Bump the npm_and_yarn group across 13 directories with 23 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/debugger/tools/lldb-dap/extension directory: minimatch.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/foundation/packages/bun-vscode/example directory: elysia.
Bumps the npm_and_yarn group with 15 updates in the /compiler/internal/vm/foundation/test directory:

Package	From	To
jws	4.0.0	4.0.1
axios	1.6.8	1.13.5
@astrojs/node	9.1.3	9.5.4
@remix-run/node	2.16.8	2.17.2
@remix-run/react	2.10.3	2.17.3
astro	5.5.5	5.15.9
devalue	5.1.1	5.6.4
fastify	5.2.2	5.8.1
hono	4.7.2	4.12.7
immutable	5.1.3	5.1.5
lodash	4.17.21	4.17.23
nodemailer	6.9.3	7.0.11
rollup	4.4.1	4.59.0
undici	5.20.0	6.24.0
webpack	5.88.0	5.104.1

Bumps the npm_and_yarn group with 2 updates in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test directory: minimatch and fastify.
Bumps the npm_and_yarn group with 3 updates in the /compiler/internal/vm/foundation/test/cli/install/migration/yarn/yarn-cli-repo directory: minimatch, js-yaml and tar.
Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/dynamic_bitset/doc directory: minimatch, js-yaml, axios and fast-xml-parser.
Bumps the npm_and_yarn group with 3 updates in the /compiler/internal/vm/libconsepts/msm/doc directory: js-yaml, axios and fast-xml-parser.
Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/openmethod/doc directory: minimatch, js-yaml, axios and fast-xml-parser.
Bumps the npm_and_yarn group with 5 updates in the /compiler/internal/vm/libconsepts/redis/doc directory:

Package	From	To
minimatch	3.1.2	3.1.5
form-data	4.0.3	4.0.5
js-yaml	4.1.0	4.1.1
axios	1.10.0	1.13.6
sha.js	2.4.11	2.4.12

Bumps the npm_and_yarn group with 2 updates in the /compiler/internal/vm/libconsepts/unordered/doc directory: minimatch and js-yaml.
Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/url/doc directory: minimatch, js-yaml, axios and fast-xml-parser.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/omni/test-tools/wamr-ide/VSCode-Extension directory: yauzl.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/static_core/plugins/ets/tools/declgen_ts2sts directory: webpack.

Updates minimatch from 9.0.5 to 9.0.9

Commits

• 8a10e47 9.0.9
• c6f1806 brace-expansion@2
• 446cfa3 9.0.8
• 8fa151a docs: add warning about ReDoS
• 71b78a2 fix partial matching of globstar patterns
• 2de496f 9.0.7
• 0d4616d limit nested extglob recursion, flatten extglobs
• 7117ef3 9.0.6
• 2418458 update deps, do not checkin dist
• 1d1f531 update deps
• Additional commits viewable in compare view

Updates minimatch from 10.1.1 to 10.2.4

Commits

• 8a10e47 9.0.9
• c6f1806 brace-expansion@2
• 446cfa3 9.0.8
• 8fa151a docs: add warning about ReDoS
• 71b78a2 fix partial matching of globstar patterns
• 2de496f 9.0.7
• 0d4616d limit nested extglob recursion, flatten extglobs
• 7117ef3 9.0.6
• 2418458 update deps, do not checkin dist
• 1d1f531 update deps
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 8a10e47 9.0.9
• c6f1806 brace-expansion@2
• 446cfa3 9.0.8
• 8fa151a docs: add warning about ReDoS
• 71b78a2 fix partial matching of globstar patterns
• 2de496f 9.0.7
• 0d4616d limit nested extglob recursion, flatten extglobs
• 7117ef3 9.0.6
• 2418458 update deps, do not checkin dist
• 1d1f531 update deps
• Additional commits viewable in compare view

Updates minimatch from 5.1.6 to 5.1.9

Commits

• 8a10e47 9.0.9
• c6f1806 brace-expansion@2
• 446cfa3 9.0.8
• 8fa151a docs: add warning about ReDoS
• 71b78a2 fix partial matching of globstar patterns
• 2de496f 9.0.7
• 0d4616d limit nested extglob recursion, flatten extglobs
• 7117ef3 9.0.6
• 2418458 update deps, do not checkin dist
• 1d1f531 update deps
• Additional commits viewable in compare view

Updates elysia from 0.6.24 to 1.4.27

Release notes

Sourced from elysia's releases.

1.4.27

What's changed

Bug fix:

• getSchemaValidator: handle TypeBox as sub type
• handle cookie prototype pollution when parsing cookie

Improvement:

• conditional async on getSchemaValidator when schema is Standard Schema
• use Response.json on Bun
• export AnySchema, UnwrapSchema, ModelsToTypes from root

Full Changelog: elysiajs/elysia@1.4.26...1.4.27

1.4.26

What's changed

Bug fix:

• #1755 deduplicate local handler from global event
• #1752 system router with trailing path doesn't match with non-trailing
• url format redos
• #1747 parsing request from mount hang

Full Changelog: elysiajs/elysia@1.4.25...1.4.26

1.4.25

What's changed

Feature:

• export ElysiaStatus

Bug fix:

• macro with conflict literal value per status
• recursive macro with conflict value per status

Full Changelog: elysiajs/elysia@1.4.24...1.4.25

1.4.24

What's Changed

Feature:

• graceful unsigned cookie transition

Bug fix:

• #1733 preserve multiple set-cookie headers in mounted handlers by @​cipher416
• object cookie with secret doesn't deserialized after parsed

New Contributors

• @​cipher416 made their first contribution in elysiajs/elysia#1733

Full Changelog: elysiajs/elysia@1.4.23...1.4.24

... (truncated)

Changelog

Sourced from elysia's changelog.

1.4.27 - 1 Mar 2026

Bug fix:

• getSchemaValidator: handle TypeBox as sub type
• handle cookie prototype pollution when parsing cookie

Improvement:

• conditional async on getSchemaValidator when schema is Standard Schema
• use Response.json on Bun

1.4.26 - 25 Feb 2026

Bug fix:

• #1755 deduplicate local handler from global event
• #1752 system router with trailing path doesn't match with non-trailing
• url format redos
• #1747 parsing request from mount hang

1.4.25 - 12 Feb 2026

Feature:

• export ElysiaStatus

Bug fix:

• macro with conflict literal value per status
• recursive macro with conflict value per status

1.4.24 - 11 Feb 2026

Feature:

• graceful unsigned cookie transition

Bug fix:

• #1733 preserve multiple set-cookie headers in mounted handlers
• object cookie with secret doesn't deserialized after parsed

1.4.23 - 9 Feb 2026

Feature:

• #1719 add t.Union/t.Intersection handling in property enumerations/checks
• #1697 extend complex formdata support to StandardSchema
• #1656 serialize custom array-like custom class with array sub class

Bug fix:

• #1721 Promise with response schema
• #1700 distinct union object
• #1683 response validation returns 500 instead of 422 for nested schemas in dynamic mode
• #1679 preserve headers when throwing from AsyncGenerator
• #1595 stream reference should point to teed value
• fix can't modify immutable headers error

Change:

• update exact-mirror to 0.2.7

1.4.22 - 14 Jan 2026

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for elysia since your current version.

Updates jws from 4.0.0 to 4.0.1

Release notes

Sourced from jws's releases.

v4.0.1

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

• Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

• Code reorganization, thanks [@​fearphage]! (7880050)

Added

• Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

• 34c45b2 Merge commit from fork
• 49bc39b version 4.0.1
• d42350c Enhance tests for HMAC streaming sign and verify
• 5cb007c Improve secretOrKey initialization in VerifyStream
• f9a2e1c Improve secret handling in SignStream
• b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
• 95b75ee Upload OpsLevel YAML
• 8857ee7 test: remove unused variable (#96)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates axios from 1.6.8 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates @astrojs/node from 9.1.3 to 9.5.4

Release notes

Sourced from @​astrojs/node's releases.

@​astrojs/node@​9.5.4

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

Changelog

Sourced from @​astrojs/node's changelog.

9.5.4

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

9.5.3

Patch Changes

• c13b536 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

9.5.2

Patch Changes

• #15196 a8317c1 Thanks @​ematipico! - Fixes an issue where some prendered pages weren't correctly rendered when using the Node.js adapter in middleware mode.

• #15169 b803d8b Thanks @​rururux! - fix: fix image 500 error when moving dist directory in standalone Node

9.5.1

Patch Changes

• Updated dependencies [9e9c528, 0f75f6b]:
  • @​astrojs/internal-helpers@​0.7.5

9.5.0

Minor Changes

• #14441 62ec8ea Thanks @​upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

  Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

  This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

  No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

9.4.6

Patch Changes

• #14514 66a26d7 Thanks @​matthewp! - Fixes compatibility issue with older versions of Astro by making getAllowedDomains() call optional and updating peer dependency to require astro@^5.14.3

9.4.5

... (truncated)

Commits

• e0f1a2b [ci] release (#15571)
• ef851bf Update minimum astro version support in @​astrojs/node (#15572)
• f2955fb [ci] release (#15474)
• c13b536 Validate Host header against allowedDomains
• c19b70e fix(deps): update astro adapters (#15243)
• 7fe9e1b fix: update devalue to the latest (#15222)
• 44f4e78 [ci] release (#15188)
• 2fa19c4 fix(core): add defensive validation for mod.page in App.render (#15148)
• 8d74e9e [ci] format
• a8317c1 fix(node): hash URL stripping (#15196)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​astrojs/node since your current version.

Updates @remix-run/node from 2.16.8 to 2.17.2

Release notes

Sourced from @​remix-run/node's releases.

file-storage-s3 v0.1.0

Minor Changes

• Unreleased

  Initial release of @remix-run/file-storage-s3.

Patch Changes

• Bumped @remix-run/* dependencies:
  • file-storage@0.13.3

Commits

• 3920349 Version 2.17.2
• 64d88de Validate session id in file session storage (#10806)
• 91ef6fe Version 2.17.1
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• See full diff in compare view

Updates @remix-run/react from 2.10.3 to 2.17.3

Release notes

Sourced from @​remix-run/react's releases.

remix v2.17.3

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2173

Commits

• b1d29d9 Version 2.17.3
• 5c87c08 Escape HTML in scroll restoration keys (#10925)
• 4a5ffd1 Revert "Version 2.17.3"
• 98c89fa Version 2.17.3
• 3920349 Version 2.17.2
• 91ef6fe Version 2.17.1
• 6bfad4e Escape meta json ld content (#10741)
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​remix-run/react since your current version.

Updates astro from 5.5.5 to 5.15.9

Changelog

Sourced from astro's changelog.

5.15.9

Patch Changes

• #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  images: {
  remotePatterns: [
  {
  protocol: 'data',
  },
  ],
  },
  });

• #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

5.15.8

Patch Changes

• #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

5.15.7

... (truncated)

Commits

• 7a07f02 [ci] release (#14788)
• 8cf3f05 [ci] format
• 758a891 fix(astro): handle invalid encrypted props in server island (#14786)
• 3537876 fix: passthroughImageService generate webp (#14776)
• 048e4dc [ci] format
• 9e9c528 fix: require explicit authorization to use data urls (#14791)
• 0f75f6b Fix wildcard hostname matching to reject hostnames without dots (#14787)
• 504958f feat(fonts): log number of downloaded files (#14783)
• 24e28d2 fix(deps): update astro dependencies (#14779)
• 60af4d0 [ci] release (#14773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates devalue from 5.1.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits

• 6cbb3f5 Version Packages (#133)
• 40f1db1 Merge commit from fork
• 87c1f3c Merge commit from fork
• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)