Merged
Conversation
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v8.0.1</h2> <h2>What's Changed</h2> <ul> <li>Support for CJK characters in the artifact name by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/471">actions/download-artifact#471</a></li> <li>Add a regression test for artifact name + content-type mismatches by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/472">actions/download-artifact#472</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v8...v8.0.1">https://github.com/actions/download-artifact/compare/v8...v8.0.1</a></p> <h2>v8.0.0</h2> <h2>v8 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.</p> </blockquote> <blockquote> <p>[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).</p> </blockquote> <h3>Direct downloads</h3> <p>To support direct uploads in <code>actions/upload-artifact</code>, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the <code>Content-Type</code> header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new <code>skip-decompress</code> parameter to <code>true</code>.</p> <h3>Enforced checks (breaking)</h3> <p>A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the <code>digest-mismatch</code> parameter. To be secure by default, we are now defaulting the behavior to <code>error</code> which will fail the workflow run.</p> <h3>ESM</h3> <p>To support new versions of the @actions/* packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Don't attempt to un-zip non-zipped downloads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/460">actions/download-artifact#460</a></li> <li>Add a setting to specify what to do on hash mismatch and default it to <code>error</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/461">actions/download-artifact#461</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v7...v8.0.0">https://github.com/actions/download-artifact/compare/v7...v8.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"><code>3e5f45b</code></a> Add regression tests for CJK characters (<a href="https://redirect.github.com/actions/download-artifact/issues/471">#471</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/e6d03f67377d4412c7aa56a8e2e4988e6ec479dd"><code>e6d03f6</code></a> Add a regression test for artifact name + content-type mismatches (<a href="https://redirect.github.com/actions/download-artifact/issues/472">#472</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3"><code>70fc10c</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/461">#461</a> from actions/danwkennedy/digest-mismatch-behavior</li> <li><a href="https://github.com/actions/download-artifact/commit/f258da9a506b755b84a09a531814700b86ccfc62"><code>f258da9</code></a> Add change docs</li> <li><a href="https://github.com/actions/download-artifact/commit/ccc058e5fbb0bb2352213eaec3491e117cbc4a5c"><code>ccc058e</code></a> Fix linting issues</li> <li><a href="https://github.com/actions/download-artifact/commit/bd7976ba57ecea96e6f3df575eb922d11a12a9fd"><code>bd7976b</code></a> Add a setting to specify what to do on hash mismatch and default it to <code>error</code></li> <li><a href="https://github.com/actions/download-artifact/commit/ac21fcf45e0aaee541c0f7030558bdad38d77d6c"><code>ac21fcf</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/460">#460</a> from actions/danwkennedy/download-no-unzip</li> <li><a href="https://github.com/actions/download-artifact/commit/15999bff51058bc7c19b50ebbba518eaef7c26c0"><code>15999bf</code></a> Add note about package bumps</li> <li><a href="https://github.com/actions/download-artifact/commit/974686ed5098c7f9c9289ec946b9058e496a2561"><code>974686e</code></a> Bump the version to <code>v8</code> and add release notes</li> <li><a href="https://github.com/actions/download-artifact/commit/fbe48b1d2756394be4cd4358ed3bc1343b330e75"><code>fbe48b1</code></a> Update test names to make it clearer what they do</li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 What's new</h2> <h3>Direct Uploads</h3> <p>Adds support for uploading single files directly (unzipped). Callers can set the new <code>archive</code> parameter to <code>false</code> to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The <code>name</code> parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.</p> <h3>ESM</h3> <p>To support new versions of the <code>@actions/*</code> packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Add proxy integration test by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> <li>Upgrade the module to ESM and bump dependencies by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li> <li>Support direct file uploads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a> Support direct file uploads (<a href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a> Upgrade the module to ESM and bump dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a> from actions/Link-/add-proxy-integration-tests</li> <li><a href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a> Add proxy integration test</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-low-risk group with 8 updates: | Package | From | To | | --- | --- | --- | | [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env) | `7.29.0` | `7.29.2` | | [@babel/runtime-corejs3](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime-corejs3) | `7.29.0` | `7.29.2` | | [core-js](https://github.com/zloirock/core-js/tree/HEAD/packages/core-js) | `3.48.0` | `3.49.0` | | [globals](https://github.com/sindresorhus/globals) | `17.3.0` | `17.4.0` | | [lint-staged](https://github.com/lint-staged/lint-staged) | `16.2.7` | `16.4.0` | | [serve-handler](https://github.com/vercel/serve-handler) | `6.1.6` | `6.1.7` | | [sinon](https://github.com/sinonjs/sinon) | `21.0.1` | `21.0.3` | | [start-server-and-test](https://github.com/bahmutov/start-server-and-test) | `2.1.3` | `2.1.5` | Updates `@babel/preset-env` from 7.29.0 to 7.29.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases"><code>@babel/preset-env</code>'s releases</a>.</em></p> <blockquote> <h2>v7.29.2 (2026-03-16)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17840">#17840</a> [7.x backport] async x => {} must be in leading pos (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helpers</code>, <code>babel-plugin-transform-async-generator-functions</code>, <code>babel-preset-env</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17805">#17805</a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17789">#17789</a> [7.x backport] preset-env include/exclude should accept bugfix plugins (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:house: Internal</h4> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17813">#17813</a> chore: update eslint peer deps (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h4>Committers: 2</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> <h2>v7.29.1 (2026-02-04)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-standalone</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17771">#17771</a> [7.x backport] fix: ensure <code>targets.esmodules</code> is validated (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17776">#17776</a> [7.x backport] Fix undefined when 64 indents (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> </ul> <h4>Committers: 2</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/37d5595fca9f188f0534458180611f2e776acd31"><code>37d5595</code></a> v7.29.2</li> <li><a href="https://github.com/babel/babel/commit/1c0a08d95ae7e1c788c7e1ae3a10ee53f7c86864"><code>1c0a08d</code></a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env/issues/17805">#17805</a>)</li> <li><a href="https://github.com/babel/babel/commit/061bf95142132ce4200f863f891a8e3a727cd844"><code>061bf95</code></a> [7.x backport] preset-env include/exclude should accept bugfix plugins (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env/issues/17789">#17789</a>)</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.2/packages/babel-preset-env">compare view</a></li> </ul> </details> <br /> Updates `@babel/runtime-corejs3` from 7.29.0 to 7.29.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases"><code>@babel/runtime-corejs3</code>'s releases</a>.</em></p> <blockquote> <h2>v7.29.2 (2026-03-16)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17840">#17840</a> [7.x backport] async x => {} must be in leading pos (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helpers</code>, <code>babel-plugin-transform-async-generator-functions</code>, <code>babel-preset-env</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17805">#17805</a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17789">#17789</a> [7.x backport] preset-env include/exclude should accept bugfix plugins (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:house: Internal</h4> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17813">#17813</a> chore: update eslint peer deps (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h4>Committers: 2</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> <h2>v7.29.1 (2026-02-04)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-standalone</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17771">#17771</a> [7.x backport] fix: ensure <code>targets.esmodules</code> is validated (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-generator</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17776">#17776</a> [7.x backport] Fix undefined when 64 indents (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> </ul> <h4>Committers: 2</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/37d5595fca9f188f0534458180611f2e776acd31"><code>37d5595</code></a> v7.29.2</li> <li><a href="https://github.com/babel/babel/commit/1c0a08d95ae7e1c788c7e1ae3a10ee53f7c86864"><code>1c0a08d</code></a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-runtime-corejs3/issues/17805">#17805</a>)</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.2/packages/babel-runtime-corejs3">compare view</a></li> </ul> </details> <br /> Updates `core-js` from 3.48.0 to 3.49.0 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/zloirock/core-js/blob/master/CHANGELOG.md">core-js's changelog</a>.</em></p> <blockquote> <h3><a href="https://github.com/zloirock/core-js/releases/tag/v3.49.0">3.49.0 - 2026.03.16</a></h3> <ul> <li>Changes <a href="https://github.com/zloirock/core-js/compare/v3.48.0...v3.49.0">v3.48.0...v3.49.0</a> (373 commits)</li> <li><a href="https://github.com/tc39/proposal-iterator.range"><code>Iterator.range</code></a> updated following the actual spec version <ul> <li>Throw a <code>RangeError</code> on <code>NaN</code> <code>start</code> / <code>end</code> / <code>step</code></li> <li>Allow <code>null</code> as <code>optionOrStep</code></li> </ul> </li> <li>Improved accuracy of <code>Math.{ asinh, atanh }</code> polyfills with big and small values</li> <li>Improved accuracy of <code>Number.prototype.toExponential</code> polyfills with big and small values</li> <li>Improved performance of <code>atob</code>, <code>btoa</code>, <code>Uint8Array.fromHex</code>, <code>Uint8Array.prototype.setFromHex</code>, and <code>Uint8Array.prototype.toHex</code>, <a href="https://redirect.github.com/zloirock/core-js/issues/1503">#1503</a>, <a href="https://redirect.github.com/zloirock/core-js/issues/1464">#1464</a>, <a href="https://redirect.github.com/zloirock/core-js/issues/1510">#1510</a>, thanks <a href="https://github.com/johnzhou721"><strong><code>@johnzhou721</code></strong></a></li> <li>Minor performance optimization polyfills of methods from <a href="https://github.com/tc39/proposal-upsert"><code>Map</code> upsert proposal</a></li> <li>Polyfills of methods from <a href="https://github.com/tc39/proposal-upsert"><code>Map</code> upsert proposal</a> from the pure version made generic to make it work with polyfilled and native collections</li> <li>Wrap <code>Symbol.for</code> in <code>Symbol.prototype.description</code> polyfill for correct handling of empty string descriptions</li> <li>Fixed <a href="https://bugs.webkit.org/show_bug.cgi?id=309342">a modern Safari bug</a> in <code>Array.prototype.includes</code> with sparse arrays and <code>fromIndex</code></li> <li>Fixed one more case (<code>Iterator.prototype.take</code>) of a V8 ~ Chromium < 126 <a href="https://issues.chromium.org/issues/336839115">bug</a></li> <li>Forced replacement of <code>Iterator.{ concat, zip, zipKeyed }</code> in the pure version for ensuring proper wrapped <code>Iterator</code> instances as the result</li> <li>Fixed proxying <code>.return()</code> on exhausted iterator from some methods of iterator helpers polyfill to the underlying iterator</li> <li>Fixed double <code>.return()</code> calling in case of throwing error in this method in the internal <code>iterate</code> helper that affected some polyfills</li> <li>Fixed closing iterator on <code>IteratorValue</code> errors in the internal <code>iterate</code> helper that affected some polyfills</li> <li>Fixed iterator closing in <code>Array.from</code> polyfill on failure to create array property</li> <li>Fixed order of arguments validation in <code>Array.fromAsync</code> polyfill</li> <li>Fixed a lack of counter validation on <code>MAX_SAFE_INTEGER</code> in <code>Array.fromAsync</code> polyfill</li> <li>Fixed order of arguments validation in <code>Array.prototype.flat</code> polyfill</li> <li>Fixed handling strings as iterables in <code>Iterator.{ zip, zipKeyed }</code> polyfills</li> <li>Fixed some cases of iterators closing in <code>Iterator.{ zip, zipKeyed }</code> polyfills</li> <li>Fixed validation of iterators <code>.next()</code> results an objects in <code>Iterator.{ zip, zipKeyed }</code> polyfills</li> <li>Fixed a lack of early error in <code>Iterator.concat</code> polyfill on primitive as an iterator</li> <li>Fixed buffer mutation exposure in <code>Iterator.prototype.windows</code> polyfill</li> <li>Fixed iterator closing in <code>Set.prototype.{ isDisjointFrom, isSupersetOf }</code> polyfill</li> <li>Fixed (updated following the final spec) one more case <code>Set.prototype.difference</code> polyfill with updating <code>this</code></li> <li>Fixed <code>DataView.prototype.setFloat16</code> polyfill in (0, 1) range</li> <li>Fixed order of arguments validation in <code>String.prototype.{ padStart, padEnd }</code> polyfills</li> <li>Fixed order of arguments validation in <code>String.prototype.{ startsWith, endsWith }</code> polyfills</li> <li>Fixed some cases of <code>Infinity</code> handling in <code>String.prototype.substr</code> polyfill</li> <li>Fixed <code>String.prototype.repeat</code> polyfill with a counter exceeding 2 ** 32</li> <li>Fixed some cases of chars case in <code>escape</code> polyfill</li> <li>Fixed named backreferences in <code>RegExp</code> NCG polyfill</li> <li>Fixed some cases of <code>RegExp</code> NCG polyfill in combination with other types of groups</li> <li>Fixed some cases of <code>RegExp</code> NCG polyfill in combination with <code>dotAll</code></li> <li>Fixed <code>String.prototype.replace</code> with <code>sticky</code> polyfill, <a href="https://redirect.github.com/zloirock/core-js/issues/810">#810</a>, <a href="https://redirect.github.com/zloirock/core-js/issues/1514">#1514</a></li> <li>Fixed <code>RegExp</code> <code>sticky</code> polyfill with alternation</li> <li>Fixed handling of some line terminators in case of <code>multiline</code> + <code>sticky</code> mode in <code>RegExp</code> polyfill</li> <li>Fixed <code>.input</code> slicing on result object with <code>RegExp</code> <code>sticky</code> mode polyfill</li> <li>Fixed handling of empty groups with <code>global</code> and <code>unicode</code> modes in polyfills</li> <li>Fixed <code>URLSearchParam.prototype.delete</code> polyfill with duplicate key-value pairs</li> <li>Fixed possible removal of unnecessary entries in <code>URLSearchParam.prototype.delete</code> polyfill with second argument</li> <li>Fixed an error in some cases of non-special URLs without a path in the <code>URL</code> polyfill</li> <li>Fixed some percent encode cases / character sets in the <code>URL</code> polyfill</li> <li>Fixed parsing of non-IPv4 hosts ends in a number in the <code>URL</code> polyfill</li> <li>Fixed some cases of <code>''</code> and <code>null</code> host handling in the <code>URL</code> polyfill</li> <li>Fixed host parsing with <code>hostname = host:port</code> in the <code>URL</code> polyfill</li> <li>Fixed host inheritance in some cases of file scheme in the <code>URL</code> polyfill</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/zloirock/core-js/commit/80adfc415fa74e5e4f6ba2de6425aa577e3ad439"><code>80adfc4</code></a> v3.49.0</li> <li><a href="https://github.com/zloirock/core-js/commit/0ad3e0035b87ac941ccadc643397bb7825d4e694"><code>0ad3e00</code></a> fix a modern Safari bug in <code>Array.prototype.includes</code> with sparse arrays and ...</li> <li><a href="https://github.com/zloirock/core-js/commit/853bfa4906ea01ad18791f1fccb2b67440ffacf9"><code>853bfa4</code></a> update some links</li> <li><a href="https://github.com/zloirock/core-js/commit/b4d723fbb277d9805c78c75bb529e7f175e9af0f"><code>b4d723f</code></a> fix a lack of counter validation on <code>MAX_SAFE_INTEGER</code> in <code>Array.fromAsync</code> p...</li> <li><a href="https://github.com/zloirock/core-js/commit/e27667656589bb1ff058e1a2afbdd866e3872d51"><code>e276676</code></a> fix parsing of non-IPv4 hosts ends in a number in the <code>URL</code> polyfill</li> <li><a href="https://github.com/zloirock/core-js/commit/dd1cfba7cf2076f1e088a23af03f7124abdd91b0"><code>dd1cfba</code></a> fix order of arguments validation in <code>String.prototype.{ padStart, padEnd }</code> ...</li> <li><a href="https://github.com/zloirock/core-js/commit/b952c5faef9092b20d0f9833b0b282a91ede8914"><code>b952c5f</code></a> add an extra protection to configurator</li> <li><a href="https://github.com/zloirock/core-js/commit/e490cafd755a14ae150db2d7515af51175d5e421"><code>e490caf</code></a> Fix for <a href="https://github.com/zloirock/core-js/tree/HEAD/packages/core-js/issues/810">#810</a> (<a href="https://github.com/zloirock/core-js/tree/HEAD/packages/core-js/issues/1514">#1514</a>)</li> <li><a href="https://github.com/zloirock/core-js/commit/10b4e86e3ce7d0675fd19b9028118162510307b9"><code>10b4e86</code></a> drop an unneeded comment</li> <li><a href="https://github.com/zloirock/core-js/commit/28cf2e9b16f45430f35ef8658c7a461d50cca69e"><code>28cf2e9</code></a> feat: Improve performance of Uint8Array Hex functions (<a href="https://github.com/zloirock/core-js/tree/HEAD/packages/core-js/issues/1510">#1510</a>)</li> <li>Additional commits viewable in <a href="https://github.com/zloirock/core-js/commits/v3.49.0/packages/core-js">compare view</a></li> </ul> </details> <br /> Updates `globals` from 17.3.0 to 17.4.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/sindresorhus/globals/releases">globals's releases</a>.</em></p> <blockquote> <h2>v17.4.0</h2> <ul> <li>Update globals (2026-03-01) (<a href="https://redirect.github.com/sindresorhus/globals/issues/338">#338</a>) d43a051</li> </ul> <hr /> <p><a href="https://github.com/sindresorhus/globals/compare/v17.3.0...v17.4.0">https://github.com/sindresorhus/globals/compare/v17.3.0...v17.4.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sindresorhus/globals/commit/a9cfd7493fb701474d4dc946283c7b9d63d64134"><code>a9cfd74</code></a> 17.4.0</li> <li><a href="https://github.com/sindresorhus/globals/commit/d43a051c48fbb8c549bb98a7cf294ba84680a7a1"><code>d43a051</code></a> Update globals (2026-03-01) (<a href="https://redirect.github.com/sindresorhus/globals/issues/338">#338</a>)</li> <li>See full diff in <a href="https://github.com/sindresorhus/globals/compare/v17.3.0...v17.4.0">compare view</a></li> </ul> </details> <br /> Updates `lint-staged` from 16.2.7 to 16.4.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/lint-staged/lint-staged/releases">lint-staged's releases</a>.</em></p> <blockquote> <h2>v16.4.0</h2> <h3>Minor Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1739">#1739</a> <a href="https://github.com/lint-staged/lint-staged/commit/687fc9069a312ac83ca48f035a1bbf453db91814"><code>687fc90</code></a> Thanks <a href="https://github.com/hyperz111"><code>@hyperz111</code></a>! - Replace <code>micromatch</code> with <code>picomatch</code> to reduce dependencies.</li> </ul> <h2>v16.3.4</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1742">#1742</a> <a href="https://github.com/lint-staged/lint-staged/commit/9d6e827b0c55da5b091c989111f6c55dd76539d9"><code>9d6e827</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Update dependencies, including <a href="https://github.com/tinylibs/tinyexec/releases/tag/1.0.4"><code>tinyexec@1.0.4</code></a> to make sure local <code>node_modules/.bin</code> are preferred to global locations (released in <a href="https://github.com/tinylibs/tinyexec/releases/tag/1.0.3"><code>tinyexec@1.0.3</code></a>).</li> </ul> <h2>v16.3.3</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1740">#1740</a> <a href="https://github.com/lint-staged/lint-staged/commit/0109e8d1507409d950dab0d65ce27bd40b1137c7"><code>0109e8d</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.</li> </ul> <h2>v16.3.2</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1735">#1735</a> <a href="https://github.com/lint-staged/lint-staged/commit/2adaf6c3a76152abddbf23b749dfa5d62982f3cf"><code>2adaf6c</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Hide the extra <code>cmd</code> window on Windows by spawning tasks without the <code>detached</code> option.</li> </ul> <h2>v16.3.1</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1729">#1729</a> <a href="https://github.com/lint-staged/lint-staged/commit/cd5d762c288bcfe36274c32f018cea97dfe11280"><code>cd5d762</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Remove <code>nano-spawn</code> as a dependency from <code>package.json</code> as it was replaced with <code>tinyexec</code> and is no longer used.</li> </ul> <h2>v16.3.0</h2> <h3>Minor Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1698">#1698</a> <a href="https://github.com/lint-staged/lint-staged/commit/feda37aa590789e847f32a4aabc346af1d79c547"><code>feda37a</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Run external processes with <a href="https://github.com/tinylibs/tinyexec"><code>tinyexec</code></a> instead of <a href="https://github.com/sindresorhus/nano-spawn"><code>nano-spawn</code></a>. <code>nano-spawn</code> replaced <a href="https://github.com/sindresorhus/execa"><code>execa</code></a> in <em>lint-staged</em> version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope <code>tinyexec</code> improves the situation.</p> </li> <li> <p><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1699">#1699</a> <a href="https://github.com/lint-staged/lint-staged/commit/1346d16387e188911ef64e8bad6b8a6252cb6d71"><code>1346d16</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Remove <code>pidtree</code> as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the <code>taskkill</code> command on Windows.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1726">#1726</a> <a href="https://github.com/lint-staged/lint-staged/commit/87467aaa76e1edc2547f3f3d462a4495afa5337d"><code>87467aa</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Incorrect brace expansions like <code>*.{js}</code> (<em>nothing to expand</em>) are detected exhaustively, instead of just a single pass.</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md">lint-staged's changelog</a>.</em></p> <blockquote> <h2>16.4.0</h2> <h3>Minor Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1739">#1739</a> <a href="https://github.com/lint-staged/lint-staged/commit/687fc9069a312ac83ca48f035a1bbf453db91814"><code>687fc90</code></a> Thanks <a href="https://github.com/hyperz111"><code>@hyperz111</code></a>! - Replace <code>micromatch</code> with <code>picomatch</code> to reduce dependencies.</li> </ul> <h2>16.3.4</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1742">#1742</a> <a href="https://github.com/lint-staged/lint-staged/commit/9d6e827b0c55da5b091c989111f6c55dd76539d9"><code>9d6e827</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Update dependencies, including <a href="https://github.com/tinylibs/tinyexec/releases/tag/1.0.4"><code>tinyexec@1.0.4</code></a> to make sure local <code>node_modules/.bin</code> are preferred to global locations (released in <a href="https://github.com/tinylibs/tinyexec/releases/tag/1.0.3"><code>tinyexec@1.0.3</code></a>).</li> </ul> <h2>16.3.3</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1740">#1740</a> <a href="https://github.com/lint-staged/lint-staged/commit/0109e8d1507409d950dab0d65ce27bd40b1137c7"><code>0109e8d</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Make sure Git's warning about CRLF line-endings doesn't interfere with creating initial backup stash.</li> </ul> <h2>16.3.2</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1735">#1735</a> <a href="https://github.com/lint-staged/lint-staged/commit/2adaf6c3a76152abddbf23b749dfa5d62982f3cf"><code>2adaf6c</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Hide the extra <code>cmd</code> window on Windows by spawning tasks without the <code>detached</code> option.</li> </ul> <h2>16.3.1</h2> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1729">#1729</a> <a href="https://github.com/lint-staged/lint-staged/commit/cd5d762c288bcfe36274c32f018cea97dfe11280"><code>cd5d762</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Remove <code>nano-spawn</code> as a dependency from <code>package.json</code> as it was replaced with <code>tinyexec</code> and is no longer used.</li> </ul> <h2>16.3.0</h2> <h3>Minor Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1698">#1698</a> <a href="https://github.com/lint-staged/lint-staged/commit/feda37aa590789e847f32a4aabc346af1d79c547"><code>feda37a</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Run external processes with <a href="https://github.com/tinylibs/tinyexec"><code>tinyexec</code></a> instead of <a href="https://github.com/sindresorhus/nano-spawn"><code>nano-spawn</code></a>. <code>nano-spawn</code> replaced <a href="https://github.com/sindresorhus/execa"><code>execa</code></a> in <em>lint-staged</em> version 16 to limit the amount of npm dependencies required, but caused some unknown issues related to spawning tasks. Let's hope <code>tinyexec</code> improves the situation.</p> </li> <li> <p><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1699">#1699</a> <a href="https://github.com/lint-staged/lint-staged/commit/1346d16387e188911ef64e8bad6b8a6252cb6d71"><code>1346d16</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Remove <code>pidtree</code> as a dependency. When a task fails, its sub-processes are killed more efficiently via the process group on Unix systems, and the <code>taskkill</code> command on Windows.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li><a href="https://redirect.github.com/lint-staged/lint-staged/pull/1726">#1726</a> <a href="https://github.com/lint-staged/lint-staged/commit/87467aaa76e1edc2547f3f3d462a4495afa5337d"><code>87467aa</code></a> Thanks <a href="https://github.com/iiroj"><code>@iiroj</code></a>! - Incorrect brace expansions like <code>*.{js}</code> (<em>nothing to expand</em>) are detected exhaustively, instead of just a single pass.</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/lint-staged/lint-staged/commit/445f9dd042b88528c798b2e25c21c9adbc69a732"><code>445f9dd</code></a> chore(changeset): release</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/d91be60800d59565cb601c4802ed35253bce5b2a"><code>d91be60</code></a> docs: update readme to use picomatch</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/b392a9ffecd9cfeb167bd2273c6496b8b3c41b47"><code>b392a9f</code></a> refactor: extract <code>matchFiles</code> and add unit tests</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/687fc9069a312ac83ca48f035a1bbf453db91814"><code>687fc90</code></a> refactor: replace micromatch with picomatch</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/26dadf9a0472d283112d6cfaaa1fb1f040fd6760"><code>26dadf9</code></a> chore(changeset): release</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/9d6e827b0c55da5b091c989111f6c55dd76539d9"><code>9d6e827</code></a> build(deps): update dependencies</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/8aea986068501841a5741868e0895fef2a7618c3"><code>8aea986</code></a> chore(changeset): release</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/0109e8d1507409d950dab0d65ce27bd40b1137c7"><code>0109e8d</code></a> fix: strip Git CRLF warning from output</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/dfd6a7a4afa1147c9b6ad7d441b1f6278da499c5"><code>dfd6a7a</code></a> chore(changeset): release</li> <li><a href="https://github.com/lint-staged/lint-staged/commit/2adaf6c3a76152abddbf23b749dfa5d62982f3cf"><code>2adaf6c</code></a> fix(Windows): do not spawn tasks as detached since it opens a cmd window on ...</li> <li>Additional commits viewable in <a href="https://github.com/lint-staged/lint-staged/compare/v16.2.7...v16.4.0">compare view</a></li> </ul> </details> <br /> Updates `serve-handler` from 6.1.6 to 6.1.7 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/vercel/serve-handler/releases">serve-handler's releases</a>.</em></p> <blockquote> <h2>6.1.7</h2> <h3>Patches</h3> <ul> <li>Fix: update minimatch to 3.1.5 to resolve security vulnerabilities: <a href="https://redirect.github.com/vercel/serve-handler/issues/228">#228</a></li> </ul> <h3>Credits</h3> <p>Huge thanks to <a href="https://github.com/ParakhJaggi"><code>@ParakhJaggi</code></a> for helping!</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/vercel/serve-handler/commit/5158ae776863f0d597187e11260d963e7a78c6a0"><code>5158ae7</code></a> 6.1.7</li> <li><a href="https://github.com/vercel/serve-handler/commit/754d1dcb5bb6dbd164667368be5e1b1278f1da60"><code>754d1dc</code></a> fix: update minimatch to 3.1.5 to resolve security vulnerabilities (<a href="https://redirect.github.com/vercel/serve-handler/issues/228">#228</a>)</li> <li><a href="https://github.com/vercel/serve-handler/commit/8b357fad752db5e9439e92513286970f68ed953e"><code>8b357fa</code></a> Revert "chore(deps): upgrade minimatch to v10.2.4 (<a href="https://redirect.github.com/vercel/serve-handler/issues/226">#226</a>)"</li> <li><a href="https://github.com/vercel/serve-handler/commit/8df54ef09a5497641403cd4a888525a4831f4208"><code>8df54ef</code></a> chore(deps): upgrade minimatch to v10.2.4 (<a href="https://redirect.github.com/vercel/serve-handler/issues/226">#226</a>)</li> <li>See full diff in <a href="https://github.com/vercel/serve-handler/compare/6.1.6...6.1.7">compare view</a></li> </ul> </details> <br /> Updates `sinon` from 21.0.1 to 21.0.3 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/sinonjs/sinon/blob/main/docs/changelog.md">sinon's changelog</a>.</em></p> <blockquote> <h2>21.0.3</h2> <ul> <li><a href="https://github.com/sinonjs/sinon/commit/0494251bc54c56e7e79258586238db88f0d191b3"><code>0494251b</code></a> fix(<a href="https://redirect.github.com/sinonjs/sinon/issues/2678">#2678</a>): upgrade samsam to fix buffer comparisons (Carl-Erik Kopseng)</li> </ul> <p><em>Released by <a href="https://github.com/fatso83">Carl-Erik Kopseng</a> on 2026-03-16.</em></p> <h2>21.0.2</h2> <ul> <li><a href="https://github.com/sinonjs/sinon/commit/024321c48e670de35098b2555173e25f024db90d"><code>024321c4</code></a> fix: skip Node specific tests in browser env (Carl-Erik Kopseng)</li> <li><a href="https://github.com/sinonjs/sinon/commit/b836fccb8adabd3d116338b19ae1f6a4ccfc7d3e"><code>b836fccb</code></a> fix: js-yaml breaking change from v3 to v4 (Carl-Erik Kopseng)</li> <li><a href="https://github.com/sinonjs/sinon/commit/ebf0c4313f41edfdf71f206c826a8ce7d56f2d2c"><code>ebf0c431</code></a> docs: add how-to article for stubbing ES module imports (<a href="https://redirect.github.com/sinonjs/sinon/issues/1832">#1832</a>) (<a href="https://redirect.github.com/sinonjs/sinon/issues/2676">#2676</a>) (Eduard Barrera) <blockquote> <ul> <li>docs: add how-to article for stubbing ES module imports with esm package</li> </ul> <p>Adds a comprehensive How-To guide that addresses issue <a href="https://redirect.github.com/sinonjs/sinon/issues/1832">#1832</a>, documenting how to configure Node.js to allow Sinon stubs to work with ES modules.</p> <ul> <li>Explains why ES module namespace bindings are immutable by spec</li> <li>Shows how to use the 'esm' npm package with mutableNamespace: true</li> <li>Provides a complete working example with project layout, package.json, loader file, source modules, and a full test suite</li> <li>Documents limitations (destructured imports, non-standard behavior)</li> <li>Replaces the TODO comment in link-seams-commonjs.md with a cross-reference</li> </ul> <p>Closes <a href="https://redirect.github.com/sinonjs/sinon/issues/1832">#1832</a> Co-authored-by: Eduard Barrera <a href="mailto:eduardbar@users.noreply.github.com">eduardbar@users.noreply.github.com</a> Co-authored-by: Carl-Erik Kopseng <a href="mailto:carlerik@gmail.com">carlerik@gmail.com</a></p> </blockquote> </li> <li><a href="https://github.com/sinonjs/sinon/commit/ebcd506cbb55df6c7d2bda558f58386a218df9be"><code>ebcd506c</code></a> Fix spies not being reset properly (<a href="https://redirect.github.com/sinonjs/sinon/issues/2673">#2673</a>) (simon-id)</li> <li><a href="https://github.com/sinonjs/sinon/commit/3beab2ba97fe74cdb0f495420ac06652e59835aa"><code>3beab2ba</code></a> Make doc tests pass with new jQuery (Carl-Erik Kopseng)</li> <li><a href="https://github.com/sinonjs/sinon/commit/766715c68a94fd66e9ca79f62c23d07fd1645d4c"><code>766715c6</code></a> build: reduce transitive audit findings (Carl-Erik Kopseng)</li> <li><a href="https://github.com/sinonjs/sinon/commit/92aaf5c9d1686a9b4a025c31cb3b0813e7fd2350"><code>92aaf5c9</code></a> build: upgrade eslint config and replace dependency-check (Carl-Erik Kopseng)</li> <li><a href="https://github.com/sinonjs/sinon/commit/c6aaa8719ea831c43112ff0d0727a35e6bf92731"><code>c6aaa871</code></a> chore: ignore project worktrees (Carl-Erik Kopseng)</li> <li><a href="https://github.com/sinonjs/sinon/commit/ef387e8ec6eb692f63844130b4590d018729a723"><code>ef387e8e</code></a> Upgrade most deps (Carl-Erik Kopseng)</li> <li><a href="https://github.com/sinonjs/sinon/commit/3cf4e77d2c20a63a27c0ac14e0186f45761a0b77"><code>3cf4e77d</code></a> docs: improve writing of documentation (<a href="https://redirect.github.com/sinonjs/sinon/issues/2675">#2675</a>) (Eduardo de la Cruz Palacios)</li> <li><a href="https://github.com/sinonjs/sinon/commit/6349032fc42f01c302e05d3146e489d92fc9dbf9"><code>6349032f</code></a> Check login status before publishing steps are performed (Carl-Erik Kopseng)</li> </ul> <p><em>Released by <a href="https://github.com/fatso83">Carl-Erik Kopseng</a> on 2026-03-04.</em></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/sinonjs/sinon/commit/138148233c549cb7eeaa8e84d857912fd3a349d5"><code>1381482</code></a> 21.0.3</li> <li><a href="https://github.com/sinonjs/sinon/commit/0494251bc54c56e7e79258586238db88f0d191b3"><code>0494251</code></a> fix(<a href="https://redirect.github.com/sinonjs/sinon/issues/2678">#2678</a>): upgrade samsam to fix buffer comparisons</li> <li><a href="https://github.com/sinonjs/sinon/commit/2d93d686b1d240d6a3463f6105c56244f7a1fc92"><code>2d93d68</code></a> 21.0.2</li> <li><a href="https://github.com/sinonjs/sinon/commit/3af394efc1ed16843d9e8e8c69c736c90b53b0b8"><code>3af394e</code></a> lint-staged -> 16.3.2</li> <li><a href="https://github.com/sinonjs/sinon/commit/2948314cc4289bae0a27fabdd263565e07c3ba68"><code>2948314</code></a> prettier</li> <li><a href="https://github.com/sinonjs/sinon/commit/024321c48e670de35098b2555173e25f024db90d"><code>024321c</code></a> fix: skip Node specific tests in browser env</li> <li><a href="https://github.com/sinonjs/sinon/commit/b836fccb8adabd3d116338b19ae1f6a4ccfc7d3e"><code>b836fcc</code></a> fix: js-yaml breaking change from v3 to v4</li> <li><a href="https://github.com/sinonjs/sinon/commit/ebf0c4313f41edfdf71f206c826a8ce7d56f2d2c"><code>ebf0c43</code></a> docs: add how-to article for stubbing ES module imports (<a href="https://redirect.github.com/sinonjs/sinon/issues/1832">#1832</a>) (<a href="https://redirect.github.com/sinonjs/sinon/issues/2676">#2676</a>)</li> <li><a href="https://github.com/sinonjs/sinon/commit/ebcd506cbb55df6c7d2bda558f58386a218df9be"><code>ebcd506</code></a> Fix spies not being reset properly (<a href="https://redirect.github.com/sinonjs/sinon/issues/2673">#2673</a>)</li> <li><a href="https://github.com/sinonjs/sinon/commit/3beab2ba97fe74cdb0f495420ac06652e59835aa"><code>3beab2b</code></a> Make doc tests pass with new jQuery</li> <li>Additional commits viewable in <a href="https://github.com/sinonjs/sinon/compare/v21.0.1...v21.0.3">compare view</a></li> </ul> </details> <br /> Updates `start-server-and-test` from 2.1.3 to 2.1.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/bahmutov/start-server-and-test/releases">start-server-and-test's releases</a>.</em></p> <blockquote> <h2>v2.1.5</h2> <h2><a href="https://github.com/bahmutov/start-server-and-test/compare/v2.1.4...v2.1.5">2.1.5</a> (2026-02-24)</h2> <h3>Bug Fixes</h3> <ul> <li>formatting the message in the constructor of Error object (<a href="https://redirect.github.com/bahmutov/start-server-and-test/issues/395">#395</a>) (<a href="https://github.com/bahmutov/start-server-and-test/commit/9d135de85e49f3c727302d3ca5dad774b16e322b">9d135de</a>)</li> </ul> <h2>v2.1.4</h2> <h2><a href="https://github.com/bahmutov/start-server-and-test/compare/v2.1.3...v2.1.4">2.1.4</a> (2026-02-24)</h2> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> update dependency wait-on to v9.0.4 (<a href="https://redirect.github.com/bahmutov/start-server-and-test/issues/413">#413</a>) (<a href="https://github.com/bahmutov/start-server-and-test/commit/f06f2a208641ae3de7d6f1690cbcf0b49f978f38">f06f2a2</a>)</li> <li>the release process (<a href="https://redirect.github.com/bahmutov/start-server-and-test/issues/415">#415</a>) (<a href="https://github.com/bahmutov/start-server-and-test/commit/59b32564c3c486730abfc3103822123b5e4b181b">59b3256</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/bahmutov/start-server-and-test/commit/9d135de85e49f3c727302d3ca5dad774b16e322b"><code>9d135de</code></a> fix: formatting the message in the constructor of Error object (<a href="https://redirect.github.com/bahmutov/start-server-and-test/issues/395">#395</a>)</li> <li><a href="https://github.com/bahmutov/start-server-and-test/commit/59b32564c3c486730abfc3103822123b5e4b181b"><code>59b3256</code></a> fix: the release process (<a href="https://redirect.github.com/bahmutov/start-server-and-test/issues/415">#415</a>)</li> <li><a href="https://github.com/bahmutov/start-server-and-test/commit/f06f2a208641ae3de7d6f1690cbcf0b49f978f38"><code>f06f2a2</code></a> fix(deps): update dependency wait-on to v9.0.4 (<a href="https://redirect.github.com/bahmutov/start-server-and-test/issues/413">#413</a>)</li> <li>See full diff in <a href="https://github.com/bahmutov/start-server-and-test/compare/v2.1.3...v2.1.5">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for start-server-and-test since your current version.</p> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…cs and channelIds (#5062) Updated `frame-messenger` and `respondable` modules to use `Object.create(null)` for message and topic handler stores. ### Description The current implementation uses plain objects (`{}`) which are susceptible to prototype pollution if untrusted strings like `"__proto__"` are passed as `channelId` or `topic`. By using `Object.create(null)`, these stores become "pure" maps without a prototype, ensuring security and robustness in cross-frame communication. This change is backward compatible and adheres to standard security practices for high-performance JavaScript libraries. Closes: #5062
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug Fixes