chore(deps-dev): bump the dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the dependencies group with 6 updates in the / directory:

Package	From	To
@hono/node-server	2.0.2	2.0.3
eslint-config-webpack	4.9.5	4.9.6
hono	4.12.18	4.12.22
koa	3.2.0	3.2.1
lint-staged	17.0.4	17.0.5
webpack	5.106.2	5.107.1

Updates @hono/node-server from 2.0.2 to 2.0.3

Release notes

Sourced from @​hono/node-server's releases.

v2.0.3

What's Changed

• chore(ci): update GitHub Actions versions by @​BlankParticle in honojs/node-server#352
• docs: Align the ServeStaticOptions comment with the current spec by @​kakkokari-gtyih in honojs/node-server#356
• fix: preserve headers mutated after raw Response construction by @​abdulmunimjemal in honojs/node-server#357

New Contributors

• @​kakkokari-gtyih made their first contribution in honojs/node-server#356
• @​abdulmunimjemal made their first contribution in honojs/node-server#357

Full Changelog: honojs/node-server@v2.0.2...v2.0.3

Commits

• 9d87987 2.0.3
• 9463250 fix: preserve headers mutated after raw Response construction (#357)
• cee5e81 docs: Align the ServeStaticOption command with the current specification (#...
• 4aa0650 chore(ci): update GitHub Actions versions (#352)
• See full diff in compare view

Updates eslint-config-webpack from 4.9.5 to 4.9.6

Release notes

Sourced from eslint-config-webpack's releases.

v4.9.6

Patch Changes

• Set reportUnusedDisableDirectives to "error". (by @​alexander-akait in #146)

• Ignore test module in n/no-unsupported-features/node-builtins rule. (by @​alexander-akait in #157)

• Respect minor engines.node versions when picking the ES feature set. The node-to-ES mapping now lives in configs/utils/get-es-version-from-node.js and uses semver ranges, so >=7.6 lands on ES2017 (async/await) instead of ES2016, and >=16.11 lands on ES2022 (Object.hasOwn) instead of older 16.x ranges that lack it. (by @​alexander-akait in #156)

Changelog

Sourced from eslint-config-webpack's changelog.

4.9.6

Patch Changes

• Set reportUnusedDisableDirectives to "error". (by @​alexander-akait in #146)

• Ignore test module in n/no-unsupported-features/node-builtins rule. (by @​alexander-akait in #157)

• Respect minor engines.node versions when picking the ES feature set. The node-to-ES mapping now lives in configs/utils/get-es-version-from-node.js and uses semver ranges, so >=7.6 lands on ES2017 (async/await) instead of ES2016, and >=16.11 lands on ES2022 (Object.hasOwn) instead of older 16.x ranges that lack it. (by @​alexander-akait in #156)

Commits

• 4be45cc chore(release): new release (#147)
• 0d7c539 chore(deps): update (#158)
• a052d99 fix: ignore test module in n/no-unsupported-features/node-builtins rule (#157)
• d8359ff chore(deps): bump the dependencies group across 1 directory with 6 updates (#...
• aa0e27b chore(deps): bump changesets/action in the dependencies group (#153)
• 0987fa1 fix: respect minor Node versions when picking the ES feature set (#156)
• 837b2e0 chore(deps): bump typescript-eslint in the dependencies group (#148)
• 11232bd chore: update deps and set reportUnusedDisableDirectives to "error". (#146)
• 32eaa6f chore(deps): bump actions/setup-node in the dependencies group (#145)
• 2b53bb3 chore(deps): bump the dependencies group with 3 updates (#141)
• See full diff in compare view

Updates hono from 4.12.18 to 4.12.22

Release notes

Sourced from hono's releases.

v4.12.22

What's Changed

• chore: update vitest to v4 and cleanups by @​BlankParticle in honojs/hono#4952
• fix(mime): specify charset parameter per MIME type instead of mechanical detection by @​renatograsso10 in honojs/hono#4912
• fix(compress): respect Accept-Encoding when encoding option is set by @​LeSingh1 in honojs/hono#4951
• fix(deno): echo negotiated WebSocket subprotocol in upgrade response by @​ATOM00blue in honojs/hono#4955
• feat: add msgpack as a compressible content type by @​na-trium-144 in honojs/hono#4957

New Contributors

• @​renatograsso10 made their first contribution in honojs/hono#4912
• @​LeSingh1 made their first contribution in honojs/hono#4951
• @​ATOM00blue made their first contribution in honojs/hono#4955
• @​na-trium-144 made their first contribution in honojs/hono#4957

Full Changelog: honojs/hono@v4.12.21...v4.12.22

v4.12.21

Security fixes

This release includes fixes for the following security issues:

app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Affects: app.mount(). Fixes prefix stripping using the raw URL pathname instead of the decoded path, where percent-encoded characters in the mount prefix or path could cause the prefix to be removed at the wrong position, resulting in the sub-application receiving an incorrect path. GHSA-2gcr-mfcq-wcc3

IP Restriction bypasses static deny rules for non-canonical IPv6

Affects: hono/ip-restriction. Fixes IP address comparison using string equality, where non-canonical IPv6 representations of a denied address — such as compressed forms or hex-notation IPv4-mapped addresses — could bypass static deny rules. GHSA-xrhx-7g5j-rcj5

Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Affects: hono/cookie. Fixes missing validation of sameSite and priority options against injection characters (;, \r, \n), where user-controlled input passed to either option could inject additional attributes into the Set-Cookie response header. GHSA-3hrh-pfw6-9m5x

JWT middleware accepts any Authorization scheme, not only Bearer

Affects: hono/jwt, hono/jwk. Fixes missing scheme validation in the Authorization header, where any two-part header value was accepted regardless of the scheme name, allowing non-Bearer schemes to pass JWT authentication. GHSA-f577-qrjj-4474

---

Users who use app.mount(), hono/ip-restriction, hono/cookie, or hono/jwt/hono/jwk are encouraged to upgrade to this version.

v4.12.20

What's Changed

• fix(route): preserve the base path of the mounted route() app by @​usualoma in honojs/hono#4942
• fix(jsx): widen jsx and jsxFn children to Child[] by @​ashunar0 in honojs/hono#4947

New Contributors

• @​ashunar0 made their first contribution in honojs/hono#4947

Full Changelog: honojs/hono@v4.12.19...v4.12.20

... (truncated)

Commits

• 2f01b77 4.12.22
• 6bc0dff feat: add msgpack as a compressible content type (#4957)
• 7e0555d fix(deno): echo negotiated WebSocket subprotocol in upgrade response (#4955)
• f0ed246 fix(compress): respect Accept-Encoding when encoding option is set (#4951)
• a192df0 fix(mime): specify charset parameter per MIME type instead of mechanical dete...
• cf6ef70 chore: update vitest to v4 and cleanups (#4952)
• a83ddb8 4.12.21
• 6cbb025 Merge commit from fork
• c831020 Merge commit from fork
• 905aedb Merge commit from fork
• Additional commits viewable in compare view

Updates koa from 3.2.0 to 3.2.1

Release notes

Sourced from koa's releases.

v3.2.1

What's Changed

• fix: request.length overflows on Content-Length > 2GB by @​tejgokani in koajs/koa#1961

New Contributors

• @​tejgokani made their first contribution in koajs/koa#1961

Full Changelog: koajs/koa@v3.2.0...v3.2.1

Commits

• 6984592 3.2.1
• 3f3ac48 fix: request.length overflows on Content-Length > 2GB (#1961)
• See full diff in compare view

Updates lint-staged from 17.0.4 to 17.0.5

Release notes

Sourced from lint-staged's releases.

v17.0.5

Patch Changes

• #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

Changelog

Sourced from lint-staged's changelog.

17.0.5

Patch Changes

• #1792 1f67271 - Correctly set the --max-arg-length default value based on the running platform. This controls how very long lists of staged files are split into multiple chunks.

Commits

• cbd822e Merge pull request #1793 from lint-staged/changeset-release/main
• 1911244 chore(changeset): release
• 7339d7d Merge pull request #1792 from lint-staged/fix-max-arg-length-default
• 1f67271 fix: default maxArgLength to undefined instead of NaN when parsing cli ...
• See full diff in compare view

Updates webpack from 5.106.2 to 5.107.1

Release notes

Sourced from webpack's releases.

v5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #21001)

• Narrow TemplatePathFn callback types by context. pathData.chunk is now non-optional for chunk filename callbacks (output.filename, chunkFilename, cssFilename, cssChunkFilename, htmlFilename, htmlChunkFilename, optimization.splitChunks.cacheGroups[*].filename), and pathData.module is non-optional for module filename callbacks (output.assetModuleFilename, per-module generator.filename / generator.outputPath, module.parser.css.localIdentName). (by @​alexander-akait in #20987)

• Tighten the CreateData typedef in NormalModuleFactory. CreateData now represents the fully-populated value passed to the createModule, module, and createModuleClass hooks (NormalModuleCreateData & { settings: ModuleSettings }), while ResolveData.createData is typed as Partial<CreateData> to reflect the empty initial state. Plugins tapping those hooks no longer need to cast individual fields away from optional. (by @​alexander-akait in #20992)

• Stop webpackPrefetch / webpackPreload magic comments from leaking across import() call sites that share a webpackChunkName. When two imports targeted the same named chunk and only one of them set webpackPrefetch: true, the prefetch directive was applied from every parent chunk that referenced the named chunk. Prefetch and preload orders are now resolved per import() call site instead of from the shared chunk group's accumulated options. (by @​alexander-akait in #20994)

• Fix [fullhash:N] and [hash:N] (with length suffix) in output.publicPath not being interpolated at runtime. The detection regex in RuntimePlugin only matched [fullhash] / [hash] without a length suffix, so the PublicPathRuntimeModule was not flagged as a full-hash module and __webpack_require__.p was emitted with the placeholder XXXX left in place (e.g. out/XXXX/) instead of the real hash truncated to the requested length. (by @​alexander-akait in #21004)

• Re-export ModuleNotFoundError from webpack/lib/ModuleNotFoundError for backward compatibility with old plugins that import it from that path. This re-export will be removed in webpack 6. (by @​alexander-akait in #20988)

v5.107.0

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #20925)

• Add experimental TypeScript support via experiments.typescript: true (auto-enabled by experiments.futureDefaults). Uses Node.js's built-in module.stripTypeScriptTypes (Node.js >= 22.6 with the stable mode: "strip" API, including Node.js 26) to transform .ts, .cts, .mts, data:text/typescript, and data:application/typescript modules — no type checking, only erasable TypeScript (types, generics, import type, casts). .tsx/JSX and non-erasable syntax (enum, namespace, parameter-property constructors, decorator metadata) are NOT supported; use a TSX-capable loader (e.g. ts-loader, swc-loader) for those. (by @​alexander-akait in #20964)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #21001)

• Narrow TemplatePathFn callback types by context. pathData.chunk is now non-optional for chunk filename callbacks (output.filename, chunkFilename, cssFilename, cssChunkFilename, htmlFilename, htmlChunkFilename, optimization.splitChunks.cacheGroups[*].filename), and pathData.module is non-optional for module filename callbacks (output.assetModuleFilename, per-module generator.filename / generator.outputPath, module.parser.css.localIdentName). (by @​alexander-akait in #20987)

• Tighten the CreateData typedef in NormalModuleFactory. CreateData now represents the fully-populated value passed to the createModule, module, and createModuleClass hooks (NormalModuleCreateData & { settings: ModuleSettings }), while ResolveData.createData is typed as Partial<CreateData> to reflect the empty initial state. Plugins tapping those hooks no longer need to cast individual fields away from optional. (by @​alexander-akait in #20992)

• Stop webpackPrefetch / webpackPreload magic comments from leaking across import() call sites that share a webpackChunkName. When two imports targeted the same named chunk and only one of them set webpackPrefetch: true, the prefetch directive was applied from every parent chunk that referenced the named chunk. Prefetch and preload orders are now resolved per import() call site instead of from the shared chunk group's accumulated options. (by @​alexander-akait in #20994)

• Fix [fullhash:N] and [hash:N] (with length suffix) in output.publicPath not being interpolated at runtime. The detection regex in RuntimePlugin only matched [fullhash] / [hash] without a length suffix, so the PublicPathRuntimeModule was not flagged as a full-hash module and __webpack_require__.p was emitted with the placeholder XXXX left in place (e.g. out/XXXX/) instead of the real hash truncated to the requested length. (by @​alexander-akait in #21004)

• Re-export ModuleNotFoundError from webpack/lib/ModuleNotFoundError for backward compatibility with old plugins that import it from that path. This re-export will be removed in webpack 6. (by @​alexander-akait in #20988)

5.107.0

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #20925)

... (truncated)

Commits

• a1ce7eb chore(release): new release (#20989)
• 916810e test: lock chunk filenames stay verbatim for scoped names (#21006)
• 72ef0fb fix: tree-shake CommonJS exports through const NAME = require(LITERAL) bind...
• 6c5f2f8 docs: tighten AGENTS.md rules for directory listings, branch names, and PR te...
• 9edcb3d fix: interpolate [fullhash:N] / [hash:N] in output.publicPath at runtime (#21...
• e3ba2ff fix: emit \<link rel=stylesheet> for CSS chunks reachable from `<script src>...
• 1097a7f fix(html): align walkHtmlTokens with WHATWG spec (#21000)
• 67b7419 fix: allow devtool and SourceMapDevToolPlugin to coexist on the same asset (#...
• 294197c fix: correct createParser/createGenerator hook types in `NormalModuleFact...
• ec6ad34 chore(deps): bump codecov/codecov-action in the dependencies group (#20995)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[changeset-bot]

⚠️ No Changeset found

Latest commit: 67d2ab2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR