🚨 Astro's `X-Forwarded-Host` is reflected without validation

Summary

When running Astro in on-demand rendering mode using a adapter such as the node adapter it is possible to maliciously send an X-Forwarded-Host header that is reflected when using the recommended Astro.url property as there is no validation that the value is safe.

Details

Astro reflects the value in X-Forwarded-Host in output when using Astro.url without any validation.

It is common for web servers such as nginx to route requests via the Host header, and forward on other request headers. As such as malicious request can be sent with both a Host header and an X-Forwarded-Host header where the values do not match and the X-Forwarded-Host header is malicious. Astro will then return the malicious value.

This could result in any usages of the Astro.url value in code being manipulated by a request. For example if a user follows guidance and uses Astro.url for a canonical link the canonical link can be manipulated to another site. It is not impossible to imagine that the value could also be used as a login/registration or other form URL as well, resulting in potential redirecting of login credentials to a malicious party.

As this is a per-request attack vector the surface area would only be to the malicious user until one considers that having a caching proxy is a common setup, in which case any page which is cached could persist the malicious value for subsequent users.

Many other frameworks have an allowlist of domains to validate against, or do not have a case where the headers are reflected to avoid such issues.

PoC

• Check out the minimal Astro example found here: https://github.com/Chisnet/minimal_dynamic_astro_server
• nvm use
• yarn run build
• node ./dist/server/entry.mjs
• curl --location 'http://localhost:4321/' --header 'X-Forwarded-Host: www.evil.com' --header 'Host: www.example.com'
• Observe that the response reflects the malicious X-Forwarded-Host header

For the more advanced / dangerous attack vector deploy the application behind a caching proxy, e.g. Cloudflare, set a non-zero cache time, perform the above curl request a few times to establish a cache, then perform the request without the malicious headers and observe that the malicious data is persisted.

Impact

This could affect anyone using Astro in an on-demand/dynamic rendering mode behind a caching proxy.

🚨 Astro allows unauthorized third-party images in _image endpoint

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

1. Create a new minimal Astro project (astro@5.13.0).

2. Configure it to use the Node adapter (@astrojs/node@9.1.0 — newer versions are not impacted):

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@astrojs/node';
   
   export default defineConfig({
   	adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.

4. Run the server, e.g. with astro preview.

5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

🚨 Astro allows unauthorized third-party images in _image endpoint

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

1. Create a new minimal Astro project (astro@5.13.0).

2. Configure it to use the Node adapter (@astrojs/node@9.1.0 — newer versions are not impacted):

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@astrojs/node';
   
   export default defineConfig({
   	adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.

4. Run the server, e.g. with astro preview.

5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

🚨 Astros's duplicate trailing slash feature leads to an open redirection security issue

Summary

There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks.

This affects Astro >=5.2.0 sites that use on-demand rendering (SSR) with the Node or Cloudflare adapter. It does not affect static sites, or sites deployed to Netlify or Vercel.

Background

Astro performs automatic redirection to the canonical URL, either adding or removing trailing slashes according to the value of the trailingSlash configuration option. It follows the following rules:

• If trailingSlash is set to "never", https://example.com/page/ will redirect to https://example.com/page
• If trailingSlash is set to "always", https://example.com/page will redirect to https://example.com/page/

It also collapses multiple trailing slashes, according to the following rules:

• If trailingSlash is set to "always" or "ignore" (the default), https://example.com/page// will redirect to https://example.com/page/
• If trailingSlash is set to "never", https://example.com/page// will redirect to https://example.com/page

It does this by returning a 301 redirect to the target path. The vulnerability occurs because it uses a relative path for the redirect. To redirect from https://example.com/page to https://example.com/page/, it sending a 301 response with the header Location: /page/. The browser resolves this URL relative to the original page URL and redirects to https://example.com/page/

Details

The vulnerability occurs if the target path starts with //. A request for https://example.com//page will send the header Location: //page/. The browser interprets this as a protocol-relative URL, so instead of redirecting to https://example.com//page/, it will attempt to redirect to https://page/. This is unlikely to resolve, but by crafting a URL in the form https://example.com//target.domain/subpath, it will send the header Location: //target.domain/subpath/, which the browser translates as a redirect to https://target.domain/subpath/. The subpath part is required because otherwise Astro will interpret /target.domain as a file download, which skips trailing slash handling.

This leads to an Open Redirect vulnerability.

The URL needed to trigger the vulnerability varies according to the trailingSlash setting.

• If trailingSlash is set to "never", a URL in the form https://example.com//target.domain/subpath/
• If trailingSlash is set to "always", a URL in the form https://example.com//target.domain/subpath
• For any config value, a URL in the form https://example.com//target.domain/subpath//

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Mitigation

You can test if your site is affected by visiting https://yoursite.com//docs.astro.build/en//. If you are redirected to the Astro docs then your site is affected and must be updated.

Upgrade your site to Astro 5.12.8. To mitigate at the network level, block outgoing redirect responses with a Location header value that starts with //.

🚨 Astro's server source code is exposed to the public if sourcemaps are enabled

Summary

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Details

During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.

astro/packages/astro/src/core/build/static-build.ts

Line 139 in 176fe9f

await ssrMoveAssets(opts, ssrOutputAssetNames);

Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.

While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example. the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map.

PoC

Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map

The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.

The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro

The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):

path:astro.config.mjs @sentry/astro

This vulnerability is the root cause of #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server.

Impact

All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in astro@5.0.7.

Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in astro@5.0.8, and backported to Astro v4 in astro@4.16.18.

The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.

There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .

There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.

• Network attack vector.
• Low attack complexity.
• No privileges required.
• No interaction required from an authorized user.
• Scope is limited to first party. Although the source code of closed-source third-party software may also be exposed.

Remediation

The fix for server-output projects was released in astro@5.0.7, and the fix for static-output projects was released in astro@5.0.8 and backported to Astro v4 in astro@4.16.18. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.

🚨 Astro's server source code is exposed to the public if sourcemaps are enabled

Summary

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Details

During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder.

astro/packages/astro/src/core/build/static-build.ts

Line 139 in 176fe9f

await ssrMoveAssets(opts, ssrOutputAssetNames);

Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.

While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example. the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map.

PoC

Here is one example of an affected open-source website:
https://creatorsgarten.org/pages/index.astro.mjs.map

The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.

The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro

The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):

path:astro.config.mjs @sentry/astro

This vulnerability is the root cause of #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server.

Impact

All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in astro@5.0.7.

Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in astro@5.0.8, and backported to Astro v4 in astro@4.16.18.

The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.

There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .

There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.

• Network attack vector.
• Low attack complexity.
• No privileges required.
• No interaction required from an authorized user.
• Scope is limited to first party. Although the source code of closed-source third-party software may also be exposed.

Remediation

The fix for server-output projects was released in astro@5.0.7, and the fix for static-output projects was released in astro@5.0.8 and backported to Astro v4 in astro@4.16.18. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.

🚨 Atro CSRF Middleware Bypass (security.checkOrigin)

Summary

A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.

Details

When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)

For example, with the following Astro configuration:

// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';

export default defineConfig({
	output: 'server',
	security: { checkOrigin: true },
	adapter: node({ mode: 'standalone' }),
});

A request like the following would be blocked if made from a different origin:

// fetch API or <form action="https://test.example.com/" method="POST">
fetch('https://test.example.com/', {
	method: 'POST',
	credentials: 'include',
	body: 'a=b',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
});
// => Cross-site POST form submissions are forbidden

However, a vulnerability exists that can bypass this security.

Pattern 1: Requests with a semicolon after the Content-Type

A semicolon-delimited parameter is allowed after the type in Content-Type.

Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.

fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: 'test',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },
});
// => Server-side functions are executed (Response Code 200).

Pattern 2: Request without Content-Type header

The Content-Type header is not required for a request. The following examples are sent without a Content-Type header, resulting in CSRF.

// Pattern 2.1 Request without body
fetch('http://test.example.com', { method: 'POST', credentials: 'include' });

// Pattern 2.2 Blob object without type
fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: new Blob(['a=b'], {}),
});

Impact

Bypass CSRF protection implemented with CSRF middleware.

Note

Even with credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.

🚨 DOM Clobbering Gadget found in astro's client-side router that leads to XSS

Summary

A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Astro

We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the <ViewTransitions /> component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an <a> link):

astro/packages/astro/src/transitions/router.ts

Lines 135 to 156 in 7814a6c

	function runScripts() {
	let wait = Promise.resolve();
	for (const script of Array.from(document.scripts)) {
	if (script.dataset.astroExec === '') continue;
	const type = script.getAttribute('type');
	if (type && type !== 'module' && type !== 'text/javascript') continue;
	const newScript = document.createElement('script');
	newScript.innerHTML = script.innerHTML;
	for (const attr of script.attributes) {
	if (attr.name === 'src') {
	const p = new Promise((r) => {
	newScript.onload = newScript.onerror = r;
	});
	wait = wait.then(() => p as any);
	}
	newScript.setAttribute(attr.name, attr.value);
	}
	newScript.dataset.astroExec = '';
	script.replaceWith(newScript);
	}
	return wait;
	}

However, this implementation is vulnerable to a DOM Clobbering attack. The document.scripts lookup can be shadowed by an attacker injected non-script HTML elements (e.g., <img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.

The condition script.dataset.astroExec === '' on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a type attribute.

Finally, the innerHTML of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the .innerHTML of an script element that leads to XSS.

PoC

Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., form or iframe). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

For PoC website, please refer to: https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger an alert(1) from an attacker-injected form element.

---
import Header from "../components/Header.astro";
import Footer from "../components/Footer.astro";
import { ViewTransitions } from "astro:transitions";
import "../styles/global.css";
const { pageTitle } = Astro.props;
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width" />
    <meta name="generator" content={Astro.generator} />
    <title>{pageTitle}</title>
    <ViewTransitions />
  </head>
  <body>
    <!--USER INPUT-->
    <iframe name="scripts">alert(1)</iframe>
    <iframe name="scripts">alert(1)</iframe>
    <!--USER INPUT-->
    
    <Header />
    <h1>{pageTitle}</h1>
    <slot />
    <Footer />
    <script>
      import "../scripts/menu.js";
    </script>
  </body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with ViewTransitions and store the user-inserted scriptless HTML tags without properly sanitizing the name attributes on the page.

Patch

We recommend replacing document.scripts with document.getElementsByTagName('script') for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the name attribute.

Reference

Similar issues for reference:

• Webpack (CVE-2024-43788)
• Vite (CVE-2024-45812)
• layui (CVE-2024-47075)

Too many releases to show here. View the full release notes.

🚨 Astro allows unauthorized third-party images in _image endpoint

Summary

In affected versions of astro, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served.

Details

On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images.

The /_image endpoint is restricted to processing local images bundled with the site and also supports remote images from domains the site developer has manually authorized (using the image.domains or image.remotePatterns options).

However, a bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png.

Proof of Concept

1. Create a new minimal Astro project (astro@5.13.0).

2. Configure it to use the Node adapter (@astrojs/node@9.1.0 — newer versions are not impacted):

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@astrojs/node';
   
   export default defineConfig({
   	adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.

4. Run the server, e.g. with astro preview.

5. Append /_image?href=//placehold.co/600x400 to the preview URL, e.g. http://localhost:4321/_image?href=//placehold.co/600x400

6. The site will serve the image from the unauthorized placehold.co origin.

Impact

Allows a non-authorized third-party to create URLs on an impacted site’s origin that serve unauthorized image content.
In the case of SVG images, this could include the risk of cross-site scripting (XSS) if a user followed a link to a maliciously crafted SVG.

🚨 @astrojs/node's trailing slash handling causes open redirect issue

Summary

Following GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios.

Details

Astro 5.12.8 fixed a case where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press.

Proof of Concept

1. Create a new minimal Astro project (astro@5.12.8)
2. Configure it to use the Node adapter (@astrojs/node@9.4.0) and force trailing slashes:

   // astro.config.mjs
   import { defineConfig } from 'astro/config';
   import node from '@astrojs/node';
   
   export default defineConfig({
     trailingSlash: 'always',
     adapter: node({ mode: 'standalone' }),
   });

3. Build the site by running astro build.
4. Run the server, e.g. with astro preview.
5. Append //astro.build/press to the preview URL, e.g. http://localhost:4321//astro.build/press
6. The site will redirect to the external Astro Build origin.

Example reproduction

1. Open this StackBlitz reproduction.
2. Open the preview in a separate window so the StackBlitz embed doesn't cause security errors.
3. Append //astro.build/press to the preview URL, e.g. https://x.local-corp.webcontainer.io//astro.build/press.
4. See it redirect to the external Astro Build origin.

Impact

This is classified as an Open Redirection vulnerability (CWE-601). It affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks.

No authentication is required to exploit this vulnerability. Any unauthenticated user can trigger the redirect by clicking a malicious link.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 56 commits:

• Version Packages (#423)
• fix: try to fix GitHub Actions
• chore: update compiler
• Version Packages (#418)
• [FEAT] Add option to skip formatting the Frontmatter (#417)
• Version Packages (#401)
• fix: rewrite readme (#400)
• fix: hug when needed for components and fragments (#397)
• Version Packages (#393)
• fix: regression with self-closing tags text (#394)
• fix: format JSX expressions with 3+ roots (#392)
• Fix: typo in `CONTRIBUTING.md` and broken links on `elements.ts` (#391)
• Version Packages (#385)
• Fix attributes using optional chaining not formatting correctly (#384)
• ci: run CI on latest Node versions (#380)
• Version Packages (#379)
• fix(embed): Replace all instances of invalid characters inside expressions (#378)
• Readme: Clarify filename of prettierrc (#376)
• Version Packages (#371)
• Do not delete line breaks and indentation of lines in class attribute (#369)
• Format doctype as lowercase to match Prettier 3.0 (#370)
• Version Packages (#363)
• docs: update README for Prettier 3 ESM configs (#366)
• chore(package.json): remove pnpm from engines (#362)
• Add congrats bot (#357)
• Version Packages (#356)
• feat: support for Prettier 3 (#355)
• Version Packages (#350)
• feat: use sync version of the compiler (#349)
• Version Packages (#348)
• fix: prevent parsing empty script tags (#347)
• [ci] format
• Version Packages (#343)
• docs: rewrite README (#344)
• feat(embed): Add support for formatting JSON, Markdown etc script tags (#342)
• [ci] format
• Use `babel-ts` to parse the frontmatter (#341)
• Version Packages (#327)
• Correctly pass options to embedded parsers (#339)
• Add compatibility for other plugins parsing top-level returns in Astro frontmatter (#336)
• fix: treat offset as bytes (#324)
• Version Packages (#321)
• Add support for formatting spread attributes (#320)
• fix(css): Add support for formatting LESS style blocks (#319)
• config(prettier): Add lockfile to .prettierignore
• [ci] format
• chore(deps): Upgrade dependencies
• ci(node): Remove Node 14 in favor of Node 18 (#314)
• Version Packages (#313)
• fix: Remove only-allow
• Version Packages (#307)
• Migrate to pnpm (#303)
• Fix node not hugging their end when the last children was a node (#312)
• Add test for ignoring self-closing tag + upgrade compiler (#310)
• chore: upgrade compiler (#305)
• chore: use .cjs instead of .js (#304)

Too many releases to show here. View the full release notes.

3.3.0 (from changelog)

Minor Changes

• #13809 3c3b492 Thanks @ascorbic! - Increases minimum Node.js version to 18.20.8

  Node.js 18 has now reached end-of-life and should not be used. For now, Astro will continue to support Node.js 18.20.8, which is the final LTS release of Node.js 18, as well as Node.js 20 and Node.js 22 or later. We will drop support for Node.js 18 in a future release, so we recommend upgrading to Node.js 22 as soon as possible. See Astro's Node.js support policy for more details.

  ⚠️ Important note for users of Cloudflare Pages: The current build image for Cloudflare Pages uses Node.js 18.17.1 by default, which is no longer supported by Astro. If you are using Cloudflare Pages you should override the default Node.js version to Node.js 22. This does not affect users of Cloudflare Workers, which uses Node.js 22 by default.

3.2.1 (from changelog)

Patch Changes

• #13591 5dd2d3f Thanks @florian-lefebvre! - Removes unused code

3.2.0 (from changelog)

Minor Changes

• #12539 827093e Thanks @bluwy! - Drops node 21 support

3.1.0 (from changelog)

Minor Changes

• #10689 683d51a5eecafbbfbfed3910a3f1fbf0b3531b99 Thanks @ematipico! - Deprecate support for versions of Node.js older than v18.17.1 for Node.js 18, older than v20.0.3 for Node.js 20, and the complete Node.js v19 release line.

  This change is in line with Astro's Node.js support policy.

3.0.4 (from changelog)

Patch Changes

• #8900 341ef6578 Thanks @FredKSchott! - Track if the Astro CLI is running in a TTY context.

  This information helps us better understand scripted use of Astro vs. direct terminal use of Astro CLI by a user, especially the astro dev command.

3.0.3 (from changelog)

Patch Changes

• #8737 6f60da805 Thanks @ematipico! - Add provenance statement when publishing the library from CI

• #8729 21e0757ea Thanks @lilnasy! - Removed an unnecessary dependency.

3.0.2 (from changelog)

Patch Changes

• #8600 ed54d4644 Thanks @FredKSchott! - Improve config info telemetry

3.0.1 (from changelog)

Patch Changes

• #8363 0ce0720c7 Thanks @natemoo-re! - Wrap JSON.parse in try/catch

3.0.0 (from changelog)

Major Changes

• #8188 d0679a666 Thanks @ematipico! - Remove support for Node 16. The lowest supported version by Astro and all integrations is now v18.14.1. As a reminder, Node 16 will be deprecated on the 11th September 2023.

• #8179 6011d52d3 Thanks @matthewp! - Astro 3.0 Release Candidate

Patch Changes

• #8234 0c7b42dc6 Thanks @natemoo-re! - Update telemetry notice

• #8130 3e834293d Thanks @Princesseuh! - Add some polyfills for Stackblitz until they support Node 18. Running Astro on Node 16 is still not officially supported, however.

• #8188 b675acb2a Thanks @ematipico! - Remove undici dependency

2.1.1 (from changelog)

Patch Changes

• #6929 ac57b5549 Thanks @bluwy! - Upgrade undici to v5.22.0

2.1.0 (from changelog)

Minor Changes

• #6213 afbbc4d5b Thanks @Princesseuh! - Updated compilation settings to disable downlevelling for Node 14

2.0.1 (from changelog)

Patch Changes

• #6355 5aa6580f7 Thanks @ematipico! - Update undici to v5.20.0

Does any of this look wrong? Please let us know.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 14 commits:

• v7.28.4
• fix: allow `d` and `v` flag in `regExpLiteral` builder (#17495)
• Update test262 (#17496)
• Update Jest to v30.1.1 (#17493)
• Improve @babel/traverse typings (#17485)
• Update compat data (#17487)
• Update test262 (#17488)
• Do not enable default plugins in `@babel/standalone` (#17421)
• chore: Clean up `transform-regenerator` (#17455)
• Improve @babel/core typings (#17471)
• Update test262 (#17481)
• [Babel 8] Align TSMappedType AST (#17479)
• Switch to @jridgewell/remapping (#17474)
• Add v7.28.3 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 14 commits:

• v7.28.4
• fix: allow `d` and `v` flag in `regExpLiteral` builder (#17495)
• Update test262 (#17496)
• Update Jest to v30.1.1 (#17493)
• Improve @babel/traverse typings (#17485)
• Update compat data (#17487)
• Update test262 (#17488)
• Do not enable default plugins in `@babel/standalone` (#17421)
• chore: Clean up `transform-regenerator` (#17455)
• Improve @babel/core typings (#17471)
• Update test262 (#17481)
• [Babel 8] Align TSMappedType AST (#17479)
• Switch to @jridgewell/remapping (#17474)
• Add v7.28.3 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 10 commits:

• v7.27.2
• fix: `@babel/parser/bin/index.js` contains `node:` protocol require (#17289)
• fix: Private class method not found when ts and estree parser plugins are enabled (#17291)
• Fix: improve object rest handling in array pattern (#17281)
• Use `.d.ts` in import when importing a `.d.ts` file (#17288)
• [Babel 8] Directly export the JSON files from `@babel/compat-data` (#17267)
• Enable Node compile cache for `@babel/cli` (#17285)
• Update test262 (#17286)
• fix(babel-template): Properly handle empty string replacements (#17284)
• Add v7.27.1 to CHANGELOG.md [skip ci]

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)
  • #17080 Fix start of TSParameterProperty (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3
  • #16538 Reduce interopRequireWildcard size (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

• Aryan Bharti (@woaitsAryan)
• Babel Bot (@babel-bot)
• Frolov Roman (@Lacsw)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• @magic-akari
• _Kerman (@kermanx)
• fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)
• Other
  • #16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16914 remove test options flaky (@JLHwung)
• Every package
  • #16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Viktar Vaŭčkievič (@victorenator)
• @liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @babel/types builders (@liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• coderaiser (@coderaiser)
• fisker Cheung (@fisker)
• hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@JLHwung)
  • #16484 Fix decorator bare yield await (@JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Lucas Coelho (@coelhucas)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• Zzzen (@Zzzen)
• @liuxingbaoyu

7.24.3

v7.24.3 (2024-03-20)

🐛 Bug Fix

• babel-helper-module-imports
  • #16370 fix: do not inject the same imported identifier multiple times (@ota-meshi)

Committers: 2

• Nicolò Ribaudo (@nicolo-ribaudo)
• Yosuke Ota (@ota-meshi)

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16350 Fix decorated class computed keys ordering (@JLHwung)
  • #16344 Fix decorated class static field private access (@JLHwung)
• babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • #16329 Respect moduleName for @babel/runtime/regenerator imports (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • #16331 Fix decorator memoiser binding kind (@JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
  • #16325 Fix decorator evaluation private environment (@JLHwung)

📝 Documentation

• #16319 Update SECURITY.md (@nicolo-ribaudo)

🏠 Internal

• babel-code-frame, babel-highlight
  • #16359 Replace chalk with picocolors (@nicolo-ribaudo)
• babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow
  • #16352 Run Babel transform tests on old node if possible (@JLHwung)
• babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx
  • #16349 Support merging imports in import injector (@nicolo-ribaudo)
• Other
  • #16332 Test Babel 7 plugins compatibility with Babel 8 core (@nicolo-ribaudo)

🔬 Output optimization

• babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime
  • #16345 Optimize the use of assertThisInitialized after super() (@liuxingbaoyu)
• babel-plugin-transform-class-properties, babel-plugin-transform-classes
  • #16343 Use simpler assertThisInitialized more often (@liuxingbaoyu)
• babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse
  • #16342 Consider well-known and registered symbols as literals (@nicolo-ribaudo)
• babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env
  • #16326 Reduce the use of class names (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.22.15

v7.22.15 (2023-09-04)

🐛 Bug Fix

• babel-core
  • #15923 Only perform config loading re-entrancy check for cjs (@nicolo-ribaudo)

🏠 Internal

• Every package
  • #15892 Add explicit .ts/.js extension to all imports in src (@nicolo-ribaudo)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.22.5

v7.22.5 (2023-06-08)

🐛 Bug Fix

• babel-preset-env, babel-standalone
  • #15675 Fix using syntax-unicode-sets-regex in standalone (@nicolo-ribaudo)

💅 Polish

• babel-core
  • #15683 Suggest -transform- when resolving missing plugins (@nicolo-ribaudo)

Committers: 4

• Avery (@nullableVoidPtr)
• Babel Bot (@babel-bot)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.21.4

v7.21.4 (2023-03-31)

🐛 Bug Fix

• babel-core, babel-helper-module-imports, babel-preset-typescript
  • #15478 Fix support for import/export in .cts files (@liuxingbaoyu)
• babel-generator
  • #15496 Fix compact printing of non-null assertion operators (@rtsao)

💅 Polish

• babel-helper-create-class-features-plugin, babel-plugin-proposal-class-properties, babel-plugin-transform-typescript, babel-traverse
  • #15427 Fix moving comments of removed nodes (@nicolo-ribaudo)

🏠 Internal

• Other
  • #15519 Update Prettier integration test (@fisker)
• babel-parser
  • #15510 refactor: introduce lookaheadInLineCharCode (@JLHwung)
• babel-code-frame, babel-highlight
  • #15499 Polish babel-code-frame highlight test (@JLHwung)

Committers: 6

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Ryan Tsao (@rtsao)
• @liuxingbaoyu
• fisker Cheung (@fisker)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 63 commits:

• v7.27.1
• Bumped picocolors to 1.1.1 (#17279)
• Rebuild Makefile.mjs (#17275)
• Allow `using of` as lexical declaration within for (#17254)
• fix invalid gulp watch usage (#17273)
• Update actions/checkout action to v4 (#17269)
• [babel 8] Remove unnecessary CJS ESM wrapper (#17261)
• Remove unused `regenerator-runtime` dep in `@babel/runtime` (#17263)
• [babel 8] Drop CJS support from `@babel/parser` (#17265)
• Update Yarn to 4.9.1 (#17266)
• Update fixture (#17264)
• Update fixture
• fix: do expressions should allow early exit (#17137)
• Include Babel 8 in coverage report (#17260)
• Ignore browser-only files in coverage reports (#17262)
• Update test262 (#17259)
• Fix: propagate argument evaluation errors through async promise chain (#17251)
• Tune plugin compat data (#17256)
• chore: bump compat-data sources (#17253)
• [Babel 8] perf: Improve traverse performance (#16965)
• Update error stack test (#17252)
• Update test262 (#17248)
• [Babel 8]: Remove record and tuple syntax support (#17242)
• Update `jest-light-runner` to v0.7.0 (#17245)
• Fix build script on Windows (#17244)
• fix `apply()`/`call()` annotated as pure (#17231)
• Reduce `interopRequireWildcard` size (#16538)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 3) (#17235)
• Create ChainExpression within TSInstantiationExpression (#17233)
• Stricter TSImportType options parsing (#17193)
• migrate babel-compat-data build script to mjs (#17236)
• Update test262 (#17234)
• Bump typescript-eslint to 8.29.1 (#17232)
• Disallow get/set in TSPropertySignature (#17230)
• Use `class` and add type definitions for `regenerator` (#17220)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (#17226)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (#17224)
• Update firefox bugfix compat data (#17228)
• Migrate `@babel/register` to cts (#16844)
• test: add basic typescript-eslint integration tests (#17219)
• Harden variable declarator validations (#17217)
• Reduce generated names size for the 10th-11th (#17221)
• fix: Objects and arrays with multiple references should not be evaluated (#17156)
• Reduce `regeneratorRuntime` size (#17213)
• build(deps): bump @babel/helpers from 7.24.4 to 7.27.0 (#17218)
• Enforce node protocol import (#17207)
• Use esm for makefile js (#17214)
• add require-esm babel-register test (#17206)
• Fix: support const type parameter in generator (#17216)
• Babel 8 cleanup (#17211)
• Run tests imported from regenerator (#17205)
• Use imported regenerator transform files (#17205)
• Re-convert regeneratorRuntime to helper format (#17205)
• Delete remaining original regenerator files (#17205)
• Move regenerator files to the relevant packages (#17205)
• Remove bundled regeneratorRuntime helper (#17205)
• Prepare LICENSE files for incorporating regenerator (#17205)
• Merge remote-tracking branch 'regenerator/main'
• Update test262 (#17208)
• Fix start of TSParameterProperty (#17080)
• [Babel 8] Bump nodejs requirements to `^20.19.0 || >= 22.12.0` (#17204)
• [babel 8] Deprecate uppercase builders (#17133)
• Add v7.27.0 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 21 commits:

• v7.28.3
• fix(parser/typescript): parse `import("./a", {with:{},})` (#17465)
• chore: fix various typos across codebase (#17476)
• chore: fix typos in release.yml (#17475)
• fix(parser): stop subscript parsing on async arrow (#17478)
• chore: update node flags (#17477)
• build(Babel 8): disable JSON module transform (#17468)
• [babel 8] Add `@types/jsesc` as a dep of `@babel/generator` (#17459)
• Update test262 (#17462)
• Misc: Cleanup Babel 8 tasks (#17429)
• export PartialConfig and NormalizedOptions (#17470)
• chore: update browser compat libs (#17469)
• Type-check `.d.ts` file with `strict: true` (#17461)
• Enable type checking for `scripts` and `babel-worker.cjs` (#17454)
• Type check gulp&jest config (#17453)
• [static blocks] Do not inject new static fields after static code (#17443)
• Do not save last yield in call in temp var (#17363)
• Optimize do expression output (#17444)
• Update test262 (#17449)
• move eslint-{parser,plugin} docs to the website (#17448)
• Add v7.28.2 to CHANGELOG.md [skip ci]

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)
  • #17080 Fix start of TSParameterProperty (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3
  • #16538 Reduce interopRequireWildcard size (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

• Aryan Bharti (@woaitsAryan)
• Babel Bot (@babel-bot)
• Frolov Roman (@Lacsw)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• @magic-akari
• _Kerman (@kermanx)
• fisker Cheung (@fisker)

7.26.5

v7.26.5 (2025-01-10)

👓 Spec Compliance

• babel-parser
  • #17011 Allow the dynamic import.defer() form of import defer (@babel-bot)

🐛 Bug Fix

• babel-plugin-transform-block-scoped-functions
  • #17024 chore: Avoid calling isInStrictMode in Babel 7 (@liuxingbaoyu)
• babel-plugin-transform-typescript
  • #17026 fix: Correctly generate exported const enums in namespace (@liuxingbaoyu)
• babel-parser
  • #17045 [estree] Unify method type parameters handling (@JLHwung)
  • #17013 fix: Correctly set position for @(a.b)() (@liuxingbaoyu)
  • #16996 [estree] Adjust the start loc of class methods with type params (@nicolo-ribaudo)
• babel-generator, babel-parser, babel-plugin-transform-flow-strip-types, babel-types
  • #17028 Support flow jsx opening element type arguments (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17031 fix: More accurate transform-typeof-symbol compat data (@liuxingbaoyu)
• babel-generator, babel-parser, babel-types
  • #17019 Fix incomplete visitor keys (@JLHwung)

🔬 Output optimization

• babel-plugin-transform-nullish-coalescing-operator
  • #16612 Improve nullish coalescing operator output (@liuxingbaoyu)

Committers: 5

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)
• Other
  • #16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16914 remove test options flaky (@JLHwung)
• Every package
  • #16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Viktar Vaŭčkievič (@victorenator)
• @liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @babel/types builders (@liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• coderaiser (@coderaiser)
• fisker Cheung (@fisker)
• hwook (@YuHyeonWook)

7.24.8

v7.24.8 (2024-07-11)

Thanks @H0onnn, @jkup and @SreeXD for your first pull requests!

👓 Spec Compliance

• babel-parser
  • #16567 Do not use strict mode in TS declare (@liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #16630 Correctly print parens around in in for heads (@nicolo-ribaudo)
  • #16626 Fix printing of comments in await using (@nicolo-ribaudo)
  • #16591 fix typescript code generation for yield expression inside type expre… (@SreeXD)
• babel-parser
  • #16613 Disallow destructuring assignment in using declarations (@H0onnn)
  • #16490 fix: do not add .value: undefined to regexp literals (@liuxingbaoyu)
• babel-types
  • #16615 Remove boolean props from ObjectTypeInternalSlot visitor keys (@nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #16566 fix: Correctly handle export import x = (@liuxingbaoyu)

💅 Polish

• babel-generator
  • #16625 Avoid unnecessary parens around async in for await (@nicolo-ribaudo)
• babel-traverse
  • #16619 Avoid checking Scope.globals multiple times (@liuxingbaoyu)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Jon Kuperman (@jkup)
• Nagendran N (@SreeXD)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @H0onnn
• @liuxingbaoyu

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@JLHwung)
  • #16484 Fix decorator bare yield await (@JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Lucas Coelho (@coelhucas)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• Zzzen (@Zzzen)
• @liuxingbaoyu

7.24.5

v7.24.5 (2024-04-29)

Thanks @romgrk and @sossost for your first PRs!

🐛 Bug Fix

• babel-plugin-transform-classes, babel-traverse
  • #16377 fix: TypeScript annotation affects output (@liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3
  • #16440 Fix suppressed error order (@sossost)
  • #16408 Await nullish async disposable (@JLHwung)

💅 Polish

• babel-parser
  • #16407 Recover from exported using declaration (@JLHwung)

🏠 Internal

• Other
  • #16414 Relax ESLint peerDependency constraint to allow v9 (@liuxingbaoyu)
• babel-parser
  • #16425 Improve @babel/parser AST types (@nicolo-ribaudo)
  • #16417 Always pass type argument to .startNode (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-helper-wrap-function, babel-helpers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-block-scoping, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx-self, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-traverse
  • #16439 Make NodePath<T | U> distributive (@nicolo-ribaudo)
• babel-plugin-proposal-partial-application, babel-types
  • #16421 Remove JSXNamespacedName from valid CallExpression args (@nicolo-ribaudo)
• babel-plugin-transform-class-properties, babel-preset-env
  • #16406 Do not load unnecessary Babel 7 syntax plugins in Babel 8 (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #16357 Performance: improve objectWithoutPropertiesLoose on V8 (@romgrk)

Committers: 6

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Rom Grk (@romgrk)
• @liuxingbaoyu
• ynnsuis (@sossost)

7.24.0

v7.24.0 (2024-02-28)

Thanks @ajihyf for your first PR!

Release post with summary and highlights: https://babeljs.io/7.24.0

🚀 New Feature

• babel-standalone
  • #11696 Export babel tooling packages in @babel/standalone (@ajihyf)
• babel-core, babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-class-properties
  • #16267 Implement noUninitializedPrivateFieldAccess assumption (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-syntax-decorators, babel-plugin-transform-class-properties, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16242 Support decorator 2023-11 normative updates (@JLHwung)
• babel-preset-flow
  • #16309 [babel 7] Allow setting ignoreExtensions in Flow preset (@nicolo-ribaudo)
  • #16284 Add experimental_useHermesParser option in preset-flow (@liuxingbaoyu)
• babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-standalone
  • #16172 Add transform support for JSON modules imports (@nicolo-ribaudo)
• babel-plugin-transform-runtime
  • #16241 Add back moduleName option to @babel/plugin-transform-runtime (@nicolo-ribaudo)
• babel-parser, babel-types
  • #16277 Allow import attributes for TSImportType (@sosukesuzuki)

🐛 Bug Fix

• babel-plugin-proposal-do-expressions, babel-traverse
  • #16305 fix: avoid popContext on unvisited node paths (@JLHwung)
• babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object
  • #16312 Fix class private properties when privateFieldsAsSymbols (@liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods
  • #16307 Fix the support of arguments in private get/set method (@liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators
  • #16287 Reduce decorator static property size (@liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16281 Fix evaluation order of decorators with cached receiver (@nicolo-ribaudo)
  • #16279 Fix decorator this memoization (@JLHwung)
  • #16266 Preserve static on decorated private accessor (@nicolo-ribaudo)
  • #16258 fix: handle decorated async private method and generator (@JLHwung)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-preset-env
  • #16275 Fix class private properties when privateFieldsAsProperties (@liuxingbaoyu)
• babel-helpers
  • #16268 Do not consider arguments in a helper as a global reference (@nicolo-ribaudo)
• babel-helpers, babel-plugin-proposal-decorators
  • #16270 Handle symbol key class elements decoration (@JLHwung)
  • #16265 Do not define access.get for public setter decorators (@nicolo-ribaudo)

💅 Polish

• babel-core, babel-helper-create-class-features-plugin, babel-preset-env
  • #12428 Suggest using BABEL_SHOW_CONFIG_FOR for config problems (@nicolo-ribaudo)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16278 Continue writing output.js when exec.js throws (@liuxingbaoyu)

🔬 Output optimization

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16306 Avoid intermediate functions for private accessors with decs (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • #16294 More aggressively inline decorators in the static block (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-private-methods
  • #16283 Do not use classPrivateMethodGet (@liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators
  • #16287 Reduce decorator static property size (@liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
  • #16280 Reduce element decorator temp variables (@JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-optional-chaining-assign, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16261 Do not use descriptors for private class elements (@nicolo-ribaudo)
• babel-helpers, babel-plugin-proposal-decorators
  • #16263 Reduce helper size for decorator 2023-11 (@liuxingbaoyu)

Committers: 7

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• SUZUKI Sosuke (@sosukesuzuki)
• Yarden Shoham (@yardenshoham)
• @liuxingbaoyu
• flyafly (@ajihyf)

7.22.5

v7.22.5 (2023-06-08)

🐛 Bug Fix

• babel-preset-env, babel-standalone
  • #15675 Fix using syntax-unicode-sets-regex in standalone (@nicolo-ribaudo)

💅 Polish

• babel-core
  • #15683 Suggest -transform- when resolving missing plugins (@nicolo-ribaudo)

Committers: 4

• Avery (@nullableVoidPtr)
• Babel Bot (@babel-bot)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.21.5

v7.21.5 (2023-04-28)

👓 Spec Compliance

• babel-generator, babel-parser, babel-types
  • #15539 fix: Remove mixins and implements for DeclareInterface and InterfaceDeclaration (@liuxingbaoyu)

🐛 Bug Fix

• babel-core, babel-generator, babel-plugin-transform-modules-commonjs, babel-plugin-transform-react-jsx
  • #15515 fix: ) position with createParenthesizedExpressions (@liuxingbaoyu)
• babel-preset-env
  • #15580 Add syntax import meta to preset env (@JLHwung)

💅 Polish

• babel-types
  • #15546 Improve the layout of generated validators (@liuxingbaoyu)
• babel-core
  • #15535 Use lt instead of lte to check TS version for .cts config (@nicolo-ribaudo)

🏠 Internal

• babel-core
  • #15575 Use synchronous import.meta.resolve (@nicolo-ribaudo)
• babel-helper-fixtures, babel-preset-typescript
  • #15568 Handle .overrides and .env when resolving plugins/presets from fixture options (@JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-create-regexp-features-plugin
  • #15548 Use semver package to compare versions (@nicolo-ribaudo)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 63 commits:

• v7.27.1
• Bumped picocolors to 1.1.1 (#17279)
• Rebuild Makefile.mjs (#17275)
• Allow `using of` as lexical declaration within for (#17254)
• fix invalid gulp watch usage (#17273)
• Update actions/checkout action to v4 (#17269)
• [babel 8] Remove unnecessary CJS ESM wrapper (#17261)
• Remove unused `regenerator-runtime` dep in `@babel/runtime` (#17263)
• [babel 8] Drop CJS support from `@babel/parser` (#17265)
• Update Yarn to 4.9.1 (#17266)
• Update fixture (#17264)
• Update fixture
• fix: do expressions should allow early exit (#17137)
• Include Babel 8 in coverage report (#17260)
• Ignore browser-only files in coverage reports (#17262)
• Update test262 (#17259)
• Fix: propagate argument evaluation errors through async promise chain (#17251)
• Tune plugin compat data (#17256)
• chore: bump compat-data sources (#17253)
• [Babel 8] perf: Improve traverse performance (#16965)
• Update error stack test (#17252)
• Update test262 (#17248)
• [Babel 8]: Remove record and tuple syntax support (#17242)
• Update `jest-light-runner` to v0.7.0 (#17245)
• Fix build script on Windows (#17244)
• fix `apply()`/`call()` annotated as pure (#17231)
• Reduce `interopRequireWildcard` size (#16538)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 3) (#17235)
• Create ChainExpression within TSInstantiationExpression (#17233)
• Stricter TSImportType options parsing (#17193)
• migrate babel-compat-data build script to mjs (#17236)
• Update test262 (#17234)
• Bump typescript-eslint to 8.29.1 (#17232)
• Disallow get/set in TSPropertySignature (#17230)
• Use `class` and add type definitions for `regenerator` (#17220)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (#17226)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (#17224)
• Update firefox bugfix compat data (#17228)
• Migrate `@babel/register` to cts (#16844)
• test: add basic typescript-eslint integration tests (#17219)
• Harden variable declarator validations (#17217)
• Reduce generated names size for the 10th-11th (#17221)
• fix: Objects and arrays with multiple references should not be evaluated (#17156)
• Reduce `regeneratorRuntime` size (#17213)
• build(deps): bump @babel/helpers from 7.24.4 to 7.27.0 (#17218)
• Enforce node protocol import (#17207)
• Use esm for makefile js (#17214)
• add require-esm babel-register test (#17206)
• Fix: support const type parameter in generator (#17216)
• Babel 8 cleanup (#17211)
• Run tests imported from regenerator (#17205)
• Use imported regenerator transform files (#17205)
• Re-convert regeneratorRuntime to helper format (#17205)
• Delete remaining original regenerator files (#17205)
• Move regenerator files to the relevant packages (#17205)
• Remove bundled regeneratorRuntime helper (#17205)
• Prepare LICENSE files for incorporating regenerator (#17205)
• Merge remote-tracking branch 'regenerator/main'
• Update test262 (#17208)
• Fix start of TSParameterProperty (#17080)
• [Babel 8] Bump nodejs requirements to `^20.19.0 || >= 22.12.0` (#17204)
• [babel 8] Deprecate uppercase builders (#17133)
• Add v7.27.0 to CHANGELOG.md [skip ci]

🚨 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

• You use Babel to compile regular expression named capturing groups
• You use the .replace method on a regular expression that contains named capturing groups
• Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

• you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
• you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in #17173.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 14 commits:

• v7.28.4
• fix: allow `d` and `v` flag in `regExpLiteral` builder (#17495)
• Update test262 (#17496)
• Update Jest to v30.1.1 (#17493)
• Improve @babel/traverse typings (#17485)
• Update compat data (#17487)
• Update test262 (#17488)
• Do not enable default plugins in `@babel/standalone` (#17421)
• chore: Clean up `transform-regenerator` (#17455)
• Improve @babel/core typings (#17471)
• Update test262 (#17481)
• [Babel 8] Align TSMappedType AST (#17479)
• Switch to @jridgewell/remapping (#17474)
• Add v7.28.3 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 6 commits:

• publish 0.25.10 to npm
• refactor: use strings.Builder (#4290)
• run `make update-compat-table`
• fix #4287: marked the wrong issue as fixed
• fix #4286: minifier panic due to identity function
• fix #4265: `@supports` nested inside `::pseudo`

0.3.5

What's Changed

• Add ignoreList support: 9add0c2

Full Changelog: v0.3.4...v0.3.5

0.3.4

Full Changelog: v0.3.3...v0.3.4

0.3.3

Full Changelog: v0.3.2...v0.3.3

0.3.2

Internal

• [meta] fix "exports" for node 13.0-13.6 by @ljharb in #4
• Fix built sources paths

New Contributors

• @ljharb made their first contribution in #4

Full Changelog: v0.3.1...v0.3.2

Does any of this look wrong? Please let us know.

2.0.1 (from changelog)

Fixed

• Fix issue with process.argv when used with interpreters (coffee, ts-node, etc.), #150.

2.0.0 (from changelog)

Changed

• Full rewrite. Now port from python 3.9.0 & more precise following. See doc for difference and migration info.
• node.js 10+ required
• Removed most of local docs in favour of original ones.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 15 commits:

• 2.0.1 released
• Always assume process.argv[0] is interpreter
• Add more migration docs
• 2.0.0 released
• Implement argparse.js version 2.0
• Add 2.0 configs & docs
• Drop old sources (2.0 is full rewrite)
• Merge pull request #145 from lpinca/document/version-option
• Add documentation for the version option
• readme: update titelift info
• changelog format update
• Add Tidelift link & fix headers formatting
• Create FUNDING.yml
• Merge pull request #129 from marcin-mazurek/patch-1
• Fix require statements in README examples

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @Marukome0743).

10.4.20

• Fixed fit-content prefix for Firefox.

10.4.19

• Removed end value has mixed support, consider using flex-end warning since end/start now have good support.

10.4.18

• Fixed removing -webkit-box-orient on -webkit-line-clamp (@Goodwine).

10.4.17

• Fixed user-select: contain prefixes.

10.4.16

• Improved performance (by @romainmenke).
• Fixed docs (by @coliff).

10.4.15 (from changelog)

• Fixed ::backdrop prefixes (by 一丝).
• Fixed docs (by Christian Oliff).

10.4.14

• Improved startup time and reduced JS bundle size (by @Knagis).

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 49 commits:

• Release 10.4.21 version
• Update dependencies and sort imports
• Update Node.js and pnpm on CI
• fix: replace `:-moz-placeholder-shown` with `:-moz-placeholder` (#1532)
• Release 10.4.20 version
• Fix fit-content for Firefox
• Update dependencies
• Move to pnpm 9
• Release 10.4.19 version
• Remove end→flex-end warning
• Update dependencies
• Move to flat ESLint config
• Update dependencies
• Release 10.4.18 version
• Update dependencies
• Update c8 config
• Add Node.js 21 to CI
• Automate release creation
• Update actions
• Preserve -webkit-box-orient when -webkit-line-clamp is present (#1511)
• Release 10.4.17 version
• Update dependencies
• Fix user-select: contain
• Update dependencies
• Release 10.4.16 version
• Update dependencies
• Update CI
• improve performance (#1500)
• Update dependencies
• Remove deprecated browsers from README (#1499)
• Release 10.4.15 version
• Run tests in parallel
• Update dependencies
• feat: `::backdrop` using `@mdn/browser-compat-data` (#1498)
• Update dependencies and code style
• Move to pnpm 8
• Use Node.js 20 on CI
• Lock pnpm
• Update dependencies
• Add funding option
• HTTPS and update URLS in README (#1494)
• Release 10.4.14 version
• Update dependencies
• Improves startup time by requiring specific caniuse files (#1492) (#1493)
• Fix package manager info (#1489)
• Update dependencies
• Remove old CI config
• Update dependencies
• update postcss to 8.4.19 (#1485)

8.0.1

• Downgrade cli-boxes (#102) 3cf4ea9
  • It turned out to not be compatible with the currently targeted Node.js version.

v8.0.0...v8.0.1

8.0.0

Breaking

• Require Node.js 18 (#96) 3a9c751

Improvements

• Update dependencies (#97) 8f6ed57

v7.1.1...v8.0.0

7.1.1

• Fix borderStyle: 'none' (#89) ef5c987

v7.1.0...v7.1.1

7.1.0

• Allow border to be optional (#88) 1f9c8e2

v7.0.2...v7.1.0

7.0.2

• Fix the Spacing TypeScript type (#86) cb31d0d

v7.0.1...v7.0.2

7.0.1

• Use newline as line separator in all cases (#81) a94569b

v7.0.0...v7.0.1

7.0.0

Breaking

• Require Node.js 14 c393023

Improvements

• Add height and fullscreen option (#75) d6b4b32

v6.2.1...v7.0.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 22 commits:

• 8.0.1
• Downgrade cli-boxes (#102)
• 8.0.0
• Meta tweaks
• Update dependencies (#97)
• Bump minimum version to Node.js 18 (#96)
• Remove bloat code (#91)
• 7.1.1
• Fix `borderStyle: 'none'` (#89)
• Readme tweak
• 7.1.0
• Meta tweaks
• Allow border to be optional (#88)
• 7.0.2
• Fix the `Spacing` TypeScript type (#86)
• 7.0.1
• Now using newline as line separator in all cases (#81)
• Fix typo (#78)
• Fix typo (#77)
• 7.0.0
• Require Node.js 14
• Add `height` and `fullscreen` option (#75)

See the full diff on Github. The new version differs by 5 commits:

• 2.0.0
• feat(BREAKING): Replace mapFileDir argument with a function for reading the source map (#76)
• feat!: Support URI encoded source maps (#75)
• feat: Make comment RegExps non-greedy to prevent some max call stack errors (#65)
• chore: Drop support for node below v4 (#78)

See the full diff on Github. The new version differs by 47 commits:

• 5.2.0 release (#483)
• Add myself to the list of maintainers (#482)
• Add examples to docs of creating and applying patches (importantly including the fairly fiddly `applyPatches` function) (#481)
• Modify node_example.js to support showing added/deleted spaces (#479)
• Add `timeout` option (#478)
• Replace broken link to Myers's paper in the README with a working one (#476)
• Add note to README about setting `context` to Infinity or MAX_SAFE_INTEGER. (#473)
• Fix mistake in README (#471)
• Bump follow-redirects from 1.14.8 to 1.15.4 (#470)
• Migrate to DABH's fork of colors (#469)
• Fix more gaps in the docs (#466)
• Document that applyPatch can return false (#459)
• Flesh out the README a bit and fix some errors and omissions (#458)
• Add function to reverse a patch (#450)
• Expose `formatPatch` on `diff` object and document (#451)
• Consistently capitalize "jsdiff" in all-lowercase in docs (#449)
• Speed up algorithm by not considering diagonals that take us off the edge of the graph (#448)
• Flip core algorithm so everything is no longer the mirror image of Myers's paper (#440)
• Add test showing patch from bug #177 is handled correctly now (#447)
• Add release notes for @oBusk's PR #344 (#445)
• Option to strip trailing CR (#344)
• Write release notes for PRs already merged to master (#444)
• Update release-notes.md with content on npm that never got pushed to GitHub, relating to the 5.1.0 release (#443)
• Fix typo / grammar error in CONTRIBUTING.md (#442)
• Update CONTRIBUTING.md to use yarn (#441)
• Fix bug that leads to worse time complexity and cripplingly slow performance in some cases (#411)
• Default value of line delimiters when a patch is applied (#228) (#393)
• Fix a typo (#433)
• Document in a comment in web_example.html that you need to run a build first (#431)
• Update comment in index.js to reflect JsDiff->Diff rename in 5.0.0 (#430)
• Remove index.html from master (#429)
• Fix `exports` field in `package.json` (#351)
• Document diffJson() options (#332)
• readme: add links to section: change objects (#316)
• chore: update license file (#331)
• Move demo link to the top of the README (#370)
• Bump qs from 6.7.0 to 6.11.0 (#426)
• Bump more dependencies to please Dependabot (#425)
• Update package.json version to 5.1.0 (#422)
• yarn eslint . --fix (#421)
• Bump karma from 5.1.1 to 6.3.16 (#357)
• Upgrade packages that Dependabot has open PRs about (#415)
• Fix assorted trivial capitalisation typos (#410)
• Bump terser from 4.8.0 to 4.8.1 (#380)
• Bump socket.io from 2.3.0 to 2.5.0 (#379)
• Bump eventsource from 1.0.7 to 1.1.1 (#374)
• Bump socket.io-parser from 3.3.0 to 3.3.2 (#369)

🚨 dset Prototype Pollution vulnerability

Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.

3.1.3

Patches

• Add "types" export conditions for TypeScript "nodenext"/"node16" resolution: #40
  Thank you @Akkuma

---

Full Changelog: v3.1.2...v3.1.3

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 4 commits:

• 3.1.4
• fix: prevent __proto__ assignment via implicit string
• 3.1.3
• chore: add "types" conditions for TS "nodenext" resolution (#40)

5.0.0

Breaking

• Require Node.js 12 aebb6e8
• This package is now pure ESM. Please read this.

v4.0.0...v5.0.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 4 commits:

• 5.0.0
• Require Node.js 12 and move to ESM
• Move to GitHub Actions (#31)
• Fix code comment

2.0.0

What's Changed

• Use ESM by @wooorm in #43
  breaking: please read this guide
• Add types by @wooorm in #44
  breaking: tiny chance of breaking, use a new version of TS and it’ll work

Full Changelog: v1.5.0...2.0.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 11 commits:

• 2.0.0
• Add `1.5.0` realse to `CHANGELOG.md`
• Refactor some more
• Update Node in Actions
• Use top-level await in scripts
• Update tests a bit
• Fix typo
• Add link
• Fix typo
• Add types
• Use ESM

8.0.3

• 6fe681d Update property-information

Full Changelog: 8.0.2...8.0.3

8.0.2

Miscellaneous

• c25d628 Update hastscript
  by @albinekb in #14

Types

• f401100 Refactor types
• 19e59f5 Refactor to use @imports
• 029fcd7 Add declaration maps

Full Changelog: 8.0.1...8.0.2

8.0.1

Fix

• 3c42476 Fix type of optional option

Full Changelog: 8.0.0...8.0.1

8.0.0

Change

• cc4e5c5 Update @types/hast, utilities
  migrate: update too
• 0c76e8a Change to require Node.js 16
  migrate: update too
• a227695 Change to use exports
  migrate: don’t use private APIs
• 81cde21 Remove support for passing file directly
  migrate: x -> {file: x}

Types

• c6bd56c Add types of data fields
  expect values to be typed :)

Full Changelog: 7.1.2...8.0.0

7.1.2

Fix

• 78ff3b5 Fix some props

Full Changelog: 7.1.1...7.1.2

7.1.1

Misc

• 00413a1 3bd13d7 Add improved docs
• ab3559e Add export of Space type
• 5e813f0 b344419 Update types and tests for changes in parse5

Full Changelog: 7.1.0...7.1.1

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 50 commits:

• 8.0.3
• Refactor docs
• Update `property-information`
• Update dev-dependencies
• 8.0.2
• Refactor types
• Refactor to use `@import`s
• Add declaration maps
• Refactor `package.json`
• Remove license year
• Refactor `.editorconfig`
• Update Actions
• Add `.tsbuildinfo` to `.gitignore`
• Update dev-dependencies
• Update `hastscript`
• 8.0.1
• Fix type of optional option
• 8.0.0
• Change to require Node.js 16
• Change to use `exports`
• Refactor docs
• Add types of `data` fields
• Remove support for passing `file` directly
• Refactor code-style
• Refactor `.npmrc`
• Refactor `package.json`, `tsconfig.json`
• Update `@types/hast`, utilities
• Update dev-dependencies
• 7.1.2
• Fix some props
• Fix internal type error
• 7.1.1
• Fix typo
• Add improved docs
• Add tests for exposed identifiers
• Add export of `Space` type
• Use Node test runner
• Refactor code-style
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies
• Fix tests for change in `parse5`
• Update dev-dependencies
• Add reference to `hast-util-from-html`
• Add improved docs
• Refactor code-style
• Update types and tests for changes in `parse5`
• Update dev-dependencies
• add `ignore-scripts` to `.npmrc`
• Update `unist-util-visit`

3.0.0

Change

• a16a694 Update @types/hast, utilities
  migrate: update too
• 6f20167 Change to require Node.js 16
  migrate: update too
• 864ab64 Change to use exports
  migrate: don’t use private APIs
• 0a5de58 Change types to work w/o explicit type parameter
  migrate: don’t pass an explicit type parameter;
  replace AssertAnything, AssertPredicate -> Check;
  TestFunctionAnything, TestFunctionPredicate -> TestFunction;
  PredicateTest -> Test

Full Changelog: 2.1.3...3.0.0

2.1.3

Misc

• 8d20faa c26a78d Add improved docs

Full Changelog: 2.1.2...2.1.3

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 25 commits:

• 3.0.0
• Change to require Node.js 16
• Change to use `exports`
• Refactor docs
• Change types to work w/o explicit type parameter
• Refactor to move implementation to `lib/`
• Update `@types/hast`, utilities
• Refactor code-style
• Refactor `.npmrc`
• Refactor `package.json`, `tsconfig.json`
• Update dev-dependencies
• Refactor tests for exposed identifiers
• Add `ignore-scripts` to `.npmrc`
• Use Node 16 in Actions
• 2.1.3
• Add improved docs
• Add tests for exposed identifiers
• Use Node test runner
• Refactor code-style
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies
• Add improved docs
• Refactor code-style
• Update dev-dependencies

4.0.0

Change

• b64572f Update @types/hast
  migrate: update too
• 7075bc4 Change to require Node.js 16
  migrate: update too
• 6363e82 Remove support for TS 4.1
  migrate: update too
• 339b417 Change to use exports
  migrate: don’t use private APIs

Full Changelog: 3.1.1...4.0.0

3.1.1

Misc

• d2bf5af Add improved docs

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 30 commits:

• 4.0.0
• Change to require Node.js 16
• Change to use `exports`
• Refactor docs
• Refactor code-style
• Remove support for TS 4.1
• Refactor `.npmrc`
• Refactor `package.json`, `tsconfig.json`
• Update `@types/hast`
• Update dev-dependencies
• Use Node 16 in Actions
• 3.1.1
• Fix typo
• Add improved docs
• Add tests for exposed identifiers
• Refactor to move implementation to `lib/`
• Use Node test runner
• Refactor code-style
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies
• Add missing section
• Add improved docs
• Update dev-dependencies
• Add `ignore-scripts` to `.npmrc`
• Update `xo`
• Update `tsd`
• Add `strict` to `tsconfig.json`
• Refactor code-style
• Use `pull_request_target` in bb

9.1.0

Add

• 91cfb6d Add tagfilter option

Types

• 95687c8 Refactor to use @imports

Full Changelog: 9.0.4...9.1.0

9.0.4

• eda8d15 Fix crash on unfinished HTML in raw

Full Changelog: 9.0.3...9.0.4

9.0.3

• 57c9910 Fix non-lowercase SVG elements not closing

Full Changelog: 9.0.2...9.0.3

9.0.2

• 325160a Update dependencies

Full Changelog: 9.0.1...9.0.2

9.0.1

• 98e979e Add missing types dependency
  by @Methuselah96 in #21

Full Changelog: 9.0.0...9.0.1

9.0.0

Change

• f0ceab5 Update @types/hast, utilities
  migrate: update too
• 40ae4fa Change to require Node.js 16
  migrate: update too
• 4edde89 Change to use exports
  migrate: don’t use private APIs
• 246c313 Remove Raw type
  migrate: import it from mdast-util-to-hast
• ae7296e Add smarter types for passThrough
  migrate: make sure to register custom nodes

Full Changelog: 8.0.0...9.0.0

8.0.0

Migrate

• Node.js 12 is no longer supported, use Node 14.14+ or later
• if you passed a file, please pass it in options: {file: file}
• if you used complex-types.d.ts, please use index.d.ts instead

Change

• 5414bb6 Update to parse5@7
  by @wooorm in #17
• 409ad69 Replace complex-types.d.ts with index.d.ts
• d1d95a1 Remove support for file as parameter

Fix

• b83ec5f Fix to reexport Raw from mdast-util-to-hast
• e66705a Fix rcdata, rawtext, script data, and plaintext states
• 8e7f703 Add improved error message for MDX nodes
• 9910e6b Fix to deep clone unknown nodes

Misc

• 2ff6c95 Add improved docs

Full Changelog: 7.2.3...8.0.0

7.2.3

• 9bbc7f3 Fix HTML in SVG in HTML

Full Changelog: 7.2.2...7.2.3

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 58 commits:

• 9.1.0
• Add `tagfilter` option
• Refactor `package.json`
• Refactor code-style
• Remove license year
• Refactor `.editorconfig`
• Refactor Actions
• Refactor `.gitignore`
• Update dev-dependencies
• Refactor to use `@import`s
• 9.0.4
• Fix crash on unfinished HTML in raw
• Update dev-dependencies
• 9.0.3
• Add `remark-api` to dev-dependencies
• Add declaration maps
• Fix non-lowercase SVG elements not closing
• Update dev-dependencies
• 9.0.2
• Update dependencies
• Update dev-dependencies
• 9.0.1
• Update dev-dependencies
• Add missing types dependency
• Update dev-dependencies
• 9.0.0
• Change to require Node.js 16
• Change to use `exports`
• Refactor docs
• Remove `Raw` type
• Add smarter types for `passThrough`
• Replace dependency
• Refactor code-style
• Refactor `.npmrc`
• Refactor `package.json`, `tsconfig.json`
• Update `@types/hast`, utilities
• Update dev-dependencies
• 8.0.0
• Add improved docs
• Fix to reexport `Raw` from `mdast-util-to-hast`
• Fix rcdata, rawtext, script data, and plaintext states
• Replace `complex-types.d.ts` with `index.d.ts`
• Add improved error message for MDX nodes
• Remove support for `file` as parameter
• Fix to deep clone unknown nodes
• Refactor tests
• Add tests for exposed identifiers
• Add `ignore-scripts` to `.npmrc`
• Use Node test runner
• Refactor code-style
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies
• Update to `parse5@7`
• 7.2.3
• Fix HTML in SVG in HTML
• Remove unneeded `ts-expect-error`
• Update dev-dependencies

9.0.5

• 329625e Update property-information

Full Changelog: 9.0.4...9.0.5

9.0.4

Fix

• 6000808 Fix to allow other strings for boolean attributes
  by @hesxenon in #46

Miscellaneous

• aa36aa6 5692e42 Refactor code-style

Full Changelog: 9.0.3...9.0.4

9.0.3

• 1c938b9 Fix head opening tag omission w/o title

Full Changelog: 9.0.2...9.0.3

9.0.2

Types

• 9d7a2f7 Add declaration maps

Misc

• 0a30b45 Remove unused dependency
  by @bluwy in #42

Full Changelog: 9.0.1...9.0.2

9.0.1

Performance

• 6af3709 Refactor to improve performance w/ hoisted regex
  by @bluwy in #39

Full Changelog: 9.0.0...9.0.1

9.0.0

Change

• 23a91fc Update @types/hast, utilities
  migrate: update too
• 8c32af8 Change to require Node.js 16
  migrate: update too
• 320b2ff Change to use exports
  migrate: don’t use private APIs
• 15b1618 Remove entities option, use characterReferences
  migrate: options.entities -> options.characterReferences

Full Changelog: 8.0.4...9.0.0

8.0.4

Misc

• 5b04870 d672d24 Add improved docs
• 97417a4 Refactor code-style

Full Changelog: 8.0.3...8.0.4

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 52 commits:

• 9.0.5
• Refactor `package.json`
• Refactor docs
• Update `property-information`
• Update dev-dependencies
• 9.0.4
• Refactor code-style
• Update Actions
• Remove license year
• Refactor `.gitignore`
• Refactor `.editorconfig`
• Refactor code-style
• Update dev-dependencies
• Fix to allow other strings for boolean attributes
• 9.0.3
• Fix `head` opening tag omission w/o title
• Add `.tsbuildinfo` to `.gitignore`
• 9.0.2
• Refactor to use `@import`s
• Update dev-dependencies
• Remove unused dependency
• Add declaration maps
• Update dev-dependencies
• 9.0.1
• Update dev-dependencies
• Refactor to improve performance w/ hoisted regex
• 9.0.0
• Change to require Node.js 16
• Change to use `exports`
• Refactor docs
• Remove `entities` option, use `characterReferences`
• Refactor code-style
• Refactor `.npmrc`
• Refactor `package.json`, `tsconfig.json`
• Update `@types/hast`, utilities
• Update dev-dependencies
• Use Node 16 in Actions
• Add `ignore-scripts` to `.npmrc`
• Fix links
• 8.0.4
• Add improved docs
• Add tests for exposed identifiers
• Use Node test runner
• Refactor code-style
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies
• Add reference to `hast-util-from-html`
• Fix typo
• Add improved docs
• Refactor code-style
• Update dev-dependencies

9.0.1

• 91f71e3 Update property-information

Full Changelog: 9.0.0...9.0.1

9.0.0

Breaking

• 8a5f97e Add better custom element support by tightening overload detection
  (tiny chance of breaking, you’re most likely fine)

8.0.0

change

• 04a40a5 Update @types/hast, utilities
  migrate: update too
• 234405b Change to require Node.js 16
  migrate: update too
• 7e27d65 Remove hastscript/html (auto runtime) from exports
  migrate: use hastscript
• 6976cbb Remove hastscript/html, hastscript/svg from exports
  migrate: use hastscript

Full Changelog: 7.2.0...8.0.0

7.2.0

Add

• f06247f Add JSX dev runtime

Misc

• e4f646e Add improved docs
• 9551cf0 Add more docs to types
• 53361dd Update tsconfig.json

Full Changelog: 7.1.0...7.2.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 49 commits:

• 9.0.1
• Refactor docs
• Fix TypeScript generating broken types
• Refactor code-style
• Refactor `package.json`
• Remove license year
• Refactor `.prettierignore`
• Refactor `.editorconfig`
• Add `.tsbuildinfo` to `.gitignore`
• Update actions
• Update `property-information`
• Update dev-dependencies
• 9.0.0
• Add better custom element support by tightening overload detection
• Update dev-dependencies
• 8.0.0
• Add script to build
• Change to require Node.js 16
• Refactor docs
• Refactor to reorganize files
• Remove `hastscript/html` (auto runtime) from `exports`
• Remove `hastscript/html`, `hastscript/svg` from `exports`
• Refactor code-style
• Refactor `.npmrc`
• Refactor `package.json`, `tsconfig.json`
• Update `@types/hast`, utilities
• Update dev-dependencies
• Update `xo`
• Fix typo
• Add some links
• Refactor tests for exposed identifiers
• Remove example
• Use Node 16 in Actions
• Fix typos
• Fix typo
• 7.2.0
• Refactor phrasing
• Add improved docs
• Add JSX dev runtime
• Add tests for exposed identifiers
• Add more docs to types
• Add `tsd` back
• Use Node test runner
• Refactor code-style
• Remove superfluous dev-dependencies
• Update `tsconfig.json`
• Update Actions
• Remove classic Babel test
• Update dev-dependencies

3.0.0

Change

• 7b5cb87 Remove elements that are no longer void
  by @mohd-akram in #7
  (tiny chance of breaking, you probably don’t depend on stuff like nextid)

Full Changelog: 2.0.1...3.0.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 9 commits:

• 3.0.0
• Remove elements that are no longer void
• Update dev-dependencies
• Refactor some docs
• Refactor build script
• Use Node test runner
• Refactor `tsconfig.json`
• Update dev-dependencies
• Replace skypack w/ esm.sh

4.2.0

Types

• 4598fbe Add declaration maps

Fix

• 2514cb5 Fix default conditions for moduleResolve
  by @JounQin in #32

resolve/pull/32

Full Changelog: 4.1.0...4.2.0

4.1.0

Misc

• d363b81 Refactor to hide deprecation warning
• dbb53a5 Backport changes from Node
• 66b952b Refactor tests to not assume name of project folder
  by @kapouer in #25

Full Changelog: 4.0.0...4.1.0

4.0.0

• 4ba7a54 Backport changes from Node

Full Changelog: https://github.com/wooorm/import-meta-resolve/compare/3.1.0...4.0.0

3.0.0

• dcaeda3 breaking: change to make resolve sync
  this changes the return type from Promise<string> to string
  migrate: change await resolve(x) to resolve(x)
  by @giltayar in #15
• c6aa7d5 Backport changes from Node

Notice: This release drops support for Node 16. Migrate by using Node 18 or later.

Full Changelog: 2.2.2...3.0.0

2.2.2

Fix

• db5db1d Fix circular dependency
  by @brawaru in #13

Full Changelog: 2.2.1...2.2.2

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 46 commits:

• 4.2.0
• Update Node in Actions
• Update actions
• Refactor `tsconfig.json`
• Add declaration maps
• Refactor `package.json`
• Remove copyright year
• Refactor to use `@import`s
• Refactor `.prettierignore`
• Add `ignore-scripts` to `.npmrc`
• Add `.tsbuildinfo` to `.gitignore`
• Update dev-dependencies
• Fix default `conditions` for `moduleResolve`
• Fix dates
• 4.1.0
• Fix Actions
• Update Actions
• Refactor to hide deprecation warning
• Backport changes from Node
• Update dev-dependencies
• Refactor tests to not assume name of project folder
• Fix tests for newest Node
• Update dev-dependencies
• 4.0.0
• 3.1.0
• Backport changes from Node
• Fix tests for changes in Node
• Update dev-dependencies
• Fix version in readme
• Fix Node version
• Add Node 16 to actions again
• 3.0.0
• Update `tsconfig.json`
• Add improved docs
• Add tests for exposed identifiers
• Refactor types
• Backport changes from Node
• Update dev-dependencies
• Change to make `resolve` sync
• 2.2.2
• Fix circular dependency in `lib/get-format.js`
• 2.2.1
• Update Actions
• Add improved docs
• Remove codecov patch status
• Backport changes from Node

4.1.0 (from changelog)

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

4.0.0 (from changelog)

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
• Added replacer option (similar to option in JSON.stringify), #339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

• Astral characters are no longer encoded by dump(), #587.
• "duplicate mapping key" exception now points at the correct column, #452.
• Extra commas in flow collections (e.g. [foo,,bar]) now throw an exception instead of producing null, #321.
• __proto__ key no longer overrides object prototype, #164.
• Removed bower.json.
• Tags are now url-decoded in load() and url-encoded in dump() (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
• Anchors now work correctly with empty nodes, #301.
• Fix incorrect parsing of invalid block mapping syntax, #418.
• Throw an error if block sequence/mapping indent contains a tab, #80.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by more commits than we can show here.

3.0.4

Types

• 9f9497c Add declaration maps

Miscellaneous

• 6dab0ba Refactor code-style

Full Changelog: 3.0.3...3.0.4

3.0.3

• 0107259 Use ReadonlyArray type in options, parameters
  by @bmish in #30
• d91f3ad Refactor some docs

Full Changelog: 3.0.2...3.0.3

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 19 commits:

• 3.0.4
• Remove license year
• Refactor code-style
• Add declaration maps
• Refactor `package.json`
• Refactor `.prettierignore`
• Add `ignore-scripts` to `.npmrc`
• Refactor `.editorconfig`
• Update Actions
• Add `.tsbuildinfo` to `.gitignore`
• Update dev-dependencies
• Update dev-dependencies
• 3.0.3
• Use `ReadonlyArray` type in options, parameters
• Refactor some docs
• Use Node test runner
• Refactor `tsconfig.json`
• Update dev-dependencies
• Replace skypack w/ esm.sh

6.0.0

Change

• 900cf9a Update @types/mdast
  migrate: update too
• 79d4d61 Change to require Node.js 16
  migrate: update too
• 9e02a5b Change to use export map
  migrate: don’t use private APIs
• 4a93553 Change to return undefined, not null
  migrate: expect undefined

Full Changelog: 5.1.2...6.0.0

5.1.2

Misc

• cd7e943 Add improved docs
• a98ca64 44a9f62 Refactor code-style
• 56b5be5 Update tsconfig.json

Full Changelog: 5.1.1...5.1.2

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 20 commits:

• 6.0.0
• Change to require Node.js 16
• Change to use `export` map
• Refactor docs
• Refactor to use `Map`
• Change to return `undefined`, not `null`
• Refactor code-style
• Refactor `.npmrc`
• Refactor `package.json`, `tsconfig.json`
• Update `@types/mdast`
• Update dev-dependencies
• 5.1.2
• Add improved docs
• Add tests for exposed identifiers
• Use Node test runner
• Refactor code-style
• Refactor to move implementation to `lib/`
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies

2.0.2

Types

• 2454165 Refactor types
• caf7d6a Refactor to use @imports

Full Changelog: 2.0.1...2.0.2

2.0.1

Fix

• 4aa8425 Fix end point of texts ending in character reference

Types

• 1120df9 Add declaration maps

Full Changelog: 2.0.0...2.0.1

2.0.0

Change

• 843e046 Update @types/mdast and friends
  migrate: update too
• 12a5622 Update micromark, change buffers to Uint8Arrays
  migrate: see micromark@4.
  only really changes Buffer -> Uint8Array, so use encodings supported by TextDecoder
• 4cbea5a Change to require Node.js 16
  migrate: update too

Change (when you make extensions)

• 03581b3 Change to replace getter/setters with raw data
  migrate: this.getData('x') -> this.data.x, this.setData('x', 1) -> this.data.x = 1
• 18f4bb0 Change to return undefined from enter, exit
  migrate: keep the node you pass to enter around; get the node yourself before exit
• 88969a4 Remove deprecated OnError type
  migrate: OnError -> OnEnterError

Full Changelog: 1.3.1...2.0.0

1.3.1

• 13430aa Update types for changes in micromark-util-types

Full Changelog: 1.3.0...1.3.1

1.3.0

Types

• a034fa6 Add CompileData type to track custom data

Full Changelog: 1.2.1...1.3.0

1.2.1

Misc

• c05e153 05875cd 0e70e0a ded1a8e d9a0849 Add improved docs
• 817f24e 4a1a05e Refactor code-style
• 223bf98 Update tsconfig.json

Full Changelog: 1.2.0...1.2.1

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 53 commits:

• 2.0.2
• Refactor types
• Refactor to use `@import`s
• Update Node in Actions
• Refactor `package.json`
• Remove license year
• Refactor `.editorconfig`
• Add `.tsbuildinfo` to `.gitignore`
• Update dev-dependencies
• 2.0.1
• Fix end point of texts ending in character reference
• Add declaration maps
• Update `commonmark.json`
• Update Actions
• Update dev-dependencies
• Update dev-dependencies
• 2.0.0
• Change to replace getter/setters with raw data
• Change to return `undefined` from `enter`, `exit`
• Fix links
• Change to require Node.js 16
• Add script to test in production
• Remove unneeded `main`, `types` fields
• Refactor docs
• Remove deprecated `OnError` type
• Refactor code-style
• Refactor `.npmrc`
• Update `@types/mdast` and friends
• Replace dependency
• Update `micromark`, change buffers to `Uint8Array`s
• Refactor `package.json`, `tsconfig.json`
• Update dev-dependencies
• 1.3.1
• Update types for changes in `micromark-util-types`
• Update dev-dependencies
• 1.3.0
• Add `CompileData` type to track custom data
• 1.2.1
• Add improved docs
• Add tests for exposed identifiers
• Use Node test runner
• Add `ignore-scripts` to `.npmrc`
• Refactor code-style
• Refactor tests
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies
• Refactor some docs
• Update dev-dependencies
• Fix typo
• Replace skypack w/ esm.sh
• Add improved docs
• Update dev-dependencies

3.1.0

Add

• e111719 Add support for passing footnote options

Types

• c913fa3 Add declaration maps
• 45ece81 Refactor to use @imports

Full Changelog: 3.0.0...3.1.0

3.0.0

Change

• d40848e Update @types/mdast, mdast utilities
  migrate: update too
• 3f1a762 Change to require Node.js 16
  migrate: update too
• 812337d Change to use exports
  migrate: don’t use private APIs

Full Changelog: 2.0.2...3.0.0

2.0.2

Misc

• 599ae04 2ee5cdc Add improved docs
• fcf0b74 Refactor code-style
• e521fb5 Update tsconfig.json

Full Changelog: 2.0.1...2.0.2

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 39 commits:

• 3.1.0
• Refactor code-style
• Add declaration maps
• Refactor to use `@import`s
• Add support for passing footnote options
• Refactor `package.json`
• Remove license year
• Refactor `.prettierignore`
• Refactor `.editorconfig`
• Add `.tsbuildinfo` to `.gitignore`
• Update Actions
• Update dev-dependencies
• Update dev-dependencies
• Update dev-dependencies
• 3.0.0
• Change to require Node.js 16
• Change to use `exports`
• Add npm script to test in production
• Refactor docs
• Refactor code-style
• Refactor `.npmrc`
• Refactor to reorganize fixtures
• Regenerate tests
• Refactor `package.json`, `tsconfig.json`
• Update `@types/mdast`, mdast utilities
• Update dev-dependencies
• Fix typo
• 2.0.2
• Add improved docs
• Add tests for exposed identifiers
• Use Node test runner
• Add `ignore-scripts` to `.npmrc`
• Refactor code-style
• Update `tsconfig.json`
• Update Actions
• Update dev-dependencies
• Add improved docs
• Update dev-dependencies
• Add `.gitattributes`

13.2.0

Types

• 24f4576 Add type for data.meta on elements to hast

Full Changelog: 13.1.0...13.2.0

13.1.0