Bump the npm_and_yarn group across 5 directories with 14 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the /chittyassets directory:

Package	From	To
@anthropic-ai/claude-code	1.0.83	2.1.7
vite	5.4.19	8.0.0
brace-expansion	2.0.1	2.0.2
fast-xml-parser	4.5.3	5.5.6
glob	10.4.5	10.5.0
jws	4.0.0	4.0.1
lodash	4.17.21	4.17.23
minimatch	9.0.5	9.0.9
on-headers	1.0.2	1.1.0
qs	6.13.0	6.14.2

Bumps the npm_and_yarn group with 8 updates in the /chittypm directory:

Package	From	To
@anthropic-ai/claude-code	1.0.83	2.1.7
vite	5.4.19	8.0.0
brace-expansion	2.0.1	2.0.2
glob	10.4.5	10.5.0
lodash	4.17.21	4.17.23
minimatch	9.0.5	9.0.9
on-headers	1.0.2	1.1.0
qs	6.13.0	6.14.2

Bumps the npm_and_yarn group with 10 updates in the /chittypm/chittychain directory:

Package	From	To
vite	5.4.19	8.0.0
glob	10.4.5	10.5.0
jws	3.2.2	3.2.3
lodash	4.17.21	4.17.23
minimatch	3.1.2	3.1.5
minimatch	9.0.5	9.0.9
on-headers	1.0.2	1.1.0
qs	6.13.0	6.14.2
js-yaml	4.1.0	4.1.1
multer	2.0.1	2.1.1
@smithy/config-resolver	4.1.4	4.4.11

Bumps the npm_and_yarn group with 8 updates in the /chittypm/chittyid directory:

Package	From	To
@anthropic-ai/claude-code	1.0.83	2.1.7
vite	5.4.19	8.0.0
brace-expansion	2.0.1	2.0.2
glob	10.4.5	10.5.0
lodash	4.17.21	4.17.23
minimatch	9.0.5	9.0.9
on-headers	1.0.2	1.1.0
qs	6.13.0	6.14.2

Bumps the npm_and_yarn group with 7 updates in the /chittypm/chittyintel directory:

Package	From	To
vite	5.4.19	8.0.0
brace-expansion	2.0.1	2.0.2
glob	10.4.5	10.5.0
lodash	4.17.21	4.17.23
minimatch	9.0.5	9.0.9
on-headers	1.0.2	1.1.0
qs	6.13.0	6.14.2

Updates @anthropic-ai/claude-code from 1.0.83 to 2.1.7

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.7

What's changed

• Added showTurnDuration setting to hide turn duration messages (e.g., "Cooked for 1m 6s")
• Added ability to provide feedback when accepting permission prompts
• Added inline display of agent's final response in task notifications, making it easier to see results without reading the full transcript file
• Fixed security vulnerability where wildcard permission rules could match compound commands containing shell operators
• Fixed false "file modified" errors on Windows when cloud sync tools, antivirus scanners, or Git touch file timestamps without changing content
• Fixed orphaned tool_result errors when sibling tools fail during streaming execution
• Fixed context window blocking limit being calculated using the full context window instead of the effective context window (which reserves space for max output tokens)
• Fixed spinner briefly flashing when running local slash commands like /model or /theme
• Fixed terminal title animation jitter by using fixed-width braille characters
• Fixed plugins with git submodules not being fully initialized when installed
• Fixed bash commands failing on Windows when temp directory paths contained characters like t or n that were misinterpreted as escape sequences
• Improved typing responsiveness by reducing memory allocation overhead in terminal rendering
• Enabled MCP tool search auto mode by default for all users. When MCP tool descriptions exceed 10% of the context window, they are automatically deferred and discovered via the MCPSearch tool instead of being loaded upfront. This reduces context usage for users with many MCP tools configured. Users can disable this by adding MCPSearch to disallowedTools in their settings.
• Changed OAuth and API Console URLs from console.anthropic.com to platform.claude.com
• [VSCode] Fixed claudeProcessWrapper setting passing the wrapper path instead of the Claude binary path

v2.1.6

What's changed

• Added search functionality to /config command for quickly filtering settings
• Added Updates section to /doctor showing auto-update channel and available npm versions (stable/latest)
• Added date range filtering to /stats command - press r to cycle between Last 7 days, Last 30 days, and All time
• Added automatic discovery of skills from nested .claude/skills directories when working with files in subdirectories
• Added context_window.used_percentage and context_window.remaining_percentage fields to status line input for easier context window display
• Added an error display when the editor fails during Ctrl+G
• Fixed permission bypass via shell line continuation that could allow blocked commands to execute
• Fixed false "File has been unexpectedly modified" errors when file watchers touch files without changing content
• Fixed text styling (bold, colors) getting progressively misaligned in multi-line responses
• Fixed the feedback panel closing unexpectedly when typing 'n' in the description field
• Fixed rate limit warning appearing at low usage after weekly reset (now requires 70% usage)
• Fixed rate limit options menu incorrectly auto-opening when resuming a previous session
• Fixed numpad keys outputting escape sequences instead of characters in Kitty keyboard protocol terminals
• Fixed Option+Return not inserting newlines in Kitty keyboard protocol terminals
• Fixed corrupted config backup files accumulating in the home directory (now only one backup is created per config file)
• Fixed mcp list and mcp get commands leaving orphaned MCP server processes
• Fixed visual artifacts in ink2 mode when nodes become hidden via display:none
• Improved the external CLAUDE.md imports approval dialog to show which files are being imported and from where
• Improved the /tasks dialog to go directly to task details when there's only one background task running
• Improved @ autocomplete with icons for different suggestion types and single-line formatting
• Updated "Help improve Claude" setting fetch to refresh OAuth and retry when it fails due to a stale OAuth token
• Changed task notification display to cap at 3 lines with overflow summary when multiple background tasks complete simultaneously
• Changed terminal title to "Claude Code" on startup for better window identification
• Removed ability to @-mention MCP servers to enable/disable - use /mcp enable <name> instead
• [VSCode] Fixed usage indicator not updating after manual compact

v2.1.5

What's changed

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.78

• Added StopFailure hook event that fires when the turn ends due to an API error (rate limit, auth failure, etc.)
• Added ${CLAUDE_PLUGIN_DATA} variable for plugin persistent state that survives plugin updates; /plugin uninstall prompts before deleting it
• Added effort, maxTurns, and disallowedTools frontmatter support for plugin-shipped agents
• Terminal notifications (iTerm2/Kitty/Ghostty popups, progress bar) now reach the outer terminal when running inside tmux with set -g allow-passthrough on
• Response text now streams line-by-line as it's generated
• Fixed git log HEAD failing with "ambiguous argument" inside sandboxed Bash on Linux, and stub files polluting git status in the working directory
• Fixed cc log and --resume silently truncating conversation history on large sessions (>5 MB) that used subagents
• Fixed infinite loop when API errors triggered stop hooks that re-fed blocking errors to the model
• Fixed deny: ["mcp__servername"] permission rules not removing MCP server tools before sending to the model, allowing it to see and attempt blocked tools
• Fixed sandbox.filesystem.allowWrite not working with absolute paths (previously required // prefix)
• Fixed /sandbox Dependencies tab showing Linux prerequisites on macOS instead of macOS-specific info
• Security: Fixed silent sandbox disable when sandbox.enabled: true is set but dependencies are missing — now shows a visible startup warning
• Fixed .git, .claude, and other protected directories being writable without a prompt in bypassPermissions mode
• Fixed ctrl+u in normal mode scrolling instead of readline kill-line (ctrl+u/ctrl+d half-page scroll moved to transcript mode only)
• Fixed voice mode modifier-combo push-to-talk keybindings (e.g. ctrl+k) requiring a hold instead of activating immediately
• Fixed voice mode not working on WSL2 with WSLg (Windows 11); WSL1/Win10 users now get a clear error
• Fixed --worktree flag not loading skills and hooks from the worktree directory
• Fixed CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS and includeGitInstructions setting not suppressing the git status section in the system prompt
• Fixed Bash tool not finding Homebrew and other PATH-dependent binaries when VS Code is launched from Dock/Spotlight
• Fixed washed-out Claude orange color in VS Code/Cursor/code-server terminals that don't advertise truecolor support
• Added ANTHROPIC_CUSTOM_MODEL_OPTION env var to add a custom entry to the /model picker, with optional _NAME and _DESCRIPTION suffixed vars for display
• Fixed ANTHROPIC_BETAS environment variable being silently ignored when using Haiku models
• Fixed queued prompts being concatenated without a newline separator
• Improved memory usage and startup time when resuming large sessions
• [VSCode] Fixed a brief flash of the login screen when opening the sidebar while already authenticated
• [VSCode] Fixed "API Error: Rate limit reached" when selecting Opus — model dropdown no longer offers 1M context variant to subscribers whose plan tier is unknown

2.1.77

• Increased default maximum output token limits for Claude Opus 4.6 to 64k tokens, and the upper bound for Opus 4.6 and Sonnet 4.6 models to 128k tokens
• Added allowRead sandbox filesystem setting to re-allow read access within denyRead regions
• /copy now accepts an optional index: /copy N copies the Nth-latest assistant response
• Fixed "Always Allow" on compound bash commands (e.g. cd src && npm test) saving a single rule for the full string instead of per-subcommand, leading to dead rules and repeated permission prompts
• Fixed auto-updater starting overlapping binary downloads when the slash-command overlay repeatedly opened and closed, accumulating tens of gigabytes of memory
• Fixed --resume silently truncating recent conversation history due to a race between memory-extraction writes and the main transcript
• Fixed PreToolUse hooks returning "allow" bypassing deny permission rules, including enterprise managed settings
• Fixed Write tool silently converting line endings when overwriting CRLF files or creating files in CRLF directories
• Fixed memory growth in long-running sessions from progress messages surviving compaction
• Fixed cost and token usage not being tracked when the API falls back to non-streaming mode
• Fixed CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS not stripping beta tool-schema fields, causing proxy gateways to reject requests
• Fixed Bash tool reporting errors for successful commands when the system temp directory path contains spaces
• Fixed paste being lost when typing immediately after pasting
• Fixed Ctrl+D in /feedback text input deleting forward instead of the second press exiting the session
• Fixed API error when dragging a 0-byte image file into the prompt
• Fixed Claude Desktop sessions incorrectly using the terminal CLI's configured API key instead of OAuth
• Fixed git-subdir plugins at different subdirectories of the same monorepo commit colliding in the plugin cache
• Fixed ordered list numbers not rendering in terminal UI
• Fixed a race condition where stale-worktree cleanup could delete an agent worktree just resumed from a previous crash

... (truncated)

Commits

• See full diff in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates vite from 5.4.19 to 8.0.0

Release notes

Sourced from vite's releases.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

v8.0.0-beta.16

Please refer to CHANGELOG.md for details.

v8.0.0-beta.15

Please refer to CHANGELOG.md for details.

v8.0.0-beta.14

Please refer to CHANGELOG.md for details.

v8.0.0-beta.13

Please refer to CHANGELOG.md for details.

v8.0.0-beta.12

Please refer to CHANGELOG.md for details.

v8.0.0-beta.11

Please refer to CHANGELOG.md for details.

v8.0.0-beta.10

Please refer to CHANGELOG.md for details.

v8.0.0-beta.9

Please refer to CHANGELOG.md for details.

v8.0.0-beta.8

Please refer to CHANGELOG.md for details.

v8.0.0-beta.7

Please refer to CHANGELOG.md for details.

v8.0.0-beta.6

Please refer to CHANGELOG.md for details.

v8.0.0-beta.5

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.0 (2026-03-12)

Today, we're thrilled to announce the release of the next Vite major:

• Vite 8.0 announcement blog post
• Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
• Migration Guide

⚠ BREAKING CHANGES

• remove import.meta.hot.accept resolution fallback (#21382)
• update default browser target (#21193)
• the epic rolldown-vite merge (#21189)

Features

• update rolldown to 1.0.0-rc.9 (#21813) (f05be0e)
• warn when vite-tsconfig-paths plugin is detected (#21781) (ada493e)
• css: support es2025 build target for lightningcss (#21769) (08906e7)
• forward browser console logs and errors to dev server terminal (#20916) (2540ed0)
• update rolldown to 1.0.0-rc.8 (#21790) (a0c950e)
• export Visitor and ESTree from rolldown/utils (#21664) (45de31e)
• update rolldown to 1.0.0-rc.6 (#21714) (37a65f8)
• use util.inspect for CLI error display (#21668) (5f425a9)
• update rolldown to 1.0.0-rc.5 (#21660) (b3ddbc5)
• update rolldown to 1.0.0-rc.4 (#21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#21102) (216a3b5)
• integrate devtools (#21331) (acbf507)
• update rolldown to 1.0.0-rc.3 (#21554) (43358e9)
• manifest: add assets field for standalone CSS entry points (#21015) (f289b9b)
• update rolldown to 1.0.0-rc.2 (#21512) (fa136a9)
• bundled-dev: support worker in initial bundle (#21415) (f3d3149)
• dev: detect port conflicts on wildcard hosts (#21381) (b0dd5a9)
• shortcuts case insensitive (#21224) (7796ade)
• update rolldown to 1.0.0-rc.1 (#21463) (ff9dd7f)
• warn if envPrefix contains spaces (#21292) (9fcde3c)
• update rolldown to 1.0.0-beta.60 (#21408) (c33aa7c)
• update rolldown to 1.0.0-beta.59 (#21374) (0037943)
• add ignoreOutdatedRequests option to optimizeDeps (#21364) (b2e75aa)
• add ios to default esbuild targets (#21342) (daae6e9)
• update rolldown to 1.0.0-beta.58 (#21354) (ba40cef)
• update rolldown to 1.0.0-beta.57 (#21335) (d5412ef)
• css: support es2024 build target for lightningcss (#21294) (bd33b8e)
• update rolldown to 1.0.0-beta.56 (#21323) (9847a63)
• introduce v2 native plugins and enable it by default (#21268) (42f2ab3)
• ssr: avoid errors when rewriting already rewritten stacktrace (#21269) (98d9a33)
• update rolldown to 1.0.0-beta.55 (#21300) (2c8db85)
• update rolldown to 1.0.0-beta.54 (#21267) (c751172)

... (truncated)

Commits

• ea68a88 chore(deps): update rolldown-related dependencies (#20810)
• 693d255 release: v7.1.7
• 98a3484 fix(hmr): wait for import.meta.hot.prune callbacks to complete before runni...
• 9f32b1d fix(hmr): trigger prune event when import is removed from non hmr module (#20...
• 9f2247c fix(deps): update all non-major dependencies (#20811)
• 105abe8 fix(glob): handle glob imports from folders starting with dot (#20800)
• 4c4583c fix(build): fix ssr environment emitAssets: true when `sharedConfigBuild: t...
• 9bc9d12 fix(client): use CSP nonce when rendering error overlay (#20791)
• 54377f7 release: v7.1.6
• 88af2ae fix(deps): update all non-major dependencies (#20773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.

Updates vite from 5.4.19 to 8.0.0

Release notes

Sourced from vite's releases.

create-vite@8.0.0

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0

Please refer to CHANGELOG.md for details.

v8.0.0-beta.18

Please refer to CHANGELOG.md for details.

v8.0.0-beta.17

Please refer to CHANGELOG.md for details.

v8.0.0-beta.16

Please refer to CHANGELOG.md for details.

v8.0.0-beta.15

Please refer to CHANGELOG.md for details.

v8.0.0-beta.14

Please refer to CHANGELOG.md for details.

v8.0.0-beta.13

Please refer to CHANGELOG.md for details.

v8.0.0-beta.12

Please refer to CHANGELOG.md for details.

v8.0.0-beta.11

Please refer to CHANGELOG.md for details.

v8.0.0-beta.10

Please refer to CHANGELOG.md for details.

v8.0.0-beta.9

Please refer to CHANGELOG.md for details.

v8.0.0-beta.8

Please refer to CHANGELOG.md for details.

v8.0.0-beta.7

Please refer to CHANGELOG.md for details.

v8.0.0-beta.6

Please refer to CHANGELOG.md for details.

v8.0.0-beta.5

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.0 (2026-03-12)

Today, we're thrilled to announce the release of the next Vite major:

• Vite 8.0 announcement blog post
• Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
• Migration Guide

⚠ BREAKING CHANGES

• remove import.meta.hot.accept resolution fallback (#21382)
• update default browser target (#21193)
• the epic rolldown-vite merge (#21189)

Features

• update rolldown to 1.0.0-rc.9 (#21813) (f05be0e)
• warn when vite-tsconfig-paths plugin is detected (#21781) (ada493e)
• css: support es2025 build target for lightningcss (#21769) (08906e7)
• forward browser console logs and errors to dev server terminal (#20916) (2540ed0)
• update rolldown to 1.0.0-rc.8 (#21790) (a0c950e)
• export Visitor and ESTree from rolldown/utils (#21664) (45de31e)
• update rolldown to 1.0.0-rc.6 (#21714) (37a65f8)
• use util.inspect for CLI error display (#21668) (5f425a9)
• update rolldown to 1.0.0-rc.5 (#21660) (b3ddbc5)
• update rolldown to 1.0.0-rc.4 (#21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#21102) (216a3b5)
• integrate devtools (#21331) (acbf507)
• update rolldown to 1.0.0-rc.3 (#21554) (43358e9)
• manifest: add assets field for standalone CSS entry points (#21015) (f289b9b)
• update rolldown to 1.0.0-rc.2 (#21512) (fa136a9)
• bundled-dev: support worker in initial bundle (#21415) (f3d3149)
• dev: detect port conflicts on wildcard hosts (#21381) (b0dd5a9)
• shortcuts case insensitive (#21224) (7796ade)
• update rolldown to 1.0.0-rc.1 (#21463) (ff9dd7f)
• warn if envPrefix contains spaces (#21292) (9fcde3c)
• update rolldown to 1.0.0-beta.60 (#21408) (c33aa7c)
• update rolldown to 1.0.0-beta.59 (#21374) (0037943)
• add ignoreOutdatedRequests option to optimizeDeps (#21364) (b2e75aa)
• add ios to default esbuild targets (#21342) (daae6e9)
• update rolldown to 1.0.0-beta.58 (#21354) (ba40cef)
• update rolldown to 1.0.0-beta.57 (#21335) (d5412ef)
• css: support es2024 build target for lightningcss (#21294) (bd33b8e)
• update rolldown to 1.0.0-beta.56 (#21323) (9847a63)
• introduce v2 native plugins and enable it by default (#21268) (42f2ab3)
• ssr: avoid errors when rewriting already rewritten stacktrace (#21269) (98d9a33)
• update rolldown to 1.0.0-beta.55 (#21300) (2c8db85)
• update rolldown to 1.0.0-beta.54 (#21267) (c751172)

... (truncated)

Commits

• ea68a88 chore(deps): update rolldown-related dependencies (#20810)
• 693d255 release: v7.1.7
• 98a3484 fix(hmr): wait for import.meta.hot.prune callbacks to complete before runni...
• 9f32b1d fix(hmr): trigger prune event when import is removed from non hmr module (#20...
• 9f2247c fix(deps): update all non-major dependencies (#20811)
• 105abe8 fix(glob): handle glob imports from folders starting with dot (#20800)
• 4c4583c fix(build): fix ssr environment emitAssets: true when `sharedConfigBuild: t...
• 9bc9d12 fix(client): use CSP nonce when rendering error overlay (#20791)
• 54377f7 release: v7.1.6
• 88af2ae fix(deps): update all non-major dependencies (#20773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.

Updates brace-expansion from 2.0.1 to 2.0.2

Release notes

Sourced from brace-expansion's releases.

v2.0.2

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

---

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

• a3efcee 2.0.2
• 14f1d91 pkg: publish on tag 2.x
• ed7780a fmt
• 36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates fast-xml-parser from 4.5.3 to 5.5.6

Release notes

Sourced from fast-xml-parser's releases.

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

New Contributors

• @​Drarig29 made their first contribution in NaturalIntelligence/fast-xml-parser#787

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.6 / 2026-03-16

• update builder dependency
• fix incorrect regex to replace . in entity name
• fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

• sanitize dangerous tag or attribute name
• error on critical property name
• support onDangerousProperty option

5.5.4 / 2026-03-13

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

• upgrade builder

5.5.2 / 2026-03-11

• update dependency to fix typings

5.5.1 / 2026-03-10

• fix dependency

5.5.0 / 2026-03-10

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

5.4.2 / 2026-03-03

• support maxEntityCount option

5.4.1 / 2026-02-25

• fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

• migrate to fast-xml-builder

5.3.9 / 2026-02-25

• support strictReservedNames

5.3.8 / 2026-02-25

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies

5.3.7 / 2026-02-20

... (truncated)

Commits

• 870043e update release info
• 6df401e update builder dependency
• bd26122 check for entitiy expansion for lastEntities and html entities too
• 7e70dd8 fix incorrect regex to replace . in entity name
• e54155f update package info
• 3308fd7 handle critical properties
• 0500f6b refactor
• ea07bb2 declare Matcher & Expression as unknown
• 0a4dc92 upgrade builder
• e0a14f7 update dependency to fix typings
• Additional commits viewable in compare view

Updates glob from 10.4.5 to 10.5.0

Commits

• 56774ef 10.5.0
• 1e4e297 bin: Do not expose filenames to shell expansion
• See full diff in compare view

Updates jws from 4.0.0 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

• Code reorganization, thanks [@​fearphage]! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

• 34c45b2 Merge commit from fork
• 49bc39b version 4.0.1
• d42350c Enhance tests for HMAC streaming sign and verify
• 5cb007c Improve secretOrKey initialization in VerifyStream
• f9a2e1c Improve secret handling in SignStream
• b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
• 95b75ee Upload OpsLevel YAML
• 8857ee7 test: remove unused variable (#96)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates minimatch from 9.0.5 to 9.0.9

Commits

• 8a10e47 9.0.9
• c6f1806 brace-expansion@2
• 446cfa3 9.0.8
• 8fa151a docs: add warning about ReDoS
• 71b78a2 fix partial matching of globstar patterns
• 2de496f 9.0.7
• 0d4616d limit nested extglob recursion, flatten extglobs
• 7117ef3 9.0.6
• 2418458 update deps, do not checkin dist
• 1d1f531 update deps
• Additional commits viewable in compare view

Description has been truncated

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	chittyscore	87466d7	Mar 18 2026, 12:54 AM