Bump the npm_and_yarn group across 1 directory with 24 updates #47

Merged
josealekhine merged 1 commit into main from dependabot/npm_and_yarn/editors/vscode/npm_and_yarn-ef333894c1
Mar 24, 2026

@dependabot dependabot bot commented on behalf of github Mar 24, 2026

Bumps the npm_and_yarn group with 1 update in the /editors/vscode directory: esbuild.

Updates esbuild from 0.8.0 to 0.25.12

Release notes

Sourced from esbuild's releases.

v0.25.12

  • Fix a minification regression with CSS media queries (#4315)

    The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

  • Update the list of known JavaScript globals (#4310)

    This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

    From ES2017:

    • Atomics
    • SharedArrayBuffer

    From ES2020:

    • BigInt64Array
    • BigUint64Array

    From ES2021:

    • FinalizationRegistry
    • WeakRef

    From ES2025:

    • Float16Array
    • Iterator

    Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

    // This can now be tree-shaken by esbuild:
    class ExampleIterator extends Iterator {}

  • Add support for the new @view-transition CSS rule (#4313)

    With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

    /* Original code */
    @view-transition {
      navigation: auto;
      types: check;
    }

    /* Old output */
    @view-transition { navigation: auto; types: check; }

    /* New output */
    @view-transition {
      navigation: auto;
      types: check;
    }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2020

This changelog documents all esbuild versions published in the year 2020 (versions 0.3.0 through 0.8.28).

0.8.28

  • Add a --summary flag that prints helpful information after a build (#631)

    Normally esbuild's CLI doesn't print anything after doing a build if nothing went wrong. This allows esbuild to be used as part of a more complex chain of tools without the output cluttering the terminal. However, sometimes it is nice to have a quick overview in your terminal of what the build just did. You can now add the --summary flag when using the CLI and esbuild will print a summary of what the build generated. It looks something like this:

    $ ./esbuild --summary --bundle src/Three.js --outfile=build/three.js --sourcemap
    

    build/three.js 1.0mb ⚠️
    build/three.js.map 1.8mb

    ⚡ Done in 43ms

  • Keep unused imports in TypeScript code in one specific case (#604)

    The official TypeScript compiler always removes imported symbols that aren't used as values when converting TypeScript to JavaScript. This is because these symbols could be types and not removing them could result in a run-time module instantiation failure because of missing exports. This even happens when the tsconfig.json setting "importsNotUsedAsValues" is set to "preserve". Doing this just keeps the import statement itself but confusingly still removes the imports that aren't used as values.

    Previously esbuild always exactly matched the behavior of the official TypeScript compiler regarding import removal. However, that is problematic when trying to use esbuild to compile a partial module such as when converting TypeScript to JavaScript inside a file written in the Svelte programming language. Here is an example:

    <script lang="ts">
      import Counter from './Counter.svelte';
      export let name: string = 'world';
    </script>
    <main>
      <h1>Hello {name}!</h1>
      <Counter />
    </main>

    The current Svelte compiler plugin for TypeScript only provides esbuild with the contents of the <script> tag so to esbuild, the import Counter appears to be unused and is removed.

    In this release, esbuild deliberately deviates from the behavior of the official TypeScript compiler if all of these conditions are met:

    • The "importsNotUsedAsValues" field in tsconfig.json must be present and must not be set to "remove". This is necessary because this is the only case where esbuild can assume that all imports are values instead of types. Any imports that are types will cause a type error when the code is run through the TypeScript type checker. To import types when the importsNotUsedAsValues setting is active, you must use the TypeScript-specific import type syntax instead.

    • You must not be using esbuild as a bundler. When bundling, esbuild needs to assume that it's not seeing a partial file because the bundling process requires renaming symbols to avoid cross-file name collisions.

    • You must not have identifier minification enabled. It's useless to preserve unused imports in this case because referencing them by name won't work anyway. And keeping the unused imports would be counter-productive to minification since they would be extra unnecessary data in the output file.

    This should hopefully allow esbuild to be used as a TypeScript-to-JavaScript converter for programming languages such as Svelte, at least in many cases. The build pipeline in esbuild wasn't designed for compiling partial modules and this still won't be a fully robust solution (e.g. some variables may be renamed to avoid name collisions in rare cases). But it's possible that these cases are very unlikely to come up in practice. Basically this change to keep unused imports in this case should be useful at best and harmless at worst.

0.8.27

... (truncated)

Commits
  • 208f539 publish 0.25.12 to npm
  • 5f03afd update release notes
  • 6b2ee78 minify: remove css rules containing empty :is()
  • f361deb add some additional known static methods
  • 07aa646 automatically mark "RegExp.escape()" calls as pure
  • 9039c46 simplify some call expression checks
  • 188944d add some additional known static methods
  • d3c67f9 fix #4310: add Iterator and other known globals
  • 4a51f0b fix: escape dev server breadcrumb hrefs properly (#4316)
  • 26b29ed fix #4315: @media deduplication bug edge case
  • Additional commits viewable in compare view

Updates @azure/identity from 0.8.0 to 4.13.1

Commits

Updates ajv from 0.8.0 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

New Contributors

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

v8.17.1

What's Changed

Full Changelog: ajv-validator/ajv@v8.17.0...v8.17.1

Plus everything in 8.17.0 which failed to release

The only functional change is to switch from uri-js (which is no longer supported), to fast-uri. This is the second attempt and the team on fast-uri have been really helpful addressing the issues we found last time.

  • Revert "Revert fast-uri change (ajv-validator/ajv#2444)" by @gurgunday in ajv-validator/ajv#2448
  • fix: ignore new eslint error for @typescript-eslint/no-extraneous-class by @jasoniangreen in ajv-validator/ajv#2455
  • docs: clarify behaviour of addVocabulary by @jasoniangreen in ajv-validator/ajv#2454
  • docs: refactor to improve legibility by @blottn in ajv-validator/ajv#2432
  • Fix grammatical typo in managing-schemas.md by @wetneb in ajv-validator/ajv#2305
  • docs: Fix broken strict-mode link by @alexanderjsx in ajv-validator/ajv#2459
  • feat: add test for encoded refs and bump fast-uri by @jasoniangreen in ajv-validator/ajv#2449
  • fix: changes for @typescript-eslint/array-type rule by @jasoniangreen in ajv-validator/ajv#2467
  • fixes ajv-validator/ajv#2217 - clarify custom keyword naming by @jasoniangreen in ajv-validator/ajv#2457

v8.17.0

What's Changed

The only functional change is to switch from uri-js (which is no longer supported), to fast-uri. This is the second attempt and the team on fast-uri have been really helpful addressing the issues we found last time.

... (truncated)

Commits

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.


Updates bl from 0.8.0 to 4.1.0

Release notes

Sourced from bl's releases.

v4.0.3

Fix uninitialized memory access

v4.0.1

  • Remove false-positive Apache-exploit (Fixes #79). #80

v3.0.1

Fix uninitialized memory access

v3.0.0

  • readable-stream@3 #57

v2.2.1

Fix uninitialized memory access

v2.2.0

  • Add indexOf docs #60
  • fix empty shallowSlice return #65

v2.1.2

  • use ES3 only #62

v2.1.1

  • Use native indexOf whenever possible #61

v2.1.0

  • Added indexOf #59

v2.0.1

  • Use require('readable-stream').Duplex #56

v2.0.0

  • Added support for readUIntLE and companions #55

v1.2.2

  • use safe-buffer #51

v1.2.1

  • Fix shallowSlice when the offset are not at the beginning of an internal buffer #44

Changelog

Sourced from bl's changelog.

6.1.6 (2025-12-04)

Trivial Changes

  • deps: bump actions/setup-node from 6.0.0 to 6.1.0 (#163) (c51e63d)

6.1.5 (2025-11-24)

Trivial Changes

  • deps: bump actions/checkout from 5 to 6 (#162) (823100e)

6.1.4 (2025-10-15)

Trivial Changes

  • deps: bump actions/setup-node from 5.0.0 to 6.0.0 (#161) (4f23fa9)

6.1.3 (2025-09-05)

Trivial Changes

  • deps: bump actions/setup-node from 4.2.0 to 5.0.0 (#159) (530e36f)

6.1.2 (2025-08-12)

Trivial Changes

  • deps: bump actions/checkout from 4 to 5 (#158) (28a3852)

6.1.1 (2025-08-01)

Trivial Changes

  • deps-dev: bump typescript from 5.8.3 to 5.9.2 (#157) (70f4e16)

6.1.0 (2025-03-11)

Features

  • Added prepend and getBuffers methods. (#154) (e9eda95)

6.0.20 (2025-03-03)

Trivial Changes

  • deps-dev: bump typescript from 5.7.3 to 5.8.2 (#153) (9291cf9)

6.0.19 (2025-01-28)

... (truncated)

Commits

Maintainer changes

This version was pushed to npm by matteo.collina, a new releaser for bl since your current version.


Updates braces from 0.8.0 to 3.0.3

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

  • The undocumented .makeRe method was removed
  • Require Node.js >= 8.3

Non-breaking changes

  • Caching was removed

[2.3.2] - 2018-04-08

  • start refactoring

... (truncated)

Commits

Updates chownr from 0.8.0 to 1.1.4

Commits

Updates form-data from 0.8.0 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

  • [meta] add auto-changelog 811f682
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
  • [Fix] Switch to using crypto random for boundary values 3d17230
  • [Tests] fix linting errors 5e34080
  • [meta] actually ensure the readme backup isn’t published 316c82b
  • [Dev Deps] update @ljharb/eslint-config 58c25d7
  • [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

Commits

  • [eslint] use a shared config 426ba9a
  • [eslint] fix some spacing issues 2094191
  • [Refactor] use hasown 81ab41b
  • [Fix] validate boundary type in setBoundary() method 8d8e469
  • [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
  • [Dev Deps] remove unused deps 870e4e6
  • [meta] remove local commit hooks e6e83cc
  • [Dev Deps] update eslint 4066fd6
  • [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

Fixed

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

  • [Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076
  • [Dev Deps] update @ljharb/eslint-config, eslint 5822467
  • [Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

  • [meta] add auto-changelog 811f682
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
  • [Fix] Switch to using crypto random for boundary values 3d17230
  • [Tests] fix linting errors 5e34080
  • [meta] actually ensure the readme backup isn’t published 316c82b
  • [Dev Deps] update @ljharb/eslint-config 58c25d7
  • [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

Commits

  • [eslint] use a shared config 426ba9a
  • [eslint] fix some spacing issues 2094191
  • [Refactor] use hasown 81ab41b
  • [Fix] validate boundary type in setBoundary() method 8d8e469
  • [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
  • [Dev Deps] remove unused deps 870e4e6
  • [meta] remove local commit hooks e6e83cc
  • [Dev Deps] update eslint 4066fd6
  • [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

Fixed

... (truncated)

Commits

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.


Updates fsevents from 0.8.0 to 2.3.3

Release notes

Sourced from fsevents's releases.

Release v2.3.3

Released to npm as v2.3.3

Release v2.3.2

Released to npm as v2.3.2

Release v2.3.1

Released to npm as v2.3.1

Release contains universal binary for x86 & amd64 (m1) chips

Release v2.2.2

Released to npm as v2.2.2

Universal Binary Support x86-64 & amd64(m1)

Release v2.2.0

Electron Enabled (no static functions/variables)

Release v1.2.3

No release notes provided.

Release v2.1.2

No release notes provided.

2.1.0

Latest stable release

Release NAPI v2.0.6

Include essential files only.

Release NAPI v2.0.5

No release notes provided.

Release NAPI v2.0.4

No release notes provided.

Release NAPI v2.0.3

Moved NAPI version out of experimental.

NAPI release

No release notes provided.

deprecated

Fixing the API for chokidar since it was calling FSEvents as a constructor

deprecated

We have upgraded to N-API. For that reason we have also dropped support for node < 6.

For that reason, we have made this a major version bump so dependents have to opt in. The actual API remains entirely the same, so if you are depending on fsevents, it should be as simple as changing the version number in your package.json.

... (truncated)

Commits

Install script changes

This version adds install script that runs during installation. Review the package contents before updating.


Updates minimatch from 0.8.0 to 3.1.5

Changelog

Sourced from minimatch's changelog.

change log

10.2

  • Add braceExpandMax option

10.1

  • Add magicalBraces option for escape
  • Fix makeRe when partial: true is set.
  • Fix makeRe when pattern ends in a final ** path part.

10.0

  • Require node 20 or 22 and higher

9.0

  • No default export, only named exports.

8.0

  • Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
  • Bump required Node.js version

7.4

  • Add escape() method
  • Add unescape() method
  • Add Minimatch.hasMagic() method

7.3

  • Add support for posix character classes in a unicode-aware way.

7.2

  • Add windowsNoMagicRoot option

7.1

  • Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

Updates https-proxy-agent from 0.8.0 to 7.0.6

Release notes

Sourced from https-proxy-agent's releases.

https-proxy-agent@7.0.6

Patch Changes

  • 913a49a: Only overwrite servername in tls connect when host is not an IP address
  • Updated dependencies [1699a09]
    • agent-base@7.1.2

https-proxy-agent@7.0.5

Patch Changes

  • 5908e84: Remove net.isIP() check for TLS servername

https-proxy-agent@7.0.4

Patch Changes

  • b88ab46: Import url instead of node:url 🤷‍♂️

https-proxy-agent@7.0.3

Patch Changes

  • c3c405e: Add missing URL type import

https-proxy-agent@7.0.2

Patch Changes

  • e625d10: Support SNI for proxy servers

https-proxy-agent@7.0.1

Patch Changes

  • 23fe1e3: Correct the header parsing logic to stop before the response content to avoid generating an exception.

https-proxy-agent@7.0.0

Major Changes

  • b3860aa: Remove secureProxy getter

    It was not meant to be a public property. If you were using it, just use agent.proxy.protocol === 'https:' instead.

https-proxy-agent@6.2.1

Patch Changes

  • 0b8a0b7: Properly reject errors during proxy CONNECT response

https-proxy-agent@6.2.0

Minor Changes

  • 8ff9faa: "headers" option can now be a function

Patch Changes

... (truncated)

Changelog

Sourced from https-proxy-agent's changelog.

7.0.6

Patch Changes

  • 913a49a: Only overwrite servername in tls connect when host is not an IP address
  • Updated dependencies [1699a09]
    • agent-base@7.1.2

7.0.5

Patch Changes

  • 5908e84: Remove net.isIP() check for TLS servername

7.0.4

Patch Changes

  • b88ab46: Import url instead of node:url 🤷‍♂️

7.0.3

Patch Changes

  • c3c405e: Add missing URL type import

7.0.2

Patch Changes

  • e625d10: Support SNI for proxy servers

7.0.1

Patch Changes

  • 23fe1e3: Correct the header parsing logic to stop before the response content to avoid generating an exception.

7.0.0

Major Changes

  • b3860aa: Remove secureProxy getter

    It was not meant to be a public property. If you were using it, just use agent.proxy.protocol === 'https:' instead.

6.2.1

Patch Changes

... (truncated)

Commits

Updates ini from 0.8.0 to 1.3.8

Commits

Updates js-yaml from 0.8.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
  • Added replacer option (similar to option in JSON.stringify), #339.
  • Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

... (truncated)

Commits

Updates json5 from 0.8.0 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1

v2.2.0

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2

  • Fix: Bump minimist to v1.2.5. (#222)

v2.1.1

  • New: package.json and package.json5 include a module property so bundlers like webpack, rollup and parcel can take advantage of the ES Module build. (#208)
  • Fix: stringify outputs \0 as \\x00 when followed by a digit. (#210)
  • Fix: Spelling mistakes have been fixed. (#196)

v2.1.0

  • New: The index.mjs and index.min.mjs browser builds in the dist directory support ES6 modules. (#187)

v2.0.1

  • Fix: The browser builds in the dist directory support ES5. (#182)

v2.0.0

  • Major: JSON5 officially supports Node.js v6 and later. Support for Node.js v4 has been dropped. Since Node.js v6 supports ES5 features, the code has been rewritten in native ES5, and the dependence on Babel has been eliminated.

  • New: Support for Unicode 10 has been added.

  • New: The test framework has been migrated from Mocha to Tap.

  • New: The browser build at dist/index.js is no longer minified by default. A minified version is available at dist/index.min.js. (#181)

  • Fix: The warning has been made clearer when line and paragraph separators are

... (truncated)

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

v2.2.0 [code, diff]

  • New: Accurate and documented TypeScript declarations are now included. There is no need to install @types/json5. (#236, #244)

v2.1.3 [code, diff]

  • Fix: An out of memory bug when parsing numbers has been fixed. (#228, #229)

v2.1.2 [code, diff]

  • Fix: Bump minimist to v1.2.5. (#222)

v2.1.1 [code, diff]

... (truncated)

Commits

Updates jsonwebtoken from 0.8.0 to 9.0.3

Changelog

Sourced from jsonwebtoken's changelog.

9.0.3 - 2025-12-04

  • updates jws version to 4.0.1.

9.0.2 - 2023-08-30

  • security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
  • refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

  • fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

  • Removed support for Node versions 11 and below.
  • The verify() function no longer accepts unsigned tokens by default. (auth0/node-jsonwebtoken@8345030)
  • RSA key size must be 2048 bits or greater. (auth0/node-jsonwebtoken@ecdf6cc)
  • Key types must be valid for the signing / verification algorithm

Security fixes

  • security: fixes Arbitrary File Write via verify function - CVE-2022-23529
  • security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
  • security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
  • security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

8.5.1 - 2019-03-18

Bug fix

Docs

8.5.0 - 2019-02-20

New Functionality

Test Improvements

... (truncated)

Commits

Updates jws from 0.8.0 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

v4.0.0

No release notes provided.

v3.2.3

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

v3.2.2

No release notes provided.

v3.2.1

No release notes provided.

v3.2.0

No release notes provided.

v3.1.5

No release notes provided.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

  • Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
  • Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

  • BREAKING: Default payload encoding changed from binary to utf8. utf8 is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

  • Code reorganization, thanks [@fearphage]! (7880050

Description has been truncated
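One way to carry out the review that the "Install script changes" notices above ask for, as an added example that is not part of the Dependabot comment or of any listed package: compare the lifecycle scripts declared by two versions of a dependency's package.json and report hooks that are new or changed. The hook list, the risk patterns, the function names and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example (not from the PR): diff npm lifecycle hooks between two
// versions of a dependency so a reviewer sees what would newly run.

// npm lifecycle script names inspected here; the selection is this example's choice.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'prepare', 'postprepare',
];

// Heuristic markers that warrant a closer look at a hook's command (assumed set).
const RISK_PATTERNS = [
  { label: 'network fetch', re: /\b(?:curl|wget)\b|https?:\/\//i },
  { label: 'inline interpreter', re: /\bnode\s+(?:-e|--eval)\b|\b(?:sh|bash)\s+-c\b/ },
  { label: 'native build', re: /\bnode-gyp\b|\bprebuild-install\b/ },
];

// Collect the non-empty lifecycle scripts of one manifest, in hook order.
function lifecycleScripts(manifest, hasBindingGyp = false) {
  const scripts =
    manifest && manifest.scripts && typeof manifest.scripts === 'object'
      ? manifest.scripts
      : {};
  const found = new Map();
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = Object.prototype.hasOwnProperty.call(scripts, hook)
      ? scripts[hook]
      : undefined;
    if (typeof cmd === 'string' && cmd.trim() !== '') found.set(hook, cmd.trim());
  }
  // Edge case: with a binding.gyp in the package root and no install or
  // preinstall script, npm defaults the install command to "node-gyp rebuild".
  if (hasBindingGyp && !found.has('install') && !found.has('preinstall')) {
    found.set('install', 'node-gyp rebuild');
  }
  return found;
}

// Report hooks that are added or whose command changed between versions.
function diffInstallHooks(oldPkg, newPkg) {
  const before = lifecycleScripts(oldPkg.manifest, oldPkg.hasBindingGyp);
  const after = lifecycleScripts(newPkg.manifest, newPkg.hasBindingGyp);
  const findings = [];
  for (const [hook, command] of after) {
    if (before.get(hook) === command) continue; // unchanged, nothing to review
    findings.push({
      hook,
      change: before.has(hook) ? 'changed' : 'added',
      command,
      flags: RISK_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.label),
    });
  }
  return findings;
}

// One printable line per finding for a review comment or CI log.
function formatFindings(name, findings) {
  return findings.map(
    (f) => `${name}: ${f.hook} ${f.change}: ${f.command}` +
      (f.flags.length ? ` [${f.flags.join(', ')}]` : '')
  );
}

// Constructed sample input: two versions of a hypothetical package "example-dep".
const OLD_PKG = {
  hasBindingGyp: false,
  manifest: {
    name: 'example-dep',
    version: '1.0.0',
    scripts: { test: 'node test.js', postinstall: 'node scripts/notice.js' },
  },
};
const NEW_PKG = {
  hasBindingGyp: true,
  manifest: {
    name: 'example-dep',
    version: '2.0.0',
    scripts: {
      test: 'node test.js',
      prepublish: 'npm run build',
      postinstall: 'node -e "require(\'./scripts/setup\')"',
    },
  },
};

for (const line of formatFindings('example-dep', diffInstallHooks(OLD_PKG, NEW_PKG))) {
  console.log(line);
}
```

In practice the two manifests would come from the tarballs of the old and new versions, unpacked without running any scripts.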

Bumps the npm_and_yarn group with 1 update in the /editors/vscode directory: [esbuild](https://github.com/evanw/esbuild).


Updates `esbuild` from 0.8.0 to 0.25.12
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2020.md)
- [Commits](evanw/esbuild@v0.8.0...v0.25.12)

Updates `@azure/identity` from 0.8.0 to 4.13.1
- [Release notes](https://github.com/Azure/azure-sdk-for-js/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-js/blob/main/documentation/Changelog-for-next-generation.md)
- [Commits](https://github.com/Azure/azure-sdk-for-js/commits/@azure/identity_4.13.1)

Updates `ajv` from 0.8.0 to 8.18.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](https://github.com/ajv-validator/ajv/commits/v8.18.0)

Updates `bl` from 0.8.0 to 4.1.0
- [Release notes](https://github.com/rvagg/bl/releases)
- [Changelog](https://github.com/rvagg/bl/blob/master/CHANGELOG.md)
- [Commits](rvagg/bl@v0.8.0...v4.1.0)

Updates `braces` from 0.8.0 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.3)

Updates `chownr` from 0.8.0 to 1.1.4
- [Commits](https://github.com/isaacs/chownr/commits/v1.1.4)

Updates `form-data` from 0.8.0 to 4.0.5
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](https://github.com/form-data/form-data/commits/v4.0.5)

Updates `fsevents` from 0.8.0 to 2.3.3
- [Release notes](https://github.com/fsevents/fsevents/releases)
- [Commits](https://github.com/fsevents/fsevents/commits/v2.3.3)

Updates `minimatch` from 0.8.0 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](https://github.com/isaacs/minimatch/commits/v3.1.5)

Updates `https-proxy-agent` from 0.8.0 to 7.0.6
- [Release notes](https://github.com/TooTallNate/proxy-agents/releases)
- [Changelog](https://github.com/TooTallNate/proxy-agents/blob/main/packages/https-proxy-agent/CHANGELOG.md)
- [Commits](https://github.com/TooTallNate/proxy-agents/commits/https-proxy-agent@7.0.6/packages/https-proxy-agent)

Updates `ini` from 0.8.0 to 1.3.8
- [Release notes](https://github.com/npm/ini/releases)
- [Changelog](https://github.com/npm/ini/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/ini/commits/v1.3.8)

Updates `js-yaml` from 0.8.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits/4.1.1)

Updates `json5` from 0.8.0 to 2.2.3
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](https://github.com/json5/json5/commits/v2.2.3)

Updates `jsonwebtoken` from 0.8.0 to 9.0.3
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](https://github.com/auth0/node-jsonwebtoken/commits/v9.0.3)

Updates `jws` from 0.8.0 to 4.0.1
- [Release notes](https://github.com/brianloveswords/node-jws/releases)
- [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md)
- [Commits](https://github.com/brianloveswords/node-jws/commits/v4.0.1)

Updates `lodash` from 0.8.0 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@0.8.0...4.17.23)

Updates `open` from 0.8.0 to 10.2.0
- [Release notes](https://github.com/sindresorhus/open/releases)
- [Commits](https://github.com/sindresorhus/open/commits/v10.2.0)

Updates `postcss` from 0.8.0 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/commits/8.5.8)

Updates `qs` from 0.8.0 to 6.15.0
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ljharb/qs/commits/v6.15.0)

Updates `simple-get` from 0.8.0 to 4.0.1
- [Commits](https://github.com/feross/simple-get/commits/v4.0.1)

Updates `tar-fs` from 0.8.0 to 2.1.4
- [Commits](https://github.com/mafintosh/tar-fs/commits/v2.1.4)

Updates `typed-rest-client` from 0.8.0 to 1.8.11
- [Release notes](https://github.com/Microsoft/typed-rest-client/releases)
- [Commits](https://github.com/Microsoft/typed-rest-client/commits/v1.8.11)

Updates `undici` from 0.8.0 to 7.24.5
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/commits/v7.24.5)

Updates `vite` from 0.8.0 to 8.0.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@8.0.2/packages/vite)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.25.12
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: "@azure/identity"
  dependency-version: 4.13.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 8.18.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: bl
  dependency-version: 4.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: chownr
  dependency-version: 1.1.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 4.0.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fsevents
  dependency-version: 2.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: https-proxy-agent
  dependency-version: 7.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ini
  dependency-version: 1.3.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: json5
  dependency-version: 2.2.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jsonwebtoken
  dependency-version: 9.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jws
  dependency-version: 4.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: open
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: simple-get
  dependency-version: 4.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar-fs
  dependency-version: 2.1.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: typed-rest-client
  dependency-version: 1.8.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.24.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 8.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 24, 2026
@dependabot dependabot bot requested a review from bilersan as a code owner March 24, 2026 05:31

cloudflare-workers-and-pages bot commented Mar 24, 2026

Deploying ctx with Cloudflare Pages

Latest commit: fd0266e
Status: ✅  Deploy successful!
Preview URL: https://7e877688.ctx-bhl.pages.dev
Branch Preview URL: https://dependabot-npm-and-yarn-edit-3d71.ctx-bhl.pages.dev

@josealekhine josealekhine merged commit a28700c into main Mar 24, 2026
5 checks passed
@josealekhine josealekhine deleted the dependabot/npm_and_yarn/editors/vscode/npm_and_yarn-ef333894c1 branch March 24, 2026 07:56