Bump the npm_and_yarn group across 1 directory with 14 updates

[dependabot]

Bumps the npm_and_yarn group with 8 updates in the / directory:

Package	From	To
ajv	6.12.6	6.14.0
devalue	5.5.0	5.6.4
diff	5.2.0	5.2.2
h3	1.15.4	1.15.10
rollup	4.53.3	4.60.0
smol-toml	1.5.2	1.6.1
svgo	4.0.0	4.0.1
tar	7.5.2	7.5.13

Updates ajv from 6.12.6 to 6.14.0

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates devalue from 5.5.0 to 5.6.4

Release notes

Sourced from devalue's releases.

v5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

v5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

v5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

v5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

Changelog

Sourced from devalue's changelog.

5.6.4

Patch Changes

• 87c1f3c: fix: reject __proto__ keys in malformed Object wrapper payloads

  This validates the "Object" parse path and throws when the wrapped value has an own __proto__ key.

• 40f1db1: fix: ensure sparse array indices are integers

• 87c1f3c: fix: disallow __proto__ keys in null-prototype object parsing

  This disallows __proto__ keys in the "null" parse path so null-prototype object hydration cannot carry that key through parse/unflatten.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

5.6.2

Patch Changes

• 1175584: fix: validate input for ArrayBuffer parsing
• e46afa6: fix: validate input for typed arrays
• 1175584: fix: more helpful errors for inputs causing stack overflows

5.6.1

Patch Changes

• 2161d44: fix: add hasOwn check before calling reviver

5.6.0

Minor Changes

• a3d09d4: feat: expose DevalueError for instanceof checks in catch clauses
• a3d09d4: feat: add value and root properties in DevalueError instances

Commits

• 6cbb3f5 Version Packages (#133)
• 40f1db1 Merge commit from fork
• 87c1f3c Merge commit from fork
• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• fcf4e88 fix tests
• 1d8a5ea Version Packages (#131)
• 1175584 Merge commit from fork
• e46afa6 Merge commit from fork
• Additional commits viewable in compare view

Updates diff from 5.2.0 to 5.2.2

Changelog

Sourced from diff's changelog.

v5.2.2 - January 2026

Only change from 5.2.0 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v5.2.1 (deprecated)

Accidental release - do not use.

Commits

• b7b6339 v5.2.2
• b5377ab Update package version to 5.2.1
• 7801789 Backport kpdecker/jsdiff#649
• 042a837 Backport kpdecker/jsdiff#647
• See full diff in compare view

Updates h3 from 1.15.4 to 1.15.10

Release notes

Sourced from h3's releases.

v1.15.10

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#1355)

❤️ Contributors

• Sergio Azócar (@​sergioazoc)

v1.15.9

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)
• static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
• sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

v1.15.8

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)

v1.15.7

compare changes

🩹 Fixes

• static: Narrow path traversal check to match .. as a path segment only (c049dc0)
• app: Decode percent-encoded path segments to prevent auth bypass (313ea52)

💅 Refactors

• Remove implicit event handler conversion warning (#1340)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Wind (@​productdevbook)

v1.15.6

compare changes

🩹 Fixes

• sse: Sanitize newlines in event stream fields to prevent SSE injection (840ac5c)

... (truncated)

Changelog

Sourced from h3's changelog.

v1.15.10

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#1355)

🏡 Chore

• Update deps (26fec6f)

❤️ Contributors

• Pooya Parsa (@​pi0)
• Sergio Azócar (@​sergioazoc)

v1.15.9

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)
• static: Prevent path traversal via double-encoded dot segments (%252e%252e) (c56683d)
• sse: Sanitize carriage returns in event stream data and comments (ba3c3fe)

🏡 Chore

• release: V1.15.8 (e3b9c9e)
• Update deps (23045df)

❤️ Contributors

• Pooya Parsa (@​pi0)

v1.15.8

compare changes

🩹 Fixes

• Preserve %25 in pathname (1103df6)

❤️ Contributors

• Pooya Parsa (@​pi0)

v1.15.7

... (truncated)

Commits

• b72bb57 chore(release): v1.15.10
• d8ef318 remove resolutions for h3
• 26fec6f chore: update deps
• 51ca9b3 fix: preserve percent-encoded req.url in app event handler (#1355)
• 4e8d43a chore(release): v1.15.9
• 23045df chore: update deps
• ba3c3fe fix(sse): sanitize carriage returns in event stream data and comments
• c56683d fix(static): prevent path traversal via double-encoded dot segments (`%252e%2...
• e3b9c9e chore(release): v1.15.8
• 1103df6 fix: preserve %25 in pathname
• Additional commits viewable in compare view

Updates minimatch from 5.1.6 to 5.1.9

Commits

• 4419b6e 5.1.9
• 383ce59 docs: add warning about ReDoS
• b02ef18 fix partial matching of globstar patterns
• e92ae29 5.1.8
• 79e4447 limit recursion for **, improve perf considerably
• 85ec0ff lockfile update
• 647146e lock node version to 14
• 85646c8 5.1.7
• 977c2d8 update CI matrix and actions
• 421ad12 update test expectations for coalesced consecutive stars
• Additional commits viewable in compare view

Updates nanotar from 0.2.0 to 0.2.1

Changelog

Sourced from nanotar's changelog.

Changelog

v0.3.0

compare changes

🚀 Enhancements

• parse: ⚠️ Support extended item types and headers (#30)
• parse: Handle long file names (#31)

🩹 Fixes

• Sanitise paths (#58)

🏡 Chore

• release: V0.2.0 (7e35c5b)

✅ Tests

• Add additional tests for different formats (f13b802)
• Update fixture (6fa56df)

⚠️ Breaking Changes

• parse: ⚠️ Support extended item types and headers (#30)

❤️ Contributors

• Daniel Roe (@​danielroe)
• Pooya Parsa (@​pi0)

Commits

• 10b6a2a fix syntax
• 6326638 chore: bump 0.2
• e5e68cf fix: sanitise paths (#58)
• See full diff in compare view

Updates rollup from 4.53.3 to 4.60.0

Release notes

Sourced from rollup's releases.

v4.60.0

4.60.0

2026-03-22

Features

• Support source phase imports as long as they are external (#6279)

Pull Requests

• #6279: feat: external only Source Phase imports support (@​guybedford, @​lukastaegert)

v4.59.1

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])
• #6290: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6291: chore(deps): update dependency @​shikijs/vitepress-twoslash to v4 (@​renovate[bot])
• #6292: chore(deps): lock file maintenance (@​renovate[bot])
• #6297: chore(deps): update minor/patch updates (@​renovate[bot])
• #6298: chore(deps): lock file maintenance (@​renovate[bot])
• #6299: chore(deps): lock file maintenance (@​renovate[bot])
• #6300: docs: update packagephobia link (@​bluwy)
• #6301: chore(deps): update dependency lint-staged to ^16.3.3 (@​renovate[bot])
• #6306: fix: fix chunk assignment for deoptimized module with dynamic import (@​JoaoBrlt, @​lukastaegert)
• #6307: chore(deps): update minor/patch updates (@​renovate[bot])
• #6308: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6309: chore(deps): update dependency vite to v8 (@​renovate[bot])
• #6310: chore(deps): lock file maintenance (@​renovate[bot])
• #6311: chore(deps): lock file maintenance (@​renovate[bot])
• #6312: chore(deps): lock file maintenance (@​renovate[bot])

v4.59.0

4.59.0

2026-02-22

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.0

2026-03-22

Features

• Support source phase imports as long as they are external (#6279)

Pull Requests

• #6279: feat: external only Source Phase imports support (@​guybedford, @​lukastaegert)

4.59.1

2026-03-21

Bug Fixes

• Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)

Pull Requests

• #6281: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6282: chore(deps): update github artifact actions (major) (@​renovate[bot], @​lukastaegert)
• #6283: chore(deps): update dependency nyc to v18 (@​renovate[bot], @​lukastaegert)
• #6284: fix(deps): update swc monorepo (major) (@​renovate[bot])
• #6285: chore(deps): lock file maintenance (@​renovate[bot])
• #6290: chore(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6291: chore(deps): update dependency @​shikijs/vitepress-twoslash to v4 (@​renovate[bot])
• #6292: chore(deps): lock file maintenance (@​renovate[bot])
• #6297: chore(deps): update minor/patch updates (@​renovate[bot])
• #6298: chore(deps): lock file maintenance (@​renovate[bot])
• #6299: chore(deps): lock file maintenance (@​renovate[bot])
• #6300: docs: update packagephobia link (@​bluwy)
• #6301: chore(deps): update dependency lint-staged to ^16.3.3 (@​renovate[bot])
• #6306: fix: fix chunk assignment for deoptimized module with dynamic import (@​JoaoBrlt, @​lukastaegert)
• #6307: chore(deps): update minor/patch updates (@​renovate[bot])
• #6308: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6309: chore(deps): update dependency vite to v8 (@​renovate[bot])
• #6310: chore(deps): lock file maintenance (@​renovate[bot])
• #6311: chore(deps): lock file maintenance (@​renovate[bot])
• #6312: chore(deps): lock file maintenance (@​renovate[bot])

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

... (truncated)

Commits

• 6ecd69f 4.60.0
• 6b725b9 feat: external only Source Phase imports support (#6279)
• 0cba9e0 4.59.1
• 4eeea29 Pin Vite
• 1cd49ae fix: fix chunk assignment for deoptimized module with dynamic import (#6306)
• c9dabc3 Downgrade Vite
• d46200f chore(deps): update dependency vite to v8 (#6309)
• aa6c853 chore(deps): update dependency lru-cache to v11 (#6308)
• 4208811 chore(deps): lock file maintenance (#6312)
• 5348a82 chore(deps): lock file maintenance (#6311)
• Additional commits viewable in compare view

Updates serialize-javascript from 6.0.2 to 7.0.5

Release notes

Sourced from serialize-javascript's releases.

v7.0.5

Fixes

• Improve robustness and validation for array-like object serialization.
• Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

What's Changed

• release: v7.0.4 by @​okuryu in yahoo/serialize-javascript#211

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

• fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207) 2e609d0
• build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206) 42b7cdb

---

yahoo/serialize-javascript@v7.0.2...v7.0.3

v7.0.2

What's Changed

• ci: bump GitHub Actions to latest versions by @​okuryu in yahoo/serialize-javascript#203
• ci: setup trusted publishing workflow by @​okuryu in yahoo/serialize-javascript#204
• release: v7.0.2 by @​okuryu in yahoo/serialize-javascript#205

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

What's Changed

• Add warning about using this package to send arbitrary data to worker threads by @​valadaptive in yahoo/serialize-javascript#200
• security: sanitize function bodies by @​redonkulus in yahoo/serialize-javascript#199
• docs: tweak README by @​okuryu in yahoo/serialize-javascript#201
• release: v7.0.1 by @​okuryu in yahoo/serialize-javascript#202

New Contributors

• @​redonkulus made their first contribution in yahoo/serialize-javascript#199

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0

Breaking Changes

• requires Node.js v20+

What's Changed

• Bump mocha from 10.2.0 to 10.4.0 by @​dependabot[bot] in yahoo/serialize-javascript#178

... (truncated)

Commits

• df3f1c1 release: v7.0.5
• f147e90 Merge commit from fork
• eec32e0 release: v7.0.4
• d505715 7.0.3
• 2e609d0 fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207)
• 42b7cdb build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206)
• 44f544b release: v7.0.2 (#205)
• bba0ddd ci: setup trusted publishing workflow (#204)
• 235f6ea ci: bump GitHub Actions to latest versions (#203)
• f7fff15 release: v7.0.1 (#202)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serialize-javascript since your current version.

Updates seroval from 1.4.0 to 1.5.1

Commits

• See full diff in compare view

Updates simple-git from 3.30.0 to 3.33.0

Release notes

Sourced from simple-git's releases.

simple-git@3.33.0

Minor Changes

• a263635: Use pathspec wrappers for remote and local paths when running either git.clone or git.mirror to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.

Patch Changes

• e253a0d: Enhanced git -c checks in unsafe plugin.

  Thanks to @​JohannesLks for identifying the issue

simple-git@3.32.3

Patch Changes

• f704208: Enhanced protocol.allow checks in allowUnsafeExtProtocol handling.

  Thanks to @​CodeAnt-AI-Security for identifying the issue

simple-git@3.32.2

Patch Changes

• 8d02097: Enhanced clone unsafe switch detection.

simple-git@3.32.1

Patch Changes

• 23b070f: Fix regex for detecting unsafe clone options

  Thanks to @​stevenwdv for reporting this issue.

simple-git@3.32.0

Minor Changes

• 1effd8e: Enhances the unsafe plugin to block additional cases where the -u switch may be disguised along with other single character options.

  Thanks to @​JuHwiSang for identifying this as vulnerability.

Patch Changes

• d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.

simple-git@3.31.1

Patch Changes

• a44184f: Resolve NPM publish steps

Changelog

Sourced from simple-git's changelog.

3.33.0

Minor Changes

• a263635: Use pathspec wrappers for remote and local paths when running either git.clone or git.mirror to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.

Patch Changes

• e253a0d: Enhanced git -c checks in unsafe plugin.

  Thanks to @​JohannesLks for identifying the issue

3.32.3

Patch Changes

• f704208: Enhanced protocol.allow checks in allowUnsafeExtProtocol handling.

  Thanks to @​CodeAnt-AI-Security for identifying the issue

3.32.2

Patch Changes

• 8d02097: Enhanced clone unsafe switch detection.

3.32.1

Patch Changes

• 23b070f: Fix regex for detecting unsafe clone options

  Thanks to @​stevenwdv for reporting this issue.

3.32.0

Minor Changes

• 1effd8e: Enhances the unsafe plugin to block additional cases where the -u switch may be disguised along with other single character options.

  Thanks to @​JuHwiSang for identifying this as vulnerability.

Patch Changes

• d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.

3.31.1

... (truncated)

Commits

• 8bbbabc Version Packages
• a263635 Clone API use pathspec (#1132)
• e253a0d Fix/block unsafe 2603 (#1135)
• a1170e5 Version Packages
• f704208 In extension to CVE-2022-25912, switch to case-insensitive check for `protoco...
• 4bb2081 Version Packages
• 7ae7537 Match tokens to word boundary
• c47ad10 Lint
• 8d02097 Enhanced clone switch detection
• f6909a5 Remove test timeout override
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for simple-git since your current version.

Updates smol-toml from 1.5.2 to 1.6.1

Release notes

Sourced from smol-toml's releases.

v1.6.1

This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recustion and cause a stack overflow error with a document that contains thousands of sucessive commented lines. Security advisory: GHSA-v3rj-xjv7-4jmq

v1.6.0

As of this version, smol-toml now supports the newly released TOML 1.1.0 specification!

Highlights

Multiline inline tables

TOML 1.1.0 now allows inline tables to have newlines, as well as trailing commas.

database = {
  driver = "postgresql",
  server = {
    host = "127.0.0.1",
    port = 3307,
  },
}

Omitting seconds in datetime and time

TOML 1.1.0 renders the seconds component of time elements optional.

datetime-tz = 1979-05-27 07:32Z
datetime = 2001-09-21 10:17
time = 13:37

New string escapes

Strings now support 2 additional escape sequences:

• \xHH for code points between 0 and 255
• \e for the escape character (U+001B)

What's Changed

• feat: toml 1.1 support by @​cyyynthia in squirrelchat/smol-toml#49

Full Changelog: squirrelchat/smol-toml@v1.5.2...v1.6.0

Commits

• 072b64f chore: version bump
• 19a5dc7 chore: upgrade dependencies and actions
• f286f87 fix: don't use recursion in skipVoid
• 399c545 chore: version bump
• 06521ca Merge pull request #49 from squirrelchat/toml-110
• f3a68a7 fix: properly test \e escape
• 9743a86 fix: properly run toml-test v2
• 1ec5303 docs: toml 1.1.0 in the readme
• 8bc0e2b chore: upgrade dependencies, actions
• 24618db feat: allow omitting seconds in datetime and time values
• Additional commits viewable in compare view

Updates svgo from 4.0.0 to 4.0.1

Release notes

Sourced from svgo's releases.

v4.0.1

What's Changed

Dependencies

• Sets minimum version of sax (XML parser) to v1.5.0, which improves built-in guards against entity expansion.

Bug Fixes

• removeEmptyContainers, removed leftover <use> elements referencing an empty container that were removed. By @​johnkenny54 in svg/svgo#2051
• removeUnknownsAndDefaults, don't remove attributes if they're referenced in attribute selectors (CSS). By @​SethFalco in svg/svgo#2144

Performance

• convertPathData, refactor to reduce redundant equality checks. By @​Lorfdail in svg/svgo#1764 and svg/svgo#2135
• removeHiddenElems, compute styles lazily. By @​Lorfdail in svg/svgo#1764 and svg/svgo#2135

Other Changes

• Plugins no longer include if they are enabled or disabled by default, as this was written inconsistently. The --show-plugins argument appends the presets a plugin is in to the end of the line. By @​viralcodex in svg/svgo#2174
• Plugin/preset types to enforce the name start with preset- if it is a preset (collection of plugins). By @​SethFalco in svg/svgo#2178

Metrics

Before and after of the browser bundle of each respective version:

	v4.0.0	v4.0.1	Delta
svgo.browser.js	780.2 kB	781.5 kB	⬆️ 1.3 kB

Commits

• e691f5f Merge commit from fork
• b1d9f1a chore(deps): bump actions/upload-artifact from 6 to 7 (#2202)
• d724af1 chore(deps): bump actions/checkout from 5 to 6 (#2195)
• 4114b32 chore(deps): bump actions/upload-artifact from 4 to 6 (#2196)
• c06d8f6 chore: upgrade js-yaml and glob (#2191)
• 26e86e5 fix: remove unused <use> elements when deleting empty symbols (#2051)
• 50c326b perf: optimiztions to reduce regression test runtime (#2135)
• 1f33cbe ci: separate regression tests and write delta report (#2190)
• 79a2167 ci: save test reports to artifacts (#2189)
• 0ae52a0 chore(deps): bump actions/setup-node from 5 to 6 (#2187)
• Additional commits viewable in compare view

Updates tar from 7.5.2 to 7.5.13

Commits

• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• 35a1ffe doc: more clarity in security warning
• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates unhead from 2.0.19 to 2.1.12

Release notes

Sourced from unhead's releases.

v2.1.12

   🐞 Bug Fixes

• Harden prototype pollution  -  by @​harlan-zw (a6ed9)
• Case insensitive attr dedupe  -  by @​harlan-zw (3146b)

    View changes on GitHub

v2.1.11

    ⚠️ Security

• Fixed XSS bypass in useHeadSafe via attribute name injection (GHSA-g5xx-pwrp-g3fv). Users handling untrusted input with useHeadSafe should upgrade immediately.

   🐞 Bug Fixes

• addons,schema-org: Permissive peer dependencies  -  by @​harlan-zw (4c5d1)

    View changes on GitHub

v2.1.10

   🐞 Bug Fixes

• solid-js: Correct peerDependency version  -  by @​tyeporter in unjs/unhead#671 (64e17)

    View changes on GitHub

v2.1.9

   🐞 Bug Fixes

• schema-org: Nuxt test utils compat bug  -  by @​harlan-zw (ef838)

    View changes on GitHub

v2.1.8

   🐞 Bug Fixes

• schema-org: Avoid crashing from 3+ duplicate nodes  -  by @​harlan-zw (4baf9)

    View changes on GitHub

v2.1.7

   🐞 Bug Fixes

• unhead:
  • deduplicate matching tags inside same render cycle  -  by @​harlan-zw in unjs/unhead#668 (5c0b2)

    View changes on GitHub

v2.1.6

   🐞 Bug Fixes

... (truncated)

Commits

• 20a19e0 chore: release v2.1.12
• 3146b90 fix: case insensitive attr dedupe
• a6ed9f9 fix: harden prototype pollution
• 59ef1e2 chore: release v2.1.11
• 9ecc4f9 Merge commit from fork
• e454562 chore: release v2.1.10
• 9322daf chore: sync
• d2035a4 chore: release v2.1.9
• ffb3895 chore: release v2.1.8
• 30f0b5c chore: release v2.1.7
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}