chore(deps): bump the npm_and_yarn group across 1 directory with 21 updates

[dependabot]

Bumps the npm_and_yarn group with 18 updates in the / directory:

Package	From	To
@modelcontextprotocol/sdk	1.25.3	1.26.0
express-rate-limit	8.2.1	8.5.1
markdown-it	14.1.0	14.1.1
undici	7.19.0	7.25.0
yaml	2.8.2	2.8.4
@hono/node-server	1.19.9	1.19.14
@isaacs/brace-expansion	5.0.0	5.0.1
ajv	6.12.6	6.15.0
protobufjs	7.5.4	7.5.6
minimatch	3.1.2	3.1.5
esbuild	0.21.5	0.27.2
fast-xml-parser	5.2.5	5.7.2
flatted	3.3.3	3.4.2
hono	4.11.7	4.12.18
picomatch	2.3.1	2.3.2
path-to-regexp	8.3.0	8.4.2
qs	6.14.1	6.15.1
rollup	4.55.1	4.60.3

Updates @modelcontextprotocol/sdk from 1.25.3 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• See full diff in compare view

Updates express-rate-limit from 8.2.1 to 8.5.1

Release notes

Sourced from express-rate-limit's releases.

v8.5.1

You can view the changelog here.

v8.5.0

You can view the changelog here.

v8.4.1

You can view the changelog here.

v8.4.0

You can view the changelog here.

v8.3.2

You can view the changelog here.

v8.3.1

You can view the changelog here.

v8.3.0

You can view the changelog here.

Commits

• 50cc3f6 8.5.1
• 92c8e3e chore: bump ip-address library to latest (#626)
• 807e383 8.5.0
• b844137 v8.5.0 changelog
• ceaffab feat: async store init (#621)
• 69568d4 8.4.1
• c686acd v8.4.1 changelog
• ba71353 test: bump timeout in flakey skipFailedRequests test (#618)
• dd4c894 feat: allow usage of custom logger (#616)
• 2bb343c resolve Jest timeout for server-based tests (#617)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for express-rate-limit since your current version.

Updates markdown-it from 14.1.0 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

• Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.

Commits

• b4a9b65 14.1.1 released
• 4b4bbca Fixed perf regression in linkify-it wrapper
• d2782d8 Add supplementary example-driven documentation (#1092)
• See full diff in compare view

Updates undici from 7.19.0 to 7.25.0

Release notes

Sourced from undici's releases.

v7.25.0

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in nodejs/undici#5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in nodejs/undici#4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in nodejs/undici#4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in nodejs/undici#4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in nodejs/undici#4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in nodejs/undici#4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in nodejs/undici#4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in nodejs/undici#4938
• ignore AGENTS.md by @​mcollina in nodejs/undici#4942

New Contributors

• @​samuel871211 made their first contribution in nodejs/undici#4924
• @​mistval made their first contribution in nodejs/undici#4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in nodejs/undici#4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in nodejs/undici#4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in nodejs/undici#4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in nodejs/undici#4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in nodejs/undici#4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in nodejs/undici#4834
• docs: clarify fetch and FormData pairing by @​mcollina in nodejs/undici#4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in nodejs/undici#4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in nodejs/undici#4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in nodejs/undici#4926
• test: auto-init WPT submodule by @​mcollina in nodejs/undici#4930

New Contributors

• @​rozzilla made their first contribution in nodejs/undici#4909
• @​veeceey made their first contribution in nodejs/undici#4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

... (truncated)

Commits

• 12d9045 Bumped v7.25.0 (#5025)
• 7a6f7fe Bumped v7.24.8 (#5020)
• 1f85ae4 fix: avoid 401 failures for stream-backed request bodies (#4941) (#5006)
• c661067 chore: update v7.x maintenance release flow
• 84f23e2 Bumped v7.24.7 (#4947)
• a770b10 ignore AGENTS.md (#4942)
• 6acd19b fix: correctly handle multi-value rawHeaders in fetch (#4938)
• 1da1c74 test: skip IPv6 tests when IPv6 is not available (#4939)
• 04cb773 fix(types): Fix clone method type declaration to be an instance method rather...
• 5145a7c fix(types): align Response with DOM fetch types (#4867)
• Additional commits viewable in compare view

Updates yaml from 2.8.2 to 2.8.4

Release notes

Sourced from yaml's releases.

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• 0f226a3 docs: Add trailingComma ToString option
• ce14587 2.8.3
• 1e84ebb fix: Catch stack overflow during node composition
• 6b24090 ci: Include Prettier check in lint action
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• 2f8ca36 1.19.10
• Additional commits viewable in compare view

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates ajv from 6.12.6 to 6.15.0

Commits

• 184bc32 6.15.0
• fea46af test/fix prototype pollution via $data ref with format keyword (#2606)
• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates protobufjs from 7.5.4 to 7.5.6

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.5.6

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#2126)
• fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

Changelog

Sourced from protobufjs's changelog.

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

Commits

• 2189e5b chore: release protobufjs-v7.x (#2174)
• 75392ea fix: Backport input hardening and CLI fixes to 7.x (#2173)
• 8af8d7c chore(ci): Fix 7.x release please configuration (#2169)
• e92ca42 chore(ci): Enable release-please for 7.x (#2166)
• b7bdfaf chore: release 7.5.5
• ff7b2af fix: filter invalid characters from the type name (#2127)
• 086b19d fix: do not allow setting proto in Message constructor (#2126)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates esbuild from 0.21.5 to 0.27.2

Release notes

Sourced from esbuild's releases.

v0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}
  // New output (with --minify)

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• cd83297 publish 0.27.2 to npm
• 2759721 additional tests for switch with break
• fd2b4b3 update release notes
• c8d93a7 fix #4357: -webkit- prefix for mask shorthand (#4358)
• 92ff12c compat table: update @types/node
• a35eceb compat table: fix a type error with the new types
• f598984 fix make compat-table to install dependencies
• f7f6df0 release notes for #4361
• 6f8ec15 fix: allow subpath imports that start with #/ (#4361)
• f7ae61f minify some switch statements to if-else statement
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.

Updates fast-xml-parser from 5.2.5 to 5.7.2

Release notes

Sourced from fast-xml-parser's releases.

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

5.5.12 / 2026-04-13

• Performance Improvement: update path-expression-matcher
  • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

• Performance Improvement
  • integrate ExpressionSet for stopNodes

... (truncated)

Commits

• b1d5b90 update releas info
• 78571ae tests for long tag expression
• ebaedc0 allow numerical external entities for backward compatibility
• 91245eb update changelog
• 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
• d6bce3b allow long attribute expressions
• 9a2561b remove unnecessary
• 0f08303 fix typo
• f529642 update to release v5.7.0
• 52a8583 Revert "improve performance of attributes reading"
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates hono from 4.11.7 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.18

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in honojs/hono#4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in honojs/hono#4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in honojs/hono#4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in honojs/hono#4906

New Contributors

• @​kfly8 made their first contribution in honojs/hono#4893
• @​truffle-dev made their first contribution in honojs/hono#4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

... (truncated)

Commits

• f10dee8 4.12.18
• a5bd9eb Merge commit from fork
• 58d3d3a Merge commit from fork
• 568c2ec Merge commit from fork
• ff2b3d3 4.12.17
• 52aaaf9 fix(types): propagate middleware response types to app.on overloads (#4906)
• 76d5589 fix(cors): make origin optional in CORSOptions (#4905)
• 8f027e5 fix(ssg): add atom+xml and rss+xml to defaultExtensionMap (#4899)
• bfba97c fix(jsx): normalize SVG attributes on the <svg> root element (#4893)
• 90d4182 4.12.16
• Additional commits viewable in compare view

Updates ip-address from 10.0.1 to 10.2.0

Commits

• See full diff in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request