build(deps): bump the npm_and_yarn group across 4 directories with 30 updates

[dependabot]

Bumps the npm_and_yarn group with 16 updates in the /packages/browser-sync directory:

Package	From	To
eazy-logger	4.0.1	4.1.0
immutable	3.8.2	3.8.3
send	0.16.2	1.2.1
serve-static	1.13.2	1.16.3
socket.io	4.6.1	4.6.2
request	2.88.0	2.88.2
requirejs	2.3.6	2.3.7
brace-expansion	1.1.11	1.1.13
brace-expansion	2.0.1	2.0.3
cookie	0.4.2	0.7.2
follow-redirects	1.14.9	1.15.11
js-yaml	4.1.0	4.1.1
lodash	4.17.21	4.17.23
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
qs	6.11.0	6.15.0
socket.io-parser	3.3.3	3.3.5

Bumps the npm_and_yarn group with 20 updates in the / directory:

Package	From	To
eazy-logger	4.0.1	4.1.0
immutable	3.8.2	3.8.3
send	0.16.2	0.19.0
serve-static	1.13.2	1.16.0
socket.io	4.6.1	4.6.2
request	2.88.0	2.88.2
requirejs	2.3.6	2.3.7
axios	1.2.1	1.14.0
brace-expansion	1.1.11	1.1.13
braces	3.0.2	3.0.3
form-data	2.3.2	2.3.3
lodash	4.17.21	4.17.23
minimatch	3.0.4	3.0.5
picomatch	2.3.1	2.3.2
esbuild	0.14.27	0.25.0
webpack	5.76.0	5.104.1
angular	1.8.2	1.8.3
angular-sanitize	1.8.2	1.8.3
object-path	0.11.5	0.11.8
handlebars	4.7.7	4.7.9

Bumps the npm_and_yarn group with 11 updates in the /packages/browser-sync-ui directory:

Package	From	To
immutable	3.8.2	3.8.3
brace-expansion	1.1.11	1.1.13
brace-expansion	2.0.1	2.0.3
braces	3.0.2	3.0.3
ws	8.2.3	8.18.3
picomatch	2.3.1	2.3.2
esbuild	0.14.27	0.25.0
angular	1.8.2	1.8.3
angular-sanitize	1.8.2	1.8.3
object-path	0.11.5	0.11.8
on-headers	1.0.2	1.1.0
shelljs	0.3.0	removed

Bumps the npm_and_yarn group with 6 updates in the /packages/browser-sync-client directory:

Package	From	To
braces	3.0.2	3.0.3
ws	8.2.3	8.18.3
picomatch	2.3.1	2.3.2
serialize-javascript	6.0.1	6.0.2
esbuild	0.14.27	0.25.0
webpack	5.76.0	5.105.4

Updates eazy-logger from 4.0.1 to 4.1.0

Commits

• a2e0ddc 4.1.0
• 5a4da5d Merge branch 'L-four-master'
• a8baa6f Reslove CVE-2024-57075 with and add a test.
• See full diff in compare view

Updates immutable from 3.8.2 to 3.8.3

Release notes

Sourced from immutable's releases.

v3.8.3

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

• Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

• Migrate some files to TS by @​jdeniau in immutable-js/immutable-js#2125
  • Iterator.ts
  • PairSorting.ts
  • toJS.ts
  • Math.ts
  • Hash.ts
• Extract CollectionHelperMethods and convert to TS by @​jdeniau in immutable-js/immutable-js#2131
• Use npm trusted publishing only to avoid token stealing.

Documentation

• Fix/a11y issues by @​lyannel in immutable-js/immutable-js#2136
• Doc add Map.get signature update by @​borracciaBlu in immutable-js/immutable-js#2138
• fix(doc):minor-issues#2132 by @​JayMeDotDot in immutable-js/immutable-js#2133
• Fix algolia search by @​jdeniau in immutable-js/immutable-js#2135
• Typo in OrderedMap by @​jdeniau in immutable-js/immutable-js#2144

Internal

• chore: Sort all imports and activate eslint import rule by @​jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

• fix: allow readonly map entry constructor by @​septs in immutable-js/immutable-js#2123

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

... (truncated)

Commits

• c407425 bump v3.8.3
• c6ff68a release script on 3.x branch
• a675a66 Merge pull request #2179 from immutable-js/port-patch-for-cve-2026-29063
• 6e2cf1c Port patch for CVE 2026-29063 onto branch 3.x
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.

Updates send from 0.16.2 to 1.2.1

Release notes

Sourced from send's releases.

1.2.1

What's Changed

• ci: add CodeQl (SAST) by @​Phillip9587 in pillarjs/send#250
• ci: add node.js 24 to test matrix by @​Phillip9587 in pillarjs/send#255
• [StepSecurity] Apply security best practices by @​step-security-bot in pillarjs/send#256
• chore: add funding to package.json by @​bjohansebas in pillarjs/send#265
• build(deps): bump github/codeql-action from 2.23.2 to 3.29.5 by @​dependabot[bot] in pillarjs/send#266
• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.2 by @​dependabot[bot] in pillarjs/send#257
• build(deps): bump actions/download-artifact from 4 to 5 by @​dependabot[bot] in pillarjs/send#269
• build(deps): bump github/codeql-action from 3.29.7 to 3.29.11 by @​dependabot[bot] in pillarjs/send#268
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in pillarjs/send#267
• build(deps): bump github/codeql-action from 3.29.11 to 4.31.2 by @​dependabot[bot] in pillarjs/send#278
• build(deps): bump actions/download-artifact from 5 to 6 by @​dependabot[bot] in pillarjs/send#277
• build(deps): bump actions/upload-artifact from 4 to 5 by @​dependabot[bot] in pillarjs/send#276
• build(deps): bump actions/setup-node from 4 to 6 by @​dependabot[bot] in pillarjs/send#275
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in pillarjs/send#272
• build(deps-dev): bump eslint-plugin-import from 2.25.4 to 2.32.0 by @​dependabot[bot] in pillarjs/send#262
• build(deps-dev): bump supertest from 6.2.2 to 6.3.4 by @​dependabot[bot] in pillarjs/send#260
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in pillarjs/send#283
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.5 by @​dependabot[bot] in pillarjs/send#282
• chore: remove HISTORY.md from tarball by @​Phillip9587 in pillarjs/send#285
• ci: add Node.js 25 to test matrix by @​Phillip9587 in pillarjs/send#284
• chore: update dependency ranges to latest versions by @​Phillip9587 in pillarjs/send#286
• Release: 1.2.1 by @​UlisesGascon in pillarjs/send#281

New Contributors

• @​step-security-bot made their first contribution in pillarjs/send#256
• @​dependabot[bot] made their first contribution in pillarjs/send#266

Full Changelog: pillarjs/send@1.2.0...1.2.1

1.2.0

What's Changed

• chore(deps): updated dependency fresh to v2 by @​Phillip9587 in pillarjs/send#247
• fix: remove obsolete dependency destroy by @​Phillip9587 in pillarjs/send#245
• docs: remove security file by @​bjohansebas in pillarjs/send#248
• deps: update mime-types to v3.0.1 by @​bjohansebas in pillarjs/send#251
• ci: update ci workflow and remove appveyor by @​Phillip9587 in pillarjs/send#249
• refactor: remove getHeaderNames() polyfill and refactor clearHeaders() by @​Phillip9587 in pillarjs/send#243
• Release 1.2.0 by @​UlisesGascon in pillarjs/send#252

New Contributors

• @​Phillip9587 made their first contribution in pillarjs/send#247
• @​bjohansebas made their first contribution in pillarjs/send#248

Full Changelog: pillarjs/send@1.1.0...1.2.0

1.1.0

What's Changed

• Remove link renderization in html while redirecting (pillarjs/send#235)

... (truncated)

Changelog

Sourced from send's changelog.

1.2.1 / 2025-12-15

• Minor changes (package metadata)
• deps:
  • debug@^4.4.3
  • http-errors@^2.0.1
  • mime-types@^3.0.2
  • statuses@^2.0.2

1.2.0 / 2025-03-27

• deps:
  • mime-types@^3.0.1
  • fresh@^2.0.0
  • removed destroy
• remove getHeaderNames() polyfill and refactor clearHeaders()

1.1.0 / 2024-09-10

• Changes from 0.19.0

1.0.0 / 2024-07-25

• Drop support for Node.js <18.0
• statuses@^2.0.1
• range-parser@^1.2.1
• on-finished@^2.4.1
• ms@^2.1.3
• mime-types@^2.1.35
• http-errors@^2.0.0
• fresh@^0.5.2
• etag@^1.8.1
• escape-html@^1.0.3
• encodeurl@^2.0.0
• destroy@^1.2.0
• debug@^4.3.5

1.0.0-beta.2 / 2024-03-04

• Changes from 0.18.0

1.0.0-beta.1 / 2022-02-04

• Drop support for Node.js 0.8

... (truncated)

Commits

• 096a614 1.2.1 (#281)
• 861e3c6 chore: update depenency ranges to latest versions (#286)
• a40fcd4 ci: add Node.js 25 to test matrix (#284)
• 7740dde chore: remove HISTORY.md from tarball (#285)
• f532f41 build(deps): bump github/codeql-action from 4.31.2 to 4.31.5 (#282)
• f9b651f build(deps): bump actions/checkout from 5 to 6 (#283)
• db2558b build(deps-dev): bump supertest from 6.2.2 to 6.3.4 (#260)
• 136fcf6 build(deps-dev): bump eslint-plugin-import from 2.25.4 to 2.32.0 (#262)
• fac9c3f build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 (#272)
• cd0c253 build(deps): bump actions/setup-node from 4 to 6 (#275)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.

Updates serve-static from 1.13.2 to 1.16.3

Release notes

Sourced from serve-static's releases.

v1.16.3

What's Changed

• deps: send@~0.19.1 by @​Phillip9587 in expressjs/serve-static#227
• Release: 1.16.3 by @​UlisesGascon in expressjs/serve-static#229

Full Changelog: expressjs/serve-static@v1.16.2...v1.16.3

v1.16.2

What's Changed

• encodeurl@~2.0.0 by @​wesleytodd in expressjs/serve-static#180

Full Changelog: expressjs/serve-static@v1.16.1...v1.16.2

v1.16.1

What's Changed

• bump send to 0.19 by @​tommasini in expressjs/serve-static#176

New Contributors

• @​tommasini made their first contribution in expressjs/serve-static#176

Full Changelog: expressjs/serve-static@1.16.0...v1.16.1

1.16.0

What's Changed

• Remove link renderization in html while redirecting (expressjs/serve-static#173)

New Contributors

• @​UlisesGascon made their first contribution in expressjs/serve-static#173

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

1.15.0

• deps: send@0.18.0
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: depd@2.0.0
  • deps: destroy@1.2.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1
  • deps: statuses@2.0.1

1.14.2

• deps: send@0.17.2
  • deps: http-errors@1.8.1
  • deps: ms@2.1.3
  • pref: ignore empty http tokens

... (truncated)

Changelog

Sourced from serve-static's changelog.

1.16.3 / 2024-12-15

• deps: send@~0.19.1
  • deps: encodeurl@~2.0.0

1.16.2 / 2024-09-11

• deps: encodeurl@~2.0.0

1.16.1 / 2024-09-11

• deps: send@0.19.0

1.16.0 / 2024-09-10

• Remove link renderization in html while redirecting

1.15.0 / 2022-03-24

• deps: send@0.18.0
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: depd@2.0.0
  • deps: destroy@1.2.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1
  • deps: statuses@2.0.1

1.14.2 / 2021-12-15

• deps: send@0.17.2
  • deps: http-errors@1.8.1
  • deps: ms@2.1.3
  • pref: ignore empty http tokens

1.14.1 / 2019-05-10

• Set stricter CSP header in redirect response
• deps: send@0.17.1
  • deps: range-parser@~1.2.1

1.14.0 / 2019-05-07

... (truncated)

Commits

• 9acad22 1.16.3 (#229)
• 52dc97d deps: send@~0.19.1 and upgrade Node.js versions on the CI (#227)
• ec9c5ec 1.16.2
• f454d37 fix(deps): encodeurl@~2.0.0
• 77a8255 1.16.1
• 4263f49 fix(deps): send@0.19.0
• 48c7397 1.16.0
• 0c11fad Merge commit from fork
• 9b5a12a 1.15.0
• a39a0df docs: update CI link
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.

Updates serve-static from 1.13.2 to 1.16.3

Release notes

Sourced from serve-static's releases.

v1.16.3

What's Changed

• deps: send@~0.19.1 by @​Phillip9587 in expressjs/serve-static#227
• Release: 1.16.3 by @​UlisesGascon in expressjs/serve-static#229

Full Changelog: expressjs/serve-static@v1.16.2...v1.16.3

v1.16.2

What's Changed

• encodeurl@~2.0.0 by @​wesleytodd in expressjs/serve-static#180

Full Changelog: expressjs/serve-static@v1.16.1...v1.16.2

v1.16.1

What's Changed

• bump send to 0.19 by @​tommasini in expressjs/serve-static#176

New Contributors

• @​tommasini made their first contribution in expressjs/serve-static#176

Full Changelog: expressjs/serve-static@1.16.0...v1.16.1

1.16.0

What's Changed

• Remove link renderization in html while redirecting (expressjs/serve-static#173)

New Contributors

• @​UlisesGascon made their first contribution in expressjs/serve-static#173

Full Changelog: expressjs/serve-static@v1.15.0...1.16.0

1.15.0

• deps: send@0.18.0
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: depd@2.0.0
  • deps: destroy@1.2.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1
  • deps: statuses@2.0.1

1.14.2

• deps: send@0.17.2
  • deps: http-errors@1.8.1
  • deps: ms@2.1.3
  • pref: ignore empty http tokens

... (truncated)

Changelog

Sourced from serve-static's changelog.

1.16.3 / 2024-12-15

• deps: send@~0.19.1
  • deps: encodeurl@~2.0.0

1.16.2 / 2024-09-11

• deps: encodeurl@~2.0.0

1.16.1 / 2024-09-11

• deps: send@0.19.0

1.16.0 / 2024-09-10

• Remove link renderization in html while redirecting

1.15.0 / 2022-03-24

• deps: send@0.18.0
  • Fix emitted 416 error missing headers property
  • Limit the headers removed for 304 response
  • deps: depd@2.0.0
  • deps: destroy@1.2.0
  • deps: http-errors@2.0.0
  • deps: on-finished@2.4.1
  • deps: statuses@2.0.1

1.14.2 / 2021-12-15

• deps: send@0.17.2
  • deps: http-errors@1.8.1
  • deps: ms@2.1.3
  • pref: ignore empty http tokens

1.14.1 / 2019-05-10

• Set stricter CSP header in redirect response
• deps: send@0.17.1
  • deps: range-parser@~1.2.1

1.14.0 / 2019-05-07

... (truncated)

Commits

• 9acad22 1.16.3 (#229)
• 52dc97d deps: send@~0.19.1 and upgrade Node.js versions on the CI (#227)
• ec9c5ec 1.16.2
• f454d37 fix(deps): encodeurl@~2.0.0
• 77a8255 1.16.1
• 4263f49 fix(deps): send@0.19.0
• 48c7397 1.16.0
• 0c11fad Merge commit from fork
• 9b5a12a 1.15.0
• a39a0df docs: update CI link
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for serve-static since your current version.

Updates socket.io from 4.6.1 to 4.6.2

Changelog

Sourced from socket.io's changelog.

4.6.2 (2023-05-31)

Bug Fixes

• exports: move types condition to the top (#4698) (3d44aae)

Dependencies

• engine.io@~6.4.0 (no change)
• ws@~8.11.0 (no change)

Commits

• faf914c chore(release): 4.6.2
• 15af22f refactor: add a noop handler for the error event
• d365894 chore: bump socket.io-parser to version 4.2.3
• 12b0de4 chore: bump engine.io to version 6.4.2
• 3d44aae fix(exports): move types condition to the top (#4698)
• cbf0362 docs(examples): bump dependencies for the private messaging example
• 59280da docs(examples): update examples to docker compose v2
• 50a4d37 docs(changelog): add version of transitive dependencies
• 6458b2b docs(example): basic WebSocket-only client
• b56da8a docs(examples): upgrade to React 18
• See full diff in compare view

Updates request from 2.88.0 to 2.88.2

Changelog

Sourced from request's changelog.

Change Log

Commits

• See full diff in compare view

Updates requirejs from 2.3.6 to 2.3.7

Commits

• 1874a29 Rev to 2.3.7
• 152f450 Merge pull request #1016 from requirejs/jr/1854-pollution
• ecc356a Fixes requirejs/requirejs#1854, pollution
• acec536 SECURITY.md
• See full diff in compare view

Updates brace-expansion from 1.1.11 to 1.1.13

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates brace-expansion from 2.0.1 to 2.0.3

Release notes

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

Commits

• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates cookie from 0.4.2 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

0.5.0

• Add priority option
• Fix expires option to reject invalid dates
• pref: improve default decode speed
• pref: remove slow string split in parse

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates follow-redirects from 1.14.9 to 1.15.11

Commits

• 21ef28a Release version 1.15.11 of the npm package.
• 7c88135 Roll back tree shaking.
• 6e389ba Release version 1.15.10 of the npm package.
• 5bc496e Shake me up before you go-go.
• 694d6b4 Bump minimist from 1.2.5 to 1.2.8
• e4e55c7 Release version 1.15.9 of the npm package.
• 31a1abf Attempt much more gentle detection.
• d2aaa97 Fix url field.
• 62558f0 Release version 1.15.8 of the npm package.
• a8d1cee Return subtlety.
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates qs from 6.11.0 to 6.15.0

Changelog

Sourced from qs's changelog.

6.15.0

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
• [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use sha...

  Description has been truncated