chore(deps): bump the npm_and_yarn group across 1 directory with 12 updates

[dependabot]

Bumps the npm_and_yarn group with 12 updates in the / directory:

Package	From	To
vitest	1.6.0	1.6.1
ejs	3.1.9	3.1.10
rollup	2.79.1	2.79.2
vite	5.4.19	5.4.21
@modelcontextprotocol/sdk	1.11.4	1.24.0
@babel/helpers	7.24.1	7.28.4
axios	1.6.8	1.13.2
body-parser	2.2.0	2.2.1
braces	3.0.2	3.0.3
micromatch	4.0.5	4.0.8
store2	2.14.3	2.14.4
ws	7.5.9	7.5.10

Updates vitest from 1.6.0 to 1.6.1

Release notes

Sourced from vitest's releases.

v1.6.1

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v1 - by @​hi-ogawa in vitest-dev/vitest#7319

    View changes on GitHub

Commits

• 017e1ee chore: release v1.6.1
• 7ce9fbb fix: backport #7317 to v1 (#7319)
• See full diff in compare view

Updates ejs from 3.1.9 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

Commits

• d3f807d Version 3.1.10
• 9ee26dd Mocha TDD
• e469741 Basic pollution protection
• 715e950 Merge pull request #756 from Jeffrey-mu/main
• cabe314 Include advanced usage examples
• 29b076c Added header
• 11503c7 Merge branch 'main' of github.com:mde/ejs into main
• 7690404 Added security banner to README
• f47d7ae Update SECURITY.md
• 828cea1 Update SECURITY.md
• Additional commits viewable in compare view

Updates rollup from 2.79.1 to 2.79.2

Release notes

Sourced from rollup's releases.

v.2.79.2

2.79.2

2024-09-26

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

Changelog

Sourced from rollup's changelog.

rollup changelog

Commits

• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• See full diff in compare view

Updates vite from 5.4.19 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port [email protected] changes to [email protected] (#20737) (4f1c35b), closes #20737

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.11.4 to 1.24.0

Release notes

Sourced from @​modelcontextprotocol/sdk's releases.

1.24.0

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• fix: update spec links from latest to draft by @​domdomegg in modelcontextprotocol/typescript-sdk#1171
• Make sure to consume HTTP error response bodies by @​GreenStage in modelcontextprotocol/typescript-sdk#1173
• docs: add GET request handling for streamableHttp stateless mode by @​saharis9988 in modelcontextprotocol/typescript-sdk#1161
• SEP-1686: Tasks by @​LucaButBoring in modelcontextprotocol/typescript-sdk#1041
• Fix JSON parse error on SSE events with empty data by @​felixweinberger in modelcontextprotocol/typescript-sdk#1184
• Fix StreamableHTTPClientTransport instantiation by @​yuwzho in modelcontextprotocol/typescript-sdk#944
• feat: eslint rule to prefer node protocols by @​mattzcarey in modelcontextprotocol/typescript-sdk#1187
• fix: call tasks/result to deliver side-channel messages by @​felixweinberger in modelcontextprotocol/typescript-sdk#1185
• Add invalid_target oauth error (rfc 8707) by @​GreenStage in modelcontextprotocol/typescript-sdk#1183
• fix(client): use StreamableHTTPError instead of plain Error in send() by @​yamadashy in modelcontextprotocol/typescript-sdk#1178
• coerce 'expires_in' to be a number by @​adam-kuhn in modelcontextprotocol/typescript-sdk#1111
• Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @​jerome3o-anthropic in modelcontextprotocol/typescript-sdk#1189
• fix: update registerTool signature for proper typed ToolCallback by @​mattzcarey in modelcontextprotocol/typescript-sdk#1188
• SEP-1046: Client credentials flow for M2M without user interaction by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1157
• adds the transitive @​types/express-serve-static-core dependency as a direct devDependency by @​mgyarmathy in modelcontextprotocol/typescript-sdk#1078
• Fix optional argument handling in prompts for Zod V4 by @​filip-bartuska-ipf in modelcontextprotocol/typescript-sdk#1199
• fix hanging stdio servers by @​mattzcarey in modelcontextprotocol/typescript-sdk#1200
• README refactor by @​KKonstantinov in modelcontextprotocol/typescript-sdk#1197
• [Docs] Fix typo by @​koic in modelcontextprotocol/typescript-sdk#1067
• feat: add closeSSEStream callback to RequestHandlerExtra by @​felixweinberger in modelcontextprotocol/typescript-sdk#1166
• fix: improve SSE reconnection behavior by @​felixweinberger in modelcontextprotocol/typescript-sdk#1191
• fix: normalize headers in sse transport by @​marcrasi in modelcontextprotocol/typescript-sdk#856
• feat: add closeStandaloneSSEStream for GET stream polling by @​felixweinberger in modelcontextprotocol/typescript-sdk#1203
• fix: normalize null to undefined in ElicitResultSchema content field by @​mattzcarey in modelcontextprotocol/typescript-sdk#1204
• Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @​jacopoc in modelcontextprotocol/typescript-sdk#1205
• fix: allow zod 4 transformations by @​mattzcarey in modelcontextprotocol/typescript-sdk#1213
• feat: backwards-compatible createMessage overloads for SEP-1577 by @​felixweinberger in modelcontextprotocol/typescript-sdk#1212
• chore: bump version for release by @​felixweinberger in modelcontextprotocol/typescript-sdk#1215

New Contributors

• @​GreenStage made their first contribution in modelcontextprotocol/typescript-sdk#1173
• @​saharis9988 made their first contribution in modelcontextprotocol/typescript-sdk#1161
• @​yuwzho made their first contribution in modelcontextprotocol/typescript-sdk#944
• @​yamadashy made their first contribution in modelcontextprotocol/typescript-sdk#1178
• @​adam-kuhn made their first contribution in modelcontextprotocol/typescript-sdk#1111
• @​mgyarmathy made their first contribution in modelcontextprotocol/typescript-sdk#1078
• @​filip-bartuska-ipf made their first contribution in modelcontextprotocol/typescript-sdk#1199
• @​koic made their first contribution in modelcontextprotocol/typescript-sdk#1067
• @​marcrasi made their first contribution in modelcontextprotocol/typescript-sdk#856
• @​jacopoc made their first contribution in modelcontextprotocol/typescript-sdk#1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

1.23.1

Fixed:

... (truncated)

Commits

• 356b7e6 chore: bump version for release (#1215)
• 09623e2 Merge commit from fork
• cf51343 feat: backwards-compatible createMessage overloads for SEP-1577 (#1212)
• 8204126 fix: allow zod 4 transformations (#1213)
• 6083600 Modify Origin header validation in validateRequestHeaders (streamableHttp.ts ...
• a6ee2cb fix: normalize null to undefined in ElicitResultSchema content field (#1204)
• 4b651b8 feat: add closeStandaloneSSEStream for GET stream polling (#1203)
• 5ceabfb fix: normalize headers in sse transport (#856)
• f67fc2f fix: improve SSE reconnection behavior (#1191)
• fab7e1e feat: add closeSSEStream callback to RequestHandlerExtra (#1166)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @​modelcontextprotocol/sdk since your current version.

Updates @babel/helpers from 7.24.1 to 7.28.4

Release notes

Sourced from @​babel/helpers's releases.

v7.28.4 (2025-09-05)

Thanks @​gwillen and @​mrginglymus for your first PRs!

🏠 Internal

• babel-core, babel-helper-check-duplicate-nodes, babel-traverse, babel-types
  • #17493 Update Jest to v30.1.1 (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17455 chore: Clean up transform-regenerator (@​liuxingbaoyu)
• babel-core
  • #17474 Switch to @​jridgewell/remapping (@​mrginglymus)

Committers: 5

• Babel Bot (@​babel-bot)
• Bill Collins (@​mrginglymus)
• Glenn Willen (@​gwillen)
• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.28.4 (2025-09-05)

🏠 Internal

• babel-core, babel-helper-check-duplicate-nodes, babel-traverse, babel-types
  • #17493 Update Jest to v30.1.1 (@​JLHwung)
• babel-plugin-transform-regenerator
  • #17455 chore: Clean up transform-regenerator (@​liuxingbaoyu)
• babel-core
  • #17474 Switch to @​jridgewell/remapping (@​mrginglymus)

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

• babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator
  • #17426 fix: regenerator correctly handles throw outside of try (@​liuxingbaoyu)

📝 Documentation

• babel-types
  • #17422 Add missing FunctionParameter docs (@​JLHwung)

... (truncated)

Commits

• 35055e3 v7.28.4
• 18d88b8 Improve @​babel/core typings (#17471)
• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• cac0ff4 v7.28.2
• f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
• baa4cb8 v7.27.6
• fdbf1b3 fix: finally causes unexpected return value (#17366)
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• Additional commits viewable in compare view

Updates axios from 1.6.8 to 1.13.2

Release notes

Sourced from axios's releases.

Release v1.13.2

Release notes:

Bug Fixes

• http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
• http: use default export for http2 module to support stubs; (#7196) (0588880)

Performance Improvements

• http: fix early loop exit; (#7202) (12c314b)

Contributors to this release

• Dmitriy Mozgovoy
• Kasper Isager Dalsgarð

Release v1.13.1

Release notes:

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

Release v1.13.0

Release notes:

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
• resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

• http: add HTTP2 support; (#7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge
• Anchal Singh
• Rahul Kumar
• Amit Verma

... (truncated)

Changelog

Sourced from axios's changelog.

1.13.2 (2025-11-04)

Bug Fixes

• http: fix 'socket hang up' bug for keep-alive requests when using timeouts; (#7206) (8d37233)
• http: use default export for http2 module to support stubs; (#7196) (0588880)

Performance Improvements

• http: fix early loop exit; (#7202) (12c314b)

Contributors to this release

• Dmitriy Mozgovoy
• Kasper Isager Dalsgarð

1.13.1 (2025-10-28)

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

1.13.0 (2025-10-27)

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
• resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

• http: add HTTP2 support; (#7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge

... (truncated)

Commits

• 08b84b5 chore(release): v1.13.2 (#7207)
• 8d37233 fix(http): fix 'socket hang up' bug for keep-alive requests when using timeou...
• 12c314b perf(http): fix early loop exit; (#7202)
• f6d79e7 chore(sponsor): update sponsor block (#7203)
• 0588880 fix(http): use default export for http2 module to support stubs; (#7196)
• 1ef8e72 chore(release): v1.13.1 (#7194)
• bcd5581 fix(http): fixed a regression that caused the data stream to be interrupted f...
• c9b3371 chore: enhance styling and responsiveness in client.html (#7173)
• 9ead04d [Release] v1.13.0 (#7189)
• d000fbf fix(http2): fix possible race condition when handling http2 stream on almost ...
• Additional commits viewable in compare view

Updates body-parser from 2.2.0 to 2.2.1

Release notes

Sourced from body-parser's releases.

v2.2.1

Important: Security

• Security fix for CVE-2025-13466 (GHSA-wqch-xfxh-vrr4)

What's Changed

• ci: add dependabot by @​Phillip9587 in expressjs/body-parser#593
• ci: use full SHAs for github action versions by @​Phillip9587 in expressjs/body-parser#594
• deps: type-is@^2.0.1 by @​Phillip9587 in expressjs/body-parser#599
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/body-parser#609
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @​dependabot[bot] in expressjs/body-parser#610
• build(deps-dev): bump eslint-plugin-promise from 6.1.1 to 6.6.0 by @​dependabot[bot] in expressjs/body-parser#611
• build(deps-dev): bump eslint-plugin-import from 2.27.5 to 2.31.0 by @​dependabot[bot] in expressjs/body-parser#613
• build(deps-dev): bump eslint-plugin-markdown from 3.0.0 to 3.0.1 by @​dependabot[bot] in expressjs/body-parser#612
• ci: add codeql github workflows scanning by @​Phillip9587 in expressjs/body-parser#614
• ci: update CodeQL config to ignore the test directory by @​Phillip9587 in expressjs/body-parser#615
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/body-parser#620
• build(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @​dependabot[bot] in expressjs/body-parser#619
• chore(deps): unpin devDependencies by @​Phillip9587 in expressjs/body-parser#616
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/body-parser#621
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/body-parser#623
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/body-parser#624
• chore: add funding to package.json by @​Phillip9587 in expressjs/body-parser#617
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/body-parser#625
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/body-parser#630
• refactor: move common request validation to read function by @​Phillip9587 in expressjs/body-parser#600
• deps: bump iconv-lite by @​bjohansebas in expressjs/body-parser#631
• doc: pull beta changelog forward into 2.0.0 by @​jonchurch in expressjs/body-parser#629
• refactor: optimize raw and text parsers with shared passthrough function by @​Phillip9587 in expressjs/body-parser#634
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#640
• build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @​dependabot[bot] in expressjs/body-parser#639
• build(deps): bump actions/setup-node from 4.4.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#636
• build(deps): bump actions/download-artifact from 4.3.0 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#637
• build(deps): bump github/codeql-action from 3.29.7 to 3.30.5 by @​dependabot[bot] in expressjs/body-parser#638
• deps: raw-body@^3.0.1 by @​Phillip9587 in expressjs/body-parser#641
• deps: debug@^4.4.3 by @​Phillip9587 in expressjs/body-parser#642
• docs: add iconv-lite 0.7.0 changes to history entry by @​Phillip9587 in expressjs/body-parser#645
• ci: add node.js 25 to test matrix by @​Phillip9587 in expressjs/body-parser#650
• perf: move read options outside parser middlewares by @​Phillip9587 in expressjs/body-parser#648
• test(json): add RFC 7159 whitespace edge cases by @​Ayoub-Mabrouk in expressjs/body-parser#653
• test: add test for urlencoded invalid defaultCharset by @​Phillip9587 in expressjs/body-parser#643
• build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in expressjs/body-parser#657
• build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @​dependabot[bot] in expressjs/body-parser#656
• build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in expressjs/body-parser#655
• build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @​dependabot[bot] in expressjs/body-parser#654
• ci: also test on first supported node.js version by @​Phillip9587 in expressjs/body-parser#646
• chore: switch badges from badgen.net to shields.io by @​Phillip9587 in expressjs/body-parser#661
• Remove history.md from being packaged on publish by @​bjohansebas in expressjs/body-parser#660
• Release: 2.2.1 by @​UlisesGascon in expressjs/body-parser#659

... (truncated)

Changelog

Sourced from body-parser's changelog.

2.2.1 / 2025-11-24

• Security fix for GHSA-wqch-xfxh-vrr4
• deps:
  • type-is@^2.0.1
  • iconv-lite@^0.7.0
    • Handle split surrogate pairs when encoding UTF-8
    • Avoid false positives in encodingExists by using prototype-less objects
  • raw-body@^3.0.1
  • debug@^4.4.3

Commits

• d96b63d 2.2.1 (#659)
• b204886 sec: security patch for CVE-2025-13466
• e20e351 feat: remove history.md from being packaged on publish (#660)
• 0d7ce71 docs: switch badges from badgen.net to shields.io (#661)
• 168afff ci: also test on first supported node.js version (#646)
• e539a71 build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#654)
• 9391612 build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#655)
• 57baafb build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 (#656)
• a6a088e build(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#657)
• 10a114d test: add test for urlencoded invalid defaultCharset (#643)
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704eDescription has been truncated