build(deps): bump the npm_and_yarn group across 1 directory with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
axios	1.14.0	1.15.2
fast-xml-parser	4.5.4	5.7.0
lodash	4.17.23	4.18.1
music-metadata	7.14.0	11.12.3
nodemailer	7.0.13	8.0.5
uuid	10.0.0	14.0.0
postcss	8.4.38	8.5.10
vite	6.4.1	6.4.2
path-to-regexp	0.1.12	8.4.2

Updates axios from 1.14.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Updates fast-xml-parser from 4.5.4 to 5.7.0

Release notes

Sourced from fast-xml-parser's releases.

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes pass readonly instance of matcher to the call backs to avoid accidental push/pop call

fix bugs of entity parsing and value parsing

fix: entity expansion limits update strnum package to 2.2.0

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

*5.8.0 / 2026-05-12

• integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
  • This will consider xml-version as well. '1.0' is default
• update strnum to 2.3.0
  • You can set octal and binary parsing which is bydeault off
• update fast-xml-builder to 1.2.0
  • can sanitize tag names if found invalid
  • fix format output

5.7.3 / 2006-05-05

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.7
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

... (truncated)

Commits

• f529642 update to release v5.7.0
• 52a8583 Revert "improve performance of attributes reading"
• 8d187f9 update builder
• e174168 improve performance of attributes reading
• 79a8dde update docs
• f5cd5a5 set xml version to decoder even if attributes are ignored
• f44b923 remove unwanted tests
• 869ec8b Use @​nodable/entities v2.1.0
• 7cb49e5 update release detail
• 1b14fa7 include currency entities in default list
• Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates music-metadata from 7.14.0 to 11.12.3

Release notes

Sourced from music-metadata's releases.

v11.12.3

Changes

🐛 Bug Fixes

• Fix TypeScript decleration inclusion @​Borewit (#2608)

📦 NPM release

NPM release: music-metadata@11.12.3

v11.12.2

⚠️ This release is missing TypeScript declarations, use v11.12.3 instead.

Changes

• ⚠️ Fix CWE-85 by avoiding infinite loop in ASF @​Borewit (#2605)

🐛 Bug Fixes

• Map .wma and .wmv. extension to AsfParser @​Borewit (#2601)

⬆️ Dependencies

• Bump @​borewit/text-codec from 0.2.1 to 0.2.2 @​dependabot (#2602)

📦 NPM release

NPM release: music-metadata@11.12.2

v11.12.1

Changes

🐛 Bug Fixes

• Fix miscalculation Ogg/Vorbis, duration miscalculation @​Borewit (#2583)

📦 NPM release

NPM release: music-metadata@11.12.1

v11.12.0

Changes

🚀 Enhancements

• feat: Add support for multiple albumartists @​ma225tq (#2577)

📦 NPM release

NPM release: music-metadata@11.12.0

v11.11.2

Changes

... (truncated)

Commits

• 894a9e8 11.12.3
• 2beb45c Fix TypeScript decleration inclusion
• 7f13e8e 11.12.2
• 7e5be08 Upgrade @biomejs/biome to 2.4.6
• 318e963 Fix CWE-85 by avoiding infinite loop in ASF
• 5b7e69c Simplify tsconfig.prod.json by removing unused options
• 1ffe9bf Bump tar from 7.5.7 to 7.5.11
• 20f4683 Bump c8 from 10.1.3 to 11.0.0
• cfcf152 Bump @​borewit/text-codec from 0.2.1 to 0.2.2
• 2e4e40c Bump minimatch from 9.0.5 to 9.0.9
• Additional commits viewable in compare view

Updates nodemailer from 7.0.13 to 8.0.5

Release notes

Sourced from nodemailer's releases.

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

v8.0.2

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

v8.0.1

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

v8.0.0

8.0.0 (2026-02-04)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

• Error code 'NoAuth' renamed to 'ENOAUTH'

Bug Fixes

... (truncated)

Commits

• 202cfb3 chore(master): release 8.0.5 (#1809)
• b634abf docs: add CLAUDE.md with project conventions and release process
• 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
• 0a43876 fix: sanitize CRLF in transport name option to prevent SMTP command injection...
• 08e59e6 chore: update dev dependencies
• 2d31975 chore(master): release 8.0.4 (#1806)
• 2d7b971 fix: sanitize envelope size to prevent SMTP command injection
• 4e702e9 chore(master): release 8.0.3 (#1804)
• c803d90 fix: remove familySupportCache that broke DNS resolution tests
• e8c8b92 fix: fix cookie bugs, remove dead code, and improve hot-path efficiency
• Additional commits viewable in compare view

Updates uuid from 10.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

• expect crypto to be global everywhere (requires node@20+) (#935)
• drop node@18 support (#934)

Features

• drop node@18 support (#934) (dc4ddb8)

Bug Fixes

• expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
• Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

• rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

v13.0.0

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

v12.0.1

12.0.1 (2026-04-29)

... (truncated)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

• Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

• crypto is now expected to be globally defined (requires node@20+) (#935)
• drop node@18 support (#934)
• upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

13.0.0 (2025-09-08)

⚠ BREAKING CHANGES

• make browser exports the default (#901)

Bug Fixes

• make browser exports the default (#901) (bce9d72)

12.0.0 (2025-09-05)

⚠ BREAKING CHANGES

• update to typescript@5.2 (#887)
• remove CommonJS support (#886)
• drop node@16 support (#883)

Features

• add node@24 to ci matrix (#879) (42b6178)
• drop node@16 support (#883) (0f38cf1)
• remove CommonJS support (#886) (ae786e2)
• update to typescript@5.2 (#887) (c7ee405)

Bug Fixes

• improve v4() performance (#894) (5fd974c)
• restore node: prefix (#889) (e1f42a3)

11.1.0 (2025-02-19)

... (truncated)

Commits

• 7c1ea08 chore(main): release 14.0.0 (#926)
• 3d2c5b0 Merge commit from fork
• f2c235f fix!: expect crypto to be global everywhere (requires node@20+) (#935)
• 529ef08 chore: upgrade TypeScript and fixup types (#927)
• 086fd79 chore: update dependencies (#933)
• dc4ddb8 feat!: drop node@18 support (#934)
• 0f1f9c9 chore: switch to Biome for parsing and linting (#932)
• e2879e6 chore: use maintained version of npm-run-all (#930)
• ffa3138 fix: Use GITHUB_TOKEN for release-please and enable npm provenance (#925)
• 0423d49 docs: remove obsolete v1 option notes (#915)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates postcss from 8.4.38 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"
</tr></table>

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

• Fixed custom syntax without source.offset (by @​romainmenke).

... (truncated)

Commits

• 33b9790 Release 8.5.10 version
• 536c79e Escape </style> in CSS output (#2074)
• afa96b2 Update dependencies (#2073)
• effe88b Typo (#2072)
• 3ee79a2 Thread model (#2071)
• 2e0683d Create incident response docs (#2070)
• fe88ac2 Release 8.5.9 version
• c551632 Avoid RegExp when we can use simple JS
• 89a6b74 Move SECURITY.txt for docs folder to keep GitHub page cleaner
• 6ceb8a4 Create SECURITY.md
• Additional commits viewable in compare view

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (

[postiz-contribution]

Contribution-checker quality warning
Heuristic score: 0/100 (low). This is a non-blocking warning surfaced by the project's quality settings.

Heuristics that flagged:

• Wall-of-text PR body — 65556 chars (>2500)
• Excessive emojis in body — 29 emojis (>2)
• Excessive inline code references — 26 inline refs (>3)
• PR doesn't use the repo's PR template — 4 required checkbox items missing (max 1, match ≥80%)
• Commit message too long — Longest: 4691 chars
• Single giant commit
• Low global merge ratio — 18% (<30%)
• No public email

If this is a genuine contribution, please add detail to your PR description and tighten the diff scope before reviewers look at it.

[postiz-contribution]

Contribution-checker quality warning
Heuristic score: 0/100 (low). This is a non-blocking warning surfaced by the project's quality settings.

Heuristics that flagged:

• Wall-of-text PR body: 65556 chars (>2500)
• Excessive emojis in body: 29 emojis (>2)
• Excessive inline code references: 26 inline refs (>3)
• PR doesn't use the repo's PR template: 5 required checkbox items missing (max 1, match ≥80%)
• Commit message too long: Longest: 4691 chars
• Single giant commit
• No public email

If this is a genuine contribution, please add detail to your PR description and tighten the diff scope before reviewers look at it.