

• [patch] no-redundandant-roles: allow <img src="*.svg" role="img" /> #936

Commits

• [meta] fix changelog URLs 0d01a1a
• [Refactor] remove no-longer-needed es-iterator-helpers aa075bd
• [Refactor] avoid spreading things that are already arrays d15d3ab
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register 5dad7c4
• [Tests] aria-role: Add valid test for <svg role="img" /> daba189
• [Docs] label-has-associated-control: add line breaks for readability 0bc6378
• [Tests] label-has-associated-control: add additional test cases 30d2318
• [Tests] Add tests to reinforce required attributes for role="heading" d92446c

6.10.1 (from changelog)

Commits

• [Fix] handle interactive/noninteractive changes from aria-query 4925ba8
• [Docs] Use consistent spelling of 'screen reader' cb6788c
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, auto-changelog, eslint-plugin-import, tape 518a77e
• [Deps] update es-iterator-helpers, string.prototype.includes eed03a3
• [meta] package.json - Update jscodeshift & remove babel-jest 2ee940c
• [Docs] Remove accidental whitespace in CONTRIBUTING.md a262131
• [Deps] unpin aria-query e517937

6.10.0 (from changelog)

Fixed

• [New] label-has-associated-control: add additional error message #1005
• [Fix] label-has-associated-control: ignore undetermined label text #966

Commits

• [Tests] switch from jest to tape a284cbf
• [New] add eslint 9 support deac4fd
• [New] add attributes setting a1ee7f8
• [New] allow polymorphic linting to be restricted 6cd1a70
• [Tests] remove duplicate tests 74d5dec
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types 6eca235
• [readme] remove deprecated travis ci badge; add github actions badge 0be7ea9
• [Tests] use npm audit instead of aud 05a5e49
• [Deps] update axobject-query 912e98c
• [Deps] unpin axobject-query 75147aa
• [Deps] update axe-core 27ff7cb
• [readme] fix jsxA11y import name ce846e0
• [readme] fix typo in shareable config section in readme cca288b

6.9.0

Added

• add support for Flat Config 6b5f096
• no-noninteractive-element-to-interactive-role: allow menuitemradio and menuitemcheckbox on <li> c0733f9

Fixed

• img-redundant-alt: fixed multibyte character support #969
• Revert "[Fix] isNonInteractiveElement: Upgrade aria-query to 5.3.0 and axobject-query to 3.2.1" 75d5dd7
• ensure summary remains non-interactive 6a048da

Changed

• [meta] fix changelog links #960
• [Robustness] use safe-regex-test 4c7e781
• [actions] update actions/checkout 51a1ca7
• [Deps] pin aria-query and axobject-query, add ls-engines test to CI 32fd82c
• [Deps] remove @babel/runtime 0a98ad8
• [Deps] unpin axe-core b3559cf
• [Deps] move object.entries to dev deps 1be7b70

Full Changelog: v6.8.0...v6.9.0

6.8.0 (from changelog)

Merged

• Allow title attribute or aria-label attribute instead of accessible child in the "anchor-has-content" rule #727

Fixed

• [Docs] aria-activedescendant-has-tabindex: align with changes from #708 #924
• [Fix] control-has-associated-label: don't accept whitespace as an accessible label #918

Commits

• [Tests] migrate helper parsers function from eslint-plugin-react ce4d57f
• [Refactor] use es-iterator-helpers 52de824
• [New] mouse-events-have-key-events: add hoverInHandlers/hoverOutHandlers config db64898
• [New] add polymorphicPropName setting for polymorphic components fffb05b
• [Fix] isNonInteractiveElement: Upgrade aria-query to 5.3.0 and axobject-query to 3.2.1 64bfea6
• [Refactor] use hasown instead of has 9a8edde
• [actions] update used actions 10c061a
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, aud, eslint-doc-generator, eslint-plugin-import, minimist 6d5022d
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/register, eslint-doc-generator, eslint-plugin-import 4dc7f1e
• [New] anchor-has-content: Allow title attribute OR aria-label attribute e6bfd5c
• [patch] mouse-events-have-key-events: rport the attribute, not the node eadd70c
• [Deps] update @babel/runtime, array-includes, array.prototype.flatmap, object.entries, object.fromentries 46ffbc3
• [Deps] update @babel/runtime, axobject-query, jsx-ast-utils, semver 5999555
• [Fix] pin aria-query and axe-core to fix failing tests on main 8d8f016
• [patch] move semver from Deps to Dev Deps 4da13e7
• [Deps] update ast-types-flow b755318
• [Dev Deps] update eslint-plugin-import f1c976b
• [Deps] unpin language-tags 3d1d26d
• [Docs] no-static-element-interactions: tabIndex is written tabindex 1271153
• [Deps] Upgrade ast-types-flow to mitigate Docker user namespacing problems f0d2ddb
• [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 0c278f4

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by 19 commits:

• v0.3.5
• [New] add types
• v0.3.4
• [meta] use `auto-changelog`
• [meta] consolidate eslintrc files
• [meta] use `npmignore`
• [meta] add missing `engines.node`
• [Deps] update `is-callable`
• [Tests] add github actions
• [Tests] add `nyc`
• [meta] add `funding` field and `FUNDING.yml`
• [meta] remove unnecessary `licenses` key
• [Dev Deps] update `tape`
• [Dev Deps] update eslint things
• [Tests] use `npm audit` instead of long-dead `nsp`
• [meta] delete `.travis.yml`
• Update README.md
• [meta] create SECURITY.md
• [Tests] up to `node` `v10`; use `nvm install-latest-npm`

See the full diff on Github. The new version differs by 26 commits:

• v1.1.2
• [meta] add `auto-changelog`
• [Robustness] remove runtime dependency on all builtins except `.apply`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [meta] add `funding` field; create FUNDING.yml
• [Tests] use `aud` instead of `npm audit`
• [meta] update `.gitignore`
• [Tests] switch to nyc for coverage
• [meta] add `safe-publish-latest`
• [Dev Deps] update `@ljharb/eslint-config`, `tape`
• [actions] fix permissions
• Revert "Point to the correct file"
• Merge pull request #16 from svedova/patch-1
• Point to the correct file
• [readme] update badges
• [meta] use `npmignore` to autogenerate an npmignore file
• [Tests] migrate tests to Github Actions
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`
• [meta] create SECURITY.md
• [Tests] fix eslint errors from #15
• [Dev Deps] update `@ljharb/eslint‑config`, `eslint`, `tape`
• [Tests] up to `node` `v11.10`, `v10.15`, `v9.11`, `v8.15`, `v6.16`, `v4.9`; use `nvm install-latest-npm`; run audit script in tests
• [Tests] add `npm run audit`
• [Tests] remove `jscs`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `covert`, `tape`
• Docs: enable badges; update wording

1.1.8 (from changelog)

Commits

• [actions] split out node 10-20, and 20+ b5ea555
• [Refactor] use call-bound directly f6a6c64

1.1.7 (from changelog)

Commits

• [actions] split out node 10-20, and 20+ 47155b0
• [Refactor] use hasown and is-callable directly, instead of es-abstract d5118d6
• [Deps] update call-bind, define-properties, es-abstract cfa8b2e
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, npmignore, tape 2077d9a
• [Tests] replace aud with npm audit 219e0a4
• [Dev Deps] add missing peer dep 0b16b2b

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 10 commits:

• v1.1.8
• [Refactor] use `call-bound` directly
• [actions] split out node 10-20, and 20+
• v1.1.7
• [Refactor] use `hasown` and `is-callable` directly, instead of `es-abstract`
• [Deps] update `call-bind`, `define-properties`, `es-abstract`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `auto-changelog`, `npmignore`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`

1.3.0 (from changelog)

Commits

• [Dev Deps] update es-abstract, es-value-fixtures, for-each, object-inspect 9b61553
• [Deps] update call-bind-apply-helpers, es-object-atoms, get-proto a341fee
• [New] add Float16Array de22116

1.2.7 (from changelog)

Commits

• [Refactor] use get-proto directly 00ab955
• [Deps] update math-intrinsics c716cdd
• [Dev Deps] update call-bound, es-abstract dc648a6

1.2.6 (from changelog)

Commits

• [Refactor] use math-intrinsics 841be86
• [Refactor] use es-object-atoms 42057df
• [Deps] update call-bind-apply-helpers 45afa24
• [Dev Deps] update call-bound 9cba9c6

1.2.5 (from changelog)

Commits

• [actions] split out node 10-20, and 20+ 6e2b9dd
• [Refactor] use dunder-proto and call-bind-apply-helpers instead of has-proto c095d17
• [Refactor] use gopd 9841d5b
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, es-abstract, es-value-fixtures, gopd, mock-property, object-inspect, tape 2d07e01
• [Deps] update gopd, has-proto, has-symbols, hasown 974d8bf
• [Dev Deps] update call-bind, es-abstract, tape df9dde1
• [Refactor] cache es-define-property as well 43ef543
• [Deps] update has-proto, has-symbols, hasown ad4949d
• [Tests] use call-bound directly ad5c406
• [Deps] update has-proto, hasown 45414ca
• [Tests] replace aud with npm audit 18d3509
• [Deps] update es-define-property aadaa3b
• [Dev Deps] add missing peer dep c296a16

1.2.4 (from changelog)

Commits

• [Refactor] use all 7 <+ ES6 Errors from es-errors bcac811

1.2.3 (from changelog)

Commits

• [Refactor] use es-errors, so things that only need those do not need get-intrinsic f11db9c
• [Dev Deps] update aud, es-abstract, mock-property, npmignore b7ac7d1
• [meta] simplify exports faa0cc6
• [meta] add missing engines.node 774dd0b
• [Dev Deps] update tape 5828e8e
• [Robustness] use null objects for lookups eb9a11f
• [meta] add sideEffects flag 89bcc7a

1.2.2 (from changelog)

Commits

• [Dev Deps] update @ljharb/eslint-config, aud, call-bind, es-abstract, mock-property, object-inspect, tape f51bcf2
• [Refactor] use hasown instead of has 18d14b7
• [Deps] update function-bind 6e109c8

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 41 commits:

• v1.3.0
• [New] add `Float16Array`
• [Deps] update `call-bind-apply-helpers`, `es-object-atoms`, `get-proto`
• [Dev Deps] update `es-abstract`, `es-value-fixtures`, `for-each`, `object-inspect`
• v1.2.7
• [Deps] update `math-intrinsics`
• [Dev Deps] update `call-bound`, `es-abstract`
• [Refactor] use `get-proto` directly
• v1.2.6
• [Refactor] use `math-intrinsics`
• [Deps] update `call-bind-apply-helpers`
• [Dev Deps] update `call-bound`
• [Refactor] use `es-object-atoms`
• v1.2.5
• [Deps] update `es-define-property`
• [actions] split out node 10-20, and 20+
• [Refactor] use `dunder-proto` and `call-bind-apply-helpers` instead of `has-proto`
• [Refactor] cache `es-define-property` as well
• [Tests] use `call-bound` directly
• [Deps] update `gopd`, `has-proto`, `has-symbols`, `hasown`
• [Refactor] use `gopd`
• [Deps] update `has-proto`, `has-symbols`, `hasown`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `es-abstract`, `es-value-fixtures`, `gopd`, `mock-property`, `object-inspect`, `tape`
• [Tests] replace `aud` with `npm audit`
• [Deps] update `has-proto`, `hasown`
• [Dev Deps] update `call-bind`, `es-abstract`, `tape`
• v1.2.4
• [Refactor] use all 7 <+ ES6 Errors from `es-errors`
• v1.2.3
• [Refactor] use `es-errors`, so things that only need those do not need `get-intrinsic`
• [Dev Deps] update `tape`
• [meta] add missing `engines.node`
• [Robustness] use null objects for lookups
• [Dev Deps] update `aud`, `es-abstract`, `mock-property`, `npmignore`
• [meta] simplify `exports`
• [meta] add `sideEffects` flag
• v1.2.2
• [Refactor] use `hasown` instead of `has`
• [Deps] update `function-bind`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `call-bind`, `es-abstract`, `mock-property`, `object-inspect`, `tape`

See the full diff on Github. The new version differs by 9 commits:

• v1.0.4
• [Dev Deps] add missing `npmignore` dep
• [actions] remove redundant finisher
• [Refactor] use `gopd`
• [Deps] update `define-properties`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `define-properties`
• [Dev Deps] update `aud`, `tape`
• [actions] update rebase action to use reusable workflow

1.2.0 (from changelog)

Commits

• [New] add gOPD entry point; remove get-intrinsic 5b61232

1.1.0 (from changelog)

Commits

• [New] add types f585e39
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape 0b8e4fd
• [Dev Deps] update aud, npmignore, tape 48378b2
• [Dev Deps] update @ljharb/eslint-config, aud, tape 78099ee
• [Tests] replace aud with npm audit 4e0d0ac
• [meta] add missing engines.node 1443316
• [Deps] update get-intrinsic eee5f51
• [Deps] update get-intrinsic 550c378
• [Dev Deps] add missing peer dep 8c2ecf8

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 12 commits:

• v1.2.0
• [New] add `gOPD` entry point; remove `get-intrinsic`
• v1.1.0
• [New] add types
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `tape`
• [Tests] replace `aud` with `npm audit`
• [meta] add missing `engines.node`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `aud`, `npmignore`, `tape`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`

1.1.0 (from changelog)

Commits

• [meta] use npmignore to autogenerate an npmignore file a411cea
• [actions] split out node 10-20, and 20+ 4515878
• [New] add types c888241
• [actions] update rebase action to use reusable workflow 6f44338
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape ffa1e4d
• [Dev Deps] update aud, tape 0f5d096
• [meta] add missing engines.node 3f73c71
• [Tests] replace aud with npm audit b007efd
• [Dev Deps] add missing peer dep 459c612

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 10 commits:

• v1.1.0
• [meta] add missing `engines.node`
• [New] add types
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `npmignore`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `aud`, `tape`
• [actions] update rebase action to use reusable workflow

See the full diff on Github. The new version differs by 11 commits:

• v1.0.2
• [Refactor] use `es-define-property`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `aud`, `npmignore`, `tape`
• v1.0.1
• [Deps] update `get-intrinsic`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `get-intrinsic`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `aud`, `tape`
• [actions] update rebase action to use reusable workflow

1.2.0 (from changelog)

Commits

• [Refactor] use dunder-proto instead of call-bind 6e5e76c
• [actions] split out node 10-20, and 20+ 3b8e9e6
• [Dev Deps] update @ljharb/tsconfig, gopd 57bcd00
• [actions] skip npm ls in node < 10 ce3a4d7

1.1.0 (from changelog)

Commits

• [New] add accessor and mutator endpoints 144f6a9
• [types] use shared config 8b597cf
• [Refactor] cache result at module level 88418bd
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape d246200
• [Deps] update gopd, reflect.getprototypeof 6f72364
• [Tests] add @arethetypeswrong/cli 8194e1a
• [Tests] replace aud with npm audit fd7ad11
• [Dev Deps] update @types/tape 2695808
• [Dev Deps] add missing peer dep fa4b2f7

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 22 commits:

• v1.2.0
• [actions] split out node 10-20, and 20+
• [Dev Deps] update `@ljharb/tsconfig`, `gopd`
• [Refactor] use `dunder-proto` instead of `call-bind`
• [actions] skip `npm ls` in node < 10
• v1.1.0
• [Deps] update `gopd`, `reflect.getprototypeof`
• [New] add `accessor` and `mutator` endpoints
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@types/tape`
• [Refactor] cache result at module level
• [Tests] add `@arethetypeswrong/cli`
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `tape`
• [Tests] replace `aud` with `npm audit`
• [types] use shared config
• v1.0.3
• [types] add missing declaration file
• v1.0.2
• [meta] add `sideEffects` flag
• add types
• [Refactor] tiny cleanup
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `npmignore`, `tape`

1.1.0 (from changelog)

Commits

• [actions] update workflows 548c0bf
• [actions] further shard; update action deps bec56bb
• [meta] use npmignore to autogenerate an npmignore file ac81032
• [New] add types 6469cbf
• [actions] update rebase action to use reusable workflow 9c9d4d0
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape adb5887
• [Dev Deps] update @ljharb/eslint-config, aud, tape 13ec198
• [Dev Deps] update auto-changelog, core-js, tape 941be52
• [Tests] replace aud with npm audit 74f49e9
• [Dev Deps] update npmignore 9c0ac04
• [Dev Deps] add missing peer dep 52337a5

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 12 commits:

• v1.1.0
• [New] add types
• [Dev Deps] add missing peer dep
• [Dev Deps] update `auto-changelog`, `core-js`, `tape`
• [actions] update workflows
• [Tests] replace `aud` with `npm audit`
• [actions] further shard; update action deps
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Dev Deps] update `npmignore`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [actions] update rebase action to use reusable workflow

See the full diff on Github. The new version differs by 14 commits:

• v1.0.2
• [Fix] move `has-symbols` back to prod deps
• v1.0.1
• [Tests] remove staging tests since they fail on modern node
• [patch] add types
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `npmignore`, `tape`
• [Deps] update `has-symbols`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [actions] update rebase action to use reusable workflow
• [Tests] generate coverage
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader

1.1.0 (from changelog)

Commits

• [actions] reuse common workflows 0e63a44
• [meta] use npmignore to autogenerate an npmignore file 47584ee
• [Tests] use for-each and es-value-fixtures f226864
• [New] add types 78e2c47
• [actions] split out node 10-20, and 20+ 4395a8d
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, has-symbols, object-inspect, tape c188501
• [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 5360d32
• [actions] update rebase action to use reusable workflow d5c1775
• [actions] update codecov uploader c7478c7
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, tape 6fbce66
• [meta] add missing engines.node 6f9ed42
• [Tests] replace aud with npm audit 21846c3
• [Dev Deps] remove unused has-symbols, add missing has-tostringtag b378d94
• [Deps] update has-bigints f46c35b
• [Dev Deps] add missing peer dep 2b9be16

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 16 commits:

• v1.1.0
• [Dev Deps] remove unused `has-symbols`, add missing `has-tostringtag`
• [meta] add missing `engines.node`
• [New] add types
• [Tests] use `for-each` and `es-value-fixtures`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `npmignore`, `object-inspect`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [Deps] update `has-bigints`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `has-symbols`, `object-inspect`, `tape`
• [actions] update rebase action to use reusable workflow
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `object-inspect`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader

1.2.2 (from changelog)

Fixed

• [Fix] do not be tricked by fake Booleans #25

Commits

• [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape, core-js a27608b
• [Deps] update call-bound b19953f

1.2.1 (from changelog)

Commits

• [Refactor] use call-bound directly bb5aa26

1.2.0 (from changelog)

Commits

• [actions] reuse common workflows 380fa25
• [meta] use npmignore to autogenerate an npmignore file befa203
• [actions] split out node 10-20, and 20+ ca31663
• [New] add types 6d58609
• [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 06cc67e
• [actions] update codecov uploader 0722346
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 100acdf
• [actions] update rebase action to use reusable workflow 26333ff
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape fde97ee
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f5ed3c8
• [Deps] update call-bind, has-tostringtag 61912e2
• [Tests] replace aud with npm audit c6a0db5
• [meta] better eccheck command 3a59ec6
• [Dev Deps] add missing peer dep c0e10db

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 21 commits:

• v1.2.2
• [Fix] do not be tricked by fake Booleans
• [Deps] update `call-bound`
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/tsconfig`, `@types/tape`, `core-js`
• v1.2.1
• [Refactor] use `call-bound` directly
• v1.2.0
• [New] add types
• [Deps] update `call-bind`, `has-tostringtag`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `core-js`, `npmignore`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [actions] update rebase action to use reusable workflow
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `core-js`, `tape`
• [meta] better `eccheck` command
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `core-js`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader

2.16.1 (from changelog)

Fixed

• [Fix] node:sqlite is available in node ^22.13 #17

2.16.0 (from changelog)

Commits

• [New] add node:sqlite 1ee94d2
• [Dev Deps] update auto-changelog, tape aa84aa3

2.15.1 (from changelog)

Commits

• [Tests] add process.getBuiltinModule tests 28c7791
• [Fix] test/mock_loader is no longer exposed as of v22.7 68b08b0
• [Tests] replace aud with npm audit 32f8060
• [Dev Deps] update mock-property f7d3c8f
• [Dev Deps] add missing peer dep eaee885

2.15.0 (from changelog)

Commits

• [New] add node:sea 2819fb3

2.14.0 (from changelog)

Commits

• [Dev Deps] update @ljharb/eslint-config, aud, mock-property, npmignore, tape 0e43200
• [meta] add missing engines.node 4ea3af8
• [New] add test/mock_loader e9fbd29
• [Deps] update hasown 57f1940

2.13.1 (from changelog)

Commits

• [Refactor] use hasown instead of has 0e52096
• [Dev Deps] update mock-property, tape 8736b35

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 21 commits:

• v2.16.1
• [Fix] `node:sqlite` is available in node ^22.13
• v2.16.0
• [New] add `node:sqlite`
• [Dev Deps] update `auto-changelog`, `tape`
• v2.15.1
• [Dev Deps] add missing peer dep
• [Fix] `test/mock_loader` is no longer exposed as of v22.7
• [Dev Deps] update `mock-property`
• [Tests] replace `aud` with `npm audit`
• [Tests] add `process.getBuiltinModule` tests
• v2.15.0
• [New] add `node:sea`
• v2.14.0
• [meta] add missing `engines.node`
• [New] add `test/mock_loader`
• [Deps] update `hasown`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `mock-property`, `npmignore`, `tape`
• v2.13.1
• [Refactor] use `hasown` instead of `has`
• [Dev Deps] update `mock-property`, `tape`

1.1.0 (from changelog)

Commits

• [actions] reuse common workflows 35c5af0
• [meta] use npmignore to autogenerate an npmignore file db6113c
• [New] add types 4f1d9b3
• [actions] split out node 10-20, and 20+ c9a1e4f
• [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 35a2864
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape b670bca
• [actions] update rebase action to use reusable workflow d6bb341
• [actions] update codecov uploader f850678
• [Robustness] use call-bound 18ed326
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f0e792f
• [meta] add exports field 342351f
• [Tests] replace aud with npm audit 9b9b9cf
• [Deps] update has-tostringtag 1bc37ab
• [meta] add sideEffects flag 86d3a16
• [Dev Deps] add missing peer dep fee274d

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 16 commits:

• v1.1.0
• [meta] add `exports` field
• [New] add types
• [Robustness] use `call-bound`
• [meta] add `sideEffects` flag
• [Deps] update `has-tostringtag`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `core-js`, `npmignore`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [actions] update rebase action to use reusable workflow
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `core-js`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader

1.1.2 (from changelog)

Fixed

• [Fix] fix broken logic #45

Commits

• [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-cig, @ljharb/tsconfig, @types/tape, for-each 9638da4
• [Deps] update call-bound, get-proto d5e41c1

1.1.1 (from changelog)

Commits

• [Refactor] use generator-function 5477ff1

1.1.0 (from changelog)

Commits

• [actions] reuse common workflows 7301651
• [actions] split out node 10-20, and 20+ 40f30a5
• [meta] use npmignore to autogenerate an npmignore file ec843a4
• [New] add types 6dd27c4
• [actions] update codecov uploader 717f85e
• [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape 4280e62
• [actions] update rebase action to use reusable workflow 895c2d0
• [Tests] use for-each 3caee87
• [Robustness] use call-bound 1eb55de
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, tape 5bbd4cd
• [Robustness] use safe-regex-test 5f8b992
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape c730f4c
• [Robustness] use get-proto 6dfff38
• [Tests] replace aud with npm audit 725db70
• [Deps] update has-tostringtag 5cc3c2d
• [Dev Deps] add missing peer dep 869a507

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 23 commits:

• v1.1.2
• [Fix] fix broken logic
• [Deps] update `call-bound`, `get-proto`
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/eslint-cig`, `@ljharb/tsconfig`, `@types/tape`, `for-each`
• v1.1.1
• [Refactor] use `generator-function`
• v1.1.0
• [New] add types
• [Tests] use `for-each`
• [Robustness] use `call-bound`
• [Robustness] use `safe-regex-test`
• [Robustness] use `get-proto`
• [Deps] update `has-tostringtag`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `npmignore`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `object-inspect`, `tape`
• [actions] update rebase action to use reusable workflow
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader

2.0.3 (from changelog)

Commits

• add types e28f0d5
• [meta] use npmignore to autogenerate an npmignore file f68ec13
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 70abff7
• [actions] update rebase action to use reusable workflow 6e1356e
• [Dev Deps] update @ljharb/eslint-config, aud, npmignore, tape c00d4ab
• [meta] add sideEffects flag 9c45539

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 7 commits:

• v2.0.3
• [meta] add `sideEffects` flag
• add types
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `npmignore`, `tape`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [actions] update rebase action to use reusable workflow

1.1.1 (from changelog)

Commits

• [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape 00d566d
• [Refactor] use call-bound directly 073d5df
• [Deps] update call-bind 36c84af

1.1.0 (from changelog)

Commits

• [meta] use npmignore to autogenerate an npmignore file cb8423c
• [New] add types 273e406
• [actions] split out node 10-20, and 20+ 3da6267
• [Robustness] use call-bind 834c098
• [actions] update rebase action to use reusable workflow 84a8a9f
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7275bca
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 49a83aa
• [Tests] replace aud with npm audit 061492b
• [Refactor] avoid an expensive check, for null 08d29a8
• [Deps] update has-tostringtag 4e2ad65
• [Dev Deps] add missing peer dep 8228bfa

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 16 commits:

• v1.1.1
• [Refactor] use `call-bound` directly
• [Deps] update `call-bind`
• [Dev Deps] update `@arethetypeswrong/cli`,` @ljharb/tsconfig`, `@types/tape`
• v1.1.0
• [New] add types
• [Refactor] avoid an expensive check, for null
• [Robustness] use `call-bind`
• [Deps] update `has-tostringtag`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `core-js`, `npmignore`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `core-js`, `tape`
• [actions] update rebase action to use reusable workflow

1.2.1 (from changelog)

Commits

• [Refactor] use call-bound directly dbabfe3
• [Deps] update call-bind, gopd d5343a0
• [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig cc081eb

1.2.0 (from changelog)

Fixed

• [Tests] allow tests to pass if zero traps are triggered #35

Commits

• [actions] reuse common workflows be7bf6a
• [New] add types 39066a4
• [meta] use npmignore to autogenerate an npmignore file 8938588
• [Refactor] reorganize code 2f76f26
• [actions] split out node 10-20, and 20+ 8c9aedf
• [meta] better eccheck command 6b39408
• [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape e38cf3c
• [actions] update codecov uploader 487c75d
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, foreach, tape 0d7da87
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape c1c1198
• [actions] update rebase action to use reusable workflow 213646e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 0a44e77
• [Refactor] use hasown d939332
• [Deps] update call-bind, has-tostringtag 46bfdc9
• [Tests] use for-each instead of foreach 138b3f2
• [Tests] replace aud with npm audit 37ed80a
• [Deps] update gopd 6fd4097
• [Dev Deps] update core-js 97c1c60
• [Dev Deps] add missing peer dep 7329b8e

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 25 commits:

• v1.2.1
• [Refactor] use `call-bound` directly
• [Deps] update `call-bind`, `gopd`
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/tsconfig`
• v1.2.0
• [New] add types
• [Deps] update `gopd`
• [Dev Deps] update `core-js`
• [Refactor] reorganize code
• [Refactor] use `hasown`
• [actions] split out node 10-20, and 20+
• [Dev Deps] add missing peer dep
• [Tests] allow tests to pass if zero traps are triggered
• [Deps] update `call-bind`, `has-tostringtag`
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `core-js`, `npmignore`, `tape`
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Tests] use `for-each` instead of `foreach`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `core-js`, `foreach`, `tape`
• [actions] update rebase action to use reusable workflow
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `core-js`, `tape`
• [meta] better `eccheck` command
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader

1.1.1 (from changelog)

Commits

• [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape c1f7ef7
• [Refactor] use call-bound directly ba8a78f
• [Deps] update call-bind 93c352f

1.1.0 (from changelog)

Commits

• [actions] reuse common workflows 12aa75b
• [meta] use npmignore to autogenerate an npmignore file 6401572
• [actions] split out node 10-20, and 20+ 223540c
• [New] add types 7e83d67
• [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape febd26e
• [readme] add github actions/codecov badges; update URLs f6bf065
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, tape 8afc37a
• [Robustness] use call-bind ac86dd7
• [actions] update rebase action to use reusable workflow 77058c8
• [actions] update codecov uploader 4312be5
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 98c3779
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7d8e0e5
• [Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 3284ad1
• [Tests] replace aud with npm audit 8cb7ea7
• [Refactor] skip expensive check, for null 20fde50
• [Deps] update has-tostringtag b67a78d
• [meta] fix repo URL 1a2ee6b
• [meta] better eccheck command 6913c75
• [Dev Deps] add missing peer dep 8ac8551

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 24 commits:

• v1.1.1
• [Refactor] use `call-bound` directly
• [Deps] update `call-bind`
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/tsconfig`, `@types/tape`
• v1.1.0
• [New] add types
• [Robustness] use `call-bind`
• [Refactor] skip expensive check, for null
• [Deps] update `has-tostringtag`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `core-js`, `npmignore`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `core-js`, `tape`
• [actions] update rebase action to use reusable workflow
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `core-js`, `tape`
• [meta] fix repo URL
• [meta] better `eccheck` command
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `core-js`, `safe-publish-latest`, `tape`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `core-js`, `safe-publish-latest`, `tape`
• [readme] add github actions/codecov badges; update URLs
• [actions] update codecov uploader

1.1.1 (from changelog)

Commits

• [actions] re-add finishers 9b9d06f
• [Deps] update call-bind, has-symbols, safe-regex-test 07f3647
• [Refactor] use call-bound directly 799402d
• [Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig 4b8b2f9
• [types] remove unneeded DT packages 398abaa

1.1.0 (from changelog)

Commits

• [actions] reuse common workflows acf85f0
• [meta] use npmignore to autogenerate an npmignore file 77c818e
• [Tests] use for-each and es-value-fixtures 93dfed0
• [New] add types ed6a057
• [actions] split out node 10-20, and 20+ 7f81ccc
• [Robustness] use call-bind and safe-regex-test dc7e142
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, tape 70f87c2
• [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 3f02ff4
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, has-tostringtag, npmignore, object-inspect, tape 9588872
• [actions] update rebase action to use reusable workflow 59e2f68
• [actions] update codecov uploader e4759f8
• [Dev Deps] update eslint, auto-changelog, object-inspect, tape 33990c0
• [Tests] use has-tostringtag for more robust Symbol.toStringTag detection d6154e1
• [Tests] replace aud with npm audit 3215a60
• [Refactor] avoid an expensive check, for primitives 59f1a42
• [Deps] update has-symbols 06be1a9
• [Dev Deps] add missing peer dep 799b0da

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 24 commits:

• v1.1.1
• [types] remove unneeded DT packages
• [Refactor] use `call-bound` directly
• [Deps] update `call-bind`, `has-symbols`, `safe-regex-test`
• [Dev Deps] update `@arethetypeswrong/cli`, `@ljharb/tsconfig`
• [actions] re-add finishers
• v1.1.0
• [New] add types
• [Tests] use `for-each` and `es-value-fixtures`
• [Refactor] avoid an expensive check, for primitives
• [Robustness] use `call-bind` and `safe-regex-test`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `has-tostringtag`, `npmignore`, `object-inspect`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [Deps] update `has-symbols`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `object-inspect`, `tape`
• [actions] update rebase action to use reusable workflow
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `object-inspect`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• [Dev Deps] update `eslint`, `auto-changelog`, `object-inspect`, `tape`
• [Tests] use `has-tostringtag` for more robust Symbol.toStringTag detection