Bump locutus from 2.0.16 to 3.0.0

[dependabot]

Bumps locutus from 2.0.16 to 3.0.0.

Release notes

Sourced from locutus's releases.

v3.0.0

Breaking Changes

• Full source migration to TypeScript with named exports across modules.
• Node engine bumped to >= 22.
• Public deep-import usage now targets named exports (import { fn } from 'locutus/.../fn').

Build and Packaging

• Package now publishes dual runtime outputs:
  • CommonJS-compatible deep require(...) paths.
  • ESM output for modern import.
• Repo/tooling switched to native ESM operation (\"type\": \"module\"), with TypeScript-based scripts.

Type Safety and CI

• Added strict type quality gates in CI:
  • API signature snapshot checks.
  • Type contract snapshot checks.
  • Type debt policy checks (@ts-ignore / @ts-nocheck / unsafe patterns blocked).
• Added automated signature comparison tooling against DefinitelyTyped for triage (compare:dt:signatures).

Website and Docs

• Website function pages now include improved TS/JS code variants (module and standalone where applicable).
• Added release documentation and migration notes for TypeScript-first development.

Full changelog: https://github.com/locutusjs/locutus/blob/main/CHANGELOG.md

v2.0.39

Security

• Fix prototype pollution bypass in parse_str where overriding String.prototype.includes could defeat the guard (GHSA-rxrv-835q-v5mh)

Full changelog: https://github.com/locutusjs/locutus/blob/main/CHANGELOG.md

v2.0.38

Infrastructure

• Restore published Node engine range to >= 10 for 2.x releases (engine bumps now treated as major changes)
• Add CI guardrail to block raising engines.node without a major version bump

Full changelog: https://github.com/locutusjs/locutus/blob/main/CHANGELOG.md

v2.0.37

New Functions (32 across 7 languages)

• R: toupper, tolower, nchar, sqrt, round, max, min (7)
• Lua: string.len, string.rep, string.reverse, math.sqrt, math.sin, math.cos, math.max, math.min (8)
• AWK: cos, exp, log, sin, sqrt (5)
• Elixir: String.downcase, String.upcase, String.length, String.reverse (4)
• Clojure: string/lower-case, string/upper-case, string/reverse, string/trim, string/blank? (5)
• Julia: lowercase, uppercase (2)
• Perl: reverse (1)

Infrastructure

• Moved rosetta.yml from src/_data/ to src/ for cleaner structure

... (truncated)

Changelog

Sourced from locutus's changelog.

v3.0.0

Released: 2026-03-03. Diff.

Breaking Changes

• Full source migration to TypeScript with named exports across modules.
• Source modules migrated from CommonJS export patterns to ESM module syntax.
• Node engine bumped to >= 22.
• Public deep-import usage now targets named exports (import { fn } from 'locutus/.../fn').

Build and Packaging

• Package now publishes dual runtime outputs:
  • CommonJS-compatible deep require(...) paths.
  • ESM output for modern import.
• Repo/tooling switched to native ESM operation ("type": "module"), with TypeScript-based scripts.

Type Safety and CI

• Added strict type quality gates in CI:
  • API signature snapshot checks.
  • Type contract snapshot checks.
  • Type debt policy checks (@ts-ignore / @ts-nocheck / unsafe patterns blocked).
• Added automated signature comparison tooling against DefinitelyTyped for triage (compare:dt:signatures).

Website and Docs

• Website function pages now include improved TS/JS code variants (module and standalone where applicable).
• Added release documentation and migration notes for TypeScript-first development.

v2.0.39

Released: 2026-02-02. Diff.

Security

• Fix prototype pollution bypass in parse_str where overriding String.prototype.includes could defeat the guard (GHSA-rxrv-835q-v5mh)

v2.0.38

Released: 2026-01-19. Diff.

Infrastructure

• Restore published Node engine range to >= 10 for 2.x releases (engine bumps now treated as major changes)
• Add CI guardrail to block raising engines.node without a major version bump

v2.0.37

Released: 2026-01-08. Diff.

... (truncated)

Commits

• e583ac4 docs(release): finalize v3.0.0 changelog and drop stale changeset
• 59e0221 Release v3.0.0
• 977a1fb feat: Complete TypeScript migration of all source files (#535)
• fb90ed0 Release v2.0.39
• 2dbbc60 Prepare v2.0.39 changelog
• 042af9c fix: Harden parse_str prototype pollution guard against includes() bypass (#533)
• 57ea89d Release v2.0.38
• 2777dd6 Prepare v2.0.38 changelog
• 4589efd Restore node engine range and guardrail engine bumps
• 8cf68fd feat: Improve PHP parity tests and verify 6 more functions (#528)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for locutus since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.