Sourced from actions/upload-artifact's releases.
v7.0.0
v7 What's new
Direct Uploads
Adds support for uploading single files directly (unzipped). Callers can set the new
archiveparameter tofalseto skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. Thenameparameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.ESM
To support new versions of the
@actions/*packages, we've upgraded the package to ESM.What's Changed
- Add proxy integration test by
@Link- in actions/upload-artifact#754- Upgrade the module to ESM and bump dependencies by
@danwkennedyin actions/upload-artifact#762- Support direct file uploads by
@danwkennedyin actions/upload-artifact#764New Contributors
@Link- made their first contribution in actions/upload-artifact#754Full Changelog: https://github.com/actions/upload-artifact/compare/v6...v7.0.0
Sourced from actions/upload-artifact's releases.
v7.0.0
v7 What's new
Direct Uploads
Adds support for uploading single files directly (unzipped). Callers can set the new
archiveparameter tofalseto skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. Thenameparameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.ESM
To support new versions of the
@actions/*packages, we've upgraded the package to ESM.What's Changed
- Add proxy integration test by
@Link- in actions/upload-artifact#754- Upgrade the module to ESM and bump dependencies by
@danwkennedyin actions/upload-artifact#762- Support direct file uploads by
@danwkennedyin actions/upload-artifact#764New Contributors
@Link- made their first contribution in actions/upload-artifact#754Full Changelog: https://github.com/actions/upload-artifact/compare/v6...v7.0.0
Sourced from jakebailey/pyright-action's releases.
v3.0.2
- Update mentioned checkout in readme (03fd2c0)
- Update mentioned setup-python in readme (9fb0169)
- Switch to tiny-jsonc (19c6c23)
- fix lint (1296485)
- output metafile in build (20b106d)
v3.0.1
- Make docs reference v3 (c781035)
v3.0.0
- Update github actions (#208) (5ceb87e)
- Update actions/cache action to v5 (#210) (49e6fb4)
- Disable type lint of build script (d991920)
- Fix tests (1edc551)
- Update action related deps (ce79cd6)
- Update non-action deps (88a1ce8)
- More v24 updates (c45be15)
- Bump to v3, node24 (7dc11cf)
- Update deps (f8c6100)
- Update github actions (#191) (e20b42a)
- Update github actions to v6 (#195) (f5686a6)
- Update deps (e058033)
8ec14b5
Release v3.0.203fd2c0
Update mentioned checkout in readme9fb0169
Update mentioned setup-python in readme19c6c23
Switch to tiny-jsonc1296485
fix lint20b106d
output metafile in build9b73e5f
Release v3.0.1c781035
Make docs reference v361e7045
Release v3.0.05ceb87e
Update github actions (#208)Sourced from webpack's releases.
v5.105.0
Minor Changes
Allow resolving worker module by export condition name when using
new Worker()(by@hai-xin #20353)Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by
@hai-xin #20320)Added the
tsconfigoption for theresolveroptions (replacement fortsconfig-paths-webpack-plugin). Can befalse(disabled),true(use the defaulttsconfig.jsonfile to search for it), a string path totsconfig.json, or an object withconfigFileandreferencesoptions. (by@alexander-akaitin #20400)Support
import.defer()for context modules. (by@ahabhgkin #20399)Added support for array values to the
devtooloption. (by@hai-xin #20191)Improve rendering node built-in modules for ECMA module output. (by
@hai-xin #20255)Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by
@xiaoxiaojxin #20312)Patch Changes
Fixed ESM default export handling for
.mjsfiles in Module Federation (by@y-oktin #20189)Optimized
import.meta.envhandling in destructuring assignments by using cached stringified environment definitions. (by@xiaoxiaojxin #20313)Respect the
stats.errorStackoption in stats output. (by@samarthsinh2660in #20258)Fixed a bug where declaring a
modulevariable in module scope would conflict with the defaultmoduleArgument. (by@xiaoxiaojxin #20265)Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g.,
virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by@xiaoxiaojxin #20390)Fixed Worker self-import handling to support various URL patterns (e.g.,
import.meta.url,new URL(import.meta.url),new URL(import.meta.url, import.meta.url),new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by@xiaoxiaojxin #20381)Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by
@xiaoxiaojxin #20345)Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by
@samarthsinh2660in #20251)Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by
@hai-xin #20346)Fixed
import.meta.env.xxxbehavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by@xiaoxiaojxin #20289)Improved parsing error reporting by adding a link to the loader documentation. (by
@gaurav10ggin #20244)Fix typescript types. (by
@alexander-akaitin #20305)Add declaration for unused harmony import specifier. (by
@hai-xin #20286)Fix compressibility of modules while retaining portability. (by
@dmichon-msftin #20287)Optimize source map generation: only include
ignoreListproperty when it has content, avoiding empty arrays in source maps. (by@xiaoxiaojxin #20319)Preserve star exports for dependencies in ECMA module output. (by
@hai-xin #20293)
... (truncated)
Sourced from webpack's changelog.
5.105.0
Minor Changes
Allow resolving worker module by export condition name when using
new Worker()(by@hai-xin #20353)Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by
@hai-xin #20320)Added the
tsconfigoption for theresolveroptions (replacement fortsconfig-paths-webpack-plugin). Can befalse(disabled),true(use the defaulttsconfig.jsonfile to search for it), a string path totsconfig.json, or an object withconfigFileandreferencesoptions. (by@alexander-akaitin #20400)Support
import.defer()for context modules. (by@ahabhgkin #20399)Added support for array values to the
devtooloption. (by@hai-xin #20191)Improve rendering node built-in modules for ECMA module output. (by
@hai-xin #20255)Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by
@xiaoxiaojxin #20312)Patch Changes
Fixed ESM default export handling for
.mjsfiles in Module Federation (by@y-oktin #20189)Optimized
import.meta.envhandling in destructuring assignments by using cached stringified environment definitions. (by@xiaoxiaojxin #20313)Respect the
stats.errorStackoption in stats output. (by@samarthsinh2660in #20258)Fixed a bug where declaring a
modulevariable in module scope would conflict with the defaultmoduleArgument. (by@xiaoxiaojxin #20265)Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g.,
virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by@xiaoxiaojxin #20390)Fixed Worker self-import handling to support various URL patterns (e.g.,
import.meta.url,new URL(import.meta.url),new URL(import.meta.url, import.meta.url),new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by@xiaoxiaojxin #20381)Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by
@xiaoxiaojxin #20345)Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by
@samarthsinh2660in #20251)Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by
@hai-xin #20346)Fixed
import.meta.env.xxxbehavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by@xiaoxiaojxin #20289)Improved parsing error reporting by adding a link to the loader documentation. (by
@gaurav10ggin #20244)Fix typescript types. (by
@alexander-akaitin #20305)Add declaration for unused harmony import specifier. (by
@hai-xin #20286)Fix compressibility of modules while retaining portability. (by
@dmichon-msftin #20287)Optimize source map generation: only include
ignoreListproperty when it has content, avoiding empty arrays in source maps. (by@xiaoxiaojxin #20319)
... (truncated)
1486f9a
chore(release): new release1a517f6
feat: added the tsconfig option for the
resolver options (#20400)7b3b0f7
feat: support import.defer() for context modulesc4a6a92
refactor: more types and increase types coverage5ecc58d
feat: consider asset module as side-effect-free (#20352)cce0f69
test: avoid comma operator in BinaryMiddleware test (#20398)cd4793d
feat: support import specifier guard (#20320)fe48655
docs: update examples (#20397)de107f8
fix(VirtualUrlPlugin): set resourceData.context to avoid invalid
fallback (#2...a656ab1
test: add self-import test case for dynamic import (#20389)This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.
e92ae29
5.1.879e4447
limit recursion for **, improve perf considerably85ec0ff
lockfile update647146e
lock node version to 1485646c8
5.1.7977c2d8
update CI matrix and actions421ad12
update test expectations for coalesced consecutive starsfebe85d
coalesce consecutive non-globstar * characters3e216b9
5.1.64d0b7f5
Detect leading dots in extglob subpatternsSourced from tomli's changelog.
2.4.0
- Added
- TOML v1.1.0 compatibility
- Binary wheels for Windows arm64
a678e6f
Bump version: 2.3.0 → 2.4.0b8a1358
Tests: remove now needless "TOML
compliance"->"burntsushi" format conversion4979375
Update GitHub actionsf890dd1
Update pre-commit hooksd9c65c3
Add 2.4.0 change log0efe49d
Update README for v2.4.09eb2125
TOML 1.1: Make seconds optional in Date-Time and Time (#203)12314bd
TOML 1.1: Add \xHH Unicode escape code to basic strings (#202)2a2aa62
TOML 1.1: Allow newlines and trailing comma in inline tables (#200)38297f8
Xfail on tests for TOML 1.1 features not yet supportedSourced from packaging's releases.
26.0
Read about the performance improvements here: https://iscinumpy.dev/post/packaging-faster.
What's Changed
Features:
- PEP 751: support pylock by
@sbidoulin pypa/packaging#900- PEP 794: import name metadata by
@brettcannonin pypa/packaging#948- Support writing metadata by
@henryiiiin pypa/packaging#846- Support
__replace__forVersionby@henryiiiin pypa/packaging#1003- Support positional pattern matching for
VersionandSpecifierby@henryiiiin pypa/packaging#1004Behavior adaptations:
- PEP 440 handling of prereleases for
Specifier.contains,SpecifierSet.contains, andSpecifierSet.filterby@notatallshawin pypa/packaging#897- Handle PEP 440 edge case in
SpecifierSet.filterby@notatallshawin pypa/packaging#942- Adjust arbitrary equality intersection preservation in
SpecifierSetby@notatallshawin pypa/packaging#951- Return
Falseinstead of raising for.containswith invalid version by@Liam-DeVoein pypa/packaging#932- Support arbitrary equality on arbitrary strings for
SpecifierandSpecifierSet'sfilterandcontainsmethod. by@notatallshawin pypa/packaging#954- Only try to parse as
Versionon certain marker keys, returnFalseon unequal ordered comparsions by@JP-Ellisin pypa/packaging#939Fixes:
- Update
_hashwhen unpicklingTag()by@dholthin pypa/packaging#860- Correct comment and simplify implicit prerelease handling in
Specifier.prereleasesby@notatallshawin pypa/packaging#896- Use explicit
_GLibCVersionNamedTuplein_manylinuxby@cthoytin pypa/packaging#868- Detect invalid license expressions containing
()by@bwoodsendin pypa/packaging#879- Correct regex for metadata
'name'format by@diin pypa/packaging#925- Improve the message around expecting a semicolon by
@pradyunsgin pypa/packaging#833- Support nested parens in license expressions by
@Liam-DeVoein pypa/packaging#931- Add space before at symbol in
Requirementsstring by@henryiiiin pypa/packaging#953- A root logger use found by ruff LOG, use
packaginglogger instead by@henryiiiin pypa/packaging#965- Better support for subclassing
MarkerandRequirementby@henryiiiin pypa/packaging#1022- Normalize all extras, not just if it comes first by
@henryiiiin pypa/packaging#1024- Don't produce a broken repr if
Markerfails to construct by@henryiiiin pypa/packaging#1033Performance:
- Avoid recompiling regexes in the tokenizer for a 3x speedup by
@hauntsaninjain pypa/packaging#1019- Improve performance in
_manylinux.pyby@cthoytin pypa/packaging#869- Minor cleanups to
Versionby@bearomorphismin pypa/packaging#913- Skip redundant creation of
Versions in specifier comparison by@notatallshawin pypa/packaging#986- Cache
Specifier's Version by@notatallshawin pypa/packaging#985- Make
Versiona little faster by@henryiiiin pypa/packaging#987- Minor
Versionregex cleanup by@henryiiiin pypa/packaging#990- Faster regex on Python 3.11.5+ by
@henryiiiin pypa/packaging#988 and pypa/packaging#1055- Lazily calculate
_keyinVersionby@notatallshawin pypa/packaging#989 and regression forpackaging_legacyfixed by@henryiiiin pypa/packaging#1048- Faster
canonicalize_versionby@henryiiiin pypa/packaging#993- Use
fullmatchin a couple more places by@henryiiiin pypa/packaging#992
... (truncated)
Sourced from packaging's changelog.
26.0 - 2026-01-20
Features:
- PEP 751: support pylock (:pull:
900)- PEP 794: import name metadata (:pull:
948)- Support for writing metadata to a file (:pull:
846)- Support
__replace__on Version (:pull:1003)- Support positional pattern matching for
VersionandSpecifierSet(:pull:1004)Behavior adaptations:
- PEP 440 handling of prereleases for
Specifier.contains,SpecifierSet.contains, andSpecifierSet.filter(:pull:897)- Handle PEP 440 edge case in
SpecifierSet.filter(:pull:942)- Adjust arbitrary equality intersection preservation in
SpecifierSet(:pull:951)- Return
Falseinstead of raising for.containswith invalid version (:pull:932)- Support arbitrary equality on arbitrary strings for
SpecifierandSpecifierSet'sfilterandcontainsmethod. (:pull:954)- Only try to parse as
Versionon certain marker keys, returnFalseon unequal ordered comparisons (:pull:939)Fixes:
- Update
_hashwhen unpicklingTag()(:pull:860)- Correct comment and simplify implicit prerelease handling in
Specifier.prereleases(:pull:896)- Use explicit
_GLibCVersionNamedTuplein_manylinux(:pull:868)- Detect invalid license expressions containing
()(:pull:879)- Correct regex for metadata
'name'format (:pull:925)- Improve the message around expecting a semicolon (:pull:
833)- Support nested parens in license expressions (:pull:
931)- Add space before at symbol in
Requirementsstring (:pull:953)- A root logger use found, use a
packaginglogger instead (:pull:965)- Better support for subclassing
MarkerandRequirement(:pull:1022)- Normalize all extras, not just if it comes first (:pull:
1024)- Don't produce a broken repr if
Markerfails to construct (:pull:1033)Performance:
- Avoid recompiling regexes in the tokenizer for a 3x speedup (:pull:
1019)- Improve performance in
_manylinux.py(:pull:869)- Minor cleanups to
Version(:pull:913)- Skip redundant creation of
Version's in specifier comparison (:pull:986)- Cache the
Specifier'sVersion(:pull:985)- Make
Versiona little faster (:pull:987)- Minor
Versionregex cleanup (:pull:990)- Faster regex on Python 3.11.5+ for
Version(:pull:988, :pull:1055)- Lazily calculate
_keyinVersion(:pull:989, :pull:1048)- Faster
canonicalize_version(:pull:993)- Use
re.fullmatchin a couple more places (:pull:992, :pull:1029)- Use
mapinstead of generator (:pull:996)- Deprecate
._version(_Version, aNamedTuple) (:pull:995, :pull:1062)
</tr></table>
... (truncated)
3b77a26
Bump for release31371cc
docs: prepare for 26.0 final (#1063)9627a88
perf: dual replace (#1064)d5398b8
fix: restore ._version as a compat shim (#1062)3a7b600
Bump for developmentd4eefdc
Bump for release4618912
docs: prepare for 26.0rc3 (#1060)0cf1b41
ci: test on first public release of CPythons (#1056)716beb1
perf: 10% faster stripping zeros (#1058)350a230
fix: support CPython 3.11.0-3.11.4 and older PyPy3.11 (#1055)Sourced from qs's changelog.
6.14.2
- [Fix]
parse: mark overflow objects for indexed notation exceedingarrayLimit(#546)- [Fix]
arrayLimitmeans max count, not max index, incombine/merge/parseArrayValue- [Fix]
parse: throw onarrayLimitexceeded with indexed notation whenthrowOnLimitExceededis true (#529)- [Fix]
parse: enforcearrayLimitoncomma-parsed values- [Fix]
parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)- [Robustness] avoid
.push, usevoid- [readme] document that
addQueryPrefixdoes not add?to empty output (#418)- [readme] clarify
parseArraysandarrayLimitdocumentation (#543)- [readme] replace runkit CI badge with shields.io check-runs badge
- [meta] fix changelog typo (
arrayLength→arrayLimit)- [actions] fix rebase workflow permissions
bdcf0c7
v6.14.2294db90
[readme] document that addQueryPrefix does not add
? to empty output5c308e5
[readme] clarify parseArrays and arrayLimit
documentation6addf8c
[Fix] parse: mark overflow objects for indexed notation
exceeding arrayLimitcfc108f
[Fix] arrayLimit means max count, not max index, in
combine/merge/`pars...febb644
[Fix] parse: throw on arrayLimit exceeded with
indexed notation when `thr...f6a7abf
[Fix] parse: enforce arrayLimit on
comma-parsed valuesfbc5206
[Fix] parse: fix error message to reflect arrayLimit as max
index; remove e...1b9a8b4
[actions] fix rebase workflow permissions2a35775
[meta] fix changelog typo (arrayLength →
arrayLimit)Sourced from mheap/github-action-required-labels's releases.
v5.5.2
What's Changed
- Update dependencies with npm audit fix by
@mheapin mheap/github-action-required-labels#94Full Changelog: https://github.com/mheap/github-action-required-labels/compare/v5.5.1...v5.5.2
0ac283b
Automatic compilation61727ad
Update dependencies with npm audit fix (#94)3bf0909
3.4.2885ddcc
fix CWE-13210bdba70
added flatted-view to the benchmark2a02dce
3.4.1fba4e8f
Merge pull request #89
from WebReflection/python-fix5fe8648
added "when in Rome" also a test for PHP53517ad
some minor improvementb3e2a0c
Fixing recursion issue in Python tooc4b46db
Add SECURITY.md for security policy and reportingf86d071
Create dependabot.yml for version updatesSourced from picomatch's releases.
2.3.2
This is a security release fixing several security relevant issues.
What's Changed
- fix: exception when glob pattern contains constructor by
@Jason3Sin micromatch/picomatch#144- Fix for CVE-2026-33671
- Fix for CVE-2026-33672
Full Changelog: https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2
Sourced from picomatch's changelog.
Release history
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Changelogs are for humans, not machines.
- There should be an entry for every single version.
- The same types of changes should be grouped.
- Versions and sections should be linkable.
- The latest version comes first.
- The release date of each versions is displayed.
- Mention whether you follow Semantic Versioning.
Changelog entries are classified using the following labels (from keep-a-changelog):
Addedfor new features.Changedfor changes in existing functionality.Deprecatedfor soon-to-be removed features.Removedfor now removed features.Fixedfor any bug fixes.Securityin case of vulnerabilities.4.0.0 (2024-02-07)
Fixes
- Fix bad text values in parse #126, thanks to
@connor4312Changed
- Remove process global to work outside of node #129, thanks to
@styfle- Add sideEffects to package.json #128, thanks to
@frandiox- Removed
os, make compatible browser environment. See #124, thanks to@gwsbhqt3.0.1
Fixes
... (truncated)
Sourced from tomli's changelog.
2.4.1
- Fixed
- Limit number of parts of a TOML key to address quadratic time complexity
Sourced from importlib-metadata's changelog.
v9.0.0
Deprecations and Removals
- Added
MetadataNotFound(subclass ofFileNotFoundError) and updatedDistribution.metadata/metadata()to raise it when the metadata files are missing instead of returningNonepython/cpython#143387#532)v8.9.0
Features
python/cpython#110937python/cpython#140141, python/cpython#143658)v8.8.0
Features
- Removed Python 3.9 compatibility.
a9f883f
Finalize9b0dfdf
Raise an exception when no metadata file is found (#532)0f2229c
Merge branch 'main' into feature/no-metadata-exception2f4088e
Remove news fragments about internal details.0ac2720
Add news fragment.a5c2154
Finalizee66e226
Drop support for EOL Python 3.9 (#530)6027933
Add news fragment.b89388a
Import os_helper directly.2dcb761
Add uniform exclusions for test.support.6c353ca
1.1.137fd684f
Backport fix for GHSA-f886-m6hf-6m8v (#95)6c353ca
1.1.137fd684f
Backport fix for GHSA-f886-m6hf-6m8v (#95)Sourced from actions/github-script's releases.
v9.0.0
New features:
getOctokitfactory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients withgetOctokitfor details and examples.- Orchestration ID in user-agent — The
ACTIONS_ORCHESTRATION_IDenvironment variable is automatically appended to the user-agent string for request tracing.Breaking changes:
require('@actions/github')no longer works in scripts. The upgrade to@actions/githubv9 (ESM-only) meansrequire('@actions/github')will fail at runtime. If you previously used patterns likeconst { getOctokit } = require('@actions/github')to create secondary clients, use the new injectedgetOctokitfunction instead — it's available directly in the script context with no imports needed.getOctokitis now an injected function parameter. Scripts that declareconst getOctokit = ...orlet getOctokit = ...will get aSyntaxErrorbecause JavaScript does not allowconst/letredeclaration of function parameters. Use the injectedgetOctokitdirectly, or usevar getOctokit = ...if you need to redeclare it.- If your script accesses other
@actions/githubinternals beyond the standardgithub/octokitclient, you may need to update those references for v9 compatibility.What's Changed
- Add ACTIONS_ORCHESTRATION_ID to user-agent string by
@Copilotin actions/github-script#695- ci: use deployment: false for integration test environments by
@salmanmkcin actions/github-script#712- feat!: add getOctokit to script context, upgrade
@actions/githubv9,@octokit/corev7, and related packages by@salmanmkcin actions/github-script#700New Contributors
@Copilotmade their first contribution in actions/github-script#695Full Changelog: https://github.com/actions/github-script/compare/v8.0.0...v9.0.0
3a2844b
Merge pull request #700
from actions/salmanmkc/expose-getoctokit + prepare re...ca10bbd
fix: use @octokit/core/types import for v7
compatibility86e48e2
merge: incorporate main branch changesc108472
chore: rebuild dist for v9 upgrade and getOctokit factoryafff112
Merge pull request #712
from actions/salmanmkc/deployment-false + fix user-ag...ff8117e
ci: fix user-agent test to handle orchestration ID81c6b78
ci: use deployment: false to suppress deployment noise from integration
tests3953caf
docs: update README examples from @v8 to @v9, add getOctokit docs
and v9 brea...c17d55b
ci: add getOctokit integration test joba047196
test: add getOctokit integration tests via callAsyncFunctionSourced from lodash's releases.
4.18.1
Bugs
Fixes a
ReferenceErrorissue inlodashlodash-eslodash-amdandlodash.templatewhen using thetemplateandfromPairsfunctions from the modular builds. See lodash/lodash#6167These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.
There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:
lodash: https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npmlodash-es: https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-eslodash-amd: https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amdlodash.templatehttps://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages4.18.0
v4.18.0
Full Changelog: https://github.com/lodash/lodash/compare/4.17.23...4.18.0
Security
_.unset/_.omit: Fixed prototype pollution viaconstructor/prototypepath traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Nowconstructorandprototypeare blocked unconditionally as non-terminal path keys, matchingbaseSet. Calls that previously returnedtrueand deleted the property now returnfalseand leave the target untouched.
_.template: Fixed code injection viaimportskeys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. Thevariableoption was validated againstreForbiddenIdentifierCharsbutimportsKeyswas left unguarded, allowing code injection via the sameFunction()constructor sink.importskeys containing forbidden identifier characters now throw"Invalid imports option passed into _.template".Docs
- Add security notice for
_.templatein threat model and API docs (#6099)- Document
lower > upperbehavior in_.random(#6115)- Fix quotes in
_.compactjsdoc (#6090)
lodash.*modular packagesWe have also regenerated and published a select number of the
lodash.*modular packages.These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:
cb0b9b9
release(patch): bump main to 4.18.1 (#6177)75535f5
chore: prune stale advisory refs (#6170)62e91bc
docs: remove n_ Node.js < 6 REPL note from README (#6165)59be2de
release(minor): bump to 4.18.0 (#6161)af63457
fix: broken tests for _.template 879aaa91073a76
fix: linting issues879aaa9
fix: validate imports keys in _.templatefe8d32e
fix: block prototype pollution in baseUnset via constructor/prototype
traversal18ba0a3
refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)b819080
ci: add dist sync validation workflow (#6137)Sourced from packaging's releases.
26.1
Features:
PEP 783: add handling for Emscripten wheel tags by(old name used in implementation, will be fixed in next release)@hoodmanein pypa/packaging#804- PEP 803: add handling for the
abi3.abi3tfree-threading tag by@ngoldbaumin pypa/packaging#1099- PEP 723: add
packaging.dependency_groupsmodule, based on thedependency-groupspackage by@sirosenin pypa/packaging#1065- Add the
packaging.direct_urlmodule by@sbidoulin pypa/packaging#944- Add the
packaging.errorsmodule by@henryiiiin pypa/packaging#1071- Add
SpecifierSet.is_unsatisfiableusing ranges (new internals that will be expanded in future versions) by@notatallshawin pypa/packaging#1119- Add
create_compatible_tags_selectorto select compatible tags by@sbidoulin pypa/packaging#1110- Add a
keyargument toSpecifierSet.filter()by@frostmingin pypa/packaging#1068- Support
&and|forMarker's by@henryiiiin pypa/packaging#1146- Normalize
Version.__replace__and addVersion.from_partsby@henryiiiin pypa/packaging#1078- Add an option to validate compressed tag set sort order in
parse_wheel_filenameby@r266-techin pypa/packaging#1150Behavior adaptations:
- Narrow exclusion of pre-releases for
<V.postNto match spec by@notatallshawin pypa/packaging#1140- Narrow exclusion of post-releases for
>Vto match spec by@notatallshawin pypa/packaging#1141- Rename
format_full_versionto_format_full_versionto make it visibly private by@r266-techin pypa/packaging#1125- Restrict local version to ASCII by
@henryiiiin pypa/packaging#1102Pylock (PEP 751) updates:
- Add pylock
selectfunction by@sbidoulin pypa/packaging#1092- Document pylock
select()method andPylockSelectErrorby@r266-techin pypa/packaging#1153- Add
filenameproperty toPackageSdistandPackageWheel, more validation by@sbidoulin pypa/packaging#1095- Give preference to path over url by
@sbidoulin pypa/packaging#1128- Validate name/version consistency in file names by
@sbidoulin pypa/packaging#1114Fixes:
- Fix
>comparison for versions with dev+local segments by@veeceeyin pypa/packaging#1097- Fix incorrect self-comparison for
InfinityTypeandNegativeInfinityTypeby@bysiberin pypa/packaging#1093- Canonicalize when deduplicating specifiers in
SpecifierSetby@notatallshawin pypa/packaging#1109- Fix charset error message formatting by
@notatallshawin pypa/packaging#1121- Handle the
keyparameter inSpecifierSet.filterwhen specifiers are empty and prerelease isFalseby@notatallshawin pypa/packaging#1096- Standardize inner components of
reproutput by@henryiiiin pypa/packaging#1090Specifier's===uses original string, not normalized, when available by@notatallshawin pypa/packaging#1124- Propagate int-max-str-digits
ValueErrorby@notatallshawin pypa/packaging#1155Performance:
- Add fast path for parsing simple versions (digits and dots only) by
@notatallshawin pypa/packaging#1082- Add fast path for
VersiontoVersioncomparison by skipping_keyproperty by@notatallshawin pypa/packaging#1083- Cache
Versionhash value in dedicated slot by@notatallshawin pypa/packaging#1118- Overhaul
_cmpkeyto remove use of custom objects by@notatallshawin pypa/packaging#1116- Skip
__replace__in Specifier comparison if not needed by@notatallshawin pypa/packaging#1081SpecifierSetusetupleinstead offrozensetfor_specsby@notatallshawin pypa/packaging#1108- Speed up complex
SpecifierSetfiltering by implementing cost-based ordering by@notatallshawin pypa/packaging#1105
... (truncated)
Sourced from packaging's changelog.
26.1 - 2026-04-14
Features:
- PEP 783: add handling for Emscripten wheel tags in (:pull:
804)- PEP 803: add handling for the
abi3.abi3tfree-threading tag in (:pull:1099)- PEP 723: add
packaging.dependency_groupsmodule, based on thedependency-groupspackage in (:pull:1065)- Add the
packaging.direct_urlmodule in (:pull:944)- Add the
packaging.errorsmodule in (:pull:1071)- Add
SpecifierSet.is_unsatisfiableusing ranges (new internals that will be expanded in future versions) in (:pull:1119)- Add
create_compatible_tags_selectorto select compatible tags in (:pull:1110)- Add a
keyargument toSpecifierSet.filter()in (:pull:1068)- Support
&and|forMarker's in (:pull:1146)- Normalize
Version.__replace__and addVersion.from_partsin (:pull:1078)- Add an option to validate compressed tag set sort order in
parse_wheel_filenamein (:pull:1150)Behavior adaptations:
- Narrow exclusion of pre-releases for
<V.postNto match spec in (:pull:1140)- Narrow exclusion of post-releases for
>Vto match spec in (:pull:1141)- Rename
format_full_versionto_format_full_versionto make it visibly private in (:pull:1125)- Restrict local version to ASCII in (:pull:
1102)Pylock (PEP 751) updates:
- Add pylock
selectfunction in (:pull:1092)- Document pylock
select()method andPylockSelectErrorin (:pull:1153)- Add
filenameproperty toPackageSdistandPackageWheel, more validation in (:pull:1095)- Give preference to path over url in (:pull:
1128)- Validate name/version consistency in file names in (:pull:
1114)Fixes:
- Fix
>comparison for versions with dev+local segments in (:pull:1097)- Fix incorrect self-comparison for
InfinityTypeandNegativeInfinityTypein (:pull:1093)- Canonicalize when deduplicating specifiers in
SpecifierSetin (:pull:1109)- Fix charset error message formatting in (:pull:
1121)- Handle the
keyparameter inSpecifierSet.filterwhen specifiers are empty and prerelease isFalsein (:pull:1096)- Standardize inner components of
reproutput in (:pull:1090)Specifier's===uses original string, not normalized, when available in (:pull:1124)- Propagate int-max-str-digits
ValueErrorin (:pull:1155)Performance:
- Add fast path for parsing simple versions (digits and dots only) in (:pull:
1082)- Add fast path for
VersiontoVersioncomparison by skipping_keyproperty in (:pull:1083)- Cache
Versionhash value in dedicated slot in (:pull:1118)- Overhaul
_cmpkeyto remove use of custom objects in (:pull:1116)- Skip
__replace__in Specifier comparison if not needed in (:pull:1081)
</tr></table>
... (truncated)
c1a88a3
Bump for release702c25e
docs: update changelog for 26.1 (#1156)3f4f5d4
Implement is_unsatisfiable on SpecifierSet
using ranges (#1119)06c6555
Propagate int-max-str-digits ValueError (#1155)905c90c
feat: option to validate compressed tag set sort order in
`parse_wheel_filena...af0026c
docs(pylock): document select() method and PylockSelectError (#1153)668da86
Rename format_full_version to _format_full_version to make it visibly
private...f294d52
tests: do not reload the tags module (#1152)2c6c7df
feat: add handling for Emscripten wheels tags per PEP 783 (#804)6762eea
docs(markers): document & and | operators for combining Marker
objects (#1151)Sourced from uuid's releases.
v14.0.0
14.0.0 (2026-04-19)
⚠ BREAKING CHANGES
Features
Bug Fixes
- expect
cryptoto be global everywhere (requires node@20+) (#935) (f2c235f)- Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)
v13.0.0
13.0.0 (2025-09-08)
⚠ BREAKING CHANGES
- make browser exports the default (#901)
Bug Fixes
v12.0.0
12.0.0 (2025-09-05)
⚠ BREAKING CHANGES
Features
- add node@24 to ci matrix (#879) (42b6178)
- drop node@16 support (#883) (0f38cf1)
- remove CommonJS support (#886) (ae786e2)
- update to typescript@5.2 (#887) (c7ee405)
Bug Fixes
... (truncated)
Sourced from uuid's changelog.
14.0.0 (2026-04-19)
Security
- Fixes GHSA-w5hq-g745-h8pq:
v3(),v5(), andv6()did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalidoffsetwas provided. ARangeErroris now thrown ifoffset < 0oroffset + 16 > buf.length.⚠ BREAKING CHANGES
cryptois now expected to be globally defined (requires node@20+) (#935)- drop node@18 support (#934)
- upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years
13.0.0 (2025-09-08)
⚠ BREAKING CHANGES
- make browser exports the default (#901)
Bug Fixes
12.0.0 (2025-09-05)
⚠ BREAKING CHANGES
Features
- add node@24 to ci matrix (#879) (42b6178)
- drop node@16 support (#883) (0f38cf1)
- remove CommonJS support (#886) (ae786e2)
- update to typescript@5.2 (#887) (c7ee405)
Bug Fixes
11.1.0 (2025-02-19)
... (truncated)
7c1ea08
chore(main): release 14.0.0 (#926)3d2c5b0
Merge commit from forkf2c235f
fix!: expect crypto to be global everywhere (requires
node@20+) (#935)529ef08
chore: upgrade TypeScript and fixup types (#927)086fd79
chore: update dependencies (#933)dc4ddb8
feat!: drop node@18 support (#934)0f1f9c9
chore: switch to Biome for parsing and linting (#932)e2879e6
chore: use maintained version of npm-run-all (#930)ffa3138
fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)0423d49
docs: remove obsolete v1 option notes (#915)This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.
This version adds prepare script that runs during
installation. Review the package contents before updating.
Sourced from packaging's releases.
26.2
What's Changed
Fixes:
- Fix incorrect sysconfig var name for pyemscripten by
@ryanking13in pypa/packaging#1160- Make
Version,Specifier,SpecifierSet,Tag,Marker, andRequirementpickle-safe and backward-compatible with pickles created in 25.0-26.1 (including references to the removedpackaging._structuresmodule) by@eachimeiand@henryiiiin pypa/packaging#1163, pypa/packaging#1168, pypa/packaging#1170, and pypa/packaging#1171- fix: re-export ExceptionGroup for now by
@henryiiiin pypa/packaging#1164Documentation:
- docs: add errors section and fix missing details by
@henryiiiin pypa/packaging#1159- docs(dev): document property-based test suite by
@r266-techin pypa/packaging#1167- Fix typo in DirectUrl documentation by
@sbidoulin pypa/packaging#1169- docs(specifiers): add is_unsatisfiable() usage example by
@r266-techin pypa/packaging#1166Internal:
- Enable the auditor persona on zizmor by
@henryiiiin pypa/packaging#1158- Test new pickle guarantees by
@henryiiiin pypa/packaging#1174- Use native uv integration in rtd by
@henryiiiin pypa/packaging#1175New Contributors
@ryanking13made their first contribution in pypa/packaging#1160@eachimeimade their first contribution in pypa/packaging#1163Full Changelog: https://github.com/pypa/packaging/compare/26.1...26.2
Sourced from packaging's changelog.
26.2 - 2026-04-24
Fixes:
- Fix incorrect sysconfig var name for pyemscripten in (:pull:
1160)- Make
Version,Specifier,SpecifierSet,Tag,Marker, andRequirementpickle-safe
and backward-compatible with pickles created in 25.0-26.1 (including references to the removed
packaging._structuresmodule) (:pull:1163, :pull:1168, :pull:1170, :pull:1171)- Re-export
ExceptionGroupin metadata for now in (:pull:1164)Documentation:
- Add errors section and fix missing details in (:pull:
1159)- Document our property-based test suite in (:pull:
1167)- Fix a
DirectUrltypo in (:pull:1167)- Add example of
is_unsatisfiablein (:pull:1166)Internal:
- Enable the auditor persona on zizmor in (:pull:
1158)- Test new pickle guarantees in (:pull:
1174)- Use new native ReadTheDocs uv integration in (:pull:
1175)
84a87ee
Bump for release4a616b6
docs: a few more updates to prepare for 26.2 (#1176)9de6f44
ci: use native uv integration in rtd (#1175)bc76e14
chore: update changelog for 26.2 (#1161)3f00091
tests: add a pickle check (#1174)48a8a06
fix: make Requirements/Markers pickle-safe (#1171)823b44e
fix: make Tags pickle-safe (#1170)4bed32d
fix: make Specifier / SpecifierSet pickle-safe (#1168)963118e
fix: re-export ExceptionGroup for now (#1164)66e34a8
docs(specifiers): add is_unsatisfiable() usage example (#1166)Sourced from fast-uri's releases.
v3.1.2
⚠️ Security Release
What's Changed
- Handle malformed fragment decoding as a parse error by
@mcollinain fastify/fast-uri#171Full Changelog: https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2
v3.1.1
⚠️ Security Release
What's Changed
- build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by
@dependabot[bot] in fastify/fast-uri#148- build(deps): bump actions/checkout from 4 to 5 by
@dependabot[bot] in fastify/fast-uri#149- chore(.npmrc): ignore scripts by
@Fdawgsin fastify/fast-uri#150- build(deps-dev): remove
@fastify/pre-commitby@Fdawgsin fastify/fast-uri#151- build(deps): bump actions/setup-node from 4 to 5 by
@dependabot[bot] in fastify/fast-uri#152- ci(ci): add concurrency config by
@Fdawgsin fastify/fast-uri#153- build(deps): bump actions/setup-node from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#154- build(deps): bump actions/checkout from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#156- chore(license): standardise license notice by
@Fdawgsin fastify/fast-uri#159- style: remove trailing whitespace by
@Fdawgsin fastify/fast-uri#161- ci: remove unused github files by
@Tony133in fastify/fast-uri#162- chore: update readme by
@Tony133in fastify/fast-uri#164- build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#165- build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by
@dependabot[bot] in fastify/fast-uri#166- build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by
@dependabot[bot] in fastify/fast-uri#167- ci: add lock-threads workflow by
@Fdawgsin fastify/fast-uri#169New Contributors
@Tony133made their first contribution in fastify/fast-uri#162Full Changelog: https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1
919dd8e
Bumped v3.1.2c65ba57
fixup: linting6c86c17
Merge commit from forka95158a
Handle malformed fragment decoding without throwing (#171)cea547c
Bumped v3.1.1876ce79
Merge commit from forkdcdf690
ci: add lock-threads workflow (#169)c860e65
build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)9b4c6dc
build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)85d09a9
build(deps): bump
fastify/workflows/.github/workflows/plugins-ci-package-mana...