chore(deps): bump the npm_and_yarn group across 4 directories with 20 updates

[dependabot]

Bumps the npm_and_yarn group with 20 updates in the / directory:

Package	From	To
dompurify	3.3.1	3.4.0
lodash	4.17.23	4.18.1
next	14.2.35	15.5.15
nodemailer	7.0.12	8.0.5
@nestjs/core	10.4.20	11.1.18
axios	1.15.0	1.15.2
kysely	0.28.2	0.28.14
vite	6.4.1	6.4.2
@hono/node-server	1.19.9	1.19.14
@xmldom/xmldom	0.8.11	0.8.13
defu	6.1.4	6.1.7
express-rate-limit	8.2.1	8.5.1
flatted	3.3.3	3.4.2
follow-redirects	1.15.11	1.16.0
hono	4.11.7	4.12.18
i18next-fs-backend	2.6.0	2.6.5
picomatch	2.3.1	2.3.2
protobufjs	7.4.0	7.5.6
socket.io-parser	4.2.4	4.2.6
yaml	1.10.2	1.10.3

Bumps the npm_and_yarn group with 3 updates in the /apps/api/v2 directory: lodash, @nestjs/core and axios.
Bumps the npm_and_yarn group with 4 updates in the /apps/web directory: dompurify, lodash, next and nodemailer.
Bumps the npm_and_yarn group with 2 updates in the /packages/platform/atoms directory: dompurify and vite.

Updates dompurify from 3.3.1 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates next from 14.2.35 to 15.5.15

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

Commits

• 412eb90 v15.5.15
• cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
• fffef9e Fix CI for glibc linux builds
• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• Additional commits viewable in compare view

Updates nodemailer from 7.0.12 to 8.0.5

Release notes

Sourced from nodemailer's releases.

v8.0.5

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

v8.0.4

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

v8.0.3

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

v8.0.2

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

v8.0.1

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

v8.0.0

8.0.0 (2026-02-04)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

8.0.5 (2026-04-07)

Bug Fixes

• decode SMTP server responses as UTF-8 at line boundary (95876b1)
• sanitize CRLF in transport name option to prevent SMTP command injection (GHSA-vvjj-xcjg-gr5g) (0a43876)

8.0.4 (2026-03-25)

Bug Fixes

• sanitize envelope size to prevent SMTP command injection (2d7b971)

8.0.3 (2026-03-18)

Bug Fixes

• clean up addressparser and fix group name fallback producing undefined (9d55877)
• fix cookie bugs, remove dead code, and improve hot-path efficiency (e8c8b92)
• refactor smtp-connection for clarity and add Node.js 6 syntax compat test (c5b48ea)
• remove familySupportCache that broke DNS resolution tests (c803d90)

8.0.2 (2026-03-09)

Bug Fixes

• merge fragmented display names with unquoted commas in addressparser (fe27f7f)

8.0.1 (2026-02-07)

Bug Fixes

• absorb TLS errors during socket teardown (7f8dde4)
• absorb TLS errors during socket teardown (381f628)
• Add Gmail Workspace service configuration (#1787) (dc97ede)

8.0.0 (2026-02-04)

⚠ BREAKING CHANGES

• Error code 'NoAuth' renamed to 'ENOAUTH'

Bug Fixes

... (truncated)

Commits

• 202cfb3 chore(master): release 8.0.5 (#1809)
• b634abf docs: add CLAUDE.md with project conventions and release process
• 95876b1 fix: decode SMTP server responses as UTF-8 at line boundary
• 0a43876 fix: sanitize CRLF in transport name option to prevent SMTP command injection...
• 08e59e6 chore: update dev dependencies
• 2d31975 chore(master): release 8.0.4 (#1806)
• 2d7b971 fix: sanitize envelope size to prevent SMTP command injection
• 4e702e9 chore(master): release 8.0.3 (#1804)
• c803d90 fix: remove familySupportCache that broke DNS resolution tests
• e8c8b92 fix: fix cookie bugs, remove dead code, and improve hot-path efficiency
• Additional commits viewable in compare view

Updates @nestjs/core from 10.4.20 to 11.1.18

Release notes

Sourced from @​nestjs/core's releases.

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

Dependencies

• common
  • #16567 fix(deps): update dependency file-type to v21.3.2 (@​renovate[bot])
• platform-fastify
  • #16533 fix(deps): update dependency fastify to v5.8.2 (@​renovate[bot])

Committers: 3

• Rohan Santhosh Kumar (@​Rohan5commit)
• Vasil Chomakov (@​vchomakov)
• Kamil Mysliwiec (@​kamilmysliwiec)

... (truncated)

Commits

• 3c1cc5f chore(release): publish v11.1.18 release
• 0f962c7 fix(core): sanitize sse message
• 94aa424 Merge pull request #16679 from nestjs/renovate/path-to-regexp-8.x
• 368691c fix(core): prevent injector hang when design:paramtypes is missing
• 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
• 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
• f7d4460 Merge pull request #16637 from JakobStaudinger/moduleref-create-transient-sco...
• d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
• 4677434 feat(core): export IEntryNestModule type
• 7493b94 fix(core): dependency injection edge case with moduleref.create
• Additional commits viewable in compare view

Updates axios from 1.15.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Updates kysely from 0.28.2 to 0.28.14

Release notes

Sourced from kysely's releases.

0.28.14

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

🚀 Features

🐞 Bugfixes

MySQL 🐬

• fix: string literals are injectable on MySQL when backslash escapes (\\') are used. by @​igalklebanov in kysely-org/kysely#1754 & kysely-org/kysely@054e801

📖 Documentation

• Add Node SQLite link to dialects documentation by @​wolfie in kysely-org/kysely#1709 & kysely-org/kysely#1755
• docs: document immediate value behavior in case() then/else by @​alexchenai in kysely-org/kysely#1753

📦 CICD & Tooling

• bump deno kysely dependency. by @​igalklebanov in kysely-org/kysely@9e02f3b

⚠️ Breaking Changes

🐤 New Contributors

• @​wolfie made their first contribution in kysely-org/kysely#1709
• @​alexchenai made their first contribution in kysely-org/kysely#1753

Full Changelog: kysely-org/kysely@v0.28.13...v0.28.14

0.28.13

Hey 👋

A small batch of bug fixes. Please report any issues. 🤞😰🤞

🚀 Features

🐞 Bugfixes

• fix: missing sideEffects: false in root package.json resulting in bigger bundles in various bundlers. by @​igalklebanov in kysely-org/kysely#1746
• fix: Insertable allows non-objects when a table has no required columns. by @​igalklebanov in kysely-org/kysely#1747

PostgreSQL 🐘

• fix: ON COMMIT clause not being output when using .as(query) in CREATE TABLE queries. by @​igalklebanov in kysely-org/kysely#1748

📖 Documentation

📦 CICD & Tooling

... (truncated)

Commits

• 91cf373 0.28.14
• 9e02f3b bump deno kysely dependency.
• 6ef6f63 docs: document immediate value behavior in case() then/else (#1753)
• 2fb071b Remove unnecessary ")" in Node SQLite link (#1755)
• 29032ea Add Node SQLite link to dialects documentation (#1709)
• 054e801 test: add sql.lit(string) test case following #1754.
• e63ceb9 fix: string literals are injectable on MySQL when backslash escapes (\\') a...
• b15c041 0.28.13
• 6a3c898 chore: bump GitHub actions. (#1751)
• 88e6cca chore: bump dependencies. (#1750)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for kysely since your current version.

Updates vite from 6.4.1 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.9 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining ...

  Description has been truncated