Bump the npm_and_yarn group across 3 directories with 15 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
vite	5.4.11	5.4.21
astro	5.4.1	5.15.9
dompurify	3.1.7	3.2.4
js-yaml	4.1.0	4.1.1
markdown-it	13.0.2	14.1.1
@nuxt/devtools	1.6.3	2.6.4
glob	10.4.2	12.0.0
nuxt	3.14.1592	3.19.0

Bumps the npm_and_yarn group with 6 updates in the /apps/frontend directory:

Package	From	To
dompurify	3.1.7	3.2.4
js-yaml	4.1.0	4.1.1
markdown-it	14.1.0	14.1.1
@nuxt/devtools	1.6.3	2.6.4
glob	10.4.2	12.0.0
nuxt	3.14.1592	3.19.0

Bumps the npm_and_yarn group with 1 update in the /packages/ui directory: markdown-it.

Updates vite from 5.4.11 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates astro from 5.4.1 to 5.15.9

Changelog

Sourced from astro's changelog.

5.15.9

Patch Changes

• #14786 758a891 Thanks @​mef! - Add handling of invalid encrypted props and slots in server islands.

• #14783 504958f Thanks @​florian-lefebvre! - Improves the experimental Fonts API build log to show the number of downloaded files. This can help spotting excessive downloading because of misconfiguration

• #14791 9e9c528 Thanks @​Princesseuh! - Changes the remote protocol checks for images to require explicit authorization in order to use data URIs.

  In order to allow data URIs for remote images, you will need to update your astro.config.mjs file to include the following configuration:

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  images: {
  remotePatterns: [
  {
  protocol: 'data',
  },
  ],
  },
  });

• #14787 0f75f6b Thanks @​matthewp! - Fixes wildcard hostname pattern matching to correctly reject hostnames without dots

  Previously, hostnames like localhost or other single-part names would incorrectly match patterns like *.example.com. The wildcard matching logic has been corrected to ensure that only valid subdomains matching the pattern are accepted.

• #14776 3537876 Thanks @​ktym4a! - Fixes the behavior of passthroughImageService so it does not generate webp.

• Updated dependencies [9e9c528, 0f75f6b]:

  • @​astrojs/internal-helpers@​0.7.5
  • @​astrojs/markdown-remark@​6.3.9

5.15.8

Patch Changes

• #14772 00c579a Thanks @​matthewp! - Improves the security of Server Islands slots by encrypting them before transmission to the browser, matching the security model used for props. This improves the integrity of slot content and prevents injection attacks, even when component templates don't explicitly support slots.

  Slots continue to work as expected for normal usage—this change has no breaking changes for legitimate requests.

• #14771 6f80081 Thanks @​matthewp! - Fix middleware pathname matching by normalizing URL-encoded paths

  Middleware now receives normalized pathname values, ensuring that encoded paths like /%61dmin are properly decoded to /admin before middleware checks. This prevents potential security issues where middleware checks might be bypassed through URL encoding.

5.15.7

... (truncated)

Commits

• 7a07f02 [ci] release (#14788)
• 8cf3f05 [ci] format
• 758a891 fix(astro): handle invalid encrypted props in server island (#14786)
• 3537876 fix: passthroughImageService generate webp (#14776)
• 048e4dc [ci] format
• 9e9c528 fix: require explicit authorization to use data urls (#14791)
• 0f75f6b Fix wildcard hostname matching to reject hostnames without dots (#14787)
• 504958f feat(fonts): log number of downloaded files (#14783)
• 24e28d2 fix(deps): update astro dependencies (#14779)
• 60af4d0 [ci] release (#14773)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for astro since your current version.

Updates dompurify from 3.1.7 to 3.2.4

Release notes

Sourced from dompurify's releases.

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

DOMPurify 3.2.3

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

DOMPurify 3.2.2

• Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
• Fixed several minor issues with the type definitions, thanks again @​reduckted
• Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
• Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

DOMPurify 3.2.1

• Fixed several minor issues with the type definitions, thanks @​reduckted @​ghiscoding @​asamuzaK @​MiniDigger
• Fixed an issue with non-minified dist files and order of imports, thanks @​reduckted

DOMPurify 3.2.0

• Added type declarations, thanks @​reduckted , @​philmayfield, @​aloisklink, @​ssi02014 and others
• Fixed a minor issue with the handling of hooks, thanks @​kevin-mizu

Commits

• ec29e65 Merge pull request #1062 from cure53/main
• 1c1b183 chore: Preparing 3.2.4 release
• d18ffcb fix: Changed the template literal regex to avoid a config-dependent bypass
• 0d64d2b Merge pull request #1060 from yehuya/initializeTestImprovements
• 9ad7933 tests: DOMPurify custom window tests improvements
• 72760ca Merge pull request #1059 from yehuya/fixMissingWindowElement
• bc72d44 Fix tests
• 363a89d fix: handle undefined Element in DOMPurify initialization
• f41b45d Update LICENSE
• b25bf26 Update README.md
• Additional commits viewable in compare view

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates markdown-it from 13.0.2 to 14.1.1

Changelog

Sourced from markdown-it's changelog.

[14.1.1] - 2026-01-11

Security

• Fixed regression from v13 in linkify inline rule. Specific patterns could cause high CPU use. Thanks to @​ltduc147 for report.

[14.1.0] - 2024-03-19

Changed

• Updated CM spec compatibility to 0.31.2, #1009.

Fixed

• Fixed quadratic complexity when parsing references, #996.
• Fixed quadratic output size with pathological user input in tables, #1000.

[14.0.0] - 2023-12-08

Changed

• Drop ancient browsers support (use .fromCodePoint and other features).
• Rewrite to ESM (including all plugins/deps). CJS fallback still available. No signatures changed, except markdown-it-emoji plugin.
• Dropped dist/ folder from repo, build on package publish.
• Set punicode.js as external dependency.

Fixed

• Html tokens inside img alt are now rendered as their original text, #896.
• Hardbreaks inside img alt are now rendered as newlines.

Commits

• b4a9b65 14.1.1 released
• 4b4bbca Fixed perf regression in linkify-it wrapper
• d2782d8 Add supplementary example-driven documentation (#1092)
• 0fe7ccb 14.1.0 released
• a367c44 Fix typo in comments of text.mjs (#1015)
• 7ad8179 add changelog
• 5e90063 simplify logic in scanDelims
• d7ce5ec Merge pull request #1009 from notriddle/spec-0.31.2
• 0bfc57d Update spec to 0.31.2
• cd24778 Update to comply with spec 0.31.2
• Additional commits viewable in compare view

Updates @nuxt/devtools from 1.6.3 to 2.6.4

Release notes

Sourced from @​nuxt/devtools's releases.

v2.6.4

   🐞 Bug Fixes

• Using textContent instead of innerHtml for auth pagechore: update lock  -  by @​antfu (7cadb)

    View changes on GitHub

v2.6.3

No significant changes

    View changes on GitHub

v2.6.2

   🐞 Bug Fixes

• Panel dragging issue, close #874, close #871, close #873  -  by @​antfu in nuxt/devtools#874, nuxt/devtools#871 and nuxt/devtools#873 (619de)

    View changes on GitHub

v2.6.1

   🐞 Bug Fixes

• deps: Do not depend on @nuxt/schema  -  by @​danielroe in nuxt/devtools#872 (62443)

    View changes on GitHub

v2.6.0

   🚀 Features

• Update deps  -  by @​antfu (eef2c)

   🐞 Bug Fixes

• Timing labels wrapping  -  by @​DallasHoff in nuxt/devtools#866 (fd01e)

    View changes on GitHub

v2.5.0

   🚀 Features

• Use webcomponents for embedded views  -  by @​antfu in nuxt/devtools#864 (ad8f3)

   🐞 Bug Fixes

• Inspector interaction  -  by @​antfu (bbc62)

    View changes on GitHub

v2.5.0-beta.2

   🐞 Bug Fixes

... (truncated)

Changelog

Sourced from @​nuxt/devtools's changelog.

2.6.4 (2025-09-19)

Bug Fixes

• using textContent instead of innerHtml for auth pagechore: update lock (7cadbbe)

2.6.3 (2025-08-22)

2.6.2 (2025-07-02)

Bug Fixes

• panel dragging issue, close #874, close #871, close #873 (619de37)

2.6.1 (2025-07-01)

Bug Fixes

• deps: do not depend on @nuxt/schema (#872) (62443ec)

2.6.0 (2025-06-29)

Bug Fixes

• timing labels wrapping (#866) (fd01e60)

Features

• update deps (eef2c09)

2.5.0 (2025-06-04)

2.5.0-beta.2 (2025-06-04)

... (truncated)

Commits

• 39a0677 chore: release v2.6.4
• 7cadbbe fix: using textContent instead of innerHtml for auth pagechore: update lock
• 27f80d0 chore: release v2.6.3
• d602a81 chore: release v2.6.2
• 619de37 fix: panel dragging issue, close #874, close #871, close #873
• 8d2ca01 chore: release v2.6.1
• 0af979e chore: update deps
• e07326b chore: release v2.6.0
• b3754b8 chore: lint
• fd01e60 fix: timing labels wrapping (#866)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nuxt/devtools since your current version.

Updates glob from 10.4.2 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2b03cca 12.0.0
• d56203d prettier config
• bb521e5 Remove --shell option where unsafe to use
• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• 59bf9ca fix notes
• dde4fa6 docs(README): add #anchor and improve notes
• 0559b0e docs: add better links to path-scurry docs
• c9773c2 fix: correct typos in README.md
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates nuxt from 3.14.1592 to 3.19.0

Release notes

Sourced from nuxt's releases.

v3.19.0

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Add ignore option to resolveFiles (#32858)
• kit: Add onInstall and onUpgrade module hooks (#32397)
• nuxt,vite: Add experimental support for rolldown-vite (#31812)
• nuxt: Extract defineRouteRules to page rules property (#32897)
• nuxt,vite: Use importmap to increase chunk stability (#33075)
• nuxt: Lazy hydration macros without auto-imports (#33037)
• kit,nuxt,schema: Allow modules to specify dependencies (#33063)
• kit,nuxt: Add getLayerDirectories util and refactor to use it (#33098)

🔥 Performance

• nuxt: Clear inline route rules cache when pages change (#32877)
• nuxt: Stop watching app manifest once a change has been detected (#32880)

🩹 Fixes

• nuxt: Handle satisfies in page augmentation (#32902)
• nuxt: Type response in useFetch hooks (#32891)
• nuxt: Add TS parenthesis and as expression for page meta extraction (#32914)
• nuxt: Use correct unit thresholds for relative time (#32893)
• nuxt: Handle uncached current build manifests (#32913)
• kit: Resolve directories in resolvePath and normalize file extensions (#32857)
• schema,vite: Bump requestTimeout + allow configuration (#32874)
• nuxt: Deep merge extracted route meta (#32887)
• nuxt: Do not expose app components until fully resolved (#32993)
• kit: Only exclude node_modules/ if no custom srcDir (#32987)
• nuxt: Compare final matched routes when syncing route object (#32899)
• nuxt: Make vue server warnings much less verbose in dev mode (#33018)
• schema: Allow disabling cssnano/autoprefixer postcss plugins (#33016)
• kit: Ensure local layers are prioritised alphabetically (#33030)
• kit,nuxt: Expose global types to vue compiler (#33026)
• nuxt: Support config type inference for defineNuxtModule().with() (#33081)
• nuxt: Search for colliding names in route children (31a9282c2)
• nuxt: Delete nuxtApp._runningTransition on resolve (#33025)
• nuxt: Add validation for nuxt island reviver key (#33069)

... (truncated)

Commits

• 8956505 v3.19.0
• 9a3b445 test: update test for app creation
• ae8b0d2 fix(kit): prioritise local layers over extended layers
• 2fd3bc2 feat(kit,nuxt): add getLayerDirectories util and refactor to use it (#33098)
• 6cc79dd feat(kit,nuxt,schema): allow modules to specify dependencies (#33063)
• 78153ba fix(nuxt): add validation for nuxt island reviver key (#33069)
• f4e38b7 fix(nuxt): delete nuxtApp._runningTransition on resolve (#33025)
• 31a9282 fix(nuxt): search for colliding names in route children
• 10fd012 refactor(kit,nuxt,ui-templates,vite): address deprecations + improve regexp p...
• 04dda84 feat(nuxt): lazy hydration macros without auto-imports (#33037)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nuxt since your current version.

Updates @nuxt/vite-builder from 3.14.1592 to 3.19.0

Release notes

Sourced from @​nuxt/vite-builder's releases.

v3.19.0

👀 Highlights

Please see the release notes for Nuxt v4.1 for full details on the features and fixes in Nuxt v3.19.

✅ Upgrading

As usual, our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will refresh your lockfile and pull in all the latest dependencies that Nuxt relies on, especially from the unjs ecosystem.

👉 Changelog

compare changes

🚀 Enhancements

• kit: Add ignore option to resolveFiles (#32858)
• kit: Add onInstall and onUpgrade module hooks (#32397)
• nuxt,vite: Add experimental support for rolldown-vite (#31812)
• nuxt: Extract defineRouteRules to page rules property (#32897)
• nuxt,vite: Use importmap to increase chunk stability (#33075)
• nuxt: Lazy hydration macros without auto-imports (#33037)
• kit,nuxt,schema: Allow modules to specify dependencies (#33063)
• kit,nuxt: Add getLayerDirectories util and refactor to use it (#33098)

🔥 Performance

• nuxt: Clear inline route rules cache when pages change (#32877)
• nuxt: Stop watching app manifest once a change has been detected (#32880)

🩹 Fixes

• nuxt: Handle satisfies in page augmentation (#32902)
• nuxt: Type response in useFetch hooks (#32891)
• nuxt: Add TS parenthesis and as expression for page meta extraction (#32914)
• nuxt: Use correct unit thresholds for relative time (#32893)
• nuxt: Handle uncached current build manifests (#32913)
• kit: Resolve directories in resolvePath and normalize file extensions (#32857)
• schema,vite: Bump requestTimeout + allow configuration (#32874)
• nuxt: Deep merge extracted route meta (#32887)
• nuxt: Do not expose app components until fully resolved (#32993)
• kit: Only exclude node_modules/ if no custom srcDir (#32987)
• nuxt: Compare final matched routes when syncing route object (#32899)
• nuxt: Make vue server warnings much less verbose in dev mode (#33018)
• schema: Allow disabling cssnano/autoprefixer postcss plugins (#33016)
• kit: Ensure local layers are prioritised alphabetically (#33030)
• kit,nuxt: Expose global types to vue compiler (#33026)
• nuxt: Support config type inference for defineNuxtModule().with() (#33081)
• nuxt: Search for colliding names in route children (31a9282c2)
• nuxt: Delete nuxtApp._runningTransition on resolve (#33025)
• nuxt: Add validation for nuxt island reviver key (#33069)

... (truncated)

Commits

• 8956505 v3.19.0
• 2fd3bc2 feat(kit,nuxt): add getLayerDirectories util and refactor to use it (#33098)
• 10fd012 refactor(kit,nuxt,ui-templates,vite): address deprecations + improve regexp p...
• 9ea90fc refactor(vite): simplify inline chunk iteration
• e6618e2 feat(nuxt,vite): use importmap to increase chunk stability (#33075)
• 6ae620e feat(nuxt,vite): add experimental support for rolldown-vite (#31812)
• bebdbf5 fix(schema,vite): bump requestTimeout + allow configuration (#32874)
• cf7175d chore(deps): update all non-major dependencies (3.x) (#33095)
• 436cf01 chore(deps): update all non-major dependencies (3.x) (#33062)
• 4b5b219 chore(deps): update all non-major dependencies (3.x) (#33055)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nuxt/vite-builder since your current version.

Updates devalue from 5.1.1 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

v5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

v5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

v5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

v5.4.0

Minor Changes

• 9306d09: feat: pass uneval to replacer, for handling nested custom types

Patch Changes

• b617c7c: perf: shrink uneval output with null-proto objects

v5.3.2

Patch Changes

... (truncated)

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

5.5.0

Minor Changes

• 828fa1c: Enable support for custom reducer/reviver for "function" values

5.4.2

Patch Changes

• 5c26c0d: fix: allow custom revivers to revive things serialized by builtin reducers

5.4.1

Patch Changes

• ca3c7b6: chore: Remove impossible void type from replacer's uneval

5.4.0

Minor Changes

... (truncated)

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• 5e07a67 Version Packages (#129)
• aa09604 Bump js-yaml from 3.14.1 to 3.14.2 (#125)
• 2161d44 fix: add hasOwn check before calling reviver (#128)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for devalue since your current version.

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

• b7b6339 v5.2.2
• b5377ab Update package version to 5.2.1
• 7801789 Backport kpdecker/jsdiff#649
• 042a837 Backport kpdecker/jsdiff#647
• See full diff in compare view

Updates h3 from 1.13.0 to 1.15.5

Release notes

Sourced from h3's rel...

Description has been truncated

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.