Bump the npm_and_yarn group across 1 directory with 13 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the / directory: astro and tar-fs.

Updates astro from 5.4.2 to 6.4.6

Release notes

Sourced from astro's releases.

astro@6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

astro@6.4.5

Patch Changes

• #16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

astro@6.4.4

Patch Changes

• #16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

astro@6.4.3

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

• #16899 239c469 Thanks @​matthewp! - Fixes a false "does not call the middleware() handler" warning when using astro() in a custom src/app.ts and the first request is a redirect route.

• #16887 493acdb Thanks @​astrobot-houston! - Fixes redirectToDefaultLocale not working after the Advanced Routing refactoring.

... (truncated)

Changelog

Sourced from astro's changelog.

6.4.6

Patch Changes

• #16765 b10e86e Thanks @​fkatsuhiro! - Fixes an issue where renaming an image file while the dev server is running triggers a build error. Now Astro correctly hot-reloads the image without crashing.

• #17026 add3df1 Thanks @​matthewp! - Hardens addAttribute to drop attribute names containing characters that are invalid per the HTML spec (", ', >, /, =, whitespace)

• #17033 ffda27b Thanks @​matthewp! - Validates the request origin against allowedDomains before fetching prerendered error pages. When allowedDomains is configured and the Host header matches, the original origin is used. Otherwise, the fetch falls back to localhost.

6.4.5

Patch Changes

• #16985 4ecff32 Thanks @​maximslo! - Fixes the experimental.logger destination not being used for the "Server listening on..." startup message. The logger is now resolved before the server starts listening, and adapterLogger re-creates itself when the underlying logger changes so the startup message uses the correct destination.

• #16947 e0703a6 Thanks @​ematipico! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

• #16997 dc45246 Thanks @​matthewp! - Reverts a change to isNode runtime detection that caused a significant build time regression for Cloudflare adapter users with large prerendered sites

6.4.4

Patch Changes

• #16926 1b39ae8 Thanks @​narendraio! - Prevents App.match() from throwing on request paths that contain an invalid percent-sequence.

• #16924 2c0bc94 Thanks @​astrobot-houston! - Fixes an issue where editing a client-side component (e.g. with client:idle, client:load, etc.) caused an unnecessary full program reload of the backend during development.

• #16958 2c1d50f Thanks @​fkatsuhiro! - Fixes a bug where static file endpoints using getStaticPaths with .html in dynamic param values (e.g. { path: 'file.html' }) would fail with a NoMatchingStaticPathFound error during build. The .html suffix is no longer incorrectly stripped from endpoint route pathnames.

• #16855 c610cda Thanks @​astrobot-houston! - Fixes dynamic routes returning 500 "TypeError: Missing parameter" when using domain-based i18n routing in SSR.

• #16946 606c37b Thanks @​ematipico! - Fixes Astro.routePattern to preserve original casing of dynamic parameter names from filenames. Previously, a file at src/pages/blog/[postId].astro would return /blog/[postid] for Astro.routePattern due to an internal .toLowerCase() call. It now correctly returns /blog/[postId].

• #16720 16d49b6 Thanks @​thomas-callahan-collibra! - Fix an issue where dynamic routes would return the string [object Object] instead of the expected content, in certain runtimes.

• #16703 17390a6 Thanks @​henrybrewer00-dotcom! - Fixes styles being stripped when the project root is started with a path whose case differs from the actual filesystem case (e.g. running astro dev from d:\dev\app while the folder on disk is D:\dev\app).

• #16855 c610cda Thanks @​astrobot-houston! - Fixes Astro.currentLocale returning the default locale instead of the domain's locale on dynamic routes served from a mapped domain.

6.4.3

Patch Changes

• #16900 17a0fbd Thanks @​ocavue! - Bumps devalue dependency to v5.8.1

• #16016 0d85e1b Thanks @​felmonon! - Fix a false positive in the dev toolbar accessibility audit for anchors with text inside closed <details> elements.

• #16911 79c6c46 Thanks @​astrobot-houston! - Fixes a bug where experimental.advancedRouting with astro/hono handlers threw TypeError: Cannot read properties of undefined (reading 'route') for unmatched routes instead of rendering the custom 404 page.

... (truncated)

Commits

• 19ad1b4 [ci] release (#17023)
• f1baeea [ci] format
• ffda27b Validate origin in prerendered error page fetch against allowedDomains (#17033)
• 0408628 [ci] format
• add3df1 Harden addAttribute to reject invalid attribute names (#17026)
• cfeb958 [ci] format
• b10e86e fix : content collections image hmr (#16765)
• 0b879fb [ci] release (#16972)
• dc45246 Revert isNode workerd detection that caused Cloudflare build regression (#16997)
• 132a879 [ci] format
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for astro since your current version.

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates defu from 6.1.4 to 6.1.7

Release notes

Sourced from defu's releases.

v6.1.7

compare changes

📦 Build

• Correct the types export entry (#160)
• Export Defu types (#157)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

✅ Tests

• Add more tests for plain objects (b65f603)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Kricsleo (@​kricsleo)

Changelog

Sourced from defu's changelog.

v6.1.7

compare changes

🩹 Fixes

• defu.d.cts: Export Defu types (#157)

📦 Build

• Correct the types export entry (#160)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

compare changes

📦 Build

• Fix mixed types (407b516)

❤️ Contributors

• Pooya Parsa (@​pi0)

v6.1.5

compare changes

🩹 Fixes

• Prevent prototype pollution via __proto__ in defaults (#156)
• Ignore inherited enumerable properties (11ba022)

🏡 Chore

• Add tea.yaml (70cffe5)
• Update repo (23cc432)
• Fix typecheck (89df6bb)

✅ Tests

• Add more tests for plain objects (b65f603)

🤖 CI

... (truncated)

Commits

• 80c0146 chore(release): v6.1.7
• 40d7ef4 fix(defu.d.cts): export Defu types (#157)
• 3d3a7c8 build: correct the types export entry (#160)
• 001c290 chore(release): v6.1.6
• 407b516 build: fix mixed types
• 23e59e6 chore(release): v6.1.5
• 11ba022 fix: ignore inherited enumerable properties
• 3942bfb fix: prevent prototype pollution via __proto__ in defaults (#156)
• d3ef16d chore(deps): update actions/checkout action to v6 (#151)
• 869a053 chore(deps): update actions/setup-node action to v6 (#149)
• Additional commits viewable in compare view

Updates devalue from 5.1.1 to 5.8.1

Release notes

Sourced from devalue's releases.

v5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

v5.8.0

Minor Changes

• c5115b0: feat: add stringifyAsync for async serialization

v5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.8.1

Patch Changes

• 206ca67: fix: force sparse arrays to allocate sparsely

5.8.0

Minor Changes

• c5115b0: feat: add stringifyAsync for async serialization

5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

... (truncated)

Commits

• 796ea83 Version Packages (#152)
• 206ca67 Merge commit from fork
• 14933f7 Version Packages (#151)
• c5115b0 feat: stringifyAsync (#150)
• 67dad45 docs: update README to reflect serialization stability non-goal (#147)
• 6eb920a Version Packages (#146)
• 8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
• 2eee2e4 Version Packages (#144)
• 498656e DataView support (#143)
• 5590634 Improve platform types support (#142)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for devalue since your current version.

Updates diff from 5.2.0 to 8.0.4

Changelog

Sourced from diff's changelog.

8.0.4

• #667 - fix another bug in diffWords when used with an Intl.Segmenter. If the text to be diffed included a combining mark after a whitespace character (i.e. roughly speaking, an accented space), diffWords would previously crash. Now this case is handled correctly.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
• #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
• #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

8.0.2

• #616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
• #612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

8.0.1

• #610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

8.0.0

• #580 Multiple tweaks to diffSentences:
  • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
  • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
  • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
  • the README now correctly documents the tokenization behaviour (it was wrong before)
• #581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
• #595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
• #596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
• #591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:

  • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

    Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

  • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

  • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

  • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

  • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

• #601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
  • Each key/value pair now gets passed through the replacer once instead of twice
  • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
• #602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

7.0.0

Just a single (breaking) bugfix, undoing a behaviour change introduced accidentally in 6.0.0:

... (truncated)

Commits

• dd2f994 8.0.4 release (#678)
• 3cc4384 Update docs on releasing to reflect migration to yarn berry (#677)
• 6fc2aa6 yarn up '*' && yarn up -R '**' (#676)
• af7393a yarn up '*' && yarn up -R '**' (#670)
• 4b5d180 Fix another bug in diffWords's "intlSegmenter" mode (#667)
• 10da50c yarn up '*' && yarn up -R '**' (#666)
• 8dc164b Migrate from Yarn Classic to Yarn Berry (#662)
• 750fbd6 yarn upgrade --latest (#661)
• abe2bde Add release notes for undocumented releases (#658)
• 13576bf 8.0.3 release (#652)
• Additional commits viewable in compare view

Updates esbuild from 0.25.1 to 0.27.7

Release notes

Sourced from esbuild's releases.

v0.27.7

• Fix lowering of define semantics for TypeScript parameter properties (#4421)

  The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:

  // Original code
  class Foo {
    constructor(public x = 1) {}
    y = 2
  }
  // Old output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  this.x = x;
  __publicField(this, "y", 2);
  }
  x;
  }
  // New output (with --loader=ts --target=es2021)
  class Foo {
  constructor(x = 1) {
  __publicField(this, "x", x);
  __publicField(this, "y", 2);
  }
  }

v0.27.5

• Fix for an async generator edge case (#4401, #4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#4420, #4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2025

This changelog documents all esbuild versions published in the year 2025 (versions 0.25.0 through 0.27.2).

0.27.2

• Allow import path specifiers starting with #/ (#4361)

  Previously the specification for package.json disallowed import path specifiers starting with #/, but this restriction has recently been relaxed and support for it is being added across the JavaScript ecosystem. One use case is using it for a wildcard pattern such as mapping #/* to ./src/* (previously you had to use another character such as #_* instead, which was more confusing). There is some more context in nodejs/node#49182.

  This change was contributed by @​hybrist.

• Automatically add the -webkit-mask prefix (#4357, #4358)

  This release automatically adds the -webkit- vendor prefix for the mask CSS shorthand property:

  /* Original code */
  main {
    mask: url(x.png) center/5rem no-repeat
  }
  /* Old output (with --target=chrome110) */
  main {
  mask: url(x.png) center/5rem no-repeat;
  }
  /* New output (with --target=chrome110) */
  main {
  -webkit-mask: url(x.png) center/5rem no-repeat;
  mask: url(x.png) center/5rem no-repeat;
  }

  This change was contributed by @​BPJEnnova.

• Additional minification of switch statements (#4176, #4359)

  This release contains additional minification patterns for reducing switch statements. Here is an example:

  // Original code
  switch (x) {
    case 0:
      foo()
      break
    case 1:
    default:
      bar()
  }

... (truncated)

Commits

• 2025c9f publish 0.27.7 to npm
• c6b586e fix typo in Makefile for @esbuild/win32-x64
• 9785e14 publish 0.27.6 to npm
• b169d8c Revert "update go 1.25.7 => 1.26.1"
• 7ac8762 run make update-compat-table
• 8b5ff53 remove an incorrect else
• e955268 fix #4421: lower generated class fields if needed
• a5a2500 ci: move make test-old-ts
• b71e7ac omit go's buildvcs for more reproducible builds
• 7406b09 organize make platform-all output in Makefile
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for esbuild since your current version.

Updates h3 from 1.15.1 to 1.15.11

Release notes

Sourced from h3's releases.

v1.15.11

compare changes

🏡 Chore

• Update defu to 6.1.6 (6125485)
• Update deps (4998dd8)
• Update cookie-es (d166186)

v1.15.10

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

• Sergio Azócar (@​sergioazoc)

v1.15.9

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)
• static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
• sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

• static: Narrow path traversal check to match .. as a path segment only (c049dc0)
• app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

• Remove implicit event handler conversion warning (#1340)

❤️ Contributors

... (truncated)

Changelog

Sourced from h3's changelog.

Commits

• 7b9f41f chore(release): v1.15.11
• d166186 chore: update cookie-es
• 4998dd8 chore: update deps
• 6125485 chore: update defu to 6.1.6
• b72bb57 chore(release): v1.15.10
• d8ef318 remove resolutions for h3
• 26fec6f chore: update deps
• 51ca9b3 fix: preserve percent-encoded req.url in app event handler (#1355)
• 4e8d43a chore(release): v1.15.9
• 23045df chore: update deps
• Additional commits viewable in compare view

Updates js-yaml from 3.14.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #62.<...

  Description has been truncated