Bump the npm_and_yarn group across 4 directories with 18 updates

[dependabot]

Bumps the npm_and_yarn group with 13 updates in the /dynamic-plugins directory:

Package	From	To
@backstage/integration	1.18.1	1.20.1
@backstage/plugin-techdocs-node	1.13.6	1.14.3
@isaacs/brace-expansion	5.0.0	5.0.1
ajv	6.12.6	6.14.0
basic-ftp	5.0.5	5.2.0
dompurify	3.2.4	3.3.3
jsonpath	1.1.1	1.3.0
minimatch	3.1.2	3.1.5
multer	2.0.2	2.1.1
qs	6.5.3	6.5.5
rollup	4.31.0	4.59.0
svgo	2.8.0	2.8.2
webpack	5.95.0	5.105.4

Bumps the npm_and_yarn group with 1 update in the /e2e-tests directory: @keycloak/keycloak-admin-client.
Bumps the npm_and_yarn group with 3 updates in the /packages/backend directory: @backstage/plugin-scaffolder-backend, undici and @backstage/plugin-auth-backend.
Bumps the npm_and_yarn group with 1 update in the /plugins/licensed-users-info-backend directory: @backstage/plugin-auth-backend.

Updates @backstage/integration from 1.18.1 to 1.20.1

Changelog

Sourced from @​backstage/integration's changelog.

@​backstage/integration

2.0.0-next.2

Patch Changes

• 1513a0b: Fixed a security vulnerability where path traversal sequences in SCM URLs could be used to access unintended API endpoints using server-side integration credentials.

2.0.0-next.1

Major Changes

• 527cf88: BREAKING Removed deprecated Azure DevOps, Bitbucket, Gerrit and GitHub code:

  • For Azure DevOps, the long deprecated token string and credential object have been removed from the config.d.ts. Use the credentials array object instead.
  • For Bitbucket, the long deprecated bitbucket object has been removed from the config.d.ts. Use the bitbucketCloud or bitbucketServer objects instead.
  • For Gerrit, the parseGerritGitilesUrl function has been removed, use parseGitilesUrlRef instead. The buildGerritGitilesArchiveUrl function has also been removed, use buildGerritGitilesArchiveUrlFromLocation instead.
  • For GitHub, the getGitHubRequestOptions function has been removed.

Patch Changes

• 993a598: Fixed Azure integration config schema visibility annotations to use per-field @visibility secret instead of @deepVisibility secret on parent objects, so that non-secret fields like clientId, tenantId, organizations, and managedIdentityClientId are no longer incorrectly marked as secret.
• Updated dependencies
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7

1.21.0-next.0

Minor Changes

• d933f62: Add configurable throttling and retry mechanism for GitLab integration.

Patch Changes

• Updated dependencies
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7

1.20.0

Minor Changes

• 6999f6d: The AzureUrl class in the @​backstage/integration package is now able to process BOTH git branches and git tags. Initially this class only processed git branches and threw an error when non-branch Azure URLs were passed in.

Patch Changes

• cc6206e: Added support for {org}.visualstudio.com domains used by Azure DevOps
• 7455dae: Use node prefix on native imports

1.20.0-next.2

... (truncated)

Commits

• c8a8aac Version Packages
• 4aa43f6 chore(deps): update dependency cross-fetch to v4
• f577e11 Version Packages (next)
• 11153a0 Merge remote-tracking branch 'upstream/master' into entra-rename
• ad7d38c fix tests
• 243c655 Updated Azure Active Directory to Entra ID
• 8cdb8c2 Version Packages
• e43d3eb Version Packages (next)
• 0b55f77 Removed some unused dependencies
• bea3617 Version Packages (next)
• Additional commits viewable in compare view

Updates @backstage/plugin-techdocs-node from 1.13.6 to 1.14.3

Changelog

Sourced from @​backstage/plugin-techdocs-node's changelog.

@​backstage/plugin-techdocs-node

1.14.4-next.2

Patch Changes

• e96f6d9: Removed INHERIT from the ALLOWED_MKDOCS_KEYS set to address a security concern with MkDocs configuration inheritance.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0-next.1
  • @​backstage/integration@​2.0.0-next.2

1.14.3-next.1

Patch Changes

• cb7c6b1: Added techdocs.generator.mkdocs.dangerouslyAllowAdditionalKeys configuration option to explicitly bypass MkDocs configuration key restrictions. This enables support for additional MkDocs configuration keys beyond the default safe allow list, such as the hooks key which some MkDocs plugins require.
• Updated dependencies
  • @​backstage/integration@​2.0.0-next.1
  • @​backstage/backend-plugin-api@​1.7.1-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/integration-aws-node@​0.1.20
  • @​backstage/plugin-search-common@​1.2.22
  • @​backstage/plugin-techdocs-common@​0.1.1

1.14.3-next.0

Patch Changes

• Updated dependencies
  • @​backstage/integration@​1.21.0-next.0
  • @​backstage/backend-plugin-api@​1.7.1-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/integration-aws-node@​0.1.20
  • @​backstage/plugin-search-common@​1.2.22
  • @​backstage/plugin-techdocs-common@​0.1.1

1.14.2

Patch Changes

• 7455dae: Use node prefix on native imports
• 3c455d4: Some security fixes
• Updated dependencies
  • @​backstage/integration@​1.20.0
  • @​backstage/integration-aws-node@​0.1.20
  • @​backstage/backend-plugin-api@​1.7.0

... (truncated)

Commits

• See full diff in compare view

Updates @isaacs/brace-expansion from 5.0.0 to 5.0.1

Updates ajv from 6.12.6 to 6.14.0

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates basic-ftp from 5.0.5 to 5.2.0

Release notes

Sourced from basic-ftp's releases.

5.2.0

• Changed: Skip files with invalid name in downloadToDir.

5.1.0

• Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Changelog

Sourced from basic-ftp's changelog.

5.2.0

• Changed: Skip files with invalid name in downloadToDir. Fixes security vulnerability CVE-2026-27699, see GHSA-5rq4-664w-9x2c.

5.1.0

• Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Commits

• 5d41e45 Bump version
• 49c2e73 Update dependencies
• 2a2a0e6 Skip invalid filenames
• 65c90d9 Fix permissions for workflows
• 593cb78 Set permissions for workflow jobs
• 36adf11 Remove deprecated CodeQL check
• 9da4af0 Update changelog
• 6993039 Improve naming
• 0b8f756 Improve naming
• 67a53f2 Bump version
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates dompurify from 3.2.4 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

• Fixed several typos and removed clutter from our documentation, thanks @​Rotzbua
• Added matrix: as an allowed URI scheme, thanks @​kleinesfilmroellchen
• Added better config hardening against prototype pollution, thanks @​EffectRenan
• Added better handling of attribute removal, thanks @​michalnieruchalski-tiugo
• Added better configuration for aggressive mXSS scrubbing behavior, thanks @​BryanValverdeU
• Removed the script that caused the fake entry CVE-2025-48050

DOMPurify 3.2.5

• Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
• Added ESM type imports in source, removes patch function, thanks @​donmccurdy
• Added script to verify various TypeScript configurations, thanks @​reduckted
• Added more modern browsers to the Karma launchers list
• Added Node 23.x to tested runtimes, removed Node 17.x
• Fixed the generation of source maps, thanks @​reduckted
• Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
• Fixed a few typos in the README file

Commits

• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
• Additional commits viewable in compare view

Updates jsonpath from 1.1.1 to 1.3.0

Commits

• See full diff in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

• chore: add node version to 25.x in CI by @​imangas in expressjs/multer#1372
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @​dependabot[bot] in expressjs/multer#1378
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/multer#1377
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @​dependabot[bot] in expressjs/multer#1376
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @​dependabot[bot] in expressjs/multer#1375
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @​dependabot[bot] in expressjs/multer#1374
• fix error/abort handling by @​ctcpip in expressjs/multer#1373
• 2.1.1 by @​UlisesGascon in expressjs/multer#1380

New Contributors

• @​imangas made their first contribution in expressjs/multer#1372
• @​dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

Commits

• 368c8a1 2.1.1 (#1380)
• 7e66481 🐛 fix recursion issue
• 643571e ✅ add explicit test for client able to send body without abrupt disconnect
• e86fa52 fix error/abort handling
• ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
• 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
• bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
• c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
• fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
• 17d7f51 chore: add node version to 25.x in CI
• Additional commits viewable in compare view

Updates qs from 6.5.3 to 6.5.5

Changelog

Sourced from qs's changelog.

6.5.5

• [Fix] fix regressions from robustness refactor
• [meta] add npmignore to autogenerate an npmignore file
• [actions] update reusable workflows

6.5.4

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

Commits

• 3a6d9f8 v6.5.5
• 48160e7 [actions] update reusable workflows
• 2fc004a [meta] add npmignore to autogenerate an npmignore file
• ddcc5d5 [Fix] fix regressions from robustness refactor
• c190488 v6.5.4
• 40b77c3 [actions] fix rebase workflow permissions
• 6e39e92 [readme] document that addQueryPrefix does not add ? to empty output
• 4e393de [readme] replace runkit CI badge with shields.io check-runs badge
• dbb0346 [readme] clarify parseArrays and arrayLimit documentation
• 6b8b4d8 [Robustness] avoid .push, use void
• See full diff in compare view

Updates rollup from 4.31.0 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)

... (truncated)

Commits

• ae84695 4.59.0
• b39616e Update audit-resolve
• c60770d Validate bundle stays within output dir (#6275)
• 33f39c1 4.58.0
• b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
• 7f00689 Extend agent instructions
• e7b2b85 chore(deps): lock file maintenance (#6270)
• 2aa5da9 fix(deps): update minor/patch updates (#6267)
• 4319837 chore(deps): update dependency lru-cache to v11 (#6269)
• c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates svgo from 2.8.0 to 2.8.2

Release notes

Sourced from svgo's releases.

v2.8.2

This is effectively just a re-release of SVGO v2.8.1, but with *.test.js files omitted. It seems something was wrong with the configuration in the v2.8.0 tag and I hadn't noticed it included a few extra files. 😅

We'll deprecate v2.8.1, and I'll include the change log here.

What's Changed

Dependencies

• Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

• No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

	v2.8.0	v2.8.2	Delta
svgo.browser.js	587.2 kB	589.2 kB	⬆️ 2 kB

Support

SVGO v2 is not officially supported, please consider upgrading to SVGO v4 instead. We've backported this fix as there are security implications, but there is no commitment to do this for more complex changes in future.

Consider reading our Migration Guide from v2 to v3 and Migration Guide from v3 to v4 which should ease the process.

v2.8.1

Deprecated

This release left *.test.js files in the package, which have been omitted in v2.8.2. Sorry for the noise!

What's Changed

Dependencies

• Migrates from our unsupported fork of sax (@​trysound/sax) to the upstream version of sax (sax).

Bug Fixes

• No longer throws error when encountering comments in DTD.

Metrics

Before and after of the browser bundle of each respective version:

	v2.8.0	v2.8.1	Delta

... (truncated)

Commits

• f706b07 deps: upgrade to sax v1.5.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by sethiii, a new releaser for svgo since your current version.

Updates underscore from 1.12.1 to 1.13.6

Commits

• bd2d35c Merge remote-tracking branch 'upstream/master'
• 2e7c0f2 Update generated files, tag 1.13.6 release
• 732cafe Underscore 1.13.6
• e8f86fb Add changelog entry for versioin 1.13.6
• 43e827a Bump the version to 1.13.6 (hotfix)
• 1c1d1a2 Remove patch-package postinstall script
• 4eb6894 Merge pull request #2974 from paulsmithkc/patch-1
• 2edcdc1 Hostfix for broken builds
• 66ee70d Verify that production and doc builds still work in CI
• 68e5eb6 Update generated sources, tag 1.13.5 release
• Additional commits viewable in compare view

Updates webpack from 5.95.0 to 5.105.4

Release notes

Sourced from webpack's releases.

v5.105.4

Patch Changes

• Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

• Handle createRequire in expressions. (by @​alexander-akait in #20549)

• Fixed types for multi stats. (by @​alexander-akait in #20556)

• Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

• Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

• Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

v5.105.3

Patch Changes

• Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

• Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

• Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

• Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

• Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

• Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

• Fix some types. (by @​alexander-akait in #20412)

• Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @​hai-x in #20510)

• Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

• Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

• Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

• Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

v5.105.2

Patch Changes

• Fixed WebpackPluginInstance type regression. (by @​alexander-akait in #20440)

v5.105.1

Patch Changes

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.4

Patch Changes

• Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

• Handle createRequire in expressions. (by @​alexander-akait in #20549)

• Fixed types for multi stats. (by @​alexander-akait in #20556)

• Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

• Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

• Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

5.105.3

Patch Changes

• Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

• Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

• Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

• Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

• Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now cor...

  Description has been truncated