Skip to content

Build(deps): Bump devalue from 5.6.1 to 5.6.4#42159

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/devalue-5.6.4
Open

Build(deps): Bump devalue from 5.6.1 to 5.6.4#42159
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/devalue-5.6.4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 12, 2026
edited
Loading

Bumps devalue from 5.6.1 to 5.6.4.

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows
Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

  • 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

    This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

  • 40f1db1: fix: ensure sparse array indices are integers

  • 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

    This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

  • 0f04d4d: fix: Properly handle __proto__
  • 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

  • 1175584: fix: validate input for ArrayBuffer parsing
  • e46afa6: fix: validate input for typed arrays
  • 1175584: fix: more helpful errors for inputs causing stack overflows
Commits

@dependabot dependabot bot mentioned this pull request Mar 12, 2026
Closed
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/devalue-5.6.4 branch from 277cb59 to 2bd9af9 Compare March 17, 2026 10:03
@dependabot
Build(deps): Bump devalue from 5.6.1 to 5.6.4
3c3f28f 
Bumps [devalue](https://github.com/sveltejs/devalue) from 5.6.1 to 5.6.4.
- [Release notes](https://github.com/sveltejs/devalue/releases)
- [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md)
- [Commits](sveltejs/devalue@v5.6.1...v5.6.4)

---
updated-dependencies:
- dependency-name: devalue
  dependency-version: 5.6.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/devalue-5.6.4 branch from 2bd9af9 to 3c3f28f Compare March 31, 2026 09:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies on-hold v5

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@julien-deramond