Sourced from @​changesets/cli's releases.

@​changesets/cli@​2.27.11

Patch Changes

• Updated dependencies [f0270f6]:
  • @​changesets/config@​3.0.5
  • @​changesets/apply-release-plan@​7.0.7
  • @​changesets/get-release-plan@​4.0.6

• ac2fd12 Version Packages (#1532)
• f0270f6 relax parameters for read() (#1517)
• f03f70b Bump @​typescript-eslint/parser from 5.43.0 to 5.62.0 (#1527)
• 5412908 Bump jest-watch-typeahead from 2.2.1 to 2.2.2 (#1529)
• 828a238 Bump enquirer from 2.3.2 to 2.4.1 (#1530)
• 5c1617f Bump @​types/lodash from 4.14.144 to 4.17.13 (#1520)
• 22eff6f Bump extendable-error from 0.1.5 to 0.1.7 (#1522)
• 7a53030 Bump eslint-config-standard from 17.0.0 to 17.1.0 (#1521)
• 921a852 Bump @​babel/preset-typescript from 7.18.6 to 7.26.0 (#1523)
• ff59515 Add Dependabot config file (#1219)
• See full diff in compare view

Sourced from @​rspack/cli's releases.

v1.1.8

Security Vulnerability Report

Overview

This is a re-release version of v1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact

• Affected versions: @rspack/core and @rspack/cli v1.1.7
• Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
• Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. See Malicious code analysis for more details.

Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens. Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
2. Check your system for any unusual activity

Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.

If you have any questions or discover any suspicious activity, please create an issue or send an email to: [email protected]

We will continue to follow and respond to community feedback.

v1.1.6

What's Changed

Highlights 💡

Reduced memory usage

Rspack's memory usage in large projects has been significantly reduced since v1.1.6:

Related PRs:

• perf: improve cached source data struct by @​SyMind in web-infra-dev/rspack#8602
• perf: reduce heap allocations for RuntimeModule by @​h-a-n-a in web-infra-dev/rspack#8620

... (truncated)

• 938829f chore: release 1.1.8
• f366a2d Release Packages:1.1.6
• 08ddcdd release:1.1.5 (#8599)
• See full diff in compare view

Sourced from @​rspack/core's releases.

v1.1.8

Security Vulnerability Report

Overview

This is a re-release version of v1.1.6

On 12/19/2024, 02:01 (UTC), we discovered that our npm packages @rspack/core and @rspack/cli were maliciously attacked. The attacker released v1.1.7 using a compromised npm token, which contained malicious code. We took immediate action upon discovering the issue.

Impact

• Affected versions: @rspack/core and @rspack/cli v1.1.7
• Duration: 12/19/2024, 02:01 (UTC), lasting approximately 1 hour
• Malicious code impact: After npm install, the postinstall script in package.json runs malicious code in dist/util/support.js. See Malicious code analysis for more details.

Actions Taken

Upon discovery, we immediately deprecated the affected v1.1.7, redirected the npm latest tag to v1.1.6, and reset all related tokens. Subsequently, we released a secure new version v1.1.8.

Recommended Actions

If you installed v1.1.7 during the affected period, please:

1. Update to the latest safe version immediately: @rspack/core and @rspack/cli to >= 1.1.8
2. Check your system for any unusual activity

Apology and Commitment

We deeply apologize for the risks caused by this incident. To prevent similar incidents from happening again, we will implement stricter token management protocols and enhance our security review processes.

If you have any questions or discover any suspicious activity, please create an issue or send an email to: [email protected]

We will continue to follow and respond to community feedback.

v1.1.6

What's Changed

Highlights 💡

Reduced memory usage

Rspack's memory usage in large projects has been significantly reduced since v1.1.6:

Related PRs:

• perf: improve cached source data struct by @​SyMind in web-infra-dev/rspack#8602
• perf: reduce heap allocations for RuntimeModule by @​h-a-n-a in web-infra-dev/rspack#8620

... (truncated)

• 938829f chore: release 1.1.8
• f366a2d Release Packages:1.1.6
• 9e1205c feat: add intermediate file system (#8631)
• 3836042 feat: support getResolve in external function context (#8577)
• 5c44bd7 feat(incremental): named module ids (#8593)
• ac7d0d0 feat: support output.trustedTypes.onPolicyCreationFailure (#8619)
• 89ddc85 test(snapshot): make snapshots cleaner and update path-serializer 0.3.4 (#8161)
• 044e8e3 feat: implement output.clean.keep: Option<string> (#8479)
• 08ddcdd release:1.1.5 (#8599)
• 6b0e319 fix: importModule should have err (#8590)
• See full diff in compare view

Sourced from esbuild's releases.

v0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

v0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },
  ))

... (truncated)

Sourced from esbuild's changelog.

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

  // The following code now transforms to "return true;\n"
  console.log(esbuild.transformSync(
    `return process.env['SOME-TEST-VAR']`,
    { define: { 'process.env["SOME-TEST-VAR"]': 'true' } },

... (truncated)

• 745abd9 publish 0.24.2 to npm
• 79fd0b0 skip nulls in source map finalization (#4011)
• 4b9322f source map: avoid null entry for 0-length parts
• 199a0d3 close #4013: credit to @​sapphi-red for the fix
• 947f99f fix #4010, fix #4012: import.meta regression
• de9598f publish 0.24.1 to npm
• 15d56ca emit null source mappings for empty chunk content
• 8d98f6f fix #3985: entryPoint metadata for copy loader
• 0db1b82 fix #3998: avoid outbase in identifier names
• 7236472 close #3974: add support for netbsd on arm64
• Additional commits viewable in compare view

Sourced from publint's releases.

[email protected]

Patch Changes

• (Potentially breaking) Disable running lifecycle scripts, such as prepare, prepack, and postpack, when running the pack command internally. This returns to the behavior in v0.2. (Note that this change does not apply to yarn as it does not support ignoring lifecycle scripts for local projects) (#128)

  This change is made as running lifecycle scripts was an unintentional behavior during the v0.3 breaking change, which could cause the linting process to take longer than expected, or even cause infinite loops if publint is used in a lifecycle script.

• Update repository and bugs URLs to point to the new publint organization (1eda033)

• Updated dependencies [1eda033, 10e3891]:

  • @​publint/pack@​0.1.1

[email protected]

Patch Changes

• Correctly process the pack option (#124)

[email protected]

Minor Changes

• The vfs option is removed in favour of an extended support of pack: { tarball: ArrayBuffer | ReadableStream } and pack: { files: PackFile[] } APIs. Now, it is even easier to use publint in the browser or against a packed .tgz file in Node.js. See the docs for more examples of how to use these new options. (#122)

• Bump node version support to >=18 (cb2ed8b)

• publint now runs your project's package manager's pack command to get the list of packed files for linting. The previous npm-packlist dependency is now removed. (#120)

  NOTE: In this release (v0.3.0), the pack command also runs lifecycle scripts like prepare, prepack, and postpack. This behavior is unintentional and is fixed in v0.3.2, where they will no longer run (except for yarn as it does not support ignoring lifecycle scripts for local projects). This returns to the behavior in v0.2.

  A new pack option is added to the node API to allow configuring this. It defaults to 'auto' and will automatically detect your project's package manager using package-manager-detector. See its JSDoc for more information of the option.

  This change is made as package managers have different behaviors for packing files, so running their pack command directly allows for more accurate linting. However, as a result of executing these commands in a child process, it may take 200-500ms longer to lint depending on the package manager used and the project size. The new handling also does not support yarn 1. See this comment for more information.

  If you use yarn 1, you should upgrade to the latest yarn version or a different package manager. Otherwise, no other changes are required for this new behavior.

Patch Changes

• Initial setup to publish with Changesets (24a62f5)

• When a dependency with the file: or link: protocol is specified in the package.json, it will now error to prevent accidentally publishing dependencies that will likely not work when installed by end-users (6e6ab33)

• Fix EXPORT_TYPES_INVALID_FORMAT linting to detect .d.mts and .d.cts files (af5e88b)

• Updated dependencies [d0b406b]:

  • @​publint/pack@​0.1.0

Sourced from publint's changelog.

0.3.2

Patch Changes

• (Potentially breaking) Disable running lifecycle scripts, such as prepare, prepack, and postpack, when running the pack command internally. This returns to the behavior in v0.2. (Note that this change does not apply to yarn as it does not support ignoring lifecycle scripts for local projects) (#128)

  This change is made as running lifecycle scripts was an unintentional behavior during the v0.3 breaking change, which could cause the linting process to take longer than expected, or even cause infinite loops if publint is used in a lifecycle script.

• Update repository and bugs URLs to point to the new publint organization (1eda033)

• Updated dependencies [1eda033, 10e3891]:

  • @​publint/pack@​0.1.1

0.3.1

Patch Changes

• Correctly process the pack option (#124)

0.3.0

Minor Changes

• The vfs option is removed in favour of an extended support of pack: { tarball: ArrayBuffer | ReadableStream } and pack: { files: PackFile[] } APIs. Now, it is even easier to use publint in the browser or against a packed .tgz file in Node.js. See the docs for more examples of how to use these new options. (#122)

• Bump node version support to >=18 (cb2ed8b)

• publint now runs your project's package manager's pack command to get the list of packed files for linting. The previous npm-packlist dependency is now removed. (#120)

  NOTE: In this release (v0.3.0), the pack command also runs lifecycle scripts like prepare, prepack, and postpack. This behavior is unintentional and is fixed in v0.3.2, where they will no longer run (except for yarn as it does not support ignoring lifecycle scripts for local projects). This returns to the behavior in v0.2.

  A new pack option is added to the node API to allow configuring this. It defaults to 'auto' and will automatically detect your project's package manager using package-manager-detector. See its JSDoc for more information of the option.

  This change is made as package managers have different behaviors for packing files, so running their pack command directly allows for more accurate linting. However, as a result of executing these commands in a child process, it may take 200-500ms longer to lint depending on the package manager used and the project size. The new handling also does not support yarn 1. See this comment for more information.

  If you use yarn 1, you should upgrade to the latest yarn version or a different package manager. Otherwise, no other changes are required for this new behavior.

Patch Changes

• Initial setup to publish with Changesets (24a62f5)

• When a dependency with the file: or link: protocol is specified in the package.json, it will now error to prevent accidentally publishing dependencies that will likely not work when installed by end-users (6e6ab33)

• Fix EXPORT_TYPES_INVALID_FORMAT linting to detect .d.mts and .d.cts files (af5e88b)

• Updated dependencies [d0b406b]:

  • @​publint/pack@​0.1.0

• 1d13571 Release packages (#126)
• cccd71e Update dependencies
• e758ba9 Format with trailing comma
• 10e3891 Ignore scripts when packing (#128)
• 1eda033 Replace bluwy with new publint org
• 95b142f Release packages (#125)
• add8f31 Correctly process the pack option (#124)
• cb87bd1 Release packages (#118)
• b048f41 Lint packages with publint
• 2ecf76a Update docs
• Additional commits viewable in compare view

Sourced from typescript's releases.

TypeScript 5.7.3

For release notes, check out the release announcement.

• fixed issues query for Typescript 5.7.0 (Beta).
• fixed issues query for Typescript 5.7.1 (RC).
• fixed issues query for Typescript 5.7.2 (Stable).
• fixed issues query for Typescript 5.7.3 (Stable).

Downloads are available on npm

• a5e123d Update LKG
• 8bc0204 🤖 Pick PR #60828 (Fix CodeQL configuration, releases) into release-5.7 (#60923)
• 7aa63df 🤖 Pick PR #60393 (Don't try to add an implicit undefi...) into release-5.7 (#...
• 9df7c36 Bump version to 5.7.3 and LKG
• e167412 🤖 Pick PR #60794 (Harden sanitizeLog against incorr...) into release-5.7 (#...
• 9ba364c Fix coverage build on release-5.7 (#60792)
• 4b7441a 🤖 Pick PR #60680 (Mark the inherited any-based index ...) into release-5.7 (#...
• e844dc3 Cherry-pick #60402, #60440, #60616 into release-5.7 (#60777)
• 21b02a1 🤖 Pick PR #60749 (Do not require import attribute on ...) into release-5.7 (#...
• b82fd16 🤖 Pick PR #60576 (Avoid incorrectly reusing assertion...) into release-5.7 (#...
• Additional commits viewable in compare view

• See full diff in compare view

• See full diff in compare view

• See full diff in compare view

Sourced from svelte's releases.

[email protected]

Minor Changes

• feat: Expose ClassValue from svelte/elements (#15035)

Patch Changes

• fix: create fewer deriveds for concatenated strings (#15041)

• fix: correctly parse leading comments in function binding (#15020)

[email protected]

Minor Changes

• feat: allow \<template> elements to contain any child (#15007)

Patch Changes

• fix: ensure resume effects are scheduled in topological order (#15012)

• fix: bump esrap (#15015)

• fix: remove listener on bind_current_time teardown (#15013)

[email protected]

Patch Changes

• feat: allow const tag inside svelte:boundary (#14993)

• fix: ensure signal write invalidation within effects is consistent (#14989)

[email protected]

Patch Changes

• fix: never consider inert boundary effects (#14999)

• fix: store access on component destroy (#14968)

• fix: correctly transform pre with no content (#14973)

• fix: wrap each block expression in derived to encapsulate effects (#14967)

[email protected]

Patch Changes

• fix: reset dependency read versions after reaction execution (#14964)

[email protected]

Patch Changes

... (truncated)

Sourced from svelte's changelog.

5.19.0

Minor Changes

• feat: Expose ClassValue from svelte/elements (#15035)

Patch Changes

• fix: create fewer deriveds for concatenated strings (#15041)

• fix: correctly parse leading comments in function binding (#15020)

5.18.0

Minor Changes

• feat: allow \<template> elements to contain any child (#15007)

Patch Changes

• fix: ensure resume effects are scheduled in topological order (#15012)

• fix: bump esrap (#15015)

• fix: remove listener on bind_current_time teardown (#15013)

5.17.5

Patch Changes

• feat: allow const tag inside svelte:boundary (#14993)

• fix: ensure signal write invalidation within effects is consistent (#14989)

5.17.4

Patch Changes

• fix: never consider inert boundary effects (#14999)

• fix: store access on component destroy (#14968)

• fix: correctly transform pre with no content (#14973)

• fix: wrap each block expression in derived to encapsulate effects (#14967)

5.17.3

Patch Changes

... (truncated)

• a9d1f46 Version Packages (#15021)
• 509ba56 fix: create fewer deriveds for concatenated strings (#15041)
• 2aefc54 feat(elements): Expose ClassValue (#15035)
• 973b51d fix: correctly parse leading comments in function binding (#15020)
• 1d3c439 Version Packages (#15010)
• ff79704 fix: bump esrap (#15015)
• 5419610 fix: ensure resume effects are scheduled in topological order (#15012)
• 360ee70 fix: remove listener on bind_current_time teardown (#15013)
• dfa97a5 feat: allow every children in template tags (#15007)
• a1698c6 Version Packages (#15001)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions