From 4c979a09b8e853264db1f681cad969feecab6696 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 21 Apr 2026 22:52:50 +0000
Subject: [PATCH] chore(release): version packages
---
 .changeset/fix-csrf-fetch-request-headers.md | 10 ---------
 .changeset/security-vite-unhead.md | 15 -------------
 packages/core/CHANGELOG.md | 14 ++++++++++++
 packages/core/package.json | 2 +-
 packages/express/CHANGELOG.md | 17 +++++++++++++++
 packages/express/package.json | 2 +-
 packages/nextjs/CHANGELOG.md | 23 ++++++++++++++++++++
 packages/nextjs/package.json | 2 +-
 packages/nuxt/CHANGELOG.md | 23 ++++++++++++++++++++
 packages/nuxt/package.json | 2 +-
 10 files changed, 81 insertions(+), 29 deletions(-)
 delete mode 100644 .changeset/fix-csrf-fetch-request-headers.md
 delete mode 100644 .changeset/security-vite-unhead.md
diff --git a/.changeset/fix-csrf-fetch-request-headers.md b/.changeset/fix-csrf-fetch-request-headers.md
deleted file mode 100644
index c4e14ac..0000000
--- a/.changeset/fix-csrf-fetch-request-headers.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-"@csrf-armor/nextjs": patch
-"@csrf-armor/nuxt": patch
----
-
-fix(client): preserve headers when `csrfFetch` is called with a `Request` object
-
-`csrfFetch` previously only read headers from the `init` argument, so when it was called with a full `Request` object (e.g. `csrfFetch(new Request(url, { headers }))`), the Request's headers were stripped. It now merges headers from the Request, then the `init` argument, then the CSRF headers (CSRF headers always take precedence), making `csrfFetch` a drop-in replacement for `fetch`.
-
-Fixes #49
diff --git a/.changeset/security-vite-unhead.md b/.changeset/security-vite-unhead.md
deleted file mode 100644
index 1cc2257..0000000
--- a/.changeset/security-vite-unhead.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-"@csrf-armor/core": patch
-"@csrf-armor/express": patch
-"@csrf-armor/nextjs": patch
-"@csrf-armor/nuxt": patch
----
-
-chore(deps): patch transitive dev dependency security advisories
-
-Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
-
-Addresses:
-- GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
-- GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
-- GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md
index 0e1b763..b3576c9 100644
--- a/packages/core/CHANGELOG.md
+++ b/packages/core/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @csrf-armor/core
+## 1.2.3
+
+### Patch Changes
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+ Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+ Addresses:
+
+ - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+ - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+ - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
 ## 1.2.2
 ### Patch Changes
diff --git a/packages/core/package.json b/packages/core/package.json
index ef94939..33ecc76 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@csrf-armor/core",
- "version": "1.2.2",
+ "version": "1.2.3",
 "description": "Framework-agnostic CSRF protection core functionality",
 "type": "module",
 "main": "./dist/index.mjs",
diff --git a/packages/express/CHANGELOG.md b/packages/express/CHANGELOG.md
index 2aa3d99..b2b86f2 100644
--- a/packages/express/CHANGELOG.md
+++ b/packages/express/CHANGELOG.md
@@ -1,5 +1,22 @@
 # @csrf-armor/express
+## 1.2.3
+
+### Patch Changes
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+ Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+ Addresses:
+
+ - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+ - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+ - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
+- Updated dependencies [[`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43)]:
+ - @csrf-armor/core@1.2.3
+
 ## 1.2.2
 ### Patch Changes
diff --git a/packages/express/package.json b/packages/express/package.json
index c214e7b..57903eb 100644
--- a/packages/express/package.json
+++ b/packages/express/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@csrf-armor/express",
- "version": "1.2.2",
+ "version": "1.2.3",
 "description": "Express.js adapter for CSRF Armor - Advanced CSRF protection for Express.js applications",
 "type": "module",
 "types": "./dist/index.d.ts",
diff --git a/packages/nextjs/CHANGELOG.md b/packages/nextjs/CHANGELOG.md
index 93f2b0c..80f9e18 100644
--- a/packages/nextjs/CHANGELOG.md
+++ b/packages/nextjs/CHANGELOG.md
@@ -1,5 +1,28 @@
 # @csrf-armor/nextjs
+## 1.4.3
+
+### Patch Changes
+
+- [#50](https://github.com/muneebs/csrf-armor/pull/50) [`7d4adeb`](https://github.com/muneebs/csrf-armor/commit/7d4adebc94ceb1f01a6af0807b7a5f0c7a92b1f0) Thanks [@muneebs](https://github.com/muneebs)! - fix(client): preserve headers when `csrfFetch` is called with a `Request` object
+
+ `csrfFetch` previously only read headers from the `init` argument, so when it was called with a full `Request` object (e.g. `csrfFetch(new Request(url, { headers }))`), the Request's headers were stripped. It now merges headers from the Request, then the `init` argument, then the CSRF headers (CSRF headers always take precedence), making `csrfFetch` a drop-in replacement for `fetch`.
+
+ Fixes #49
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+ Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+ Addresses:
+
+ - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+ - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+ - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
+- Updated dependencies [[`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43)]:
+ - @csrf-armor/core@1.2.3
+
 ## 1.4.2
 ### Patch Changes
diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
index 4eb5515..1f0e2e2 100644
--- a/packages/nextjs/package.json
+++ b/packages/nextjs/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@csrf-armor/nextjs",
- "version": "1.4.2",
+ "version": "1.4.3",
 "description": "CSRF protection middleware for Next.js applications",
 "type": "module",
 "main": "./dist/index.js",
diff --git a/packages/nuxt/CHANGELOG.md b/packages/nuxt/CHANGELOG.md
index 154df05..43edfd0 100644
--- a/packages/nuxt/CHANGELOG.md
+++ b/packages/nuxt/CHANGELOG.md
@@ -1,5 +1,28 @@
 # @csrf-armor/nuxt
+## 1.1.2
+
+### Patch Changes
+
+- [#50](https://github.com/muneebs/csrf-armor/pull/50) [`7d4adeb`](https://github.com/muneebs/csrf-armor/commit/7d4adebc94ceb1f01a6af0807b7a5f0c7a92b1f0) Thanks [@muneebs](https://github.com/muneebs)! - fix(client): preserve headers when `csrfFetch` is called with a `Request` object
+
+ `csrfFetch` previously only read headers from the `init` argument, so when it was called with a full `Request` object (e.g. `csrfFetch(new Request(url, { headers }))`), the Request's headers were stripped. It now merges headers from the Request, then the `init` argument, then the CSRF headers (CSRF headers always take precedence), making `csrfFetch` a drop-in replacement for `fetch`.
+
+ Fixes #49
+
+- [#52](https://github.com/muneebs/csrf-armor/pull/52) [`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43) Thanks [@muneebs](https://github.com/muneebs)! - chore(deps): patch transitive dev dependency security advisories
+
+ Bumps pnpm overrides for `vite` (`^6.4.1` → `^6.4.2`) and `unhead` (`>=2.1.11` → `>=2.1.13`) to pull in patched versions. These are dev/build-time dependencies only — no runtime behavior or published API changes.
+
+ Addresses:
+
+ - GHSA: Vite arbitrary file read via dev server WebSocket (high, <=6.4.1)
+ - GHSA: Vite path traversal in optimized deps `.map` handling (medium, <=6.4.1)
+ - GHSA: Unhead `hasDangerousProtocol()` bypass via leading-zero padded HTML entities in `useHeadSafe()` (medium, <2.1.13)
+
+- Updated dependencies [[`440e0af`](https://github.com/muneebs/csrf-armor/commit/440e0af0a55bf2b3c93e26d031ea31a40540ad43)]:
+ - @csrf-armor/core@1.2.3
+
 ## 1.1.1
 ### Patch Changes
diff --git a/packages/nuxt/package.json b/packages/nuxt/package.json
index 9894d8f..ff2da8b 100644
--- a/packages/nuxt/package.json
+++ b/packages/nuxt/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@csrf-armor/nuxt",
- "version": "1.1.1",
+ "version": "1.1.2",
 "description": "Nuxt module for CSRF protection powered by csrf-armor",
 "type": "module",
 "license": "MIT",