Bump the npm_and_yarn group across 12 directories with 18 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the /astro-fastify directory:

Package	From	To
@fastify/middie	8.3.0	9.3.2
astro	4.5.9	6.1.6
fastify	4.26.2	5.8.5
brace-expansion	2.0.1	2.1.0
minimatch	5.1.6	5.1.9
picomatch	2.3.1	2.3.2

Bumps the npm_and_yarn group with 4 updates in the /astro-fastify-ssg directory: astro, fastify, brace-expansion and minimatch.
Bumps the npm_and_yarn group with 6 updates in the /eslint-plugin-tailwindcss directory:

Package	From	To
brace-expansion	1.1.11	1.1.14
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
rollup	4.13.0	4.60.2
vite	5.1.6	8.0.9
flatted	3.3.1	3.4.2

Bumps the npm_and_yarn group with 1 update in the /fastify-http-errors-enhanced directory: fastify.
Bumps the npm_and_yarn group with 1 update in the /hono directory: hono.
Bumps the npm_and_yarn group with 4 updates in the /jest directory: brace-expansion, minimatch, picomatch and lodash.
Bumps the npm_and_yarn group with 6 updates in the /kita directory:

Package	From	To
fastify	4.26.2	5.8.5
brace-expansion	1.1.11	1.1.14
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
yaml	2.4.1	2.8.3
lodash	4.17.21	4.18.1

Bumps the npm_and_yarn group with 1 update in the /media-capture directory: brace-expansion.
Bumps the npm_and_yarn group with 1 update in the /use-swr directory: brace-expansion.
Bumps the npm_and_yarn group with 5 updates in the /vad directory:

Package	From	To
brace-expansion	1.1.11	1.1.14
minimatch	3.0.4	3.1.5
picomatch	2.2.2	2.3.2
lodash	4.17.20	4.18.1
next	9.5.2	15.5.15

Bumps the npm_and_yarn group with 4 updates in the /vercel-fastify directory: fastify, brace-expansion, minimatch and picomatch.
Bumps the npm_and_yarn group with 5 updates in the /wxt directory:

Package	From	To
brace-expansion	2.0.1	2.1.0
brace-expansion	1.1.11	1.1.14
minimatch	9.0.3	9.0.9
minimatch	3.1.2	3.1.5
picomatch	2.3.1	2.3.2
rollup	4.12.1	4.60.2
vite	5.1.5	8.0.9

Updates @fastify/middie from 8.3.0 to 9.3.2

Release notes

Sourced from @​fastify/middie's releases.

v9.3.2

⚠️ Security Release

This fixes CVE CVE-2026-6270 GHSA-72c6-fx6q-fr5w. This fixes CVE CVE-2026-33804 GHSA-v9ww-2j6r-98q6.

What's Changed

• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/middie#256
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/middie#258
• ci: add lock-threads workflow by @​Fdawgs in fastify/middie#259

Full Changelog: fastify/middie@v9.3.1...v9.3.2

v9.3.1

What's Changed

• fix: preserve percent-encoding in prefix stripping by @​panva in fastify/middie#255

Full Changelog: fastify/middie@v9.3.0...v9.3.1

v9.3.0

What's Changed

• chore(license): standardise license notice by @​Fdawgs in fastify/middie#250
• fix: preserve query string when stripping path prefix by @​panva in fastify/middie#249
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in fastify/middie#253

New Contributors

• @​panva made their first contribution in fastify/middie#249

Full Changelog: fastify/middie@v9.2.0...v9.3.0

v9.2.0

⚠️ Security Release

Fixes GHSA-8p85-9qpw-fwgw

What's Changed

• ci: remove stale.yml by @​Tony133 in fastify/middie#247

New Contributors

• @​Tony133 made their first contribution in fastify/middie#247

Full Changelog: fastify/middie@v9.1.0...v9.2.0

v9.1.0

What's Changed

• build(dependabot): reduce npm updates to monthly by @​Fdawgs in fastify/middie#228
• chore: rename master to main by @​Fdawgs in fastify/middie#230
• ci(ci): set job permissions by @​Fdawgs in fastify/middie#231

... (truncated)

Commits

• 792d2f4 Bumped v9.3.2
• ca42dd7 Merge commit from fork
• 29162c8 Merge commit from fork
• 33c7553 ci: add lock-threads workflow (#259)
• caf538b build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#258)
• 57dd100 build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#256)
• fb12937 Bumped v9.3.1
• 24aa8d3 fix: preserve percent-encoding in prefix stripping (#255)
• f57b37f Bumped v9.3.0
• 5b47608 build(deps-dev): bump c8 from 10.1.3 to 11.0.0 (#253)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by climba03003, a new releaser for @​fastify/middie since your current version.

Updates astro from 4.5.9 to 6.1.6

Release notes

Sourced from astro's releases.

astro@6.1.6

Patch Changes

• #16202 b5c2fba Thanks @​matthewp! - Fixes Actions failing with ActionsWithoutServerOutputError when using output: 'static' with an adapter

• #16303 b06eabf Thanks @​matthewp! - Improves handling of special characters in inline <script> content

• #14924 bb4586a Thanks @​aralroca! - Fixes SCSS and CSS module file changes triggering a full page reload instead of hot-updating styles in place during development

astro@6.1.5

Patch Changes

• #16171 5bcd03c Thanks @​Desel72! - Fixes a build error that occurred when a pre-rendered page used the <Picture> component and another page called render() on content collection entries.

• #16239 7c65c04 Thanks @​dataCenter430! - Fixes sync content inside <Fragment> not streaming to the browser until all async sibling expressions have resolved.

• #16242 686c312 Thanks @​martrapp! - Revives UnoCSS in dev mode when used with the client router.

  This change partly reverts #16089, which in hindsight turned out to be too general. Instead of automatically persisting all style sheets, we now do this only for styles from Vue components.

• #16192 79d86b8 Thanks @​alexanderniebuhr! - Uses today’s date for Cloudflare compatibility_date in astro add cloudflare

  When creating new projects, astro add cloudflare now sets compatibility_date to the current date. Previously, this date was resolved from locally installed packages, which could be unreliable in some package manager environments. Using today’s date is simpler and more reliable across environments, and is supported by workerd.

• #16259 34df955 Thanks @​gameroman! - Removed dlv dependency

astro@6.1.4

Patch Changes

• #16197 21f9fe2 Thanks @​SchahinRohani! - Remove unused re-exports from assets/utils barrel file to fix Vite build warning

• #16059 6d5469e Thanks @​matthewp! - Fixes Expected 'miniflare' to be defined errors and 404 responses in dev mode when using the Cloudflare adapter and the config file changes. Instead of creating a brand new Vite server on config changes, Astro now performs a Vite in-place restart, allowing the Cloudflare adapter to reuse its existing miniflare instance across restarts.

• #16154 7610ba4 Thanks @​Desel72! - Fixes pages with dots in their filenames (e.g. hello.world.astro) returning 404 when accessed with a trailing slash in the dev server. The trailingSlashForPath function now only forces trailingSlash: 'never' for endpoints with file extensions, allowing pages to correctly respect the user's trailingSlash config.

• #16193 23425e2 Thanks @​matthewp! - Fixes trailingSlash: "always" producing redirect HTML instead of the actual response for extensionless endpoints during static builds

astro@6.1.3

Patch Changes

• #16161 b51f297 Thanks @​matthewp! - Fixes a dev rendering issue with the Cloudflare adapter where head metadata could be missing and dev CSS/scripts could be injected in the wrong place

• #16110 de669f0 Thanks @​tmimmanuel! - Fixes skew protection query parameters not being appended to inter-chunk JavaScript imports in client bundles, which could cause version mismatches during rolling deployments on Vercel

• #16162 a0a49e9 Thanks @​rururux! - Fixes an issue where HMR would not trigger when modifying files while using @​astrojs/cloudflare with prerenderEnvironment: 'node' enabled.

• #16142 7454854 Thanks @​rururux! - Fixes HTML content being incorrectly escaped as plain text when rendering a MDX component using the AstroContainer APIs.

• #16116 12602a9 Thanks @​riderx! - Fixes a bug where page-level CSS could leak between unrelated pages when traversing style parents across top-level route boundaries

... (truncated)

Changelog

Sourced from astro's changelog.

4.16.16

Patch Changes

• #12542 65e50eb Thanks @​kadykov! - Fix JPEG image size determination

• #12525 cf0d8b0 Thanks @​ematipico! - Fixes an issue where with i18n enabled, Astro couldn't render the 404.astro component for nonexistent routes.

4.16.15

Patch Changes

• #12498 b140a3f Thanks @​ematipico! - Fixes a regression where Astro was trying to access Request.headers

4.16.14

Patch Changes

• #12480 c3b7e7c Thanks @​matthewp! - Removes the default throw behavior in astro:env

• #12444 28dd3ce Thanks @​ematipico! - Fixes an issue where a server island hydration script might fail case the island ID misses from the DOM.

• #12476 80a9a52 Thanks @​florian-lefebvre! - Fixes a case where the Content Layer glob() loader would not update when renaming or deleting an entry

• #12418 25baa4e Thanks @​oliverlynch! - Fix cached image redownloading if it is the first asset

• #12477 46f6b38 Thanks @​ematipico! - Fixes an issue where the SSR build was emitting the dist/server/entry.mjs file with an incorrect import at the top of the file/

• #12365 a23985b Thanks @​apatel369! - Fixes an issue where Astro.currentLocale was not correctly returning the locale for 404 and 500 pages.

4.16.13

Patch Changes

• #12436 453ec6b Thanks @​martrapp! - Fixes a potential null access in the clientside router

• #12392 0462219 Thanks @​apatel369! - Fixes an issue where scripts were not correctly injected during the build. The issue was triggered when there were injected routes with the same entrypoint and different pattern

4.16.12

Patch Changes

• #12420 acac0af Thanks @​ematipico! - Fixes an issue where the dev server returns a 404 status code when a user middleware returns a valid Response.

4.16.11

Patch Changes

• #12305 f5f7109 Thanks @​florian-lefebvre! - Fixes a case where the error overlay would not escape the message

... (truncated)

Commits

• 1945a93 [ci] release (#16281)
• bb4586a fix: avoid full-reload in scss modules (#14924)
• 5f3085b [ci] format
• b5c2fba Skip actions server-output validation when an adapter is configured (#16202)
• b06eabf Consolidate inline script escaping into shared utility (#16303)
• 92fc030 refactor(core): rename logger internal types (#16271)
• ba18015 [ci] format
• d198e82 test: port 16 routing unit tests to TypeScript (#16266)
• 673a871 [ci] release (#16244)
• fab9c00 chore: upgrade biome (#16246)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for astro since your current version.

Updates fastify from 4.26.2 to 5.8.5

Release notes

Sourced from fastify's releases.

v5.8.5

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

• chore: Fix port parsing by @​jsumners in fastify/fastify#6603
• chore: upgrade to typescript v6.0.2 by @​Tony133 in fastify/fastify#6605
• fix: restore trustProxy function for number and string types, add null check for socketAddr by @​mcollina in fastify/fastify#6613
• ci: reduce cron scheduled workflows from daily/weekly to monthly by @​Fdawgs in fastify/fastify#6623
• chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @​dependabot[bot] in fastify/fastify#6629
• chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @​dependabot[bot] in fastify/fastify#6632
• chore: Bump borp from 0.21.0 to 1.0.0 by @​dependabot[bot] in fastify/fastify#6633
• chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @​dependabot[bot] in fastify/fastify#6630
• docs(ecosystem): add @​pompelmi/fastify-plugin by @​SonoTommy in fastify/fastify#6610

New Contributors

• @​SonoTommy made their first contribution in fastify/fastify#6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

v5.8.4

Full Changelog: fastify/fastify@v5.8.3...v5.8.4

v5.8.3

⚠️ Security Release

This fixes CVE CVE-2026-3635 GHSA-444r-cwp2-x5xf.

What's Changed

• docs(readme): add @​Tony133 to plugin team by @​Tony133 in fastify/fastify#6565
• Updated Plugins-Guide.md; Changed "fastify" to "instance" during plugin registration to showcase that it's added as a child by @​kyrylchenko in fastify/fastify#6566
• test: use fastify.test in test case by @​climba03003 in fastify/fastify#6568
• docs: use fastify.example in documentation by @​climba03003 in fastify/fastify#6567
• docs: add common performance degradation guidance by @​maxpetrusenko in fastify/fastify#6520
• docs(server): fix camelCase anchor links in TOC by @​Deepvamja in fastify/fastify#6530
• ci(link-checker): fix root-relative links resolution by @​barba-rossa in fastify/fastify#6535
• docs: update syntax markdown, absolute paths and links by @​Tony133 in fastify/fastify#6569
• docs: clarify content-type parser/schema mismatch is outside threat model by @​mcollina in fastify/fastify#6537
• docs: fix incorrect code examples in Reply and Request reference by @​mahmoodhamdi in fastify/fastify#6582
• docs: replace redirected npm.im http-errors link by @​mcollina in fastify/fastify#6588
• types: Allow port to be null in request type definition by @​TristanBarlow in fastify/fastify#6589
• docs: update links by @​Tony133 in fastify/fastify#6593
• ci(lock-threads): use shared lock-threads workflow by @​Fdawgs in fastify/fastify#6592

New Contributors

• @​kyrylchenko made their first contribution in fastify/fastify#6566
• @​maxpetrusenko made their first contribution in fastify/fastify#6520
• @​Deepvamja made their first contribution in fastify/fastify#6530
• @​barba-rossa made their first contribution in fastify/fastify#6535

... (truncated)

Commits

• 3983cce Bumped v5.8.5
• 3ce3ae6 Merge commit from fork
• b06a196 docs(ecosystem): add @​pompelmi/fastify-plugin (#6610)
• 909c5d5 chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#6630)
• 4db21a3 chore: Bump borp from 0.21.0 to 1.0.0 (#6633)
• 0f4e544 chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 (#6632)
• 33a2fcd chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 (#6629)
• fd35d82 ci: reduce cron schedules from daily/weekly to monthly (#6623)
• 8dee9be fix: restore trustProxy function for number and string types, add null check ...
• d457aed chore: upgrade to typescript v6.0.2 (#6605)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by climba03003, a new releaser for fastify since your current version.

Updates @fastify/reply-from from 9.7.0 to 12.6.2

Release notes

Sourced from @​fastify/reply-from's releases.

v12.6.2

⚠️ Security Release

This fixes CVE CVE-2026-33805 GHSA-gwhp-pf74-vj37.

What's Changed

• fix: correct path traversal check to allow '...' in URL path segments by @​q0rban in fastify/fastify-reply-from#461
• build(deps): Bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fastify-reply-from#462
• build(deps-dev): Bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fastify-reply-from#463
• build(deps-dev): Bump proxy from 2.2.0 to 4.0.0 by @​dependabot[bot] in fastify/fastify-reply-from#464
• ci: add lock-threads workflow by @​Fdawgs in fastify/fastify-reply-from#466

New Contributors

• @​q0rban made their first contribution in fastify/fastify-reply-from#461

Full Changelog: fastify/fastify-reply-from@v12.6.1...v12.6.2

v12.6.1

What's Changed

• build(deps-dev): Bump @​sinonjs/fake-timers from 14.0.0 to 15.0.0 by @​dependabot[bot] in fastify/fastify-reply-from#440
• build(deps-dev): Bump @​types/node from 24.10.4 to 25.0.3 by @​dependabot[bot] in fastify/fastify-reply-from#447
• fix: strip headers listed in Connection header per RFC 7230 Section 6.1 by @​mcollina in fastify/fastify-reply-from#450
• feat: preserve undici agent by default by @​mcollina in fastify/fastify-reply-from#452
• chore: removed unused files by @​Tony133 in fastify/fastify-reply-from#453
• chore(license): standardise license notice by @​Fdawgs in fastify/fastify-reply-from#454
• style: remove trailing whitespace by @​Fdawgs in fastify/fastify-reply-from#455
• build(deps-dev): Bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in fastify/fastify-reply-from#456
• fix: avoid trailing ? when queryString option resolves to empty string by @​fooddilsn in fastify/fastify-reply-from#459

New Contributors

• @​fooddilsn made their first contribution in fastify/fastify-reply-from#459

Full Changelog: fastify/fastify-reply-from@v12.5.0...v12.6.1

v12.5.0

⚠️ Security Release ⚠️

By crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @​fastify/reply-from.

Read more at GHSA-2q7r-29rg-6m5h. This is catalogued as CVE-2025-66415.

What's Changed

• Add test for text/event-stream proxying with custom parser by @​mcollina in fastify/fastify-reply-from#438

Full Changelog: fastify/fastify-reply-from@v12.4.0...v12.5.0

v12.4.0

What's Changed

... (truncated)

Commits

• 457ac75 Bumped v12.6.2
• c815dc4 Merge commit from fork
• 1b8a45d ci: add lock-threads workflow (#466)
• a71839c build(deps-dev): Bump proxy from 2.2.0 to 4.0.0 (#464)
• f8aa76f build(deps-dev): Bump neostandard from 0.12.2 to 0.13.0 (#463)
• e697b5e build(deps): Bump fastify/workflows/.github/workflows/plugins-ci.yml (#462)
• 456a7e3 fix: correct path traversal check to allow '...' in URL path segments (#461)
• e61ac4d Bumped v12.6.1
• 4b87813 fix: avoid trailing ? when queryString option resolves to empty string (#459)
• f883886 build(deps-dev): Bump c8 from 10.1.3 to 11.0.0 (#456)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by climba03003, a new releaser for @​fastify/reply-from since your current version.

Updates brace-expansion from 2.0.1 to 2.1.0

Release notes

Sourced from brace-expansion's releases.

v2.0.2

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

---

juliangruber/brace-expansion@v2.0.1...v2.0.2

Commits

• 1ee4a90 2.1.0
• b0302ac Add opt-in { max } mitigation to v2 legacy line (#100)
• 73b5459 2.0.3
• 311ac0d Backport fix for GHSA-f886-m6hf-6m8v to v2 (#96)
• a3efcee 2.0.2
• 14f1d91 pkg: publish on tag 2.x
• ed7780a fmt
• 36603d5 Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65)
• See full diff in compare view

Updates devalue from 4.3.2 to 5.7.1

Release notes

Sourced from devalue's releases.

v5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

v5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

... (truncated)

Changelog

Sourced from devalue's changelog.

5.7.1

Patch Changes

• 8becc7c: fix: handle regexes consistently in uneval's value and reference formats

5.7.0

Minor Changes

• df2e284: feat: use native alternatives to encode/decode base64
• 498656e: feat: add DataView support
• a210130: feat: whitelist Float16Array
• df2e284: feat: simplify TypedArray slices

Patch Changes

• 5590634: fix: get uneval type handling up to parity with stringify
• 57f73fc: fix: correctly support boxed bigints and sentinel values

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

... (truncated)

Commits

• 6eb920a Version Packages (#146)
• 8becc7c fix: handle regexes consistently in uneval's value and reference formats (#145)
• 2eee2e4 Version Packages (#144)
• 498656e DataView support (#143)
• 5590634 Improve platform types support (#142)
• 57f73fc fix: support boxed bigints and sentinel values (#141)
• baec4cb Add prettier configuration (#140)
• a210130 feat: whitelist Float16Array (#137)
• df2e284 feat: use native alternatives to encode/decode base64 (#136)
• 26b7c8d chore: add simple benchmarks (#135)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for devalue since your current version.

Updates minimatch from 5.1.6 to 5.1.9

Commits

• 4419b6e 5.1.9
• 383ce59 docs: add warning about ReDoS
• b02ef18 fix partial matching of globstar patterns
• e92ae29 5.1.8
• 79e4447 limit recursion for **, improve perf considerably
• 85ec0ff lockfile update
• 647146e lock node version to 14
• 85646c8 5.1.7
• 977c2d8 update CI matrix and actions
• 421ad12 update test expectations for coalesced consecutive stars
• Additional commits viewable in compare view

Updates picomatch from 2.3.1 to 2.3.2

Release notes

Sourced from picomatch's releases.

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• 81cba8d Publish 2.3.2
• fc1f6b6 Merge commit from fork
• eec17ae Merge commit from fork
• 78f8ca4 Merge pull request #156 from micromatch/backport-144
• 3f4f10e Merge pull request #144 from Jason3S/jdent-object-properties
• See full diff in compare view

Updates rollup from 4.13.0 to 4.60.2

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])
• #6332: chore(deps): update codecov/codecov-action action to v6 (@​renovate[bot])
• #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@​renovate[bot])
• #6334: fix(deps): update rust crate swc_compiler_base to v51 (@​renovate[bot])
• #6335: chore(deps): lock file maintenance (@​renovate...

  Description has been truncated

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud