Sourced from next-auth's releases.

[email protected]

What's Changed

• fix: functions that return promises must be async by @​thomaslindstrom in nextauthjs/next-auth#12105
• fix: support AUTH_SECRET for compat with npx auth secret by @​balazsorban44 in nextauthjs/next-auth@490a033

Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.24.10

[email protected]

What's Changed

• chore(docs): fix typo in WorkOS documentation by @​outofgamut in nextauthjs/next-auth#11959
• chore(v4): add neon sponsor by @​ndom91 in nextauthjs/next-auth#12008
• cookie package upgraded by @​talyuk in nextauthjs/next-auth#12046
• Allow Next.js v15 peer dependency by @​thomaslindstrom in nextauthjs/next-auth#12098
• await dynamic APIs as per Next.js 15 changes by @​balazsorban44 in nextauthjs/next-auth@4d143c5

New Contributors

• @​outofgamut made their first contribution in nextauthjs/next-auth#11959
• @​talyuk made their first contribution in nextauthjs/next-auth#12046
• @​thomaslindstrom made their first contribution in nextauthjs/next-auth#12098

Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.24.9

• 6bca388 chore(release): bump version [skip ci]
• c46fd4f chore(deps): allow react v19 as peer deps (#12352)
• 3dfe5d5 chore: Update docusaurus.config.js
• 0447db0 chore(v4): add sent.dm sponsor (#12172)
• 5a5859a docs: Update options.md
• 5ad7fb4 docs: Update options.md
• c7ea50d chore(release): bump version [skip ci]
• 490a033 fix: support AUTH_SECRET for compat with npx auth secret
• 1e6be72 fix: functions that return promises must be async (#12105)
• ddab3cc chore(release): bump version [skip ci]
• Additional commits viewable in compare view

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

0.6.0

• Add partitioned option

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Sourced from nanoid's releases.

3.3.9

• Reduced npm package size.

Sourced from nanoid's changelog.

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Sourced from next's releases.

v15.2.1

Core Changes

• Unify Link and Form prefetching: #76184
• Turbopack: Ensure server actions sourcemaps tests pass: #76157
• [dev-overlay] control dark theme in one place: #76528
• [dev-overlay] change css var for terminal: #76590
• [dev-overlay] Discriminate stack frame settled typed: #76517
• Remove obsolete sourcePackage references: #76550
• refactor: remove unused variable in externals handling: #76599
• fix: Add popular embedding libraries to serverExternalPackages: #76574
• [Segment Cache] Implement hash-only navigations: #76179
• Webpack: abstract away getting compilation spans: #76579
• report compiler duration for webpack and improve numbers: #76665
• [dev-overlay] fix dark theme missing close bracket: #76672
• Remove revalidate property from incremental cache ctx for FETCH kind: #76500
• [dev-overlay] fix: env name label style was out of sync with error type label: #76668
• Turbopack: avoid celling source maps before minify: #76626
• refactor(CI): Merge all four bundler test manifest scripts into one: #76652
• [metadata] fix duplicate metadata for parallel routes: #76669
• [Segment Cache] Omit from bundle if flag disabled: #76622
• [Segment Cache] Support output: "export" mode: #75671
• [Segment Cache] Refresh on same-page navigation: #76223
• [metadata] re-enable streaming metadata with PPR: #76119
• [Segment Cache] Search param fallback handling: #75990
• [Segment Cache] Fix: canonicalURL omits origin: #76444
• fix metadata basePath for manifest: #76681
• Propagate expire time to cache-control header and prerender manifest: #76207
• Show revalidate/expire columns in build output: #76343
• Gate alternate bundler behind canary only: #76634
• [dynamicIO] routes with dynamic segments should be able to be static in dev: #76691
• [repo] upgrade ts 5.8.2: #76709
• [metadata]: ensure metadata boundary is only rendered once on client nav: #76692
• [metadata] clean up redudant options: #76712
• Fix uniqueness detection for generateStaticParams: #76713
• Upgrade React from 22e39ea7-20250225 to d55cc79b-20250228: #76680
• [Turbopack] Compute module batches and use them for chunking: #76133
• [Dev Tools] Improve keyboard interactions for menu & overlays: #76754
• Keep server code out of browser chunks: #76660
• Turbopack: inline minify into code generation and make it a plain function instead of a turbo tasks function: #76628
• fix edge runtime asset fetch in pages api: #76750
• Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler: #76682

Example Changes

• docs: fix reading params code blocks: #76705

Misc Changes

• fix(rustdoc): Fix rustdoc warnings, block on rustdoc failures in CI: #76448

... (truncated)

• 6338781 v15.2.1
• 197b4bb v15.2.1-canary.6
• f5e2dcc Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler (#...
• e45411e Fix flaky Bun test (#76763)
• 0940320 chore(github): move top prs and feature requests to different Slack channel (...
• 4369731 feat(CI): Revalidate vercel data cache on areweturboyet after uploading data ...
• 58a22f7 Disable flaky Turbopack tests (#76760)
• 6dc8579 fix edge runtime asset fetch in pages api (#76750)
• ead6e95 Fix: missing close brace in demo code (#76549)
• bd39335 toDisplayRedbox(): replace all occurrences of testDir (#76618)
• Additional commits viewable in compare view

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Sourced from nanoid's releases.

3.3.9

• Reduced npm package size.

Sourced from nanoid's changelog.

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• d643045 Fix pool pollution, infinite loop (#510)
• See full diff in compare view

Sourced from next's releases.

v15.2.1

Core Changes

• Unify Link and Form prefetching: #76184
• Turbopack: Ensure server actions sourcemaps tests pass: #76157
• [dev-overlay] control dark theme in one place: #76528
• [dev-overlay] change css var for terminal: #76590
• [dev-overlay] Discriminate stack frame settled typed: #76517
• Remove obsolete sourcePackage references: #76550
• refactor: remove unused variable in externals handling: #76599
• fix: Add popular embedding libraries to serverExternalPackages: #76574
• [Segment Cache] Implement hash-only navigations: #76179
• Webpack: abstract away getting compilation spans: #76579
• report compiler duration for webpack and improve numbers: #76665
• [dev-overlay] fix dark theme missing close bracket: #76672
• Remove revalidate property from incremental cache ctx for FETCH kind: #76500
• [dev-overlay] fix: env name label style was out of sync with error type label: #76668
• Turbopack: avoid celling source maps before minify: #76626
• refactor(CI): Merge all four bundler test manifest scripts into one: #76652
• [metadata] fix duplicate metadata for parallel routes: #76669
• [Segment Cache] Omit from bundle if flag disabled: #76622
• [Segment Cache] Support output: "export" mode: #75671
• [Segment Cache] Refresh on same-page navigation: #76223
• [metadata] re-enable streaming metadata with PPR: #76119
• [Segment Cache] Search param fallback handling: #75990
• [Segment Cache] Fix: canonicalURL omits origin: #76444
• fix metadata basePath for manifest: #76681
• Propagate expire time to cache-control header and prerender manifest: #76207
• Show revalidate/expire columns in build output: #76343
• Gate alternate bundler behind canary only: #76634
• [dynamicIO] routes with dynamic segments should be able to be static in dev: #76691
• [repo] upgrade ts 5.8.2: #76709
• [metadata]: ensure metadata boundary is only rendered once on client nav: #76692
• [metadata] clean up redudant options: #76712
• Fix uniqueness detection for generateStaticParams: #76713
• Upgrade React from 22e39ea7-20250225 to d55cc79b-20250228: #76680
• [Turbopack] Compute module batches and use them for chunking: #76133
• [Dev Tools] Improve keyboard interactions for menu & overlays: #76754
• Keep server code out of browser chunks: #76660
• Turbopack: inline minify into code generation and make it a plain function instead of a turbo tasks function: #76628
• fix edge runtime asset fetch in pages api: #76750
• Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler: #76682

Example Changes

• docs: fix reading params code blocks: #76705

Misc Changes

• fix(rustdoc): Fix rustdoc warnings, block on rustdoc failures in CI: #76448

... (truncated)

• 6338781 v15.2.1
• 197b4bb v15.2.1-canary.6
• f5e2dcc Update use-cache-unknown-cache-kind.test.ts snapshot for alternate bundler (#...
• e45411e Fix flaky Bun test (#76763)
• 0940320 chore(github): move top prs and feature requests to different Slack channel (...
• 4369731 feat(CI): Revalidate vercel data cache on areweturboyet after uploading data ...
• 58a22f7 Disable flaky Turbopack tests (#76760)
• 6dc8579 fix edge runtime asset fetch in pages api (#76750)
• ead6e95 Fix: missing close brace in demo code (#76549)
• bd39335 toDisplayRedbox(): replace all occurrences of testDir (#76618)
• Additional commits viewable in compare view

Sourced from pug's releases.

[email protected]

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

[email protected]

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• See full diff in compare view

Sourced from dompurify's releases.

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

DOMPurify 3.2.3

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

DOMPurify 3.2.2

• Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
• Fixed several minor issues with the type definitions, thanks again @​reduckted
• Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
• Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

DOMPurify 3.2.1

• Fixed several minor issues with the type definitions, thanks @​reduckted @​ghiscoding @​asamuzaK @​MiniDigger
• Fixed an issue with non-minified dist files and order of imports, thanks @​reduckted

DOMPurify 3.2.0

• Added type declarations, thanks @​reduckted , @​philmayfield, @​aloisklink, @​ssi02014 and others
• Fixed a minor issue with the handling of hooks, thanks @​kevin-mizu

DOMPurify 3.1.7

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
• Added better support for Angular compiler, thanks @​jeroen1602
• Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
• Bumped several dependencies to be more up to date

DOMPurify 3.1.6

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
• Updated several development dependencies

DOMPurify 3.1.5

• Fixed a minor issue with the dist paths in bower.js, thanks @​HakumenNC
• Fixed a minor issue with sanitizing HTML coming from copy&paste Word content, thanks @​kakao-bishop-cho

DOMPurify 3.1.4

• Fixed an issue with the recently implemented isNaN checks, thanks @​tulach
• Added several new popover attributes to allow-list, thanks @​Gigabyte5671
• Fixed the tests and adjusted the test runner to cover all branches

... (truncated)

• ec29e65 Merge pull request #1062 from cure53/main
• 1c1b183 chore: Preparing 3.2.4 release
• d18ffcb fix: Changed the template literal regex to avoid a config-dependent bypass
• 0d64d2b Merge pull request #1060 from yehuya/initializeTestImprovements
• 9ad7933 tests: DOMPurify custom window tests improvements
• 72760ca Merge pull request #1059 from yehuya/fixMissingWindowElement
• bc72d44 Fix tests
• 363a89d fix: handle undefined Element in DOMPurify initialization
• f41b45d Update LICENSE
• b25bf26 Update README.md
• Additional commits viewable in compare view

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: [email protected] by @​blakeembrey in expressjs/express#5956
• deps: bump [email protected] by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: [email protected]
  • Fix backtracking protection
• deps: [email protected]
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: [email protected]
  • includes [email protected]
• deps: [email protected]
• deps: [email protected]

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

• 1faf228 4.21.2
• 2e0fb64 deps: bump [email protected] (#6209)
• 59fc270 deps: [email protected] (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• Additional commits viewable in compare view

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Sourced from katex's releases.

v0.16.21

0.16.21 (2025-01-17)

Bug Fixes

• escape \htmlData attribute name (57914ad)
  • See security advisory GHSA-cg87-wmx4-v546

v0.16.20

0.16...

Description has been truncated

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.