Depfu

🚨 [security] Update all of nextjs 12.3.4 → 16.2.6 (major)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint-config-next (12.3.1 → 16.2.6)

Sorry, we couldn’t find anything useful about this release.

✳️ next (12.3.4 → 16.2.6) · Repo

Security Advisories 🚨

🚨 Next.js has a Denial of Service in the Image Optimization API

Impact

When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed).

If you are using images.localPatterns, only the patterns in that array are impacted.

If you are using images.unoptimized: true, you are NOT impacted.

If you are using images.loader: 'custom', you are NOT impacted.

If you are using Vercel, you are NOT impacted.

Fix

We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory.

This can be adjusted using the images.maximumResponseBody configuration.

Workarounds

If you cannot upgrade immediately, avoid routing large local assets through /_next/image, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge.

You can disable using the images.localPatterns: [] configuration. This will still allow fetching remote images (which is not impacted).

🚨 Next.js's Middleware / Proxy redirects can be cache-poisoned

Impact

Next.js uses the x-nextjs-data request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.

When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients.

If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged.

Affected scenarios

This affects applications that:

use middleware or proxy redirects

are deployed behind a caching CDN or reverse proxy

allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests

Fix

The fix stops trusting x-nextjs-data by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.

Workarounds

Before upgrading, users can reduce risk by:

configuring the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses

🚨 Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

Impact

App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors.

Fix

We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context.

Workarounds

If you cannot upgrade immediately, strip inbound Content-Security-Policy request headers from untrusted traffic.

🚨 Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

Impact

App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors.

Fix

We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context.

Workarounds

If you cannot upgrade immediately, strip inbound Content-Security-Policy request headers from untrusted traffic.

🚨 Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

Impact

React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.

Fix

We strengthened the _rsc cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.

Workarounds

If you cannot upgrade immediately, ensure intermediary caches correctly honor Vary for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.

🚨 Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

Impact

React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.

Fix

We strengthened the _rsc cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.

Workarounds

If you cannot upgrade immediately, ensure intermediary caches correctly honor Vary for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.

🚨 Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

Impact

Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.

Fix

We now HTML-escape serialized beforeInteractive script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.

Workarounds

If you cannot upgrade immediately, do not pass untrusted data into beforeInteractive scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

🚨 Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

Impact

Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.

Fix

We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.

Workarounds

If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the Next-Resume header at the edge.

🚨 Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

Impact

Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.

Fix

We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.

Workarounds

If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the Next-Resume header at the edge.

🚨 Next.js has a Denial of Service in the Image Optimization API

Impact

When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed).

If you are using images.localPatterns, only the patterns in that array are impacted.

If you are using images.unoptimized: true, you are NOT impacted.

If you are using images.loader: 'custom', you are NOT impacted.

If you are using Vercel, you are NOT impacted.

Fix

We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory.

This can be adjusted using the images.maximumResponseBody configuration.

Workarounds

If you cannot upgrade immediately, avoid routing large local assets through /_next/image, disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge.

You can disable using the images.localPatterns: [] configuration. This will still allow fetching remote images (which is not impacted).

🚨 Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

Impact

Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected.

Fix

We now apply the same safety checks to WebSocket upgrade handling that already existed for normal HTTP requests, so upgrade requests are only proxied when routing has explicitly marked them as safe external rewrites.

Workarounds

If you cannot upgrade immediately, do not expose the origin server directly to untrusted networks. If WebSocket upgrades are not required, block them at your reverse proxy or load balancer, and restrict origin egress to internal networks and metadata services where possible.

🚨 Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

Impact

Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.

Fix

We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.

Workarounds

If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.

🚨 Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

Impact

Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.

Fix

We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.

Workarounds

If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.

🚨 Next.js vulnerable to cache poisoning in React Server Component responses

Impact

Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.

Fix

We now validate and interpret RSC request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.

Workarounds

If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors Vary, or disable shared caching for affected App Router and RSC responses.

🚨 Next.js vulnerable to cache poisoning in React Server Component responses

Impact

Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.

Fix

We now validate and interpret RSC request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.

Workarounds

If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors Vary, or disable shared caching for affected App Router and RSC responses.

🚨 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.

Workarounds

If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

🚨 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

Impact

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n data route.

Workarounds

If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.

🚨 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

Impact

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n data route.

Workarounds

If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.

🚨 Next.js Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23870.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

🚨 Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

Impact

Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.

Fix

We now HTML-escape serialized beforeInteractive script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.

Workarounds

If you cannot upgrade immediately, do not pass untrusted data into beforeInteractive scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

🚨 Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

Impact

Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected.

Fix

We now apply the same safety checks to WebSocket upgrade handling that already existed for normal HTTP requests, so upgrade requests are only proxied when routing has explicitly marked them as safe external rewrites.

Workarounds

If you cannot upgrade immediately, do not expose the origin server directly to untrusted networks. If WebSocket upgrades are not required, block them at your reverse proxy or load balancer, and restrict origin egress to internal networks and metadata services where possible.

🚨 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.

Workarounds

If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

🚨 Next.js Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23870.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

🚨 Next.js has a Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

🚨 Next.js has a Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

🚨 Next.js: HTTP request smuggling in rewrites

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.

Enforce authentication/authorization on backend routes per our security guidance.

🚨 Next.js: HTTP request smuggling in rewrites

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.

Enforce authentication/authorization on backend routes per our security guidance.

🚨 Next.js: Unbounded next/image disk cache growth can exhaust storage

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

Periodically clean .next/cache/images.

Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)

🚨 Next.js: Unbounded postponed resume buffering can lead to DoS

Summary

A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

Impact

In applications using the App Router with Partial Prerendering capability enabled (via experimental.ppr or cacheComponents), an attacker could send oversized next-resume POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.

Patches

Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.

Workarounds

If upgrade is not immediately possible:

Block requests containing the next-resume header, as this is never valid to be sent from an untrusted client.

🚨 Next.js: null origin can bypass dev HMR websocket CSRF checks

Summary

In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

Impact

If a developer visits attacker-controlled content while running an affected next dev server with allowedDevOrigins configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.

This issue affects development mode only. It does not affect next start, and it does not expose internal debugging functionality to the network by default.

Patches

Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins on internal development endpoints.

Workarounds

If upgrade is not immediately possible:

Do not expose next dev to untrusted networks.

If you use allowedDevOrigins, reject requests and websocket upgrades with Origin: null for internal dev endpoints at your proxy.

🚨 Next.js: null origin can bypass Server Actions CSRF checks

Summary

origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

Patches

Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.

Workarounds

If upgrade is not immediately possible:

Add CSRF tokens for sensitive Server Actions.

Prefer SameSite=Strict on sensitive auth cookies.

Do not allow 'null' in serverActions.allowedOrigins unless intentionally required and additionally protected.

🚨 Next.js: Unbounded next/image disk cache growth can exhaust storage

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

Periodically clean .next/cache/images.

Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)

🚨 Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

react-server-dom-parcel

react-server-dom-turbopack

react-server-dom-webpack

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js Affected by Cache Key Confusion for Image Optimization API Routes

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.JS vulnerability can lead to DoS via cache poisoning

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

Allam Rachid zhero;

Allam Yasser (inzo)

🚨 Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3

For Next.js 14.x, this issue is fixed in 14.2.25

For Next.js 13.x, this issue is fixed in 13.5.9

For Next.js 12.x, this issue is fixed in 12.3.5

For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

Allam Rachid (zhero;)

Allam Yasser (inzo_)

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js authorization bypass vulnerability

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

🚨 Denial of Service condition in Next.js image optimization

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.

The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

Next.js between 13.5.1 and 14.2.9

Using pages router

Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

Deployments using only app router

Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

Allam Rachid (zhero_)

Henry Chen

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

Next.js between 13.5.1 and 14.2.9

Using pages router

Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

Deployments using only app router

Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

Allam Rachid (zhero_)

Henry Chen

🚨 Next.js Denial of Service (DoS) condition

Impact

A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.

This vulnerability can affect all Next.js deployments on the affected versions.

Patches

This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credit

Thai Vu of flyseccorp.com

Aonan Guan (@0dd), Senior Cloud Security Engineer

🚨 Next.js Vulnerable to HTTP Request Smuggling

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

🚨 Next.js Server-Side Request Forgery in Server Actions

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

Next.js (<14.1.1) is running in a self-hosted* manner.

The Next.js application makes use of Server Actions.

The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

🚨 Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ @babel/code-frame (indirect, 7.22.13 → 7.29.0) · Repo · Changelog

Release Notes

7.29.0

v7.29.0 (2026-01-31)

Thanks @simbahax for your first PR!

🚀 New Feature

babel-types

#17750 [7.x backport] Add attributes import declaration builder (@JLHwung)

babel-standalone

#17663 [7.x backport] feat(standalone): export async transform (@JLHwung)

#17725 [7.x backport] feat: read standalone targets from data-targets (@JLHwung)

🐛 Bug Fix

babel-parser

#17765 fix(parser): correctly parse type assertions in extends clause (@nicolo-ribaudo)

#17723 [7.x backport] fix(parser): improve super type argument parsing (@JLHwung)

babel-traverse

#17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@simbahax)

babel-plugin-transform-block-scoping, babel-traverse

#17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@magic-akari)

🏃‍♀️ Performance

babel-generator, babel-runtime-corejs3

#17642 [Babel 7] Improve generator performance (@liuxingbaoyu)

Committers: 6

David (@simbahax)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

@magic-akari

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

babel-parser

#17254 Allow using of as lexical declaration within for (@JLHwung)

#17230 Disallow get/set in TSPropertySignature (@JLHwung)

babel-parser, babel-types

#17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse

#17137 fix: do expressions should allow early exit (@kermanx)

babel-helper-wrap-function, babel-plugin-transform-async-to-generator

#17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)

babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator

#17231 fix apply()/call() annotated as pure (@Lacsw)

babel-helper-fixtures, babel-parser

#17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)

babel-generator, babel-parser

#17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)

babel-parser

#17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)

#17080 Fix start of TSParameterProperty (@JLHwung)

babel-compat-data, babel-preset-env

#17228 Update firefox bugfix compat data (@JLHwung)

babel-traverse

#17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)

babel-generator

#17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse

#17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)

babel-compat-data, babel-preset-env

#17256 Tune plugin compat data (@JLHwung)

babel-compat-data, babel-standalone

#17236 migrate babel-compat-data build script to mjs (@JLHwung)

babel-register

#16844 Migrate @babel/register to cts (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)

All packages

#17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3

#16538 Reduce interopRequireWildcard size (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

Aryan Bharti (@woaitsAryan)

Babel Bot (@babel-bot)

Frolov Roman (@Lacsw)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

@magic-akari

_Kerman (@kermanx)

fisker Cheung (@fisker)

7.26.2

v7.26.2 (2024-10-30)

🐛 Bug Fix

babel-parser

#16903 fix: Parse placeholder for TS namespace (@liuxingbaoyu)

#16937 fix: Account for offsets when creating new Position instances (@DylanPiercey)

babel-generator

#16948 Fix mapping of tokens with generated nodes in between (@nicolo-ribaudo)

Committers: 6

Babel Bot (@babel-bot)

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

fisker Cheung (@fisker)

7.26.0

v7.26.0 (2024-10-25)

Thanks @timofei-iatsenko for your first PR!

You can find the release blog post with some highlights at https://babeljs.io/blog/2024/10/25/7.26.0.

🚀 New Feature

babel-core, babel-generator, babel-parser, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-preset-env, babel-standalone, babel-types

#16850 Enable import attributes parsing by default (@nicolo-ribaudo)

babel-core

#16862 feat: support async plugin's pre/post (@timofei-iatsenko)

babel-compat-data, babel-plugin-proposal-regexp-modifiers, babel-plugin-transform-regexp-modifiers, babel-preset-env, babel-standalone

#16692 Add transform-regexp-modifiers to preset-env (@JLHwung)

babel-parser

#16849 feat: add startIndex parser option (@DylanPiercey)

babel-generator, babel-parser, babel-plugin-syntax-flow

#16841 Always enable parsing of Flow enums (@nicolo-ribaudo)

babel-helpers, babel-preset-typescript, babel-runtime-corejs3

#16794 Support import() in rewriteImportExtensions (@liuxingbaoyu)

babel-generator, babel-parser

#16708 Add experimental format-preserving mode to @babel/generator (@nicolo-ribaudo)

🐛 Bug Fix

babel-core

#16928 Workaround Node.js bug for parallel loading of TLA modules (@nicolo-ribaudo)

#16926 Fix loading of modules with TLA in Node.js 23 (@nicolo-ribaudo)

💅 Polish

babel-plugin-proposal-json-modules, babel-plugin-transform-json-modules, babel-standalone

#16924 Rename proposal-json-modules to transform-json-modules (@nicolo-ribaudo)

🏠 Internal

babel-code-frame, babel-highlight

#16896 Inline @babel/highlight in @babel/code-frame (@nicolo-ribaudo)

babel-generator, babel-parser, babel-types

#16732 Add kind to TSModuleDeclaration (@liuxingbaoyu)

🏃‍♀️ Performance

babel-helper-module-transforms, babel-plugin-transform-modules-commonjs

#16882 perf: Improve module transforms (@liuxingbaoyu)

Committers: 5

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Timofei Iatsenko (@timofei-iatsenko)

@liuxingbaoyu

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

babel-parser, babel-template, babel-types

#16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)

babel-helper-compilation-targets, babel-preset-env

#16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)

Other

#16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16914 remove test options flaky (@JLHwung)

Every package

#16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

babel-parser, babel-types

#16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Viktar Vaŭčkievič (@victorenator)

@liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

babel-helper-validator-identifier

#16825 fix: update identifier to unicode 16 (@JLHwung)

babel-traverse

#16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)

babel-plugin-transform-classes

#16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)

babel-generator

#16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)

#16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)

#16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

babel-types

#16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

babel-core

#16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)

babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env

#16858 Add browserslist config to external dependency (@JLHwung)

babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone

#16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)

babel-generator

#16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-plugin-transform-typescript

#16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)

babel-types

#16842 perf: Improve @babel/types builders (@liuxingbaoyu)

#16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

Babel Bot (@babel-bot)

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

coderaiser (@coderaiser)

fisker Cheung (@fisker)

hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

babel-node

#16554 Allow extra flags in babel-node (@nicolo-ribaudo)

babel-traverse

#16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)

babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

#16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16525 Delete unused array helpers (@blakewilson)

Committers: 7

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16514 Fix source maps for private member expressions (@nicolo-ribaudo)

babel-core, babel-generator, babel-plugin-transform-modules-commonjs

#16515 Fix source maps for template literals (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16485 Support undecorated static accessor in anonymous classes (@JLHwung)

#16484 Fix decorator bare yield await (@JLHwung)

babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3

#16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)

babel-parser, babel-plugin-transform-typescript

#16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16501 Generate helper metadata at build time (@nicolo-ribaudo)

babel-helpers

#16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)

babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16495 Move all runtime helpers to individual files (@nicolo-ribaudo)

babel-parser, babel-traverse

#16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)

Other

#16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Lucas Coelho (@coelhucas)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

Zzzen (@Zzzen)

@liuxingbaoyu

7.24.2

v7.24.2 (2024-03-19)

🐛 Bug Fix

babel-code-frame, babel-highlight

#16362 Restore previous FORCE_COLOR=0 behavior (@nicolo-ribaudo)

Committers: 1

Nicolò Ribaudo (@nicolo-ribaudo)

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16350 Fix decorated class computed keys ordering (@JLHwung)

#16344 Fix decorated class static field private access (@JLHwung)

babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env

#16329 Respect moduleName for @babel/runtime/regenerator imports (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties

#16331 Fix decorator memoiser binding kind (@JLHwung)

babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties

#16325 Fix decorator evaluation private environment (@JLHwung)

📝 Documentation

#16319 Update SECURITY.md (@nicolo-ribaudo)

🏠 Internal

babel-code-frame, babel-highlight

#16359 Replace chalk with picocolors (@nicolo-ribaudo)

babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow

#16352 Run Babel transform tests on old node if possible (@JLHwung)

babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx

#16349 Support merging imports in import injector (@nicolo-ribaudo)

Other

#16332 Test Babel 7 plugins compatibility with Babel 8 core (@nicolo-ribaudo)

🔬 Output optimization

babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime

#16345 Optimize the use of assertThisInitialized after super() (@liuxingbaoyu)

babel-plugin-transform-class-properties, babel-plugin-transform-classes

#16343 Use simpler assertThisInitialized more often (@liuxingbaoyu)

babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse

#16342 Consider well-known and registered symbols as literals (@nicolo-ribaudo)

babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env

#16326 Reduce the use of class names (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

7.23.5

v7.23.5 (2023-11-29)

👓 Spec Compliance

babel-plugin-proposal-decorators

#16138 Class binding is in TDZ during decorators initialization (@nicolo-ribaudo)

babel-helpers, babel-plugin-proposal-decorators

#16132 Allow addInitializer in field decorator context (@JLHwung)

🐛 Bug Fix

babel-traverse, babel-types

#16131 Do not remove bindings when removing assignment expression path (@nicolo-ribaudo)

babel-plugin-transform-classes

#16135 Require class properties transform when compiling class with private fields (@nicolo-ribaudo)

babel-generator

#16122 fix: Missing parentheses after line break (@liuxingbaoyu)

babel-helpers

#16130 Fix helpers internal fns names conflict resolution (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties, babel-plugin-transform-typescript

#16123 Simplify class fields injetion after super() (@nicolo-ribaudo)

babel-generator, babel-plugin-transform-modules-commonjs, babel-plugin-transform-parameters, babel-plugin-transform-typescript, babel-traverse

#16110 fix: Unexpected duplication of comments (@liuxingbaoyu)

babel-eslint-plugin

#16023 Add @babel/eslint-plugin/no-undef to fix no-undef with accessor props (@nicolo-ribaudo)

🔬 Output optimization

babel-helpers

#16129 Optimize decorator helper size (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

7.23.4

v7.23.4 (2023-11-20)

🐛 Bug Fix

babel-generator

#16104 fix: Pure comments missing parentheses (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/compat-data (indirect, 7.23.2 → 7.29.3) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/core (indirect, 7.23.2 → 7.29.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/generator (indirect, 7.23.0 → 7.29.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/helper-compilation-targets (indirect, 7.22.15 → 7.28.6) · Repo · Changelog

Release Notes

7.27.2 (from changelog)

🐛 Bug Fix

babel-parser

#17289 fix: @babel/parser/bin/index.js contains node: protocol require (@liuxingbaoyu)

#17291 fix: Private class method not found when TS and estree (@liuxingbaoyu)

babel-plugin-transform-object-rest-spread

#17281 Fix: improve object rest handling in array pattern (@JLHwung)

babel-plugin-transform-modules-commonjs, babel-template

#17284 fix(babel-template): Properly handle empty string replacements (@magic-akari)

🏃‍♀️ Performance

babel-cli

#17285 Enable Node compile cache for @babel/cli (@JLHwung)

7.27.0

v7.27.0 (2025-03-24)

Thanks @ishchhabra and @vovkasm for your first PRs!

👓 Spec Compliance

babel-generator, babel-parser

#16977 Default importAttributesKeyword to with (@JLHwung)

🚀 New Feature

babel-helper-create-class-features-plugin, babel-traverse, babel-types

#17169 Allow traverseFast to exit early (@liuxingbaoyu)

babel-parser, babel-types

#17110 Add ImportAttributes to Standardized and move its parser test fixtures (@JLHwung)

babel-generator

#17100 fix(babel-generator): add named export of generate function (@vovkasm)

babel-parser, babel-template

#17149 Add allowYieldOutsideFunction to parser (@liuxingbaoyu)

babel-plugin-transform-typescript, babel-traverse

#17102 feat: Add upToScope parameter to hasBinding (@liuxingbaoyu)

babel-parser

#17082 Support ESTree AccessorProperty (@JLHwung)

babel-types

#17162 feat(babel-types): Add support for BigInt literal conversion in valueToNode (@ishchhabra)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16816 fix: Class reference in type throws error (@liuxingbaoyu)

babel-traverse

#17170 fix: Reset child scopes when scope.crawl() (@liuxingbaoyu)

babel-helpers, babel-preset-typescript, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#17118 Fix: align behaviour to tsc rewriteRelativeImportExtensions (@JLHwung)

babel-cli

#17182 fix: @babel/cli generates duplicate inline source maps (@liuxingbaoyu)

babel-plugin-transform-named-capturing-groups-regex, babel-types

#17175 Generate computed proto key (@JLHwung)

🏃‍♀️ Performance

babel-types

#16870 perf: Improve builders of @babel/types (@liuxingbaoyu)

babel-helper-create-regexp-features-plugin

#17176 fix: improve duplicate named groups check (@JLHwung)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Ish Chhabra (@ishchhabra)

Vladimir Timofeev (@vovkasm)

@liuxingbaoyu

7.26.5

v7.26.5 (2025-01-10)

👓 Spec Compliance

babel-parser

#17011 Allow the dynamic import.defer() form of import defer (@babel-bot)

🐛 Bug Fix

babel-plugin-transform-block-scoped-functions

#17024 chore: Avoid calling isInStrictMode in Babel 7 (@liuxingbaoyu)

babel-plugin-transform-typescript

#17026 fix: Correctly generate exported const enums in namespace (@liuxingbaoyu)

babel-parser

#17045 [estree] Unify method type parameters handling (@JLHwung)

#17013 fix: Correctly set position for @(a.b)() (@liuxingbaoyu)

#16996 [estree] Adjust the start loc of class methods with type params (@nicolo-ribaudo)

babel-generator, babel-parser, babel-plugin-transform-flow-strip-types, babel-types

#17028 Support flow jsx opening element type arguments (@JLHwung)

babel-compat-data, babel-preset-env

#17031 fix: More accurate transform-typeof-symbol compat data (@liuxingbaoyu)

babel-generator, babel-parser, babel-types

#17019 Fix incomplete visitor keys (@JLHwung)

🔬 Output optimization

babel-plugin-transform-nullish-coalescing-operator

#16612 Improve nullish coalescing operator output (@liuxingbaoyu)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

babel-parser, babel-template, babel-types

#16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)

babel-helper-compilation-targets, babel-preset-env

#16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)

Other

#16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16914 remove test options flaky (@JLHwung)

Every package

#16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

babel-parser, babel-types

#16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Viktar Vaŭčkievič (@victorenator)

@liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

babel-helper-validator-identifier

#16825 fix: update identifier to unicode 16 (@JLHwung)

babel-traverse

#16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)

babel-plugin-transform-classes

#16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)

babel-generator

#16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)

#16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)

#16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

babel-types

#16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

babel-core

#16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)

babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env

#16858 Add browserslist config to external dependency (@JLHwung)

babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone

#16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)

babel-generator

#16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-plugin-transform-typescript

#16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)

babel-types

#16842 perf: Improve @babel/types builders (@liuxingbaoyu)

#16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

Babel Bot (@babel-bot)

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

coderaiser (@coderaiser)

fisker Cheung (@fisker)

hwook (@YuHyeonWook)

7.25.2

v7.25.2 (2024-07-30)

🐛 Bug Fix

babel-core, babel-traverse

#16695 Ensure that requeueComputedKeyAndDecorators is available (@nicolo-ribaudo)

Committers: 2

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

7.24.8

v7.24.8 (2024-07-11)

Thanks @H0onnn, @jkup and @SreeXD for your first pull requests!

👓 Spec Compliance

babel-parser

#16567 Do not use strict mode in TS declare (@liuxingbaoyu)

🐛 Bug Fix

babel-generator

#16630 Correctly print parens around in in for heads (@nicolo-ribaudo)

#16626 Fix printing of comments in await using (@nicolo-ribaudo)

#16591 fix typescript code generation for yield expression inside type expre… (@SreeXD)

babel-parser

#16613 Disallow destructuring assignment in using declarations (@H0onnn)

#16490 fix: do not add .value: undefined to regexp literals (@liuxingbaoyu)

babel-types

#16615 Remove boolean props from ObjectTypeInternalSlot visitor keys (@nicolo-ribaudo)

babel-plugin-transform-typescript

#16566 fix: Correctly handle export import x = (@liuxingbaoyu)

💅 Polish

babel-generator

#16625 Avoid unnecessary parens around async in for await (@nicolo-ribaudo)

babel-traverse

#16619 Avoid checking Scope.globals multiple times (@liuxingbaoyu)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jon Kuperman (@jkup)

Nagendran N (@SreeXD)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@H0onnn

@liuxingbaoyu

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

babel-node

#16554 Allow extra flags in babel-node (@nicolo-ribaudo)

babel-traverse

#16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)

babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

#16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16525 Delete unused array helpers (@blakewilson)

Committers: 7

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16514 Fix source maps for private member expressions (@nicolo-ribaudo)

babel-core, babel-generator, babel-plugin-transform-modules-commonjs

#16515 Fix source maps for template literals (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16485 Support undecorated static accessor in anonymous classes (@JLHwung)

#16484 Fix decorator bare yield await (@JLHwung)

babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3

#16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)

babel-parser, babel-plugin-transform-typescript

#16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16501 Generate helper metadata at build time (@nicolo-ribaudo)

babel-helpers

#16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)

babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16495 Move all runtime helpers to individual files (@nicolo-ribaudo)

babel-parser, babel-traverse

#16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)

Other

#16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Lucas Coelho (@coelhucas)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

Zzzen (@Zzzen)

@liuxingbaoyu

7.23.6

v7.23.6 (2023-12-11)

Thanks @martinez-hugo and @odinho for your first pull requests!

👓 Spec Compliance

babel-generator, babel-parser, babel-types

#16154 Remove TSPropertySignature.initializer (@fisker)

babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-types

#16139 Apply toPropertyKey on decorator context name (@JLHwung)

🐛 Bug Fix

babel-generator

#16166 fix: Correctly indenting when retainLines is enabled (@liuxingbaoyu)

babel-helpers, babel-plugin-proposal-explicit-resource-management

#16150 using: Allow looking up Symbol.dispose on a function (@odinho)

babel-plugin-proposal-decorators, babel-plugin-transform-class-properties

#16161 Ensure the [[@@toPrimitive]] call of a decorated class member key is invoked once (@JLHwung)

#16148 Support named evaluation for decorated anonymous class exp (@JLHwung)

babel-plugin-transform-for-of, babel-preset-env

#16011 fix: for of with iterableIsArray and shadowing variable (@liuxingbaoyu)

babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16144 Set function name for decorated private non-field elements (@JLHwung)

babel-plugin-transform-typescript

#16137 Fix references to enum values with merging (@nicolo-ribaudo)

🔬 Output optimization

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16159 Reuse computed key memoiser (@JLHwung)

babel-helpers, babel-plugin-proposal-decorators

#16160 Optimize decorator helper size (@liuxingbaoyu)

Committers: 7

Babel Bot (@babel-bot)

Hugo Martinez (@martinez-hugo)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Odin Hørthe-Omdal Urdland (@odinho)

@liuxingbaoyu

fisker Cheung (@fisker)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/helper-module-imports (indirect, 7.22.15 → 7.28.6) · Repo · Changelog

Release Notes

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

babel-parser

#17254 Allow using of as lexical declaration within for (@JLHwung)

#17230 Disallow get/set in TSPropertySignature (@JLHwung)

babel-parser, babel-types

#17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse

#17137 fix: do expressions should allow early exit (@kermanx)

babel-helper-wrap-function, babel-plugin-transform-async-to-generator

#17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)

babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator

#17231 fix apply()/call() annotated as pure (@Lacsw)

babel-helper-fixtures, babel-parser

#17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)

babel-generator, babel-parser

#17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)

babel-parser

#17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)

#17080 Fix start of TSParameterProperty (@JLHwung)

babel-compat-data, babel-preset-env

#17228 Update firefox bugfix compat data (@JLHwung)

babel-traverse

#17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)

babel-generator

#17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse

#17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)

babel-compat-data, babel-preset-env

#17256 Tune plugin compat data (@JLHwung)

babel-compat-data, babel-standalone

#17236 migrate babel-compat-data build script to mjs (@JLHwung)

babel-register

#16844 Migrate @babel/register to cts (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)

All packages

#17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3

#16538 Reduce interopRequireWildcard size (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

Aryan Bharti (@woaitsAryan)

Babel Bot (@babel-bot)

Frolov Roman (@Lacsw)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

@magic-akari

_Kerman (@kermanx)

fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

babel-parser, babel-template, babel-types

#16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)

babel-helper-compilation-targets, babel-preset-env

#16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)

Other

#16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16914 remove test options flaky (@JLHwung)

Every package

#16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

babel-parser, babel-types

#16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Viktar Vaŭčkievič (@victorenator)

@liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

babel-helper-validator-identifier

#16825 fix: update identifier to unicode 16 (@JLHwung)

babel-traverse

#16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)

babel-plugin-transform-classes

#16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)

babel-generator

#16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)

#16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)

#16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

babel-types

#16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

babel-core

#16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)

babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env

#16858 Add browserslist config to external dependency (@JLHwung)

babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone

#16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)

babel-generator

#16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-plugin-transform-typescript

#16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)

babel-types

#16842 perf: Improve @babel/types builders (@liuxingbaoyu)

#16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

Babel Bot (@babel-bot)

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

coderaiser (@coderaiser)

fisker Cheung (@fisker)

hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

babel-node

#16554 Allow extra flags in babel-node (@nicolo-ribaudo)

babel-traverse

#16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)

babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

#16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16525 Delete unused array helpers (@blakewilson)

Committers: 7

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16514 Fix source maps for private member expressions (@nicolo-ribaudo)

babel-core, babel-generator, babel-plugin-transform-modules-commonjs

#16515 Fix source maps for template literals (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16485 Support undecorated static accessor in anonymous classes (@JLHwung)

#16484 Fix decorator bare yield await (@JLHwung)

babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3

#16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)

babel-parser, babel-plugin-transform-typescript

#16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16501 Generate helper metadata at build time (@nicolo-ribaudo)

babel-helpers

#16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)

babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16495 Move all runtime helpers to individual files (@nicolo-ribaudo)

babel-parser, babel-traverse

#16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)

Other

#16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Lucas Coelho (@coelhucas)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

Zzzen (@Zzzen)

@liuxingbaoyu

7.24.3

v7.24.3 (2024-03-20)

🐛 Bug Fix

babel-helper-module-imports

#16370 fix: do not inject the same imported identifier multiple times (@ota-meshi)

Committers: 2

Nicolò Ribaudo (@nicolo-ribaudo)

Yosuke Ota (@ota-meshi)

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16350 Fix decorated class computed keys ordering (@JLHwung)

#16344 Fix decorated class static field private access (@JLHwung)

babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env

#16329 Respect moduleName for @babel/runtime/regenerator imports (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties

#16331 Fix decorator memoiser binding kind (@JLHwung)

babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties

#16325 Fix decorator evaluation private environment (@JLHwung)

📝 Documentation

#16319 Update SECURITY.md (@nicolo-ribaudo)

🏠 Internal

babel-code-frame, babel-highlight

#16359 Replace chalk with picocolors (@nicolo-ribaudo)

babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow

#16352 Run Babel transform tests on old node if possible (@JLHwung)

babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx

#16349 Support merging imports in import injector (@nicolo-ribaudo)

Other

#16332 Test Babel 7 plugins compatibility with Babel 8 core (@nicolo-ribaudo)

🔬 Output optimization

babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime

#16345 Optimize the use of assertThisInitialized after super() (@liuxingbaoyu)

babel-plugin-transform-class-properties, babel-plugin-transform-classes

#16343 Use simpler assertThisInitialized more often (@liuxingbaoyu)

babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse

#16342 Consider well-known and registered symbols as literals (@nicolo-ribaudo)

babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env

#16326 Reduce the use of class names (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/helper-module-transforms (indirect, 7.23.0 → 7.28.6) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/helper-string-parser (indirect, 7.22.5 → 7.27.1) · Repo · Changelog

Release Notes

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

babel-parser

#17254 Allow using of as lexical declaration within for (@JLHwung)

#17230 Disallow get/set in TSPropertySignature (@JLHwung)

babel-parser, babel-types

#17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse

#17137 fix: do expressions should allow early exit (@kermanx)

babel-helper-wrap-function, babel-plugin-transform-async-to-generator

#17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)

babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator

#17231 fix apply()/call() annotated as pure (@Lacsw)

babel-helper-fixtures, babel-parser

#17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)

babel-generator, babel-parser

#17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)

babel-parser

#17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)

#17080 Fix start of TSParameterProperty (@JLHwung)

babel-compat-data, babel-preset-env

#17228 Update firefox bugfix compat data (@JLHwung)

babel-traverse

#17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)

babel-generator

#17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse

#17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)

babel-compat-data, babel-preset-env

#17256 Tune plugin compat data (@JLHwung)

babel-compat-data, babel-standalone

#17236 migrate babel-compat-data build script to mjs (@JLHwung)

babel-register

#16844 Migrate @babel/register to cts (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)

All packages

#17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3

#16538 Reduce interopRequireWildcard size (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

Aryan Bharti (@woaitsAryan)

Babel Bot (@babel-bot)

Frolov Roman (@Lacsw)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

@magic-akari

_Kerman (@kermanx)

fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

babel-parser, babel-template, babel-types

#16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)

babel-helper-compilation-targets, babel-preset-env

#16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)

Other

#16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16914 remove test options flaky (@JLHwung)

Every package

#16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

babel-parser, babel-types

#16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Viktar Vaŭčkievič (@victorenator)

@liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

babel-helper-validator-identifier

#16825 fix: update identifier to unicode 16 (@JLHwung)

babel-traverse

#16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)

babel-plugin-transform-classes

#16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)

babel-generator

#16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)

#16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)

#16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

babel-types

#16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

babel-core

#16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)

babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env

#16858 Add browserslist config to external dependency (@JLHwung)

babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone

#16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)

babel-generator

#16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-plugin-transform-typescript

#16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)

babel-types

#16842 perf: Improve @babel/types builders (@liuxingbaoyu)

#16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

Babel Bot (@babel-bot)

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

coderaiser (@coderaiser)

fisker Cheung (@fisker)

hwook (@YuHyeonWook)

7.24.8

v7.24.8 (2024-07-11)

Thanks @H0onnn, @jkup and @SreeXD for your first pull requests!

👓 Spec Compliance

babel-parser

#16567 Do not use strict mode in TS declare (@liuxingbaoyu)

🐛 Bug Fix

babel-generator

#16630 Correctly print parens around in in for heads (@nicolo-ribaudo)

#16626 Fix printing of comments in await using (@nicolo-ribaudo)

#16591 fix typescript code generation for yield expression inside type expre… (@SreeXD)

babel-parser

#16613 Disallow destructuring assignment in using declarations (@H0onnn)

#16490 fix: do not add .value: undefined to regexp literals (@liuxingbaoyu)

babel-types

#16615 Remove boolean props from ObjectTypeInternalSlot visitor keys (@nicolo-ribaudo)

babel-plugin-transform-typescript

#16566 fix: Correctly handle export import x = (@liuxingbaoyu)

💅 Polish

babel-generator

#16625 Avoid unnecessary parens around async in for await (@nicolo-ribaudo)

babel-traverse

#16619 Avoid checking Scope.globals multiple times (@liuxingbaoyu)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jon Kuperman (@jkup)

Nagendran N (@SreeXD)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@H0onnn

@liuxingbaoyu

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

babel-node

#16554 Allow extra flags in babel-node (@nicolo-ribaudo)

babel-traverse

#16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)

babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

#16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16525 Delete unused array helpers (@blakewilson)

Committers: 7

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16514 Fix source maps for private member expressions (@nicolo-ribaudo)

babel-core, babel-generator, babel-plugin-transform-modules-commonjs

#16515 Fix source maps for template literals (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16485 Support undecorated static accessor in anonymous classes (@JLHwung)

#16484 Fix decorator bare yield await (@JLHwung)

babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3

#16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)

babel-parser, babel-plugin-transform-typescript

#16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16501 Generate helper metadata at build time (@nicolo-ribaudo)

babel-helpers

#16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)

babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16495 Move all runtime helpers to individual files (@nicolo-ribaudo)

babel-parser, babel-traverse

#16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)

Other

#16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Lucas Coelho (@coelhucas)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

Zzzen (@Zzzen)

@liuxingbaoyu

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16350 Fix decorated class computed keys ordering (@JLHwung)

#16344 Fix decorated class static field private access (@JLHwung)

babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env

#16329 Respect moduleName for @babel/runtime/regenerator imports (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties

#16331 Fix decorator memoiser binding kind (@JLHwung)

babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties

#16325 Fix decorator evaluation private environment (@JLHwung)

📝 Documentation

#16319 Update SECURITY.md (@nicolo-ribaudo)

🏠 Internal

babel-code-frame, babel-highlight

#16359 Replace chalk with picocolors (@nicolo-ribaudo)

babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow

#16352 Run Babel transform tests on old node if possible (@JLHwung)

babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx

#16349 Support merging imports in import injector (@nicolo-ribaudo)

Other

#16332 Test Babel 7 plugins compatibility with Babel 8 core (@nicolo-ribaudo)

🔬 Output optimization

babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime

#16345 Optimize the use of assertThisInitialized after super() (@liuxingbaoyu)

babel-plugin-transform-class-properties, babel-plugin-transform-classes

#16343 Use simpler assertThisInitialized more often (@liuxingbaoyu)

babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse

#16342 Consider well-known and registered symbols as literals (@nicolo-ribaudo)

babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env

#16326 Reduce the use of class names (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

7.23.4

v7.23.4 (2023-11-20)

🐛 Bug Fix

babel-generator

#16104 fix: Pure comments missing parentheses (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 63 commits:

↗️ @babel/helper-validator-identifier (indirect, 7.22.20 → 7.28.5) · Repo · Changelog

Release Notes

7.28.5

v7.28.5 (2025-10-23)

Thank you @CO0Ki3, @Olexandr88, and @youthfulhps for your first PRs!

👓 Spec Compliance

babel-parser

#17446 Allow Runtime Errors for Function Call Assignment Targets (@liuxingbaoyu)

babel-helper-validator-identifier

#17501 fix: update identifier to unicode 17 (@fisker)

🐛 Bug Fix

babel-plugin-proposal-destructuring-private

#17534 Allow mixing private destructuring and rest (@CO0Ki3)

babel-parser

#17521 Improve @babel/parser error typing (@JLHwung)

#17491 fix: improve ts-only declaration parsing (@JLHwung)

babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring

#17519 fix: rest correctly returns plain array (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-plugin-transform-block-scoping, babel-plugin-transform-optional-chaining, babel-traverse, babel-types

#17503 Fix JSXIdentifier handling in isReferencedIdentifier (@JLHwung)

babel-traverse

#17504 fix: ensure scope.push register in anonymous fn (@JLHwung)

🏠 Internal

babel-types

#17494 Type checking babel-types scripts (@JLHwung)

🏃‍♀️ Performance

babel-core

#17490 Faster finding of locations in buildCodeFrameError (@liuxingbaoyu)

Committers: 8

Babel Bot (@babel-bot)

Byeongho Yoo (@youthfulhps)

Huáng Jùnliàng (@JLHwung)

Hyeon Dokko (@CO0Ki3)

Nicolò Ribaudo (@nicolo-ribaudo)

@Olexandr88

@liuxingbaoyu

fisker Cheung (@fisker)

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

babel-parser

#17254 Allow using of as lexical declaration within for (@JLHwung)

#17230 Disallow get/set in TSPropertySignature (@JLHwung)

babel-parser, babel-types

#17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse

#17137 fix: do expressions should allow early exit (@kermanx)

babel-helper-wrap-function, babel-plugin-transform-async-to-generator

#17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)

babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator

#17231 fix apply()/call() annotated as pure (@Lacsw)

babel-helper-fixtures, babel-parser

#17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)

babel-generator, babel-parser

#17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)

babel-parser

#17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)

#17080 Fix start of TSParameterProperty (@JLHwung)

babel-compat-data, babel-preset-env

#17228 Update firefox bugfix compat data (@JLHwung)

babel-traverse

#17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)

babel-generator

#17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse

#17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)

babel-compat-data, babel-preset-env

#17256 Tune plugin compat data (@JLHwung)

babel-compat-data, babel-standalone

#17236 migrate babel-compat-data build script to mjs (@JLHwung)

babel-register

#16844 Migrate @babel/register to cts (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)

All packages

#17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3

#16538 Reduce interopRequireWildcard size (@liuxingbaoyu)

babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

#17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

Aryan Bharti (@woaitsAryan)

Babel Bot (@babel-bot)

Frolov Roman (@Lacsw)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

@magic-akari

_Kerman (@kermanx)

fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

babel-parser, babel-template, babel-types

#16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)

babel-helper-compilation-targets, babel-preset-env

#16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)

Other

#16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16914 remove test options flaky (@JLHwung)

Every package

#16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

babel-parser, babel-types

#16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Viktar Vaŭčkievič (@victorenator)

@liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

babel-helper-validator-identifier

#16825 fix: update identifier to unicode 16 (@JLHwung)

babel-traverse

#16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)

babel-plugin-transform-classes

#16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)

babel-generator

#16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)

#16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)

#16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

babel-types

#16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

babel-core

#16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)

babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env

#16858 Add browserslist config to external dependency (@JLHwung)

babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone

#16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)

babel-generator

#16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-plugin-transform-typescript

#16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)

babel-types

#16842 perf: Improve @babel/types builders (@liuxingbaoyu)

#16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

Babel Bot (@babel-bot)

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

coderaiser (@coderaiser)

fisker Cheung (@fisker)

hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

babel-node

#16554 Allow extra flags in babel-node (@nicolo-ribaudo)

babel-traverse

#16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)

babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

#16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16525 Delete unused array helpers (@blakewilson)

Committers: 7

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16514 Fix source maps for private member expressions (@nicolo-ribaudo)

babel-core, babel-generator, babel-plugin-transform-modules-commonjs

#16515 Fix source maps for template literals (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16485 Support undecorated static accessor in anonymous classes (@JLHwung)

#16484 Fix decorator bare yield await (@JLHwung)

babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3

#16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)

babel-parser, babel-plugin-transform-typescript

#16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16501 Generate helper metadata at build time (@nicolo-ribaudo)

babel-helpers

#16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)

babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16495 Move all runtime helpers to individual files (@nicolo-ribaudo)

babel-parser, babel-traverse

#16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)

Other

#16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Lucas Coelho (@coelhucas)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

Zzzen (@Zzzen)

@liuxingbaoyu

7.24.5

v7.24.5 (2024-04-29)

Thanks @romgrk and @sossost for your first PRs!

🐛 Bug Fix

babel-plugin-transform-classes, babel-traverse

#16377 fix: TypeScript annotation affects output (@liuxingbaoyu)

babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3

#16440 Fix suppressed error order (@sossost)

#16408 Await nullish async disposable (@JLHwung)

💅 Polish

babel-parser

#16407 Recover from exported using declaration (@JLHwung)

🏠 Internal

Other

#16414 Relax ESLint peerDependency constraint to allow v9 (@liuxingbaoyu)

babel-parser

#16425 Improve @babel/parser AST types (@nicolo-ribaudo)

#16417 Always pass type argument to .startNode (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-helper-wrap-function, babel-helpers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-block-scoping, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx-self, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-traverse

#16439 Make NodePath<T | U> distributive (@nicolo-ribaudo)

babel-plugin-proposal-partial-application, babel-types

#16421 Remove JSXNamespacedName from valid CallExpression args (@nicolo-ribaudo)

babel-plugin-transform-class-properties, babel-preset-env

#16406 Do not load unnecessary Babel 7 syntax plugins in Babel 8 (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-helpers, babel-preset-env, babel-runtime-corejs3

#16357 Performance: improve objectWithoutPropertiesLoose on V8 (@romgrk)

Committers: 6

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Rom Grk (@romgrk)

@liuxingbaoyu

ynnsuis (@sossost)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/helpers (indirect, 7.23.2 → 7.29.2) · Repo · Changelog

Security Advisories 🚨

🚨 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

You use Babel to compile regular expression named capturing groups

You use the .replace method on a regular expression that contains named capturing groups

Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23

you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in #17173.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/parser (indirect, 7.23.0 → 7.29.3) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/template (indirect, 7.22.15 → 7.28.6) · Repo · Changelog

Release Notes

7.27.2 (from changelog)

🐛 Bug Fix

babel-parser

#17289 fix: @babel/parser/bin/index.js contains node: protocol require (@liuxingbaoyu)

#17291 fix: Private class method not found when TS and estree (@liuxingbaoyu)

babel-plugin-transform-object-rest-spread

#17281 Fix: improve object rest handling in array pattern (@JLHwung)

babel-plugin-transform-modules-commonjs, babel-template

#17284 fix(babel-template): Properly handle empty string replacements (@magic-akari)

🏃‍♀️ Performance

babel-cli

#17285 Enable Node compile cache for @babel/cli (@JLHwung)

7.27.0

v7.27.0 (2025-03-24)

Thanks @ishchhabra and @vovkasm for your first PRs!

👓 Spec Compliance

babel-generator, babel-parser

#16977 Default importAttributesKeyword to with (@JLHwung)

🚀 New Feature

babel-helper-create-class-features-plugin, babel-traverse, babel-types

#17169 Allow traverseFast to exit early (@liuxingbaoyu)

babel-parser, babel-types

#17110 Add ImportAttributes to Standardized and move its parser test fixtures (@JLHwung)

babel-generator

#17100 fix(babel-generator): add named export of generate function (@vovkasm)

babel-parser, babel-template

#17149 Add allowYieldOutsideFunction to parser (@liuxingbaoyu)

babel-plugin-transform-typescript, babel-traverse

#17102 feat: Add upToScope parameter to hasBinding (@liuxingbaoyu)

babel-parser

#17082 Support ESTree AccessorProperty (@JLHwung)

babel-types

#17162 feat(babel-types): Add support for BigInt literal conversion in valueToNode (@ishchhabra)

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16816 fix: Class reference in type throws error (@liuxingbaoyu)

babel-traverse

#17170 fix: Reset child scopes when scope.crawl() (@liuxingbaoyu)

babel-helpers, babel-preset-typescript, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#17118 Fix: align behaviour to tsc rewriteRelativeImportExtensions (@JLHwung)

babel-cli

#17182 fix: @babel/cli generates duplicate inline source maps (@liuxingbaoyu)

babel-plugin-transform-named-capturing-groups-regex, babel-types

#17175 Generate computed proto key (@JLHwung)

🏃‍♀️ Performance

babel-types

#16870 perf: Improve builders of @babel/types (@liuxingbaoyu)

babel-helper-create-regexp-features-plugin

#17176 fix: improve duplicate named groups check (@JLHwung)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Ish Chhabra (@ishchhabra)

Vladimir Timofeev (@vovkasm)

@liuxingbaoyu

7.26.9

v7.26.9 (2025-02-14)

🐛 Bug Fix

babel-types

#17103 fix: Definition for TSPropertySignature.kind (@liuxingbaoyu)

babel-generator, babel-types

#17062 Print TypeScript optional/definite in ClassPrivateProperty (@jamiebuilds-signal)

🏠 Internal

babel-types

#17130 Use .ts files with explicit reexports to solve name conflicts (@nicolo-ribaudo)

babel-core

#17127 Do not depend on @types/gensync in Babel 7 (@nicolo-ribaudo)

Committers: 5

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Jamie Kyle (@jamiebuilds-signal)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

7.26.8

v7.26.8 (2025-02-08)

🏠 Internal

babel-preset-env

#17097 Update dependency babel-plugin-polyfill-corejs3 to ^0.11.0

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

babel-parser, babel-template, babel-types

#16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)

babel-helper-compilation-targets, babel-preset-env

#16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)

Other

#16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16914 remove test options flaky (@JLHwung)

Every package

#16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

babel-parser, babel-types

#16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Viktar Vaŭčkievič (@victorenator)

@liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

babel-helper-validator-identifier

#16825 fix: update identifier to unicode 16 (@JLHwung)

babel-traverse

#16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)

babel-plugin-transform-classes

#16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)

babel-generator

#16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)

#16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)

#16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

babel-types

#16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

babel-core

#16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)

babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env

#16858 Add browserslist config to external dependency (@JLHwung)

babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone

#16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)

babel-generator

#16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-plugin-transform-typescript

#16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)

babel-types

#16842 perf: Improve @babel/types builders (@liuxingbaoyu)

#16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

Babel Bot (@babel-bot)

Dylan Piercey (@DylanPiercey)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

coderaiser (@coderaiser)

fisker Cheung (@fisker)

hwook (@YuHyeonWook)

7.25.0

v7.25.0 (2024-07-26)

Thanks @davidtaylorhq and @slatereax for your first PR!

You can find the release blog post with some highlights at https://babeljs.io/blog/2024/07/26/7.25.0.

👓 Spec Compliance

babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3

#16537 await using normative updates (@JLHwung)

babel-plugin-transform-typescript

#16602 Ensure enum members syntactically determinable to be strings do not get reverse mappings (@liuxingbaoyu)

🚀 New Feature

babel-helper-create-class-features-plugin, babel-helper-function-name, babel-helper-plugin-utils, babel-helper-wrap-function, babel-plugin-bugfix-safari-class-field-initializer-scope, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-preset-env, babel-traverse, babel-types

#16658 Move ensureFunctionName to NodePath.prototype (@nicolo-ribaudo)

babel-helper-hoist-variables, babel-helper-plugin-utils, babel-plugin-proposal-async-do-expressions, babel-plugin-transform-modules-systemjs, babel-traverse

#16644 Move hoistVariables to Scope.prototype (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-split-export-declaration, babel-plugin-transform-classes, babel-traverse, babel-types

#16645 Move splitExportDeclaration to NodePath.prototype (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helper-environment-visitor, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-remap-async-to-generator, babel-helper-replace-supers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-transform-async-generator-functions, babel-plugin-transform-classes, babel-traverse

#16649 Move environment-visitor helper into @babel/traverse (@nicolo-ribaudo)

babel-core, babel-parser

#16480 Expose wether a module has TLA or not as .extra.async (@nicolo-ribaudo)

babel-compat-data, babel-plugin-bugfix-safari-class-field-initializer-scope, babel-preset-env

#16569 Introduce bugfix-safari-class-field-initializer-scope (@davidtaylorhq)

babel-plugin-transform-block-scoping, babel-traverse, babel-types

#16551 Add NodePath#getAssignmentIdentifiers (@JLHwung)

babel-helper-import-to-platform-api, babel-plugin-proposal-json-modules

#16579 Add uncheckedRequire option for JSON imports to CJS (@nicolo-ribaudo)

babel-helper-transform-fixture-test-runner, babel-node

#16642 Allow using custom config in babel-node --eval (@slatereax)

babel-compat-data, babel-helper-create-regexp-features-plugin, babel-plugin-proposal-duplicate-named-capturing-groups-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-preset-env, babel-standalone

#16445 Add duplicate-named-capturing-groups-regex to preset-env (@JLHwung)

🐛 Bug Fix

babel-generator

#16678 Print parens around as expressions on the LHS (@nicolo-ribaudo)

babel-template, babel-types

#15286 fix: Props are lost when the template replaces the node (@liuxingbaoyu)

🏠 Internal

Other

#16674 bump gulp to 5 (@JLHwung)

babel-generator

#16651 Simplify the printing logic for ( before ambiguous tokens (@nicolo-ribaudo)

babel-helper-function-name, babel-plugin-transform-arrow-functions, babel-plugin-transform-function-name, babel-preset-env, babel-traverse

#16652 Simplify helper-function-name logic (@nicolo-ribaudo)

🏃‍♀️ Performance

babel-parser, babel-plugin-proposal-pipeline-operator

#16461 Some minor parser performance improvements for ts (@liuxingbaoyu)

🔬 Output optimization

babel-plugin-transform-classes

#16670 Reduce redundant assertThisInitialized (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-object-super, babel-plugin-transform-private-methods, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16374 Improve super.x output (@liuxingbaoyu)

babel-plugin-transform-class-properties, babel-plugin-transform-classes

#16656 Simplify output for anonymous classes with no methods (@nicolo-ribaudo)

Committers: 6

Artem (@slatereax)

Babel Bot (@babel-bot)

David Taylor (@davidtaylorhq)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

babel-node

#16554 Allow extra flags in babel-node (@nicolo-ribaudo)

babel-traverse

#16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)

babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

#16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16525 Delete unused array helpers (@blakewilson)

Committers: 7

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

@liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties

#16514 Fix source maps for private member expressions (@nicolo-ribaudo)

babel-core, babel-generator, babel-plugin-transform-modules-commonjs

#16515 Fix source maps for template literals (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16485 Support undecorated static accessor in anonymous classes (@JLHwung)

#16484 Fix decorator bare yield await (@JLHwung)

babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3

#16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)

babel-parser, babel-plugin-transform-typescript

#16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16501 Generate helper metadata at build time (@nicolo-ribaudo)

babel-helpers

#16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)

babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16495 Move all runtime helpers to individual files (@nicolo-ribaudo)

babel-parser, babel-traverse

#16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)

Other

#16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

Amjad Yahia Robeen Hassan (@amjed-98)

Babel Bot (@babel-bot)

Blake Wilson (@blakewilson)

Huáng Jùnliàng (@JLHwung)

Lucas Coelho (@coelhucas)

Nicolò Ribaudo (@nicolo-ribaudo)

Sukka (@SukkaW)

Zzzen (@Zzzen)

@liuxingbaoyu

7.24.0

v7.24.0 (2024-02-28)

Thanks @ajihyf for your first PR!

Release post with summary and highlights: https://babeljs.io/7.24.0

🚀 New Feature

babel-standalone

#11696 Export babel tooling packages in @babel/standalone (@ajihyf)

babel-core, babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-class-properties

#16267 Implement noUninitializedPrivateFieldAccess assumption (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-syntax-decorators, babel-plugin-transform-class-properties, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16242 Support decorator 2023-11 normative updates (@JLHwung)

babel-preset-flow

#16309 [babel 7] Allow setting ignoreExtensions in Flow preset (@nicolo-ribaudo)

#16284 Add experimental_useHermesParser option in preset-flow (@liuxingbaoyu)

babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-standalone

#16172 Add transform support for JSON modules imports (@nicolo-ribaudo)

babel-plugin-transform-runtime

#16241 Add back moduleName option to @babel/plugin-transform-runtime (@nicolo-ribaudo)

babel-parser, babel-types

#16277 Allow import attributes for TSImportType (@sosukesuzuki)

🐛 Bug Fix

babel-plugin-proposal-do-expressions, babel-traverse

#16305 fix: avoid popContext on unvisited node paths (@JLHwung)

babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object

#16312 Fix class private properties when privateFieldsAsSymbols (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods

#16307 Fix the support of arguments in private get/set method (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators

#16287 Reduce decorator static property size (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16281 Fix evaluation order of decorators with cached receiver (@nicolo-ribaudo)

#16279 Fix decorator this memoization (@JLHwung)

#16266 Preserve static on decorated private accessor (@nicolo-ribaudo)

#16258 fix: handle decorated async private method and generator (@JLHwung)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-preset-env

#16275 Fix class private properties when privateFieldsAsProperties (@liuxingbaoyu)

babel-helpers

#16268 Do not consider arguments in a helper as a global reference (@nicolo-ribaudo)

babel-helpers, babel-plugin-proposal-decorators

#16270 Handle symbol key class elements decoration (@JLHwung)

#16265 Do not define access.get for public setter decorators (@nicolo-ribaudo)

💅 Polish

babel-core, babel-helper-create-class-features-plugin, babel-preset-env

#12428 Suggest using BABEL_SHOW_CONFIG_FOR for config problems (@nicolo-ribaudo)

🏠 Internal

babel-helper-transform-fixture-test-runner

#16278 Continue writing output.js when exec.js throws (@liuxingbaoyu)

🔬 Output optimization

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16306 Avoid intermediate functions for private accessors with decs (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties

#16294 More aggressively inline decorators in the static block (@nicolo-ribaudo)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-private-methods

#16283 Do not use classPrivateMethodGet (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators

#16287 Reduce decorator static property size (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties

#16280 Reduce element decorator temp variables (@JLHwung)

babel-helper-create-class-features-plugin, babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-optional-chaining-assign, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#16261 Do not use descriptors for private class elements (@nicolo-ribaudo)

babel-helpers, babel-plugin-proposal-decorators

#16263 Reduce helper size for decorator 2023-11 (@liuxingbaoyu)

Committers: 7

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

SUZUKI Sosuke (@sosukesuzuki)

Yarden Shoham (@yardenshoham)

@liuxingbaoyu

flyafly (@ajihyf)

7.23.9

v7.23.9 (2024-01-25)

🐛 Bug Fix

babel-helper-transform-fixture-test-runner, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-preset-env

#16225 fix: systemjs re-traverses helpers (@liuxingbaoyu)

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

#16226 Improve decorated private method check (@JLHwung)

babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-runtime, babel-preset-env

#16224 Properly sort core-js@3 imports (@nicolo-ribaudo)

babel-traverse

#15383 fix: Don't throw in getTypeAnnotation when using TS+inference (@liuxingbaoyu)

Other

#16210 [eslint] Fix no-use-before-define for class ref in fields (@nicolo-ribaudo)

🏠 Internal

babel-core, babel-parser, babel-template

#16222 Migrate eslint-parser to cts (@liuxingbaoyu)

babel-types

#16213 Remove @babel/types props that are not produced by the parser (@liuxingbaoyu)

🏃‍♀️ Performance

babel-parser

#16072 perf: Improve parser performance for typescript (@liuxingbaoyu)

🔬 Output optimization

babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-new-target, babel-plugin-transform-parameters, babel-plugin-transform-private-methods, babel-preset-env

#16218 Improve temporary variables for decorators (@liuxingbaoyu)

babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

#15959 Improve output of using (@liuxingbaoyu)

Committers: 4

Babel Bot (@babel-bot)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/traverse (indirect, 7.23.2 → 7.29.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @babel/types (indirect, 7.23.0 → 7.29.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @jridgewell/gen-mapping (indirect, 0.3.3 → 0.3.13) · Repo · Changelog

Release Notes

0.3.5

What's Changed

Add ignoreList support: 9add0c2

Full Changelog: v0.3.4...v0.3.5

0.3.4

Full Changelog: v0.3.3...v0.3.4

Does any of this look wrong? Please let us know.

↗️ @jridgewell/sourcemap-codec (indirect, 1.4.15 → 1.5.5) · Repo · Changelog

↗️ @jridgewell/trace-mapping (indirect, 0.3.20 → 0.3.31) · Repo · Changelog

Release Notes

0.3.24

What's Changed

Add ignoreList (and x_google_ignoreList) support: 1027ce6

Full Changelog: v0.3.23...v0.3.24

0.3.23

Full Changelog: v0.3.22...v0.3.23

0.3.22

What's Changed

Specify all exported types to unbreak TS v4.* by @jridgewell in #34

Full Changelog: v0.3.21...v0.3.22

0.3.21

What's Changed

Use export type * by @jridgewell in #32

Full Changelog: v0.3.20...v0.3.21

Does any of this look wrong? Please let us know.

↗️ @next/env (indirect, 12.3.4 → 16.2.6) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ @next/eslint-plugin-next (indirect, 12.3.1 → 16.2.6)

Sorry, we couldn’t find anything useful about this release.

↗️ @swc/helpers (indirect, 0.4.11 → 0.5.15) · Repo · Changelog

↗️ @typescript-eslint/parser (indirect, 5.62.0 → 8.59.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ @typescript-eslint/scope-manager (indirect, 5.62.0 → 8.59.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ @typescript-eslint/types (indirect, 5.62.0 → 8.59.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ @typescript-eslint/typescript-estree (indirect, 5.62.0 → 8.59.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ @typescript-eslint/visitor-keys (indirect, 5.62.0 → 8.59.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ array-includes (indirect, 3.1.7 → 3.1.9) · Repo · Changelog

Release Notes

3.1.9 (from changelog)

Commits

[Deps] update call-bind, es-abstract, es-object-atoms, get-intrinsic, is-string 3b934ae

[Refactor] use call-bound and math-intrinsics directly 160ea60

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, hastrict-mode, tape 4e4c67d

[Tests] replace aud with npm audit 9c5ec1c

[Dev Deps] add missing peer dep 863d207

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ array.prototype.flat (indirect, 1.3.2 → 1.3.3) · Repo · Changelog

Release Notes

1.3.3 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 1afcd57

[Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables 152c437

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, function-bind npmignore, object-inspect, tape e39e33d

[Tests] replace aud with npm audit 6868723

[Dev Deps] add missing peer dep 800f3e3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ array.prototype.flatmap (indirect, 1.3.2 → 1.3.3) · Repo · Changelog

Release Notes

1.3.3 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 8727281

[Tests] add test coverage 6e78327

[Deps] update call-bind, es-abstract e027dd1

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, object-inspect, tape 7322d84

[Dev Deps] update aud, npmignore, object-inspect, tape 958bf5c

[Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables b3698fb

[Tests] replace aud with npm audit e0461ed

[Dev Deps] add missing peer dep e7160b5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ array.prototype.tosorted (indirect, 1.1.2 → 1.1.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ available-typed-arrays (indirect, 1.0.5 → 1.0.7) · Repo · Changelog

Release Notes

1.0.7 (from changelog)

Commits

[Refactor] use possible-typed-array-names ac86abf

1.0.6 (from changelog)

Commits

[actions] reuse common workflows 1850353

[meta] use npmignore to autogenerate an npmignore file 5c7de12

[patch] add types fcfb0ea

[actions] update codecov uploader d844945

[Dev Deps] update eslint, @ljharb/eslint-config, array.prototype.every, safe-publish-latest, tape a2be6f4

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape b283a3e

[actions] update rebase action to use reusable workflow 0ad1f2d

[Dev Deps] update @ljharb/eslint-config, array.prototype.every, aud, tape cd36e81

[meta] simplify "exports" f696e5f

[Dev Deps] update aud, npmignore, tape bf20080

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

↗️ axe-core (indirect, 4.7.0 → 4.11.4) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ balanced-match (indirect, 2.0.0 → 4.0.4) · Repo

Release Notes

3.0.1

package.json: Switch from "main" to "exports" (#50) b704dff

Create CODE_OF_CONDUCT.md 7e7530b

Bump minimist from 1.2.5 to 1.2.8 (#49) 56630b9

v3.0.0...v3.0.1

3.0.0

Major change because this is an ESM now 👋 Nothing else major changed.

pkg: add engines d59077b

update standard, remove prettier-standard 7f569d3

modernize 436bcdd

add github actions ci (#48) dfbd94f

docs: update badges 37fe34f

Bump got and np (#47) 6bce041

Bump word-wrap from 1.2.3 to 1.2.4 (#46) eaa266f

Bump http-cache-semantics from 4.1.0 to 4.1.1 (#44) 4d80db3

Bump ansi-regex (#43) ebfcd39

Bump json5 from 1.0.1 to 1.0.2 (#42) ee6f172

Bump normalize-url from 4.5.0 to 4.5.1 (#38) 0d22310

Bump hosted-git-info from 2.8.8 to 2.8.9 (#39) 0063a93

Bump path-parse from 1.0.6 to 1.0.7 (#40) fffa66b

Bump trim-newlines from 3.0.0 to 3.0.1 (#37) 97bd4dd

added jsdoc (#35) 7e45d61

Update .npmignore (#34) 10eec4f

v2.0.0...v3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 32 commits:

↗️ browserslist (indirect, 4.22.1 → 4.28.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ call-bind (indirect, 1.0.5 → 1.0.9) · Repo · Changelog

Release Notes

1.0.9 (from changelog)

Commits

[Fix] correct .length computation when partial args exceed function arity 95c406d

[Dev Deps] update @ljharb/eslint-config, es-value-fixtures, eslint, for-each, has-strict-mode, npmignore, object-inspect 06a4e21

[Deps] update call-bind-apply-helpers, es-define-property, get-intrinsic 3fea81e

[readme] replace runkit CI badge with shields.io check-runs badge 23437d4

1.0.8 (from changelog)

Commits

[Refactor] extract out some helpers and avoid get-intrinsic usage 407fd5e

[Refactor] replace code with extracted call-bind-apply-helpers 81018fb

[Tests] use set-function-length/env 0fc311d

[actions] split out node 10-20, and 20+ 77a0cad

[Dev Deps] update @ljharb/eslint-config, auto-changelog, es-value-fixtures, gopd, object-inspect, tape a145d10

[Tests] replace aud with npm audit 30ca3dd

[Deps] update set-function-length 57c79a3

[Dev Deps] add missing peer dep 601cfa5

1.0.7 (from changelog)

Commits

[Refactor] use es-define-property 09b76a0

[Deps] update get-intrinsic, set-function-length ad5136d

1.0.6 (from changelog)

Commits

[Dev Deps] update aud, npmignore, tape d564d5c

[Deps] update get-intrinsic, set-function-length cfc2bdc

[Refactor] use es-errors, so things that only need those do not need get-intrinsic 64cd289

[meta] add missing engines.node 32a4038

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ caniuse-lite (indirect, 1.0.30001559 → 1.0.30001792) · Repo · Changelog

↗️ debug (indirect, 4.3.4 → 4.4.3) · Repo · Changelog

Security Advisories 🚨

🚨 debug@4.4.2 contains malware after npm account takeover

Impact

On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.

Patches

npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.

On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.

Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.

Those operating private registries or registry mirrors should purge the offending versions from any caches.

References

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack

https://www.ox.security/blog/npm-packages-compromised/

Point of Contact

In the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see Patches above), please reach out via one of the following channels of communication:

Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social

debug repository, tracking issue (applies to all packages affected in the breach): #1005

Release Notes

4.4.3

Functionally identical release to 4.4.1.

Version 4.4.2 is compromised. Please see #1005.

4.4.1

What's Changed

fix(Issue-996): replace whitespaces in namespaces string with commas globally by @pdahal-cx in #997

fixes #987 fallback to localStorage.DEBUG if debug is not defined by @lzilioli in #988

New Contributors

@pdahal-cx made their first contribution in #997

@lzilioli made their first contribution in #988

Full Changelog: 4.4.0...4.4.1

4.4.0

Fixes (hopefully) the inefficient regex warnings in .enable().

Minor version as this is invariably going to break certain users who misuse the .enable() API and expected it to work with regexes, which was never supported nor documented. That's on you, sorry - that functionality won't be added back.

Full Changelog: 4.3.7...4.4.0

4.3.7

What's Changed

Upgrade ms to version 2.1.3 by @realityking in #819

Full Changelog: 4.3.6...4.3.7

4.3.6

What's Changed

Avoid using deprecated RegExp.$1 by @bluwy in #969

New Contributors

@bluwy made their first contribution in #969

Full Changelog: 4.3.5...4.3.6

4.3.5

Patch

cac39b1 Fix/debug depth (#926)

Thank you @calvintwr for the fix.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

↗️ define-data-property (indirect, 1.1.1 → 1.1.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ detect-libc (indirect, 2.0.2 → 2.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ electron-to-chromium (indirect, 1.4.576 → 1.5.353) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ es-abstract (indirect, 1.22.3 → 1.24.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ es-set-tostringtag (indirect, 2.0.2 → 2.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 18 commits:

↗️ es-to-primitive (indirect, 1.2.1 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0 (from changelog)

Commits

[actions] reuse common workflows bb72efc

[Tests] use es-value-fixtures a912f7b

[Tests] migrate tests to Github Actions 510baf0

[New] add types 69ba1fd

[meta] remove unused Makefile 4ea66e6

[actions] use node/install instead of node/run; use codecov action 3c31937

[meta] do not publish github action workflow files 389567e

[meta] use npmignore to autogenerate an npmignore file 9f3aa76

[actions] split out node 10-20, and 20+ c60d7d8

[Tests] run nyc on all tests; use tape runner 29cbb89

[meta] add auto-changelog ea744b2

[Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, has-symbols, object-inspect, object-is, tape e5c3c79

[actions] add automatic rebasing / merge commit blocking a5a6f00

[Dev Deps] update @ljharb/eslint-config, es-value-fixtures, function.prototype.name, npmignore, object-inspect, object-is, tape 7941fd5

[Dev Deps] update eslint, @ljharb/eslint-config, aud, es-value-fixtures, foreach, object-inspect, tape eb1c79c

[Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, object-inspect, safe-publish-latest, tape 249b42f

[Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, object-inspect, object-is, tape d57d5e9

[actions] update codecov uploader 003b62c

[actions] add "Allow Edits" workflow 75ee990

[Dev Deps] update eslint, @ljharb/eslint-config, tape, object-is; add safe-publish-latest ba5da7b

[readme] remove travis badge 6f7aec7

[Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, tape 3291fd5

[Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, has-symbols, object-inspect 53007f2

[actions] update checkout action 69640db

[Dev Deps] update eslint, @ljharb/eslint-config, object-is, tape; add aud c9d644e

[Tests] use for-each instead of foreach e9117bb

[readme] add github actions/codecov badges 53cd375

[Deps] update is-callable, is-date-object, is-symbol 8116c68

[Tests] fix test skipping for Symbol.toPrimitive e6268ef

[actions] switch Automatic Rebase workflow to pull_request_target event da41c40

[Deps] update is-callable, is-date-object 96fe13f

[Tests] replace aud with npm audit 0b53154

[meta] use prepublishOnly script for npm 7+ 9d7d485

[Deps] update is-callable 3c990b6

[Deps] update is-callable 9bcfff2

[Deps] update is-callable 1eb5478

[meta] only run aud on prod deps 1fcd896

[Deps] update is-symbol 7174a47

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

↗️ escalade (indirect, 3.1.1 → 3.2.0) · Repo

Release Notes

3.2.0

Patches

Declare separate ESM and CommonJS TypeScript definitions: a72e1c3
Previously, only ESM definitions were shipped but were exported in a way that could cause tool/resolution ambiguity.

Chores

Update Node.js version matrix in CI suite: a8c6820

Full Changelog: v3.1.2...v3.2.0

3.1.2

Patches

Support TypeScript’s nodenext module resolution mode (#10): d872fbd

Thank you @NMinhNguyen

Chores

Add licenses.dev badge to README: 02dcb8b

Update CI matrix versions: 3c916b2

Full Changelog: v3.1.1...v3.1.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ eslint-import-resolver-node (indirect, 0.3.9 → 0.3.10) · Repo · Changelog

Release Notes

0.3.10

Added rule no-reassign, made some mistakes publishing to npm. 😳

Does any of this look wrong? Please let us know.

↗️ eslint-import-resolver-typescript (indirect, 2.7.1 → 3.10.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-module-utils (indirect, 2.8.0 → 2.12.1) · Repo · Changelog

Release Notes

2.12.0 (from changelog)

Added

Ignore type imports for named rule (#931, thanks @mattijsbliek)

Add documentation for no-useless-path-segments rule (#1068, thanks @manovotny)

packageDir option for no-extraneous-dependencies can be array-valued (#1085, thanks @hulkish)

2.11.0 (from changelog)

Added

Fixer for first (#1046, thanks @fengkfengk)

allow-require option for no-commonjs rule (#880, thanks @futpib)

Fixed

memory/CPU regression where ASTs were held in memory (#1058, thanks @klimashkin/@lukeapage)

2.10.0 (from changelog)

Added

Autofixer for order rule (#908, thanks @tihonove)

Add no-cycle rule: reports import cycles.

2.9.0 (from changelog)

Added

Add group-exports rule: style-guide rule to report use of multiple named exports (#721, thanks @robertrossmann)

Add no-self-import rule: forbids a module from importing itself. (#727, #449, #447, thanks @giodamelio).

Add no-default-export rule (#889, thanks @isiahmeadows)

Add no-useless-path-segments rule (#912, thanks @graingert and @danny-andrews)

... and more! check the commits for v2.9.0

Does any of this look wrong? Please let us know.

↗️ eslint-plugin-import (indirect, 2.29.0 → 2.32.0) · Repo · Changelog

Release Notes

2.32.0

Added

add enforce-node-protocol-usage rule and import/node-version setting (#3024, thanks @GoldStrikeArch and @sevenc-nanashi)

add TypeScript types (#3097, thanks @G-Rath)

extensions: add `pathGroupOverrides to allow enforcement decision overrides based on specifier (#3105, thanks @Xunnamius)

order: add sortTypesGroup option to allow intragroup sorting of type-only imports (#3104, thanks @Xunnamius)

order: add newlines-between-types option to control intragroup sorting of type-only imports (#3127, thanks @Xunnamius)

order: add consolidateIslands option to collapse excess spacing for aesthetically pleasing imports (#3129, thanks @Xunnamius)

Fixed

no-unused-modules: provide more meaningful error message when no .eslintrc is present (#3116, thanks @michaelfaith)

configs: added missing name attribute for eslint config inspector (#3151, thanks @NishargShah)

order: ensure arcane imports do not cause undefined behavior (#3128, thanks @Xunnamius)

order: resolve undefined property access issue when using named ordering (#3166, thanks @Xunnamius)

enforce-node-protocol-usage: avoid a crash with some TS code (#3173, thanks @ljharb)

order: codify invariants from docs into config schema (#3152, thanks @Xunnamius)

Changed

[Docs] extensions, order: improve documentation (#3106, thanks @Xunnamius)

[Docs] add flat config guide for using tseslint.config() (#3125, thanks @lnuvy)

[Docs] add missing comma (#3122, thanks @RyanGst)

[readme] Update flatConfig example to include typescript config (#3138, thanks @intellix)

[Refactor] order: remove unnecessary negative check (#3167, thanks @JounQin)

[Docs] no-unused-modules: add missing double quote (#3191, thanks @albertpastrana)

[Docs] no-restricted-paths: clarify wording and fix errors (#3172, thanks @greim)

2.31.0

Added

support eslint v9 (#2996, thanks @G-Rath @michaelfaith)

order: allow validating named imports (#3043, thanks @manuth)

extensions: add the checkTypeImports option (#2817, thanks @phryneas)

Fixed

ExportMap / flat config: include languageOptions in context (#3052, thanks @michaelfaith)

no-named-as-default: Allow using an identifier if the export is both a named and a default export (#3032, thanks @akwodkiewicz)

export: False positive for exported overloaded functions in TS (#3065, thanks @liuxingbaoyu)

exportMap: export map cache is tainted by unreliable parse results (#3062, thanks @michaelfaith)

exportMap: improve cacheKey when using flat config (#3072, thanks @michaelfaith)

adjust "is source type module" checks for flat config (#2996, thanks @G-Rath)

Changed

[Docs] no-relative-packages: fix typo (#3066, thanks @joshuaobrien)

[Performance] no-cycle: dont scc for each linted file (#3068, thanks @soryy708)

[Docs] no-cycle: add disableScc to docs (#3070, thanks @soryy708)

[Tests] use re-exported RuleTester (#3071, thanks @G-Rath)

[Docs] no-restricted-paths: fix grammar (#3073, thanks @unbeauvoyage)

[Tests] no-default-export, no-named-export: add test case (thanks @G-Rath)

2.30.0

Added

dynamic-import-chunkname: add allowEmpty option to allow empty leading comments (#2942, thanks @JiangWeixian)

dynamic-import-chunkname: Allow empty chunk name when webpackMode: 'eager' is set; add suggestions to remove name in eager mode (#3004, thanks @amsardesai)

no-unused-modules: Add ignoreUnusedTypeExports option (#3011, thanks @silverwind)

add support for Flat Config (#3018, thanks @michaelfaith)

Fixed

no-extraneous-dependencies: allow wrong path (#3012, thanks @chabb)

no-cycle: use scc algorithm to optimize (#2998, thanks @soryy708)

no-duplicates: Removing duplicates breaks in TypeScript (#3033, thanks @yesl-kim)

newline-after-import: fix considerComments option when require (#2952, thanks @developer-bandi)

order: do not compare first path segment for relative paths (#2682) (#2885, thanks @mihkeleidast)

Changed

[Docs] no-extraneous-dependencies: Make glob pattern description more explicit (#2944, thanks @mulztob)

no-unused-modules: add console message to help debug #2866

[Refactor] ExportMap: make procedures static instead of monkeypatching exportmap (#2982, thanks @soryy708)

[Refactor] ExportMap: separate ExportMap instance from its builder logic (#2985, thanks @soryy708)

[Docs] order: Add a quick note on how unbound imports and --fix (#2640, thanks @minervabot)

[Tests] appveyor -> GHA (run tests on Windows in both pwsh and WSL + Ubuntu) (#2987, thanks @joeyguerra)

[actions] migrate OSX tests to GHA (ljharb#37, thanks @aks-)

[Refactor] exportMapBuilder: avoid hoisting (#2989, thanks @soryy708)

[Refactor] ExportMap: extract "builder" logic to separate files (#2991, thanks @soryy708)

[Docs] order: update the description of the pathGroupsExcludedImportTypes option (#3036, thanks @liby)

[readme] Clarify how to install the plugin (#2993, thanks @jwbth)

2.29.1

Full Changelog: v2.29.0...v2.29.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Release Notes

6.10.2 (from changelog)

Fixed

[patch] no-redundandant-roles: allow <img src="*.svg" role="img" /> #936

Commits

[meta] fix changelog URLs 0d01a1a

[Refactor] remove no-longer-needed es-iterator-helpers aa075bd

[Refactor] avoid spreading things that are already arrays d15d3ab

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register 5dad7c4

[Tests] aria-role: Add valid test for <svg role="img" /> daba189

[Docs] label-has-associated-control: add line breaks for readability 0bc6378

[Tests] label-has-associated-control: add additional test cases 30d2318

[Tests] Add tests to reinforce required attributes for role="heading" d92446c

6.10.1 (from changelog)

Commits

[Fix] handle interactive/noninteractive changes from aria-query 4925ba8

[Docs] Use consistent spelling of 'screen reader' cb6788c

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, auto-changelog, eslint-plugin-import, tape 518a77e

[Deps] update es-iterator-helpers, string.prototype.includes eed03a3

[meta] package.json - Update jscodeshift & remove babel-jest 2ee940c

[Docs] Remove accidental whitespace in CONTRIBUTING.md a262131

[Deps] unpin aria-query e517937

6.10.0 (from changelog)

Fixed

[New] label-has-associated-control: add additional error message #1005

[Fix] label-has-associated-control: ignore undetermined label text #966

Commits

[Tests] switch from jest to tape a284cbf

[New] add eslint 9 support deac4fd

[New] add attributes setting a1ee7f8

[New] allow polymorphic linting to be restricted 6cd1a70

[Tests] remove duplicate tests 74d5dec

[Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types 6eca235

[readme] remove deprecated travis ci badge; add github actions badge 0be7ea9

[Tests] use npm audit instead of aud 05a5e49

[Deps] update axobject-query 912e98c

[Deps] unpin axobject-query 75147aa

[Deps] update axe-core 27ff7cb

[readme] fix jsxA11y import name ce846e0

[readme] fix typo in shareable config section in readme cca288b

6.9.0

Added

add support for Flat Config 6b5f096

no-noninteractive-element-to-interactive-role: allow menuitemradio and menuitemcheckbox on <li> c0733f9

Fixed

img-redundant-alt: fixed multibyte character support #969

Revert "[Fix] isNonInteractiveElement: Upgrade aria-query to 5.3.0 and axobject-query to 3.2.1" 75d5dd7

ensure summary remains non-interactive 6a048da

Changed

[meta] fix changelog links #960

[Robustness] use safe-regex-test 4c7e781

[actions] update actions/checkout 51a1ca7

[Deps] pin aria-query and axobject-query, add ls-engines test to CI 32fd82c

[Deps] remove @babel/runtime 0a98ad8

[Deps] unpin axe-core b3559cf

[Deps] move object.entries to dev deps 1be7b70

Full Changelog: v6.8.0...v6.9.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 55 commits:

↗️ eslint-plugin-react (indirect, 7.33.2 → 7.37.5) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-plugin-react-hooks (indirect, 4.6.0 → 7.1.1) · Repo · Changelog

↗️ for-each (indirect, 0.3.3 → 0.3.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ function.prototype.name (indirect, 1.1.6 → 1.1.8) · Repo · Changelog

Release Notes

1.1.8 (from changelog)

Commits

[actions] split out node 10-20, and 20+ b5ea555

[Refactor] use call-bound directly f6a6c64

1.1.7 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 47155b0

[Refactor] use hasown and is-callable directly, instead of es-abstract d5118d6

[Deps] update call-bind, define-properties, es-abstract cfa8b2e

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, npmignore, tape 2077d9a

[Tests] replace aud with npm audit 219e0a4

[Dev Deps] add missing peer dep 0b16b2b

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ get-intrinsic (indirect, 1.2.2 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0 (from changelog)

Commits

[Dev Deps] update es-abstract, es-value-fixtures, for-each, object-inspect 9b61553

[Deps] update call-bind-apply-helpers, es-object-atoms, get-proto a341fee

[New] add Float16Array de22116

1.2.7 (from changelog)

Commits

[Refactor] use get-proto directly 00ab955

[Deps] update math-intrinsics c716cdd

[Dev Deps] update call-bound, es-abstract dc648a6

1.2.6 (from changelog)

Commits

[Refactor] use math-intrinsics 841be86

[Refactor] use es-object-atoms 42057df

[Deps] update call-bind-apply-helpers 45afa24

[Dev Deps] update call-bound 9cba9c6

1.2.5 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 6e2b9dd

[Refactor] use dunder-proto and call-bind-apply-helpers instead of has-proto c095d17

[Refactor] use gopd 9841d5b

[Dev Deps] update @ljharb/eslint-config, auto-changelog, es-abstract, es-value-fixtures, gopd, mock-property, object-inspect, tape 2d07e01

[Deps] update gopd, has-proto, has-symbols, hasown 974d8bf

[Dev Deps] update call-bind, es-abstract, tape df9dde1

[Refactor] cache es-define-property as well 43ef543

[Deps] update has-proto, has-symbols, hasown ad4949d

[Tests] use call-bound directly ad5c406

[Deps] update has-proto, hasown 45414ca

[Tests] replace aud with npm audit 18d3509

[Deps] update es-define-property aadaa3b

[Dev Deps] add missing peer dep c296a16

1.2.4 (from changelog)

Commits

[Refactor] use all 7 <+ ES6 Errors from es-errors bcac811

1.2.3 (from changelog)

Commits

[Refactor] use es-errors, so things that only need those do not need get-intrinsic f11db9c

[Dev Deps] update aud, es-abstract, mock-property, npmignore b7ac7d1

[meta] simplify exports faa0cc6

[meta] add missing engines.node 774dd0b

[Dev Deps] update tape 5828e8e

[Robustness] use null objects for lookups eb9a11f

[meta] add sideEffects flag 89bcc7a

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:

↗️ globals (indirect, 11.12.0 → 16.4.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ globalthis (indirect, 1.0.3 → 1.0.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ gopd (indirect, 1.0.1 → 1.2.0) · Repo · Changelog

Release Notes

1.2.0 (from changelog)

Commits

[New] add gOPD entry point; remove get-intrinsic 5b61232

1.1.0 (from changelog)

Commits

[New] add types f585e39

[Dev Deps] update @ljharb/eslint-config, auto-changelog, tape 0b8e4fd

[Dev Deps] update aud, npmignore, tape 48378b2

[Dev Deps] update @ljharb/eslint-config, aud, tape 78099ee

[Tests] replace aud with npm audit 4e0d0ac

[meta] add missing engines.node 1443316

[Deps] update get-intrinsic eee5f51

[Deps] update get-intrinsic 550c378

[Dev Deps] add missing peer dep 8c2ecf8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ has-property-descriptors (indirect, 1.0.1 → 1.0.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ has-proto (indirect, 1.0.1 → 1.2.0) · Repo · Changelog

Release Notes

1.2.0 (from changelog)

Commits

[Refactor] use dunder-proto instead of call-bind 6e5e76c

[actions] split out node 10-20, and 20+ 3b8e9e6

[Dev Deps] update @ljharb/tsconfig, gopd 57bcd00

[actions] skip npm ls in node < 10 ce3a4d7

1.1.0 (from changelog)

Commits

[New] add accessor and mutator endpoints 144f6a9

[types] use shared config 8b597cf

[Refactor] cache result at module level 88418bd

[Dev Deps] update @ljharb/eslint-config, auto-changelog, tape d246200

[Deps] update gopd, reflect.getprototypeof 6f72364

[Tests] add @arethetypeswrong/cli 8194e1a

[Tests] replace aud with npm audit fd7ad11

[Dev Deps] update @types/tape 2695808

[Dev Deps] add missing peer dep fa4b2f7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ has-symbols (indirect, 1.0.3 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[actions] update workflows 548c0bf

[actions] further shard; update action deps bec56bb

[meta] use npmignore to autogenerate an npmignore file ac81032

[New] add types 6469cbf

[actions] update rebase action to use reusable workflow 9c9d4d0

[Dev Deps] update eslint, @ljharb/eslint-config, aud, tape adb5887

[Dev Deps] update @ljharb/eslint-config, aud, tape 13ec198

[Dev Deps] update auto-changelog, core-js, tape 941be52

[Tests] replace aud with npm audit 74f49e9

[Dev Deps] update npmignore 9c0ac04

[Dev Deps] add missing peer dep 52337a5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ has-tostringtag (indirect, 1.0.0 → 1.0.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ hasown (indirect, 2.0.0 → 2.0.3) · Repo · Changelog

Release Notes

2.0.3 (from changelog)

Commits

[actions] update workflows fb837b8

[Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, @ljharb/tsconfig, @types/tape, auto-changelog, eslint, mock-property, npmignore, tape f4b279b

[Dev Deps] update eslint, @ljharb/eslint-config; migrate to flat config 7e415ce

[Dev Deps] update eslint ef313da

[meta] use npm audit instead of aud d5c6d4d

[types] add overload that narrows the key cc03a09

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ is-bigint (indirect, 1.0.4 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 0e63a44

[meta] use npmignore to autogenerate an npmignore file 47584ee

[Tests] use for-each and es-value-fixtures f226864

[New] add types 78e2c47

[actions] split out node 10-20, and 20+ 4395a8d

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, has-symbols, object-inspect, tape c188501

[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 5360d32

[actions] update rebase action to use reusable workflow d5c1775

[actions] update codecov uploader c7478c7

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, tape 6fbce66

[meta] add missing engines.node 6f9ed42

[Tests] replace aud with npm audit 21846c3

[Dev Deps] remove unused has-symbols, add missing has-tostringtag b378d94

[Deps] update has-bigints f46c35b

[Dev Deps] add missing peer dep 2b9be16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ is-boolean-object (indirect, 1.1.2 → 1.2.2) · Repo · Changelog

Release Notes

1.2.2 (from changelog)

Fixed

[Fix] do not be tricked by fake Booleans #25

Commits

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape, core-js a27608b

[Deps] update call-bound b19953f

1.2.1 (from changelog)

Commits

[Refactor] use call-bound directly bb5aa26

1.2.0 (from changelog)

Commits

[actions] reuse common workflows 380fa25

[meta] use npmignore to autogenerate an npmignore file befa203

[actions] split out node 10-20, and 20+ ca31663

[New] add types 6d58609

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 06cc67e

[actions] update codecov uploader 0722346

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 100acdf

[actions] update rebase action to use reusable workflow 26333ff

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape fde97ee

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f5ed3c8

[Deps] update call-bind, has-tostringtag 61912e2

[Tests] replace aud with npm audit c6a0db5

[meta] better eccheck command 3a59ec6

[Dev Deps] add missing peer dep c0e10db

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ is-core-module (indirect, 2.13.1 → 2.16.2) · Repo · Changelog

Release Notes

2.16.2 (from changelog)

Commits

[Tests] increase coverage 1fc59fe

[actions] update workflows 0f6217b

[Fix] node 26 drops stream* modules 3acff68

[Dev Deps] update @ljharb/eslint-config, eslint, npmignore f06678c

[Deps] update hasown d9eae68

[Dev Deps] update @ljharb/eslint-config 8273701

[readme] replace runkit CI badge with shields.io check-runs badge 6b86754

2.16.1 (from changelog)

Fixed

[Fix] node:sqlite is available in node ^22.13 #17

2.16.0 (from changelog)

Commits

[New] add node:sqlite 1ee94d2

[Dev Deps] update auto-changelog, tape aa84aa3

2.15.1 (from changelog)

Commits

[Tests] add process.getBuiltinModule tests 28c7791

[Fix] test/mock_loader is no longer exposed as of v22.7 68b08b0

[Tests] replace aud with npm audit 32f8060

[Dev Deps] update mock-property f7d3c8f

[Dev Deps] add missing peer dep eaee885

2.15.0 (from changelog)

Commits

[New] add node:sea 2819fb3

2.14.0 (from changelog)

Commits

[Dev Deps] update @ljharb/eslint-config, aud, mock-property, npmignore, tape 0e43200

[meta] add missing engines.node 4ea3af8

[New] add test/mock_loader e9fbd29

[Deps] update hasown 57f1940

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ is-date-object (indirect, 1.0.5 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 35c5af0

[meta] use npmignore to autogenerate an npmignore file db6113c

[New] add types 4f1d9b3

[actions] split out node 10-20, and 20+ c9a1e4f

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 35a2864

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape b670bca

[actions] update rebase action to use reusable workflow d6bb341

[actions] update codecov uploader f850678

[Robustness] use call-bound 18ed326

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape f0e792f

[meta] add exports field 342351f

[Tests] replace aud with npm audit 9b9b9cf

[Deps] update has-tostringtag 1bc37ab

[meta] add sideEffects flag 86d3a16

[Dev Deps] add missing peer dep fee274d

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ is-negative-zero (indirect, 2.0.2 → 2.0.3) · Repo · Changelog

Release Notes

2.0.3 (from changelog)

Commits

add types e28f0d5

[meta] use npmignore to autogenerate an npmignore file f68ec13

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape 70abff7

[actions] update rebase action to use reusable workflow 6e1356e

[Dev Deps] update @ljharb/eslint-config, aud, npmignore, tape c00d4ab

[meta] add sideEffects flag 9c45539

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ is-number-object (indirect, 1.0.7 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape 00d566d

[Refactor] use call-bound directly 073d5df

[Deps] update call-bind 36c84af

1.1.0 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file cb8423c

[New] add types 273e406

[actions] split out node 10-20, and 20+ 3da6267

[Robustness] use call-bind 834c098

[actions] update rebase action to use reusable workflow 84a8a9f

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7275bca

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 49a83aa

[Tests] replace aud with npm audit 061492b

[Refactor] avoid an expensive check, for null 08d29a8

[Deps] update has-tostringtag 4e2ad65

[Dev Deps] add missing peer dep 8228bfa

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ is-regex (indirect, 1.1.4 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

Commits

[Refactor] use call-bound directly dbabfe3

[Deps] update call-bind, gopd d5343a0

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig cc081eb

1.2.0 (from changelog)

Fixed

[Tests] allow tests to pass if zero traps are triggered #35

Commits

[actions] reuse common workflows be7bf6a

[New] add types 39066a4

[meta] use npmignore to autogenerate an npmignore file 8938588

[Refactor] reorganize code 2f76f26

[actions] split out node 10-20, and 20+ 8c9aedf

[meta] better eccheck command 6b39408

[Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape e38cf3c

[actions] update codecov uploader 487c75d

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, foreach, tape 0d7da87

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape c1c1198

[actions] update rebase action to use reusable workflow 213646e

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 0a44e77

[Refactor] use hasown d939332

[Deps] update call-bind, has-tostringtag 46bfdc9

[Tests] use for-each instead of foreach 138b3f2

[Tests] replace aud with npm audit 37ed80a

[Deps] update gopd 6fd4097

[Dev Deps] update core-js 97c1c60

[Dev Deps] add missing peer dep 7329b8e

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ is-string (indirect, 1.0.7 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape c1f7ef7

[Refactor] use call-bound directly ba8a78f

[Deps] update call-bind 93c352f

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 12aa75b

[meta] use npmignore to autogenerate an npmignore file 6401572

[actions] split out node 10-20, and 20+ 223540c

[New] add types 7e83d67

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape febd26e

[readme] add github actions/codecov badges; update URLs f6bf065

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, core-js, tape 8afc37a

[Robustness] use call-bind ac86dd7

[actions] update rebase action to use reusable workflow 77058c8

[actions] update codecov uploader 4312be5

[Dev Deps] update eslint, @ljharb/eslint-config, aud, core-js, tape 98c3779

[Dev Deps] update @ljharb/eslint-config, auto-changelog, core-js, npmignore, tape 7d8e0e5

[Dev Deps] update eslint, @ljharb/eslint-config, core-js, safe-publish-latest, tape 3284ad1

[Tests] replace aud with npm audit 8cb7ea7

[Refactor] skip expensive check, for null 20fde50

[Deps] update has-tostringtag b67a78d

[meta] fix repo URL 1a2ee6b

[meta] better eccheck command 6913c75

[Dev Deps] add missing peer dep 8ac8551

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ is-symbol (indirect, 1.0.4 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[actions] re-add finishers 9b9d06f

[Deps] update call-bind, has-symbols, safe-regex-test 07f3647

[Refactor] use call-bound directly 799402d

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig 4b8b2f9

[types] remove unneeded DT packages 398abaa

1.1.0 (from changelog)

Commits

[actions] reuse common workflows acf85f0

[meta] use npmignore to autogenerate an npmignore file 77c818e

[Tests] use for-each and es-value-fixtures 93dfed0

[New] add types ed6a057

[actions] split out node 10-20, and 20+ 7f81ccc

[Robustness] use call-bind and safe-regex-test dc7e142

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, tape 70f87c2

[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, safe-publish-latest, tape 3f02ff4

[Dev Deps] update @ljharb/eslint-config, auto-changelog, has-tostringtag, npmignore, object-inspect, tape 9588872

[actions] update rebase action to use reusable workflow 59e2f68

[actions] update codecov uploader e4759f8

[Dev Deps] update eslint, auto-changelog, object-inspect, tape 33990c0

[Tests] use has-tostringtag for more robust Symbol.toStringTag detection d6154e1

[Tests] replace aud with npm audit 3215a60

[Refactor] avoid an expensive check, for primitives 59f1a42

[Deps] update has-symbols 06be1a9

[Dev Deps] add missing peer dep 799b0da

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ is-typed-array (indirect, 1.1.12 → 1.1.15) · Repo · Changelog

Release Notes

1.1.15 (from changelog)

Commits

[types] improve types d934b49

[Dev Deps] update @types/tape da26511

1.1.14 (from changelog)

Commits

[types] use shared config eafa7fa

[actions] split out node 10-20, and 20+ cd6d5a3

[types] use which-typed-array’s TypedArray type; re-export it d7d9fcd

[Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, @ljharb/tsconfig, @types/node, @types/object-inspect, @types/tape, auto-changelog, object-inspect, tape 65afb42

[Dev Deps] update @types/node, has-tostringtag, tape 9e27ddd

[Tests] replace aud with npm audit ad4defe

[Tests] use @arethetypeswrong/cli ac4bcca

[Deps] update which-typed-array c298129

[Deps] update which-typed-array 744c29a

[Dev Deps] add missing peer dep 94d2f5a

1.1.13 (from changelog)

Commits

[patch] add types 8a8a679

[Dev Deps] update aud, has-tostringtag, npmignore, object-inspect, tape 8146b60

[actions] optimize finishers 34f875a

[Deps] update which-typed-array 19c974f

[meta] add sideEffects flag 0b68e5e

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ jsesc (indirect, 2.5.2 → 3.1.0) · Repo

Commits

See the full diff on Github. The new version differs by 18 commits:

↗️ ms (indirect, 2.1.2 → 2.1.3) · Repo

Release Notes

2.1.3

Patches

Rename zeit to vercel: #151

Bump eslint from 4.12.1 to 4.18.2: #122

Add prettier as a dev dependency: #135 #153

Use GitHub Actions CI: #154

Credits

Huge thanks to @getsnoopy for helping!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ node-releases (indirect, 2.0.13 → 2.0.38) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ object-inspect (indirect, 1.13.1 → 1.13.4) · Repo · Changelog

Release Notes

1.13.4 (from changelog)

Commits

[Fix] avoid being fooled by a Symbol.toStringTag fa5870d

[Tests] fix tests in node v6.0 - v6.4 2abfe1b

[Dev Deps] update es-value-fixtures, for-each, has-symbols 3edfb01

1.13.3 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 44395a8

[Fix] quoteStyle: properly escape only the containing quotes 5137f8f

[Refactor] clean up quoteStyle code 450680c

[Tests] add quoteStyle escaping tests e997c59

[Dev Deps] update auto-changelog, es-value-fixtures, tape d5a469c

[Tests] replace aud with npm audit fb7815f

[Dev Deps] update mock-property 11c817b

1.13.2 (from changelog)

Commits

[readme] update badges 8a51e6b

[Dev Deps] update @ljharb/eslint-config, tape ef05f58

[Dev Deps] update error-cause, has-tostringtag, tape c0c6c26

[Fix] Don't throw when global is not defined d4d0965

[meta] add missing engines.node 17a352a

[Dev Deps] update globalthis 9c08884

[Dev Deps] update error-cause 6af352d

[Dev Deps] update npmignore 94e617d

[Dev Deps] update mock-property 2ac24d7

[Dev Deps] update tape 46125e5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ object.assign (indirect, 4.1.4 → 4.1.7) · Repo · Changelog

Release Notes

4.1.7 (from changelog)

[Deps] add missing es-object-atoms (#86)

4.1.6 (from changelog)

[Refactor] use call-bound directly; use es-object-atoms

[Deps] update call-bind, has-symbols

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, hasown, mock-property, ses, tape

[actions] split out node 10-20, and 20+

[actions] remove redundant finisher

[Tests] replace aud with npm audit

4.1.5 (from changelog)

[meta] republish without testing HTML file (#85)

[Deps] update call-bind, define-properties

[Dev Deps] use hasown instead of has

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, npmignore, mock-property, tape

[actions] update rebase action

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 32 commits:

↗️ object.entries (indirect, 1.1.7 → 1.1.9) · Repo · Changelog

↗️ object.fromentries (indirect, 2.0.7 → 2.0.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ object.values (indirect, 1.1.7 → 1.2.1) · Repo · Changelog

↗️ picocolors (indirect, 1.0.0 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1

What's new?

Moved TypeScript declarations to a d.ts file #82

Reworked color detection algorithm to properly work with empty strings in NO_COLOR and FORCE_COLOR env variables #87

Eliminated require() call to make the package compatible with some tools #87

1.1.0

What's new?

Added bright color variants #55

1.0.1

What's new?

Updated color detection mechanism to work properly on Vercel Edge Runtime #64

Remove use of recursion to avoid possible stack overflow for very long inputs #56

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

↗️ resolve (indirect, 2.0.0-next.5 → 2.0.0-next.6) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ safe-regex-test (indirect, 1.0.0 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[actions] split out node 10-20, and 20+ b4a46bb

[New] add types 5cb24eb

[Dev Deps] update @ljharb/eslint-config, auto-changelog, es-value-fixtures, object-inspect, tape e225ca0

[Refactor] use call-bound directly 9be3cd2

[Deps] update call-bind, is-regex 524b736

[Tests] replace aud with npm audit f3cd537

[Dev Deps] add missing peer dep 14da559

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ set-function-length (indirect, 1.1.1 → 1.2.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ side-channel (indirect, 1.0.4 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[Refactor] extract implementations to side-channel-weakmap, side-channel-map, side-channel-list ada5955

[New] add channel.delete c01d2d3

[types] improve types 0c54356

[readme] add content be24868

[actions] split out node 10-20, and 20+ c4488e2

[types] use shared tsconfig 0e0d57c

[Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, @types/get-intrinsic, @types/object-inspect, @types/tape, auto-changelog, tape fb4f622

[Deps] update call-bind, get-intrinsic, object-inspect b78336b

[Tests] replace aud with npm audit ee3ab46

[Dev Deps] add missing peer dep c03e21a

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ string.prototype.matchall (indirect, 4.0.10 → 4.0.12) · Repo · Changelog

Release Notes

4.0.12 (from changelog)

Commits

[actions] split out node 10-20, and 20+ ec6bcb6

[Deps] update call-bind, es-abstract, get-intrinsic, gopd, has-symbols, internal-slot, regexp.prototype.flags, side-channel 993a80c

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, mock-property, object-inspect, object.assign, tape 50e0c52

[Refactor] use call-bound directly 72c0fe1

[Tests] replace aud with npm audit 3a4bccb

[readme] remove dead badges ae4bdb2

[Dev Deps] add missing peer dep 14ceede

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ string.prototype.trim (indirect, 1.2.8 → 1.2.10) · Repo · Changelog

Release Notes

1.2.10 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 335d99a

[Refactor] use define-data-property and has-property-descriptors directly 2e0c2e9

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, tape 138d3db

[Deps] update call-bind, es-abstract 3a06731

[Refactor] use call-bound directly 9499206

[Tests] replace aud with npm audit c88a935

[Dev Deps] add missing dev dep 9667c7d

[Dev Deps] add missing peer dep 6417c72

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ string.prototype.trimend (indirect, 1.0.7 → 1.0.9) · Repo · Changelog

Release Notes

1.0.9 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 7e5ffdc

[meta] sort package.json mildly 2f99c8b

[Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, tape 2774fe6

[Refactor] use call-bound directly 9e3bbec

[Tests] replace aud with npm audit cb9a462

[meta] add missing engines.node f46c829

[Deps] update call-bind e892c32

[Dev Deps] add missing peer dep e1a59da

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ string.prototype.trimstart (indirect, 1.0.7 → 1.0.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ styled-jsx (indirect, 5.0.7 → 5.1.6) · Repo · Changelog

Release Notes

5.1.6

5.1.6 (2024-05-24)

Bug Fixes

Move TypeScript to devDependencies (#848) (d5bd4ed)

5.1.5

5.1.5 (2024-05-24)

Bug Fixes

Correct context for declaration files (#847) (3e372f2)

5.1.4

5.1.4 (2024-05-24)

Bug Fixes

Use scoped JSX namespace (#846) (0254816)

5.1.3

5.1.3 (2024-05-07)

Bug Fixes

bump peer dep for react 19 (#844) (18ddefd)

5.1.2

5.1.2 (2023-01-25)

Bug Fixes

including global typing (#826) (5870e59)

5.1.1

5.1.1 (2022-12-15)

Bug Fixes

typo in macro typing (#822) (d0b2f75)

5.1.0

5.1.0 (2022-10-17)

Features

styled-jsx as client-only for rsc (#816) (ea0432b)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ tsconfig-paths (indirect, 3.14.2 → 3.15.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ unbox-primitive (indirect, 1.0.2 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

Commits

[meta] use npmignore to autogenerate an npmignore file 348a5ad

[New] add types a324230

[Tests] use es-value-fixtures a321ae5

[actions] split out node 10-20, and 20+ 04a0e0d

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, object-is, tape 7fff971

[actions] update rebase action 91d6807

[Deps] update call-bind, has-symbols, which-boxed-primitive f8b6597

[Dev Deps] update aud, object-inspect, tape b3362a1

[Refactor] use call-bound directly e29ff5f

[meta] add missing engines.node d3420bc

[Tests] replace aud with npm audit 5e6a6d0

[Deps] update which-boxed-primitive 0ff873d

[Dev Deps] update aud dd0e373

[Dev Deps] add missing peer dep 4f79b24

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

↗️ update-browserslist-db (indirect, 1.0.13 → 1.2.3) · Repo · Changelog

Release Notes

1.2.3

Fixed bun support (by @cehenriques).

1.2.2

Fixed update on depth in pnpm config.

1.2.1

Fix ERR_PNPM_NO_PACKAGE_IN_DEPENDENCIES error on pnpm with old Browserslist.

1.2.0

Add Baseline data updating too.

1.1.4

Fixed package.json changes on pnpm update.

1.1.3

Fixed Bun support.

1.1.2

Use less aggressive message on browsers diff error.

1.1.1

Fixed types.

1.0.16

Fixed old Node.js support.

1.0.15

Fixed warning on missed browserslist in direct dependencies.

1.0.14

Another way to fix yarn and Hadoop CLI conflict (by Al Amin Ahamed).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ which-boxed-primitive (indirect, 1.0.2 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

Commits

[Deps] update is-boolean-object, is-number-object, is-string, is-symbol 5266e0c

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape a660339

1.1.0 (from changelog)

Commits

[actions] reuse common workflows 893df44

[meta] use npmignore to autogenerate an npmignore file bab1ff8

[Tests] use es-value-fixtures and for-each ecacfa0

[New] add types ab38e78

[actions] split out node 10-20, and 20+ 7ee9c3c

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, object-inspect, safe-publish-latest, tape 142215a

[Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, has-symbols, object-inspect, tape 3559371

[actions] update rebase action to use reusable workflow 928901a

[Deps] update is-bigint, is-boolean-object, is-number-object, is-string, is-symbol f7b14be

[Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, object-inspect, tape 5296738

[Deps] update is-bigint, is-boolean-object, is-number-object, is-string, is-symbol caa6d1c

[meta] add missing engines.node ca40880

[Tests] replace aud with npm audit b0f4069

[Dev Deps] update aud 8d0e336

[Deps] update is-number-object eafcabf

[Dev Deps] add missing peer dep ec4dd52

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ which-typed-array (indirect, 1.1.13 → 1.1.20) · Repo · Changelog

Release Notes

1.1.20 (from changelog)

Commits

[types] add Float16Array to TypedArray b04301f

[Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, eslint, make-generator-function, npmignore 215b3a1

[readme] replace runkit CI badge with shields.io check-runs badge 32def83

1.1.19 (from changelog)

Commits

[Refactor] use get-proto, improve types e05d535

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape 0dade9c

[Deps] update call-bound, for-each 490791a

[Tests] skip npm ls in older nodes f83aaca

[Dev Deps] update @ljharb/tsconfig 63c4795

1.1.18 (from changelog)

Commits

[types] improve types 4b57173

[Dev Deps] update @types/tape 81853b0

1.1.17 (from changelog)

Commits

[types] improve types 86bc612

[Dev Deps] update @arethetypeswrong/cli, @ljharb/tsconfig, @types/tape 2e9bed6

[Deps] update call-bind, gopd 34579df

[Refactor] use call-bound directly 2a2d84e

1.1.16 (from changelog)

Commits

[actions] split out node 10-20, and 20+ 8e289a9

[Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, @types/node, @types/tape, auto-changelog, tape 3d4a678

[Tests] replace aud with npm audit 6fbada9

[types] add an additional overload db5a791

[Dev Deps] remove an unused DT package 6bfff4c

[Dev Deps] add missing peer dep 05fd582

1.1.15 (from changelog)

Commits

[types] use a namespace; improve type f42bec3

[types] use shared config 464a9e3

[actions] remove redundant finisher; use reusable workflow d114ee8

[Dev Deps] update @types/node, tape, typescript; add @arethetypeswrong/cli 9cc63d8

[types] add a helpful hover description 29ccf8d

[Deps] update available-typed-arrays, call-bind, has-tostringtag 7ecfd8e

1.1.14 (from changelog)

Commits

[patch] add types 49c4d4c

[Dev Deps] update aud, npmignore, tape e5fab7b

[Deps] update available-typed-arrays, call-bind 97e2b44

[Deps] update has-tostringtag 1efa8bf