Sourced from next's releases.

v14.2.35

Please see the Next.js Security Update for information about this security patch.

• 7b940d9 v14.2.35
• 7c1be85 Backport facebook/react#35351 for 14.2.34 (#87095)
• f307368 v14.2.34
• 8e43882 Update React Version (#36)
• 385e8c2 Backport Next.js changes to v14.2.34 (#29)
• 7a2cf51 update version script
• 778e7bf lock swc binaries
• 5a97b40 v14.2.33
• cb88824 backport(v14): omit searchParam data from FlightRouterState before transport ...
• 89ee561 v14.2.32
• Additional commits viewable in compare view

Sourced from @​supabase/auth-js's releases.

v2.89.0

2.89.0 (2025-12-18)

🚀 Features

• auth: add X (OAuth 2.0) provider (#1960)
• auth: add string array support for AMR claims (#1967)
• supabase: export DatabaseWithoutInternals utility type (#1935)

❤️ Thank You

• Cemal Kılıç @​cemalkilic
• issuedat @​issuedat
• Vaibhav @​7ttp

v2.88.1-canary.2

2.88.1-canary.2 (2025-12-18)

🚀 Features

• supabase: export DatabaseWithoutInternals utility type (#1935)

❤️ Thank You

• Vaibhav @​7ttp

v2.88.1-canary.1

2.88.1-canary.1 (2025-12-17)

🚀 Features

• auth: add string array support for AMR claims (#1967)

❤️ Thank You

• Cemal Kılıç @​cemalkilic

v2.88.1-canary.0

2.88.1-canary.0 (2025-12-17)

🚀 Features

• auth: add X (OAuth 2.0) provider (#1960)

❤️ Thank You

• issuedat @​issuedat

v2.88.0

2.88.0 (2025-12-16)

... (truncated)

Sourced from @​supabase/auth-js's changelog.

2.89.0 (2025-12-18)

🚀 Features

• auth: add string array support for AMR claims (#1967)
• auth: add X (OAuth 2.0) provider (#1960)

❤️ Thank You

• Cemal Kılıç @​cemalkilic
• issuedat @​issuedat

2.88.0 (2025-12-16)

🚀 Features

• auth: allow custom predicate for detectSessionInUrl option (#1958)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.87.3 (2025-12-15)

This was a version bump only for @​supabase/auth-js to align it with other projects, there were no code changes.

2.87.2 (2025-12-15)

🩹 Fixes

• auth: add helpful error when PKCE code verifier is missing (#1931)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.87.1 (2025-12-09)

🩹 Fixes

• auth: skip navigator lock when persistSession is false (#1928)

❤️ Thank You

• Vaibhav @​7ttp

2.87.0 (2025-12-08)

This was a version bump only for @​supabase/auth-js to align it with other projects, there were no code changes.

... (truncated)

• efca12c feat(auth): add string array support for AMR claims (#1967)
• 281070a feat(auth): add X (OAuth 2.0) provider (#1960)
• ba17c2f chore(release): version 2.88.0 changelogs (#1965)
• f346169 feat(auth): allow custom predicate for detectSessionInUrl option (#1958)
• f57b882 chore(release): version 2.87.3 changelogs (#1954)
• a660d29 chore(release): version 2.87.2 changelogs (#1952)
• 9c73572 chore(auth): typo in error message (#1944)
• 32d2187 fix(auth): add helpful error when PKCE code verifier is missing (#1931)
• 13af49b chore(release): version 2.87.1 changelogs (#1934)
• eae712d fix(auth): skip navigator lock when persistSession is false (#1928)
• Additional commits viewable in compare view

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​supabase/auth-js since your current version.

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Sourced from brace-expansion's releases.

v1.1.12

• pkg: publish on tag 1.x c460dbd
• fmt ccb8ac6
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) c3c73c8

---

juliangruber/brace-expansion@v1.1.11...v1.1.12

• 44f33b4 1.1.12
• c460dbd pkg: publish on tag 1.x
• ccb8ac6 fmt
• c3c73c8 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Sourced from cookie's releases.

v1.1.1

Fixed

• Overwrite value in passed in options (#253) c66147c
  • When value was provided in serialize(key, value, { value }) the value in options was used instead of the value passed as an argument

---

jshttp/cookie@v1.1.0...v1.1.1

v1.1.0

Added:

• Add stringifyCookie and parseSetCookie methods (#244, #214)
• Rename existing methods for clarity (old method names remain for backward compatibility)
  • parse → parseCookie
  • serialize → stringifySetCookie
• Add side effects field (#245) 00b0327

---

jshttp/cookie@v1.0.2...v1.1.0

v1.0.2

Fixed

• Loosen cookie name/value validation (#210)
• fix: options.priority used incorrect fallback (#207) by @​jonchurch

Added

• Add import example to README (#190) by @​isnifer

jshttp/cookie@v1.0.1...v1.0.2

v1.0.1

Added

• Allow case insensitive options (#194) 3bed080

jshttp/cookie@v1.0.0...v1.0.1

v1.0.0

Breaking changes

• Use modern JS features, ship TypeScript definition (#175) 1cc64ff
  • Adds __esModule marker, imports need to use import { parse, serialize } or import * as cookie
• Minimum node.js v18
• Uses null prototype object for parse return value
• Changes strict and priority to match the lower case strings (i.e. low, not LOW or Low)

... (truncated)

• 1b89eec 1.1.1
• c66147c Overwrite value in passed in options (#253)
• 09cec9f 1.1.0
• 05ebd34 Add tests for parsing top sites (#249)
• 6214eaf Add benchmark for parseSetCookie (#247)
• 71798d7 Fix skip over of boolean attributes (#248)
• 9e41cf1 build(deps): bump the npm_and_yarn group across 1 directory with 4 updates (#...
• 6fea506 Add parse method for set-cookie (#244)
• 00b0327 Add side effects field (#245)
• 94586de feat: remove dependabot from repo (#242)
• Additional commits viewable in compare view

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• Additional commits viewable in compare view

Sourced from next's releases.

v14.2.35

Please see the Next.js Security Update for information about this security patch.

• 7b940d9 v14.2.35
• 7c1be85 Backport facebook/react#35351 for 14.2.34 (#87095)
• f307368 v14.2.34
• 8e43882 Update React Version (#36)
• 385e8c2 Backport Next.js changes to v14.2.34 (#29)
• 7a2cf51 update version script
• 778e7bf lock swc binaries
• 5a97b40 v14.2.33
• cb88824 backport(v14): omit searchParam data from FlightRouterState before transport ...
• 89ee561 v14.2.32
• Additional commits viewable in compare view

Sourced from @​supabase/auth-js's releases.

v2.89.0

2.89.0 (2025-12-18)

🚀 Features

• auth: add X (OAuth 2.0) provider (#1960)
• auth: add string array support for AMR claims (#1967)
• supabase: export DatabaseWithoutInternals utility type (#1935)

❤️ Thank You

• Cemal Kılıç @​cemalkilic
• issuedat @​issuedat
• Vaibhav @​7ttp

v2.88.1-canary.2

2.88.1-canary.2 (2025-12-18)

🚀 Features

• supabase: export DatabaseWithoutInternals utility type (#1935)

❤️ Thank You

• Vaibhav @​7ttp

v2.88.1-canary.1

2.88.1-canary.1 (2025-12-17)

🚀 Features

• auth: add string array support for AMR claims (#1967)

❤️ Thank You

• Cemal Kılıç @​cemalkilic

v2.88.1-canary.0

2.88.1-canary.0 (2025-12-17)

🚀 Features

• auth: add X (OAuth 2.0) provider (#1960)

❤️ Thank You

• issuedat @​issuedat

v2.88.0

2.88.0 (2025-12-16)

... (truncated)

Sourced from @​supabase/auth-js's changelog.

2.89.0 (2025-12-18)

🚀 Features

• auth: add string array support for AMR claims (#1967)
• auth: add X (OAuth 2.0) provider (#1960)

❤️ Thank You

• Cemal Kılıç @​cemalkilic
• issuedat @​issuedat

2.88.0 (2025-12-16)

🚀 Features

• auth: allow custom predicate for detectSessionInUrl option (#1958)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.87.3 (2025-12-15)

This was a version bump only for @​supabase/auth-js to align it with other projects, there were no code changes.

2.87.2 (2025-12-15)

🩹 Fixes

• auth: add helpful error when PKCE code verifier is missing (#1931)

❤️ Thank You

• Katerina Skroumpelou @​mandarini

2.87.1 (2025-12-09)

🩹 Fixes

• auth: skip navigator lock when persistSession is false (#1928)

❤️ Thank You

• Vaibhav @​7ttp

2.87.0 (2025-12-08)

This was a version bump only for @​supabase/auth-js to align it with other projects, there were no code changes.

... (truncated)

• efca12c feat(auth): add string array support for AMR claims (#1967)
• 281070a feat(auth): add X (OAuth 2.0) provider (#1960)
• ba17c2f chore(release): version 2.88.0 changelogs (#1965)
• f346169 feat(auth): allow custom predicate for detectSessionInUrl option (#1958)
• f57b882 chore(release): version 2.87.3 changelogs (#1954)
• a660d29 chore(release): version 2.87.2 changelogs (#1952)
• 9c73572 chore(auth): typo in error message (#1944)
• 32d2187 fix(auth): add helpful error when PKCE code verifier is missing (#1931)
• 13af49b chore(release): version 2.87.1 changelogs (#1934)
• eae712d fix(auth): skip navigator lock when persistSession is false (#1928)
• Additional commits viewable in compare view

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​supabase/auth-js since your current version.

Sourced from @​vercel/flags's releases.

@​vercel/flags@​3.1.1

Patch Changes

• 6955b68: emit reduced console info when falling back to defaultValue during development
• cf532da: Update package.json and tsup.config.js for flags package

@​vercel/flags@​3.1.0

Minor Changes

• 76feb16: Add mergeProviderData function to @vercel/flags.

  This function allows merging ProviderData from multiple sources.

  This is handy when you declare feature flags in code, and want to extend those definitions with data loaded from your feature flag provider.

  import { verifyAccess, mergeProviderData, type ApiData } from '@vercel/flags';
  import { getProviderData } from '@vercel/flags/next';
  import { NextResponse, type NextRequest } from 'next/server';
  import { getProviderData as getStatsigProviderData } from '@flags-sdk/statsig';
  import * as flagsA from '../../../../flags-a'; // your feature flags file(s)
  import * as flagsB from '../../../../flags-b'; // your feature flags file(s)
  export async function GET(request: NextRequest) {
  const access = await verifyAccess(request.headers.get('Authorization'));
  if (!access) return NextResponse.json(null, { status: 401 });
  const providerData = await mergeProviderData([
  // expose flags declared in code first
  getProviderData({ ...flagsA, ...flagsB }),
  // then enhance them with metadata from your flag provider
  getStatsigProviderData({ consoleApiKey: '', projectId: '' }),
  ]);
  return NextResponse.json<ApiData>(providerData);
  }

Patch Changes

• 2713ea7: Handle undefined values

  • fix: Fall back to defaultValue when a feature flag returns undefined
  • fix: Throw error when a flag resolves to undefined and no defaultValue is present

  The value undefined can not be serialized so feature flags should never resolve to undefined. Use null instead.

  Fix exports

  • fix: Export Identify and Decide types

... (truncated)

• See full diff in compare view

• 63d5f66 Version Packages (#8895)
• 930399b Backport: fix(ai): download files when intermediate file cannot be downloaded...
• 7ca78f1 Backport: feat(provider/gateway): Add new Qwen models to Gateway model string...
• 1cfc209 Backport: feat(provider/openai): OpenAILanguageModelOptions type (#8858)
• 347b7ec ci: rename v5.0 branch to release-v*
• 85909a9 Backport: chore(ai): update test message (#8875)
• c56822d Backport: fix(ai): update uiMessageChunkSchema to satisfy the `UIMessageChu...
• 1461adf Backport: chore(examples): remove redundant OpenAI reasoning examples (#8871)
• 6bd07df Version Packages (#8853)
• a45d61a ci(release): remove incorrect changeset bump for @ai-sdk/baseten
• Additional commits viewable in compare view

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Sourced from katex's releases.

v0.16.21

0.16.21 (2025-01-17)

Bug Fixes

• escape \htmlData attribute name (57914ad)
  • See security advisory GHSA-cg87-wmx4-v546

v0.16.20

0.16.20 (2025-01-12)

Bug Fixes

• \providecommand does not overwrite existing macro (#4000) (6d30fe4), closes #3928

v0.16.19

0.16.19 (2024-12-29)

Bug Fixes

• types: improve strict function type (#4009) (4228b4e)

v0.16.18

0.16.18 (2024-12-18)

Bug Fixes

• Actually publish TypeScript type definitions (#4008) (629b873)

v0.16.17

0.16.17 (2024-12-17)

Bug Fixes

• MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM (#3999) (7d79e22), closes #3995

v0.16.16

0.16.16 (2024-12-17)

Features

• ESM exports, TypeScript types (#3992) (ea9c173)

... (truncated)

Sourced from katex's changelog.

0.16.21 (2025-01-17)

Bug Fixes

• escape \htmlData attribute name (57914ad)

0.16.20 (2025-01-12)

Bug Fixes

• \providecommand does not overwrite existing macro (#4000) (6d30fe4), closes #3928

0.16.19 (2024-12-29)

Bug Fixes

• types: improve strict function type (#4009) (4228b4e)

0.16.18 (2024-12-18)

Bug Fixes

• Actually publish TypeScript type definitions (#4008) (629b873)

0.16.17 (2024-12-17)

Bug Fixes

• MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM (#3999) (7d79e22), closes #3995

0.16.16 (2024-12-17)

Features

• ESM exports, TypeScript types (#3992) (ea9c173)

0.16.15 (2024-12-09)

Features

• italic sans-serif in math mode via \mathsfit command (#3998) (2218901)

0.16.14 (2024-12-08)

... (truncated)

• 923f2aa chore(release): 0.16.21 [ci skip]
• 57914ad fix: escape \htmlData attribute name
• ff28995 Merge commit from fork
• 28a0bf5 chore(release): 0.16.20 [ci skip]
• 6d30fe4 fix: \providecommand does not overwrite existing macro (#4000)
• 8f47dba chore(deps): update actions/upload-artifact to v4 (#4012)
• 88b5056 chore(release): 0.16.19 [ci skip]
• 4228b4e fix(types): improve strict function type (#4009)
• f934646 chore(release): 0.16.18 [ci skip]
• 629b873 fix: Actually publish TypeScript type definitions (#4008)
• Additional commits viewable in compare view

Sourced from vitest's releases.

v1.6.1

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v1 - by @​hi-ogawa in vitest-dev/vitest#7319

    View changes on GitHub

• 017e1ee chore: release v1.6.1
• 7ce9fbb fix: backport #7317 to v1 (#7319)
• See full diff in compare view

Sourced from @​sentry/node's releases.

10.32.1

• fix(cloudflare): Add hono transaction name when error is thrown (#18529)
• fix(ember): Make implementation field optional (hash routes) (#18564)
• fix(vercelai): Fix input token count (#18574)

• chore(lint): prefer 'unknown' to 'any', fix lint warnings
• chore(test): Remove cloudflare-astro e2e test (#18567)

Bundle size 📦

Path	Size
@​sentry/browser	24.24 KB
@​sentry/browser - with treeshaking flags	22.77 KB
@​sentry/browser (incl. Tracing)	40.62 KB
@​sentry/browser (incl. Tracing, Profiling)	45.12 KB
@​sentry/browser (incl. Tracing, Replay)	78.3 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	68.28 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	82.88 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	94.83 KB
@​sentry/browser (incl. Feedback)	40.57 KB
@​sentry/browser (incl. sendFeedback)	28.82 KB
@​sentry/browser (incl. FeedbackAsync)	33.7 KB
@​sentry/react	25.92 KB
@​sentry/react (incl. Tracing)	42.77 KB
@​sentry/vue	28.6 KB
@​sentry/vue (incl. Tracing)	42.39 KB
@​sentry/svelte	24.25 KB
CDN Bundle	26.62 KB
CDN Bundle (incl. Tracing)	41.25 KB
CDN Bundle (incl. Tracing, Replay)	77.1 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	82.44 KB
CDN Bundle - uncompressed	78.18 KB
CDN Bundle (incl. Tracing) - uncompressed	122.47 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	236.27 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	248.74 KB
@​sentry/nextjs (client)	44.94 KB
@​sentry/sveltekit (client)	40.98 KB
@​sentry/node-core	50.4 KB
@​sentry/node	157.73 KB
@​sentry/node - without tracing	90.87 KB
@​sentry/aws-serverless	106.02 KB

10.32.0

Important Changes

... (truncated)

Sourced from @​sentry/node's changelog.

10.32.1

• fix(cloudflare): Add hono transaction name when error is thrown (#18529)
• fix(ember): Make implementation field optional (hash routes) (#18564)
• fix(vercelai): Fix input token count (#18574)

• chore(lint): prefer 'unknown' to 'any', fix lint warnings
• chore(test): Remove cloudflare-astro e2e test (#18567)

10.32.0

Important Changes

• feat(core): Apply scope attributes to logs (#18184)

  You can now set attributes on the SDK's scopes which will be applied to all logs as long as the respective scopes are active. For the time being, only string, number and boolean attribute values are supported.

  Sentry.geGlobalScope().setAttributes({ is_admin: true, auth_provider: 'google' });
  Sentry.withScope(scope => {
  scope.setAttribute('step', 'authentication');
  // scope attributes is_admin, auth_provider and step are added
  Sentry.logger.info(user ${user.id} logged in, { activeSince: 100 });
  Sentry.logger.info(updated ${user.id} last activity);
  });
  // scope attributes is_admin and auth_provider are added
  Sentry.logger.warn('stale website version, reloading page');

• feat(replay): Add Request body with attachRawBodyFromRequest option (#18501)

  To attach the raw request body (from Request objects passed as the first fetch argument) to replay events, you can now use the attachRawBodyFromRequest option in the Replay integration:

  Sentry.init({
    integrations: [
      Sentry.replayIntegration({
        attachRawBodyFromRequest: true,
      }),
    ],
  });

... (truncated)

• 528ade2 release: 10.32.1
• 25f695d Merge pull request #18578 from getsentry/prepare-release/10.32.1
• a981a3d meta(changelog): Update changelog for 10.32.1
• 0d8547c fix(vercelai): Fix input token count (#18574)
• 71384a2 chore(lint): prefer 'unknown' to 'any', fix lint warnings
• d1dd308 chore(test): Remove cloudflare-astro e2e test (#18567)
• 12f3007 fix(ember): Make implementation field optional (hash routes) (#18564)
• 3fda84d fix(cloudflare): Add hono transaction name when error is thrown (#18529)
• a538901 Merge pull request #18563 from getsentry/master
• 063c4dc Merge pull request #18562 from getsentry/ab/skip-ci-when-no-code-changes
• Additional commits viewable in compare view

Sourced from vite's releases.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to Description has been truncated