Sourced from @​babel/runtime's releases.

v7.27.1 (2025-04-30)

Thanks @​kermanx and @​woaitsAryan for your first PRs!

:eyeglasses: Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@​JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@​JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@​JLHwung)

:bug: Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@​kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@​magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@​Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@​JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@​JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@​JLHwung)
  • #17080 Fix start of TSParameterProperty (@​JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@​JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@​liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@​JLHwung)

:nail_care: Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@​nicolo-ribaudo)

:house: Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@​nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@​JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@​JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@​liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@​nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@​JLHwung)

... (truncated)

Sourced from @​babel/runtime's changelog.

v7.27.1 (2025-04-30)

:eyeglasses: Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@​JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@​JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@​JLHwung)

:bug: Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@​kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@​magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@​Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@​JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@​JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@​JLHwung)
  • #17080 Fix start of TSParameterProperty (@​JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@​JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@​liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@​JLHwung)

:nail_care: Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@​nicolo-ribaudo)

:house: Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@​nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@​JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@​JLHwung)
• Other
  • #17232 Bump typescript-eslint to 8.29.1 (@​JLHwung)
  • #17219 test: add basic typescript-eslint integration tests (@​JLHwung)
  • #17205 Inline regenerator in the relevant packages (@​nicolo-ribaudo)
• babel-register
  • #16844 Migrate @babel/register to cts (@​liuxingbaoyu)
• babel-cli, babel-compat-data, babel-core, babel-generator, babel-helper-compilation-targets, babel-helper-fixtures, babel-helper-module-imports, babel-helper-module-transforms, babel-helper-plugin-test-runner, babel-helper-transform-fixture-test-runner, babel-helpers, babel-node, babel-parser, babel-plugin-transform-modules-amd, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-modules-umd, babel-plugin-transform-react-display-name, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-preset-env, babel-register, babel-standalone, babel-types
  • #17207 Enforce node protocol import (@​JLHwung)
• babel-plugin-transform-regenerator

... (truncated)

• eebd3a0 v7.27.1
• 296cdc5 Remove unused regenerator-runtime dep in @babel/runtime (#17263)
• fdc0fb5 [Babel 8] Bump nodejs requirements to ^20.19.0 || >= 22.12.0 (#17204)
• 5c350ea v7.27.0
• ca4865a Fix: align behaviour to tsc rewriteRelativeImportExtensions (#17118)
• e1ce99d v7.26.10
• d5952e8 Fix processing of replacement pattern with named capture groups (#17173)
• 64bca7b v7.26.9
• 2d95140 v7.26.7
• 63d3038 v7.26.0
• Additional commits viewable in compare view

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

https://github.com/jshttp/cookie/compare/v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

https://github.com/jshttp/cookie/compare/v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

https://github.com/jshttp/cookie/compare/v0.6.0...v0.7.0

0.6.0

• Add partitioned option

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

• 6bca388 chore(release): bump version [skip ci]
• c46fd4f chore(deps): allow react v19 as peer deps (#12352)
• 3dfe5d5 chore: Update docusaurus.config.js
• 0447db0 chore(v4): add sent.dm sponsor (#12172)
• 5a5859a docs: Update options.md
• 5ad7fb4 docs: Update options.md
• c7ea50d chore(release): bump version [skip ci]
• 490a033 fix: support AUTH_SECRET for compat with npx auth secret
• 1e6be72 fix: functions that return promises must be async (#12105)
• ddab3cc chore(release): bump version [skip ci]
• Additional commits viewable in compare view

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• Additional commits viewable in compare view

Sourced from next's releases.

v15.3.2

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#78488) (#78883)
• @​next/mdx: Use stable turbopack config options (#78880)
• Fix react-compiler: Fix detection of interest (#78879)
• Fix turbopack: Backport sourcemap bugfix (#78881)
• [next-server] preserve rsc query for rsc redirects (#78876)
• Update middleware public/static matching (#78875)

Credits

Huge thanks to @​ijjk, @​huozhi, @​kdy1, @​wbinnssmith, and @​bgw for helping!

v15.3.1

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Backport SWC-based RC optimization (#78260)
• fix: bump image-size@1.2.1 (#78164)

Credits

Huge thanks to @​kdy1 and @​styfle for helping!

v15.3.1-canary.15

Core Changes

• [Turbopack] refactor persistent caching from log based to cow approach: #76234

Misc Changes

• fix(turbo-tasks-fs): Handle filesystem watcher rescan events: #78045

Credits

Huge thanks to @​bgw and @​sokra for helping!

v15.3.1-canary.14

Core Changes

• Add graceful error boundary for bots requests: #78298
• make sure eslint-plugin-next is built when running 'pnpm dev': #78305
• Migrate pages API routes to handler interface: #78166

... (truncated)

• d9ec4a4 v15.3.2
• 3def5ff backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOu...
• d0b2f8a @​next/mdx: Use stable turbopack config options (#78880)
• 04176de fix(react-compiler): Fix detection of interest (#78879)
• b40778b fix(turbopack): Backport sourcemap bugfix (#78881)
• 20f3120 [next-server] preserve rsc query for rsc redirects (#78876)
• b464d18 Update middleware public/static matching (#78875)
• fa536cf v15.3.1
• 256e6f0 update learn allow branch
• 84e103b chore: Backport SWC-based RC optimization (#78260)
• Additional commits viewable in compare view

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Sourced from nanoid's releases.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

Sourced from nanoid's changelog.

3.3.11

• Fixed React Native support.

3.3.10

• Fixed React Native support (by @​steida).

3.3.9

• Reduced npm package size.

3.3.8

• Fixed a way to break Nano ID by passing non-integer size (by @​myndzi).

• 37289ce Release 3.3.11 version
• 23690b7 Fix CI
• c147962 Fix RN support
• a83734e Move to manually ESM/CJS dual package
• bb12e8a Release 3.3.10 version
• 8f44264 Fix Expo support
• adf9b0c Release 3.3.9 version
• 1c6f088 Remove dev file from npm package
• 3044cd5 Release 3.3.8 version
• 4fe3495 Update size limit
• Additional commits viewable in compare view

Sourced from next's releases.

v15.3.2

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOutput (#78488) (#78883)
• @​next/mdx: Use stable turbopack config options (#78880)
• Fix react-compiler: Fix detection of interest (#78879)
• Fix turbopack: Backport sourcemap bugfix (#78881)
• [next-server] preserve rsc query for rsc redirects (#78876)
• Update middleware public/static matching (#78875)

Credits

Huge thanks to @​ijjk, @​huozhi, @​kdy1, @​wbinnssmith, and @​bgw for helping!

v15.3.1

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Backport SWC-based RC optimization (#78260)
• fix: bump image-size@1.2.1 (#78164)

Credits

Huge thanks to @​kdy1 and @​styfle for helping!

v15.3.1-canary.15

Core Changes

• [Turbopack] refactor persistent caching from log based to cow approach: #76234

Misc Changes

• fix(turbo-tasks-fs): Handle filesystem watcher rescan events: #78045

Credits

Huge thanks to @​bgw and @​sokra for helping!

v15.3.1-canary.14

Core Changes

• Add graceful error boundary for bots requests: #78298
• make sure eslint-plugin-next is built when running 'pnpm dev': #78305
• Migrate pages API routes to handler interface: #78166

... (truncated)

• d9ec4a4 v15.3.2
• 3def5ff backport: fix(turbopack): Store persistence of wrapped task on RawVc::LocalOu...
• d0b2f8a @​next/mdx: Use stable turbopack config options (#78880)
• 04176de fix(react-compiler): Fix detection of interest (#78879)
• b40778b fix(turbopack): Backport sourcemap bugfix (#78881)
• 20f3120 [next-server] preserve rsc query for rsc redirects (#78876)
• b464d18 Update middleware public/static matching (#78875)
• fa536cf v15.3.1
• 256e6f0 update learn allow branch
• 84e103b chore: Backport SWC-based RC optimization (#78260)
• Additional commits viewable in compare view

Sourced from pug's releases.

pug-code-gen@3.0.3

Bug Fixes

• Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options (#3438)

pug@3.0.3

Bug Fixes

• Update pug-code-gen with the following fix: (#3438)

  Validate templateName and globals are valid JavaScript identifiers to prevent possible remote code execution if un-trusted user input is passed to the compilation options

• 32acfe8 fix: ensure template names are valid identifiers (#3438)
• 4767caf refactor: convert pug-error to TypeScript (#3355)
• a724446 chore: update character-parser (#3354)
• 6cca8f7 docs: fix GitHub format in README (#3335)
• See full diff in compare view

Sourced from dompurify's releases.

DOMPurify 3.2.5

• Added a check to the mXSS detection regex to be more strict, thanks @​masatokinugawa
• Added ESM type imports in source, removes patch function, thanks @​donmccurdy
• Added script to verify various TypeScript configurations, thanks @​reduckted
• Added more modern browsers to the Karma launchers list
• Added Node 23.x to tested runtimes, removed Node 17.x
• Fixed the generation of source maps, thanks @​reduckted
• Fixed an unexpected behavior with ALLOWED_URI_REGEXP using the 'g' flag, thanks @​hhk-png
• Fixed a few typos in the README file

DOMPurify 3.2.4

• Fixed a conditional and config dependent mXSS-style bypass reported by @​nsysean
• Added a new feature to allow specific hook removal, thanks @​davecardwell
• Added purify.js and purify.min.js to exports, thanks @​Aetherinox
• Added better logic in case no window object is president, thanks @​yehuya
• Updated some dependencies called out by dependabot
• Updated license files etc to show the correct year

DOMPurify 3.2.3

• Fixed two conditional sanitizer bypasses discovered by @​parrot409 and @​Slonser
• Updated the attribute clobbering checks to prevent future bypasses, thanks @​parrot409

DOMPurify 3.2.2

• Fixed a possible bypass in case a rather specific config for custom elements is set, thanks @​yaniv-git
• Fixed several minor issues with the type definitions, thanks again @​reduckted
• Fixed a minor issue with the types reference for trusted types, thanks @​reduckted
• Fixed a minor problem with the template detection regex on some systems, thanks @​svdb99

DOMPurify 3.2.1

• Fixed several minor issues with the type definitions, thanks @​reduckted @​ghiscoding @​asamuzaK @​MiniDigger
• Fixed an issue with non-minified dist files and order of imports, thanks @​reduckted

DOMPurify 3.2.0

• Added type declarations, thanks @​reduckted , @​philmayfield, @​aloisklink, @​ssi02014 and others
• Fixed a minor issue with the handling of hooks, thanks @​kevin-mizu

DOMPurify 3.1.7

• Fixed an issue with comment detection and possible bypasses with specific config settings, thanks @​masatokinugawa
• Fixed several smaller typos in documentation and test & build files, thanks @​christianhg
• Added better support for Angular compiler, thanks @​jeroen1602
• Added several new attributes to HTML and SVG allow-list, thanks @​Gigabyte5671 and @​Rotzbua
• Removed the foreignObject element from the list of HTML entry-points, thanks @​masatokinugawa
• Bumped several dependencies to be more up to date

DOMPurify 3.1.6

• Fixed an issue with the execution logic of attribute hooks to prevent bypasses, thanks @​kevin-mizu
• Fixed an issue with element removal leading to uncaught errors through DOM Clobbering, thanks @​realansgar
• Fixed a minor problem with the bower file pointing to the wrong dist path
• Fixed several minor typos in docs, comments and comment blocks, thanks @​Rotzbua
• Updated several development dependencies

... (truncated)

• 7806004 Merge pull request #1082 from cure53/main
• f14c22f chore: Preparing 3.2.5 release
• c69d7a8 Merge pull request #1080 from hhk-png/main
• fce40b5 chore: for lint
• 59e8664 Merge branch 'cure53:main' into main
• e62e3ef fix: Using ALLOWED_URI_REGEXP with the 'g' flag leads to incorrect results
• b428788 Update README.md
• 72c00db Merge branch 'main' of github.com:cure53/DOMPurify
• 49882dc test: Added Node 23.x to tested runtimes, removed Node 17.x
• 2e5fd64 Merge pull request #1078 from reduckted/fix-sourcemaps
• Additional commits viewable in compare view

Sourced from express's releases.

v5.1.0

What's Changed

• Update captains by @​UlisesGascon in expressjs/express#6027
• build: Node.js 23.0 by @​bjohansebas in expressjs/express#6075
• Add funding field (v5) by @​bjohansebas in expressjs/express#6064Description has been truncated