🚨 [security] Update all of nextjs 12.1.0 → 13.5.6 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ eslint-config-next (12.1.0 → 13.5.6)

Sorry, we couldn't find anything useful about this release.

✳️ next (12.1.0 → 13.5.6) · Repo

Security Advisories 🚨

🚨 Next.js Denial of Service (DoS) condition

Impact

A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.

This vulnerability can affect all Next.js deployments on the affected versions.

Patches

This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credit

• Thai Vu of flyseccorp.com
• Aonan Guan (@0dd), Senior Cloud Security Engineer

🚨 Next.js Vulnerable to HTTP Request Smuggling

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

🚨 Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

🚨 Unexpected server crash in Next.js

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

• Affected: All of the following must be true to be affected by this CVE

  • Node.js version above v15.0.0 being used with strict unhandledRejection exiting
  • Next.js version v12.2.3
  • Using next start or a custom server

• Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where next-server isn't being shared across requests.

Patches

https://github.com/vercel/next.js/releases/tag/v12.2.4

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn't find anything useful about this release.

↗️ @​next/env (indirect, 12.1.0 → 13.5.6) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn't find anything useful about this release.

↗️ @​next/eslint-plugin-next (indirect, 12.1.0 → 13.5.6)

Sorry, we couldn't find anything useful about this release.

↗️ @​rushstack/eslint-patch (indirect, 1.0.8 → 1.10.5)

Sorry, we couldn't find anything useful about this release.

↗️ array-includes (indirect, 3.1.4 → 3.1.8) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ array.prototype.flat (indirect, 1.2.5 → 1.3.3) · Repo · Changelog

Release Notes

1.3.3 (from changelog)

More info than we can show here.

1.3.2 (from changelog)

More info than we can show here.

1.3.1 (from changelog)

More info than we can show here.

1.3.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ array.prototype.flatmap (indirect, 1.2.5 → 1.3.3) · Repo · Changelog

Release Notes

1.3.3 (from changelog)

More info than we can show here.

1.3.2 (from changelog)

More info than we can show here.

1.3.1 (from changelog)

More info than we can show here.

1.3.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ axe-core (indirect, 4.4.1 → 4.10.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ call-bind (indirect, 1.0.2 → 1.0.8) · Repo · Changelog

Release Notes

1.0.8 (from changelog)

More info than we can show here.

1.0.7 (from changelog)

More info than we can show here.

1.0.6 (from changelog)

More info than we can show here.

1.0.5 (from changelog)

More info than we can show here.

1.0.3 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ debug (indirect, 2.6.9 → 3.2.7) · Repo · Changelog

Security Advisories 🚨

🚨 debug Inefficient Regular Expression Complexity vulnerability

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a016. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.

🚨 Regular Expression Denial of Service in debug

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.

🚨 Regular Expression Denial of Service in debug

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.1.x: Update to version 3.1.0 or later.
Version 3.2.x: Update to version 3.2.7 or later.
Version 4.x.x: Update to version 4.3.1 or later.

Release Notes

3.2.1

More info than we can show here.

3.1.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ define-properties (indirect, 1.1.3 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

More info than we can show here.

1.2.0 (from changelog)

More info than we can show here.

1.1.4 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ es-abstract (indirect, 1.19.1 → 1.23.9) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ es-to-primitive (indirect, 1.2.1 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-import-resolver-node (indirect, 0.3.6 → 0.3.9) · Repo · Changelog

↗️ eslint-import-resolver-typescript (indirect, 2.5.0 → 3.8.3) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-module-utils (indirect, 2.7.1 → 2.12.0) · Repo · Changelog

Release Notes

2.12.0 (from changelog)

More info than we can show here.

2.11.0 (from changelog)

More info than we can show here.

2.10.0 (from changelog)

More info than we can show here.

2.9.0 (from changelog)

More info than we can show here.

2.8.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-plugin-import (indirect, 2.25.2 → 2.31.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-plugin-jsx-a11y (indirect, 6.5.1 → 6.10.2) · Repo · Changelog

Release Notes

6.10.2 (from changelog)

More info than we can show here.

6.10.1 (from changelog)

More info than we can show here.

6.10.0 (from changelog)

More info than we can show here.

6.9.0

More info than we can show here.

6.8.0 (from changelog)

More info than we can show here.

6.7.1 (from changelog)

More info than we can show here.

6.7.0 (from changelog)

More info than we can show here.

6.6.1 (from changelog)

More info than we can show here.

6.6.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-plugin-react (indirect, 7.29.4 → 7.37.4) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ eslint-plugin-react-hooks (indirect, 4.3.0 → 5.0.0-canary-7118f5dd7-20230705) · Repo · Changelog

↗️ get-intrinsic (indirect, 1.1.1 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7 (from changelog)

More info than we can show here.

1.2.6 (from changelog)

More info than we can show here.

1.2.5 (from changelog)

More info than we can show here.

1.2.4 (from changelog)

More info than we can show here.

1.2.3 (from changelog)

More info than we can show here.

1.2.2 (from changelog)

More info than we can show here.

1.2.1 (from changelog)

More info than we can show here.

1.2.0 (from changelog)

More info than we can show here.

1.1.3 (from changelog)

More info than we can show here.

1.1.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ has-bigints (indirect, 1.0.1 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

More info than we can show here.

1.0.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ has-symbols (indirect, 1.0.3 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-bigint (indirect, 1.0.4 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-boolean-object (indirect, 1.1.2 → 1.2.2) · Repo · Changelog

Release Notes

1.2.2 (from changelog)

More info than we can show here.

1.2.1 (from changelog)

More info than we can show here.

1.2.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-callable (indirect, 1.2.4 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7 (from changelog)

More info than we can show here.

1.2.6 (from changelog)

More info than we can show here.

1.2.5 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-date-object (indirect, 1.0.5 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-number-object (indirect, 1.0.6 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

More info than we can show here.

1.1.0 (from changelog)

More info than we can show here.

1.0.7 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-regex (indirect, 1.1.4 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

More info than we can show here.

1.2.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-string (indirect, 1.0.7 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

More info than we can show here.

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ is-symbol (indirect, 1.0.4 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

More info than we can show here.

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json5 (indirect, 1.0.1 → 1.0.2) · Repo · Changelog

Security Advisories 🚨

🚨 Prototype Pollution in JSON5 via Parse Method

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Impact

This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Mitigation

This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.

Details

Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using JSON5.parse, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:

const JSON5 = require('json5');
const doSomethingDangerous = (props) => {

if (props.isAdmin) {

console.log('Doing dangerous thing as admin.');

} else {

console.log('Doing dangerous thing as user.');

}

};
const secCheckKeysSet = (obj, searchKeys) => {

let searchKeyFound = false;

Object.keys(obj).forEach((key) => {

if (searchKeys.indexOf(key) > -1) {

searchKeyFound = true;

}

});

return searchKeyFound;

};
const props = JSON5.parse('{"foo": "bar"}');

if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {

doSomethingDangerous(props); // "Doing dangerous thing as user."

} else {

throw new Error('Forbidden...');

}

If the user attempts to set the isAdmin key, their request will be rejected:

const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props);
} else {
  throw new Error('Forbidden...'); // Error: Forbidden...
}

However, users can instead set the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:

const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as admin."
} else {
  throw new Error('Forbidden...');
}

Release Notes

1.0.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minimist (indirect, 1.2.6 → 1.2.8) · Repo · Changelog

Release Notes

1.2.8 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ms (indirect, 2.0.0 → 2.1.3) · Repo

Release Notes

2.1.3

More info than we can show here.

2.1.2

More info than we can show here.

2.1.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ object-inspect (indirect, 1.11.0 → 1.13.4) · Repo · Changelog

Release Notes

1.13.4 (from changelog)

More info than we can show here.

1.13.3 (from changelog)

More info than we can show here.

1.13.2 (from changelog)

More info than we can show here.

1.13.1 (from changelog)

More info than we can show here.

1.13.0 (from changelog)

More info than we can show here.

1.12.3 (from changelog)

More info than we can show here.

1.12.2 (from changelog)

More info than we can show here.

1.12.1 (from changelog)

More info than we can show here.

1.12.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ object.assign (indirect, 4.1.2 → 4.1.7) · Repo · Changelog

Release Notes

4.1.7 (from changelog)

More info than we can show here.

4.1.6 (from changelog)

More info than we can show here.

4.1.5 (from changelog)

More info than we can show here.

4.1.4 (from changelog)

More info than we can show here.

4.1.3 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ object.entries (indirect, 1.1.5 → 1.1.8) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

More info than we can show here.

1.1.6 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ object.fromentries (indirect, 2.0.5 → 2.0.8) · Repo · Changelog

Release Notes

2.0.7 (from changelog)

More info than we can show here.

2.0.6 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ object.values (indirect, 1.1.5 → 1.2.1) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

More info than we can show here.

1.1.6 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

↗️ semver (indirect, 6.3.0 → 6.3.1) · Repo · Changelog

Security Advisories 🚨

🚨 semver vulnerable to Regular Expression Denial of Service

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Release Notes

6.3.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ side-channel (indirect, 1.0.4 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ string.prototype.matchall (indirect, 4.0.7 → 4.0.12) · Repo · Changelog

Release Notes

4.0.12 (from changelog)

More info than we can show here.

4.0.10 (from changelog)

More info than we can show here.

4.0.9 (from changelog)

More info than we can show here.

4.0.8 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ string.prototype.trimend (indirect, 1.0.4 → 1.0.9) · Repo · Changelog

Release Notes

1.0.9 (from changelog)

More info than we can show here.

1.0.7 (from changelog)

More info than we can show here.

1.0.6 (from changelog)

More info than we can show here.

1.0.5 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ string.prototype.trimstart (indirect, 1.0.4 → 1.0.8) · Repo · Changelog

Release Notes

1.0.7 (from changelog)

More info than we can show here.

1.0.6 (from changelog)

More info than we can show here.

1.0.5 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ styled-jsx (indirect, 5.0.0 → 5.1.1) · Repo · Changelog

Release Notes

5.1.1

More info than we can show here.

5.1.0

More info than we can show here.

5.0.7

More info than we can show here.

5.0.6

More info than we can show here.

5.0.5

More info than we can show here.

5.0.4

More info than we can show here.

5.0.3

More info than we can show here.

5.0.2

More info than we can show here.

5.0.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tsconfig-paths (indirect, 3.11.0 → 3.15.0) · Repo · Changelog

Release Notes

3.14.2 (from changelog)

More info than we can show here.

3.14.1 (from changelog)

More info than we can show here.

3.14.0 (from changelog)

More info than we can show here.

3.13.0 (from changelog)

More info than we can show here.

3.12.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unbox-primitive (indirect, 1.0.1 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

More info than we can show here.

1.0.2 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ which-boxed-primitive (indirect, 1.0.2 → 1.1.1) · Repo · Changelog

Release Notes

1.1.1 (from changelog)

More info than we can show here.

1.1.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​nolyfill/is-core-module (added, 1.0.39)

🆕 @​rtsao/scc (added, 1.1.0)

🆕 @​swc/helpers (added, 0.5.2)

🆕 array-buffer-byte-length (added, 1.0.2)

🆕 array.prototype.findlast (added, 1.2.5)

🆕 array.prototype.findlastindex (added, 1.2.5)

🆕 array.prototype.tosorted (added, 1.1.4)

🆕 arraybuffer.prototype.slice (added, 1.0.4)

🆕 async-function (added, 1.0.0)

🆕 available-typed-arrays (added, 1.0.7)

🆕 busboy (added, 1.6.0)

🆕 call-bind-apply-helpers (added, 1.0.2)

🆕 call-bound (added, 1.0.3)

🆕 client-only (added, 0.0.1)

🆕 data-view-buffer (added, 1.0.2)

🆕 data-view-byte-length (added, 1.0.2)

🆕 data-view-byte-offset (added, 1.0.1)

🆕 define-data-property (added, 1.1.4)

🆕 dunder-proto (added, 1.0.1)

🆕 enhanced-resolve (added, 5.18.1)

🆕 es-define-property (added, 1.0.1)

🆕 es-errors (added, 1.3.0)

🆕 es-iterator-helpers (added, 1.2.1)

🆕 es-object-atoms (added, 1.1.1)

🆕 es-set-tostringtag (added, 2.1.0)

🆕 es-shim-unscopables (added, 1.1.0)

🆕 fdir (added, 6.4.3)

🆕 for-each (added, 0.3.5)

🆕 function.prototype.name (added, 1.1.8)

🆕 functions-have-names (added, 1.2.3)

🆕 get-proto (added, 1.0.1)

🆕 get-tsconfig (added, 4.10.0)

🆕 glob-to-regexp (added, 0.4.1)

🆕 globalthis (added, 1.0.4)

🆕 gopd (added, 1.2.0)

🆕 graceful-fs (added, 4.2.11)

🆕 has-property-descriptors (added, 1.0.2)

🆕 has-proto (added, 1.2.0)

🆕 is-array-buffer (added, 3.0.5)

🆕 is-async-function (added, 2.1.1)

🆕 is-bun-module (added, 1.3.0)

🆕 is-data-view (added, 1.0.2)

🆕 is-finalizationregistry (added, 1.1.1)

🆕 is-generator-function (added, 1.1.0)

🆕 is-map (added, 2.0.3)

🆕 is-set (added, 2.0.3)

🆕 is-typed-array (added, 1.1.15)

🆕 is-weakmap (added, 2.0.2)

🆕 is-weakset (added, 2.0.4)

🆕 isarray (added, 2.0.5)

🆕 iterator.prototype (added, 1.1.5)

🆕 math-intrinsics (added, 1.1.0)

🆕 object.groupby (added, 1.0.3)

🆕 own-keys (added, 1.0.1)

🆕 possible-typed-array-names (added, 1.1.0)

🆕 reflect.getprototypeof (added, 1.0.10)

🆕 resolve-pkg-maps (added, 1.0.0)

🆕 safe-array-concat (added, 1.1.3)

🆕 safe-push-apply (added, 1.0.0)

🆕 safe-regex-test (added, 1.1.0)

🆕 set-function-length (added, 1.2.2)

🆕 set-function-name (added, 2.0.2)

🆕 set-proto (added, 1.0.0)

🆕 side-channel-list (added, 1.0.0)

🆕 side-channel-map (added, 1.0.1)

🆕 side-channel-weakmap (added, 1.0.2)

🆕 stable-hash (added, 0.0.4)

🆕 streamsearch (added, 1.1.0)

🆕 string.prototype.includes (added, 2.0.1)

🆕 string.prototype.repeat (added, 1.0.0)

🆕 string.prototype.trim (added, 1.2.10)

🆕 tapable (added, 2.2.1)

🆕 tinyglobby (added, 0.2.12)

🆕 typed-array-buffer (added, 1.0.3)

🆕 typed-array-byte-length (added, 1.0.3)

🆕 typed-array-byte-offset (added, 1.0.4)

🆕 typed-array-length (added, 1.0.7)

🆕 watchpack (added, 2.4.0)

🆕 which-builtin-type (added, 1.2.1)

🆕 which-collection (added, 1.0.2)

🆕 which-typed-array (added, 1.1.18)

🗑️ @​babel/runtime-corejs3 (removed)

🗑️ @​next/swc-android-arm64 (removed)

🗑️ @​next/swc-linux-arm-gnueabihf (removed)

🗑️ core-js-pure (removed)

🗑️ has (removed)

🗑️ is-negative-zero (removed)

🗑️ object.hasown (removed)

🗑️ typescript (removed)

🗑️ use-subscription (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud