chore(deps): update node dependencies

[loopingz]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
@adobe/css-tools	dependencies	patch	^4.4.1 → ^4.4.4
@hono/node-server	dependencies	patch	^1.19.5 → ^1.19.14
@hono/node-server@<1.19.10	pnpm.overrides	patch	^1.19.10 → ^1.19.14
@hono/vite-dev-server	devDependencies	patch	^0.25.1 → ^0.25.3
@napi-rs/keyring	optionalDependencies	minor	^1.2.0 → ^1.3.0
@rollup/plugin-commonjs (source)	devDependencies	patch	^28.0.8 → ^28.0.9
@rollup/plugin-commonjs (source)	devDependencies	patch	^28.0.3 → ^28.0.9
@rollup/plugin-node-resolve (source)	devDependencies	patch	^16.0.1 → ^16.0.3
@rollup/plugin-replace (source)	devDependencies	patch	^6.0.2 → ^6.0.3
@rollup/plugin-typescript (source)	devDependencies	patch	^12.1.2 → ^12.3.0
@types/micromatch (source)	devDependencies	patch	^4.0.9 → ^4.0.10
@types/node (source)	devDependencies	patch	^24.1.0 → ^24.12.4
@types/node (source)	dependencies	patch	^24.1.0 → ^24.12.4
@types/node (source)	devDependencies	minor	^24.1.0 → ^24.12.4
@types/node (source)	pnpm.overrides	minor	^24.1.0 → ^24.12.4
@types/papaparse (source)	devDependencies	patch	^5.5.1 → ^5.5.2
@types/tar-stream (source)	devDependencies	patch	^3.1.3 → ^3.1.4
@vertesia/client (source)	dependencies	patch	0.82.1 → 0.82.4
ajv (source)	dependencies	minor	^8.17.1 → ^8.20.0
ajv@>=6.0.0 <6.14.0 (source)	pnpm.overrides	minor	[^6.14.0 → ^6.15.0](https://renovatebot.com/diffs/npm/ajv@>=6.0.0 <6.14.0/6.14.0/6.15.0)
ajv@>=7.0.0 <8.18.0 (source)	pnpm-workspace.overrides	minor	[^8.18.0 → ^8.20.0](https://renovatebot.com/diffs/npm/ajv@>=7.0.0 <8.18.0/8.18.0/8.20.0)
ansi-escapes	dependencies	patch	^6.2.0 → ^6.2.1
brace-expansion@<5.0.5	pnpm.overrides	patch	^5.0.5 → ^5.0.6
brace-expansion@>=1.0.0 <2.0.0	pnpm.overrides	patch	[^1.1.12 → ^1.1.14](https://renovatebot.com/diffs/npm/brace-expansion@>=1.0.0 <2.0.0/1.1.12/1.1.14)
brace-expansion@>=2.0.0 <3.0.0	pnpm.overrides	minor	[^2.0.2 → ^2.1.0](https://renovatebot.com/diffs/npm/brace-expansion@>=2.0.0 <3.0.0/2.0.2/2.1.0)
chalk	dependencies	patch	^5.3.0 → ^5.6.2
chalk	dependencies	patch	^5.4.1 → ^5.6.2
cli-spinners	dependencies	patch	^2.9.1 → ^2.9.2
commander	dependencies	patch	^14.0.2 → ^14.0.3
commander	dependencies	patch	^14.0.2 → ^14.0.3
concurrently	devDependencies	patch	^9.1.2 → ^9.2.1
dayjs (source)	dependencies	patch	^1.11.19 → ^1.11.20
diff@>=6.0.0 <8.0.3	pnpm.overrides	patch	[^8.0.3 → ^8.0.4](https://renovatebot.com/diffs/npm/diff@>=6.0.0 <8.0.3/8.0.3/8.0.4)
dompurify	dependencies	patch	^3.3.2 → ^3.4.3
dompurify@<=3.3.3	pnpm.overrides	patch	^3.4.0 → ^3.4.3
dotenv	dependencies	minor	^17.2.3 → ^17.4.2
esbuild@<0.25.0	pnpm.overrides	minor	^0.27.1 → ^0.28.0
eventsource	dependencies	patch	^3.0.6 → ^3.0.7
eventsource-parser	dependencies	patch	^1.1.1 → ^1.1.2
fast-xml-parser	dependencies	minor	^5.7.2 → ^5.8.0
fast-xml-parser@<5.7.2	pnpm.overrides	minor	^5.7.2 → ^5.8.0
firebase (source, changelog)	dependencies	patch	^10.12.2 → ^10.14.1
globals	devDependencies	minor	^17.3.0 → ^17.6.0
globals	devDependencies	minor	^17.3.0 → ^17.6.0
hono (source)	dependencies	patch	^4.10.3 → ^4.12.18
hono@<4.12.14 (source)	pnpm.overrides	patch	^4.12.14 → ^4.12.18
i18next (source)	dependencies	minor	^26.0.1 → ^26.1.0
i18next-cli	devDependencies	minor	^1.51.5 → ^1.56.12
is-generator-function	pnpm.overrides	minor	1.0.10 → 1.1.2
jose	dependencies	minor	^6.0.11 → ^6.2.3
katex (source)	dependencies	patch	^0.16.28 → ^0.16.45
lodash-es (source)	dependencies	patch	^4.17.23 → ^4.18.1
log-symbols	dependencies	patch	^7.0.0 → ^7.0.1
mime	dependencies	patch	^4.0.0 → ^4.1.0
mime	dependencies	patch	^4.0.4 → ^4.1.0
minimatch@>=10.0.0 <11.0.0	pnpm.overrides	patch	[^10.2.4 → ^10.2.5](https://renovatebot.com/diffs/npm/minimatch@>=10.0.0 <11.0.0/10.2.4/10.2.5)
mocha (source)	devDependencies	patch	^10.2.0 → ^10.8.2
monaco-editor	dependencies	minor	^0.52.2 → ^0.55.1
ms	dependencies	patch	3.0.0-canary.1 → 3.0.0-canary.202508261828
open	dependencies	patch	^10.1.0 → ^10.2.0
prettier (source)	devDependencies	minor	3.5.3 → 3.8.3
qs@>=6.0.0 <6.14.0	pnpm.overrides	minor	[^6.14.1 → ^6.15.1](https://renovatebot.com/diffs/npm/qs@>=6.0.0 <6.14.0/6.14.1/6.15.1)
remark-github-blockquote-alert (source)	dependencies	minor	^2.0.0 → ^2.1.0
rimraf	devDependencies	patch	^6.1.2 → ^6.1.3
rimraf	devDependencies	patch	^5.0.5 → ^5.0.10
rollup (source)	devDependencies	patch	^4.60.1 → ^4.60.3
rollup (source)	devDependencies	patch	^4.59.0 → ^4.60.3
rollup (source)	peerDependencies	minor	^4.59.0 → ^4.60.3
sharp (source, changelog)	dependencies	minor	^0.33.4 → ^0.34.5
sharp (source, changelog)	dependencies	minor	^0.33.5 → ^0.34.5
tar-stream	dependencies	minor	^3.1.7 → ^3.2.0
tmp	dependencies	patch	^0.2.4 → ^0.2.5
tsx (source)	devDependencies	patch	^4.8.1 → ^4.21.0
turbo (source)	devDependencies	patch	^2.8.10 → ^2.9.12
typescript (source)	devDependencies	patch	^6.0.2 → ^6.0.3
typescript (source)	dependencies	patch	^6.0.2 → ^6.0.3
typescript (source)	devDependencies	patch	^6.0.2 → ^6.0.3
typescript (source)	dependencies	patch	^6.0.2 → ^6.0.3
undici@>=6.0.0 <6.21.3 (source)	pnpm.overrides	minor	[^7.24.1 → ^7.25.0](https://renovatebot.com/diffs/npm/undici@>=6.0.0 <6.21.3/7.24.1/7.25.0)
unist-util-visit	dependencies	patch	^5.0.0 → ^5.1.0
vega-lite (source)	dependencies	patch	^6.4.1 → ^6.4.3
yaml (source)	dependencies	minor	^2.6.0 → ^2.9.0
yaml@>=2.0.0 <2.8.3 (source)	pnpm-workspace.overrides	minor	[^2.8.3 → ^2.9.0](https://renovatebot.com/diffs/npm/yaml@>=2.0.0 <2.8.3/2.8.3/2.9.0)
yaml@>=2.0.0 <2.8.3 (source)	pnpm.overrides	minor	[^2.8.3 → ^2.9.0](https://renovatebot.com/diffs/npm/yaml@>=2.0.0 <2.8.3/2.8.3/2.9.0)
zod (source)	dependencies	minor	^4.3.5 → ^4.4.3
zod (source)	dependencies	patch	^3.24.1 → ^3.25.76

---

Release Notes

honojs/node-server (@​hono/node-server)

v1.19.14

Compare Source

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in #​340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

honojs/vite-plugins (@​hono/vite-dev-server)

v0.25.3

Compare Source

Patch Changes

• #​355 cbb97d65ee8ea143a842128cd36735d856f6c7b8 Thanks @​yusukebe! - fix: correct exporting adapters

v0.25.2

Compare Source

Patch Changes

• #​353 81c9cbe1bae1d864a8a246480b234ff266058fa3 Thanks @​yuintei! - fix: use public ssrModule getter in handleHotUpdate

Brooooooklyn/keyring-node (@​napi-rs/keyring)

v1.3.0

Compare Source

What's Changed

• chore: bump up actions/setup-node action to v5 by @​renovate[bot] in #​97
• chore: bump up Rust crate windows to 0.62 by @​renovate[bot] in #​98
• chore: bump up Yarn to v4.10.3 by @​renovate[bot] in #​100
• chore: bump up actions/setup-node action to v6 by @​renovate[bot] in #​101
• chore: bump up GitHub Artifact Actions (major) by @​renovate[bot] in #​102
• chore: bump up all non-major dependencies by @​renovate[bot] in #​104
• chore: bump up @​oxc-node/core version to ^0.0.34 by @​renovate[bot] in #​105
• chore: bump up Yarn to v4.12.0 by @​renovate[bot] in #​107
• chore: bump up actions/checkout action to v6 by @​renovate[bot] in #​106
• chore: bump up @​oxc-node/core version to ^0.0.35 by @​renovate[bot] in #​108
• chore: bump up actions/cache action to v5 by @​renovate[bot] in #​109
• chore: bump up GitHub Artifact Actions (major) by @​renovate[bot] in #​110
• chore: bump up cross-platform-actions/action action to v0.31.0 by @​renovate[bot] in #​111
• chore: bump up cross-platform-actions/action action to v0.32.0 by @​renovate[bot] in #​112
• chore: bump up GitHub Artifact Actions (major) by @​renovate[bot] in #​113
• chore: bump up ava version to v7 by @​renovate[bot] in #​114
• chore: bump up Yarn to v4.13.0 by @​renovate[bot] in #​115
• chore: bump up typescript version to v6 by @​renovate[bot] in #​116
• chore: bump up @​oxc-node/core version to ^0.1.0 by @​renovate[bot] in #​117
• chore: bump up cross-platform-actions/action action to v1 by @​renovate[bot] in #​118
• chore: upgrade Node version to 24 in publish CI by @​Claude in #​119
• chore: bump up Yarn to v4.14.1 by @​renovate[bot] in #​120
• chore: bump up Rust crate keyring to v4 by @​renovate[bot] in #​121
• chore: bump up ava version to v8 by @​renovate[bot] in #​122

New Contributors

• @​Claude made their first contribution in #​119

Full Changelog: Brooooooklyn/keyring-node@v1.2.0...v1.3.0

vertesia/composableai (@​vertesia/client)

v0.82.4

Compare Source

v0.82.3

Compare Source

v0.82.2

Compare Source

ajv-validator/ajv (ajv)

v8.20.0

Compare Source

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in #​2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in #​2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

juliangruber/brace-expansion (brace-expansion@<5.0.5)

v5.0.6

Compare Source

tj/commander.js (commander)

v14.0.3

Compare Source

Added

• Release Policy document ([#​2462])

Changes

• old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date ([#​2462])
• clarify typing for deprecated callback parameter to .outputHelp() ([#​2427])
• simple readability improvements to README ([#​2465])

iamkun/dayjs (dayjs)

v1.11.20

Compare Source

Bug Fixes

• Update locale km.js to support meridiem (#​3017) (9d2b6a1)
• update updateLocale plugin to merge nested object properties instead of replacing (#​3012) (99691c5), closes #​1118

kpdecker/jsdiff (diff@>=6.0.0 <8.0.3)

v8.0.4

Compare Source

• #​667 - fix another bug in diffWords when used with an Intl.Segmenter. If the text to be diffed included a combining mark after a whitespace character (i.e. roughly speaking, an accented space), diffWords would previously crash. Now this case is handled correctly.

cure53/DOMPurify (dompurify)

v3.4.3: DOMPurify 3.4.3

Compare Source

• Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
• Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
• Updated the node iteration code to catch more Shadow DOM related issues
• Updated Playwright and added Node 26 to test matrix
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

v3.4.2: DOMPurify 3.4.2

Compare Source

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

v3.4.1: DOMPurify 3.4.1

Compare Source

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

motdotla/dotenv (dotenv)

v17.4.2

Compare Source

Changed

• Improved skill files - tightened up details (#​1009)

v17.4.1

Compare Source

Changed

• Change text injecting to injected (#​1005)

v17.4.0

Compare Source

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#​1003)

evanw/esbuild (esbuild@<0.25.0)

v0.28.0

Compare Source

• Add support for with { type: 'text' } imports (#​4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#​4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

v0.27.7

Compare Source

• Fix lowering of define semantics for TypeScript parameter properties (#​4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  
  // Old output (with --loader=ts --target=es2021)
  class Foo {
    constructor(x = 1) {
      this.x = x;
      __publicField(this, "y", 2);
    }
    x;
  }
  
  // New output (with --loader=ts --target=es2021)
  class Foo {
    constructor(x = 1) {
      __publicField(this, "x", x);
      __publicField(this, "y", 2);
    }
  }

v0.27.5

Compare Source

• Fix for an async generator edge case (#​4401, #​4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#​4420, #​4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

• Use define semantics for TypeScript parameter properties (#​4421)

  Parameter properties are a TypeScript-specific code generation feature that converts constructor parameters into class fields when they are prefixed by certain keywords. When "useDefineForClassFields": true is present in tsconfig.json, the TypeScript compiler automatically generates class field declarations for parameter properties. Previously esbuild didn't do this, but esbuild will now do this starting with this release:

  // Original code
  class Foo {
    constructor(public x: number) {}
  }
  
  // Old output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
  }
  
  // New output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
    x;
  }

• Allow es2025 as a target in tsconfig.json (#​4432)

  TypeScript recently added es2025 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2025"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

v0.27.4

Compare Source

• Fix a regression with CSS media queries (#​4395, #​4405, #​4406)

  Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

  Here is an example:

  /* Original code */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a { color: red }
  }
  
  /* Old output (incorrect) */
  @​media only screen and (min-width: 10px) or (min-height: 10px) {
    a {
      color: red;
    }
  }
  
  /* New output (correct) */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a {
      color: red;
    }
  }

• Fix an edge case with the inject feature (#​4407)

  This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

  With the fix, the following inject file:

  import jquery from 'jquery';
  export { jquery as 'window.jQuery' };

  Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

  export { default as 'window.jQuery' } from 'jquery';

• Attempt to improve API handling of huge metafiles (#​4329, #​4415)

  This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

  The primary issue is that V8 has an implementation-specific maximum string length, so using the JSON.parse API with large enough strings is impossible. This release will now attempt to use a fallback JavaScript-based JSON parser that operates directly on the UTF8-encoded JSON bytes instead of using JSON.parse when the JSON metafile is too big to fit in a JavaScript string. The new fallback path has not yet been heavily-tested. The metafile will also now be generated with whitespace removed if the bundle is significantly large, which will reduce the size of the metafile JSON slightly.

  However, hitting this case is potentially a sign that something else is wrong. Ideally you wouldn't be building something so enormous that the build metadata can't even fit inside a JavaScript string. You may want to consider optimizing your project, or breaking up your project into multiple parts that are built independently. Another option could potentially be to use esbuild's command-line API instead of its JavaScript API, which is more efficient (although of course then you can't use JavaScript plugins, so it may not be an option).

v0.27.3

Compare Source

• Preserve URL fragments in data URLs (#​4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

• Parse and print CSS @scope rules (#​4322)

  This release includes dedicated support for parsing @scope rules in CSS. These rules include optional "start" and "end" selector lists. One important consequence of this is that the local/global status of names in selector lists is now respected, which improves the correctness of esbuild's support for CSS modules. Minification of selectors inside @scope rules has also improved slightly.

  Here's an example:

  /* Original code */
  @​scope (:global(.foo)) to (:local(.bar)) {
    .bar {
      color: red;
    }
  }
  
  /* Old output (with --loader=local-css --minify) */
  @​scope (:global(.foo)) to (:local(.bar)){.o{color:red}}
  
  /* New output (with --loader=local-css --minify) */
  @​scope(.foo)to (.o){.o{color:red}}

• Fix a minification bug with lowering of for await (#​4378, #​4385)

  This release fixes a bug where the minifier would incorrectly strip the variable in the automatically-generated catch clause of lowered for await loops. The code that generated the loop previously failed to mark the internal variable references as used.

• Update the Go compiler from v1.25.5 to v1.25.7 (#​4383, #​4388)

  This PR was contributed by @​MikeWillCook.

v0.27.2

Compare Source

• Allow import path specifiers starting with #/ (#​4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#​4357, #​4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  
  /* Old output (with --target=chrome110) */
  main {
    mask: url(x.png) center/5rem no-repeat;
  }
  
  /* New output (with --target=chrome110) */
  main {
    -webkit-mask: url(x.png) center/5rem no-repeat;
    mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#​4176, #​4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }
  
  // Old output (with --minify)
  switch(x){case 0:foo();break;case 1:default:bar()}
  
  // New output (with --minify)
  x===0?foo():bar();

• Forbid using declarations inside switch clauses (#​4323)

  This is a rare change to remove something that was previously possible. The Explicit Resource Management proposal introduced using declarations. These were previously allowed inside case and default clauses in switch statements. This had well-defined semantics and was already widely implemented (by V8, SpiderMonkey, TypeScript, esbuild, and others). However, it was considered to be too confusing because of how scope works in switch statements, so it has been removed from the specification. This edge case will now be a syntax error. See tc39/proposal-explicit-resource-management#215 and rbuckton/ecma262#14 for details.

  Here is an example of code that is no longer allowed:

  switch (mode) {
    case 'read':
      using readLock = db.read()
      return readAll(readLock)
  
    case 'write':
      using writeLock = db.write()
      return writeAll(writeLock)
  }

  That code will now have to be modified to look like this instead (note the additional { and } block statements around each case body):

  switch (mode) {
    case 'read': {
      using readLock = db.read()
      return readAll(readLock)
    }
    case 'write': {
      using writeLock = db.write()
      return writeAll(writeLock)
    }
  }

  This is not being released in one of esbuild's breaking change releases since this feature hasn't been finalized yet, and esbuild always tracks the current state of the specification (so esbuild's previous behavior was arguably incorrect).

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.8.0: update strnum, FXB. Use xml-naming for DOCTYPE

Compare Source

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is by deault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

v5.7.3: fix minor old bugs and update builder

Compare Source

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

sindresorhus/globals (globals)

v17.6.0

Compare Source

• Update globals (2026-05-01) (#​343) 00a4dd9

---

v17.5.0

Compare Source

• Update globals (2026-04-12) (#​342) 5d84602

---

honojs/hono (hono@<4.12.14)

v4.12.18

Compare Source

Security fixes

This release includes fixes for the following security issues:

Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Affects: Cache Middleware. Fixes missing cache-skip handling for Vary: Authorization and Vary: Cookie, where a response cached for one authenticated user could be served to other users. GHSA-p77w-8qqv-26rm

CSS Declaration Injection via Style Object Values in JSX SSR

Affects: hono/jsx. Fixes a missing CSS-context escape for style object values and property names, where untrusted input could inject additional CSS declarations. The impact is limited to CSS and does not allow JavaScript execution. GHSA-qp7p-654g-cw7p

Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Affects: hono/utils/jwt. Fixes improper validation of exp, nbf, and iat claims, where falsy, non-finite, or non-numeric values could silently bypass time-based checks instead of being rejected per RFC 7519. GHSA-hm8q-7f3q-5f36

---

Users who use the JWT helper, hono/jsx, or the Cache middleware are strongly encouraged to upgrade to this version.

v4.12.17

Compare Source

What's Changed

• fix(jsx): normalize SVG attributes on the root element by @​kfly8 in #​4893
• fix(ssg): add atom+xml and rss+xml to defaultExtensionMap by @​yuintei in #​4899
• fix(cors): make origin optional in CORSOptions by @​truffle-dev in #​4905
• fix(types): propagate middleware response types to app.on overloads by @​T4ko0522 in #​4906

New Contributors

• @​kfly8 made their first contribution in #​4893
• @​truffle-dev made their first contribution in #​4905

Full Changelog: honojs/hono@v4.12.16...v4.12.17

v4.12.16

Compare Source

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML In

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Wednesday (* * * * 3)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[loopingz]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 18 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 26, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/vertesia/composableai/packages/ui:
 ERR_PNPM_NO_MATURE_MATCHING_VERSION  Version 1.56.12 (released 2 days ago) of i18next-cli does not meet the minimumReleaseAge constraint

This error happened while installing a direct dependency of /tmp/renovate/repos/github/vertesia/composableai/packages/ui

The latest release of i18next-cli is "1.56.12". Published at 5/11/2026

If you need the full list of all 268 published versions run "pnpm view i18next-cli versions".

If you want to install the matched version ignoring the time it was published, you can add the package name to the minimumReleaseAgeExclude setting. Read more about it: https://pnpm.io/settings#minimumreleaseageexclude