chore(deps): bump the npm_and_yarn group across 2 directories with 14 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: ajv, vega, vite and express.
Bumps the npm_and_yarn group with 1 update in the /tests/e2e directory: express.

Updates ajv from 8.17.1 to 8.18.0

Release notes

Sourced from ajv's releases.

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• f06766f feat: allow tree-shaking by adding ``"sideEffects": falsetopackage.json` ...
• See full diff in compare view

Updates vega from 5.30.0 to 5.32.0

Release notes

Sourced from vega's releases.

v5.32.0

Changes since v5.31.0

vega-expression

• Add base64 string encoder/decoder to vega-expression and vega-interpreter (via #4009). (Thanks @​hydrosquall!)

vega-typings

• Add Typescript Types for vega-loader (via #4000). (Thanks @​hydrosquall!)

docs

• Correct data year citation in dorling-cartogram example (via #4006). (Thanks @​dsmedia!)
• Update typo in vega.timeFloor description (via #4010). (Thanks @​hydrosquall!)
• Add Security Advisory Policy for Vega (via #4008). (Thanks @​hydrosquall!)
• Replace redirect url in expressions.md (via #3996). (Thanks @​dangotbanned!)
• correct queries to query in crossfilter.md (via #4005). (Thanks @​danmarshall!)

v5.31.0

changes since v5.30.0

vega-utils

• use Object.hasOwn instead of Object.prototype.hasOwnProperty (via #3951). (Thanks @​domoritz!)

vega-parser

• Add discrete legend type (via #3957). (Thanks @​hydrosquall!)

vega-functions

• Add sort function to vega-functions (and vega-interpreter) (via #3973). (Thanks @​hydrosquall!)

vega-selections

• Add field predicate types to selectionTest (via #3675). (Thanks @​jonathanzong!)

monorepo

• Replace flights-5k.json external reference (via #3999). (Thanks @​dwootton!)

docs

• Update packed bubble example (via #3955). (Thanks @​PBI-David!)
• Correct typo in production rules documentation (via #3958). (Thanks @​shanebruggeman!)
• Update README.md to fix broken link to current roadmap (via #3979). (Thanks @​cahogan & @​joelostblom!)

Commits

• c46889d chore: update vega-cli to v5.32.0 (#4015)
• 2fe2e63 chore: v5.32.0 (#4014)
• 81ed011 chore: remove extra space in test name
• 6026887 fix: correct data year citation in dorling-cartogram example (#4006)
• a3af49e feat: Add base64 string encoder/decoder to vega-expression and `vega-interp...
• cd88cc8 fix(docs): Update typo in vega.timeFloor description (#4010)
• 694560c Merge commit from fork
• 560aeec docs: Add Security Advisory Policy for vega (#4008)
• 0b6a114 feat(vega-typings): add Typescript Types for vega-loader (#4000)
• b83b8e5 docs: Replace redirect url in expressions.md (#3996)
• Additional commits viewable in compare view

Updates vite from 5.2.8 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

... (truncated)

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates express from 4.19.2 to 4.22.0

Release notes

Sourced from express's releases.

4.22.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• Refactor: improve readability by @​sazk07 in expressjs/express#6190
• ci: add support for Node.js@23.0 by @​UlisesGascon in expressjs/express#6080
• Method functions with no path should error by @​wesleytodd in expressjs/express#5957
• ci: updated github actions ci workflow by @​Phillip9587 in expressjs/express#6323
• ci: reorder npm i steps to fix ci for older node versions by @​Phillip9587 in expressjs/express#6336
• Backport: ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6506
• chore(4.x): wider range for query test skip by @​jonchurch in expressjs/express#6513
• use tilde notation for certain dependencies by @​UlisesGascon in expressjs/express#6905
• deps: qs@6.14.0 by @​UlisesGascon in expressjs/express#6909
• deps: use tilde notation for qs by @​Phillip9587 in expressjs/express#6919
• Release: 4.22.0 by @​UlisesGascon in expressjs/express#6921

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: path-to-regexp@0.1.11 by @​blakeembrey in expressjs/express#5956
• deps: bump path-to-regexp@0.1.12 by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• finalhandler@1.3.1 by @​wesleytodd in expressjs/express#5954
• fix(deps): serve-static@1.16.2 by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

... (truncated)

Changelog

Sourced from express's changelog.

4.22.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: use tilde notation for dependencies
• deps: qs@6.14.0

4.21.2 / 2024-11-06

• deps: path-to-regexp@0.1.12
  • Fix backtracking protection
• deps: path-to-regexp@0.1.11
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: serve-static@1.16.2
  • includes send@0.19.0
• deps: finalhandler@1.3.1
• deps: qs@6.13.0

4.20.0 / 2024-09-10

• deps: serve-static@0.16.0
  • Remove link renderization in html while redirecting
• deps: send@0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

Commits

• 49744ab 4.22.0 (#6921)
• 6e97452 sec: security patch for CVE-2024-51999
• 6a23d34 deps: use tilde notation for qs (#6919)
• 8c12cdf deps: qs@6.14.0 (#6909)
• 7fea74f deps: use tilde notation for certain dependencies (#6905)
• dac7a04 chore: wider range for query test skip (#6513)
• 997919b ci: add node.js 24 to test matrix (#6506)
• 36fb59c fix(ci): reorder npm i steps to fix ci for older node versions (#6336)
• 3a5edfa fix(ci): updated github actions ci workflow (#6323)
• 52d9781 fix(test): add test for method routes without paths #5955
• Additional commits viewable in compare view

Updates body-parser from 1.20.2 to 1.20.4

Release notes

Sourced from body-parser's releases.

1.20.4

What's Changed

• Remove redundant depth check by @​blakeembrey in expressjs/body-parser#538
• ci: add support for Node.js v23 by @​Phillip9587 in expressjs/body-parser#553
• ci: restore CI for 1.x branch by @​bjohansebas in expressjs/body-parser#665
• deps: qs@^6.14.0 by @​bjohansebas in expressjs/body-parser#664
• deps: use tilde notation and update certain dependencies by @​Phillip9587 in expressjs/body-parser#668
• chore: remove SECURITY.md by @​Phillip9587 in expressjs/body-parser#669
• ci: add CodeQL (SAST) by @​Phillip9587 in expressjs/body-parser#670
• Release: 1.20.4 by @​UlisesGascon in expressjs/body-parser#672

Full Changelog: expressjs/body-parser@1.20.3...1.20.4

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.4 / 2025-12-01

• deps: qs@~6.14.0
• deps: use tilde notation for dependencies
• deps: http-errors@~2.0.1
• deps: raw-body@~2.5.3

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

• 7db202c 1.20.4 (#672)
• d8f8adb ci: add CodeQL (SAST) (#670)
• 6d133c1 chore: remove SECURITY.md (#669)
• fcd1535 deps: use tilde notation and update certain dependencies (#668)
• ec5fa29 deps: qs@~6.14.0 (#664)
• ffb95c1 ci: restore CI for 1.x branch (#665)
• 48a5f07 ci: add support for Node.js v23 (#553)
• f20f6ad Remove redundant depth check (#538)
• 1752951 1.20.3
• 39744cf chore: linter (#534)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates cookie from 0.6.0 to 0.7.2

Release notes

Sourced from cookie's releases.

v0.7.2

Fixed

• Fix object assignment of hasOwnProperty (#177) bc38ffd

jshttp/cookie@v0.7.1...v0.7.2

0.7.1

Fixed

• Allow leading dot for domain (#174)
  • Although not permitted in the spec, some users expect this to work and user agents ignore the leading dot according to spec
• Add fast path for serialize without options, use obj.hasOwnProperty when parsing (#172)

jshttp/cookie@v0.7.0...v0.7.1

0.7.0

• perf: parse cookies ~10% faster (#144 by @​kurtextrem and #170)
• fix: narrow the validation of cookies to match RFC6265 (#167 by @​bewinsnw)
• fix: add main to package.json for rspack (#166 by @​proudparrot2)

jshttp/cookie@v0.6.0...v0.7.0

Commits

• d19eaa1 0.7.2
• bc38ffd Fix object assignment of hasOwnProperty (#177)
• cf4658f 0.7.1
• 6a8b8f5 Allow leading dot for domain (#174)
• 58015c0 Remove more code and perf wins (#172)
• ab057d6 0.7.0
• 5f02ca8 Migrate history to GitHub releases
• a5d591c Migrate history to GitHub releases
• 51968f9 Skip isNaN
• 9e7ca51 perf(parse): cache length, return early (#144)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by blakeembrey, a new releaser for cookie since your current version.

Updates esbuild from 0.20.2 to 0.21.5

Release notes

Sourced from esbuild's releases.

v0.21.5

• Fix Symbol.metadata on classes without a class decorator (#3781)

  This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

• Allow unknown import attributes to be used with the copy loader (#3792)

  Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

  // This is an error with "--bundle" without also using "--external:./bagel.js"
  import tasty from "./bagel.js" with { type: "bagel" }

  Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

  However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

  // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
  import tasty from "./tasty.bagel" with { type: "bagel" }

• Support import attributes with glob-style imports (#3797)

  This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

  async function loadLocale(locale: string): Locale {
    const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
    return unpackLocale(locale, data)
  }

  Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

  ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data
  example.ts:2:28:
    2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
      ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

  In addition, this change means plugins can now access the contents of with for glob-style imports.

• Support ${configDir} in tsconfig.json files (#3782)

  This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.21.5

• Fix Symbol.metadata on classes without a class decorator (#3781)

  This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

• Allow unknown import attributes to be used with the copy loader (#3792)

  Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

  // This is an error with "--bundle" without also using "--external:./bagel.js"
  import tasty from "./bagel.js" with { type: "bagel" }

  Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

  However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

  // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
  import tasty from "./tasty.bagel" with { type: "bagel" }

• Support import attributes with glob-style imports (#3797)

  This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

  async function loadLocale(locale: string): Locale {
    const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
    return unpackLocale(locale, data)
  }

  Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

  ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data
  example.ts:2:28:
    2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
      ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  

  In addition, this change means plugins can now access the contents of with for glob-style imports.

• Support ${configDir} in tsconfig.json files (#3782)

  This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

... (truncated)

Commits

• fc37c2f publish 0.21.5 to npm
• cb11924 fix Symbol.metadata errors in decorator tests
• b93a2a9 fix #3781: add metadata to all decorated classes
• 953dae9 fix #3797: import attributes and glob-style import
• 98cb2ed fix #3782: support ${configDir} in tsconfig.json
• 8e6603b run make update-compat-table
• db1b8ca fix #3792: import attributes and the copy loader
• de572d0 fix non-deterministic import attribute plugin test
• ae8d1b4 fix #3794: --supported:object-accessors=false
• 67cbf87 publish 0.21.4 to npm
• Additional commits viewable in compare view

Updates path-to-regexp from 0.1.7 to 0.1.12

Release notes

Sourced from path-to-regexp's releases.

Fix backtracking (again)

Fixed

• Improved backtracking protection for 0.1.x, will break some previously valid paths (see previous advisory: GHSA-9wv6-86v2-598j)

pillarjs/path-to-regexp@v0.1.11...v0.1.12

Error on bad input

Changed

• Add error on bad input values 8f09549

pillarjs/path-to-regexp@v0.1.10...v0.1.11

Backtrack protection

Fixed

• Add backtrack protection to parameters 29b96b4
  • This will break some edge cases but should improve performance

pillarjs/path-to-regexp@v0.1.9...v0.1.10

Support non-lookahead regex output

Added

• Allow a non-lookahead regex (#312) c4272e4

component/path-to-regexp@v0.1.8...v0.1.9

Support named matching groups in RegExp

Added

• Add support for named matching groups (#301) 114f62d

pillarjs/path-to-regexp@v0.1.7...v0.1.8

Commits

• 640e694 0.1.12
• f01c26a Merge commit from fork
• 0c71192 0.1.11
• 8f09549 Add error on bad input values
• c827fce 0.1.10
• 29b96b4 Add backtrack protection to parameters
• ac4c234 Update repo url (#314)
• bdb6635 0.1.9
• c4272e4 Allow a non-lookahead regex (#312)
• 51a1955 0.1.8
• Additional commits viewable in compare view

Updates qs from 6.11.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates rollup from 4.14.0 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59...

Description has been truncated

[pullrequest]

⚠️ This pull request was not sent to the PullRequest network because the author name contains "dependabot".

[dependabot]

Superseded by #1281.