Bump the npm_and_yarn group across 5 directories with 15 updates

[dependabot]

Bumps the npm_and_yarn group with 10 updates in the / directory:

Package	From	To
astro	5.13.7	5.17.3
fast-xml-parser	5.2.5	5.3.7
vitest	2.1.6	2.1.9
wrangler	4.48.0	4.59.1
undici	6.21.1	6.23.0
form-data	4.0.1	4.0.5
js-yaml	3.14.1	3.14.2
mdast-util-to-hast	13.2.0	13.2.1
tar	6.2.1	7.5.9
tmp	0.0.33	0.2.5

Bumps the npm_and_yarn group with 2 updates in the /.github/actions/assign-pr directory: cross-spawn and esbuild.
Bumps the npm_and_yarn group with 2 updates in the /.github/actions/issue-label-assign directory: cross-spawn and esbuild.
Bumps the npm_and_yarn group with 1 update in the /.github/actions/label-products directory: esbuild.
Bumps the npm_and_yarn group with 1 update in the /.github/actions/label-size directory: esbuild.

Updates astro from 5.13.7 to 5.17.3

Release notes

Sourced from astro's releases.

astro@5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

astro@5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

astro@5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

  This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

  If you were relying on this function, you can replicate the previous behavior manually:

  • On prerendered routes, read the file using node:fs
  • On server rendered routes, fetch files using URLs from fontData and context.url

astro@5.17.0

Minor Changes

• #14932 b19d816 Thanks @​patrickarlt! - Adds support for returning a Promise from the parser() option of the file() loader

  This enables you to run asynchronous code such as fetching remote data or using async parsers when loading files with the Content Layer API.

  For example:

  import { defineCollection } from 'astro:content';
  import { file } from 'astro/loaders';
  const blog = defineCollection({
  loader: file('src/data/blog.json', {
  parser: async (text) => {
  const data = JSON.parse(text);
    // Perform async operations like fetching additional data
    const enrichedData = await fetch(`https://api.example.com/enrich`, {
      method: 'POST',
      body: JSON.stringify(data),
    }).then((res) => res.json());

... (truncated)

Changelog

Sourced from astro's changelog.

5.17.3

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15569 e01e98b Thanks @​matthewp! - Respect image allowlists when inferring remote image sizes and reject remote redirects.

5.17.2

Patch Changes

• c13b536 Thanks @​matthewp! - Improves Host header handling for SSR deployments behind proxies

5.17.1

Patch Changes

• #15334 d715f1f Thanks @​florian-lefebvre! - BREAKING CHANGE to the experimental Fonts API only

  Removes the getFontBuffer() helper function exported from astro:assets when using the experimental Fonts API

  This experimental feature introduced in v15.6.13 ended up causing significant memory usage during build. This feature has been removed and will be reintroduced after further exploration and testing.

  If you were relying on this function, you can replicate the previous behavior manually:

  • On prerendered routes, read the file using node:fs
  • On server rendered routes, fetch files using URLs from fontData and context.url

5.17.0

Minor Changes

• #14932 b19d816 Thanks @​patrickarlt! - Adds support for returning a Promise from the parser() option of the file() loader

  This enables you to run asynchronous code such as fetching remote data or using async parsers when loading files with the Content Layer API.

  For example:

  import { defineCollection } from 'astro:content';
  import { file } from 'astro/loaders';
  const blog = defineCollection({
  loader: file('src/data/blog.json', {
  parser: async (text) => {
  const data = JSON.parse(text);
    // Perform async operations like fetching additional data
    const enrichedData = await fetch(`https://api.example.com/enrich`, {
      method: 'POST',

... (truncated)

Commits

• e0f1a2b [ci] release (#15571)
• 522f880 Limit action request body size (#15564)
• 436962a chore: Upgrade Vite and esbuild (#15554)
• e01e98b Respect remote image allowlists (#15569)
• f2955fb [ci] release (#15474)
• c13b536 Validate Host header against allowedDomains
• 2bf965c update esbuild (#15193)
• 1c6c9fc [ci] release (#15339)
• d715f1f fix(fonts): remove getFontBuffer() (#15334)
• 08d38c6 [ci] release (#15325)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates fast-xml-parser from 5.2.5 to 5.3.7

Release notes

Sourced from fast-xml-parser's releases.

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

New Contributors

• @​Drarig29 made their first contribution in NaturalIntelligence/fast-xml-parser#787

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

Entity security and performance

• Improve security and performance of entity processing
  • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
  • fast return when no edtity is present
  • improvement replacement logic to reduce number of calls

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.5...v5.3.6

v5.3.5

What's Changed

• Add missing exports to fxp commonjs types by @​jeremymeng in NaturalIntelligence/fast-xml-parser#782
• fix: Escape regex char in entity name
• update strnum to 2.1.2

New Contributors

• @​jeremymeng made their first contribution in NaturalIntelligence/fast-xml-parser#782

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.4...v5.3.5

fix: handle HTML numeric and hex entities when out of range

No release notes provided.

bug fix and performance improvements

• fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute
• Performance improvement for stopNodes (By Maciek Lamberski)

Replace Buffer with Uint8Array

• Launched Separate CLI module
• Replace Buffer with Uint8Array

Changelog

Sourced from fast-xml-parser's changelog.

5.3.7 5.3.7 / 2026-02-20

• fix typings for CJS (By Corentin Girard)

5.3.6 / 2026-02-14

• Improve security and performance of entity processing
  • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
  • fast return when no edtity is present
  • improvement replacement logic to reduce number of calls

5.3.5 / 2026-02-08

• fix: Escape regex char in entity name
• update strnum to 2.1.2
• add missing exports in CJS typings

5.3.4 / 2026-01-30

• fix: handle HTML numeric and hex entities when out of range

5.3.3 / 2025-12-12

• fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute

5.3.2 / 2025-11-14

• fix for import statement for v6

5.3.1 / 2025-11-03

• Performance improvement for stopNodes (By Maciek Lamberski)

5.3.0 / 2025-10-03

• Use Uint8Array in place of Buffer in Parser

5.2.5 / 2025-06-08

• Inform user to use fxp-cli instead of in-built CLI feature
• Export typings for direct use

5.2.4 / 2025-06-06

• fix (#747): fix EMPTY and ANY with ELEMENT in DOCTYPE

5.2.3 / 2025-05-11

• fix (#747): support EMPTY and ANY with ELEMENT in DOCTYPE

5.2.2 / 2025-05-05

• fix (#746): update strnum to fix parsing issues related to enotations

5.2.1 / 2025-04-22

• fix: read DOCTYPE entity value correctly

... (truncated)

Commits

• fc97a55 update relese info
• b9aef04 Unexport X2jOptions at declaration site (#787)
• c20fbd6 remove unused code
• ecb2ca1 update release info
• 910dae5 fix entities performance & security issues
• fe9a852 update strnum and release detail
• 943ef0e fix: Escape regex char in entity name
• ddcd0ac Escape regex char in entity name
• 341b582 Add missing exports to fxp commonjs types (#782)
• 753e770 update release details
• Additional commits viewable in compare view

Updates vitest from 2.1.6 to 2.1.9

Release notes

Sourced from vitest's releases.

v2.1.9

This release includes security patches for:

• Browser mode serves arbitrary files | CVE-2025-24963
• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v2 - by @​hi-ogawa in vitest-dev/vitest#7318
• (backport #7340 to v2) restrict served files from /__screenshot-error - by @​hi-ogawa in vitest-dev/vitest#7343

    View changes on GitHub

v2.1.8

   🐞 Bug Fixes

• Support Node 21  -  by @​sheremet-va (92f7a)

    View changes on GitHub

v2.1.7

   🐞 Bug Fixes

• Revert support for Vite 6  -  by @​sheremet-va (fbe5c)
  • This introduced some breaking changes (vitest-dev/vitest#6992). We will enable support for it later. In the meantime, you can still use pnpm.overrides or yarn resolutions to override the vite version in the vitest package - the APIs are compatible.

    View changes on GitHub

Commits

• c9e59a0 chore: release v2.1.9
• e0fe1d8 fix: backport #7317 to v2 (#7318)
• d69cc75 bump: 2.1.8
• 92f7a2a fix: support Node 21
• 81ed45b chore: release v2.1.7
• fbe5c39 fix: revert support for Vite 6
• See full diff in compare view

Updates wrangler from 4.48.0 to 4.59.1

Release notes

Sourced from wrangler's releases.

wrangler@4.59.1

Patch Changes

• #11889 99b1f32 Thanks @​emily-shen! - Use argument array when executing git commands with wrangler pages deploy

  Pass user provided values from --commit-hash safely to underlying git command.

wrangler@4.59.0

Minor Changes

• #11852 ad65efa Thanks @​NuroDev! - Add --check flag to wrangler types command

  The new --check flag allows you to verify that your generated types file is up-to-date without regenerating it. This is useful for CI/CD pipelines, pre-commit hooks, or any scenario where you want to ensure types have been committed after configuration changes.

  When types are up-to-date, the command exits with code 0:

  $ wrangler types --check
  ✨ Types at worker-configuration.d.ts are up to date.

  When types are out-of-date, the command exits with code 1:

  $ wrangler types --check
  ✘ [ERROR] Types at worker-configuration.d.ts are out of date. Run `wrangler types` to regenerate.

  You can also use it with a custom output path:

  $ wrangler types ./custom-types.d.ts --check

• #11529 43d5363 Thanks @​matthewdavidrodgers! - Add ability to enable higher asset count limits for Pages deployments

  Wrangler can now read asset count limits from JWT claims during Pages deployments, allowing users to be enabled for higher limits (up to 100,000 assets) on a per-account basis. The default limit remains at 20,000 assets.

• #11755 0f8d69d Thanks @​nikitassharma! - Users can now specify constraints.tiers for their container applications. tier is deprecated in favor of tiers. If left unset, we will default to tiers: [1, 2]. Note that constraints is an experimental feature.

Patch Changes

• #11820 b0e54b2 Thanks @​MattieTK! - Add AI agent detection to analytics events

  Wrangler now detects when commands are executed by AI coding agents (such as Claude Code, Cursor, GitHub Copilot, etc.) using the am-i-vibing library. This information is included as an agent property in all analytics events, helping Cloudflare understand how developers interact with Wrangler through AI assistants.

... (truncated)

Commits

• 37a8607 Version Packages (#11890)
• 99b1f32 fix: execute git commands in pages deploy safely (#11889)
• e98c95a Version Packages (#11836)
• ad65efa Add --check flag to wrangler types (#11852)
• beb96af feat(unenv-preset): add support for native node:sqlite module (#11841)
• b0e54b2 [wrangler] Add AI agent detection to analytics events (#11820)
• 2203af4 Add Node.js 24 and 25 compatibility to the test suites for Miniflare, Wrangle...
• b6148ed chore(deps): bump the workerd-and-workers-types group with 2 updates (#11872)
• 0eb973d Do not warn user when using a redirected config that came from a config with ...
• 0f8d69d containers: users can set multiple tiers for constraints (#11755)
• Additional commits viewable in compare view

Updates undici from 6.21.1 to 6.23.0

Release notes

Sourced from undici's releases.

v6.23.0

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

What's Changed

• fix: fix wrong stream canceled up after cloning (v6) by @​snyamathi in nodejs/undici#4414
• [Backport v6.x] fix: fix EnvHttpProxyAgent for the Node.js bundle by @​github-actions[bot] in nodejs/undici#4432
• feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180) by @​metcoder95 in nodejs/undici#4433
• feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#4180) (#4340) by @​metcoder95 in nodejs/undici#4445
• Backport 4472 to v6.x by @​Uzlopak in nodejs/undici#4480

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

What's Changed

• [Backport v6.x] append crlf to formdata body by @​github-actions in nodejs/undici#4210

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

v6.21.2

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in nodejs/undici#4024
• [v6.x] fix wpts on windows by @​mcollina in nodejs/undici#4093
• Removed clients with unrecoverable errors from the Pool nodejs/undici#4088

New Contributors

• @​slagiewka made their first contribution in nodejs/undici#4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

Commits

• fbc31e2 Bumped v6.23.0
• 3477c94 chore: release flow using provenance
• d3aafea fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• f9c9185 Bumped v6.22.0
• f670f2a feat: make UndiciErrors reliable to instanceof (#4472) (#4480)
• 422e397 feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#41...
• 4a06ffe feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180)...
• 4cb3974 fix: fix EnvHttpProxyAgent for the Node.js bundle (#4064) (#4432)
• 44c23e5 fix: fix wrong stream canceled up after cloning (v6) (#4414)
• da0e823 Bumped v6.21.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Updates devalue from 5.3.2 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates form-data from 4.0.1 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

• [Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076
• [Dev Deps] update @ljharb/eslint-config, eslint 5822467
• [Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)

... (truncated)

Commits

• 68ff7dd v4.0.5
• 5822467 [Dev Deps] update @ljharb/eslint-config, eslint
• 76d0dee [Fix] set Symbol.toStringTag in the proper place
• 16e0076 [Tests] Switch to newer v8 prediction library; enable node 24 testing
• 41996f5 v4.0.4
• 316c82b [meta] actually ensure the readme backup isn’t published
• 2300ca1 [meta] fix readme capitalization
• 811f682 [meta] add auto-changelog
• 5e34080 [Tests] fix linting errors
• 1d11a76 [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• Additional commits viewable in compare view

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Updates h3 from 1.15.4 to 1.15.5

Release notes

Sourced from h3's releases.

v1.15.5

compare changes

[!IMPORTANT] Security: Fixed a bug in readBody(event) and readRawBody(event) utils where certain Transfer-Encoding header formats could cause the request body to be ignored.

In some deployments (for example, behind TCP load balancers or non-normalizing proxies), this could allow request smuggling. The handling is now safe and fully compliant. (read more)

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

Changelog

Sourced from h3's changelog.

v1.15.5

compare changes

🩹 Fixes

• readRawBody: Fix case-sensitive Transfer-Encoding check causing request smuggling risk (618ccf4)

🏡 Chore

• Update deps (e2462ec)
• Update ci (c934599)
• Add test:types script (0a4a115)
• Update ci (b4dce71)
• Update publish tag to 1.x (589625c)
• Fix ts issue (c9ebf80)
• Update deps (d18c074)
• Fix more ts/lint issues (bd92b74)

🤖 CI

• Fix publish tag (401c9b8)

❤️ Contributors

• Pooya Parsa (@​pi0)

Commits

• 24231b9 chore(release): v1.15.5
• bd92b74 chore: fix more ts/lint issues
• d18c074 chore: update deps
• c9ebf80 chore: fix ts issue
• 618ccf4 fix(readRawBody): fix case-sensitive Transfer-Encoding check causing reques...
• 401c9b8 ci: fix publish tag
• 589625c chore: update publish tag to 1.x
• b4dce71 chore: update ci
• 0a4a115 chore: add test:types script
• c934599 chore: update ci
• Additional commits viewable in compare view

Updates mdast-util-to-hast from 13.2.0 to 13.2.1

Release notes

Sourced from mdast-util-to-hast's releases.

13.2.1

Fix

• ab3a795 Fix support for spaces in class names

Types

• efb5312 Refactor to use @imports
• a5bc210 Add declaration ...

  Description has been truncated