fix(deps): update npm#89
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
Test Results75 tests 75 ✅ 4s ⏱️ Results for commit 087550a. ♻️ This comment has been updated with latest results. |
8189936 to
f37e58d
Compare
a0a4c55 to
c575442
Compare
19a2d92 to
f684299
Compare
28bf73b to
bf392ad
Compare
de08799 to
4c968ac
Compare
d7bb7c6 to
f8d2771
Compare
f8d2771 to
4e3fc98
Compare
4e3fc98 to
5f07bd2
Compare
5f07bd2 to
b918e2a
Compare
5e27d7b to
b28e33f
Compare
0086312 to
7200907
Compare
7200907 to
087550a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^0.27.0→^0.28.07.0.0→7.2.00.5.19→0.5.201.14.1→1.15.23.8.1→3.9.43.5.1→3.5.2^0.7.2→^0.8.04.4.5→4.7.26.0.2→6.0.34.3.6→4.4.3Release Notes
evanw/esbuild (@esbuild/linux-arm64)
v0.28.1Compare Source
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.Thanks to @dellalibera for reporting this issue.
Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)
The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.
Note that esbuild's Deno API installs from
registry.npmjs.orgby default, but allows theNPM_CONFIG_REGISTRYenvironment variable to override this with a custom package registry. This change means that the esbuild executable served byNPM_CONFIG_REGISTRYmust now match the expected content.Thanks to @sondt99 for reporting this issue.
Avoid inlining
usingandawait usingdeclarations (#4482)Previously esbuild's minifier sometimes incorrectly inlined
usingandawait usingdeclarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done forletandconstdeclarations by avoiding doing it forvardeclarations, which no longer worked when more declaration types were added. Here's an example:Fix module evaluation when an error is thrown (#4461, #4467)
If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if
import()orrequire()is used to import a module multiple times. The thrown error is supposed to be thrown by every call toimport()orrequire(), not just the first. With this release, esbuild will now throw the same error every time you callimport()orrequire()on a module that throws during its evaluation.Fix some edge cases around the
newoperator (#4477)Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a
newexpression (specifically an optional chain and/or a tagged template literal). The generated code for thenewtarget was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap thenewtarget in parentheses. Here is an example of some affected code:Fix renaming of nested
vardeclarations (#4471)This release fixes a bug where
vardeclarations in nested scopes that are hoisted up to module scope were not correctly being renamed during bundling. That could previously lead to name collisions when minification was disabled, which could potentially cause a behavior change. The bug has been fixed so that these hoisted declarations are now considered to be module-level symbols during the name collision avoidance pass.Emit
varinstead ofconstfor certain TypeScript-only constructs for ES5 (#4448)While esbuild doesn't generally support converting
consttovarfor ES5 due to nested scoping rules (which is currently a build-time error), esbuild previously incorrectly converted TypeScript-onlyimportassignment constructs into aconstdeclaration even when targeting ES5. With this release, esbuild will now usevarfor this case instead:v0.28.0Compare Source
Add support for
with { type: 'text' }imports (#4435)The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing
textloader. Here's an example:Add integrity checks to fallback download path (#4343)
Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the
npmcommand, and then with a HTTP request toregistry.npmjs.orgas a last resort).This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level
esbuildpackage. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.Update the Go compiler from 1.25.7 to 1.26.1
This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:
You can read the Go 1.26 release notes for more information.
sveltejs/vite-plugin-svelte (@sveltejs/vite-plugin-svelte)
v7.2.0Compare Source
Minor Changes
v7.1.4Compare Source
Patch Changes
v7.1.3Compare Source
Patch Changes
v7.1.2Compare Source
Patch Changes
v7.1.1Compare Source
Patch Changes
fix: pass
typescript.onlyRemoveTypeImportstotransformWithOxcinvitePreprocessso that value imports are not dropped when they are only referenced in Svelte template markup (#1326)fix: correctly resolve compiled CSS for optimised Svelte dependencies on the server (#1336)
v7.1.0Compare Source
Minor Changes
tailwindlabs/tailwindcss-typography (@tailwindcss/typography)
v0.5.20Compare Source
Fixed
Profiidev/positron_components (positron-components)
v1.15.2Compare Source
Bug Fixes
v1.15.1Compare Source
Bug Fixes
v1.15.0Compare Source
Features
Bug Fixes
v1.14.4Compare Source
Bug Fixes
v1.14.3Compare Source
Bug Fixes
v1.14.2Compare Source
Bug Fixes
prettier/prettier (prettier)
v3.9.4Compare Source
v3.9.3Compare Source
v3.9.2Compare Source
v3.9.1Compare Source
v3.9.0Compare Source
diff
🔗 Release Notes
v3.8.5Compare Source
v3.8.4Compare Source
diff
Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @byplayer)
Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.
v3.8.3Compare Source
diff
SCSS: Prevent trailing comma in
if()function (#18471 by @kovsu)v3.8.2Compare Source
diff
Angular: Support Angular v21.2 (#18722, #19034 by @fisker)
Exhaustive typechecking with
@default never;arrow functionandinstanceofexpressions.sveltejs/prettier-plugin-svelte (prettier-plugin-svelte)
v3.5.2Compare Source
bind:get/set tuple{#each}blockstailwindlabs/prettier-plugin-tailwindcss (prettier-plugin-tailwindcss)
v0.8.0Compare Source
Changed
Added
/sorter(#438)Fixed
canCollapseWhitespaceInhandling for"tailwindPreserveWhitespace": true(#428)v0.7.4Compare Source
Same as v0.7.2, since v0.7.3 contained breaking changes.
v0.7.3Compare Source
Changed
Fixed
sveltejs/language-tools (svelte-check)
v4.7.2Compare Source
Patch Changes
fix: resolve tsgo bin path with package.json (#3074)
fix: report tsconfig errors in --tsgo-experimental-api (#3070)
v4.7.1Compare Source
Patch Changes
v4.7.0Compare Source
Minor Changes
feat: add
--configoption (#3066)feat: svelte-check tsgo support with experimental api (#3036)
Patch Changes
fix: load esm version of Vite (#3065)
fix: stop excluding workspaces under dot-prefixed ancestors (#3037)
Updated dependencies [
7a3464b,a2561fc]:v4.6.0Compare Source
Minor Changes
vite.config.js/ts(#3031)Patch Changes
151cf45]:v4.5.0Compare Source
Minor Changes
Patch Changes
fix: properly handle props with the name
slotinside Svelte 5 snippets (#3030)feat: add support for svelte config ts/mts files (#3009)
v4.4.8Compare Source
Patch Changes
v4.4.7Compare Source
Patch Changes
fix: flush stdout/stderr before exit (#3014)
fix: report diagnostics in tsconfig.json (#3005)
v4.4.6Compare Source
Patch Changes
fix: prevent config loading message in svelte-check --incremental (#2974)
fix: resolve svelte files with NodeNext in --incremental/tsgo (#2990)
perf: various optimization with ast walk (#2969)
fix: prevent error with escape sequence in attribute (#2968)
fix: typescript 6.0 compatibility (#2988)
microsoft/TypeScript (typescript)
v6.0.3: TypeScript 6.0.3Compare Source
For release notes, check out the release announcement blog post.
Downloads are available on:
colinhacks/zod (zod)
v4.4.3Compare Source
Commits:
4c2fa95docs: use Zernio primary wordmark for gold sponsor logo2aeec83docs: prune lapsed gold sponsors and rebalance logo sizing7391be8docs: prune lapsed silver/bronze sponsors and add active ones2c70332docs: normalize bronze sponsor logos to github avatar pattern9195250docs: remove Mintlify from bronze sponsors (churned)b8dffe9docs: remove Numeric and Speakeasy (2+ missed monthly cycles)1cab693fix(v4): restore catch handling for absent object keys (#5937) (#5939)c2be4f8fix(v4): generalize optin/fallback to transform; restore preprocess on absent keys (#5941)f3c9ec04.4.31fb56a5docs: document release procedure in AGENTS.mdv4.4.2Compare Source
Commits:
0c62df0Clean up docs navigation and stale labels (#5901)20cc794chore: add security policy and refresh tooling deps6fbe07bfix(docs): heading anchor links now include the hash so it doesnt scoll all the way up, follows navbar logic (#5791)4bbed1bTighten discriminated union option typingbbac3e5Update PR guidance for agentscf0dc94Merge remote-tracking branch 'origin/main' into fix-discriminated-union-key-constraint292c894docs: add Zernio gold sponsor1fc9f31docs: document codec inversion1373c85docs: remove AI disclosure guidancee20d02bchore: ignore triage notese58ea4ddocs: test Zod Mini tab code heights905761adocs: document preprocess input type narrowingbf64bacchore: tighten test guidance in AGENTS.md8ec4e73chore: update play.ts scratch02c2bafMake z.preprocess defer optionality to inner schema (#5929)88015dffix(docs): drop deprecatedbaseUrlfrom tsconfigc59d4474.4.2v4.4.1Compare Source
Commits:
481f7beci: gate release publishing on full test workflow95ccab4test(v3): restore optional undefined expectationscede2c6fix(v4): reject tuple holes before required defaults (#5900)edd0bf0release: 4.4.1180d83ddocs: remove Jazz featured sponsorv4.4.0Compare Source
4.4.0
This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.
Potentially breaking bug fixes
Tuple defaults now materialize output values correctly
Fixed in #5661. Tuple parsing now more accurately reflects defaults, optional tails, explicit
undefined, and under-filled inputs. The headline behavior is that defaults in tuple positions now properly appear in parsed output.Trailing optional elements that are absent still stay absent; they are not filled with
undefined.But explicit
undefinedvalues supplied by the caller are preserved.When optional elements appear before later defaults, the parsed tuple is now dense so array operations behave predictably.
Tuple length errors are also more consistent now. Since
z.function()arguments are tuple-shaped, function input errors may look different.Required object properties with
z.undefined()Fixed in #5661, with follow-up coverage in
57d80a82. A property whose schema isz.undefined()is now treated as required. The key must be present, but its value may beundefined.Use
.optional()when the key itself may be absent.This also affects related
.catch(),.partial(),.default(), and.prefault()combinations that previously relied on missingz.undefined()keys being treated as optional.Safer
.merge()behavior with refinementsFixed in #5856. The
.merge()method now throws when the receiver has refinements, rather than silently producing ambiguous refinement behavior. Refinements from the second schema are preserved.JSON Schema
$defsentries no longer include redundantidFixed in #5759. JSON Schema conversion through
z.toJSONSchema()now strips redundantidfields from$defsentries. This is required for correctness in older JSON Schema dialects from before$idwas introduced: in those dialects,idchanges the resolution scope, so leaving it inside an extracted definition can make references resolve incorrectly. The removed value was redundant because the schema had already been extracted into$defs, so the definition key itself is the identifier. This may affect consumers that were reading those internalidfields directly.Other JSON Schema fixes in this release:
.describe(): #5797String validators are stricter
Base64 validation now rejects whitespace instead of allowing
atob()-style whitespace stripping. Fixed in #5888.Other string validator changes:
z.cuid()has been tightened, and CUID v1 is now deprecated. Fixed in #5880.z.httpUrl()now rejects malformed HTTP(S) URLs with a missing slash after the protocol. The underlyingURLconstructor normalizes inputs likehttps:/example.com, but Zod now rejects them instead of accepting the repaired URL. Fixed in #5672, related to #5284.Union paths are fixed in formatted errors
Two union-related error fixes landed:
z.treeifyError()andz.formatError(). Fixed in #5708 and60ff3987.ZodErroroutput.Other fixes
Record key transforms now run
Fixed in #5891. Record schemas now run transforms on record keys.
Related record fixes:
invalid_keyissues. Fixed in #5719.z.record(valueType)form works again. Fixed in0e960108.Metadata and input handling in
fromJSONSchema()Schema generation from JSON Schema now applies metadata more consistently across
enum,const,not,anyOf, and multi-type schemas. Fixed in #5758. It also rejects or normalizes more non-JSON-like inputs, including cyclic objects andBigInt. Fixed in87cf0f93.Codecs
Codec changes:
z.discriminatedUnion().encode()now works when the discriminator uses a codec. Fixed in #5769.Transform context
Transform callbacks now support
ctx.addIssue(). Fixed in #5699.Conditional
.superRefine()withwhenThe
whenoption was added for.superRefine(). Added in #5741, with related abort behavior fixed in #5681.Defaults for
MapandSetDefaults for
MapandSetare now cloned instead of shared across parses. Fixed in #5855.Empty unions
Empty
z.union([]),z.xor([]), and discriminated unions no longer crash at construction time. They construct and fail at parse time. Fixed in #5869.Floating-point multiples
Number
multipleOf()/step()validation is more accurate for decimal and exponent edge cases. Fixed in #5687 and #5793.Global config and
jitlessConfiguration fixes:
globalThis, improving behavior across mixed CJS/ESM module instances. Fixed in #5889.Prototype pollution hardening
Object catchall paths now skip
__proto__keys. Fixed in #5898.Performance improvements
Reduced memory usage from lazy-bound methods
Fixed in #5897. Classic builder methods are now lazy-bound through a shared internal prototype instead of eagerly attached per schema instance. This significantly reduces per-schema method allocation overhead, especially in codebases that construct many schemas. Detached methods continue to work:
Improved tree-shaking
Implemented in
195e8696and #5689. Top-level factory calls are annotated as pure, and generated stub package manifests now includesideEffects: false. This gives bundlers more room to remove unused Zod code.This is intended as the conclusive fix for a long-standing class of tree-shaking and bundle-size issues, especially in Next.js and Turbopack projects. The most visible symptom was that unused validators and locales could survive bundling even when importing from
zod/minior from a narrow subpath.Related reports include:
zod/minibundle-size reports: #5561, #5665, #4369, #4572{ "sideEffects": false }Locales
Added or updated locale support:
Locale message text changed in some cases, which may affect snapshots.
Closed issues
The following issues were closed by PRs included in this release:
string.abort: truein.refine()checks withwhen.addIssueto transform context.deleteinfinalizeIssue.optionsto invalid discriminator errors.fromJSONSchema().idfrom$defsentries in JSON Schema output.z.custom()docs for v4 compatibility.discriminatedUnion().encode()with codec discriminators.multipleOf()validation.MapandSetdefaults..merge()refinement semantics with.extend().Configuration
📅 Schedule: (UTC)
* 0-3 * * 1)🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.