Bump the npm_and_yarn group across 2 directories with 19 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the / directory:

Package	From	To
@solana/web3.js	1.47.3	1.47.5
store2	2.13.2	2.14.4
tsup	6.1.3	8.3.5
base-x	3.0.9	3.0.11
json5	2.2.1	2.2.3
secp256k1	4.0.3	4.0.4
semver	6.3.0	6.3.1

Bumps the npm_and_yarn group with 11 updates in the /example directory:

Package	From	To
@solana/web3.js	1.47.3	1.47.5
store2	2.14.2	2.14.4
braces	3.0.2	3.0.3
cross-spawn	7.0.3	7.0.6
json5	1.0.1	1.0.2
micromatch	4.0.5	4.0.8
next	12.2.2	15.2.4
browserify-sign	4.2.1	4.2.3
follow-redirects	1.15.1	1.15.9
socket.io-parser	4.2.1	4.2.4
word-wrap	1.2.3	1.2.5

Updates @solana/web3.js from 1.47.3 to 1.47.5

Release notes

Sourced from @​solana/web3.js's releases.

The New web3.js – Technology Preview 4

tp4 (2024-07-02)

This version of the @solana/web3.js Technology Preview fixes a bug with the default RPC transport, adds a utility that you can use to get an estimate of a transaction message's compute unit cost, and introduces @solana/react hooks for interacting with Wallet Standard wallets.

To install the fourth Technology Preview:

npm install --save @solana/web3.js@tp4

For an example of how to use the new @solana/react package to interact with wallets in a React application, see the example application in examples/react-app. We hope to see similar wallet-connection packages patterned off @solana/react for other application frameworks soon.

Try a demo of Technology Preview 4 in your browser at CodeSandbox.

Changelog since Technology Preview 3

• #2858 22a34aa Thanks @​steveluscher! - Transaction signers' methods now take minContextSlot as an option. This is important for signers that simulate transactions, like wallets. They might be interested in knowing the slot at which the transaction was prepared, lest they run simulation at too early a slot.

• #2852 cec9048 Thanks @​lorisleiva! - The signAndSendTransactionMessageWithSigners function now automatically asserts that the provided transaction message contains a single sending signer and fails otherwise.

• #2707 cb49bfa Thanks @​mcintyre94! - Allow creating keypairs and keys from ReadonlyUint8Array

• #2715 26dae19 Thanks @​lorisleiva! - Consolidated getNullableCodec and getOptionCodec with their Zeroable counterparts and added more configurations

  Namely, the prefix option can now be set to null and the fixed option was replaced with the noneValue option which can be set to "zeroes" for Zeroable codecs or a custom byte array for custom representations of none values. This means the getZeroableNullableCodec and getZeroableOptionCodec functions were removed in favor of the new options.

  // Before.
  getZeroableNullableCodec(getU16Codec());
  // After.
  getNullableCodec(getU16Codec(), { noneValue: 'zeroes', prefix: null });

  Additionally, it is now possible to create nullable codecs that have no prefix nor noneValue. In this case, the existence of the nullable item is indicated by the presence of any remaining bytes left to decode.

  const codec = getNullableCodec(getU16Codec(), { prefix: null });
  codec.encode(42); // 0x2a00
  codec.encode(null); // Encodes nothing.
  codec.decode(new Uint8Array([42, 0])); // 42
  codec.decode(new Uint8Array([])); // null

  Also note that it is now possible for custom noneValue byte arrays to be of any length — previously, it had to match the fixed-size of the nullable item.

  Here is a recap of all supported scenarios, using a u16 codec as an example:

  | encode(42) / encode(null) | No noneValue (default) | noneValue: "zeroes" | Custom noneValue (0xff) |

... (truncated)

Commits

• See full diff in compare view

Updates store2 from 2.13.2 to 2.14.4

Commits

• bb2680d 2.14.4
• 5c4c208 minor version build updates
• 582a86c fix syntax/lint issue
• 0ef2405 Merge pull request #128 from TasosY2K/master
• b5b7723 removed eval use from deep.store.js
• 0216588 ssh git repo url
• cc4444b remove component
• 29cbc3b 2.14.3
• 6a1f112 obsolete long ago
• 77ca9ea npm update
• Additional commits viewable in compare view

Updates tsup from 6.1.3 to 8.3.5

Release notes

Sourced from tsup's releases.

v8.3.5

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in egoist/tsup#1236 (fddd4)

    View changes on GitHub

v8.3.4

No significant changes

    View changes on GitHub

v8.3.3

No significant changes

    View changes on GitHub

v8.3.1

   🚀 Features

• Add es2024 target  -  by @​sxzz (4c8cd)

   🐞 Bug Fixes

• Support TS 5.6 for svelte  -  by @​sxzz (28b9c)
• Add neutral value to platform options in schema.json  -  by @​venables in egoist/tsup#982 (a03db)
• Wider restriction for target option  -  by @​odanado in egoist/tsup#1118 (1979b)
• Add terser value to minify option in schema.json  -  by @​damienbutt in egoist/tsup#991 (34951)
• Change newlineKind to lf for experimentalDts  -  by @​aryaemami59 in egoist/tsup#1234 (4584b)
• Enable rollup output.compact when minify is enabled  -  by @​hyrious in egoist/tsup#1232 (9cc86)
• Support Node16 and NodeNext module resolution in experimentalDts  -  by @​aryaemami59 in egoist/tsup#1225 (41c98)

    View changes on GitHub

v8.3.0

8.3.0 (2024-09-17)

Bug Fixes

• fix experimentalDts file cleaning and watching (#1199) (76dc18b)

Features

• add support for cts and mts config files (#1178) (ec811b3)
• add support for async injectStyle (#1193) (f25a9db)

v8.2.4

8.2.4 (2024-08-02)

... (truncated)

Commits

• cd03e1e chore: release v8.3.5
• fddd451 fix: run experimentalDts only once (#1236)
• 21b1193 chore: release v8.3.4
• 580e03d ci: fix release workflow
• 01b38f2 chore: release v8.3.3
• 4f5b71e ci: fix release workflow
• e80dad6 chore: release v8.3.2
• f4af79a ci: fix release workflow (#1241)
• 4b72d61 chore: release v8.3.1
• 41c98ff fix: support Node16 and NodeNext module resolution in experimentalDts (...
• Additional commits viewable in compare view

Updates base-x from 3.0.9 to 3.0.11

Commits

• 043a888 3.0.11
• 2705ddd [backport 3.x] Prohibit char codes that would overflow the BASE_MAP
• 3d43c0e 3.0.10
• 0a35446 Improve decoding performance
• See full diff in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates esbuild from 0.14.49 to 0.24.2

Release notes

Sourced from esbuild's releases.

v0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

v0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
  ))

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2022

This changelog documents all esbuild versions published in the year 2022 (versions 0.14.11 through 0.16.12).

0.16.12

• Loader defaults to js for extensionless files (#2776)

  Certain packages contain files without an extension. For example, the yargs package contains the file yargs/yargs which has no extension. Node, Webpack, and Parcel can all understand code that imports yargs/yargs because they assume that the file is JavaScript. However, esbuild was previously unable to understand this code because it relies on the file extension to tell it how to interpret the file. With this release, esbuild will now assume files without an extension are JavaScript files. This can be customized by setting the loader for "" (the empty string, representing files without an extension) to another loader. For example, if you want files without an extension to be treated as CSS instead, you can do that like this:

  • CLI:

    esbuild --bundle --loader:=css
    

  • JS:

    esbuild.build({
      bundle: true,
      loader: { '': 'css' },
    })

  • Go:

    api.Build(api.BuildOptions{
      Bundle: true,
      Loader: map[string]api.Loader{"": api.LoaderCSS},
    })

  In addition, the "type" field in package.json files now only applies to files with an explicit .js, .jsx, .ts, or .tsx extension. Previously it was incorrectly applied by esbuild to all files that had an extension other than .mjs, .mts, .cjs, or .cts including extensionless files. So for example an extensionless file in a "type": "module" package is now treated as CommonJS instead of ESM.

0.16.11

• Avoid a syntax error in the presence of direct eval (#2761)

  The behavior of nested function declarations in JavaScript depends on whether the code is run in strict mode or not. It would be problematic if esbuild preserved nested function declarations in its output because then the behavior would depend on whether the output was run in strict mode or not instead of respecting the strict mode behavior of the original source code. To avoid this, esbuild transforms nested function declarations to preserve the intended behavior of the original source code regardless of whether the output is run in strict mode or not:

  // Original code
  if (true) {
    function foo() {}
    console.log(!!foo)
    foo = null
    console.log(!!foo)
  }

... (truncated)

Commits

• 745abd9 publish 0.24.2 to npm
• 79fd0b0 skip nulls in source map finalization (#4011)
• 4b9322f source map: avoid null entry for 0-length parts
• 199a0d3 close #4013: credit to @​sapphi-red for the fix
• 947f99f fix #4010, fix #4012: import.meta regression
• de9598f publish 0.24.1 to npm
• 15d56ca emit null source mappings for empty chunk content
• 8d98f6f fix #3985: entryPoint metadata for copy loader
• 0db1b82 fix #3998: avoid outbase in identifier names
• 7236472 close #3974: add support for netbsd on arm64
• Additional commits viewable in compare view

Updates json5 from 2.2.1 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

Commits

• c3a7524 2.2.3
• 94fd06d docs: update CHANGELOG for v2.2.3
• 3b8cebf docs(security): use GitHub security advisories
• f0fd9e1 docs: publish a security policy
• 6a91a05 docs(template): bug -> bug report
• 14f8cb1 2.2.2
• 10cc7ca docs: update CHANGELOG for v2.2.2
• 7774c10 fix: add proto to objects and arrays
• edde30a Readme: slight tweak to intro
• 97286f8 Improve example in readme
• Additional commits viewable in compare view

Updates rollup from 2.76.0 to 4.41.1

Release notes

Sourced from rollup's releases.

v4.41.1

4.41.1

2025-05-24

Bug Fixes

• If a plugin calls this.resolve with skipSelf: true, subsequent calls when handling this by the same plugin with same parameters will return null to avoid infinite recursions (#5945)

Pull Requests

• #5945: Avoid recursively calling a plugin's resolveId hook with same id and importer (@​younggglcy, @​lukastaegert)
• #5963: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #5964: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.41.0

4.41.0

2025-05-18

Features

• Detect named exports in more dynamic import scenarios (#5954)

Pull Requests

• #5949: ci: use node 24 (@​btea, @​lukastaegert)
• #5951: chore(deps): update dependency pretty-bytes to v7 (@​renovate[bot])
• #5952: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #5953: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5954: enhance tree-shaking for dynamic imports (@​TrickyPi, @​renovate[bot], @​lukastaegert)
• #5957: chore(deps): update dependency lint-staged to v16 (@​renovate[bot], @​lukastaegert)
• #5958: fix(deps): update rust crate swc_compiler_base to v20 (@​renovate[bot], @​lukastaegert)
• #5959: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5960: Use spawn to run CLI tests (@​lukastaegert)

v4.40.2

4.40.2

2025-05-06

Bug Fixes

• Create correct IIFE/AMD/UMD bundles when using a mutable default export (#5934)
• Fix execution order when using top-level await for dynamic imports with inlineDynamicImports (#5937)
• Throw when the output is watched in watch mode (#5939)

Pull Requests

• #5934: fix(exports): avoid "exports is not defined" ReferenceError (@​dasa)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.41.1

2025-05-24

Bug Fixes

• If a plugin calls this.resolve with skipSelf: true, subsequent calls when handling this by the same plugin with same parameters will return null to avoid infinite recursions (#5945)

Pull Requests

• #5945: Avoid recursively calling a plugin's resolveId hook with same id and importer (@​younggglcy, @​lukastaegert)
• #5963: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #5964: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

4.41.0

2025-05-18

Features

• Detect named exports in more dynamic import scenarios (#5954)

Pull Requests

• #5949: ci: use node 24 (@​btea, @​lukastaegert)
• #5951: chore(deps): update dependency pretty-bytes to v7 (@​renovate[bot])
• #5952: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #5953: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5954: enhance tree-shaking for dynamic imports (@​TrickyPi, @​renovate[bot], @​lukastaegert)
• #5957: chore(deps): update dependency lint-staged to v16 (@​renovate[bot], @​lukastaegert)
• #5958: fix(deps): update rust crate swc_compiler_base to v20 (@​renovate[bot], @​lukastaegert)
• #5959: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5960: Use spawn to run CLI tests (@​lukastaegert)

4.40.2

2025-05-06

Bug Fixes

• Create correct IIFE/AMD/UMD bundles when using a mutable default export (#5934)
• Fix execution order when using top-level await for dynamic imports with inlineDynamicImports (#5937)
• Throw when the output is watched in watch mode (#5939)

Pull Requests

• #5934: fix(exports): avoid "exports is not defined" ReferenceError (@​dasa)
• #5937: consider TLA imports have higher execution priority (@​TrickyPi)
• #5939: fix: watch mode input should not be an output subpath (@​btea)
• #5940: chore(deps): update dependency vite to v6.3.4 [security] (@​renovate[bot])

... (truncated)

Commits

• 7c469dc 4.41.1
• 9f4abf1 Avoid recursively calling a plugin's resolveId hook with same id and importer...
• 605ec27 fix(deps): update swc monorepo (major) (#5963)
• b88492b fix(deps): lock file maintenance minor/patch updates (#5964)
• 0928185 4.41.0
• 2491b31 ci: use node 24 (#5949)
• 7759f56 Use spawn to run CLI tests (#5960)
• dd29577 fix(deps): update rust crate swc_compiler_base to v20 (#5958)
• fff335f enhance tree-shaking for dynamic imports (#5954)
• 9cf84fc fix(deps): lock file maintenance minor/patch updates (#5959)
• Additional commits viewable in compare view

Updates secp256k1 from 4.0.3 to 4.0.4

Commits

• 756fce1 4.0.4
• 8bd6446 elliptic: fix key verification in loadCompressedPublicKey
• 840834e Update elliptic to 6.5.7 (CVE-2024-42461) (#206)
• See full diff in compare view

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

6.2.0

• Coerce numbers to strings when passed to semver.coerce()
• Add rtl option to coerce from right to left

6.1.3

• Handle X-ranges properly in includePrerelease mode

6.1.2

• Do not throw when testing invalid version strings

6.1.1

• Add options support for semver.coerce()
• Handle undefined version passed to Range.test

6.1.0

• Add semver.compareBuild function
• Support * in semver.intersects

6.0

• Fix intersects logic.

  This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

• 44d27bc chore: release 6.3.1
• 928e56d fix: better handling of whitespace (#591)
• 39f6326 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates @solana/web3.js from 1.47.3 to 1.47.5

Release notes

Sourced from @​solana/web3.js's releases.

The New web3.js – Technology Preview 4

tp4 (2024-07-02)

This version of the @solana/web3.js Technology Preview fixes a bug with the default RPC transport, adds a utility that you can use to get an estimate of a transaction message's compute unit cost, and introduces @solana/react hooks for interacting with Wallet Standard wallets.

To install the fourth Technology Preview:

npm install --save @solana/web3.js@tp4

For an example of how to use the new @solana/react package to interact with wallets in a React application, see the example application in examples/react-app. We hope to see similar wallet-connection packages patterned off @solana/react for other application frameworks soon.

Try a demo of Technology Preview 4 in your browser at CodeSandbox.

Changelog since Technology Preview 3

• #2858 22a34aa Thanks @​steveluscher! - Transaction signers' methods now take minContextSlot as an option. This is important for signers that simulate transactions, like wallets. They might be interested in knowing the slot at which the transaction was prepared, lest they run simulation at too early a slot.

• #2852 cec9048 Thanks @​lorisleiva! - The signAndSendTransactionMessageWithSigners function now automatically asserts that the provided transaction message contains a single sending signer and fails otherwise.

• #2707 cb49bfa Thanks @​mcintyre94! - Allow creating keypairs and keys from ReadonlyUint8Array

• #2715 26dae19 Thanks @​lorisleiva! - Consolidated getNullableCodec and getOptionCodec with their Zeroable counterparts and added more configurations

  Namely, the prefix option can now be set to null and the fixed option was replaced with the noneValue option which can be set to "zeroes" for Zeroable codecs or a custom byte array for custom representations of none values. This means the getZeroableNullableCodec and getZeroableOptionCodec functions were removed in favor of the new options.

  // Before.
  getZeroableNullableCodec(getU16Codec());
  // After.
  getNullableCodec(getU16Codec(), { noneValue: 'zeroes', prefix: null });

  Additionally, it is now possible to create nullable codecs that have no prefix nor noneValue. In this case, the existence of the nullable item is indicated by the presence of any remaining bytes left to decode.

  const codec = getNullableCodec(getU16Codec(), { prefix: null });
  codec.encode(42); // 0x2a00
  codec.encode(null); // Encodes nothing.
  codec.decode(new Uint8Array([42, 0])); // 42
  codec.decode(new Uint8Array([])); // null

  Also note that it is now possible for custom noneValue byte arrays to be of any length — previously, it had to match the fixed-size of the nullable item.

  Here is a recap of all supported scenarios, using a u16 codec as an example:

  | encode(42) / encode(null) | No noneValue (default) | noneValue: "zeroes" | Custom noneValue (0xff) |

... (truncated)

Commits

• See full diff in compare view

Updates store2 from 2.14.2 to 2.14.4

Commits

• bb2680d 2.14.4
• 5c4c208 minor version build updates
• 582a86c fix syntax/lint issue
• 0ef2405 Merge pull request #128 from TasosY2K/master
• b5b7723 removed eval use from deep.store.js
• 0216588 ssh git repo url
• cc4444b remove component
• 29cbc3b 2.14.3
• 6a1f112 obsolete long ago
• 77ca9ea npm update
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates json5 from 1.0.1 to 1.0.2

Release notes

Sourced from json5's releases.

v2.2.3

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

• Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

• Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

Commits

• c3a7524 2.2.3
• 94fd06d docs: update CHANGELOG for v2.2.3
• 3b8cebf docs(security): use GitHub security advisories
• f0fd9e1 docs: publish a security policy
• 6a91a05 docs(template): bug -> bug report
• 14f8cb1 2.2.2
• 10cc7ca docs: update CHANGELOG for v2.2.2
• 7774c10 fix: add proto to objects and arrays

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
embed	❌ Failed (Inspect)			Jun 1, 2025 10:03am