Bump the npm_and_yarn group across 12 directories with 23 updates

[dependabot]

Bumps the npm_and_yarn group with 16 updates in the /compiler/internal/vm/foundation/test directory:

Package	From	To
@astrojs/node	9.1.3	9.5.4
@remix-run/node	2.16.8	2.17.2
@remix-run/react	2.10.3	2.17.3
astro	5.5.5	5.15.9
axios	1.6.8	1.13.5
devalue	5.1.1	5.6.4
express	4.18.2	4.22.0
fastify	5.2.2	5.8.1
hono	4.7.2	4.12.7
jws	4.0.0	4.0.1
lodash	4.17.21	4.17.23
nodemailer	6.9.3	7.0.11
rollup	4.4.1	4.59.0
typeorm	0.3.20	0.3.26
undici	5.20.0	6.24.0
webpack	5.88.0	5.104.1

Bumps the npm_and_yarn group with 3 updates in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test directory: fastify, next and minimatch.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test/blog directory: next.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/foundation/test/cli/install/migration/contoso-test/packages/blog directory: next.
Bumps the npm_and_yarn group with 3 updates in the /compiler/internal/vm/foundation/test/integration/vite-build/the-test-app directory: nodemailer, kysely and svelte.
Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/dynamic_bitset/doc directory: axios, js-yaml, minimatch and fast-xml-parser.
Bumps the npm_and_yarn group with 3 updates in the /compiler/internal/vm/libconsepts/msm/doc directory: axios, js-yaml and fast-xml-parser.
Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/openmethod/doc directory: axios, js-yaml, minimatch and fast-xml-parser.
Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/redis/doc directory: axios, js-yaml, minimatch and sha.js.
Bumps the npm_and_yarn group with 2 updates in the /compiler/internal/vm/libconsepts/unordered/doc directory: js-yaml and minimatch.
Bumps the npm_and_yarn group with 4 updates in the /compiler/internal/vm/libconsepts/url/doc directory: axios, js-yaml, minimatch and fast-xml-parser.
Bumps the npm_and_yarn group with 1 update in the /compiler/internal/vm/static_core/plugins/ets/tools/declgen_ts2sts directory: webpack.

Updates @astrojs/node from 9.1.3 to 9.5.4

Changelog

Sourced from @​astrojs/node's changelog.

9.5.4

Patch Changes

• #15564 522f880 Thanks @​matthewp! - Add a default body size limit for server actions to prevent oversized requests from exhausting memory.

• #15572 ef851bf Thanks @​matthewp! - Upgrade astro package support

  astro@5.17.3 includes a fix to prevent Action payloads from exhausting memory. @​astrojs/node now depends on this version of Astro as a minimum requirement.

9.5.3

Patch Changes

• c13b536 Thanks @​matthewp! - Improves error page loading to read from disk first before falling back to configured host

9.5.2

Patch Changes

• #15196 a8317c1 Thanks @​ematipico! - Fixes an issue where some prendered pages weren't correctly rendered when using the Node.js adapter in middleware mode.

• #15169 b803d8b Thanks @​rururux! - fix: fix image 500 error when moving dist directory in standalone Node

9.5.1

Patch Changes

• Updated dependencies [9e9c528, 0f75f6b]:
  • @​astrojs/internal-helpers@​0.7.5

9.5.0

Minor Changes

• #14441 62ec8ea Thanks @​upsuper! - Updates redirect handling to be consistent across static and server output, aligning with the behavior of other adapters.

  Previously, the Node.js adapter used default HTML files with meta refresh tags when in static output. This often resulted in an extra flash of the page on redirect, while also not applying the proper status code for redirections. It's also likely less friendly to search engines.

  This update ensures that configured redirects are always handled as HTTP redirects regardless of output mode, and the default HTML files for the redirects are no longer generated in static output. It makes the Node.js adapter more consistent with the other official adapters.

  No change to your project is required to take advantage of this new adapter functionality. It is not expected to cause any breaking changes. However, if you relied on the previous redirecting behavior, you may need to handle your redirects differently now. Otherwise you should notice smoother redirects, with more accurate HTTP status codes, and may potentially see some SEO gains.

9.4.6

Patch Changes

• #14514 66a26d7 Thanks @​matthewp! - Fixes compatibility issue with older versions of Astro by making getAllowedDomains() call optional and updating peer dependency to require astro@^5.14.3

9.4.5

... (truncated)

Commits

• e0f1a2b [ci] release (#15571)
• ef851bf Update minimum astro version support in @​astrojs/node (#15572)
• f2955fb [ci] release (#15474)
• c13b536 Validate Host header against allowedDomains
• c19b70e fix(deps): update astro adapters (#15243)
• 7fe9e1b fix: update devalue to the latest (#15222)
• 44f4e78 [ci] release (#15188)
• 2fa19c4 fix(core): add defensive validation for mod.page in App.render (#15148)
• 8d74e9e [ci] format
• a8317c1 fix(node): hash URL stripping (#15196)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​astrojs/node since your current version.

Updates @remix-run/node from 2.16.8 to 2.17.2

Release notes

Sourced from @​remix-run/node's releases.

file-storage-s3 v0.1.0

Minor Changes

• Unreleased

  Initial release of @remix-run/file-storage-s3.

Patch Changes

• Bumped @remix-run/* dependencies:
  • file-storage@0.13.3

Commits

• 3920349 Version 2.17.2
• 64d88de Validate session id in file session storage (#10806)
• 91ef6fe Version 2.17.1
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• See full diff in compare view

Updates @remix-run/react from 2.10.3 to 2.17.3

Release notes

Sourced from @​remix-run/react's releases.

remix v2.17.3

See the changelog for the release notes: https://github.com/remix-run/remix/blob/v2/CHANGELOG.md#v2173

Commits

• b1d29d9 Version 2.17.3
• 5c87c08 Escape HTML in scroll restoration keys (#10925)
• 4a5ffd1 Revert "Version 2.17.3"
• 98c89fa Version 2.17.3
• 3920349 Version 2.17.2
• 91ef6fe Version 2.17.1
• 6bfad4e Escape meta json ld content (#10741)
• 3000859 chore: Update version for release (#10698)
• 3004a98 chore: Update version for release (pre) (#10692)
• fc5cb1f chore: Update version for release (pre) (#10691)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​remix-run/react since your current version.

Updates astro from 5.5.5 to 5.15.9

Changelog

Sourced from astro's changelog.

5.15.9

Patch Changes

• #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  images: {
  remotePatterns: [
  {
  protocol: 'data',
  },
  ],
  },
  });

• #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

5.15.8

Patch Changes

• #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

5.15.7

... (truncated)

Commits

• 7a07f02 [ci] release (#14788)
• 8cf3f05 [ci] format
• 758a891 fix(astro): handle invalid encrypted props in server island (#14786)
• 3537876 fix: passthroughImageService generate webp (#14776)
• 048e4dc [ci] format
• 9e9c528 fix: require explicit authorization to use data urls (#14791)
• 0f75f6b Fix wildcard hostname matching to reject hostnames without dots (#14787)
• 504958f feat(fonts): log number of downloaded files (#14783)
• 24e28d2 fix(deps): update astro dependencies (#14779)
• 60af4d0 [ci] release (#14773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates axios from 1.6.8 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates devalue from 5.1.1 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

... (truncated)

Commits

• 6cbb3f5 Version Packages (#133)
• 40f1db1 Merge commit from fork
• 87c1f3c Merge commit from fork
• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates express from 4.18.2 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

... (truncated)

Commits

• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• 3a5edfa fix(ci): updated github actions ci workflow (#6323)
• 52d9781 fix(test): add test for method routes without paths #5955
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for express since your current version.

Updates fastify from 5.2.2 to 5.8.1

Release notes

Sourced from fastify's releases.

v5.8.1

⚠️ Security Release

Fixes "Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation": GHSA-573f-x89g-hqp9.

CVE-2026-3419

Full Changelog: fastify/fastify@v5.8.0...v5.8.1

v5.8.0

What's Changed

• docs(request): add host security warning references by @​mcollina in fastify/fastify#6476
• docs: fix note style by @​Fdawgs in fastify/fastify#6487
• chore: rename deploy website ci by @​Eomm in fastify/fastify#6492
• chore: support pino v9 and v10 by @​mcollina in fastify/fastify#6496
• chore: update logger types and fix TODO comment by @​Tony133 in fastify/fastify#6470
• refactor(test-types): migrate dummy-plugin to FastifyPluginAsync by @​Tony133 in fastify/fastify#6472
• docs: fix markdown typo in README.md by @​droppingbeans in fastify/fastify#6491
• test: cover non-numeric content-length client error path by @​mcollina in fastify/fastify#6500
• ci: remove tests-checker workflow by @​Tony133 in fastify/fastify#6481
• ci: remove stale.yml file by @​Tony133 in fastify/fastify#6504
• docs(security): remove hackerone references; change note style by @​Fdawgs in fastify/fastify#6501
• chore: rename @​sinclair/typebox to typebox by @​Tony133 in fastify/fastify#6494
• ci(links-check): add external link checker using linkinator-action by @​umxr in fastify/fastify#6386
• chore: upgrade borp to v1.0.0 by @​Tony133 in fastify/fastify#6510
• docs: Add OpenJS CNA reference to SECURITY.md by @​mcollina in fastify/fastify#6516
• fix: avoid mutating shared routerOptions across instances by @​mcollina in fastify/fastify#6515
• fix(types): accept async route hooks in shorthand options by @​mcollina in fastify/fastify#6514
• docs: Improve shutdown lifecycle documentation by @​kibertoad in fastify/fastify#6517
• chore: remove unused tsconfig.eslint.json by @​mrazauskas in fastify/fastify#6524
• feat: First-class support for handler-level timeouts by @​kibertoad in fastify/fastify#6521
• docs(security): clarify insecureHTTPParser threat model scope by @​mcollina in fastify/fastify#6533
• chore(license): standardise license notice by @​Fdawgs in fastify/fastify#6511
• docs: clarify anyOf nullable coercion behavior with primitive types by @​slegarraga in fastify/fastify#6531
• fix: remove format placeholder from FST_ERR_CTP_INVALID_MEDIA_TYPE message by @​super-mcgin in fastify/fastify#6528
• docs(reference/hooks): fix note style by @​Fdawgs in fastify/fastify#6538
• chore: Bump lycheeverse/lychee-action from 2.7.0 to 2.8.0 by @​dependabot[bot] in fastify/fastify#6539
• chore: Bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @​dependabot[bot] in fastify/fastify#6540
• chore: Bump markdownlint-cli2 from 0.20.0 to 0.21.0 by @​dependabot[bot] in fastify/fastify#6542
• ci: remove broken links and add ecosystem link validator by @​mcollina in fastify/fastify#6421
• ci(validate-ecoystem-links): add job level permission by @​Fdawgs in fastify/fastify#6545
• style: remove trailing whitespace by @​FdawgsDescription has been truncated