Bump the npm_and_yarn group across 1 directory with 22 updates by dependabot[bot] · Pull Request #4 · doodlemania2/azurenotes

dependabot · 2026-03-26T01:19:41Z

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
nuxt	`3.3.1`	`3.19.0`
semver	`6.3.0`	`6.3.1`
minimatch	`3.0.8`	`10.2.4`
lodash	`4.17.21`	`4.17.23`
picomatch	`2.3.1`	`2.3.2`
tar	`6.1.13`	`removed`

Updates nuxt from 3.3.1 to 3.19.0

Release notes

Sourced from nuxt's releases.

v3.19.0

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:
npx nuxt upgrade --dedupe
This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

kit: Add ignore option to resolveFiles (#32858)

kit: Add onInstall and onUpgrade module hooks (#32397)

nuxt,vite: Add experimental support for rolldown-vite (#31812)

nuxt: Extract defineRouteRules to page rules property (#32897)

nuxt,vite: Use importmap to increase chunk stability (#33075)

nuxt: Lazy hydration macros without auto-imports (#33037)

kit,nuxt,schema: Allow modules to specify dependencies (#33063)

kit,nuxt: Add getLayerDirectories util and refactor to use it (#33098)

🔥 Performance

nuxt: Clear inline route rules cache when pages change (#32877)

nuxt: Stop watching app manifest once a change has been detected (#32880)

🩹 Fixes

nuxt: Handle satisfies in page augmentation (#32902)

nuxt: Type response in useFetch hooks (#32891)

nuxt: Add TS parenthesis and as expression for page meta extraction (#32914)

nuxt: Use correct unit thresholds for relative time (#32893)

nuxt: Handle uncached current build manifests (#32913)

kit: Resolve directories in resolvePath and normalize file extensions (#32857)

schema,vite: Bump requestTimeout + allow configuration (#32874)

nuxt: Deep merge extracted route meta (#32887)

nuxt: Do not expose app components until fully resolved (#32993)

kit: Only exclude node_modules/ if no custom srcDir (#32987)

nuxt: Compare final matched routes when syncing route object (#32899)

nuxt: Make vue server warnings much less verbose in dev mode (#33018)

schema: Allow disabling cssnano/autoprefixer postcss plugins (#33016)

kit: Ensure local layers are prioritised alphabetically (#33030)

kit,nuxt: Expose global types to vue compiler (#33026)

nuxt: Support config type inference for defineNuxtModule().with() (#33081)

nuxt: Search for colliding names in route children (31a9282c2)

nuxt: Delete nuxtApp._runningTransition on resolve (#33025)

nuxt: Add validation for nuxt island reviver key (#33069)

... (truncated)

Commits

8956505 v3.19.0
9a3b445 test: update test for app creation
ae8b0d2 fix(kit): prioritise local layers over extended layers
2fd3bc2 feat(kit,nuxt): add getLayerDirectories util and refactor to use it (#33098)
6cc79dd feat(kit,nuxt,schema): allow modules to specify dependencies (#33063)
78153ba fix(nuxt): add validation for nuxt island reviver key (#33069)
f4e38b7 fix(nuxt): delete nuxtApp._runningTransition on resolve (#33025)
31a9282 fix(nuxt): search for colliding names in route children
10fd012 refactor(kit,nuxt,ui-templates,vite): address deprecations + improve regexp p...
04dda84 feat(nuxt): lazy hydration macros without auto-imports (#33037)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nuxt since your current version.

Updates postcss from 8.4.21 to 8.5.8

Release notes

Sourced from postcss's releases.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

Fixed package.json→exports compatibility with some tools (by @JounQin).

8.5.4

Fixed Parcel compatibility issue (by @git-sumitchaudhary).

8.5.3

Added more details to Unknown word error (by @hiepxanh).

Fixed types (by @romainmenke).

Fixed docs (by @catnipan).

8.5.2

Fixed end position of rules with semicolon (by @romainmenke).

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@romainmenke during his work on Stylelint added Input#document in additional to Input#css.
root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
Thanks to Sponsors

This release was possible thanks to our community.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.8

Fixed Processor#version.

8.5.7

Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

Fixed ContainerWithChildren type discriminating (by @Goodwine).

8.5.5

Fixed package.json→exports compatibility with some tools (by @JounQin).

8.5.4

Fixed Parcel compatibility issue (by @git-sumitchaudhary).

8.5.3

Added more details to Unknown word error (by @hiepxanh).

Fixed types (by @romainmenke).

Fixed docs (by @catnipan).

8.5.2

Fixed end position of rules with semicolon (by @romainmenke).

8.5.1

Fixed backwards compatibility for complex cases (by @romainmenke).

8.5 “Duke Alloces”

Added Input#document for sources like CSS-in-JS or HTML (by @romainmenke).

8.4.49

Fixed custom syntax without source.offset (by @romainmenke).

8.4.48

Fixed position calculation in error/warnings methods (by @romainmenke).

8.4.47

Removed debug code.

8.4.46

Fixed Cannot read properties of undefined (reading 'before').

8.4.45

Removed unnecessary fix which could lead to infinite loop.

8.4.44

Another way to fix markClean is not a function error.

8.4.43

Fixed markClean is not a function error.

... (truncated)

Commits

65de537 Release 8.5.8 version
b2c6d97 Run git hook register
0ae0a49 Update Processor#version
6ee9f14 Release 8.5.7 version
3fbc951 Fix uvu Node.js 25 support
52db53e Update dependencies
497daef Speed up source map annotation cleaning by moving from RegExp
41e739a Remove banner
1329142 chore: speed up space-only string check in lib/parser.js (#2064)
23beff9 Update dependencies
Additional commits viewable in compare view

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

928e56d #591 better handling of whitespace (#591) (@lukekarrys, @joaomoreno, @nicolo-ribaudo)

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

928e56d #591 better handling of whitespace (#591) (@lukekarrys, @joaomoreno, @nicolo-ribaudo)

6.2.0

Coerce numbers to strings when passed to semver.coerce()

Add rtl option to coerce from right to left

6.1.3

Handle X-ranges properly in includePrerelease mode

6.1.2

Do not throw when testing invalid version strings

6.1.1

Add options support for semver.coerce()

Handle undefined version passed to Range.test

6.1.0

Add semver.compareBuild function

Support * in semver.intersects

6.0

Fix intersects logic.

This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

Add minVersion method

5.6

Move boolean loose param to an options object, with backwards-compatibility protection.

Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

44d27bc chore: release 6.3.1
928e56d fix: better handling of whitespace (#591)
39f6326 chore: @npmcli/template-oss@4.16.0
See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates @babel/helpers from 7.21.0 to 7.29.2

Release notes

Sourced from @babel/helpers's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

babel-parser

#17840 [7.x backport] async x => {} must be in leading pos (@JLHwung)

🐛 Bug Fix

babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3

#17805 [7.x backport] fix: Properly handle await in finally (@liuxingbaoyu)

babel-preset-env

#17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@JLHwung)

🏠 Internal

#17813 chore: update eslint peer deps (@JLHwung)

Committers: 2

Huáng Jùnliàng (@JLHwung)

@liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

babel-standalone

#17771 [7.x backport] fix: ensure targets.esmodules is validated (@JLHwung)

babel-generator

#17776 [7.x backport] Fix undefined when 64 indents (@liuxingbaoyu)

Committers: 2

Huáng Jùnliàng (@JLHwung)

@liuxingbaoyu

v7.29.0 (2026-01-31)

Thanks @simbahax for your first PR!

🚀 New Feature

babel-types

#17750 [7.x backport] Add attributes import declaration builder (@JLHwung)

babel-standalone

#17663 [7.x backport] feat(standalone): export async transform (@JLHwung)

#17725 [7.x backport] feat: read standalone targets from data-targets (@JLHwung)

🐛 Bug Fix

babel-parser

#17765 fix(parser): correctly parse type assertions in extends clause (@nicolo-ribaudo)

#17723 [7.x backport] fix(parser): improve super type argument parsing (@JLHwung)

babel-traverse

#17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@simbahax)

babel-plugin-transform-block-scoping, babel-traverse

#17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@magic-akari)

... (truncated)

Commits

37d5595 v7.29.2
1c0a08d [7.x backport] fix: Properly handle await in finally (#17805)
d7f4008 v7.28.6
99dcba5 chore: enable some ts-eslint rules (#17592)
c1b55f6 Use eslint.config.mts (#17573)
35055e3 v7.28.4
18d88b8 Improve @babel/core typings (#17471)
ef155f5 v7.28.3
741cbd2 chore: fix various typos across codebase (#17476)
cac0ff4 v7.28.2
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @babel/helpers since your current version.

Updates @babel/traverse from 7.21.3 to 7.29.0

Release notes

Sourced from @babel/traverse's releases.

v7.29.0 (2026-01-31)

Thanks @simbahax for your first PR!

🚀 New Feature

babel-types

#17750 [7.x backport] Add attributes import declaration builder (@JLHwung)

babel-standalone

#17663 [7.x backport] feat(standalone): export async transform (@JLHwung)

#17725 [7.x backport] feat: read standalone targets from data-targets (@JLHwung)

🐛 Bug Fix

babel-parser

#17765 fix(parser): correctly parse type assertions in extends clause (@nicolo-ribaudo)

#17723 [7.x backport] fix(parser): improve super type argument parsing (@JLHwung)

babel-traverse

#17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@simbahax)

babel-plugin-transform-block-scoping, babel-traverse

#17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@magic-akari)

🏃‍♀️ Performance

babel-generator, babel-runtime-corejs3

#17642 [Babel 7] Improve generator performance (@liuxingbaoyu)

Committers: 6

David (@simbahax)

Huáng Jùnliàng (@JLHwung)

Nicolò Ribaudo (@nicolo-ribaudo)

@liuxingbaoyu

@magic-akari

v7.28.6 (2026-01-12)

Thanks @kadhirash and @kolvian for your first PRs!

🐛 Bug Fix

babel-cli, babel-code-frame, babel-core, babel-helper-check-duplicate-nodes, babel-helper-fixtures, babel-helper-plugin-utils, babel-node, babel-plugin-transform-flow-comments, babel-plugin-transform-modules-commonjs, babel-plugin-transform-property-mutators, babel-preset-env, babel-traverse, babel-types

#17589 Improve Unicode handling in code-frame tokenizer (@JLHwung)

babel-plugin-transform-regenerator

#17556 fix: transform-regenerator correctly handles scope (@liuxingbaoyu)

babel-plugin-transform-react-jsx

#17538 fix: Keep jsx comments (@liuxingbaoyu)

💅 Polish

babel-core, babel-standalone

#17606 Polish(standalone): improve message on invalid preset/plugin (@JLHwung)

🏠 Internal

babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-proposal-decorators, babel-plugin-proposal-import-attributes-to-assertions, babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-async-do-expressions, babel-plugin-syntax-decorators, babel-plugin-syntax-destructuring-private, babel-plugin-syntax-do-expressions, babel-plugin-syntax-explicit-resource-management, babel-plugin-syntax-export-default-from, babel-plugin-syntax-flow, babel-plugin-syntax-function-bind, babel-plugin-syntax-function-sent, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-plugin-syntax-import-defer, babel-plugin-syntax-import-source, babel-plugin-syntax-jsx, babel-plugin-syntax-module-blocks, babel-plugin-syntax-optional-chaining-assign, babel-plugin-syntax-partial-application, babel-plugin-syntax-pipeline-operator, babel-plugin-syntax-throw-expressions, babel-plugin-syntax-typescript, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-dotall-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-explicit-resource-management, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-json-strings, babel-plugin-transform-logical-assignment-operators, babel-plugin-transform-nullish-coalescing-operator, babel-plugin-transform-numeric-separator, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-catch-binding, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-regexp-modifiers, babel-plugin-transform-unicode-property-regex, babel-plugin-transform-unicode-sets-regex

#17580 Allow Babel 8 in compatible Babel 7 plugins (@nicolo-ribaudo)

... (truncated)

Commits

aa8394e v7.29.0
84366a8 fix(traverse): provide a hub when traversing a File or Program and no parentP...
229eb45 [7.x backport] fix: Rename switch discriminant references when body creates s...
d7f4008 v7.28.6
905bc22 fix: lint errors in main branch (#17612)
a03e2b6 fix: path.evaluate correctly returns confident (#17584)
aac2c37 chore: Use Gulpfile.mts (#17579)
65c4a6b [Babel 8] fix: Improve traverse types (#17574)
99dcba5 chore: enable some ts-eslint rules (#17592)
c92c491 Improve Unicode handling in code-frame tokenizer (#17589)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @babel/traverse since your current version.

Updates minimatch from 3.0.8 to 10.2.4

Changelog

Sourced from minimatch's changelog.

change log

10.2

Add braceExpandMax option

10.1

Add magicalBraces option for escape

Fix makeRe when partial: true is set.

Fix makeRe when pattern ends in a final ** path part.

10.0

Require node 20 or 22 and higher

9.0

No default export, only named exports.

8.0

Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions

Bump required Node.js version

7.4

Add escape() method

Add unescape() method

Add Minimatch.hasMagic() method

7.3

Add support for posix character classes in a unicode-aware way.

7.2

Add windowsNoMagicRoot option

7.1

Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

c36addb 10.2.4
26b9002 docs: add warning about ReDoS
3a0d83b fix partial matching of globstar patterns
ea94840 10.2.3
0873fba update deps
cecaad1 more extglob coalescing for performance
11d0df6 limit nested extglob recursion, flatten extglobs
c3448c4 update assertValidPattern param type to unknown from any
0bf499a limit recursion for **, improve perf considerably
9f15c58 update deps
Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates braces from 3.0.2 to 3.0.3

Commits

74b2db2 3.0.3
88f1429 update eslint. lint, fix unit tests.
415d660 Snyk js braces 6838727 (#40)
190510f fix tests, skip 1 test in test/braces.expand
716eb9f readme bump
a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
98414f9 remove funding file
665ab5d update keepEscaping doc (#27)
Additional commits viewable in compare view

Updates esbuild from 0.16.17 to 0.25.12

Release notes

Sourced from esbuild's releases.

v0.25.12
Fix a minification regression with CSS media queries (#4315)

The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.
Update the list of known JavaScript globals (#4310)

This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

From ES2017:

Atomics

SharedArrayBuffer

From ES2020:

BigInt64Array

BigUint64Array

From ES2021:

FinalizationRegistry

WeakRef

From ES2025:

Float16Array

Iterator

Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:
// This can now be tree-shaken by esbuild:
class ExampleIterator extends Iterator {}
Add support for the new @view-transition CSS rule (#4313)

With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):
/* Original code */
@view-transition {
  navigation: auto;
  types: check;
}
/* Old output */
@view-transition { navigation: auto; types: check; }
/* New output */
@view-transition {
navigation: auto;
types: check;

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2023

This changelog documents all esbuild versions published in the year 2023 (versions 0.16.13 through 0.19.11).

0.19.11
Fix TypeScript-specific class transform edge case (#3559)

The previous release introduced an optimization that avoided transforming super() in the class constructor for TypeScript code compiled with useDefineForClassFields set to false if all class instance fields have no initializers. The rationale was that in this case, all class instance fields are omitted in the output so no changes to the constructor are needed. However, if all of this is the case and there are #private instance fields with initializers, those private instance field initializers were still being moved into the constructor. This was problematic because they were being inserted before the call to super() (since super() is now no longer transformed in that case). This release introduces an additional optimization that avoids moving the private instance field initializers into the constructor in this edge case, which generates smaller code, matches the TypeScript compiler's output more closely, and avoids this bug:
// Original code
class Foo extends Bar {
  #private = 1;
  public: any;
  constructor() {
    super();
  }
}
// Old output (with esbuild v0.19.9)
class Foo extends Bar {
constructor() {
super();
this.#private = 1;
}
#private;
}
// Old output (with esbuild v0.19.10)
class Foo extends Bar {
constructor() {
this.#private = 1;
super();
}
#private;
}
// New output
class Foo extends Bar {
#private = 1;
constructor() {
super();
}
}
Minifier: allow reording a primitive past a side-effect (#3568)

The minifier previously allowed reordering a side-effect past a primitive, but didn't handle the case of reordering a primitive past a side-effect. This additional case is now handled:

... (truncated)

Commits

208f539 publish 0.25.12 to npm
5f03afd update release notes
6b2ee78 minify: remove css rules containing empty :is()
f361deb add some additional known static methods
07aa646 automatically mark "RegExp.escape()" calls as pure
9039c46 simplify some call expression checks
188944d add some additional known static methods
d3c67f9 fix #4310: add Iterator and other known globals
4a51f0b fix: escape dev server breadcrumb hrefs properly (#4316)
26b29ed fix #4315: @media deduplication bug edge case
Additional commits viewable in compare view

Updates h3 from 1.6.2 to 1.15.10

Release notes

Sourced from h3's releases.

v1.15.10

compare changes

🩹 Fixes

Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

Sergio Azócar (@sergioazoc)

v1.15.9

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)

sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

static: Narrow path traversal check to match .. as a path segment only (c049dc0)

app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

Remove implicit event handler conversion warning (#1340)

❤️ Contributors

Pooya Parsa (@pi0)

Wind (@productdevbook)

v1.15.6

compare changes

🩹 Fixes

sse: Sanitize newlines in event stream fields to prevent SSE injection (840ac5c)

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.10

compare changes

🩹 Fixes

Preserve percent-encoded req.url in app event handler (#1355)

🏡 Chore

Update deps (26fec6f)

❤️ Contributors

Pooya Parsa (@pi0)

Sergio Azócar (@sergioazoc)

v1.15.9

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)

sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

🏡 Chore

release: V1.15.8 (e3b9c9e)

Update deps (23045df)

❤️ Contributors

Pooya Parsa (@pi0)

v1.15.8

compare changes

🩹 Fixes

Preserve %25 in pathname (1103df6)

❤️ Contributors

Pooya Parsa (@pi0)

v1.15.7

... (truncated)

Commits

b72bb57 chore(release): v1.15.10
d8ef318 remove resolutions for h3
26fec6f chore: update deps
51ca9b3 fix: preserve percent-encoded req.url in app event handler (#1355)
4e8d43a chore(release): v1.15.9
23045df chore: update deps
ba3c3fe fix(sse): sanitize carriage returns in event stream data and comments
c56683d fix(static): prevent path traversal via double-encoded dot segments (`%252e%2...
e3b9c9e chore(release): v1.15.8
1103df6 fix: preserve %25 in pathname
Additional commits viewable in compare view

Updates koa from 2.14.1 to 2.16.4

Release notes

Sourced from koa's releases.

v2.16.4

What's Changed

fix(security): Host Header Injection via ctx.hostname by @killagu GHSA-7gcc-r8m5-44qm

v2.16.3

What's Changed

fix: normalize referer before redirect by @fengmk2 in koajs/koa#1909

Full Changelog: koajs/koa@v2.16.2...v2.16.3

v2.16.2

What's Changed

fix: only allow back redirect to the same origin referer by @fengmk2 in koajs/koa#1898

Full Changelog: koajs/koa@v2.16.1...v2.16.2

v2.16.1

fix: don't render redirect values in anchor ref

2.16.0

This is a backported release to fix core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at koajs/koa#1593 and koajs/koa#1547.

fix missing cleanup, if response socket is no longer writeable (issue 1547) (koajs/koa#1593) 399cb6b0dd2104224c0ef0ce8e92f84e4f7faf42

2.15.4

Full Changelog: koajs/koa@2.15.3...2.15.4

Fix: avoid redos on host and protocol getter, see GHSA-593f-38f6-jp5m

Commits

ca76ea6 2.16.4
b76ddc0 Merge commit from fork
c8af309 2.16.3
7af5268 fix: normalize referer before redirect (#1909)
3b16886 2.16.2
c61f094 chore: add publish tag
c02f188 fix: only allow back redirect to the same origin referer (#1898)
ba14822 2.16.1
2ff6c3f 2.16.0
3d51d03 ci: allow codecov to fail
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for koa since your current version.

Updates lodash from 4.17.21 to 4.17.23

Commits

dec55b7 Bump main to v4.17.23 (#6088)
19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
edadd45 Prevent prototype pollution on baseUnset function
4879a7a doc: fix autoLink function, conversion of source links (#6056)
9648f69 chore: remove yarn.lock file (#6053)
dfa407d ci: remove legacy configuration files (#6052)
156e196 feat: add renovate setup (#6039)
933e106 ci: add pipeline for Bun (#6023)
072a807 docs: update links related to Open JS Foundation (#5968)
Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.Description has been truncated

Bumps the npm_and_yarn group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [nuxt](https://github.com/nuxt/nuxt/tree/HEAD/packages/nuxt) | `3.3.1` | `3.19.0` | | [semver](https://github.com/npm/node-semver) | `6.3.0` | `6.3.1` | | [minimatch](https://github.com/isaacs/minimatch) | `3.0.8` | `10.2.4` | | [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [tar](https://github.com/isaacs/node-tar) | `6.1.13` | `removed` | Updates `nuxt` from 3.3.1 to 3.19.0 - [Release notes](https://github.com/nuxt/nuxt/releases) - [Commits](https://github.com/nuxt/nuxt/commits/v3.19.0/packages/nuxt) Updates `postcss` from 8.4.21 to 8.5.8 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.4.21...8.5.8) Updates `semver` from 6.3.0 to 6.3.1 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md) - [Commits](npm/node-semver@v6.3.0...v6.3.1) Updates `@babel/helpers` from 7.21.0 to 7.29.2 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.2/packages/babel-helpers) Updates `@babel/traverse` from 7.21.3 to 7.29.0 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.29.0/packages/babel-traverse) Updates `minimatch` from 3.0.8 to 10.2.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.0.8...v10.2.4) Updates `braces` from 3.0.2 to 3.0.3 - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) Updates `esbuild` from 0.16.17 to 0.25.12 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md) - [Commits](evanw/esbuild@v0.16.17...v0.25.12) Updates `h3` from 1.6.2 to 1.15.10 - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.10/CHANGELOG.md) - [Commits](h3js/h3@v1.6.2...v1.15.10) Updates `koa` from 2.14.1 to 2.16.4 - [Release notes](https://github.com/koajs/koa/releases) - [Changelog](https://github.com/koajs/koa/blob/master/History.md) - [Commits](koajs/koa@2.14.1...v2.16.4) Updates `lodash` from 4.17.21 to 4.17.23 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.21...4.17.23) Updates `micromatch` from 4.0.5 to 4.0.8 - [Release notes](https://github.com/micromatch/micromatch/releases) - [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md) - [Commits](micromatch/micromatch@4.0.5...4.0.8) Updates `node-forge` from 1.3.1 to 1.4.0 - [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md) - [Commits](digitalbazaar/forge@v1.3.1...v1.4.0) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@2.3.1...2.3.2) Updates `rollup` from 3.20.0 to 4.60.0 - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG-3.md) - [Commits](rollup/rollup@v3.20.0...v4.60.0) Updates `send` from 0.18.0 to 1.2.1 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.18.0...1.2.1) Updates `serialize-javascript` from 6.0.1 to 7.0.5 - [Release notes](https://github.com/yahoo/serialize-javascript/releases) - [Commits](yahoo/serialize-javascript@v6.0.1...v7.0.5) Updates `serve-static` from 1.15.0 to 2.2.1 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/master/HISTORY.md) - [Commits](expressjs/serve-static@v1.15.0...v2.2.1) Updates `svgo` from 2.8.0 to 4.0.1 - [Release notes](https://github.com/svg/svgo/releases) - [Commits](svg/svgo@v2.8.0...v4.0.1) Removes `tar` Updates `unhead` from 1.1.23 to 2.1.12 - [Release notes](https://github.com/unjs/unhead/releases) - [Commits](https://github.com/unjs/unhead/commits/v2.1.12/packages/unhead) Updates `vite` from 4.1.4 to 7.3.1 - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.3.1/packages/vite) --- updated-dependencies: - dependency-name: nuxt dependency-version: 3.19.0 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: postcss dependency-version: 8.5.8 dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: semver dependency-version: 6.3.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@babel/helpers" dependency-version: 7.29.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@babel/traverse" dependency-version: 7.29.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 10.2.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: braces dependency-version: 3.0.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: esbuild dependency-version: 0.25.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: h3 dependency-version: 1.15.10 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: koa dependency-version: 2.16.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.17.23 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: micromatch dependency-version: 4.0.8 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: node-forge dependency-version: 1.4.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: rollup dependency-version: 4.60.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-version: 1.2.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serialize-javascript dependency-version: 7.0.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-version: 2.2.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: svgo dependency-version: 4.0.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: tar dependency-version: dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: unhead dependency-version: 2.1.12 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: vite dependency-version: 7.3.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 26, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the npm_and_yarn group across 1 directory with 22 updates#4

Bump the npm_and_yarn group across 1 directory with 22 updates#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-2664f2bbdb

dependabot Bot commented on behalf of github Mar 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Mar 26, 2026

v3.19.0

👀 Highlights

✅ Upgrading

👉 Changelog

🚀 Enhancements

🔥 Performance

🩹 Fixes

8.5.8

8.5.7

8.5.6

8.5.5

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

Thanks to Sponsors

8.5.8

8.5.7

8.5.6

8.5.5

8.5.4

8.5.3

8.5.2

8.5.1

8.5 “Duke Alloces”

8.4.49

8.4.48

8.4.47

8.4.46

8.4.45

8.4.44

8.4.43

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

6.3.1 (2023-07-10)

Bug Fixes

6.2.0

6.1.3

6.1.2

6.1.1

6.1.0

6.0

5.7

5.6

5.5

v7.29.2 (2026-03-16)

👓 Spec Compliance

🐛 Bug Fix

🏠 Internal

Committers: 2

v7.29.1 (2026-02-04)

🐛 Bug Fix

Committers: 2

v7.29.0 (2026-01-31)

🚀 New Feature

🐛 Bug Fix

v7.29.0 (2026-01-31)

🚀 New Feature

🐛 Bug Fix

🏃‍♀️ Performance

Committers: 6

v7.28.6 (2026-01-12)

🐛 Bug Fix

💅 Polish

🏠 Internal

change log

10.2

10.1

10.0

9.0

8.0

7.4

7.3

7.2

7.1