chore(deps): update all-minor-updates #9

Open

renovate-bot wants to merge 1 commits from renovate/minor into main

pull from: renovate/minor

merge into: lucasoskorep:main

lucasoskorep:main

lucasoskorep:renovate/major-major

lucasoskorep:renovate/all

lucasoskorep:fix/end-station-bug

lucasoskorep:feat/readme-and-examples

lucasoskorep:feat/refactor-to-use-protobufs

Conversation 0 Commits 1 Files Changed 4

+1209 -941

renovate-bot commented 2026-04-20 05:15:02 -04:00

Collaborator

Copy Link

Copy Source

This PR contains the following updates:

Package	Type	Update	Change
@types/node (source)	devDependencies	minor	25.5.0 → 25.9.3
@types/react (source)	devDependencies	patch	19.2.14 → 19.2.17
autoprefixer	dependencies	minor	10.4.27 → 10.5.0
axios (source)	dependencies	minor	1.14.0 → 1.18.0
eslint (source)	devDependencies	minor	10.1.0 → 10.5.0
eslint-config-next (source)	devDependencies	patch	16.2.1 → 16.2.9
next (source)	dependencies	patch	16.2.1 → 16.2.9
node (source)		minor	25.8.2 → 25.9.0
pnpm (source)	packageManager	minor	10.33.0 → 10.34.3
postcss (source)	dependencies	patch	8.5.8 → 8.5.15
react (source)	dependencies	patch	19.2.4 → 19.2.7
react-dom (source)	dependencies	patch	19.2.4 → 19.2.7
vitest (source)	devDependencies	patch	4.1.2 → 4.1.9
yarn (source)	packageManager	minor	4.13.0 → 4.17.0

---

Release Notes

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

axios/axios (axios)

v1.18.0

Compare Source

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#​10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#​11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#​10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#​10984, #​10988, #​10992, #​10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#​10989, #​10996, #​10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#​11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#​10984)
• @​eyupcanakman (#​10899)
• @​Adi-Beker (#​10995)

Full Changelog

v1.17.0

Compare Source

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

v1.16.1

Compare Source

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

v1.16.0

Compare Source

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

v1.15.1

Compare Source

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

v1.15.0

Compare Source

Bug Fixes

• headers: fixed & optimized clear method; (#​5507) (9915635)
• http: add zlib headers if missing (#​5497) (65e8d1e)

Features

• fomdata: added support for spec-compliant FormData & Blob types; (#​5316) (6ac574e)

Contributors to this release

• Dmitriy Mozgovoy
• ItsNotGoodName

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.6 (2023-01-28)

Bug Fixes

• headers: added missed Authorization accessor; (#​5502) (342c0ba)
• types: fixed CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS; (#​5503) (5a3d0a3)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.5 (2023-01-26)

Bug Fixes

• types: fixed AxiosHeaders to handle spread syntax by making all methods non-enumerable; (#​5499) (580f1e8)

Contributors to this release

• Dmitriy Mozgovoy
• Elliot Ford

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.4 (2023-01-22)

Bug Fixes

• types: renamed RawAxiosRequestConfig back to AxiosRequestConfig; (#​5486) (2a71f49)
• types: fix AxiosRequestConfig generic; (#​5478) (9bce81b)

Contributors to this release

• Dmitriy Mozgovoy
• Daniel Hillmann

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.3 (2023-01-10)

Bug Fixes

• types: fixed AxiosRequestConfig header interface by refactoring it to RawAxiosRequestConfig; (#​5420) (0811963)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.2] - 2022-12-29

Fixed

• fix(ci): fix release script inputs #​5392
• fix(ci): prerelease scipts #​5377
• fix(ci): release scripts #​5376
• fix(ci): typescript tests #​5375
• fix: Brotli decompression #​5353
• fix: add missing HttpStatusCode #​5345

Chores

• chore(ci): set conventional-changelog header config #​5406
• chore(ci): fix automatic contributors resolving #​5403
• chore(ci): improved logging for the contributors list generator #​5398
• chore(ci): fix release action #​5397
• chore(ci): fix version bump script by adding bump argument for target version #​5393
• chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 #​5342
• chore(ci): GitHub Actions Release script #​5384
• chore(ci): release scripts #​5364

Contributors to this release

• Dmitriy Mozgovoy
• Winnie

[1.2.1] - 2022-12-05

Changed

• feat(exports): export mergeConfig #​5151

Fixed

• fix(CancelledError): include config #​4922
• fix(general): removing multiple/trailing/leading whitespace #​5022
• fix(headers): decompression for responses without Content-Length header #​5306
• fix(webWorker): exception to sending form data in web worker #​5139

Refactors

• refactor(types): AxiosProgressEvent.event type to any #​5308
• refactor(types): add missing types for static AxiosError.from method #​4956

Chores

• chore(docs): remove README link to non-existent upgrade guide #​5307
• chore(docs): typo in issue template name #​5159

Contributors to this release

• Dmitriy Mozgovoy
• Zachary Lysobey
• Kevin Ennis
• Philipp Loose
• secondl1ght
• wenzheng
• Ivan Barsukov
• Arthur Fiorette

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.0] - 2022-11-10

Changed

• changed: refactored module exports #​5162
• change: re-added support for loading Axios with require('axios').default #​5225

Fixed

• fix: improve AxiosHeaders class #​5224
• fix: TypeScript type definitions for commonjs #​5196
• fix: type definition of use method on AxiosInterceptorManager to match the README #​5071
• fix: __dirname is not defined in the sandbox #​5269
• fix: AxiosError.toJSON method to avoid circular references #​5247
• fix: Z_BUF_ERROR when content-encoding is set but the response body is empty #​5250

Refactors

• refactor: allowing adapters to be loaded by name #​5277

Chores

• chore: force CI restart #​5243
• chore: update ECOSYSTEM.md #​5077
• chore: update get/index.html #​5116
• chore: update Sandbox UI/UX #​5205
• chore:(actions): remove git credentials after checkout #​5235
• chore(actions): bump actions/dependency-review-action from 2 to 3 #​5266
• chore(packages): bump loader-utils from 1.4.1 to 1.4.2 #​5295
• chore(packages): bump engine.io from 6.2.0 to 6.2.1 #​5294
• chore(packages): bump socket.io-parser from 4.0.4 to 4.0.5 #​5241
• chore(packages): bump loader-utils from 1.4.0 to 1.4.1 #​5245
• chore(docs): update Resources links in README #​5119
• chore(docs): update the link for JSON url #​5265
• chore(docs): fix broken links #​5218
• chore(docs): update and rename UPGRADE_GUIDE.md to MIGRATION_GUIDE.md #​5170
• chore(docs): typo fix line #​856 and #​920 #​5194
• chore(docs): typo fix #​800 #​5193
• chore(docs): fix typos #​5184
• chore(docs): fix punctuation in README.md #​5197
• chore(docs): update readme in the Handling Errors section - issue reference #​5260 #​5261
• chore: remove \b from filename #​5207
• chore(docs): update CHANGELOG.md #​5137
• chore: add sideEffects false to package.json #​5025

Contributors to this release

• Maddy Miller
• Amit Saini
• ecyrbe
• Ikko Ashimine
• Geeth Gunnampalli
• Shreem Asati
• Frieder Bluemle
• 윤세영
• Claudio Busatto
• Remco Haszing
• Dmitriy Mozgovoy
• Csaba Maulis
• MoPaMo
• Daniel Fjeldstad
• Adrien Brunet
• Frazer Smith
• HaiTao
• AZM
• relbns

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.3] - 2022-10-15

Added

• Added custom params serializer support #​5113

Fixed

• Fixed top-level export to keep them in-line with static properties #​5109
• Stopped including null values to query string. #​5108
• Restored proxy config backwards compatibility with 0.x #​5097
• Added back AxiosHeaders in AxiosHeaderValue #​5103
• Pin CDN install instructions to a specific version #​5060
• Handling of array values fixed for AxiosHeaders #​5085

Chores

• docs: match badge style, add link to them #​5046
• chore: fixing comments typo #​5054
• chore: update issue template #​5061
• chore: added progress capturing section to the docs; #​5084

Contributors to this release

• Jason Saayman
• scarf
• Lenz Weber-Tronic
• Arvindh
• Félix Legrelle
• Patrick Petrovic
• Dmitriy Mozgovoy
• littledian
• ChronosMasterOfAllTime

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.2] - 2022-10-07

Fixed

• Fixed broken exports for UMD builds.

Contributors to this release

• Jason Saayman

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.1] - 2022-10-07

Fixed

• Fixed broken exports for common js. This fix breaks a prior fix, I will fix both issues ASAP but the commonJS use is more impactful.

Contributors to this release

• Jason Saayman

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.0] - 2022-10-06

Fixed

• Fixed missing exports in type definition index.d.ts #​5003
• Fixed query params composing #​5018
• Fixed GenericAbortSignal interface by making it more generic #​5021
• Fixed adding "clear" to AxiosInterceptorManager #​5010
• Fixed commonjs & umd exports #​5030
• Fixed inability to access response headers when using axios 1.x with Jest #​5036

Contributors to this release

• Trim21
• Dmitriy Mozgovoy
• shingo.sasaki
• Ivan Pepelko
• Richard Kořínek

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.0.0] - 2022-10-04

Added

• Added stack trace to AxiosError #​4624
• Add AxiosError to AxiosStatic #​4654
• Replaced Rollup as our build runner #​4596
• Added generic TS types for the exposed toFormData helper #​4668
• Added listen callback function #​4096
• Added instructions for installing using PNPM #​4207
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill #​4229
• Added axios-url-template in ECOSYSTEM.md #​4238
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an axios instance #​4248
• Added react hook plugin #​4319
• Adding HTTP status code for transformResponse #​4580
• Added blob to the list of protocols supported by the browser #​4678
• Resolving proxy from env on redirect #​4436
• Added enhanced toFormData implementation with additional options 4704
• Adding Canceler parameters config and request #​4711
• Added automatic payload serialization to application/x-www-form-urlencoded #​4714
• Added the ability for webpack users to overwrite built-ins #​4715
• Added string[] to AxiosRequestHeaders type #​4322
• Added the ability for the url-encoded-form serializer to respect the formSerializer config #​4721
• Added isCancel type assert #​4293
• Added data URL support for node.js #​4725
• Adding types for progress event callbacks #​4675
• URL params serializer #​4734
• Added axios.formToJSON method #​4735
• Bower platform add data protocol #​4804
• Use WHATWG URL API instead of url.parse() #​4852
• Add ENUM containing Http Status Codes to typings #​4903
• Improve typing of timeout in index.d.ts #​4934

Changed

• Updated AxiosError.config to be optional in the type definition #​4665
• Updated README emphasizing the URLSearchParam built-in interface over other solutions #​4590
• Include request and config when creating a CanceledError instance #​4659
• Changed func-names eslint rule to as-needed #​4492
• Replacing deprecated substr() with slice() as substr() is deprecated #​4468
• Updating HTTP links in README.md to use HTTPS #​4387
• Updated to a better trim() polyfill #​4072
• Updated types to allow specifying partial default headers on instance create #​4185
• Expanded isAxiosError types #​4344
• Updated type definition for axios instance methods #​4224
• Updated eslint config #​4722
• Updated Docs #​4742
• Refactored Axios to use ES2017 #​4787

Deprecated

• There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case.

Removed

• Removed incorrect argument for NetworkError constructor #​4656
• Removed Webpack #​4596
• Removed function that transform arguments to array #​4544

Fixed

• Fixed grammar in README #​4649
• Fixed code error in README #​4599
• Optimized the code that checks cancellation #​4587
• Fix url pointing to defaults.js in README #​4532
• Use type alias instead of interface for AxiosPromise #​4505
• Fix some word spelling and lint style in code comments #​4500
• Edited readme with 3 updated browser icons of Chrome, FireFox and Safari #​4414
• Bump follow-redirects from 1.14.9 to 1.15.0 #​4673
• Fixing http tests to avoid hanging when assertions fail #​4435
• Fix TS definition for AxiosRequestTransformer #​4201
• Fix grammatical issues in README #​4232
• Fixing instance.defaults.headers type #​4557
• Fixed race condition on immediate requests cancellation #​4261
• Fixing Z_BUF_ERROR when no content #​4701
• Fixing proxy beforeRedirect regression #​4708
• Fixed AxiosError status code type #​4717
• Fixed AxiosError stack capturing #​4718
• Fixing AxiosRequestHeaders typings #​4334
• Fixed max body length defaults #​4731
• Fixed toFormData Blob issue on node>v17 #​4728
• Bump grunt from 1.5.2 to 1.5.3 #​4743
• Fixing content-type header repeated #​4745
• Fixed timeout error message for http 4738
• Request ignores false, 0 and empty string as body values #​4785
• Added back missing minified builds #​4805
• Fixed a type error #​4815
• Fixed a regression bug with unsubscribing from cancel token; #​4819
• Remove repeated compression algorithm #​4820
• The error of calling extend to pass parameters #​4857
• SerializerOptions.indexes allows boolean | null | undefined #​4862
• Require interceptors to return values #​4874
• Removed unused imports #​4949
• Allow null indexes on formSerializer and paramsSerializer #​4960

Chores

• Set permissions for GitHub actions #​4765
• Included githubactions in the dependabot config #​4770
• Included dependency review #​4771
• Update security.md #​4784
• Remove unnecessary spaces #​4854
• Simplify the import path of AxiosError #​4875
• Fix Gitpod dead link #​4941
• Enable syntax highlighting for a code block #​4970
• Using Logo Axios in Readme.md #​4993
• Fix markup for note in README #​4825
• Fix typo and formatting, add colons #​4853
• Fix typo in readme #​4942

Security

• Update SECURITY.md #​4687

Contributors to this release

• Bertrand Marron

• Dmitriy Mozgovoy

• Dan Mooney

• Michael Li

• aong

• Des Preston

• Ted Robertson

• zhoulixiang

• Arthur Fiorette

• Kumar Shanu

• JALAL

• Jingyi Lin

• Philipp Loose

• Alexander Shchukin

• Dave Cardwell

• Cat Scarlet

• Luca Pizzini

• Kai

• Maxime Bargiel

• Brian Helba

• reslear

• Jamie Slome

• Landro3

• rafw87

• Afzal Sayed

• Koki Oyatsu

• Dave

• 暴走老七

• Spencer

• Adrian Wieprzkowicz

• Jamie Telin

• 毛呆

• Kirill Shakirov

• Rraji Abdelbari

• Jelle Schutter

• Tom Ceuppens

• Johann Cooper

• Dimitris Halatsis

• chenjigeng

• João Gabriel Quaresma

• Victor Augusto

• neilnaveen

• Pavlos

• Kiryl Valkovich

• Naveen

• wenzheng

• hcwhan

• Bassel Rachid

• Grégoire Pineau

• felipedamin

• Karl Horky

• Yue JIN

• Usman Ali Siddiqui

• WD

• Günther Foidl

• Stephen Jennings

• C.T.Lin

• mia-z

• Parth Banathia

• parth0105pluang

• Marco Weber

• Luca Pizzini

• Willian Agostini

• Huyen Nguyen

eslint/eslint (eslint)

v10.5.0

Compare Source

Features

• 5ca8c52 feat: correct stack tracking in max-nested-callbacks (#​20973) (Pixel998)
• b565783 feat: report no-with violations at the with keyword (#​20971) (Pixel998)
• 2ce032f feat: report max-lines-per-function violations at function head (#​20966) (Pixel998)
• 732cb3e feat: report max-nested-callbacks violations at function head (#​20967) (Pixel998)
• f9c138a feat: report max-depth violations on keywords (#​20943) (Pixel998)
• bdb496c feat: correct max-depth handling for else-if chains (#​20944) (Pixel998)
• c296873 feat: update error loc in max-statements to function header (#​20907) (Taejin Kim)

Documentation

• 8ae1b5b docs: Update README (GitHub Actions Bot)
• ca7eb90 docs: update Node.js prerequisites to include ICU support (#​20962) (Francesco Trotta)
• f99b47a docs: Update README (GitHub Actions Bot)
• acf03d4 docs: clarify precedence of parserOptions over languageOptions (#​20926) (sethamus)

Chores

• b18bf58 chore: update ecosystem plugins (#​20959) (ESLint Bot)
• c2d1444 refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#​20951) (Taejin Kim)
• 243b8c5 chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#​20788) (kuldeep kumar)
• 217b2a9 test: add unit tests for ParserService (#​20949) (Taejin Kim)
• 72003e7 test: add location information to error messages in max-statements (#​20945) (lumir)
• 7797c26 refactor: deduplicate isAnySegmentReachable across rules (#​20890) (Taejin Kim)
• 67c46fa chore: update ecosystem plugins (#​20938) (ESLint Bot)
• 95d8c7a chore: update dependency @​eslint/json to v2 (#​20934) (renovate[bot])
• cf9e496 chore: update @​arethetypeswrong/cli to 0.18.3 (#​20933) (Pixel998)
• fb6d396 test: run type tests with TypeScript 7 (#​20868) (sethamus)

v10.4.1

Compare Source

Bug Fixes

• e557467 fix: update @eslint/plugin-kit version to 0.7.2 (#​20930) (Francesco Trotta)
• d4ce898 fix: propagate failures from delegated commands (#​20917) (Minh Vu)
• f4f3507 fix: prefer-arrow-callback invalid autofix with newline after async (#​20916) (kuldeep kumar)
• c5bc78b fix: false positive for reference in finally block (#​20655) (Tanuj Kanti)
• 27538c0 fix: add missing CodePath and CodePathSegment types (#​20853) (Pixel998)

Documentation

• 61b0add docs: remove deprecated rule from related rules of max-params (#​20921) (Tanuj Kanti)
• 305d5b9 docs: remove deprecated rules from related rules section (#​20911) (Tanuj Kanti)
• 49b0202 docs: fix display: none of ad (#​20901) (Tanuj Kanti)
• 9067f94 docs: switch build to Node.js 24 (#​20893) (Milos Djermanovic)
• c91b041 docs: Update README (GitHub Actions Bot)
• e349265 docs: clarify semver strings in rule deprecation objects (#​20885) (Milos Djermanovic)

Chores

• b0e466b test: add data property to invalid tests cases for rules (#​20924) (Tanuj Kanti)
• f78838b test: add CodePath type coverage (#​20904) (Pixel998)
• 1daa4bd chore: update eslint-plugin-eslint-comments test data to latest commit (#​20922) (Francesco Trotta)
• 002942c ci: declare contents:read on update-readme workflow (#​20919) (Arpit Jain)
• 64bca24 chore: update ecosystem plugins (#​20912) (ESLint Bot)
• 6d7c832 chore: ignore fflate updates in renovate (#​20908) (Pixel998)
• b2c8638 ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#​20889) (dependabot[bot])
• a9b8d7f chore: increase maxBuffer for ecosystem tests (#​20881) (sethamus)
• b702ead chore: update ecosystem update PR settings (#​20884) (Pixel998)
• 507f60e chore: update ecosystem plugins (#​20882) (ESLint Bot)
• 92f5c5b test: add unit test for message-count (#​20878) (kuldeep kumar)
• df32108 chore: add @​eslint/markdown and typescript-eslint ecosystem tests (#​20837) (sethamus)
• 327f91d chore: use includeIgnoreFile internally (#​20876) (Kirk Waiblinger)
• f0dc4bd chore: pin fflate@​0.8.2 (#​20877) (Milos Djermanovic)
• 0f4bd25 ci: run Discord alert for ecosystem test failures (#​20873) (Copilot)

v10.4.0

Compare Source

Features

• 1a45ec5 feat: check sequence expressions in for-direction (#​20701) (kuldeep kumar)
• 450040b feat: add includeIgnoreFile() to eslint/config (#​20735) (Kirk Waiblinger)

Bug Fixes

• 544c0c3 fix: escape code path DOT labels in debug output (#​20866) (Pixel998)
• 6799431 fix: update dependency @​eslint/config-helpers to ^0.6.0 (#​20850) (renovate[bot])
• f078fef fix: handle non-array deprecated rule replacements (#​20825) (xbinaryx)

Documentation

• 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#​20869) (Pavel)
• db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#​20865) (Kirk Waiblinger)
• 9084664 docs: Update README (GitHub Actions Bot)
• 9cc7387 docs: Update README (GitHub Actions Bot)
• 3d7b548 docs: Update README (GitHub Actions Bot)
• 191ec3c docs: Update README (GitHub Actions Bot)

Chores

• 6616856 chore: upgrade knip to v6 (#​20875) (Pixel998)
• d13b084 ci: ensure auto-created PRs run CI (#​20860) (lumir)
• e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#​20862) (dependabot[bot])
• d84393d test: add unit tests for SuppressionsService.applySuppressions() (#​20863) (kuldeep kumar)
• 24db8cb test: add tests for SuppressionsService.save() (#​20802) (kuldeep kumar)
• 2ef0549 chore: update ecosystem plugins (#​20857) (github-actions[bot])
• a429791 ci: remove eslint-webpack-plugin types integration test (#​20668) (Milos Djermanovic)
• 9e37386 chore: replace recast with range approach in code-sample-minimizer (#​20682) (Copilot)
• 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#​20845) (Francesco Trotta)
• 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#​20716) (Pixel998)
• 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#​20800) (xbinaryx)
• f1dfbc9 chore: update ecosystem plugins (#​20836) (github-actions[bot])
• c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#​20843) (dependabot[bot])
• 5b817d6 test: add unit tests for lib/shared/ast-utils (#​20838) (kuldeep kumar)
• 1c13ae3 test: add unit tests for lib/shared/severity (#​20835) (kuldeep kumar)

v10.3.0

Compare Source

Features

• 379571a feat: add suggestions for no-unused-private-class-members (#​20773) (sethamus)

Bug Fixes

• b6ae5cf fix: handle unavailable require cache (#​20812) (Simon Podlipsky)
• 6fb3685 fix: rule suggestions cause continuation in class body (#​20787) (Milos Djermanovic)

Documentation

• 32cc7ab docs: fix typos in docs and comments (#​20809) (Tanuj Kanti)
• 7f47937 docs: Update README (GitHub Actions Bot)

Chores

• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#​20826) (Francesco Trotta)
• 3ffb14e chore: clean up typos in comments and JSDoc (#​20821) (Pixel998)
• 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#​20818) (Josh Goldberg ✨)
• 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#​20815) (dependabot[bot])
• 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#​20811) (renovate[bot])
• 2f58136 chore: pin peter-evans/create-pull-request action to 5f6978f (#​20810) (renovate[bot])
• 77add7f chore: add initial ecosystem plugin tests workflow (#​19643) (Josh Goldberg ✨)
• 4023b55 test: Add unit tests for SuppressionsService.prune() (#​20797) (kuldeep kumar)
• 54080da test: add unit tests for ForkContext (#​20778) (kuldeep kumar)
• f0e2bcc test: add unit tests for SuppressionsService.suppress() method (#​20765) (kuldeep kumar)
• a7f0b94 chore: update dependency prettier to v3.8.3 (#​20782) (renovate[bot])
• 7bf93d9 chore: update TypeScript to v6 (#​20677) (sethamus)
• b42dd72 ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#​20781) (dependabot[bot])
• 2b252be test: add unit tests for IdGenerator (#​20775) (kuldeep kumar)

v10.2.1

Compare Source

Bug Fixes

• 14be92b fix: model generator yield resumption paths in code path analysis (#​20665) (sethamus)
• 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#​20740) (xbinaryx)
• af764af fix: clarify language and processor validation errors (#​20729) (Pixel998)
• e251b89 fix: update eslint (#​20715) (renovate[bot])

Documentation

• ca92ca0 docs: reuse markdown-it instance for markdown filter (#​20768) (Amaresh S M)
• 57d2ee2 docs: Enable Eleventy incremental mode for watch (#​20767) (Amaresh S M)
• c1621b9 docs: fix typos in code-path-analyzer.js (#​20700) (Ayush Shukla)
• 1418d52 docs: Update README (GitHub Actions Bot)
• 39771e6 docs: Update README (GitHub Actions Bot)
• 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#​20728) (kuldeep kumar)
• 22119ce docs: clarify scope of for-direction rule with dead code examples (#​20723) (Amaresh S M)
• 8f3fb77 docs: document meta.docs.dialects (#​20718) (Pixel998)

Chores

• 7ddfea9 chore: update dependency prettier to v3.8.2 (#​20770) (renovate[bot])
• fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#​20763) (dependabot[bot])
• 7246f92 test: add tests for SuppressionsService.load() error handling (#​20734) (kuldeep kumar)
• 4f34b1e chore: update pnpm/action-setup action to v5 (#​20762) (renovate[bot])
• 51080eb test: processor service (#​20731) (kuldeep kumar)
• e7e1889 chore: remove stale babel-eslint10 fixture and test (#​20727) (kuldeep kumar)
• 4e1a87c test: remove redundant async/await in flat config array tests (#​20722) (Pixel998)
• 066eabb test: add rule metadata coverage for languages and docs.dialects (#​20717) (Pixel998)

v10.2.0

Compare Source

Features

• 586ec2f feat: Add meta.languages support to rules (#​20571) (Copilot)
• 14207de feat: add Temporal to no-obj-calls (#​20675) (Pixel998)
• bbb2c93 feat: add Temporal to ES2026 globals (#​20672) (Pixel998)

Bug Fixes

• 542cb3e fix: update first-party dependencies (#​20714) (Francesco Trotta)

Documentation

• a2af743 docs: add language to configuration objects (#​20712) (Francesco Trotta)
• 845f23f docs: Update README (GitHub Actions Bot)
• 5fbcf59 docs: remove sourceType from ts playground link (#​20477) (Tanuj Kanti)
• 8702a47 docs: Update README (GitHub Actions Bot)
• ddeaded docs: Update README (GitHub Actions Bot)
• 2b44966 docs: add Major Releases section to Manage Releases (#​20269) (Milos Djermanovic)
• eab65c7 docs: update eslint versions in examples (#​20664) (루밀LuMir)
• 3e4a299 docs: update ESM Dependencies policies with note for own-usage packages (#​20660) (Milos Djermanovic)

Chores

• 8120e30 refactor: extract no unmodified loop condition (#​20679) (kuldeep kumar)
• 46e8469 chore: update dependency markdownlint-cli2 to ^0.22.0 (#​20697) (renovate[bot])
• 01ed3aa test: add unit tests for unicode utilities (#​20622) (Manish chaudhary)
• 811f493 ci: remove --legacy-peer-deps from types integration tests (#​20667) (Milos Djermanovic)
• 6b86fcf chore: update dependency npm-run-all2 to v8 (#​20663) (renovate[bot])
• 632c4f8 chore: add prettier update commit to .git-blame-ignore-revs (#​20662) (루밀LuMir)
• b0b0f21 chore: update dependency eslint-plugin-regexp to ^3.1.0 (#​20659) (Milos Djermanovic)
• 228a2dd chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#​20661) (Milos Djermanovic)
• 3ab4d7e test: Add tests for eslintrc-style keys (#​20645) (kuldeep kumar)

vercel/next.js (eslint-config-next)

v16.2.9

Compare Source

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Compare Source

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport documentation fixes for v16.2 (#​93804)
• [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#​93920)
• [backport] Fix dev mode hydration failure when page is served from HTTP cache (#​93492)
• [backport] Fix catch-all router.query corruption with basePath + rewrites (#​93917)
• [backport] Encode non-ASCII characters in cache tags at construction (#​93918)
• [backport] Fix server action forwarding loop with middleware rewrites (#​93919)
• [backport] Turbopack: switch from base40 to base38 hash encoding (#​93932)
• [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#​94164)
• [backport] Fix "type: module" in project dir when using standalone or adapters (#​94050)
• [backport] Propagate adapter preferred regions (#​94200)
• [16.2.x] Don't drop FormData entries (#​94240)
• [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#​94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

Compare Source

[!NOTE]
This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#​92231)
• Fix fallback route params case in app-page handler (#​91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#​91541)
• Patch setHeader for direct route handlers (#​93101)
• Include deployment id in cacheHandlers keys (#​93453)
• Fix double-encoding of URL pathname parts in client param parsing (#​93491)

v16.2.5

Compare Source

[!NOTE]
This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

• GHSA-8h8q-6873-q5fj: Denial of Service with Server Components
• GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
• GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components
• GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
• GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades
• GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n

Moderate:

• GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces
• GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input
• GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API
• GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses

Low:

• GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting
• GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned

Core Changes

• fix: preserve HTTP access fallbacks during prerender recovery (#​92231)
• Fix fallback route params case in app-page handler (#​91737)
• Fix invalid HTML response for route-level RSC requests in deployment adapter (#​91541)
• Patch setHeader for direct route handlers (#​93101)
• Include deployment id in cacheHandlers keys (#​93453)
• Fix double-encoding of URL pathname parts in client param parsing (#​93491)

v16.2.4

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#​92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#​92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#​92580)
• Compiler: Support boolean and number primtives in next.config defines (#​92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#​92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#​92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#​92828)
• Adding more system info to the 'initialize project' trace (#​92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

Compare Source

[!NOTE]
This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#​92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#​91981 through #​92273)
• Deduplicate output assets and detect content conflicts on emit (#​92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#​92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#​92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#​92115) (#​92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#​92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#​91840)
• next.config.js: Accept an option for serverFastRefresh (#​91968)
• Turbopack: enable server HMR for app route handlers (#​91466)
• Turbopack: exclude metadata routes from server HMR (#​92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #​92177
• [backport] Fix CSS HMR on Safari (#​92174)

Credits

Huge thanks to @​nextjs-bot, @​icyJoseph, @​ijjk, @​gaojude, @​wbinnssmith, @​lukesandberg, and @​bgw for helping!

nodejs/node (node)

v25.9.0: 2026-04-01, Version 25.9.0 (Current), @​aduh95

Compare Source

Notable Changes

Test runner module mocking improvements

MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.

A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.

An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports

npx codemod @​nodejs/mock-module-exports

Contributed by sangwook in #​61727.

Other notable changes

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066

Commits

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #​62066
• [c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #​62084
• [e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #​61871
• [2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #​62477
• [b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #​62280
• [7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #​62189
• [f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #​62115
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #​62254
• [f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #​62218
• [f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #​61875
• [4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #​62169
• [93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #​62170
• [3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #​62414
• [176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [95c7fc67ba] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #​62051
• [180c150122] - deps: V8: cherry-pick cf1bce4 (Richard Lau) #​62449
• [bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #​62448
• [f1b28612c4] - deps: V8: cherry-pick b25cd62 (Yagiz Nizipli) #​62354
• [757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #​62284
• [3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [a9703d194a] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #​62213
• [231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #​62123
• [0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #​62395
• [0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #​62456
• [8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #​62492
• [08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #​62482
• [61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #​62139
• [1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #​62374
• [e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #​62302
• [9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #​62243
• [7f37c17516] - doc: minor typo fix (Jeff Matson) #​62358
• [eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #​62321
• [17e5aee6c5] - doc: fix small environment_variables typo (chris) #​62279
• [193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #​62120
• [4a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [f976c9214d] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #​62249
• [4d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #​62202
• [71f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #​62204
• [670c80893b] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [2ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #​62244
• [6c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #​62475
• [1cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #​62415
• [4f4ff15794] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #​62261
• [0250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #​61950
• [b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #​62487
• [ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #​62307
• [92ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #​62226
• [40a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #​62133
• [3ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #​62335
• [3c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #​62371
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #​62165
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #​62396
• [d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #​62343
• [0e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #​62103
• [02980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #​62410
• [064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #​62268
• [ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #​62281
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066
• [03839fb087] - stream: preserve error over AbortError in pipeline (Marco) #​62113
• [0000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #​62087
• [3796a73719] - test: update WPT for WebCryptoAPI to 2cb332d (Node.js GitHub Bot) #​62483
• [ad8309415b] - test: update WPT for url to fc3e651 (Node.js GitHub Bot) #​62379
• [bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #​62471
• [c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #​62470
• [fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #​62066
• [1b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #​62112
• [cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #​62238
• [abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #​62226
• [47a2132269] - test: update WPT for WebCryptoAPI to 6a1c545 (Node.js GitHub Bot) #​62187
• [2c63d3006c] - test_runner: add exports option for module mocks (sangwook) #​61727
• [44ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #​59272
• [1865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #​62282
• [0252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #​62439
• [3368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #​62437
• [5e47c359f5] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #​62478
• [4a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #​62438
• [d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #​62375
• [c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #​62356
• [7a2fcc6d41] - tools: do not swallow error in lint-nix workflow (Antoine du Hamel) #​62292
• [c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #​62093
• [56dfeb06df] - tools: fix timeout errors in lint-nix job (Antoine du Hamel) #​62265
• [22fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #​62255
• [409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #​62250
• [67c69750f4] - tools: validate all commits that are pushed to main (Antoine du Hamel) #​62246
• [7d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #​62167
• [6c8fa42ba2] - typings: rationalise TypedArray types (René) #​62174
• [531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #​61477
• [2000caccde] - util: allow color aliases in styleText (sangwook) #​62180
• [0aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #​62198
• [d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #​62201
• [e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

pnpm/pnpm (pnpm)

v10.34.3: pnpm 10.34.3

Compare Source

⚠️ Security fix — environment variables in a project .npmrc (action may be required)

Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:

• the project/workspace .npmrc — registry, @scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken, _auth, _password, username, tokenHelper, cert, key);
• registry URLs in pnpm-workspace.yaml.

This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).

Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.

If your authentication broke after upgrading, move the token out of the committed .npmrc:

# Writes to your user/global config, not the repository:
pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"

Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.

See https://pnpm.io/npmrc for full migration details.

Patch Changes

• Improved the warning printed when a project .npmrc uses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by running pnpm config set "<key>" <value> to store it in the global config, or by keeping the ${...} line in the user-level ~/.npmrc — with a link to https://pnpm.io/npmrc.
• A repository-controlled project or workspace .npmrc can no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could set userconfig, globalconfig, or prefix to point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to set tokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace .npmrc files are read. Fixed by upgrading @pnpm/npm-conf to 3.0.3.

Platinum Sponsors

Gold Sponsors

v10.34.2: pnpm 10.34.2

Compare Source

⚠️ Security fix — environment variables in a project .npmrc (action may be required)

Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:

• the project/workspace .npmrc — registry, @scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken, _auth, _password, username, tokenHelper, cert, key);
• registry URLs in pnpm-workspace.yaml.

This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).

Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.

If your authentication broke after upgrading, move the token out of the committed .npmrc:

# Writes to your user/global config, not the repository:
pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN"

Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.

See https://pnpm.io/npmrc for full migration details.

Patch Changes

• Package-manager bootstrap traffic is now resolved through trusted registries and trusted network config. When pnpm downloads the pnpm version requested by a repository's packageManager field, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global .npmrc — defaulting to the public npm registry, instead of the repository's project/workspace settings.
• pnpm now verifies the npm registry signature of a package-manager binary before spawning it. When the packageManager field (or pnpm self-update) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exact name@version, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip.
• Environment variable expansion is now trust-aware for registry/auth config and request destinations. Repository-controlled config files (the project and workspace .npmrc and pnpm-workspace.yaml) can no longer expand ${...} placeholders in registry/proxy request destinations, URL-scoped keys, or registry credential values, preventing repository-controlled configuration from exfiltrating environment secrets through request URLs. Trusted user/global/CLI/env config keeps full env expansion, so existing token and registry setup flows continue to work.
• Reject reserved manifest bin names ("", ".", "..", and scoped forms such as @scope/..) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted.
• Require trusted package identity before package-name onlyBuiltDependencies (and allowBuilds) entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the key. Lockfile entries are now rejected when a registry-style dependency path (name@semver) is backed by a git, directory, or git-hosted tarball resolution (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH), so the dependency path is a reliable artifact identity by the time scripts can run.
• pnpm now verifies the detached OpenPGP signature of a Node.js release's SHASUMS256.txt against the Node.js release team's public keys (embedded in the pnpm CLI) before trusting its hashes. The Node.js download mirror is repository-configurable (node-mirror:<channel> in .npmrc), and the integrity check previously trusted a SHASUMS256.txt fetched from that same mirror — a circular check that a malicious mirror could satisfy with a tampered binary and matching hashes. A mirror that proxies the real signed SHASUMS keeps working unchanged. Only the release channel publishes signed SHASUMS files, so pre-release channels (rc, nightly, …) remain unverified.

Platinum Sponsors

Gold Sponsors

v10.34.1: pnpm 10.34.1

Compare Source

Patch Changes

• Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.

Platinum Sponsors

Gold Sponsors

v10.34.0: pnpm 10.34

Compare Source

Minor Changes

• Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.

  pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.

  The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.

  --force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

Patch Changes

• Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
• Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
• Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
• Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
• Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir> #​11535.
• Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.

Platinum Sponsors

Gold Sponsors

v10.33.4: pnpm 10.33.4

Compare Source

Patch Changes

• Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.

  A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

• Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root #​11341.

Platinum Sponsors

Gold Sponsors

v10.33.3: pnpm 10.33.3

Compare Source

Patch Changes

• When self-updating from v10's @pnpm/exe to v11+ on Intel macOS (darwin-x64), pnpm self-update now transparently switches to the JS-only pnpm package on npm instead of installing @pnpm/exe@v11+ (which doesn't ship a working binary for Intel Macs because of an upstream Node.js SEA bug — see #​11423 and nodejs/node#62893). Without this, the self-update would silently leave the user with no working pnpm binary. The new install requires Node.js to be available on PATH; a warning is printed when the swap happens. All other host/version combinations are unchanged.
• pnpm self-update (with no version argument) no longer downgrades pnpm when the registry's latest dist-tag points to an older release than the currently active version. Run pnpm self-update latest to force a downgrade #​11418.

Platinum Sponsors

Gold Sponsors

v10.33.2: pnpm 10.33.2

Compare Source

Patch Changes

• Globally-installed bins no longer fail with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when pnpm was installed via the standalone @pnpm/exe binary (e.g. curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, when which('node') failed during pnpm add --global, pnpm fell back to process.execPath, which in @pnpm/exe is the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #​11291, #​4645.

• Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g. npm install -g pnpm@A) and run inside a project whose package.json selected a different pnpm version via the packageManager field (e.g. pnpm@B), while a pnpm-workspace.yaml also existed at the project root.

  The child's environment is now forced to manage-package-manager-versions=false (v10) and pm-on-fail=ignore (v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.

  Fixes #​11337.

Platinum Sponsors

Gold Sponsors

v10.33.1: pnpm 10.33.1

Compare Source

Patch Changes

• When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3 #​11328.

Platinum Sponsors

Gold Sponsors

postcss/postcss (postcss)

v8.5.15

Compare Source

• Fixed declaration parsing performance (by @​homanp).

v8.5.14

Compare Source

• Fixed custom syntax regression (by @​43081j).

v8.5.13

Compare Source

• Fixed postcss-scss commend regression.

v8.5.12

Compare Source

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

v8.5.11

Compare Source

• Fixed nested brackets parsing performance (by @​offset).

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

facebook/react (react)

v19.2.7: 19.2.7 (June 1st, 2026)

Compare Source

React Server Components

• Fixed missing FormData entries in Server Actions which regressed in 19.2.6
  (#​36566 by @​unstubbable)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

• Type hardening and performance improvements
  (#​36425 by @​eps1lon and @​unstubbable)

v19.2.5: 19.2.5 (April 8th, 2026)

Compare Source

React Server Components

• Add more cycle protections (#​36236 by @​eps1lon and @​unstubbable)

vitest-dev/vitest (vitest)

v4.1.8

Compare Source

   🐞 Bug Fixes

• browser:
  • Disable client cdp API when allowWrite/allowExec: false [backport to v4]  -  by @​hi-ogawa and Codex in #​10450 (e4067)
  • Remove orphaned Playwright route when same module is mocked via multiple ids [backport to v4]  -  by @​toxik and @​Zelys-DFKH in #​10474 (675b4)

    View changes on GitHub

v4.1.7

Compare Source

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in #​10384 (4f0f2)

    View changes on GitHub

v4.1.6

Compare Source

   🐞 Bug Fixes

• browser: Provide project reference in ToMatchScreenshotResolvePath  -  by @​macarie and @​sheremet-va in #​10138 (31882)
• Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options  -  by @​hi-ogawa, Codex and @​sheremet-va in #​10196 (2847d)
• browser: Simplify orchestrator otel carrier  -  by @​hi-ogawa in #​10285 (18af9)

   🏎 Performance

• Stringify diff objects only once  -  by @​sheremet-va in #​10276 (9f7b1)

    View changes on GitHub

v4.1.5

Compare Source

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in #​10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in #​10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in #​10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in #​10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in #​10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in #​8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in #​8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in #​10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in #​10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in #​10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in #​10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in #​9927 and #​10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in #​10154 (6abd5)

    View changes on GitHub

v4.1.4

Compare Source

   🚀 Experimental Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in #​10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in #​10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in #​9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in #​10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in #​10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in #​10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in #​10093 and #​10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in #​10049 (65c9d)

    View changes on GitHub

v4.1.3

Compare Source

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in #​10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in #​10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in #​9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in #​9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in #​10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in #​10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in #​9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in #​10004 (ec204)
• snapshot:
  • Fix flagging obsolete snapshots for snapshot properties mismatch  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​9986 (6b869)
  • Export custom snapshot matcher helper from vitest  -  by @​hi-ogawa and Codex in #​10042 (691d3)
• ui:
  • Don't leak vite types  -  by @​sheremet-va in #​10005 (fdff1)
• vm:
  • Fix external module resolve error with deps optimizer query  -  by @​hi-ogawa and Claude Sonnet 4.6 in #​10024 (9dbf4)

    View changes on GitHub

yarnpkg/berry (yarn)

v4.17.0: v4.17.0

Compare Source

What's Changed

• Adds support for package map generation by @​arcanis in #​7184
• fix: add catalog settings to yarnrc schema by @​cyphercodes in #​7179
• docs: clarify background job exit codes by @​StantonMatt in #​7167
• fix: explain peer-default dependencies in why by @​StantonMatt in #​7168
• Docs: fix npmMinimalAgeGate default by @​clemyan in #​7181
• feat(plugin-npm): allow npmMinimalAgeGate per npmScope by @​erlandasz in #​7156

New Contributors

• @​cyphercodes made their first contribution in #​7179
• @​StantonMatt made their first contribution in #​7167
• @​erlandasz made their first contribution in #​7156

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.16.0...@​yarnpkg/cli/4.17.0

v4.16.0: v4.16.0

Compare Source

What's Changed

• PnP: Include Node 22.22.3 in fstat workaround by @​junjuny0227 in #​7141
• Implements yarn npm stage by @​arcanis in #​7147
• fix: Stop using EBADF workaround for Node 24.16.0+ by @​MJDSys in #​7152
• Bumps eslint-plugin-arca by @​arcanis in #​7163
• Enables staged publishing by @​arcanis in #​7164
• feat: Add editor SDK support for oxc (oxfmt & oxlint) by @​slainless in #​7078
• docs: fix npmMinimalAgeGate default value. by @​ryanfox1985 in #​7125

New Contributors

• @​junjuny0227 made their first contribution in #​7141
• @​MJDSys made their first contribution in #​7152
• @​slainless made their first contribution in #​7078
• @​ryanfox1985 made their first contribution in #​7125

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.15.0...@​yarnpkg/cli/4.16.0

v4.15.0: v4.15.0

Compare Source

What's Changed

• Fix Next.JS e2e test by @​brandonbothell in #​7115
• perf(plugin-nm): cache install state across workspaces by @​sophiebits in #​7126
• fix(patch) Correctly handle Unicode paths by @​liuxingbaoyu in #​7123
• fix(plugin-npm-cli): enable OIDC publish on CircleCI by @​joshuayoes in #​7122
• fix(core): ignore legacy YARN_IGNORE_SCRIPTS env var by @​KimHyeongRae0 in #​7120
• fix: Reject dependency names with leading/trailing whitespace (fixes duplicate installs) by @​muskaanshraogi in #​7124
• feat(plugin-pnpm): make pnpm install concurrency configurable by @​lennartschoch in #​7118
• PnP: Stop using EDABF solution for Node 26.1.0+ by @​clemyan in #​7133
• Makes npmMinimalAgeGate: 1d the default by @​arcanis in #​7135

New Contributors

• @​brandonbothell made their first contribution in #​7115
• @​sophiebits made their first contribution in #​7126
• @​liuxingbaoyu made their first contribution in #​7123
• @​joshuayoes made their first contribution in #​7122
• @​KimHyeongRae0 made their first contribution in #​7120
• @​muskaanshraogi made their first contribution in #​7124
• @​lennartschoch made their first contribution in #​7118

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.14.1...@​yarnpkg/cli/4.15.0

v4.14.1: v4.14.1

Compare Source

What's Changed

• fix: Widen EBADF fstat version gate to include Node 24.15+ by @​rfoel in #​7104

New Contributors

• @​rfoel made their first contribution in #​7104

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.14.0...@​yarnpkg/cli/4.14.1

v4.14.0: v4.14.0

Compare Source

What's Changed

• Add Re-release workflow to republish artifacts from a specific commit SHA by @​Copilot in #​7079
• fix: Node 25.7+ EBADF by reading CJS source of zip files by @​NormalGaussian in #​7070
• PnP: Fix watch mode for files required under PnP by @​clemyan in #​7077
• feat(plugin-npm): support OIDC auth for CircleCI by @​blimmer in #​7075
• Makes enableScripts: false the default by @​arcanis in #​7089
• Makes the exec: protocol respect enableScripts by @​arcanis in #​7090
• Adds approvedGitRepositories by @​arcanis in #​7091
• Fix: Names the Experimental ESM support warning by @​NormalGaussian in #​7069
• feat(why): allow specifying a version or range by @​remypar5 in #​6992

New Contributors

• @​Copilot made their first contribution in #​7079
• @​NormalGaussian made their first contribution in #​7070
• @​remypar5 made their first contribution in #​6992

Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.13.0...@​yarnpkg/cli/4.14.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | minor | [`25.5.0` → `25.9.3`](https://renovatebot.com/diffs/npm/@types%2fnode/25.5.0/25.9.3) | | [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react)) | devDependencies | patch | [`19.2.14` → `19.2.17`](https://renovatebot.com/diffs/npm/@types%2freact/19.2.14/19.2.17) | | [autoprefixer](https://github.com/postcss/autoprefixer) | dependencies | minor | [`10.4.27` → `10.5.0`](https://renovatebot.com/diffs/npm/autoprefixer/10.4.27/10.5.0) | | [axios](https://axios-http.com) ([source](https://github.com/axios/axios)) | dependencies | minor | [`1.14.0` → `1.18.0`](https://renovatebot.com/diffs/npm/axios/1.14.0/1.18.0) | | [eslint](https://eslint.org) ([source](https://github.com/eslint/eslint)) | devDependencies | minor | [`10.1.0` → `10.5.0`](https://renovatebot.com/diffs/npm/eslint/10.1.0/10.5.0) | | [eslint-config-next](https://nextjs.org/docs/app/api-reference/config/eslint) ([source](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next)) | devDependencies | patch | [`16.2.1` → `16.2.9`](https://renovatebot.com/diffs/npm/eslint-config-next/16.2.1/16.2.9) | | [next](https://nextjs.org) ([source](https://github.com/vercel/next.js)) | dependencies | patch | [`16.2.1` → `16.2.9`](https://renovatebot.com/diffs/npm/next/16.2.1/16.2.9) | | [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | | minor | `25.8.2` → `25.9.0` | | [pnpm](https://pnpm.io) ([source](https://github.com/pnpm/pnpm/tree/HEAD/pnpm)) | packageManager | minor | [`10.33.0` → `10.34.3`](https://renovatebot.com/diffs/npm/pnpm/10.33.0/10.34.3) | | [postcss](https://postcss.org/) ([source](https://github.com/postcss/postcss)) | dependencies | patch | [`8.5.8` → `8.5.15`](https://renovatebot.com/diffs/npm/postcss/8.5.8/8.5.15) | | [react](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react)) | dependencies | patch | [`19.2.4` → `19.2.7`](https://renovatebot.com/diffs/npm/react/19.2.4/19.2.7) | | [react-dom](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react-dom)) | dependencies | patch | [`19.2.4` → `19.2.7`](https://renovatebot.com/diffs/npm/react-dom/19.2.4/19.2.7) | | [vitest](https://vitest.dev) ([source](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest)) | devDependencies | patch | [`4.1.2` → `4.1.9`](https://renovatebot.com/diffs/npm/vitest/4.1.2/4.1.9) | | [yarn](https://github.com/yarnpkg/berry) ([source](https://github.com/yarnpkg/berry/tree/HEAD/packages/yarnpkg-cli)) | packageManager | minor | [`4.13.0` → `4.17.0`](https://renovatebot.com/diffs/npm/yarn/4.13.0/4.17.0) | --- ### Release Notes <details> <summary>postcss/autoprefixer (autoprefixer)</summary> ### [`v10.5.0`](https://github.com/postcss/autoprefixer/blob/HEAD/CHANGELOG.md#1050-Each-Endeavouring-All-Achieving) [Compare Source](https://github.com/postcss/autoprefixer/compare/10.4.27...10.5.0) - Added `mask-position-x` and `mask-position-y` support (by [@&#8203;toporek](https://github.com/toporek)). </details> <details> <summary>axios/axios (axios)</summary> ### [`v1.18.0`](https://github.com/axios/axios/releases/tag/v1.18.0) [Compare Source](https://github.com/axios/axios/compare/v1.17.0...v1.18.0) #### v1.18.0 — June 13, 2026 This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata. #### 🔒 Security Fixes - **Redirect Header Safety:** Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (**[#&#8203;10892](https://github.com/axios/axios/issues/10892)**) - **URL And Request Hardening:** Rejects malformed `http:` and `https:` URLs that omit `//` with `ERR_INVALID_URL`, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local `NO_PROXY` matching. (**[#&#8203;11000](https://github.com/axios/axios/issues/11000)**) #### 🐛 Bug Fixes - **Status Validation:** Added `transitional.validateStatusUndefinedResolves` so applications can opt in to treating `validateStatus: undefined` like the option was omitted, while `validateStatus: null` remains the explicit way to accept every status. (**[#&#8203;10899](https://github.com/axios/axios/issues/10899)**) #### 🔧 Maintenance & Chores - **Documentation:** Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the `proxy` request config as Node.js-only in the advanced docs. (**[#&#8203;10984](https://github.com/axios/axios/issues/10984)**, **[#&#8203;10988](https://github.com/axios/axios/issues/10988)**, **[#&#8203;10992](https://github.com/axios/axios/issues/10992)**, **[#&#8203;10995](https://github.com/axios/axios/issues/10995)**) - **Dependencies:** Bumped `@babel/core`, `@babel/preset-env`, `@commitlint/cli`, `@commitlint/config-conventional`, `@rollup/plugin-babel`, `@rollup/plugin-commonjs`, `@vitest/browser`, `@vitest/browser-playwright`, `eslint`, `lint-staged`, `rollup`, `vitest`, and `actions/checkout`. (**[#&#8203;10989](https://github.com/axios/axios/issues/10989)**, **[#&#8203;10996](https://github.com/axios/axios/issues/10996)**, **[#&#8203;10997](https://github.com/axios/axios/issues/10997)**) - **Release Metadata:** Prepared the 1.18.0 release by updating package metadata and the runtime `VERSION` value. (**[#&#8203;11003](https://github.com/axios/axios/issues/11003)**) #### 🌟 New Contributors We are thrilled to welcome our new contributors. Thank you for helping improve axios: - **[@&#8203;drori12](https://github.com/drori12)** (**[#&#8203;10984](https://github.com/axios/axios/issues/10984)**) - **[@&#8203;eyupcanakman](https://github.com/eyupcanakman)** (**[#&#8203;10899](https://github.com/axios/axios/issues/10899)**) - **[@&#8203;Adi-Beker](https://github.com/Adi-Beker)** (**[#&#8203;10995](https://github.com/axios/axios/issues/10995)**) [Full Changelog](https://github.com/axios/axios/compare/v1.17.0...v1.18.0) ### [`v1.17.0`](https://github.com/axios/axios/blob/HEAD/CHANGELOG.md#v1170--June-1-2026) [Compare Source](https://github.com/axios/axios/compare/v1.16.1...v1.17.0) This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions. ### [`v1.16.1`](https://github.com/axios/axios/blob/HEAD/CHANGELOG.md#v1161--May-13-2026) [Compare Source](https://github.com/axios/axios/compare/v1.16.0...v1.16.1) This release ships a defence-in-depth fix for prototype pollution in `formDataToJSON`, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements. ### [`v1.16.0`](https://github.com/axios/axios/blob/HEAD/CHANGELOG.md#v1160--May-2-2026) [Compare Source](https://github.com/axios/axios/compare/v1.15.2...v1.16.0) This release adds support for the QUERY HTTP method and a new `ECONNREFUSED` error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors. ### [`v1.15.2`](https://github.com/axios/axios/blob/HEAD/CHANGELOG.md#v1152---April-21-2026) [Compare Source](https://github.com/axios/axios/compare/v1.15.1...v1.15.2) This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in `allowedSocketPaths` allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs. ### [`v1.15.1`](https://github.com/axios/axios/blob/HEAD/CHANGELOG.md#v1151---April-19-2026) [Compare Source](https://github.com/axios/axios/compare/v1.15.0...v1.15.1) This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates. ### [`v1.15.0`](https://github.com/axios/axios/blob/HEAD/CHANGELOG.md#130-2023-01-31) [Compare Source](https://github.com/axios/axios/compare/v1.14.0...v1.15.0) ##### Bug Fixes - **headers:** fixed & optimized clear method; ([#&#8203;5507](https://github.com/axios/axios/issues/5507)) ([9915635](https://github.com/axios/axios/commit/9915635c69d0ab70daca5738488421f67ca60959)) - **http:** add zlib headers if missing ([#&#8203;5497](https://github.com/axios/axios/issues/5497)) ([65e8d1e](https://github.com/axios/axios/commit/65e8d1e28ce829f47a837e45129730e541950d3c)) ##### Features - **fomdata:** added support for spec-compliant FormData & Blob types; ([#&#8203;5316](https://github.com/axios/axios/issues/5316)) ([6ac574e](https://github.com/axios/axios/commit/6ac574e00a06731288347acea1e8246091196953)) ##### Contributors to this release - <img src="https://avatars.githubusercontent.com/u/12586868?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+352/-67 (#&#8203;5514 #&#8203;5512 #&#8203;5510 #&#8203;5509 #&#8203;5508 #&#8203;5316 #&#8203;5507 )") - <img src="https://avatars.githubusercontent.com/u/35015993?v&#x3D;4&amp;s&#x3D;18" alt="avatar" width="18"/> [ItsNotGoodName](https://github.com/ItsNotGoodName "+43/-2 (#&#8203;5497 )") ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### [1.2.6](https://github.com/axios/axios/compare/v1.2.5...v1.2.6) (2023-01-28) ##### Bug Fixes - **headers:** added missed Authorization accessor; ([#&#8203;5502](https://github.com/axios/axios/issues/5502)) ([342c0ba](https://github.com/axios/axios/commit/342c0ba9a16ea50f5ed7d2366c5c1a2c877e3f26)) - **types:** fixed `CommonRequestHeadersList` & `CommonResponseHeadersList` types to be private in commonJS; ([#&#8203;5503](https://github.com/axios/axios/issues/5503)) ([5a3d0a3](https://github.com/axios/axios/commit/5a3d0a3234d77361a1bc7cedee2da1e11df08e2c)) ##### Contributors to this release -  [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+24/-9 (#&#8203;5503 #&#8203;5502 )") ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### [1.2.5](https://github.com/axios/axios/compare/v1.2.4...v1.2.5) (2023-01-26) ##### Bug Fixes - **types:** fixed AxiosHeaders to handle spread syntax by making all methods non-enumerable; ([#&#8203;5499](https://github.com/axios/axios/issues/5499)) ([580f1e8](https://github.com/axios/axios/commit/580f1e8033a61baa38149d59fd16019de3932c22)) ##### Contributors to this release -  [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+82/-54 (#&#8203;5499 )") -  [Elliot Ford](https://github.com/EFord36 "+1/-1 (#&#8203;5462 )") ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### [1.2.4](https://github.com/axios/axios/compare/v1.2.3...v1.2.4) (2023-01-22) ##### Bug Fixes - **types:** renamed `RawAxiosRequestConfig` back to `AxiosRequestConfig`; ([#&#8203;5486](https://github.com/axios/axios/issues/5486)) ([2a71f49](https://github.com/axios/axios/commit/2a71f49bc6c68495fa419003a3107ed8bd703ad0)) - **types:** fix `AxiosRequestConfig` generic; ([#&#8203;5478](https://github.com/axios/axios/issues/5478)) ([9bce81b](https://github.com/axios/axios/commit/186ea062da8b7d578ae78b1a5c220986b9bce81b)) ##### Contributors to this release -  [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+242/-108 (#&#8203;5486 #&#8203;5482 )") -  [Daniel Hillmann](https://github.com/hilleer "+1/-1 (#&#8203;5478 )") ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### [1.2.3](https://github.com/axios/axios/compare/1.2.2...1.2.3) (2023-01-10) ##### Bug Fixes - **types:** fixed AxiosRequestConfig header interface by refactoring it to RawAxiosRequestConfig; ([#&#8203;5420](https://github.com/axios/axios/issues/5420)) ([0811963](https://github.com/axios/axios/commit/08119634a22f1d5b19f5c9ea0adccb6d3eebc3bc)) ##### Contributors to this release -  [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS "+938/-442 (#&#8203;5456 #&#8203;5455 #&#8203;5453 #&#8203;5451 #&#8203;5449 #&#8203;5447 #&#8203;5446 #&#8203;5443 #&#8203;5442 #&#8203;5439 #&#8203;5420 )") ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### \[1.2.2] - 2022-12-29 ##### Fixed - fix(ci): fix release script inputs [#&#8203;5392](https://github.com/axios/axios/pull/5392) - fix(ci): prerelease scipts [#&#8203;5377](https://github.com/axios/axios/pull/5377) - fix(ci): release scripts [#&#8203;5376](https://github.com/axios/axios/pull/5376) - fix(ci): typescript tests [#&#8203;5375](https://github.com/axios/axios/pull/5375) - fix: Brotli decompression [#&#8203;5353](https://github.com/axios/axios/pull/5353) - fix: add missing HttpStatusCode [#&#8203;5345](https://github.com/axios/axios/pull/5345) ##### Chores - chore(ci): set conventional-changelog header config [#&#8203;5406](https://github.com/axios/axios/pull/5406) - chore(ci): fix automatic contributors resolving [#&#8203;5403](https://github.com/axios/axios/pull/5403) - chore(ci): improved logging for the contributors list generator [#&#8203;5398](https://github.com/axios/axios/pull/5398) - chore(ci): fix release action [#&#8203;5397](https://github.com/axios/axios/pull/5397) - chore(ci): fix version bump script by adding bump argument for target version [#&#8203;5393](https://github.com/axios/axios/pull/5393) - chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 [#&#8203;5342](https://github.com/axios/axios/pull/5342) - chore(ci): GitHub Actions Release script [#&#8203;5384](https://github.com/axios/axios/pull/5384) - chore(ci): release scripts [#&#8203;5364](https://github.com/axios/axios/pull/5364) ##### Contributors to this release -  [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS) -  [Winnie](https://github.com/winniehell) #### \[1.2.1] - 2022-12-05 ##### Changed - feat(exports): export mergeConfig [#&#8203;5151](https://github.com/axios/axios/pull/5151) ##### Fixed - fix(CancelledError): include config [#&#8203;4922](https://github.com/axios/axios/pull/4922) - fix(general): removing multiple/trailing/leading whitespace [#&#8203;5022](https://github.com/axios/axios/pull/5022) - fix(headers): decompression for responses without Content-Length header [#&#8203;5306](https://github.com/axios/axios/pull/5306) - fix(webWorker): exception to sending form data in web worker [#&#8203;5139](https://github.com/axios/axios/pull/5139) ##### Refactors - refactor(types): AxiosProgressEvent.event type to any [#&#8203;5308](https://github.com/axios/axios/pull/5308) - refactor(types): add missing types for static AxiosError.from method [#&#8203;4956](https://github.com/axios/axios/pull/4956) ##### Chores - chore(docs): remove README link to non-existent upgrade guide [#&#8203;5307](https://github.com/axios/axios/pull/5307) - chore(docs): typo in issue template name [#&#8203;5159](https://github.com/axios/axios/pull/5159) ##### Contributors to this release - [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS) - [Zachary Lysobey](https://github.com/zachlysobey) - [Kevin Ennis](https://github.com/kevincennis) - [Philipp Loose](https://github.com/phloose) - [secondl1ght](https://github.com/secondl1ght) - [wenzheng](https://github.com/0x30) - [Ivan Barsukov](https://github.com/ovarn) - [Arthur Fiorette](https://github.com/arthurfiorette) ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### \[1.2.0] - 2022-11-10 ##### Changed - changed: refactored module exports [#&#8203;5162](https://github.com/axios/axios/pull/5162) - change: re-added support for loading Axios with require('axios').default [#&#8203;5225](https://github.com/axios/axios/pull/5225) ##### Fixed - fix: improve AxiosHeaders class [#&#8203;5224](https://github.com/axios/axios/pull/5224) - fix: TypeScript type definitions for commonjs [#&#8203;5196](https://github.com/axios/axios/pull/5196) - fix: type definition of use method on AxiosInterceptorManager to match the README [#&#8203;5071](https://github.com/axios/axios/pull/5071) - fix: \_\_dirname is not defined in the sandbox [#&#8203;5269](https://github.com/axios/axios/pull/5269) - fix: AxiosError.toJSON method to avoid circular references [#&#8203;5247](https://github.com/axios/axios/pull/5247) - fix: Z\_BUF\_ERROR when content-encoding is set but the response body is empty [#&#8203;5250](https://github.com/axios/axios/pull/5250) ##### Refactors - refactor: allowing adapters to be loaded by name [#&#8203;5277](https://github.com/axios/axios/pull/5277) ##### Chores - chore: force CI restart [#&#8203;5243](https://github.com/axios/axios/pull/5243) - chore: update ECOSYSTEM.md [#&#8203;5077](https://github.com/axios/axios/pull/5077) - chore: update get/index.html [#&#8203;5116](https://github.com/axios/axios/pull/5116) - chore: update Sandbox UI/UX [#&#8203;5205](https://github.com/axios/axios/pull/5205) - chore:(actions): remove git credentials after checkout [#&#8203;5235](https://github.com/axios/axios/pull/5235) - chore(actions): bump actions/dependency-review-action from 2 to 3 [#&#8203;5266](https://github.com/axios/axios/pull/5266) - chore(packages): bump loader-utils from 1.4.1 to 1.4.2 [#&#8203;5295](https://github.com/axios/axios/pull/5295) - chore(packages): bump engine.io from 6.2.0 to 6.2.1 [#&#8203;5294](https://github.com/axios/axios/pull/5294) - chore(packages): bump socket.io-parser from 4.0.4 to 4.0.5 [#&#8203;5241](https://github.com/axios/axios/pull/5241) - chore(packages): bump loader-utils from 1.4.0 to 1.4.1 [#&#8203;5245](https://github.com/axios/axios/pull/5245) - chore(docs): update Resources links in README [#&#8203;5119](https://github.com/axios/axios/pull/5119) - chore(docs): update the link for JSON url [#&#8203;5265](https://github.com/axios/axios/pull/5265) - chore(docs): fix broken links [#&#8203;5218](https://github.com/axios/axios/pull/5218) - chore(docs): update and rename UPGRADE\_GUIDE.md to MIGRATION\_GUIDE.md [#&#8203;5170](https://github.com/axios/axios/pull/5170) - chore(docs): typo fix line [#&#8203;856](https://github.com/axios/axios/issues/856) and [#&#8203;920](https://github.com/axios/axios/issues/920) [#&#8203;5194](https://github.com/axios/axios/pull/5194) - chore(docs): typo fix [#&#8203;800](https://github.com/axios/axios/issues/800) [#&#8203;5193](https://github.com/axios/axios/pull/5193) - chore(docs): fix typos [#&#8203;5184](https://github.com/axios/axios/pull/5184) - chore(docs): fix punctuation in README.md [#&#8203;5197](https://github.com/axios/axios/pull/5197) - chore(docs): update readme in the Handling Errors section - issue reference [#&#8203;5260](https://github.com/axios/axios/issues/5260) [#&#8203;5261](https://github.com/axios/axios/pull/5261) - chore: remove \b from filename [#&#8203;5207](https://github.com/axios/axios/pull/5207) - chore(docs): update CHANGELOG.md [#&#8203;5137](https://github.com/axios/axios/pull/5137) - chore: add sideEffects false to package.json [#&#8203;5025](https://github.com/axios/axios/pull/5025) ##### Contributors to this release - [Maddy Miller](https://github.com/me4502) - [Amit Saini](https://github.com/amitsainii) - [ecyrbe](https://github.com/ecyrbe) - [Ikko Ashimine](https://github.com/eltociear) - [Geeth Gunnampalli](https://github.com/thetechie7) - [Shreem Asati](https://github.com/shreem-123) - [Frieder Bluemle](https://github.com/friederbluemle) - [윤세영](https://github.com/yunseyeong) - [Claudio Busatto](https://github.com/cjcbusatto) - [Remco Haszing](https://github.com/remcohaszing) - [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS) - [Csaba Maulis](https://github.com/om4csaba) - [MoPaMo](https://github.com/MoPaMo) - [Daniel Fjeldstad](https://github.com/w3bdesign) - [Adrien Brunet](https://github.com/adrien-may) - [Frazer Smith](https://github.com/Fdawgs) - [HaiTao](https://github.com/836334258) - [AZM](https://github.com/aziyatali) - [relbns](https://github.com/relbns) ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### \[1.1.3] - 2022-10-15 ##### Added - Added custom params serializer support [#&#8203;5113](https://github.com/axios/axios/pull/5113) ##### Fixed - Fixed top-level export to keep them in-line with static properties [#&#8203;5109](https://github.com/axios/axios/pull/5109) - Stopped including null values to query string. [#&#8203;5108](https://github.com/axios/axios/pull/5108) - Restored proxy config backwards compatibility with 0.x [#&#8203;5097](https://github.com/axios/axios/pull/5097) - Added back AxiosHeaders in AxiosHeaderValue [#&#8203;5103](https://github.com/axios/axios/pull/5103) - Pin CDN install instructions to a specific version [#&#8203;5060](https://github.com/axios/axios/pull/5060) - Handling of array values fixed for AxiosHeaders [#&#8203;5085](https://github.com/axios/axios/pull/5085) ##### Chores - docs: match badge style, add link to them [#&#8203;5046](https://github.com/axios/axios/pull/5046) - chore: fixing comments typo [#&#8203;5054](https://github.com/axios/axios/pull/5054) - chore: update issue template [#&#8203;5061](https://github.com/axios/axios/pull/5061) - chore: added progress capturing section to the docs; [#&#8203;5084](https://github.com/axios/axios/pull/5084) ##### Contributors to this release - [Jason Saayman](https://github.com/jasonsaayman) - [scarf](https://github.com/scarf005) - [Lenz Weber-Tronic](https://github.com/phryneas) - [Arvindh](https://github.com/itsarvindh) - [Félix Legrelle](https://github.com/FelixLgr) - [Patrick Petrovic](https://github.com/ppati000) - [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS) - [littledian](https://github.com/littledian) - [ChronosMasterOfAllTime](https://github.com/ChronosMasterOfAllTime) ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### \[1.1.2] - 2022-10-07 ##### Fixed - Fixed broken exports for UMD builds. ##### Contributors to this release - [Jason Saayman](https://github.com/jasonsaayman) ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### \[1.1.1] - 2022-10-07 ##### Fixed - Fixed broken exports for common js. This fix breaks a prior fix, I will fix both issues ASAP but the commonJS use is more impactful. ##### Contributors to this release - [Jason Saayman](https://github.com/jasonsaayman) ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### \[1.1.0] - 2022-10-06 ##### Fixed - Fixed missing exports in type definition index.d.ts [#&#8203;5003](https://github.com/axios/axios/pull/5003) - Fixed query params composing [#&#8203;5018](https://github.com/axios/axios/pull/5018) - Fixed GenericAbortSignal interface by making it more generic [#&#8203;5021](https://github.com/axios/axios/pull/5021) - Fixed adding "clear" to AxiosInterceptorManager [#&#8203;5010](https://github.com/axios/axios/pull/5010) - Fixed commonjs & umd exports [#&#8203;5030](https://github.com/axios/axios/pull/5030) - Fixed inability to access response headers when using axios 1.x with Jest [#&#8203;5036](https://github.com/axios/axios/pull/5036) ##### Contributors to this release - [Trim21](https://github.com/trim21) - [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS) - [shingo.sasaki](https://github.com/s-sasaki-0529) - [Ivan Pepelko](https://github.com/ivanpepelko) - [Richard Kořínek](https://github.com/risa) ##### PRs - CVE 2023 45857 ( [#&#8203;6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` #### \[1.0.0] - 2022-10-04 ##### Added - Added stack trace to AxiosError [#&#8203;4624](https://github.com/axios/axios/pull/4624) - Add AxiosError to AxiosStatic [#&#8203;4654](https://github.com/axios/axios/pull/4654) - Replaced Rollup as our build runner [#&#8203;4596](https://github.com/axios/axios/pull/4596) - Added generic TS types for the exposed toFormData helper [#&#8203;4668](https://github.com/axios/axios/pull/4668) - Added listen callback function [#&#8203;4096](https://github.com/axios/axios/pull/4096) - Added instructions for installing using PNPM [#&#8203;4207](https://github.com/axios/axios/pull/4207) - Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill [#&#8203;4229](https://github.com/axios/axios/pull/4229) - Added axios-url-template in ECOSYSTEM.md [#&#8203;4238](https://github.com/axios/axios/pull/4238) - Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an axios instance [#&#8203;4248](https://github.com/axios/axios/pull/4248) - Added react hook plugin [#&#8203;4319](https://github.com/axios/axios/pull/4319) - Adding HTTP status code for transformResponse [#&#8203;4580](https://github.com/axios/axios/pull/4580) - Added blob to the list of protocols supported by the browser [#&#8203;4678](https://github.com/axios/axios/pull/4678) - Resolving proxy from env on redirect [#&#8203;4436](https://github.com/axios/axios/pull/4436) - Added enhanced toFormData implementation with additional options [4704](https://github.com/axios/axios/pull/4704) - Adding Canceler parameters config and request [#&#8203;4711](https://github.com/axios/axios/pull/4711) - Added automatic payload serialization to application/x-www-form-urlencoded [#&#8203;4714](https://github.com/axios/axios/pull/4714) - Added the ability for webpack users to overwrite built-ins [#&#8203;4715](https://github.com/axios/axios/pull/4715) - Added string\[] to AxiosRequestHeaders type [#&#8203;4322](https://github.com/axios/axios/pull/4322) - Added the ability for the url-encoded-form serializer to respect the formSerializer config [#&#8203;4721](https://github.com/axios/axios/pull/4721) - Added isCancel type assert [#&#8203;4293](https://github.com/axios/axios/pull/4293) - Added data URL support for node.js [#&#8203;4725](https://github.com/axios/axios/pull/4725) - Adding types for progress event callbacks [#&#8203;4675](https://github.com/axios/axios/pull/4675) - URL params serializer [#&#8203;4734](https://github.com/axios/axios/pull/4734) - Added axios.formToJSON method [#&#8203;4735](https://github.com/axios/axios/pull/4735) - Bower platform add data protocol [#&#8203;4804](https://github.com/axios/axios/pull/4804) - Use WHATWG URL API instead of url.parse() [#&#8203;4852](https://github.com/axios/axios/pull/4852) - Add ENUM containing Http Status Codes to typings [#&#8203;4903](https://github.com/axios/axios/pull/4903) - Improve typing of timeout in index.d.ts [#&#8203;4934](https://github.com/axios/axios/pull/4934) ##### Changed - Updated AxiosError.config to be optional in the type definition [#&#8203;4665](https://github.com/axios/axios/pull/4665) - Updated README emphasizing the URLSearchParam built-in interface over other solutions [#&#8203;4590](https://github.com/axios/axios/pull/4590) - Include request and config when creating a CanceledError instance [#&#8203;4659](https://github.com/axios/axios/pull/4659) - Changed func-names eslint rule to as-needed [#&#8203;4492](https://github.com/axios/axios/pull/4492) - Replacing deprecated substr() with slice() as substr() is deprecated [#&#8203;4468](https://github.com/axios/axios/pull/4468) - Updating HTTP links in README.md to use HTTPS [#&#8203;4387](https://github.com/axios/axios/pull/4387) - Updated to a better trim() polyfill [#&#8203;4072](https://github.com/axios/axios/pull/4072) - Updated types to allow specifying partial default headers on instance create [#&#8203;4185](https://github.com/axios/axios/pull/4185) - Expanded isAxiosError types [#&#8203;4344](https://github.com/axios/axios/pull/4344) - Updated type definition for axios instance methods [#&#8203;4224](https://github.com/axios/axios/pull/4224) - Updated eslint config [#&#8203;4722](https://github.com/axios/axios/pull/4722) - Updated Docs [#&#8203;4742](https://github.com/axios/axios/pull/4742) - Refactored Axios to use ES2017 [#&#8203;4787](https://github.com/axios/axios/pull/4787) ##### Deprecated - There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case. ##### Removed - Removed incorrect argument for NetworkError constructor [#&#8203;4656](https://github.com/axios/axios/pull/4656) - Removed Webpack [#&#8203;4596](https://github.com/axios/axios/pull/4596) - Removed function that transform arguments to array [#&#8203;4544](https://github.com/axios/axios/pull/4544) ##### Fixed - Fixed grammar in README [#&#8203;4649](https://github.com/axios/axios/pull/4649) - Fixed code error in README [#&#8203;4599](https://github.com/axios/axios/pull/4599) - Optimized the code that checks cancellation [#&#8203;4587](https://github.com/axios/axios/pull/4587) - Fix url pointing to defaults.js in README [#&#8203;4532](https://github.com/axios/axios/pull/4532) - Use type alias instead of interface for AxiosPromise [#&#8203;4505](https://github.com/axios/axios/pull/4505) - Fix some word spelling and lint style in code comments [#&#8203;4500](https://github.com/axios/axios/pull/4500) - Edited readme with 3 updated browser icons of Chrome, FireFox and Safari [#&#8203;4414](https://github.com/axios/axios/pull/4414) - Bump follow-redirects from 1.14.9 to 1.15.0 [#&#8203;4673](https://github.com/axios/axios/pull/4673) - Fixing http tests to avoid hanging when assertions fail [#&#8203;4435](https://github.com/axios/axios/pull/4435) - Fix TS definition for AxiosRequestTransformer [#&#8203;4201](https://github.com/axios/axios/pull/4201) - Fix grammatical issues in README [#&#8203;4232](https://github.com/axios/axios/pull/4232) - Fixing instance.defaults.headers type [#&#8203;4557](https://github.com/axios/axios/pull/4557) - Fixed race condition on immediate requests cancellation [#&#8203;4261](https://github.com/axios/axios/pull/4261) - Fixing Z\_BUF\_ERROR when no content [#&#8203;4701](https://github.com/axios/axios/pull/4701) - Fixing proxy beforeRedirect regression [#&#8203;4708](https://github.com/axios/axios/pull/4708) - Fixed AxiosError status code type [#&#8203;4717](https://github.com/axios/axios/pull/4717) - Fixed AxiosError stack capturing [#&#8203;4718](https://github.com/axios/axios/pull/4718) - Fixing AxiosRequestHeaders typings [#&#8203;4334](https://github.com/axios/axios/pull/4334) - Fixed max body length defaults [#&#8203;4731](https://github.com/axios/axios/pull/4731) - Fixed toFormData Blob issue on node>v17 [#&#8203;4728](https://github.com/axios/axios/pull/4728) - Bump grunt from 1.5.2 to 1.5.3 [#&#8203;4743](https://github.com/axios/axios/pull/4743) - Fixing content-type header repeated [#&#8203;4745](https://github.com/axios/axios/pull/4745) - Fixed timeout error message for http [4738](https://github.com/axios/axios/pull/4738) - Request ignores false, 0 and empty string as body values [#&#8203;4785](https://github.com/axios/axios/pull/4785) - Added back missing minified builds [#&#8203;4805](https://github.com/axios/axios/pull/4805) - Fixed a type error [#&#8203;4815](https://github.com/axios/axios/pull/4815) - Fixed a regression bug with unsubscribing from cancel token; [#&#8203;4819](https://github.com/axios/axios/pull/4819) - Remove repeated compression algorithm [#&#8203;4820](https://github.com/axios/axios/pull/4820) - The error of calling extend to pass parameters [#&#8203;4857](https://github.com/axios/axios/pull/4857) - SerializerOptions.indexes allows boolean | null | undefined [#&#8203;4862](https://github.com/axios/axios/pull/4862) - Require interceptors to return values [#&#8203;4874](https://github.com/axios/axios/pull/4874) - Removed unused imports [#&#8203;4949](https://github.com/axios/axios/pull/4949) - Allow null indexes on formSerializer and paramsSerializer [#&#8203;4960](https://github.com/axios/axios/pull/4960) ##### Chores - Set permissions for GitHub actions [#&#8203;4765](https://github.com/axios/axios/pull/4765) - Included githubactions in the dependabot config [#&#8203;4770](https://github.com/axios/axios/pull/4770) - Included dependency review [#&#8203;4771](https://github.com/axios/axios/pull/4771) - Update security.md [#&#8203;4784](https://github.com/axios/axios/pull/4784) - Remove unnecessary spaces [#&#8203;4854](https://github.com/axios/axios/pull/4854) - Simplify the import path of AxiosError [#&#8203;4875](https://github.com/axios/axios/pull/4875) - Fix Gitpod dead link [#&#8203;4941](https://github.com/axios/axios/pull/4941) - Enable syntax highlighting for a code block [#&#8203;4970](https://github.com/axios/axios/pull/4970) - Using Logo Axios in Readme.md [#&#8203;4993](https://github.com/axios/axios/pull/4993) - Fix markup for note in README [#&#8203;4825](https://github.com/axios/axios/pull/4825) - Fix typo and formatting, add colons [#&#8203;4853](https://github.com/axios/axios/pull/4853) - Fix typo in readme [#&#8203;4942](https://github.com/axios/axios/pull/4942) ##### Security - Update SECURITY.md [#&#8203;4687](https://github.com/axios/axios/pull/4687) ##### Contributors to this release - [Bertrand Marron](https://github.com/tusbar) - [Dmitriy Mozgovoy](https://github.com/DigitalBrainJS) - [Dan Mooney](https://github.com/danmooney) - [Michael Li](https://github.com/xiaoyu-tamu) - [aong](https://github.com/yxwzaxns) - [Des Preston](https://github.com/despreston) - [Ted Robertson](https://github.com/tredondo) - [zhoulixiang](https://github.com/zh-lx) - [Arthur Fiorette](https://github.com/arthurfiorette) - [Kumar Shanu](https://github.com/Kr-Shanu) - [JALAL](https://github.com/JLL32) - [Jingyi Lin](https://github.com/MageeLin) - [Philipp Loose](https://github.com/phloose) - [Alexander Shchukin](https://github.com/sashsvamir) - [Dave Cardwell](https://github.com/davecardwell) - [Cat Scarlet](https://github.com/catscarlet) - [Luca Pizzini](https://github.com/lpizzinidev) - [Kai](https://github.com/Schweinepriester) - [Maxime Bargiel](https://github.com/mbargiel) - [Brian Helba](https://github.com/brianhelba) - [reslear](https://github.com/reslear) - [Jamie Slome](https://github.com/JamieSlome) - [Landro3](https://github.com/Landro3) - [rafw87](https://github.com/rafw87) - [Afzal Sayed](https://github.com/afzalsayed96) - [Koki Oyatsu](https://github.com/kaishuu0123) - [Dave](https://github.com/wangcch) - [暴走老七](https://github.com/baozouai) - [Spencer](https://github.com/spalger) - [Adrian Wieprzkowicz](https://github.com/Argeento) - [Jamie Telin](https://github.com/lejahmie) - [毛呆](https://github.com/aweikalee) - [Kirill Shakirov](https://github.com/turisap) - [Rraji Abdelbari](https://github.com/estarossa0) - [Jelle Schutter](https://github.com/jelleschutter) - [Tom Ceuppens](https://github.com/KyorCode) - [Johann Cooper](https://github.com/JohannCooper) - [Dimitris Halatsis](https://github.com/mitsos1os) - [chenjigeng](https://github.com/chenjigeng) - [João Gabriel Quaresma](https://github.com/joaoGabriel55) - [Victor Augusto](https://github.com/VictorAugDB) - [neilnaveen](https://github.com/neilnaveen) - [Pavlos](https://github.com/psmoros) - [Kiryl Valkovich](https://github.com/visortelle) - [Naveen](https://github.com/naveensrinivasan) - [wenzheng](https://github.com/0x30) - [hcwhan](https://github.com/hcwhan) - [Bassel Rachid](https://github.com/basselworkforce) - [Grégoire Pineau](https://github.com/lyrixx) - [felipedamin](https://github.com/felipedamin) - [Karl Horky](https://github.com/karlhorky) - [Yue JIN](https://github.com/kingyue737) - [Usman Ali Siddiqui](https://github.com/usman250994) - [WD](https://github.com/techbirds) - [Günther Foidl](https://github.com/gfoidl) - [Stephen Jennings](https://github.com/jennings) - [C.T.Lin](https://github.com/chentsulin) - [mia-z](https://github.com/mia-z) - [Parth Banathia](https://github.com/Parth0105) - [parth0105pluang](https://github.com/parth0105pluang) - [Marco Weber](https://github.com/mrcwbr) - [Luca Pizzini](https://github.com/lpizzinidev) - [Willian Agostini](https://github.com/WillianAgostini) - [Huyen Nguyen](https://github.com/huyenltnguyen) </details> <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.5.0`](https://github.com/eslint/eslint/releases/tag/v10.5.0) [Compare Source](https://github.com/eslint/eslint/compare/v10.4.1...v10.5.0) #### Features - [`5ca8c52`](https://github.com/eslint/eslint/commit/5ca8c5278edea1fd84d3ba83d8ea3f52fb3831ad) feat: correct stack tracking in max-nested-callbacks ([#&#8203;20973](https://github.com/eslint/eslint/issues/20973)) (Pixel998) - [`b565783`](https://github.com/eslint/eslint/commit/b5657837604fa5e8cf1278074782025cadd34b6c) feat: report no-with violations at the with keyword ([#&#8203;20971](https://github.com/eslint/eslint/issues/20971)) (Pixel998) - [`2ce032f`](https://github.com/eslint/eslint/commit/2ce032fbc72a1a80c024c084a4f382fb6dece684) feat: report max-lines-per-function violations at function head ([#&#8203;20966](https://github.com/eslint/eslint/issues/20966)) (Pixel998) - [`732cb3e`](https://github.com/eslint/eslint/commit/732cb3e09d5b8b809b5f461d118a5d9fdcd6427f) feat: report max-nested-callbacks violations at function head ([#&#8203;20967](https://github.com/eslint/eslint/issues/20967)) (Pixel998) - [`f9c138a`](https://github.com/eslint/eslint/commit/f9c138a0ba7d8e37aed39aef4a3ff1cae8c669f7) feat: report max-depth violations on keywords ([#&#8203;20943](https://github.com/eslint/eslint/issues/20943)) (Pixel998) - [`bdb496c`](https://github.com/eslint/eslint/commit/bdb496cc0d54b6d0a023aef9abd5f040ccff2101) feat: correct max-depth handling for else-if chains ([#&#8203;20944](https://github.com/eslint/eslint/issues/20944)) (Pixel998) - [`c296873`](https://github.com/eslint/eslint/commit/c29687354a7f96093f57f7d73eecb866ad5e2953) feat: update error loc in `max-statements` to function header ([#&#8203;20907](https://github.com/eslint/eslint/issues/20907)) (Taejin Kim) #### Documentation - [`8ae1b5b`](https://github.com/eslint/eslint/commit/8ae1b5b856dc031cd6c701d89a4df7da4772cd56) docs: Update README (GitHub Actions Bot) - [`ca7eb90`](https://github.com/eslint/eslint/commit/ca7eb90127dcad917188bb1342623f02a272e781) docs: update Node.js prerequisites to include ICU support ([#&#8203;20962](https://github.com/eslint/eslint/issues/20962)) (Francesco Trotta) - [`f99b47a`](https://github.com/eslint/eslint/commit/f99b47a6799be25321552402a49303bb06a43fe4) docs: Update README (GitHub Actions Bot) - [`acf03d4`](https://github.com/eslint/eslint/commit/acf03d4eed31d259c7dc62af5b9640629784f7cc) docs: clarify precedence of parserOptions over languageOptions ([#&#8203;20926](https://github.com/eslint/eslint/issues/20926)) (sethamus) #### Chores - [`b18bf58`](https://github.com/eslint/eslint/commit/b18bf58c5ac748415ffffdff2d96980fbd6a57e8) chore: update ecosystem plugins ([#&#8203;20959](https://github.com/eslint/eslint/issues/20959)) (ESLint Bot) - [`c2d1444`](https://github.com/eslint/eslint/commit/c2d1444df77cb42e5a0b89ab70496879d180a54d) refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable ([#&#8203;20951](https://github.com/eslint/eslint/issues/20951)) (Taejin Kim) - [`243b8c5`](https://github.com/eslint/eslint/commit/243b8c56014bbbe63771185b0731d8dd4d1316e9) chore: enhance config-rule to support oneOf, anyOf, and nested schemas ([#&#8203;20788](https://github.com/eslint/eslint/issues/20788)) (kuldeep kumar) - [`217b2a9`](https://github.com/eslint/eslint/commit/217b2a91f46137c5ffd693965e71306c4c15ea6b) test: add unit tests for ParserService ([#&#8203;20949](https://github.com/eslint/eslint/issues/20949)) (Taejin Kim) - [`72003e7`](https://github.com/eslint/eslint/commit/72003e781d76bd4ee0d98a6601730d0b829070f9) test: add location information to error messages in `max-statements` ([#&#8203;20945](https://github.com/eslint/eslint/issues/20945)) (lumir) - [`7797c26`](https://github.com/eslint/eslint/commit/7797c266977b0bc4971aa79721813d480de72cd1) refactor: deduplicate isAnySegmentReachable across rules ([#&#8203;20890](https://github.com/eslint/eslint/issues/20890)) (Taejin Kim) - [`67c46fa`](https://github.com/eslint/eslint/commit/67c46fa6e4f34e88cc6bc82f8a0dcc917c65d257) chore: update ecosystem plugins ([#&#8203;20938](https://github.com/eslint/eslint/issues/20938)) (ESLint Bot) - [`95d8c7a`](https://github.com/eslint/eslint/commit/95d8c7a99f991abd8ab618d0ee2cbd4f58effc29) chore: update dependency [@&#8203;eslint/json](https://github.com/eslint/json) to v2 ([#&#8203;20934](https://github.com/eslint/eslint/issues/20934)) (renovate\[bot]) - [`cf9e496`](https://github.com/eslint/eslint/commit/cf9e496205142cd4971b9f98aed85866d1010b9c) chore: update [@&#8203;arethetypeswrong/cli](https://github.com/arethetypeswrong/cli) to 0.18.3 ([#&#8203;20933](https://github.com/eslint/eslint/issues/20933)) (Pixel998) - [`fb6d396`](https://github.com/eslint/eslint/commit/fb6d3960cacc51fc12383fa5ded2382adbf90c1c) test: run type tests with TypeScript 7 ([#&#8203;20868](https://github.com/eslint/eslint/issues/20868)) (sethamus) ### [`v10.4.1`](https://github.com/eslint/eslint/releases/tag/v10.4.1) [Compare Source](https://github.com/eslint/eslint/compare/v10.4.0...v10.4.1) #### Bug Fixes - [`e557467`](https://github.com/eslint/eslint/commit/e557467db7496220eebcbe2ac5ea6d38c12bb1ec) fix: update `@eslint/plugin-kit` version to 0.7.2 ([#&#8203;20930](https://github.com/eslint/eslint/issues/20930)) (Francesco Trotta) - [`d4ce898`](https://github.com/eslint/eslint/commit/d4ce898796ca22c3b96aa70d3014cb85f4bac1cd) fix: propagate failures from delegated commands ([#&#8203;20917](https://github.com/eslint/eslint/issues/20917)) (Minh Vu) - [`f4f3507`](https://github.com/eslint/eslint/commit/f4f3507460bc016b5be979c05d2969793f570cbf) fix: prefer-arrow-callback invalid autofix with newline after `async` ([#&#8203;20916](https://github.com/eslint/eslint/issues/20916)) (kuldeep kumar) - [`c5bc78b`](https://github.com/eslint/eslint/commit/c5bc78b37e08b9054a11f0cc2d81808bb24acb85) fix: false positive for reference in `finally` block ([#&#8203;20655](https://github.com/eslint/eslint/issues/20655)) (Tanuj Kanti) - [`27538c0`](https://github.com/eslint/eslint/commit/27538c01f5df4e9306f6f4ba867b2dd6307fae59) fix: add missing CodePath and CodePathSegment types ([#&#8203;20853](https://github.com/eslint/eslint/issues/20853)) (Pixel998) #### Documentation - [`61b0add`](https://github.com/eslint/eslint/commit/61b0add61ffc52665562be7bb96f526690a78b30) docs: remove deprecated rule from related rules of `max-params` ([#&#8203;20921](https://github.com/eslint/eslint/issues/20921)) (Tanuj Kanti) - [`305d5b9`](https://github.com/eslint/eslint/commit/305d5b91aeac24d36fde42f75625a8f183d4ce43) docs: remove deprecated rules from related rules section ([#&#8203;20911](https://github.com/eslint/eslint/issues/20911)) (Tanuj Kanti) - [`49b0202`](https://github.com/eslint/eslint/commit/49b0202d01918b8061720d586dffd7c68047090c) docs: fix `display: none` of ad ([#&#8203;20901](https://github.com/eslint/eslint/issues/20901)) (Tanuj Kanti) - [`9067f94`](https://github.com/eslint/eslint/commit/9067f9492ec998afc5b4f057a477ecf6ebd45e44) docs: switch build to Node.js 24 ([#&#8203;20893](https://github.com/eslint/eslint/issues/20893)) (Milos Djermanovic) - [`c91b041`](https://github.com/eslint/eslint/commit/c91b0417e3420c76807ce1fa2aea76e2de87ab86) docs: Update README (GitHub Actions Bot) - [`e349265`](https://github.com/eslint/eslint/commit/e349265cb37f3ebc837e178e48a725bb782bd870) docs: clarify semver strings in rule deprecation objects ([#&#8203;20885](https://github.com/eslint/eslint/issues/20885)) (Milos Djermanovic) #### Chores - [`b0e466b`](https://github.com/eslint/eslint/commit/b0e466b6ab47bfc7de43d8de0c315d8ee83aa584) test: add `data` property to invalid tests cases for rules ([#&#8203;20924](https://github.com/eslint/eslint/issues/20924)) (Tanuj Kanti) - [`f78838b`](https://github.com/eslint/eslint/commit/f78838bc4c86d487e1bcc7cede260c4467721c46) test: add CodePath type coverage ([#&#8203;20904](https://github.com/eslint/eslint/issues/20904)) (Pixel998) - [`1daa4bd`](https://github.com/eslint/eslint/commit/1daa4bd734b79a62e317d0394394a6b38cff49f9) chore: update `eslint-plugin-eslint-comments` test data to latest commit ([#&#8203;20922](https://github.com/eslint/eslint/issues/20922)) (Francesco Trotta) - [`002942c`](https://github.com/eslint/eslint/commit/002942ce988ea28b78e0a2f3b074081e638b552c) ci: declare contents:read on update-readme workflow ([#&#8203;20919](https://github.com/eslint/eslint/issues/20919)) (Arpit Jain) - [`64bca24`](https://github.com/eslint/eslint/commit/64bca24e7bed35bc3c864fc625cb2d89eca87d5b) chore: update ecosystem plugins ([#&#8203;20912](https://github.com/eslint/eslint/issues/20912)) (ESLint Bot) - [`6d7c832`](https://github.com/eslint/eslint/commit/6d7c832950d5e92499d88e504080661f888f8f56) chore: ignore fflate updates in renovate ([#&#8203;20908](https://github.com/eslint/eslint/issues/20908)) (Pixel998) - [`b2c8638`](https://github.com/eslint/eslint/commit/b2c86382164d87c6203b78d52068cd6a2a6ffe30) ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 ([#&#8203;20889](https://github.com/eslint/eslint/issues/20889)) (dependabot\[bot]) - [`a9b8d7f`](https://github.com/eslint/eslint/commit/a9b8d7f74c50211701cfc49710fa541fd91b2aa5) chore: increase maxBuffer for ecosystem tests ([#&#8203;20881](https://github.com/eslint/eslint/issues/20881)) (sethamus) - [`b702ead`](https://github.com/eslint/eslint/commit/b702ead5e1ed7cb9f28238a454797662efb37396) chore: update ecosystem update PR settings ([#&#8203;20884](https://github.com/eslint/eslint/issues/20884)) (Pixel998) - [`507f60e`](https://github.com/eslint/eslint/commit/507f60e9a78c9a902bc8759f066ae17a1ea6cd81) chore: update ecosystem plugins ([#&#8203;20882](https://github.com/eslint/eslint/issues/20882)) (ESLint Bot) - [`92f5c5b`](https://github.com/eslint/eslint/commit/92f5c5bb6bf3a5d167c8ee53a430833410295c6d) test: add unit test for message-count ([#&#8203;20878](https://github.com/eslint/eslint/issues/20878)) (kuldeep kumar) - [`df32108`](https://github.com/eslint/eslint/commit/df321080af5758b1fa25e4b9a40e26135642dd6e) chore: add [@&#8203;eslint/markdown](https://github.com/eslint/markdown) and typescript-eslint ecosystem tests ([#&#8203;20837](https://github.com/eslint/eslint/issues/20837)) (sethamus) - [`327f91d`](https://github.com/eslint/eslint/commit/327f91d36aa49f2a50ded931d841a16374fd875f) chore: use includeIgnoreFile internally ([#&#8203;20876](https://github.com/eslint/eslint/issues/20876)) (Kirk Waiblinger) - [`f0dc4bd`](https://github.com/eslint/eslint/commit/f0dc4bd893fb3a9f44e4ddc3ad7063ffb0beacd3) chore: pin fflate\@&#8203;0.8.2 ([#&#8203;20877](https://github.com/eslint/eslint/issues/20877)) (Milos Djermanovic) - [`0f4bd25`](https://github.com/eslint/eslint/commit/0f4bd257a67a082b756de746d9e0c4842ab764ca) ci: run Discord alert for ecosystem test failures ([#&#8203;20873](https://github.com/eslint/eslint/issues/20873)) (Copilot) ### [`v10.4.0`](https://github.com/eslint/eslint/releases/tag/v10.4.0) [Compare Source](https://github.com/eslint/eslint/compare/v10.3.0...v10.4.0) #### Features - [`1a45ec5`](https://github.com/eslint/eslint/commit/1a45ec596af1dd5f880e6874cb8f24dafb6a7ecf) feat: check sequence expressions in `for-direction` ([#&#8203;20701](https://github.com/eslint/eslint/issues/20701)) (kuldeep kumar) - [`450040b`](https://github.com/eslint/eslint/commit/450040bd89b989b3531824c6be45feb5fe3d936b) feat: add `includeIgnoreFile()` to `eslint/config` ([#&#8203;20735](https://github.com/eslint/eslint/issues/20735)) (Kirk Waiblinger) #### Bug Fixes - [`544c0c3`](https://github.com/eslint/eslint/commit/544c0c3da589166ad8e5d634f35d3d06701c57be) fix: escape code path DOT labels in debug output ([#&#8203;20866](https://github.com/eslint/eslint/issues/20866)) (Pixel998) - [`6799431`](https://github.com/eslint/eslint/commit/6799431203f2579632d0870f98ba132067f4040c) fix: update dependency [@&#8203;eslint/config-helpers](https://github.com/eslint/config-helpers) to ^0.6.0 ([#&#8203;20850](https://github.com/eslint/eslint/issues/20850)) (renovate\[bot]) - [`f078fef`](https://github.com/eslint/eslint/commit/f078fef5005dceb14fc162aab7c7200e027688dd) fix: handle non-array deprecated rule replacements ([#&#8203;20825](https://github.com/eslint/eslint/issues/20825)) (xbinaryx) #### Documentation - [`7e52a71`](https://github.com/eslint/eslint/commit/7e52a7151fb92eec0e0f67fe4e5ddbd1ccce796f) docs: add mention of `@eslint-react/eslint-plugin` ([#&#8203;20869](https://github.com/eslint/eslint/issues/20869)) (Pavel) - [`db3468b`](https://github.com/eslint/eslint/commit/db3468ba746407d7f286f18f7ea9db6df0e3bc08) docs: tweak wording around ambiguous CJS-vs-ESM config ([#&#8203;20865](https://github.com/eslint/eslint/issues/20865)) (Kirk Waiblinger) - [`9084664`](https://github.com/eslint/eslint/commit/90846643ec6e97d447ae0d831fabe6d17b0a998a) docs: Update README (GitHub Actions Bot) - [`9cc7387`](https://github.com/eslint/eslint/commit/9cc73875046e3c4b8313644cbb1e99e26b36bd3f) docs: Update README (GitHub Actions Bot) - [`3d7b548`](https://github.com/eslint/eslint/commit/3d7b5484407403817aa9071a394d336d8ea96eb5) docs: Update README (GitHub Actions Bot) - [`191ec3c`](https://github.com/eslint/eslint/commit/191ec3c0a3f94ce0f110df761f0b2b8949011ccb) docs: Update README (GitHub Actions Bot) #### Chores - [`6616856`](https://github.com/eslint/eslint/commit/6616856f28fa514a30f87b5539fc100d739a94bf) chore: upgrade knip to v6 ([#&#8203;20875](https://github.com/eslint/eslint/issues/20875)) (Pixel998) - [`d13b084`](https://github.com/eslint/eslint/commit/d13b084a3ad02f926e9addaa35fc383759ea5554) ci: ensure auto-created PRs run CI ([#&#8203;20860](https://github.com/eslint/eslint/issues/20860)) (lumir) - [`e71c7af`](https://github.com/eslint/eslint/commit/e71c7af86dce9acc1d18cb12d2184309f6841594) ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 ([#&#8203;20862](https://github.com/eslint/eslint/issues/20862)) (dependabot\[bot]) - [`d84393d`](https://github.com/eslint/eslint/commit/d84393dea170f54191fd20c8268b52c81c0ccd99) test: add unit tests for SuppressionsService.applySuppressions() ([#&#8203;20863](https://github.com/eslint/eslint/issues/20863)) (kuldeep kumar) - [`24db8cb`](https://github.com/eslint/eslint/commit/24db8cb8e6f07fba667121777a15b1785486be94) test: add tests for SuppressionsService.save() ([#&#8203;20802](https://github.com/eslint/eslint/issues/20802)) (kuldeep kumar) - [`2ef0549`](https://github.com/eslint/eslint/commit/2ef0549cac4a9537e4c3a26b9f3edd4c99476bf6) chore: update ecosystem plugins ([#&#8203;20857](https://github.com/eslint/eslint/issues/20857)) (github-actions\[bot]) - [`a429791`](https://github.com/eslint/eslint/commit/a4297918d264d229a06cd96051ef9b91c7b86732) ci: remove `eslint-webpack-plugin` types integration test ([#&#8203;20668](https://github.com/eslint/eslint/issues/20668)) (Milos Djermanovic) - [`9e37386`](https://github.com/eslint/eslint/commit/9e37386aa7f2ce220b2ef74a6afbac5f6b3527c5) chore: replace `recast` with range approach in code-sample-minimizer ([#&#8203;20682](https://github.com/eslint/eslint/issues/20682)) (Copilot) - [`0dd1f9f`](https://github.com/eslint/eslint/commit/0dd1f9ffc9a07704d46e2a4c8d4ccc0d0908b0c0) test: disable warning for `vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER` ([#&#8203;20845](https://github.com/eslint/eslint/issues/20845)) (Francesco Trotta) - [`9da3c7b`](https://github.com/eslint/eslint/commit/9da3c7bc92d9579f8db19ecb56e718538d09db2b) refactor: remove deprecated `meta.language` and migrate `meta.dialects` ([#&#8203;20716](https://github.com/eslint/eslint/issues/20716)) (Pixel998) - [`2099ed1`](https://github.com/eslint/eslint/commit/2099ed12a0a74c3d7f0808514362af2499b4fe2b) refactor: add `meta.defaultOptions` to more rules, enable linting ([#&#8203;20800](https://github.com/eslint/eslint/issues/20800)) (xbinaryx) - [`f1dfbc9`](https://github.com/eslint/eslint/commit/f1dfbc9ca57196de7092e1888cc99427bd6fe06e) chore: update ecosystem plugins ([#&#8203;20836](https://github.com/eslint/eslint/issues/20836)) (github-actions\[bot]) - [`c759413`](https://github.com/eslint/eslint/commit/c75941390c14728806cd4baef4f6072f6de78318) ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 ([#&#8203;20843](https://github.com/eslint/eslint/issues/20843)) (dependabot\[bot]) - [`5b817d6`](https://github.com/eslint/eslint/commit/5b817d6fdc9ae2c35b528dc662b2eca8f40f64aa) test: add unit tests for lib/shared/ast-utils ([#&#8203;20838](https://github.com/eslint/eslint/issues/20838)) (kuldeep kumar) - [`1c13ae3`](https://github.com/eslint/eslint/commit/1c13ae3934c198c494e5958fa3a68b33244ff06a) test: add unit tests for lib/shared/severity ([#&#8203;20835](https://github.com/eslint/eslint/issues/20835)) (kuldeep kumar) ### [`v10.3.0`](https://github.com/eslint/eslint/releases/tag/v10.3.0) [Compare Source](https://github.com/eslint/eslint/compare/v10.2.1...v10.3.0) #### Features - [`379571a`](https://github.com/eslint/eslint/commit/379571a975f2b24d88037b9de2e72ec61d004130) feat: add suggestions for no-unused-private-class-members ([#&#8203;20773](https://github.com/eslint/eslint/issues/20773)) (sethamus) #### Bug Fixes - [`b6ae5cf`](https://github.com/eslint/eslint/commit/b6ae5cf07b9b51802367539cb24b245b61eaa37c) fix: handle unavailable require cache ([#&#8203;20812](https://github.com/eslint/eslint/issues/20812)) (Simon Podlipsky) - [`6fb3685`](https://github.com/eslint/eslint/commit/6fb3685bcbe9a6f72fd7dfb9129686b6fb96b0bd) fix: rule suggestions cause continuation in class body ([#&#8203;20787](https://github.com/eslint/eslint/issues/20787)) (Milos Djermanovic) #### Documentation - [`32cc7ab`](https://github.com/eslint/eslint/commit/32cc7ab4ec653ce89da92deb5c40a9f4fc707fe5) docs: fix typos in docs and comments ([#&#8203;20809](https://github.com/eslint/eslint/issues/20809)) (Tanuj Kanti) - [`7f47937`](https://github.com/eslint/eslint/commit/7f479376a2fa463d823ab762db6bb37ce8d2ee8f) docs: Update README (GitHub Actions Bot) #### Chores - [`d32235e`](https://github.com/eslint/eslint/commit/d32235ec19ceea211fa86452afa383ca05f5c2f9) ci: use pnpm in `eslint-flat-config-utils` type integration test ([#&#8203;20826](https://github.com/eslint/eslint/issues/20826)) (Francesco Trotta) - [`3ffb14e`](https://github.com/eslint/eslint/commit/3ffb14ea517de750ed1181579ef844af342e4096) chore: clean up typos in comments and JSDoc ([#&#8203;20821](https://github.com/eslint/eslint/issues/20821)) (Pixel998) - [`22eb58a`](https://github.com/eslint/eslint/commit/22eb58a21cbde2fbd53a1fae99453d408672de50) chore: add missing continue-on-error to ecosystem-tests.yml ([#&#8203;20818](https://github.com/eslint/eslint/issues/20818)) (Josh Goldberg ✨) - [`88bf002`](https://github.com/eslint/eslint/commit/88bf0024cb36caebf2880516d9a1f81aa75dafe2) ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 ([#&#8203;20815](https://github.com/eslint/eslint/issues/20815)) (dependabot\[bot]) - [`97c8c33`](https://github.com/eslint/eslint/commit/97c8c330beae9557ad24e19f94eebc8d08d1a722) chore: update ilshidur/action-discord action to v0.4.0 ([#&#8203;20811](https://github.com/eslint/eslint/issues/20811)) (renovate\[bot]) - [`2f58136`](https://github.com/eslint/eslint/commit/2f58136dd47364a4cae7054a64f7bf1e79693813) chore: pin peter-evans/create-pull-request action to [`5f6978f`](https://github.com/eslint/eslint/commit/5f6978f) ([#&#8203;20810](https://github.com/eslint/eslint/issues/20810)) (renovate\[bot]) - [`77add7f`](https://github.com/eslint/eslint/commit/77add7f1bc91ed17bba3be3289928a9146c5f5a1) chore: add initial ecosystem plugin tests workflow ([#&#8203;19643](https://github.com/eslint/eslint/issues/19643)) (Josh Goldberg ✨) - [`4023b55`](https://github.com/eslint/eslint/commit/4023b55490fae55e464fe35530ef038cdf5d79a5) test: Add unit tests for SuppressionsService.prune() ([#&#8203;20797](https://github.com/eslint/eslint/issues/20797)) (kuldeep kumar) - [`54080da`](https://github.com/eslint/eslint/commit/54080dad4f77bb39a1a843933d4ff3a2b7c175e2) test: add unit tests for ForkContext ([#&#8203;20778](https://github.com/eslint/eslint/issues/20778)) (kuldeep kumar) - [`f0e2bcc`](https://github.com/eslint/eslint/commit/f0e2bcc4bf19253aaebfbd7df87824b0ca4a151f) test: add unit tests for SuppressionsService.suppress() method ([#&#8203;20765](https://github.com/eslint/eslint/issues/20765)) (kuldeep kumar) - [`a7f0b94`](https://github.com/eslint/eslint/commit/a7f0b94743a99bcdf8d07cff15ffbfa6a6c5f927) chore: update dependency prettier to v3.8.3 ([#&#8203;20782](https://github.com/eslint/eslint/issues/20782)) (renovate\[bot]) - [`7bf93d9`](https://github.com/eslint/eslint/commit/7bf93d9e79f6dbf77242cbb9a9b8be834730fccd) chore: update TypeScript to v6 ([#&#8203;20677](https://github.com/eslint/eslint/issues/20677)) (sethamus) - [`b42dd72`](https://github.com/eslint/eslint/commit/b42dd72e76e7f90e7f0be9458288d93353052adc) ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 ([#&#8203;20781](https://github.com/eslint/eslint/issues/20781)) (dependabot\[bot]) - [`2b252be`](https://github.com/eslint/eslint/commit/2b252be80f362cca7be3326a6dbe958680fdfe9a) test: add unit tests for IdGenerator ([#&#8203;20775](https://github.com/eslint/eslint/issues/20775)) (kuldeep kumar) ### [`v10.2.1`](https://github.com/eslint/eslint/releases/tag/v10.2.1) [Compare Source](https://github.com/eslint/eslint/compare/v10.2.0...v10.2.1) #### Bug Fixes - [`14be92b`](https://github.com/eslint/eslint/commit/14be92b6d1fa0923b8923830f2208e5e2705b002) fix: model generator yield resumption paths in code path analysis ([#&#8203;20665](https://github.com/eslint/eslint/issues/20665)) (sethamus) - [`84a19d2`](https://github.com/eslint/eslint/commit/84a19d2c32255db6b9cfc08644a607aae6d5cb62) fix: no-async-promise-executor false positives for shadowed Promise ([#&#8203;20740](https://github.com/eslint/eslint/issues/20740)) (xbinaryx) - [`af764af`](https://github.com/eslint/eslint/commit/af764af0ec38225755fbf8a6f207f0c77b595a8d) fix: clarify language and processor validation errors ([#&#8203;20729](https://github.com/eslint/eslint/issues/20729)) (Pixel998) - [`e251b89`](https://github.com/eslint/eslint/commit/e251b89a38280973e468a4a9386c138f4f55d10d) fix: update eslint ([#&#8203;20715](https://github.com/eslint/eslint/issues/20715)) (renovate\[bot]) #### Documentation - [`ca92ca0`](https://github.com/eslint/eslint/commit/ca92ca0fb4599e8de1e2fb914e695fe7397cbe63) docs: reuse markdown-it instance for markdown filter ([#&#8203;20768](https://github.com/eslint/eslint/issues/20768)) (Amaresh S M) - [`57d2ee2`](https://github.com/eslint/eslint/commit/57d2ee213305cee0cb55ef08e0480b57396269a9) docs: Enable Eleventy incremental mode for watch ([#&#8203;20767](https://github.com/eslint/eslint/issues/20767)) (Amaresh S M) - [`c1621b9`](https://github.com/eslint/eslint/commit/c1621b915742276e5f4b25efe790ca62296330dc) docs: fix typos in code-path-analyzer.js ([#&#8203;20700](https://github.com/eslint/eslint/issues/20700)) (Ayush Shukla) - [`1418d52`](https://github.com/eslint/eslint/commit/1418d522d10bde1960f4942afb548bc7160ec49e) docs: Update README (GitHub Actions Bot) - [`39771e6`](https://github.com/eslint/eslint/commit/39771e6e600f0b0617fdeafff6dd07e4211ffde6) docs: Update README (GitHub Actions Bot) - [`71e0469`](https://github.com/eslint/eslint/commit/71e04693def2df57268f08f3072a2749df6bf438) docs: fix incomplete JSDoc param description in no-shadow rule ([#&#8203;20728](https://github.com/eslint/eslint/issues/20728)) (kuldeep kumar) - [`22119ce`](https://github.com/eslint/eslint/commit/22119ceb93e28f62262fc1d98ff1b1442d6e2dbf) docs: clarify scope of for-direction rule with dead code examples ([#&#8203;20723](https://github.com/eslint/eslint/issues/20723)) (Amaresh S M) - [`8f3fb77`](https://github.com/eslint/eslint/commit/8f3fb77f122a5641d1833cad5d93f3f54fa3be0b) docs: document `meta.docs.dialects` ([#&#8203;20718](https://github.com/eslint/eslint/issues/20718)) (Pixel998) #### Chores - [`7ddfea9`](https://github.com/eslint/eslint/commit/7ddfea9c4f62add1588c5c0b0da568c299246383) chore: update dependency prettier to v3.8.2 ([#&#8203;20770](https://github.com/eslint/eslint/issues/20770)) (renovate\[bot]) - [`fac40e1`](https://github.com/eslint/eslint/commit/fac40e1de2ba7646cc7cd2d3f93fbdd1f8819001) ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 ([#&#8203;20763](https://github.com/eslint/eslint/issues/20763)) (dependabot\[bot]) - [`7246f92`](https://github.com/eslint/eslint/commit/7246f923332522d8b3d46b6ee646fce88535f3fb) test: add tests for SuppressionsService.load() error handling ([#&#8203;20734](https://github.com/eslint/eslint/issues/20734)) (kuldeep kumar) - [`4f34b1e`](https://github.com/eslint/eslint/commit/4f34b1e592b0f63d766d9903998e8e36eb49d3aa) chore: update pnpm/action-setup action to v5 ([#&#8203;20762](https://github.com/eslint/eslint/issues/20762)) (renovate\[bot]) - [`51080eb`](https://github.com/eslint/eslint/commit/51080eb5c98d619434e4835dbe9f1c6654aca3b8) test: processor service ([#&#8203;20731](https://github.com/eslint/eslint/issues/20731)) (kuldeep kumar) - [`e7e1889`](https://github.com/eslint/eslint/commit/e7e1889fca9b6044e08f41b38df20a1ce45808c8) chore: remove stale babel-eslint10 fixture and test ([#&#8203;20727](https://github.com/eslint/eslint/issues/20727)) (kuldeep kumar) - [`4e1a87c`](https://github.com/eslint/eslint/commit/4e1a87cb8fb90e309524bc36bc5f31b9f9cfaa76) test: remove redundant async/await in flat config array tests ([#&#8203;20722](https://github.com/eslint/eslint/issues/20722)) (Pixel998) - [`066eabb`](https://github.com/eslint/eslint/commit/066eabb3643b12931f991594969bcc0028f71a5f) test: add rule metadata coverage for `languages` and `docs.dialects` ([#&#8203;20717](https://github.com/eslint/eslint/issues/20717)) (Pixel998) ### [`v10.2.0`](https://github.com/eslint/eslint/releases/tag/v10.2.0) [Compare Source](https://github.com/eslint/eslint/compare/v10.1.0...v10.2.0) #### Features - [`586ec2f`](https://github.com/eslint/eslint/commit/586ec2f43092779acc957866db4abe999112d1e1) feat: Add `meta.languages` support to rules ([#&#8203;20571](https://github.com/eslint/eslint/issues/20571)) (Copilot) - [`14207de`](https://github.com/eslint/eslint/commit/14207dee3939dc87cfa8b2fcfc271fff2cfd6471) feat: add `Temporal` to `no-obj-calls` ([#&#8203;20675](https://github.com/eslint/eslint/issues/20675)) (Pixel998) - [`bbb2c93`](https://github.com/eslint/eslint/commit/bbb2c93a2b31bd30924f32fe69a9acf41f9dfe35) feat: add Temporal to ES2026 globals ([#&#8203;20672](https://github.com/eslint/eslint/issues/20672)) (Pixel998) #### Bug Fixes - [`542cb3e`](https://github.com/eslint/eslint/commit/542cb3e6442a4e6ee3457c799e2a0ee23bef0c6a) fix: update first-party dependencies ([#&#8203;20714](https://github.com/eslint/eslint/issues/20714)) (Francesco Trotta) #### Documentation - [`a2af743`](https://github.com/eslint/eslint/commit/a2af743ea60f683d0e0de9d98267c1e7e4f5e412) docs: add `language` to configuration objects ([#&#8203;20712](https://github.com/eslint/eslint/issues/20712)) (Francesco Trotta) - [`845f23f`](https://github.com/eslint/eslint/commit/845f23f1370892bf07d819497ac518c9e65090d6) docs: Update README (GitHub Actions Bot) - [`5fbcf59`](https://github.com/eslint/eslint/commit/5fbcf5958b897cc4df5d652924d18428db37f7ee) docs: remove `sourceType` from ts playground link ([#&#8203;20477](https://github.com/eslint/eslint/issues/20477)) (Tanuj Kanti) - [`8702a47`](https://github.com/eslint/eslint/commit/8702a474659be786b6b1392e5e7c0c56355ae4a4) docs: Update README (GitHub Actions Bot) - [`ddeaded`](https://github.com/eslint/eslint/commit/ddeaded2ab36951383ff67c60fb64ec68d29a46a) docs: Update README (GitHub Actions Bot) - [`2b44966`](https://github.com/eslint/eslint/commit/2b4496691266547784a7f7ad1989ce53381bab91) docs: add Major Releases section to Manage Releases ([#&#8203;20269](https://github.com/eslint/eslint/issues/20269)) (Milos Djermanovic) - [`eab65c7`](https://github.com/eslint/eslint/commit/eab65c700ebb16a6e790910c720450c9908961fd) docs: update `eslint` versions in examples ([#&#8203;20664](https://github.com/eslint/eslint/issues/20664)) (루밀LuMir) - [`3e4a299`](https://github.com/eslint/eslint/commit/3e4a29903bf31f0998e45ad9128a265bce1edc56) docs: update ESM Dependencies policies with note for own-usage packages ([#&#8203;20660](https://github.com/eslint/eslint/issues/20660)) (Milos Djermanovic) #### Chores - [`8120e30`](https://github.com/eslint/eslint/commit/8120e30f833474f47acc061d24d164e9f022264f) refactor: extract no unmodified loop condition ([#&#8203;20679](https://github.com/eslint/eslint/issues/20679)) (kuldeep kumar) - [`46e8469`](https://github.com/eslint/eslint/commit/46e8469786be1b2bbb522100e1d44624d98d3745) chore: update dependency markdownlint-cli2 to ^0.22.0 ([#&#8203;20697](https://github.com/eslint/eslint/issues/20697)) (renovate\[bot]) - [`01ed3aa`](https://github.com/eslint/eslint/commit/01ed3aa68477f81a7188e1498cf4906e02015b7c) test: add unit tests for unicode utilities ([#&#8203;20622](https://github.com/eslint/eslint/issues/20622)) (Manish chaudhary) - [`811f493`](https://github.com/eslint/eslint/commit/811f4930f82ee2b6ac8eae75cade9bed63de0781) ci: remove `--legacy-peer-deps` from types integration tests ([#&#8203;20667](https://github.com/eslint/eslint/issues/20667)) (Milos Djermanovic) - [`6b86fcf`](https://github.com/eslint/eslint/commit/6b86fcfc5c75d6a3b8a2cf7bcdb3ef60635a9a03) chore: update dependency npm-run-all2 to v8 ([#&#8203;20663](https://github.com/eslint/eslint/issues/20663)) (renovate\[bot]) - [`632c4f8`](https://github.com/eslint/eslint/commit/632c4f83bf32b77981c7d395cacddd1bb172ee25) chore: add `prettier` update commit to `.git-blame-ignore-revs` ([#&#8203;20662](https://github.com/eslint/eslint/issues/20662)) (루밀LuMir) - [`b0b0f21`](https://github.com/eslint/eslint/commit/b0b0f21927e03ba092400e3c70d7058f537765c8) chore: update dependency eslint-plugin-regexp to ^3.1.0 ([#&#8203;20659](https://github.com/eslint/eslint/issues/20659)) (Milos Djermanovic) - [`228a2dd`](https://github.com/eslint/eslint/commit/228a2dd4b272c17f516ee3541f1dd69eca0a8ab0) chore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 ([#&#8203;20661](https://github.com/eslint/eslint/issues/20661)) (Milos Djermanovic) - [`3ab4d7e`](https://github.com/eslint/eslint/commit/3ab4d7e244df244102de9d0d250b2ff12456a785) test: Add tests for eslintrc-style keys ([#&#8203;20645](https://github.com/eslint/eslint/issues/20645)) (kuldeep kumar) </details> <details> <summary>vercel/next.js (eslint-config-next)</summary> ### [`v16.2.9`](https://github.com/vercel/next.js/releases/tag/v16.2.9) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.8...v16.2.9) Empty release to ensure `next@latest` points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing. ### [`v16.2.8`](https://github.com/vercel/next.js/releases/tag/v16.2.8) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.7...v16.2.8) Release with no changes in an attempt to fix `next@latest` pointing at a prerelease version. ### [`v16.2.7`](https://github.com/vercel/next.js/releases/tag/v16.2.7) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.6...v16.2.7) > \[!NOTE] > This release is backporting bug fixes. It does **not** include all pending features/changes on canary. ##### Core Changes - Backport documentation fixes for v16.2 ([#&#8203;93804](https://github.com/vercel/next.js/issues/93804)) - \[backport] Patch `playwright-core` to resolve `_finishedPromise` on `requestFailed` ([#&#8203;93920](https://github.com/vercel/next.js/issues/93920)) - \[backport] Fix dev mode hydration failure when page is served from HTTP cache ([#&#8203;93492](https://github.com/vercel/next.js/issues/93492)) - \[backport] Fix catch-all `router.query` corruption with `basePath` + `rewrites` ([#&#8203;93917](https://github.com/vercel/next.js/issues/93917)) - \[backport] Encode non-ASCII characters in cache tags at construction ([#&#8203;93918](https://github.com/vercel/next.js/issues/93918)) - \[backport] Fix server action forwarding loop with middleware rewrites ([#&#8203;93919](https://github.com/vercel/next.js/issues/93919)) - \[backport] Turbopack: switch from base40 to base38 hash encoding ([#&#8203;93932](https://github.com/vercel/next.js/issues/93932)) - \[ci] Disable hanging node 24 typescript tests on 16.2 backport branch ([#&#8203;94164](https://github.com/vercel/next.js/issues/94164)) - \[backport] Fix "type: module" in project dir when using standalone or adapters ([#&#8203;94050](https://github.com/vercel/next.js/issues/94050)) - \[backport] Propagate adapter preferred regions ([#&#8203;94200](https://github.com/vercel/next.js/issues/94200)) - \[16.2.x] Don't drop `FormData` entries ([#&#8203;94240](https://github.com/vercel/next.js/issues/94240)) - \[backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution ([#&#8203;94284](https://github.com/vercel/next.js/issues/94284)) ##### Credits Huge thanks to [@&#8203;eps1lon](https://github.com/eps1lon), [@&#8203;icyJoseph](https://github.com/icyJoseph), [@&#8203;unstubbable](https://github.com/unstubbable), [@&#8203;mischnic](https://github.com/mischnic), [@&#8203;bgw](https://github.com/bgw), [@&#8203;timneutkens](https://github.com/timneutkens), and [@&#8203;lukesandberg](https://github.com/lukesandberg) for helping! ### [`v16.2.6`](https://github.com/vercel/next.js/releases/tag/v16.2.6) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.5...v16.2.6) > \[!NOTE] > This release contains security fixes and backported bug fixes. It does **not** include all pending features/changes on canary. ##### Security Fixes The following advisories have been addressed: **High:** - [GHSA-8h8q-6873-q5fj: Denial of Service with Server Components](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) - [GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) - [GHSA-26hh-7cqf-hhc6: Middleware / Proxy bypass in App Router applications via segment-prefetch routes - **Incomplete Fix Follow-Up**](https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6) - [GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) - [GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) - [GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) - [GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) **Moderate:** - [GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) - [GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) - [GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) - [GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) **Low:** - [GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) - [GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) ##### Core Changes - fix: preserve HTTP access fallbacks during prerender recovery ([#&#8203;92231](https://github.com/vercel/next.js/issues/92231)) - Fix fallback route params case in app-page handler ([#&#8203;91737](https://github.com/vercel/next.js/issues/91737)) - Fix invalid HTML response for route-level RSC requests in deployment adapter ([#&#8203;91541](https://github.com/vercel/next.js/issues/91541)) - Patch setHeader for direct route handlers ([#&#8203;93101](https://github.com/vercel/next.js/issues/93101)) - Include deployment id in `cacheHandlers` keys ([#&#8203;93453](https://github.com/vercel/next.js/issues/93453)) - Fix double-encoding of URL pathname parts in client param parsing ([#&#8203;93491](https://github.com/vercel/next.js/issues/93491)) ### [`v16.2.5`](https://github.com/vercel/next.js/releases/tag/v16.2.5) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.4...v16.2.5) > \[!NOTE] > This release contains security fixes and backported bug fixes. It does **not** include all pending features/changes on canary. ##### Security Fixes The following advisories have been addressed: **High:** - [GHSA-8h8q-6873-q5fj: Denial of Service with Server Components](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) - [GHSA-267c-6grr-h53f: Middleware / Proxy bypass in App Router applications via segment-prefetch routes](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) - [GHSA-mg66-mrh9-m8jx: Denial of Service via connection exhaustion in applications using Cache Components](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) - [GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) - [GHSA-c4j6-fc7j-m34r: Server-side request forgery in applications using WebSocket upgrades](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) - [GHSA-36qx-fr4f-26g5: Middleware / Proxy bypass in Pages Router applications using i18n](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) **Moderate:** - [GHSA-ffhc-5mcf-pf4q: Cross-site scripting in App Router applications using CSP nonces](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) - [GHSA-gx5p-jg67-6x7h: Cross-site scripting in beforeInteractive scripts with untrusted input](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) - [GHSA-h64f-5h5j-jqjh: Denial of Service in the Image Optimization API](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) - [GHSA-wfc6-r584-vfw7: Cache poisoning in React Server Component responses](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) **Low:** - [GHSA-vfv6-92ff-j949: Cache poisoning via collisions in React Server Component cache-busting](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) - [GHSA-3g8h-86w9-wvmq: Middleware / Proxy redirects can be cache-poisoned](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) ##### Core Changes - fix: preserve HTTP access fallbacks during prerender recovery ([#&#8203;92231](https://github.com/vercel/next.js/issues/92231)) - Fix fallback route params case in app-page handler ([#&#8203;91737](https://github.com/vercel/next.js/issues/91737)) - Fix invalid HTML response for route-level RSC requests in deployment adapter ([#&#8203;91541](https://github.com/vercel/next.js/issues/91541)) - Patch setHeader for direct route handlers ([#&#8203;93101](https://github.com/vercel/next.js/issues/93101)) - Include deployment id in `cacheHandlers` keys ([#&#8203;93453](https://github.com/vercel/next.js/issues/93453)) - Fix double-encoding of URL pathname parts in client param parsing ([#&#8203;93491](https://github.com/vercel/next.js/issues/93491)) ### [`v16.2.4`](https://github.com/vercel/next.js/releases/tag/v16.2.4) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.3...v16.2.4) > \[!NOTE] > This release is backporting bug fixes. It does **not** include all pending features/changes on canary. ##### Core Changes - chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) ([#&#8203;92713](https://github.com/vercel/next.js/issues/92713)) - Turbopack: fix filesystem watcher config not applying follow\_symlinks(false) ([#&#8203;92631](https://github.com/vercel/next.js/issues/92631)) - Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) ([#&#8203;92580](https://github.com/vercel/next.js/issues/92580)) - Compiler: Support boolean and number primtives in next.config defines ([#&#8203;92731](https://github.com/vercel/next.js/issues/92731)) - turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation ([#&#8203;92725](https://github.com/vercel/next.js/issues/92725)) - Turbopack: shorter error for ChunkGroupInfo::get\_index\_of ([#&#8203;92814](https://github.com/vercel/next.js/issues/92814)) - Turbopack: shorter error message for ModuleBatchesGraph::get\_entry\_index ([#&#8203;92828](https://github.com/vercel/next.js/issues/92828)) - Adding more system info to the 'initialize project' trace ([#&#8203;92427](https://github.com/vercel/next.js/issues/92427)) ##### Credits Huge thanks to [@&#8203;Badbird5907](https://github.com/Badbird5907), [@&#8203;lukesandberg](https://github.com/lukesandberg), [@&#8203;andrewimm](https://github.com/andrewimm), [@&#8203;sokra](https://github.com/sokra), and [@&#8203;mischnic](https://github.com/mischnic) for helping! ### [`v16.2.3`](https://github.com/vercel/next.js/releases/tag/v16.2.3) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.2...v16.2.3) > \[!NOTE] > This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see <https://vercel.com/changelog/summary-of-cve-2026-23869>. The release does **not** include all pending features/changes on canary. ##### Core Changes - Ensure app-page reports stale ISR revalidation errors via onRequestError ([#&#8203;92282](https://github.com/vercel/next.js/issues/92282)) - Fix \[Bug]: manifest.ts breaks HMR in Next.js 16.2 ([#&#8203;91981](https://github.com/vercel/next.js/issues/91981) through [#&#8203;92273](https://github.com/vercel/next.js/issues/92273)) - Deduplicate output assets and detect content conflicts on emit ([#&#8203;92292](https://github.com/vercel/next.js/issues/92292)) - Fix styled-jsx race condition: styles lost due to concurrent rendering ([#&#8203;92459](https://github.com/vercel/next.js/issues/92459)) - turbo-tasks-backend: stability fixes for task cancellation and error handling ([#&#8203;92254](https://github.com/vercel/next.js/issues/92254)) ##### Credits Huge thanks to [@&#8203;icyJoseph](https://github.com/icyJoseph), [@&#8203;sokra](https://github.com/sokra), [@&#8203;wbinnssmith](https://github.com/wbinnssmith), [@&#8203;eps1lon](https://github.com/eps1lon) and [@&#8203;ztanner](https://github.com/ztanner) for helping! ### [`v16.2.2`](https://github.com/vercel/next.js/releases/tag/v16.2.2) [Compare Source](https://github.com/vercel/next.js/compare/v16.2.1...v16.2.2) > \[!NOTE] > This release is backporting bug fixes. It does **not** include all pending features/changes on canary. ##### Core Changes - backport: Move expanded adapters docs to API reference ([#&#8203;92115](https://github.com/vercel/next.js/issues/92115)) ([#&#8203;92129](https://github.com/vercel/next.js/issues/92129)) - Backport: TypeScript v6 deprecations for baseUrl and moduleResolution ([#&#8203;92130](https://github.com/vercel/next.js/issues/92130)) - \[create-next-app] Skip interactive prompts when CLI flags are provided ([#&#8203;91840](https://github.com/vercel/next.js/issues/91840)) - next.config.js: Accept an option for serverFastRefresh ([#&#8203;91968](https://github.com/vercel/next.js/issues/91968)) - Turbopack: enable server HMR for app route handlers ([#&#8203;91466](https://github.com/vercel/next.js/issues/91466)) - Turbopack: exclude metadata routes from server HMR ([#&#8203;92034](https://github.com/vercel/next.js/issues/92034)) - Fix CI for glibc linux builds - Backport: disable bmi2 in qfilter [#&#8203;92177](https://github.com/vercel/next.js/issues/92177) - \[backport] Fix CSS HMR on Safari ([#&#8203;92174](https://github.com/vercel/next.js/issues/92174)) ##### Credits Huge thanks to [@&#8203;nextjs-bot](https://github.com/nextjs-bot), [@&#8203;icyJoseph](https://github.com/icyJoseph), [@&#8203;ijjk](https://github.com/ijjk), [@&#8203;gaojude](https://github.com/gaojude), [@&#8203;wbinnssmith](https://github.com/wbinnssmith), [@&#8203;lukesandberg](https://github.com/lukesandberg), and [@&#8203;bgw](https://github.com/bgw) for helping! </details> <details> <summary>nodejs/node (node)</summary> ### [`v25.9.0`](https://github.com/nodejs/node/releases/tag/v25.9.0): 2026-04-01, Version 25.9.0 (Current), @&#8203;aduh95 [Compare Source](https://github.com/nodejs/node/compare/v25.8.2...v25.9.0) ##### Notable Changes ##### Test runner module mocking improvements `MockModuleOptions.defaultExport` and `MockModuleOptions.namedExports` have been consolidated into a single option `MockModuleOptions.exports` to align with user expectations and other test runners. A `default` property on `MockModuleOptions.exports` represents the default export, and own enumerable properties are treated as named exports. An automated migration is available to update user code: <https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports> ```bash npx codemod @&#8203;nodejs/mock-module-exports ``` Contributed by sangwook in [#&#8203;61727](https://github.com/nodejs/node/pull/61727). ##### Other notable changes - \[[`312476cb84`](https://github.com/nodejs/node/commit/312476cb84)] - **(SEMVER-MINOR)** **async\_hooks**: add using scopes to `AsyncLocalStorage` (Stephen Belanger) [#&#8203;61674](https://github.com/nodejs/node/pull/61674) - \[[`62d2cd473b`](https://github.com/nodejs/node/commit/62d2cd473b)] - **(SEMVER-MINOR)** **cli**: add `--max-heap-size` option (tannal) [#&#8203;58708](https://github.com/nodejs/node/pull/58708) - \[[`d0ebf0e44b`](https://github.com/nodejs/node/commit/d0ebf0e44b)] - **(SEMVER-MINOR)** **crypto**: add `TurboSHAKE` and `KangarooTwelve` Web Cryptography algorithms (Filip Skokan) [#&#8203;62183](https://github.com/nodejs/node/pull/62183) - \[[`f85b9d9fa8`](https://github.com/nodejs/node/commit/f85b9d9fa8)] - **(SEMVER-MINOR)** **repl**: add customizable error handling (Anna Henningsen) [#&#8203;62188](https://github.com/nodejs/node/pull/62188) - \[[`67b854d407`](https://github.com/nodejs/node/commit/67b854d407)] - **(SEMVER-MINOR)** **repl**: remove dependency on `node:domain` (Matteo Collina) [#&#8203;61227](https://github.com/nodejs/node/pull/61227) - \[[`966b700623`](https://github.com/nodejs/node/commit/966b700623)] - **(SEMVER-MINOR)** **sea**: support code cache for ESM entrypoint in SEA (Joyee Cheung) [#&#8203;62158](https://github.com/nodejs/node/pull/62158) - \[[`e1f0d2a014`](https://github.com/nodejs/node/commit/e1f0d2a014)] - **(SEMVER-MINOR)** **stream**: add stream/iter Implementation (James M Snell) [#&#8203;62066](https://github.com/nodejs/node/pull/62066) ##### Commits - \[[`312476cb84`](https://github.com/nodejs/node/commit/312476cb84)] - **(SEMVER-MINOR)** **async\_hooks**: add using scopes to AsyncLocalStorage (Stephen Belanger) [#&#8203;61674](https://github.com/nodejs/node/pull/61674) - \[[`bfff8cb2ab`](https://github.com/nodejs/node/commit/bfff8cb2ab)] - **(SEMVER-MINOR)** **benchmark**: add benchmarks for experimental stream/iter (James M Snell) [#&#8203;62066](https://github.com/nodejs/node/pull/62066) - \[[`c721d68502`](https://github.com/nodejs/node/commit/c721d68502)] - **benchmark**: fix destructuring in dgram/single-buffer (Ali Hassan) [#&#8203;62084](https://github.com/nodejs/node/pull/62084) - \[[`e2f03c8e92`](https://github.com/nodejs/node/commit/e2f03c8e92)] - **buffer**: improve performance of multiple Buffer operations (Ali Hassan) [#&#8203;61871](https://github.com/nodejs/node/pull/61871) - \[[`2fcd07f1ba`](https://github.com/nodejs/node/commit/2fcd07f1ba)] - **build**: support empty libname flags in `configure.py` (Antoine du Hamel) [#&#8203;62477](https://github.com/nodejs/node/pull/62477) - \[[`b800c57fce`](https://github.com/nodejs/node/commit/b800c57fce)] - **build**: fix timezone-update path references (Chengzhong Wu) [#&#8203;62280](https://github.com/nodejs/node/pull/62280) - \[[`7dc5a1e9b4`](https://github.com/nodejs/node/commit/7dc5a1e9b4)] - **build**: skip dockit on IBMi (SRAVANI GUNDEPALLI) [#&#8203;62189](https://github.com/nodejs/node/pull/62189) - \[[`f0eea0f905`](https://github.com/nodejs/node/commit/f0eea0f905)] - **build**: fix --node-builtin-modules-path (Filip Skokan) [#&#8203;62115](https://github.com/nodejs/node/pull/62115) - \[[`62d2cd473b`](https://github.com/nodejs/node/commit/62d2cd473b)] - **(SEMVER-MINOR)** **cli**: add --max-heap-size option (tannal) [#&#8203;58708](https://github.com/nodejs/node/pull/58708) - \[[`ac4b485698`](https://github.com/nodejs/node/commit/ac4b485698)] - **crypto**: update root certificates to NSS 3.121 (Node.js GitHub Bot) [#&#8203;62485](https://github.com/nodejs/node/pull/62485) - \[[`d0ebf0e44b`](https://github.com/nodejs/node/commit/d0ebf0e44b)] - **(SEMVER-MINOR)** **crypto**: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) [#&#8203;62183](https://github.com/nodejs/node/pull/62183) - \[[`3009980d9d`](https://github.com/nodejs/node/commit/3009980d9d)] - **crypto**: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) [#&#8203;62254](https://github.com/nodejs/node/pull/62254) - \[[`f5725ca81d`](https://github.com/nodejs/node/commit/f5725ca81d)] - **crypto**: reject ML-KEM/ML-DSA [PKCS#8](https://github.com/PKCS/node/issues/8) import without seed in SubtleCrypto (Filip Skokan) [#&#8203;62218](https://github.com/nodejs/node/pull/62218) - \[[`f69ed4bc3f`](https://github.com/nodejs/node/commit/f69ed4bc3f)] - **crypto**: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) [#&#8203;61875](https://github.com/nodejs/node/pull/61875) - \[[`4d96e53570`](https://github.com/nodejs/node/commit/4d96e53570)] - **crypto**: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) [#&#8203;62169](https://github.com/nodejs/node/pull/62169) - \[[`93d77719e8`](https://github.com/nodejs/node/commit/93d77719e8)] - **crypto**: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) [#&#8203;62170](https://github.com/nodejs/node/pull/62170) - \[[`3d2e23a981`](https://github.com/nodejs/node/commit/3d2e23a981)] - **deps**: update ada to 3.4.4 (Node.js GitHub Bot) [#&#8203;62414](https://github.com/nodejs/node/pull/62414) - \[[`176d6d2205`](https://github.com/nodejs/node/commit/176d6d2205)] - **deps**: update timezone to 2026a (Node.js GitHub Bot) [#&#8203;62164](https://github.com/nodejs/node/pull/62164) - \[[`95c7fc67ba`](https://github.com/nodejs/node/commit/95c7fc67ba)] - **deps**: update googletest to [`2461743`](https://github.com/nodejs/node/commit/2461743991f9aa53e9a3625eafcbacd81a3c74cd) (Node.js GitHub Bot) [#&#8203;62484](https://github.com/nodejs/node/pull/62484) - \[[`e5e9f2044a`](https://github.com/nodejs/node/commit/e5e9f2044a)] - **deps**: update simdjson to 4.5.0 (Node.js GitHub Bot) [#&#8203;62382](https://github.com/nodejs/node/pull/62382) - \[[`905b94266a`](https://github.com/nodejs/node/commit/905b94266a)] - **deps**: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) [#&#8203;62051](https://github.com/nodejs/node/pull/62051) - \[[`180c150122`](https://github.com/nodejs/node/commit/180c150122)] - **deps**: V8: cherry-pick [`cf1bce4`](https://github.com/nodejs/node/commit/cf1bce40a5ef) (Richard Lau) [#&#8203;62449](https://github.com/nodejs/node/pull/62449) - \[[`bc265aa003`](https://github.com/nodejs/node/commit/bc265aa003)] - **deps**: upgrade npm to 11.12.1 (npm team) [#&#8203;62448](https://github.com/nodejs/node/pull/62448) - \[[`f1b28612c4`](https://github.com/nodejs/node/commit/f1b28612c4)] - **deps**: V8: cherry-pick [`b25cd62`](https://github.com/nodejs/node/commit/b25cd62c7ba2) (Yagiz Nizipli) [#&#8203;62354](https://github.com/nodejs/node/pull/62354) - \[[`757719d2af`](https://github.com/nodejs/node/commit/757719d2af)] - **deps**: disable rust icu compiled\_data features (Chengzhong Wu) [#&#8203;62284](https://github.com/nodejs/node/pull/62284) - \[[`3bdc955b63`](https://github.com/nodejs/node/commit/3bdc955b63)] - **deps**: update sqlite to 3.51.3 (Node.js GitHub Bot) [#&#8203;62256](https://github.com/nodejs/node/pull/62256) - \[[`a9703d194a`](https://github.com/nodejs/node/commit/a9703d194a)] - **deps**: update googletest to [`73a63ea`](https://github.com/nodejs/node/commit/73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1) (Node.js GitHub Bot) [#&#8203;61927](https://github.com/nodejs/node/pull/61927) - \[[`85138935cb`](https://github.com/nodejs/node/commit/85138935cb)] - **deps**: update merve to 1.2.2 (Node.js GitHub Bot) [#&#8203;62213](https://github.com/nodejs/node/pull/62213) - \[[`231521e75e`](https://github.com/nodejs/node/commit/231521e75e)] - **diagnostics\_channel**: add diagnostics channels for web locks (Ilyas Shabi) [#&#8203;62123](https://github.com/nodejs/node/pull/62123) - \[[`0093863664`](https://github.com/nodejs/node/commit/0093863664)] - **doc**: deprecate `module.register()` (DEP0205) (Geoffrey Booth) [#&#8203;62395](https://github.com/nodejs/node/pull/62395) - \[[`0b96ece6be`](https://github.com/nodejs/node/commit/0b96ece6be)] - **doc**: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) [#&#8203;62456](https://github.com/nodejs/node/pull/62456) - \[[`8d3ea975f5`](https://github.com/nodejs/node/commit/8d3ea975f5)] - **doc**: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) [#&#8203;62492](https://github.com/nodejs/node/pull/62492) - \[[`08ff16e0ba`](https://github.com/nodejs/node/commit/08ff16e0ba)] - **doc**: move sqlite type conversion section to correct level (René) [#&#8203;62482](https://github.com/nodejs/node/pull/62482) - \[[`61cc747dd8`](https://github.com/nodejs/node/commit/61cc747dd8)] - **doc**: add Rafael to last security release steward (Rafael Gonzaga) [#&#8203;62423](https://github.com/nodejs/node/pull/62423) - \[[`64cfa5a6fa`](https://github.com/nodejs/node/commit/64cfa5a6fa)] - **doc**: use npm-published version of doc-kit (Aviv Keller) [#&#8203;62139](https://github.com/nodejs/node/pull/62139) - \[[`1020321fb0`](https://github.com/nodejs/node/commit/1020321fb0)] - **doc**: fix overstated Date header requirement in response.sendDate (Kit Dallege) [#&#8203;62206](https://github.com/nodejs/node/pull/62206) - \[[`9caa7855b2`](https://github.com/nodejs/node/commit/9caa7855b2)] - **doc**: fix guaranteed typo (lilianakatrina684-a11y) [#&#8203;62374](https://github.com/nodejs/node/pull/62374) - \[[`e254f65306`](https://github.com/nodejs/node/commit/e254f65306)] - **doc**: enhance clarification about the main field (Mowafak Almahaini) [#&#8203;62302](https://github.com/nodejs/node/pull/62302) - \[[`9e724b53f8`](https://github.com/nodejs/node/commit/9e724b53f8)] - **doc**: remove spawn with shell example from bat/cmd section (Kit Dallege) [#&#8203;62243](https://github.com/nodejs/node/pull/62243) - \[[`7f37c17516`](https://github.com/nodejs/node/commit/7f37c17516)] - **doc**: minor typo fix (Jeff Matson) [#&#8203;62358](https://github.com/nodejs/node/pull/62358) - \[[`eb0ca98f01`](https://github.com/nodejs/node/commit/eb0ca98f01)] - **doc**: add path to vulnerabilities.json mention (Rafael Gonzaga) [#&#8203;62355](https://github.com/nodejs/node/pull/62355) - \[[`198b6e0932`](https://github.com/nodejs/node/commit/198b6e0932)] - **doc**: deprecate CryptoKey use in node:crypto (Filip Skokan) [#&#8203;62321](https://github.com/nodejs/node/pull/62321) - \[[`17e5aee6c5`](https://github.com/nodejs/node/commit/17e5aee6c5)] - **doc**: fix small environment\_variables typo (chris) [#&#8203;62279](https://github.com/nodejs/node/pull/62279) - \[[`193d629895`](https://github.com/nodejs/node/commit/193d629895)] - **doc**: test and test-only targets do not run linter (Xavier Stouder) [#&#8203;62120](https://github.com/nodejs/node/pull/62120) - \[[`4a1f20ec4a`](https://github.com/nodejs/node/commit/4a1f20ec4a)] - **doc**: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) [#&#8203;62208](https://github.com/nodejs/node/pull/62208) - \[[`f976c9214d`](https://github.com/nodejs/node/commit/f976c9214d)] - **doc**: clarify that any truthy value of `shell` is part of DEP0190 (Antoine du Hamel) [#&#8203;62249](https://github.com/nodejs/node/pull/62249) - \[[`4d83972681`](https://github.com/nodejs/node/commit/4d83972681)] - **doc**: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) [#&#8203;62202](https://github.com/nodejs/node/pull/62202) - \[[`71f2eada5b`](https://github.com/nodejs/node/commit/71f2eada5b)] - **doc**: add throwIfNoEntry version history to fs.stat (kovan) [#&#8203;62204](https://github.com/nodejs/node/pull/62204) - \[[`670c80893b`](https://github.com/nodejs/node/commit/670c80893b)] - **doc**: add note (and caveat) for `mock.module` about customization hooks (Jacob Smith) [#&#8203;62075](https://github.com/nodejs/node/pull/62075) - \[[`2ff5cb13f5`](https://github.com/nodejs/node/commit/2ff5cb13f5)] - **doc,test**: clarify --eval syntax for leading '-' scripts (kovan) [#&#8203;62244](https://github.com/nodejs/node/pull/62244) - \[[`6c6c9004c4`](https://github.com/nodejs/node/commit/6c6c9004c4)] - **esm**: fix typo in worker loader hook comment (jakecastelli) [#&#8203;62475](https://github.com/nodejs/node/pull/62475) - \[[`1cdd23c9f3`](https://github.com/nodejs/node/commit/1cdd23c9f3)] - **esm**: fix source phase identity bug in loadCache eviction (Guy Bedford) [#&#8203;62415](https://github.com/nodejs/node/pull/62415) - \[[`4f4ff15794`](https://github.com/nodejs/node/commit/4f4ff15794)] - **esm**: fix path normalization in `finalizeResolution` (Antoine du Hamel) [#&#8203;62080](https://github.com/nodejs/node/pull/62080) - \[[`088167d102`](https://github.com/nodejs/node/commit/088167d102)] - **events**: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) [#&#8203;62261](https://github.com/nodejs/node/pull/62261) - \[[`0250b436ee`](https://github.com/nodejs/node/commit/0250b436ee)] - **fs**: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) [#&#8203;61950](https://github.com/nodejs/node/pull/61950) - \[[`b67a8fb171`](https://github.com/nodejs/node/commit/b67a8fb171)] - **inspector**: add Target.getTargets and extract TargetManager (Kohei) [#&#8203;62487](https://github.com/nodejs/node/pull/62487) - \[[`ffcc5a5722`](https://github.com/nodejs/node/commit/ffcc5a5722)] - **lib**: make SubtleCrypto.supports enumerable (Filip Skokan) [#&#8203;62307](https://github.com/nodejs/node/pull/62307) - \[[`92ef2ad8fa`](https://github.com/nodejs/node/commit/92ef2ad8fa)] - **lib**: prefer primordials in SubtleCrypto (Filip Skokan) [#&#8203;62226](https://github.com/nodejs/node/pull/62226) - \[[`40a43ac4d0`](https://github.com/nodejs/node/commit/40a43ac4d0)] - **module**: fix coverage of mocked CJS modules imported from ESM (Marco) [#&#8203;62133](https://github.com/nodejs/node/pull/62133) - \[[`3ef0a5b90e`](https://github.com/nodejs/node/commit/3ef0a5b90e)] - **quic**: remove CryptoKey support from session keys option (Filip Skokan) [#&#8203;62335](https://github.com/nodejs/node/pull/62335) - \[[`3c8dd8eb8e`](https://github.com/nodejs/node/commit/3c8dd8eb8e)] - **repl**: use vm DONT\_CONTEXTIFY context (Chengzhong Wu) [#&#8203;62371](https://github.com/nodejs/node/pull/62371) - \[[`f85b9d9fa8`](https://github.com/nodejs/node/commit/f85b9d9fa8)] - **(SEMVER-MINOR)** **repl**: add customizable error handling (Anna Henningsen) [#&#8203;62188](https://github.com/nodejs/node/pull/62188) - \[[`e4c164e045`](https://github.com/nodejs/node/commit/e4c164e045)] - **repl**: handle exceptions from async context after close (Anna Henningsen) [#&#8203;62165](https://github.com/nodejs/node/pull/62165) - \[[`67b854d407`](https://github.com/nodejs/node/commit/67b854d407)] - **(SEMVER-MINOR)** **repl**: remove dependency on domain module (Matteo Collina) [#&#8203;61227](https://github.com/nodejs/node/pull/61227) - \[[`966b700623`](https://github.com/nodejs/node/commit/966b700623)] - **(SEMVER-MINOR)** **sea**: support code cache for ESM entrypoint in SEA (Joyee Cheung) [#&#8203;62158](https://github.com/nodejs/node/pull/62158) - \[[`fe82baf970`](https://github.com/nodejs/node/commit/fe82baf970)] - **src**: improve EC JWK import performance (Filip Skokan) [#&#8203;62396](https://github.com/nodejs/node/pull/62396) - \[[`d490b171e0`](https://github.com/nodejs/node/commit/d490b171e0)] - **src**: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) [#&#8203;62343](https://github.com/nodejs/node/pull/62343) - \[[`0e4af848bc`](https://github.com/nodejs/node/commit/0e4af848bc)] - **src**: convert context\_frame field in AsyncWrap to internal field (Anna Henningsen) [#&#8203;62103](https://github.com/nodejs/node/pull/62103) - \[[`02980b8c8f`](https://github.com/nodejs/node/commit/02980b8c8f)] - **src**: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) [#&#8203;62410](https://github.com/nodejs/node/pull/62410) - \[[`064f7c2fa6`](https://github.com/nodejs/node/commit/064f7c2fa6)] - **src**: use stack allocation in indexOf latin1 path (Mert Can Altin) [#&#8203;62268](https://github.com/nodejs/node/pull/62268) - \[[`ede52bc2dc`](https://github.com/nodejs/node/commit/ede52bc2dc)] - **src,sqlite**: fix filterFunc dangling reference (Edy Silva) [#&#8203;62281](https://github.com/nodejs/node/pull/62281) - \[[`e1f0d2a014`](https://github.com/nodejs/node/commit/e1f0d2a014)] - **(SEMVER-MINOR)** **stream**: add stream/iter Implementation (James M Snell) [#&#8203;62066](https://github.com/nodejs/node/pull/62066) - \[[`03839fb087`](https://github.com/nodejs/node/commit/03839fb087)] - **stream**: preserve error over AbortError in pipeline (Marco) [#&#8203;62113](https://github.com/nodejs/node/pull/62113) - \[[`0000d2f011`](https://github.com/nodejs/node/commit/0000d2f011)] - **stream**: replace bind with arrow function for onwrite callback (Ali Hassan) [#&#8203;62087](https://github.com/nodejs/node/pull/62087) - \[[`3796a73719`](https://github.com/nodejs/node/commit/3796a73719)] - **test**: update WPT for WebCryptoAPI to [`2cb332d`](https://github.com/nodejs/node/commit/2cb332d710) (Node.js GitHub Bot) [#&#8203;62483](https://github.com/nodejs/node/pull/62483) - \[[`ad8309415b`](https://github.com/nodejs/node/commit/ad8309415b)] - **test**: update WPT for url to [`fc3e651`](https://github.com/nodejs/node/commit/fc3e651593) (Node.js GitHub Bot) [#&#8203;62379](https://github.com/nodejs/node/pull/62379) - \[[`bed89b037e`](https://github.com/nodejs/node/commit/bed89b037e)] - **test**: wait for reattach before initial break on restart (Yuya Inoue) [#&#8203;62471](https://github.com/nodejs/node/pull/62471) - \[[`c9ffffcc55`](https://github.com/nodejs/node/commit/c9ffffcc55)] - **test**: disable flaky WPT Blob test on AIX (James M Snell) [#&#8203;62470](https://github.com/nodejs/node/pull/62470) - \[[`fd41ef31f6`](https://github.com/nodejs/node/commit/fd41ef31f6)] - **(SEMVER-MINOR)** **test**: add tests for experimental stream/iter implementation (James M Snell) [#&#8203;62066](https://github.com/nodejs/node/pull/62066) - \[[`1b9d8d3eec`](https://github.com/nodejs/node/commit/1b9d8d3eec)] - **test**: avoid flaky run wait in debugger restart test (Yuya Inoue) [#&#8203;62112](https://github.com/nodejs/node/pull/62112) - \[[`cb08a29d51`](https://github.com/nodejs/node/commit/cb08a29d51)] - **test**: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) [#&#8203;62238](https://github.com/nodejs/node/pull/62238) - \[[`abea0af8a9`](https://github.com/nodejs/node/commit/abea0af8a9)] - **test**: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) [#&#8203;62226](https://github.com/nodejs/node/pull/62226) - \[[`47a2132269`](https://github.com/nodejs/node/commit/47a2132269)] - **test**: update WPT for WebCryptoAPI to [`6a1c545`](https://github.com/nodejs/node/commit/6a1c545d77) (Node.js GitHub Bot) [#&#8203;62187](https://github.com/nodejs/node/pull/62187) - \[[`2c63d3006c`](https://github.com/nodejs/node/commit/2c63d3006c)] - **test\_runner**: add exports option for module mocks (sangwook) [#&#8203;61727](https://github.com/nodejs/node/pull/61727) - \[[`44ac0e1302`](https://github.com/nodejs/node/commit/44ac0e1302)] - **test\_runner**: make it compatible with fake timers (Matteo Collina) [#&#8203;59272](https://github.com/nodejs/node/pull/59272) - \[[`1865691275`](https://github.com/nodejs/node/commit/1865691275)] - **test\_runner**: set non-zero exit code when suite errors occur (Edy Silva) [#&#8203;62282](https://github.com/nodejs/node/pull/62282) - \[[`0252b2bab8`](https://github.com/nodejs/node/commit/0252b2bab8)] - **tools**: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot\[bot]) [#&#8203;62439](https://github.com/nodejs/node/pull/62439) - \[[`3368155267`](https://github.com/nodejs/node/commit/3368155267)] - **tools**: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot\[bot]) [#&#8203;62437](https://github.com/nodejs/node/pull/62437) - \[[`5e47c359f5`](https://github.com/nodejs/node/commit/5e47c359f5)] - **tools**: adopt the `--check-for-duplicates` NCU flag (Antoine du Hamel) [#&#8203;62478](https://github.com/nodejs/node/pull/62478) - \[[`4a604e82d0`](https://github.com/nodejs/node/commit/4a604e82d0)] - **tools**: bump picomatch in /tools/doc (dependabot\[bot]) [#&#8203;62438](https://github.com/nodejs/node/pull/62438) - \[[`d1a98b4ddb`](https://github.com/nodejs/node/commit/d1a98b4ddb)] - **tools**: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot\[bot]) [#&#8203;62375](https://github.com/nodejs/node/pull/62375) - \[[`c32daa1ab4`](https://github.com/nodejs/node/commit/c32daa1ab4)] - **tools**: bump eslint deps (Huáng Jùnliàng) [#&#8203;62356](https://github.com/nodejs/node/pull/62356) - \[[`7a2fcc6d41`](https://github.com/nodejs/node/commit/7a2fcc6d41)] - **tools**: do not swallow error in `lint-nix` workflow (Antoine du Hamel) [#&#8203;62292](https://github.com/nodejs/node/pull/62292) - \[[`c41a2871b5`](https://github.com/nodejs/node/commit/c41a2871b5)] - **tools**: add eslint-plugin-regexp (Huáng Jùnliàng) [#&#8203;62093](https://github.com/nodejs/node/pull/62093) - \[[`56dfeb06df`](https://github.com/nodejs/node/commit/56dfeb06df)] - **tools**: fix timeout errors in `lint-nix` job (Antoine du Hamel) [#&#8203;62265](https://github.com/nodejs/node/pull/62265) - \[[`22fc8078e8`](https://github.com/nodejs/node/commit/22fc8078e8)] - **tools**: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot\[bot]) [#&#8203;62255](https://github.com/nodejs/node/pull/62255) - \[[`409b0663bd`](https://github.com/nodejs/node/commit/409b0663bd)] - **tools**: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot\[bot]) [#&#8203;62250](https://github.com/nodejs/node/pull/62250) - \[[`67c69750f4`](https://github.com/nodejs/node/commit/67c69750f4)] - **tools**: validate all commits that are pushed to `main` (Antoine du Hamel) [#&#8203;62246](https://github.com/nodejs/node/pull/62246) - \[[`7d9db8cd21`](https://github.com/nodejs/node/commit/7d9db8cd21)] - **tools**: keep GN files when updating Merve (Antoine du Hamel) [#&#8203;62167](https://github.com/nodejs/node/pull/62167) - \[[`6c8fa42ba2`](https://github.com/nodejs/node/commit/6c8fa42ba2)] - **typings**: rationalise TypedArray types (René) [#&#8203;62174](https://github.com/nodejs/node/pull/62174) - \[[`531c64d04e`](https://github.com/nodejs/node/commit/531c64d04e)] - **url**: enable simdutf for ada (Yagiz Nizipli) [#&#8203;61477](https://github.com/nodejs/node/pull/61477) - \[[`2000caccde`](https://github.com/nodejs/node/commit/2000caccde)] - **util**: allow color aliases in styleText (sangwook) [#&#8203;62180](https://github.com/nodejs/node/pull/62180) - \[[`0aed332ab4`](https://github.com/nodejs/node/commit/0aed332ab4)] - **wasm**: support js string constant esm import (Guy Bedford) [#&#8203;62198](https://github.com/nodejs/node/pull/62198) - \[[`d3fd4a978b`](https://github.com/nodejs/node/commit/d3fd4a978b)] - **worker**: heap profile optimizations (Ilyas Shabi) [#&#8203;62201](https://github.com/nodejs/node/pull/62201) - \[[`e992a34a18`](https://github.com/nodejs/node/commit/e992a34a18)] - **zlib**: fix use-after-free when reset() is called during write (Matteo Collina) [#&#8203;62325](https://github.com/nodejs/node/pull/62325) </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v10.34.3`](https://github.com/pnpm/pnpm/releases/tag/v10.34.3): pnpm 10.34.3 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.34.2...v10.34.3) ##### ⚠️ Security fix — environment variables in a project `.npmrc` (action may be required) Following [GHSA-3qhv-2rgh-x77r](https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r), pnpm no longer expands `${ENV_VAR}` placeholders that come from a **repository-controlled** config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to: - the project/workspace `.npmrc` — `registry`, `@scope:registry`, proxy URLs, URL-scoped keys (`//host/…`), and credential values (`_authToken`, `_auth`, `_password`, `username`, `tokenHelper`, `cert`, `key`); - registry URLs in `pnpm-workspace.yaml`. This release also closes a bypass where a project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to make pnpm load a repo-supplied file as *trusted* config (via `@pnpm/npm-conf@3.0.3`). Environment variables are **still** expanded in trusted config: your user-level `~/.npmrc`, the global config, CLI options, and environment config. **If your authentication broke after upgrading**, move the token out of the committed `.npmrc`: ```sh # Writes to your user/global config, not the repository: pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN" ``` Or keep the `${NPM_TOKEN}` line but put it in your user-level `~/.npmrc` instead of the repo. In **GitHub Actions**, `actions/setup-node` with `registry-url` already writes a user-level `.npmrc`, so `NODE_AUTH_TOKEN` keeps working. For other CI where editing each pipeline is hard, set `NPM_CONFIG_USERCONFIG=.npmrc` in the CI environment to declare the project `.npmrc` trusted. See <https://pnpm.io/npmrc> for full migration details. #### Patch Changes - Improved the warning printed when a project `.npmrc` uses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by running `pnpm config set "<key>" <value>` to store it in the global config, or by keeping the `${...}` line in the user-level `~/.npmrc` — with a link to <https://pnpm.io/npmrc>. - A repository-controlled project or workspace `.npmrc` can no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could set `userconfig`, `globalconfig`, or `prefix` to point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to set `tokenHelper`. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace `.npmrc` files are read. Fixed by upgrading `@pnpm/npm-conf` to `3.0.3`. <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v10.34.2`](https://github.com/pnpm/pnpm/releases/tag/v10.34.2): pnpm 10.34.2 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.34.1...v10.34.2) ##### ⚠️ Security fix — environment variables in a project `.npmrc` (action may be required) Following [GHSA-3qhv-2rgh-x77r](https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r), pnpm no longer expands `${ENV_VAR}` placeholders that come from a **repository-controlled** config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to: - the project/workspace `.npmrc` — `registry`, `@scope:registry`, proxy URLs, URL-scoped keys (`//host/…`), and credential values (`_authToken`, `_auth`, `_password`, `username`, `tokenHelper`, `cert`, `key`); - registry URLs in `pnpm-workspace.yaml`. This release also closes a bypass where a project `.npmrc` could set `userconfig`, `globalconfig`, or `prefix` to make pnpm load a repo-supplied file as *trusted* config (via `@pnpm/npm-conf@3.0.3`). Environment variables are **still** expanded in trusted config: your user-level `~/.npmrc`, the global config, CLI options, and environment config. **If your authentication broke after upgrading**, move the token out of the committed `.npmrc`: ```sh # Writes to your user/global config, not the repository: pnpm config set "//registry.npmjs.org/:_authToken" "$NPM_TOKEN" ``` Or keep the `${NPM_TOKEN}` line but put it in your user-level `~/.npmrc` instead of the repo. In **GitHub Actions**, `actions/setup-node` with `registry-url` already writes a user-level `.npmrc`, so `NODE_AUTH_TOKEN` keeps working. For other CI where editing each pipeline is hard, set `NPM_CONFIG_USERCONFIG=.npmrc` in the CI environment to declare the project `.npmrc` trusted. See <https://pnpm.io/npmrc> for full migration details. #### Patch Changes - Package-manager bootstrap traffic is now resolved through trusted registries and trusted network config. When pnpm downloads the pnpm version requested by a repository's `packageManager` field, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global `.npmrc` — defaulting to the public npm registry, instead of the repository's project/workspace settings. - pnpm now verifies the npm registry signature of a package-manager binary before spawning it. When the `packageManager` field (or `pnpm self-update`) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exact `name@version`, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip. - Environment variable expansion is now trust-aware for registry/auth config and request destinations. Repository-controlled config files (the project and workspace `.npmrc` and `pnpm-workspace.yaml`) can no longer expand `${...}` placeholders in registry/proxy request destinations, URL-scoped keys, or registry credential values, preventing repository-controlled configuration from exfiltrating environment secrets through request URLs. Trusted user/global/CLI/env config keeps full env expansion, so existing token and registry setup flows continue to work. - Reject reserved manifest `bin` names (`""`, `"."`, `".."`, and scoped forms such as `@scope/..`) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted. - Require trusted package identity before package-name `onlyBuiltDependencies` (and `allowBuilds`) entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the key. Lockfile entries are now rejected when a registry-style dependency path (`name@semver`) is backed by a git, directory, or git-hosted tarball resolution (`ERR_PNPM_RESOLUTION_SHAPE_MISMATCH`), so the dependency path is a reliable artifact identity by the time scripts can run. - pnpm now verifies the detached OpenPGP signature of a Node.js release's `SHASUMS256.txt` against the Node.js release team's public keys (embedded in the pnpm CLI) before trusting its hashes. The Node.js download mirror is repository-configurable (`node-mirror:<channel>` in `.npmrc`), and the integrity check previously trusted a `SHASUMS256.txt` fetched from that same mirror — a circular check that a malicious mirror could satisfy with a tampered binary and matching hashes. A mirror that proxies the real signed SHASUMS keeps working unchanged. Only the `release` channel publishes signed SHASUMS files, so pre-release channels (rc, nightly, …) remain unverified. <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v10.34.1`](https://github.com/pnpm/pnpm/releases/tag/v10.34.1): pnpm 10.34.1 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.34.0...v10.34.1) #### Patch Changes - Reject `pnpm-lock.yaml` entries whose remote tarball `resolution:` block is missing the `integrity` field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips `integrity:`) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under `--frozen-lockfile`. pnpm now fails closed at lockfile-read time with `ERR_PNPM_MISSING_TARBALL_INTEGRITY`. Git-hosted tarballs (`gitHosted: true` or a URL on codeload.github.com / bitbucket.org / gitlab.com) and `file:` tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes. <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v10.34.0`](https://github.com/pnpm/pnpm/releases/tag/v10.34.0): pnpm 10.34 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.33.4...v10.34.0) #### Minor Changes - Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, `pnpm install` (non-frozen) would log `ERR_PNPM_TARBALL_INTEGRITY`, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile. `pnpm install` now exits with `ERR_PNPM_TARBALL_INTEGRITY` and a hint pointing at the new opt-in flag. The only opt-in is **`pnpm install --update-checksums`** — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable. `--force` and `pnpm update` deliberately do **not** bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. `--frozen-lockfile` behavior is unchanged. `--fix-lockfile` keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass. #### Patch Changes - Pin unscoped per-registry settings (`_authToken`, `_auth`, `username`/`_password`, `tokenHelper`, inline `cert`/`key`) to the registry declared in the same config source at load time, so a later layer overriding `registry=` (workspace `.npmrc`, `pnpm-workspace.yaml`, CLI `--registry`) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU. - Fixed `minimumReleaseAge` handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version `time` field) by default, which made the maturity check throw `ERR_PNPM_MISSING_TIME` whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when `minimumReleaseAge` is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets `ERR_PNPM_MISSING_TIME` from the cache fast-path fall through to the network fetch even under strict mode. - Reject git resolutions whose `commit` field is not a 40-character hexadecimal SHA before invoking `git`. A malicious lockfile could otherwise smuggle a value such as `--upload-pack=<command>` through `git fetch` / `git checkout`, which on SSH or local-file transports executes the supplied command. - Reject patch files whose `diff --git` headers reference paths outside the patched package directory. Previously a malicious `.patch` file added via a pull request could write, delete, or rename arbitrary files reachable by the user running `pnpm install`. - Fixed `--prefix=<dir>` not being honored when locating the workspace root. The `--prefix → dir` rename was applied after workspace detection, so workspace settings declared in `<dir>/pnpm-workspace.yaml` were not loaded when pnpm was invoked from outside `<dir>` [#&#8203;11535](https://github.com/pnpm/pnpm/issues/11535). - Reject dependency aliases that contain path-traversal segments (such as `@x/../../../../../.git/hooks`) when reading them from a package manifest or symlinking them into `node_modules`. A malicious registry package could otherwise use a transitive dependency key to make `pnpm install` create symlinks at attacker-chosen paths outside the intended `node_modules` directory. <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v10.33.4`](https://github.com/pnpm/pnpm/releases/tag/v10.33.4): pnpm 10.33.4 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.33.3...v10.33.4) #### Patch Changes - Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. - Fix a regression where `pnpm --recursive --filter '!<pkg>' run/exec/test/add` would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative `--filter` arguments are provided, matching the [documented behavior](https://pnpm.io/cli/recursive). To include the root, pass `--include-workspace-root` [#&#8203;11341](https://github.com/pnpm/pnpm/issues/11341). <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v10.33.3`](https://github.com/pnpm/pnpm/releases/tag/v10.33.3): pnpm 10.33.3 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.33.2...v10.33.3) #### Patch Changes - When self-updating from v10's `@pnpm/exe` to v11+ on Intel macOS (darwin-x64), `pnpm self-update` now transparently switches to the JS-only `pnpm` package on npm instead of installing `@pnpm/exe@v11+` (which doesn't ship a working binary for Intel Macs because of an upstream Node.js SEA bug — see [#&#8203;11423](https://github.com/pnpm/pnpm/issues/11423) and [nodejs/node#62893](https://github.com/nodejs/node/issues/62893)). Without this, the self-update would silently leave the user with no working `pnpm` binary. The new install requires Node.js to be available on `PATH`; a warning is printed when the swap happens. All other host/version combinations are unchanged. - `pnpm self-update` (with no version argument) no longer downgrades pnpm when the registry's `latest` dist-tag points to an older release than the currently active version. Run `pnpm self-update latest` to force a downgrade [#&#8203;11418](https://github.com/pnpm/pnpm/issues/11418). <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v10.33.2`](https://github.com/pnpm/pnpm/releases/tag/v10.33.2): pnpm 10.33.2 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.33.1...v10.33.2) #### Patch Changes - Globally-installed bins no longer fail with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND` when pnpm was installed via the standalone `@pnpm/exe` binary (e.g. `curl -fsSL https://get.pnpm.io/install.sh | sh -`) on a system without a separate Node.js installation. Previously, when `which('node')` failed during `pnpm add --global`, pnpm fell back to `process.execPath`, which in `@pnpm/exe` is the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node [#&#8203;11291](https://github.com/pnpm/pnpm/issues/11291), [#&#8203;4645](https://github.com/pnpm/pnpm/issues/4645). - Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g. `npm install -g pnpm@A`) and run inside a project whose `package.json` selected a different pnpm version via the `packageManager` field (e.g. `pnpm@B`), while a `pnpm-workspace.yaml` also existed at the project root. The child's environment is now forced to `manage-package-manager-versions=false` (v10) and `pm-on-fail=ignore` (v11+), which disables the package-manager-version handling in whichever pnpm runs as the child. Fixes [#&#8203;11337](https://github.com/pnpm/pnpm/issues/11337). <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> ### [`v10.33.1`](https://github.com/pnpm/pnpm/releases/tag/v10.33.1): pnpm 10.33.1 [Compare Source](https://github.com/pnpm/pnpm/compare/v10.33.0...v10.33.1) #### Patch Changes - When a project's `packageManager` field selects pnpm v11 or newer, commands that v10 would have passed through to npm (`version`, `login`, `logout`, `publish`, `unpublish`, `deprecate`, `dist-tag`, `docs`, `ping`, `search`, `star`, `stars`, `unstar`, `whoami`, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, `pnpm version --help` print npm's help on a project with `packageManager: pnpm@11.0.0-rc.3` [#&#8203;11328](https://github.com/pnpm/pnpm/issues/11328). <!-- sponsors --> #### Platinum Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://bit.cloud/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/bit.svg" width="80" alt="Bit"></a> </td> </tr> </tbody> </table> #### Gold Sponsors <table> <tbody> <tr> <td align="center" valign="middle"> <a href="https://sanity.io/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/sanity.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/sanity_light.svg" /> <img src="https://pnpm.io/img/users/sanity.svg" width="120" alt="Sanity" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://discord.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/discord.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/discord_light.svg" /> <img src="https://pnpm.io/img/users/discord.svg" width="220" alt="Discord" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://vite.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"><img src="https://pnpm.io/img/users/vitejs.svg" width="42" alt="Vite"></a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://serpapi.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/serpapi_dark.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/serpapi_light.svg" /> <img src="https://pnpm.io/img/users/serpapi_dark.svg" width="160" alt="SerpApi" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://coderabbit.ai/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/coderabbit.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/coderabbit_light.svg" /> <img src="https://pnpm.io/img/users/coderabbit.svg" width="220" alt="CodeRabbit" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://stackblitz.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/stackblitz.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/stackblitz_light.svg" /> <img src="https://pnpm.io/img/users/stackblitz.svg" width="190" alt="Stackblitz" /> </picture> </a> </td> </tr> <tr> <td align="center" valign="middle"> <a href="https://workleap.com/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/workleap.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/workleap_light.svg" /> <img src="https://pnpm.io/img/users/workleap.svg" width="190" alt="Workleap" /> </picture> </a> </td> <td align="center" valign="middle"> <a href="https://nx.dev/?utm_source=pnpm&utm_medium=release_notes" target="_blank"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://pnpm.io/img/users/nx.svg" /> <source media="(prefers-color-scheme: dark)" srcset="https://pnpm.io/img/users/nx_light.svg" /> <img src="https://pnpm.io/img/users/nx.svg" width="50" alt="Nx" /> </picture> </a> </td> </tr> </tbody> </table> <!-- sponsors end --> </details> <details> <summary>postcss/postcss (postcss)</summary> ### [`v8.5.15`](https://github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8515) [Compare Source](https://github.com/postcss/postcss/compare/8.5.14...8.5.15) - Fixed declaration parsing performance (by [@&#8203;homanp](https://github.com/homanp)). ### [`v8.5.14`](https://github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8514) [Compare Source](https://github.com/postcss/postcss/compare/8.5.13...8.5.14) - Fixed custom syntax regression (by [@&#8203;43081j](https://github.com/43081j)). ### [`v8.5.13`](https://github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8513) [Compare Source](https://github.com/postcss/postcss/compare/8.5.12...8.5.13) - Fixed `postcss-scss` commend regression. ### [`v8.5.12`](https://github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8512) [Compare Source](https://github.com/postcss/postcss/compare/8.5.11...8.5.12) - Fixed reading any file via user-generated CSS. - Added `opts.unsafeMap` to disable checks. ### [`v8.5.11`](https://github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8511) [Compare Source](https://github.com/postcss/postcss/compare/8.5.10...8.5.11) - Fixed nested brackets parsing performance (by [@&#8203;offset](https://github.com/offset)). ### [`v8.5.10`](https://github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8510) [Compare Source](https://github.com/postcss/postcss/compare/8.5.9...8.5.10) - Fixed XSS via unescaped `</style>` in non-bundler cases (by [@&#8203;TharVid](https://github.com/TharVid)). ### [`v8.5.9`](https://github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#859) [Compare Source](https://github.com/postcss/postcss/compare/8.5.8...8.5.9) - Speed up source map encoding paring in case of the error. </details> <details> <summary>facebook/react (react)</summary> ### [`v19.2.7`](https://github.com/react/react/releases/tag/v19.2.7): 19.2.7 (June 1st, 2026) [Compare Source](https://github.com/facebook/react/compare/v19.2.6...v19.2.7) ##### React Server Components - Fixed missing `FormData` entries in Server Actions which regressed in 19.2.6 ([#&#8203;36566](https://github.com/facebook/react/pull/36566) by [@&#8203;unstubbable](https://github.com/unstubbable)) ### [`v19.2.6`](https://github.com/react/react/releases/tag/v19.2.6): 19.2.6 (May 6th, 2026) [Compare Source](https://github.com/facebook/react/compare/v19.2.5...v19.2.6) ##### React Server Components - Type hardening and performance improvements ([#&#8203;36425](https://github.com/facebook/react/pull/36425) by [@&#8203;eps1lon](https://github.com/eps1lon) and [@&#8203;unstubbable](https://github.com/unstubbable)) ### [`v19.2.5`](https://github.com/react/react/releases/tag/v19.2.5): 19.2.5 (April 8th, 2026) [Compare Source](https://github.com/facebook/react/compare/v19.2.4...v19.2.5) ##### React Server Components - Add more cycle protections ([#&#8203;36236](https://github.com/facebook/react/pull/36236) by [@&#8203;eps1lon](https://github.com/eps1lon) and [@&#8203;unstubbable](https://github.com/unstubbable)) </details> <details> <summary>vitest-dev/vitest (vitest)</summary> ### [`v4.1.8`](https://github.com/vitest-dev/vitest/releases/tag/v4.1.8) [Compare Source](https://github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8) #####    🐞 Bug Fixes - **browser**: - Disable client `cdp` API when `allowWrite/allowExec: false` \[backport to v4]  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Codex** in [#&#8203;10450](https://github.com/vitest-dev/vitest/issues/10450) [<samp>(e4067)</samp>](https://github.com/vitest-dev/vitest/commit/e4067b3b1) - Remove orphaned Playwright route when same module is mocked via multiple ids \[backport to v4]  -  by [@&#8203;toxik](https://github.com/toxik) and [@&#8203;Zelys-DFKH](https://github.com/Zelys-DFKH) in [#&#8203;10474](https://github.com/vitest-dev/vitest/issues/10474) [<samp>(675b4)</samp>](https://github.com/vitest-dev/vitest/commit/675b4343f) #####     [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.7...v4.1.8) ### [`v4.1.7`](https://github.com/vitest-dev/vitest/releases/tag/v4.1.7) [Compare Source](https://github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) #####    🐞 Bug Fixes - **runner**: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10384](https://github.com/vitest-dev/vitest/issues/10384) [<samp>(4f0f2)</samp>](https://github.com/vitest-dev/vitest/commit/4f0f2a1ee) #####     [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.6...v4.1.7) ### [`v4.1.6`](https://github.com/vitest-dev/vitest/releases/tag/v4.1.6) [Compare Source](https://github.com/vitest-dev/vitest/compare/v4.1.5...v4.1.6) #####    🐞 Bug Fixes - **browser**: Provide project reference in `ToMatchScreenshotResolvePath`  -  by [@&#8203;macarie](https://github.com/macarie) and [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10138](https://github.com/vitest-dev/vitest/issues/10138) [<samp>(31882)</samp>](https://github.com/vitest-dev/vitest/commit/31882607c) - Global `sequence.concurrent: true` with top-level `test(..., { concurrent: false })` + depreacte `sequential` test API and options  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa), **Codex** and [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10196](https://github.com/vitest-dev/vitest/issues/10196) [<samp>(2847d)</samp>](https://github.com/vitest-dev/vitest/commit/2847dfa2a) - **browser**: Simplify orchestrator otel carrier  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10285](https://github.com/vitest-dev/vitest/issues/10285) [<samp>(18af9)</samp>](https://github.com/vitest-dev/vitest/commit/18af98cee) #####    🏎 Performance - Stringify diff objects only once  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10276](https://github.com/vitest-dev/vitest/issues/10276) [<samp>(9f7b1)</samp>](https://github.com/vitest-dev/vitest/commit/9f7b1528c) #####     [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.5...v4.1.6) ### [`v4.1.5`](https://github.com/vitest-dev/vitest/releases/tag/v4.1.5) [Compare Source](https://github.com/vitest-dev/vitest/compare/v4.1.4...v4.1.5) #####    🚀 Experimental Features - **coverage**: Istanbul to support `instrumenter` option  -  by [@&#8203;BartWaardenburg](https://github.com/BartWaardenburg) and [@&#8203;AriPerkkio](https://github.com/AriPerkkio) in [#&#8203;10119](https://github.com/vitest-dev/vitest/issues/10119) [<samp>(0e0ff)</samp>](https://github.com/vitest-dev/vitest/commit/0e0ff41c7) #####    🐞 Bug Fixes - \--project negation excludes browser instances  -  by [@&#8203;felamaslen](https://github.com/felamaslen) in [#&#8203;10131](https://github.com/vitest-dev/vitest/issues/10131) [<samp>(9423d)</samp>](https://github.com/vitest-dev/vitest/commit/9423dc084) - Project color label on html reporter  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10142](https://github.com/vitest-dev/vitest/issues/10142) [<samp>(596f7)</samp>](https://github.com/vitest-dev/vitest/commit/596f73986) - Fix `vi.defineHelper` called as object method  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10163](https://github.com/vitest-dev/vitest/issues/10163) [<samp>(122c2)</samp>](https://github.com/vitest-dev/vitest/commit/122c25b5b) - Alias `agent` reporter to `minimal`  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10157](https://github.com/vitest-dev/vitest/issues/10157) [<samp>(663b9)</samp>](https://github.com/vitest-dev/vitest/commit/663b99fe3) - Respect diff config options in soft assertions  -  by [@&#8203;Copilot](https://github.com/Copilot), **sheremet-va** and [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;8696](https://github.com/vitest-dev/vitest/issues/8696) [<samp>(9787d)</samp>](https://github.com/vitest-dev/vitest/commit/9787dedad) - Respect diff config options in soft assertions "  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;8696](https://github.com/vitest-dev/vitest/issues/8696) [<samp>(7dc6d)</samp>](https://github.com/vitest-dev/vitest/commit/7dc6d54fd) - **ast-collect**: Recognize \_*vi\_import* prefix in static test discovery  -  by [@&#8203;Yejneshwar](https://github.com/Yejneshwar) in [#&#8203;10129](https://github.com/vitest-dev/vitest/issues/10129) [<samp>(32546)</samp>](https://github.com/vitest-dev/vitest/commit/325463ab2) - **coverage**: Descriptive error message when reports directory is removed during test run  -  by [@&#8203;DaveT1991](https://github.com/DaveT1991) and [@&#8203;AriPerkkio](https://github.com/AriPerkkio) in [#&#8203;10117](https://github.com/vitest-dev/vitest/issues/10117) [<samp>(14133)</samp>](https://github.com/vitest-dev/vitest/commit/1413382e1) - **snapshot**: Increase default snapshot max output length  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Codex** in [#&#8203;10150](https://github.com/vitest-dev/vitest/issues/10150) [<samp>(21e66)</samp>](https://github.com/vitest-dev/vitest/commit/21e66ff63) - **ui**: Fix jsx/tsx syntax highlight  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10152](https://github.com/vitest-dev/vitest/issues/10152) [<samp>(f1b1f)</samp>](https://github.com/vitest-dev/vitest/commit/f1b1f6c7b) - **web-worker**: Support MessagePort objects referenced inside postMessage data  -  by [@&#8203;whitphx](https://github.com/whitphx) and **Claude Opus 4.6 (1M context)** in [#&#8203;9927](https://github.com/vitest-dev/vitest/issues/9927) and [#&#8203;10124](https://github.com/vitest-dev/vitest/issues/10124) [<samp>(7ad7d)</samp>](https://github.com/vitest-dev/vitest/commit/7ad7d39af) - **api**: Make test-specification options writable  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10154](https://github.com/vitest-dev/vitest/issues/10154) [<samp>(6abd5)</samp>](https://github.com/vitest-dev/vitest/commit/6abd557b7) #####     [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.4...v4.1.5) ### [`v4.1.4`](https://github.com/vitest-dev/vitest/releases/tag/v4.1.4) [Compare Source](https://github.com/vitest-dev/vitest/compare/v4.1.3...v4.1.4) #####    🚀 Experimental Features - **coverage**: - Default to text reporter `skipFull` if agent detected  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10018](https://github.com/vitest-dev/vitest/issues/10018) [<samp>(53757)</samp>](https://github.com/vitest-dev/vitest/commit/53757804c) - **experimental**: - Expose `assertion` as a public field  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10095](https://github.com/vitest-dev/vitest/issues/10095) [<samp>(a120e)</samp>](https://github.com/vitest-dev/vitest/commit/a120e3ab8) - Support aria snapshot  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa), **Claude Opus 4.6 (1M context)**, [@&#8203;AriPerkkio](https://github.com/AriPerkkio), **Codex** and [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;9668](https://github.com/vitest-dev/vitest/issues/9668) [<samp>(d4fbb)</samp>](https://github.com/vitest-dev/vitest/commit/d4fbb5cc9) - **reporter**: - Add filterMeta option to json reporter  -  by [@&#8203;nami8824](https://github.com/nami8824) and [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10078](https://github.com/vitest-dev/vitest/issues/10078) [<samp>(b77de)</samp>](https://github.com/vitest-dev/vitest/commit/b77de968e) #####    🐞 Bug Fixes - Use "black" foreground for labeled terminal message to ensure contrast  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10076](https://github.com/vitest-dev/vitest/issues/10076) [<samp>(203f0)</samp>](https://github.com/vitest-dev/vitest/commit/203f07af7) - Make `expect(..., message)` consistent as error message prefix  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Codex** in [#&#8203;10068](https://github.com/vitest-dev/vitest/issues/10068) [<samp>(a1b5f)</samp>](https://github.com/vitest-dev/vitest/commit/a1b5f0f4f) - Do not hoist imports whose names match class properties .  -  by [@&#8203;SunsetFi](https://github.com/SunsetFi) in [#&#8203;10093](https://github.com/vitest-dev/vitest/issues/10093) and [#&#8203;10094](https://github.com/vitest-dev/vitest/issues/10094) [<samp>(0fc4b)</samp>](https://github.com/vitest-dev/vitest/commit/0fc4b47e0) - **browser**: Spread user server options into browser Vite server in project  -  by [@&#8203;GoldStrikeArch](https://github.com/GoldStrikeArch) in [#&#8203;10049](https://github.com/vitest-dev/vitest/issues/10049) [<samp>(65c9d)</samp>](https://github.com/vitest-dev/vitest/commit/65c9d55eb) #####     [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.3...v4.1.4) ### [`v4.1.3`](https://github.com/vitest-dev/vitest/releases/tag/v4.1.3) [Compare Source](https://github.com/vitest-dev/vitest/compare/v4.1.2...v4.1.3) #####    🚀 Experimental Features - Add `experimental.preParse` flag  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10070](https://github.com/vitest-dev/vitest/issues/10070) [<samp>(78273)</samp>](https://github.com/vitest-dev/vitest/commit/7827363bd) - Support `browser.locators.exact` option  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10013](https://github.com/vitest-dev/vitest/issues/10013) [<samp>(48799)</samp>](https://github.com/vitest-dev/vitest/commit/487990a19) - Add `TestAttachment.bodyEncoding`  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;9969](https://github.com/vitest-dev/vitest/issues/9969) [<samp>(89ca0)</samp>](https://github.com/vitest-dev/vitest/commit/89ca0e254) - Support custom snapshot matcher  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa), **Claude Sonnet 4.6** and **Codex** in [#&#8203;9973](https://github.com/vitest-dev/vitest/issues/9973) [<samp>(59b0e)</samp>](https://github.com/vitest-dev/vitest/commit/59b0e6411) #####    🐞 Bug Fixes - Advance fake timers with `expect.poll` interval  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Claude Sonnet 4.6** in [#&#8203;10022](https://github.com/vitest-dev/vitest/issues/10022) [<samp>(3f5bf)</samp>](https://github.com/vitest-dev/vitest/commit/3f5bfa365) - Add `@vitest/coverage-v8` and `@vitest/coverage-istanbul` as optional dependency  -  by [@&#8203;alan-agius4](https://github.com/alan-agius4) in [#&#8203;10025](https://github.com/vitest-dev/vitest/issues/10025) [<samp>(146d4)</samp>](https://github.com/vitest-dev/vitest/commit/146d4f0a0) - Fix `defineHelper` for webkit async stack trace + update playwright 1.59.0  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;10036](https://github.com/vitest-dev/vitest/issues/10036) [<samp>(5a5fa)</samp>](https://github.com/vitest-dev/vitest/commit/5a5fa49fe) - Fix suite hook throwing errors for unused auto test-scoped fixture  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Claude Sonnet 4.6** in [#&#8203;10035](https://github.com/vitest-dev/vitest/issues/10035) [<samp>(39865)</samp>](https://github.com/vitest-dev/vitest/commit/398657e8d) - **expect**: - Remove `JestExtendError.context` from verbose error reporting  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) in [#&#8203;9983](https://github.com/vitest-dev/vitest/issues/9983) [<samp>(66751)</samp>](https://github.com/vitest-dev/vitest/commit/66751c9e8) - Don't leak "runner" types  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10004](https://github.com/vitest-dev/vitest/issues/10004) [<samp>(ec204)</samp>](https://github.com/vitest-dev/vitest/commit/ec2045543) - **snapshot**: - Fix flagging obsolete snapshots for snapshot properties mismatch  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Claude Sonnet 4.6** in [#&#8203;9986](https://github.com/vitest-dev/vitest/issues/9986) [<samp>(6b869)</samp>](https://github.com/vitest-dev/vitest/commit/6b869156b) - Export custom snapshot matcher helper from `vitest`  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Codex** in [#&#8203;10042](https://github.com/vitest-dev/vitest/issues/10042) [<samp>(691d3)</samp>](https://github.com/vitest-dev/vitest/commit/691d341fd) - **ui**: - Don't leak vite types  -  by [@&#8203;sheremet-va](https://github.com/sheremet-va) in [#&#8203;10005](https://github.com/vitest-dev/vitest/issues/10005) [<samp>(fdff1)</samp>](https://github.com/vitest-dev/vitest/commit/fdff1bf9a) - **vm**: - Fix external module resolve error with deps optimizer query  -  by [@&#8203;hi-ogawa](https://github.com/hi-ogawa) and **Claude Sonnet 4.6** in [#&#8203;10024](https://github.com/vitest-dev/vitest/issues/10024) [<samp>(9dbf4)</samp>](https://github.com/vitest-dev/vitest/commit/9dbf47786) #####     [View changes on GitHub](https://github.com/vitest-dev/vitest/compare/v4.1.2...v4.1.3) </details> <details> <summary>yarnpkg/berry (yarn)</summary> ### [`v4.17.0`](https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg/cli/4.17.0): v4.17.0 [Compare Source](https://github.com/yarnpkg/berry/compare/5761b03feb2146da8ce8cefeba6482f3cb6edb79...2d9ef22423bee7824327272ebdd60f336a3cf82c) #### What's Changed - Adds support for package map generation by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7184](https://github.com/yarnpkg/berry/pull/7184) - fix: add catalog settings to yarnrc schema by [@&#8203;cyphercodes](https://github.com/cyphercodes) in [#&#8203;7179](https://github.com/yarnpkg/berry/pull/7179) - docs: clarify background job exit codes by [@&#8203;StantonMatt](https://github.com/StantonMatt) in [#&#8203;7167](https://github.com/yarnpkg/berry/pull/7167) - fix: explain peer-default dependencies in why by [@&#8203;StantonMatt](https://github.com/StantonMatt) in [#&#8203;7168](https://github.com/yarnpkg/berry/pull/7168) - Docs: fix npmMinimalAgeGate default by [@&#8203;clemyan](https://github.com/clemyan) in [#&#8203;7181](https://github.com/yarnpkg/berry/pull/7181) - feat(plugin-npm): allow npmMinimalAgeGate per npmScope by [@&#8203;erlandasz](https://github.com/erlandasz) in [#&#8203;7156](https://github.com/yarnpkg/berry/pull/7156) #### New Contributors - [@&#8203;cyphercodes](https://github.com/cyphercodes) made their first contribution in [#&#8203;7179](https://github.com/yarnpkg/berry/pull/7179) - [@&#8203;StantonMatt](https://github.com/StantonMatt) made their first contribution in [#&#8203;7167](https://github.com/yarnpkg/berry/pull/7167) - [@&#8203;erlandasz](https://github.com/erlandasz) made their first contribution in [#&#8203;7156](https://github.com/yarnpkg/berry/pull/7156) **Full Changelog**: <https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.16.0...@&#8203;yarnpkg/cli/4.17.0> ### [`v4.16.0`](https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg/cli/4.16.0): v4.16.0 [Compare Source](https://github.com/yarnpkg/berry/compare/1c018491889b40f4f36d36dee2c7a9032fb862d9...5761b03feb2146da8ce8cefeba6482f3cb6edb79) #### What's Changed - PnP: Include Node 22.22.3 in fstat workaround by [@&#8203;junjuny0227](https://github.com/junjuny0227) in [#&#8203;7141](https://github.com/yarnpkg/berry/pull/7141) - Implements yarn npm stage by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7147](https://github.com/yarnpkg/berry/pull/7147) - fix: Stop using EBADF workaround for Node 24.16.0+ by [@&#8203;MJDSys](https://github.com/MJDSys) in [#&#8203;7152](https://github.com/yarnpkg/berry/pull/7152) - Bumps eslint-plugin-arca by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7163](https://github.com/yarnpkg/berry/pull/7163) - Enables staged publishing by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7164](https://github.com/yarnpkg/berry/pull/7164) - feat: Add editor SDK support for oxc (oxfmt & oxlint) by [@&#8203;slainless](https://github.com/slainless) in [#&#8203;7078](https://github.com/yarnpkg/berry/pull/7078) - docs: fix npmMinimalAgeGate default value. by [@&#8203;ryanfox1985](https://github.com/ryanfox1985) in [#&#8203;7125](https://github.com/yarnpkg/berry/pull/7125) #### New Contributors - [@&#8203;junjuny0227](https://github.com/junjuny0227) made their first contribution in [#&#8203;7141](https://github.com/yarnpkg/berry/pull/7141) - [@&#8203;MJDSys](https://github.com/MJDSys) made their first contribution in [#&#8203;7152](https://github.com/yarnpkg/berry/pull/7152) - [@&#8203;slainless](https://github.com/slainless) made their first contribution in [#&#8203;7078](https://github.com/yarnpkg/berry/pull/7078) - [@&#8203;ryanfox1985](https://github.com/ryanfox1985) made their first contribution in [#&#8203;7125](https://github.com/yarnpkg/berry/pull/7125) **Full Changelog**: <https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.15.0...@&#8203;yarnpkg/cli/4.16.0> ### [`v4.15.0`](https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg/cli/4.15.0): v4.15.0 [Compare Source](https://github.com/yarnpkg/berry/compare/72b4aa5d62a6c42dc765710ea66b6dd0f63f4941...1c018491889b40f4f36d36dee2c7a9032fb862d9) #### What's Changed - Fix Next.JS e2e test by [@&#8203;brandonbothell](https://github.com/brandonbothell) in [#&#8203;7115](https://github.com/yarnpkg/berry/pull/7115) - perf(plugin-nm): cache install state across workspaces by [@&#8203;sophiebits](https://github.com/sophiebits) in [#&#8203;7126](https://github.com/yarnpkg/berry/pull/7126) - fix(patch) Correctly handle Unicode paths by [@&#8203;liuxingbaoyu](https://github.com/liuxingbaoyu) in [#&#8203;7123](https://github.com/yarnpkg/berry/pull/7123) - fix(plugin-npm-cli): enable OIDC publish on CircleCI by [@&#8203;joshuayoes](https://github.com/joshuayoes) in [#&#8203;7122](https://github.com/yarnpkg/berry/pull/7122) - fix(core): ignore legacy YARN\_IGNORE\_SCRIPTS env var by [@&#8203;KimHyeongRae0](https://github.com/KimHyeongRae0) in [#&#8203;7120](https://github.com/yarnpkg/berry/pull/7120) - fix: Reject dependency names with leading/trailing whitespace (fixes duplicate installs) by [@&#8203;muskaanshraogi](https://github.com/muskaanshraogi) in [#&#8203;7124](https://github.com/yarnpkg/berry/pull/7124) - feat(plugin-pnpm): make pnpm install concurrency configurable by [@&#8203;lennartschoch](https://github.com/lennartschoch) in [#&#8203;7118](https://github.com/yarnpkg/berry/pull/7118) - PnP: Stop using EDABF solution for Node 26.1.0+ by [@&#8203;clemyan](https://github.com/clemyan) in [#&#8203;7133](https://github.com/yarnpkg/berry/pull/7133) - Makes `npmMinimalAgeGate: 1d` the default by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7135](https://github.com/yarnpkg/berry/pull/7135) #### New Contributors - [@&#8203;brandonbothell](https://github.com/brandonbothell) made their first contribution in [#&#8203;7115](https://github.com/yarnpkg/berry/pull/7115) - [@&#8203;sophiebits](https://github.com/sophiebits) made their first contribution in [#&#8203;7126](https://github.com/yarnpkg/berry/pull/7126) - [@&#8203;liuxingbaoyu](https://github.com/liuxingbaoyu) made their first contribution in [#&#8203;7123](https://github.com/yarnpkg/berry/pull/7123) - [@&#8203;joshuayoes](https://github.com/joshuayoes) made their first contribution in [#&#8203;7122](https://github.com/yarnpkg/berry/pull/7122) - [@&#8203;KimHyeongRae0](https://github.com/KimHyeongRae0) made their first contribution in [#&#8203;7120](https://github.com/yarnpkg/berry/pull/7120) - [@&#8203;muskaanshraogi](https://github.com/muskaanshraogi) made their first contribution in [#&#8203;7124](https://github.com/yarnpkg/berry/pull/7124) - [@&#8203;lennartschoch](https://github.com/lennartschoch) made their first contribution in [#&#8203;7118](https://github.com/yarnpkg/berry/pull/7118) **Full Changelog**: <https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.14.1...@&#8203;yarnpkg/cli/4.15.0> ### [`v4.14.1`](https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg/cli/4.14.1): v4.14.1 [Compare Source](https://github.com/yarnpkg/berry/compare/38ebf0014ba8c0356168d4bbd23c09dbb2bdc9ba...72b4aa5d62a6c42dc765710ea66b6dd0f63f4941) #### What's Changed - fix: Widen EBADF fstat version gate to include Node 24.15+ by [@&#8203;rfoel](https://github.com/rfoel) in [#&#8203;7104](https://github.com/yarnpkg/berry/pull/7104) #### New Contributors - [@&#8203;rfoel](https://github.com/rfoel) made their first contribution in [#&#8203;7104](https://github.com/yarnpkg/berry/pull/7104) **Full Changelog**: <https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.14.0...@&#8203;yarnpkg/cli/4.14.1> ### [`v4.14.0`](https://github.com/yarnpkg/berry/releases/tag/%40yarnpkg/cli/4.14.0): v4.14.0 [Compare Source](https://github.com/yarnpkg/berry/compare/81f3e15d2b6259cb64245411220fa1bf61242526...38ebf0014ba8c0356168d4bbd23c09dbb2bdc9ba) #### What's Changed - Add Re-release workflow to republish artifacts from a specific commit SHA by [@&#8203;Copilot](https://github.com/Copilot) in [#&#8203;7079](https://github.com/yarnpkg/berry/pull/7079) - fix: Node 25.7+ EBADF by reading CJS source of zip files by [@&#8203;NormalGaussian](https://github.com/NormalGaussian) in [#&#8203;7070](https://github.com/yarnpkg/berry/pull/7070) - PnP: Fix watch mode for files `require`d under PnP by [@&#8203;clemyan](https://github.com/clemyan) in [#&#8203;7077](https://github.com/yarnpkg/berry/pull/7077) - feat(plugin-npm): support OIDC auth for CircleCI by [@&#8203;blimmer](https://github.com/blimmer) in [#&#8203;7075](https://github.com/yarnpkg/berry/pull/7075) - Makes `enableScripts: false` the default by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7089](https://github.com/yarnpkg/berry/pull/7089) - Makes the `exec:` protocol respect `enableScripts` by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7090](https://github.com/yarnpkg/berry/pull/7090) - Adds `approvedGitRepositories` by [@&#8203;arcanis](https://github.com/arcanis) in [#&#8203;7091](https://github.com/yarnpkg/berry/pull/7091) - Fix: Names the Experimental ESM support warning by [@&#8203;NormalGaussian](https://github.com/NormalGaussian) in [#&#8203;7069](https://github.com/yarnpkg/berry/pull/7069) - feat(why): allow specifying a version or range by [@&#8203;remypar5](https://github.com/remypar5) in [#&#8203;6992](https://github.com/yarnpkg/berry/pull/6992) #### New Contributors - [@&#8203;Copilot](https://github.com/Copilot) made their first contribution in [#&#8203;7079](https://github.com/yarnpkg/berry/pull/7079) - [@&#8203;NormalGaussian](https://github.com/NormalGaussian) made their first contribution in [#&#8203;7070](https://github.com/yarnpkg/berry/pull/7070) - [@&#8203;remypar5](https://github.com/remypar5) made their first contribution in [#&#8203;6992](https://github.com/yarnpkg/berry/pull/6992) **Full Changelog**: <https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.13.0...@&#8203;yarnpkg/cli/4.14.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIyNC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

renovate-bot force-pushed renovate/minor from 991c822f2d to 7731a4c8d7 2026-05-03 22:13:20 -04:00 Compare

renovate-bot force-pushed renovate/minor from 7731a4c8d7 to 558035b53a 2026-05-04 05:14:04 -04:00 Compare

renovate-bot force-pushed renovate/minor from 558035b53a to 587fa1d358 2026-05-11 05:14:06 -04:00 Compare

renovate-bot force-pushed renovate/minor from 587fa1d358 to aaf51c0940 2026-05-18 05:14:22 -04:00 Compare

renovate-bot added 1 commit 2026-06-15 05:14:33 -04:00

chore(deps): update all-minor-updates 924ffa5dcc

renovate-bot force-pushed renovate/minor from aaf51c0940 to 924ffa5dcc 2026-06-15 05:14:33 -04:00 Compare

Some checks are pending

Hide all checks

Build and Push Docker Image / build (pull_request) Failing after 0s

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/minor:renovate/minor

git checkout renovate/minor

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

renovate-bot lucasoskorep (Lucas Oskorep)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lucasoskorep/mta-sign#9