Bump the npm_and_yarn group across 17 directories with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
@modelcontextprotocol/sdk	1.24.3	1.26.0
diff	7.0.0	8.0.3
diff	4.0.2	4.0.4
diff	5.2.0	5.2.2
next	15.5.9	15.5.10
tar	6.2.1	7.5.9
webpack	5.94.0	5.105.2
axios	1.13.2	1.13.5
lodash	4.17.21	4.17.23
undici	7.16.0	7.22.0

Bumps the npm_and_yarn group with 7 updates in the /build directory:

Package	From	To
brace-expansion	1.1.11	1.1.12
brace-expansion	2.0.1	2.0.2
jws	3.2.2	3.2.3
jws	4.0.0	4.0.1
lodash	4.17.21	4.17.23
tar-fs	2.1.1	2.1.4
qs	6.13.0	6.15.0
fast-xml-parser	4.5.0	5.3.7
tmp	0.2.3	0.2.5

Bumps the npm_and_yarn group with 2 updates in the /build/npm/gyp directory: glob and tar.
Bumps the npm_and_yarn group with 1 update in the /extensions/css-language-features directory: brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /extensions/github-authentication directory: form-data.
Bumps the npm_and_yarn group with 1 update in the /extensions/html-language-features directory: brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /extensions/json-language-features directory: brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /extensions/markdown-language-features directory: brace-expansion.
Bumps the npm_and_yarn group with 2 updates in the /extensions/microsoft-authentication directory: form-data and jws.
Bumps the npm_and_yarn group with 1 update in the /extensions/notebook-renderers directory: form-data.
Bumps the npm_and_yarn group with 2 updates in the /extensions/npm directory: brace-expansion and js-yaml.
Bumps the npm_and_yarn group with 1 update in the /extensions/open-remote-ssh directory: @babel/runtime-corejs3.
Bumps the npm_and_yarn group with 1 update in the /extensions/vscode-api-tests directory: node-forge.
Bumps the npm_and_yarn group with 2 updates in the /remote directory: tar-fs and undici.
Bumps the npm_and_yarn group with 2 updates in the /test/automation directory: brace-expansion and tmp.
Bumps the npm_and_yarn group with 2 updates in the /test/integration/browser directory: brace-expansion and tmp.
Bumps the npm_and_yarn group with 2 updates in the /test/smoke directory: brace-expansion and form-data.

Updates @modelcontextprotocol/sdk from 1.24.3 to 1.26.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

• chore: bump v1.25.3 for backport fixes by @​pcarleton in modelcontextprotocol/typescript-sdk#1412
• fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @​samuv in modelcontextprotocol/typescript-sdk#1382
• Fix #1430: Client Credentials providers scopes support (backported) by @​NSeydoux in modelcontextprotocol/typescript-sdk#1442
• chore: bump version to 1.26.0 by @​pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

• @​samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382
• @​NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

• [v1.x backport] Use correct schema for client sampling validation when tools are present by @​olaservo in modelcontextprotocol/typescript-sdk#1407
• fix: prevent Hono from overriding global Response object (v1.x) by @​mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

• ci: trigger workflow on v1.x branch by @​felixweinberger in modelcontextprotocol/typescript-sdk#1319
• fix: README badges links destinations by @​antonpk1 in modelcontextprotocol/typescript-sdk#907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @​pcarleton in modelcontextprotocol/typescript-sdk#1365

New Contributors

• @​antonpk1 made their first contribution in modelcontextprotocol/typescript-sdk#907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

• spec types - backwards compatibility changes by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1306
• chore: bump version for patch fix by @​felixweinberger in modelcontextprotocol/typescript-sdk#1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

• list changed handlers on client constructor by @​mattzcarey in modelcontextprotocol/typescript-sdk#1206
• Role - moved from inline to reusable type by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1221
• fix: use versioned npm tag for non-main branch releases by @​pcarleton in modelcontextprotocol/typescript-sdk#1236
• No automatic completion support unless needed - Revisited yet again by @​cliffhall in modelcontextprotocol/typescript-sdk#1237
• fix: Support updating output schema by @​vincent0426 in modelcontextprotocol/typescript-sdk#1048

... (truncated)

Commits

• fe9c07b chore: bump version to 1.26.0 (#1479)
• 4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
• a05be17 Merge commit from fork
• 50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
• aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
• 6aba065 chore: bump v1.25.3 for backport fixes (#1412)
• 6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
• 12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
• b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
• a0c9b13 fix: README badges links destinations (#907)
• Additional commits viewable in compare view

Updates diff from 7.0.0 to 8.0.3

Changelog

Sourced from diff's changelog.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
• #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
• #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

8.0.2

• #616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
• #612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

8.0.1

• #610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

8.0.0

• #580 Multiple tweaks to diffSentences:
  • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
  • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
  • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
  • the README now correctly documents the tokenization behaviour (it was wrong before)
• #581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
• #595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
• #596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
• #591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:

  • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

    Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

  • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

  • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

  • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

  • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

• #601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
  • Each key/value pair now gets passed through the replacer once instead of twice
  • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
• #602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

Commits

• 13576bf 8.0.3 release (#652)
• 1179ccb Ignore .zed (#651)
• 949d6e2 Add test for the vuln I just fixed (#650)
• 15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
• de95cca Fix potentially cubic-time regex in parsePatch (#647)
• b9aeede Allow more customisation of file headers in patches (#641)
• 43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
• b8162c7 Bump node-forge from 1.3.1 to 1.3.2
• ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
• 3e1774a Fix a comment typo (#633)
• Additional commits viewable in compare view

Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
• #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
• #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

8.0.2

• #616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
• #612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

8.0.1

• #610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

8.0.0

• #580 Multiple tweaks to diffSentences:
  • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
  • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
  • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
  • the README now correctly documents the tokenization behaviour (it was wrong before)
• #581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
• #595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
• #596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
• #591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:

  • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

    Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

  • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

  • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

  • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

  • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

• #601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
  • Each key/value pair now gets passed through the replacer once instead of twice
  • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
• #602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

Commits

• 13576bf 8.0.3 release (#652)
• 1179ccb Ignore .zed (#651)
• 949d6e2 Add test for the vuln I just fixed (#650)
• 15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
• de95cca Fix potentially cubic-time regex in parsePatch (#647)
• b9aeede Allow more customisation of file headers in patches (#641)
• 43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
• b8162c7 Bump node-forge from 1.3.1 to 1.3.2
• ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
• 3e1774a Fix a comment typo (#633)
• Additional commits viewable in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.
• #641 - the format of file headers in createPatch etc. patches can now be customised somewhat. It now takes a headerOptions option that can be used to disable the file headers entirely, or omit the Index: line and/or the underline. In particular, this was motivated by a request to make jsdiff patches compatible with react-diff-view, which they now are if produced with headerOptions: FILE_HEADERS_ONLY.
• #647 and #649 - fix denial-of-service vulnerabilities in parsePatch whereby adversarial input could cause a memory-leaking infinite loop, typically crashing the calling process. Also fixed ReDOS vulnerabilities whereby adversarially-crafted patch headers could take cubic time to parse. Now, parsePatch should reliably take linear time. (Handling of headers that include the line break characters \r, \u2028, or \u2029 in non-trailing positions is also now more reasonable as side effect of the fix.)

8.0.2

• #616 Restored compatibility of diffSentences with old Safari versions. This was broken in 8.0.0 by the introduction of a regex with a lookbehind assertion; these weren't supported in Safari prior to version 16.4.
• #612 Improved tree shakeability by marking the built CJS and ESM packages with sideEffects: false.

8.0.1

• #610 Fixes types for diffJson which were broken by 8.0.0. The new bundled types in 8.0.0 only allowed diffJson to be passed string arguments, but it should've been possible to pass either strings or objects (and now is). Thanks to Josh Kelley for the fix.

8.0.0

• #580 Multiple tweaks to diffSentences:
  • tokenization no longer takes quadratic time on pathological inputs (reported as a ReDOS vulnerability by Snyk); is now linear instead
  • the final sentence in the string is now handled the same by the tokenizer regardless of whether it has a trailing punctuation mark or not. (Previously, "foo. bar." tokenized to ["foo.", " ", "bar."] but "foo. bar" tokenized to ["foo.", " bar"] - i.e. whether the space between sentences was treated as a separate token depended upon whether the final sentence had trailing punctuation or not. This was arbitrary and surprising; it is no longer the case.)
  • in a string that starts with a sentence end, like "! hello.", the "!" is now treated as a separate sentence
  • the README now correctly documents the tokenization behaviour (it was wrong before)
• #581 - fixed some regex operations used for tokenization in diffWords taking O(n^2) time in pathological cases
• #595 - fixed a crash in patch creation functions when handling a single hunk consisting of a very large number (e.g. >130k) of lines. (This was caused by spreading indefinitely-large arrays to .push() using .apply or the spread operator and hitting the JS-implementation-specific limit on the maximum number of arguments to a function, as shown at https://stackoverflow.com/a/56809779/1709587; thus the exact threshold to hit the error will depend on the environment in which you were running JsDiff.)
• #596 - removed the merge function. Previously JsDiff included an undocumented function called merge that was meant to, in some sense, merge patches. It had at least a couple of serious bugs that could lead to it returning unambiguously wrong results, and it was difficult to simply "fix" because it was unclear precisely what it was meant to do. For now, the fix is to remove it entirely.
• #591 - JsDiff's source code has been rewritten in TypeScript. This change entails the following changes for end users:

  • the diff package on npm now includes its own TypeScript type definitions. Users who previously used the @types/diff npm package from DefinitelyTyped should remove that dependency when upgrading JsDiff to v8.

    Note that the transition from the DefinitelyTyped types to JsDiff's own type definitions includes multiple fixes and also removes many exported types previously used for options arguments to diffing and patch-generation functions. (There are now different exported options types for abortable calls - ones with a timeout or maxEditLength that may give a result of undefined - and non-abortable calls.) See the TypeScript section of the README for some usage tips.

  • The Diff object is now a class. Custom extensions of Diff, as described in the "Defining custom diffing behaviors" section of the README, can therefore now be done by writing a class CustomDiff extends Diff and overriding methods, instead of the old way based on prototype inheritance. (I think code that did things the old way should still work, though!)

  • diff/lib/index.es6.js and diff/lib/index.mjs no longer exist, and the ESM version of the library is no longer bundled into a single file.

  • The ignoreWhitespace option for diffWords is no longer included in the type declarations. The effect of passing ignoreWhitespace: true has always been to make diffWords just call diffWordsWithSpace instead, which was confusing, because that behaviour doesn't seem properly described as "ignoring" whitespace at all. The property remains available to non-TypeScript applications for the sake of backwards compatibility, but TypeScript applications will now see a type error if they try to pass ignoreWhitespace: true to diffWords and should change their code to call diffWordsWithSpace instead.

  • JsDiff no longer purports to support ES3 environments. (I'm pretty sure it never truly did, despite claiming to in its README, since even the 1.0.0 release used Array.map which was added in ES5.)

• #601 - diffJson's stringifyReplacer option behaves more like JSON.stringify's replacer argument now. In particular:
  • Each key/value pair now gets passed through the replacer once instead of twice
  • The key passed to the replacer when the top-level object is passed in as value is now "" (previously, was undefined), and the key passed with an array element is the array index as a string, like "0" or "1" (previously was whatever the key for the entire array was). Both the new behaviours match that of JSON.stringify.
• #602 - diffing functions now consistently return undefined when called in async mode (i.e. with a callback). Previously, there was an odd quirk where they would return true if the strings being diffed were equal and undefined otherwise.

Commits

• 13576bf 8.0.3 release (#652)
• 1179ccb Ignore .zed (#651)
• 949d6e2 Add test for the vuln I just fixed (#650)
• 15a1585 Fix the second denial-of-service vulnerability in parsePatch (#649)
• de95cca Fix potentially cubic-time regex in parsePatch (#647)
• b9aeede Allow more customisation of file headers in patches (#641)
• 43c716c Merge pull request #636 from kpdecker/dependabot/npm_and_yarn/node-forge-1.3.2
• b8162c7 Bump node-forge from 1.3.1 to 1.3.2
• ad6dc17 Fix some bugs in the diffWords regex (and errors & ambiguities in the comment...
• 3e1774a Fix a comment typo (#633)
• Additional commits viewable in compare view

Updates next from 15.5.9 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

Commits

• 60a2aa9 v15.5.10
• e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
• 39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
• bf9f084 Sync DoS mitigations for React Flight
• See full diff in compare view

Updates tar from 6.2.1 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 1f0c2c9 7.5.9
• fbb0851 build minified version as default export
• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• d18e4e1 fix: do not write linkpaths through symlinks
• 4a37eb9 7.5.7
• f4a7aa9 fix: properly sanitize hard links containing ..
• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates webpack from 5.94.0 to 5.105.2

Release notes

Sourced from webpack's releases.

v5.105.2

Patch Changes

• Fixed WebpackPluginInstance type regression. (by @​alexander-akait in #20440)

v5.105.1

Patch Changes

• Fix VirtualUrlPlugin Windows compatibility by sanitizing cache keys and filenames. Cache keys now use toSafePath to replace colons (:) with double underscores (__) and sanitize other invalid characters, ensuring compatibility with Windows filesystem restrictions. (by @​xiaoxiaojx in #20424)

• Revert part of the createRequire generation behavior for require("node:...") to keep compatibility with those modules exports, e.g. const EventEmitter = require("node:events");. (by @​hai-x in #20433)

• Skip guard collection when exports-presence mode is disabled to improve parsing performance. (by @​hai-x in #20433)

v5.105.0

Minor Changes

• Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #20353)

• Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #20320)

• Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #20400)

• Support import.defer() for context modules. (by @​ahabhgk in #20399)

• Added support for array values ​​to the devtool option. (by @​hai-x in #20191)

• Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #20255)

• Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #20312)

Patch Changes

• Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #20189)

• Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #20313)

• Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #20258)

• Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #20265)

• Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #20390)

• Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #20381)

• Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #20345)

• Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @​samarthsinh2660 in #20251)

• Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @​hai-x in #20346)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.2

Patch Changes

• Fixed WebpackPluginInstance type regression. (by @​alexander-akait in #20440)

5.105.1

Patch Changes

• Fix VirtualUrlPlugin Windows compatibility by sanitizing cache keys and filenames. Cache keys now use toSafePath to replace colons (:) with double underscores (__) and sanitize other invalid characters, ensuring compatibility with Windows filesystem restrictions. (by @​xiaoxiaojx in #20424)

• Revert part of the createRequire generation behavior for require("node:...") to keep compatibility with those modules exports, e.g. const EventEmitter = require("node:events");. (by @​hai-x in #20433)

• Skip guard collection when exports-presence mode is disabled to impro...

  Description has been truncated