Sourced from @​preact/preset-vite's releases.

2.10.5

What's Changed

• The this of config() is undefined in vite 5 by @​JoviDeCroock in preactjs/preset-vite#192
• Use import() for zimmerframe in order to support CJS Vite configs. by @​washingtonsteven in preactjs/preset-vite#194

New Contributors

• @​washingtonsteven made their first contribution in preactjs/preset-vite#194

Full Changelog: preactjs/preset-vite@2.10.4...2.10.5

2.10.4

What's Changed

• perf: avoid babel in dev by using magic string for hook names injection by @​sapphi-red in preactjs/preset-vite#183
• Add support for vite 8 by @​JoviDeCroock in preactjs/preset-vite#189
• Add support for oxc by @​JoviDeCroock in preactjs/preset-vite#190

Full Changelog: preactjs/preset-vite@2.10.3...2.10.4

• c9d28d1 2.10.5 (#195)
• 97a3c06 use import for zimmerframe (#194)
• 14d9cd6 this is undefined in vite 5 (#192)
• d364393 2.10.4 (#191)
• d160257 Add support for oxc (#190)
• 193a724 Add support for vite 8 (#189)
• d2d5681 perf: avoid babel in dev by using magic string for hook names injection (#183)
• See full diff in compare view

• See full diff in compare view

Sourced from comment-parser's changelog.

1.4.6

Patch Changes

• 02d3c46: Support default values on non-optional names (e.g. @property {number} BITMASK_VALUE_A=16 - description)

• See full diff in compare view

Sourced from lerna's releases.

v9.0.7

9.0.7 (2026-03-13)

Bug Fixes

• core: normalize ./ prefix in workspace globs for package detection (#4308) (bd39779)
• core: remove multimatch dependency and legacy-core internals (#4314) (ec01462)
• version: skip config resolution in prettier getFileInfo check (#4306) (ae53efe)
• version: support ESM and new v8+ conventional-changelog preset API (#4302) (575b248)

v9.0.6

9.0.6 (2026-03-11)

Bug Fixes

• deps: add missing ci-info dependency (#4263) (b768187)
• deps: bump tar from 7.5.8 to 7.5.11 (#4296) (7a69a57)

Sourced from lerna's changelog.

9.0.7 (2026-03-13)

Bug Fixes

• core: remove multimatch dependency and legacy-core internals (#4314) (ec01462)

9.0.6 (2026-03-11)

Bug Fixes

• deps: add missing ci-info dependency (#4263) (b768187)
• deps: bump tar from 7.5.8 to 7.5.11 (#4296) (7a69a57)

• 4322536 chore(misc): publish 9.0.7
• ec01462 fix(core): remove multimatch dependency and legacy-core internals (#4314)
• 538bf1a chore(deps): replace write-pkg with internal writePackage utility (#4313)
• ebf6729 chore(deps): remove set-blocking, is-stream, get-port (#4311)
• 76ad78b chore(deps): replace uuid, pify, temp-dir with native Node.js APIs (#4310)
• 5ad1cf8 chore(deps): replace make-dir, rimraf, resolve-from with native Node.js APIs ...
• bb30d88 chore(misc): publish 9.0.6
• c15070b refactor(create): consolidate @​lerna/create into the main lerna package (#4300)
• 7a69a57 fix(deps): bump tar from 7.5.8 to 7.5.11 (#4296)
• b768187 fix(deps): add missing ci-info dependency (#4263)
• See full diff in compare view

• See full diff in compare view

Sourced from @​xmldom/xmldom's releases.

0.9.10

Commits

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

Commits

Added

• implement ParentNode.children getter [#960](https://github.com/xmldom/xmldom/issues/960) / [#410](https://github.com/xmldom/xmldom/issues/410)

Fixed

• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp
• correctly traverse ancestor chain in Node.contains [#931](https://github.com/xmldom/xmldom/issues/931)

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Chore

• updated dependencies

Thank you, @​stevenobiajulu,

... (truncated)

Sourced from @​xmldom/xmldom's changelog.

0.9.10

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.13

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.9.9

... (truncated)

• bf396a5 0.9.10
• 78f6089 test: add missing serializer coverage for nodeFilter string return, Attribute...
• 192ce5b ci: remove unused imports flagged by CodeQL
• ca81c06 test: lower stack size for tests
• c9d5937 style: npm run format
• 1537fb4 docs: add 0.9.10 changelog entry
• afd6f6f docs: add 0.8.13 changelog entry
• afeb4ee refactor: align error mesage between branches
• 4845ef1 fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)
• dfb94a4 test: add missing isEqualNode behavioral coverage
• Additional commits viewable in compare view

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Sourced from mlly's releases.

v1.8.2

compare changes

🩹 Fixes

• Generic angle bracket parsing (#341)

📖 Documentation

• Fix typo (#333)

❤️ Contributors

• Florian Heuberger (@​Flo0806)
• AngelHdz (@​angelhdzmultimedia)

Sourced from mlly's changelog.

v1.8.2

compare changes

🩹 Fixes

• Extract variable names ignoring function calls (#336)
• Generic angle bracket parsing (#341)

📖 Documentation

• Fix typo (#333)

🏡 Chore

• Update deps (12913db)
• Lint (33495f9)
• release: V1.8.1 (ed17783)
• Update deps (1b09363)

❤️ Contributors

• Florian Heuberger (@​Flo0806)
• Pooya Parsa (@​pi0)
• AngelHdz [email protected]
• Daniel Roe (@​danielroe)

• c5ce4e5 chore(release): v1.8.2
• abef19c fix: generic angle bracket parsing (#341)
• 1b09363 chore: update deps
• ed17783 chore(release): v1.8.1
• 3f4c751 docs: fix typo (#333)
• 24bd871 chore(deps): update autofix-ci/action digest to 7a166d7 (#334)
• 938cf7e chore(deps): update actions/setup-node action to v6 (#328)
• 915dd32 chore(deps): update actions/checkout action to v6 (#332)
• See full diff in compare view

Sourced from @​percy/selenium-webdriver's releases.

v2.2.6

What's Changed

• Feat : Adding Cross Iframe Feature by @​yashmahamulkar-bs in percy/percy-selenium-js#720
• 🔖 Release v2.2.6-beta.1 by @​yashmahamulkar-bs in percy/percy-selenium-js#728
• 🔖 Release 2.2.6 by @​yashmahamulkar-bs in percy/percy-selenium-js#730

New Contributors

• @​yashmahamulkar-bs made their first contribution in percy/percy-selenium-js#720

Full Changelog: percy/percy-selenium-js@v2.2.5...v2.2.6

v2.2.6-beta.1

What's Changed

• Feat : Adding Cross Iframe Feature by @​yashmahamulkar-bs in percy/percy-selenium-js#720
• 🔖 Release v2.2.6-beta.1 by @​yashmahamulkar-bs in percy/percy-selenium-js#728

New Contributors

• @​yashmahamulkar-bs made their first contribution in percy/percy-selenium-js#720

Full Changelog: percy/percy-selenium-js@v2.2.5...v2.2.6-beta.1

• 0ecedb4 Release 2.2.6 (#730)
• e7071a0 🔖 Release v2.2.6-beta.1 (#728)
• bbbe1b4 Feat : Cross Origin Iframe Capture and CLI Upgrade Change (#720)
• See full diff in compare view

Sourced from browserstack-local's releases.

Changed local binary paths to support LocalBinary 7.3. Fixed folder argument.

Changed local binary paths to support LocalBinary 7.3. Fixed folder argument when building browserstack local arguments.

• fa2dcbc 1.5.13
• dcfaf7b Merge pull request #175 from browserstack/LOC-6635_sdk_binary_compatibility
• e79cd0e Remove debug log
• 4376222 Fix url ref
• 18f9a57 Add Async method to fetch download url for async flow
• See full diff in compare view

• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• See full diff in compare view

• f31407f Release 5.1.2
• 9ee352a docs: Update changelog
• b369a8c Merge pull request #90 from davidparsson/update/package-json
• 30f180f ci: Run tests for node.js 24
• e216c42 Update package-lock.json
• 2fcd16c Merge pull request #89 from assitantforjess/fix/security/bump-lodash-4.18.1
• 0fdcfb9 Whitespace
• 895ddd4 chore: bump lodash to 4.18.1 to address security advisories
• 0a39e68 Merge pull request #88 from davidparsson/dependabot/npm_and_yarn/basic-ftp-5.2.2
• 589e30f chore(deps-dev): bump basic-ftp from 5.2.1 to 5.2.2
• Additional commits viewable in compare view

• bbfe84d Roll protocol to r1629771
• f223775 Bump simple-git from 3.32.3 to 3.36.0 in /scripts (#355)
• 145f3d6 Roll protocol to r1628107
• b3d7e08 Roll protocol to r1627472
• 6e7b094 Roll protocol to r1625959
• 8feb4e1 Roll protocol to r1624250
• 470fb6a Roll protocol to r1621552
• e0946be Roll protocol to r1619965
• 5d8fd1a Roll protocol to r1618660
• eed2b1b Roll protocol to r1617982
• Additional commits viewable in compare view

Sourced from nock's releases.

v14.0.15

14.0.15 (2026-05-07)

Bug Fixes

• Revert "fix(backport): apply body delay before the response end" (#2973) (de5450c), closes #2969

v14.0.14

14.0.14 (2026-04-30)

Bug Fixes

• backport: apply body delay before the response end (#2969) (215cd2a)

v14.0.13

14.0.13 (2026-04-20)

Bug Fixes

• types: align Definition with runtime; add rawHeaders, drop headers (#2955) (07fbfab)

v14.0.12

14.0.12 (2026-04-05)

Bug Fixes

• prevent crash when query params have conflicting dot-notation keys (#2958) (7ea9933)

• de5450c fix: Revert "fix(backport): apply body delay before the response end" (#2973)
• 215cd2a fix(backport): apply body delay before the response end (#2969)
• 07fbfab fix(types): align Definition with runtime; add rawHeaders, drop headers (#2955)
• fe2c3ea chore(deps-dev): bump lodash-es from 4.17.23 to 4.18.1 (#2961)
• ee49b4f chore(deps-dev): bump flatted from 3.2.5 to 3.4.2
• 11bf183 chore(deps-dev): bump undici from 6.23.0 to 6.24.1 (#2954)
• 6b80154 chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#2960)
• 4cbf6cc chore(deps): bump tar and npm (#2952)
• 7ea9933 fix: prevent crash when query params have conflicting dot-notation keys (#2958)
• d00d371 chore(deps): bump picomatch
• Additional commits viewable in compare view

Sourced from vue's releases.

v3.5.34

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.33

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.32

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.31

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

v3.5.30

For stable releases, please refer to CHANGELOG.md for details. For pre-releases, please refer to CHANGELOG.md of the minor branch.

Sourced from vue's changelog.

3.5.34 (2026-05-06)

Bug Fixes

• compiler-sfc: infer Vue ref wrapper types when source is unresolvable (#14758) (7f46fd4), closes #14729
• compiler-sfc: preserve hash hrefs on <image> elements (#14756) (090b2e3)
• compiler-sfc: resolve type re-exports inside declare global (#14766) (acfffe3)
• reactivity: prevent orphan effect when created in a stopped scope (#14778) (c8e2d4a), closes #14777
• runtime-core: avoid symbol coercion during props validation (#8539) (23d4fb5), closes #8487
• suspense: avoid DOM leak with out-in transition in v-if fragment (#14762) (9667e0d), closes #14761

3.5.33 (2026-04-22)

Bug Fixes

• compiler-sfc: handle nested :deep in selector pseudos (#14725) (bb9d265), closes #14724
• reactivity: unlink effect scopes on out-of-order off (#14734) (e7659be), closes #14733
• runtime-dom: preserve textarea resize dimensions (#14747) (11fb2fd), closes #14741
• teleport: don't move teleport children if not mounted (#14702) (6a61f44), closes #14701
• transition: preserve placeholder for conditional explicit default slots (#14748) (45990ce), closes #14727

3.5.32 (2026-04-03)

Bug Fixes

• runtime-core: prevent currentInstance leak into sibling render during async setup re-entry (#14668) (f166353), closes #14667
• teleport: handle updates before deferred mount (#14642) (32b44f1), closes #14640
• types: allow customRef to have different getter/setter types (#14639) (e20ddb0)
• types: use private branding for shallowReactive (#14641) (302c47a), closes #14638 #14493

Reverts

• Revert "fix(server-renderer): cleanup component effect scopes after SSR render" (#14674) (219d83b), closes #14674 #14669

3.5.31 (2026-03-25)

Bug Fixes

• compiler-sfc: allow Node.js subpath imports patterns in asset urls (#13045) (95c3356), closes #9919
• compiler-sfc: support template literal as defineModel name (#14622) (bd7eef0), closes #14621
• reactivity: normalize toRef property keys before dep lookup + improve types (#14625) (1bb28d0), closes #12427 #12431

... (truncated)

• 57545e9 release: v3.5.34
• a3b2617 chore(deps): update dependency jsdom to ^29.1.1 (#14775)
• 23d4fb5 fix(runtime-core): avoid symbol coercion during props validation (#8539)
• 090b2e3 fix(compiler-sfc): preserve hash hrefs on \<image> elements (#14756)
• 9667e0d fix(suspense): avoid DOM leak with out-in transition in v-if fragment (#14762)
• c8e2d4a fix(reactivity): prevent orphan effect when created in a stopped scope (#14778)
• 7f46fd4 fix(compiler-sfc): infer Vue ref wrapper types when source is unresolvable (#...
• acfffe3 fix(compiler-sfc): resolve type re-exports inside declare global (#14766)
• a037385 chore(deps): update build (#14759)
• 0bc56ff chore(deps): update pnpm to v10.33.3 (#14760)
• Additional commits viewable in compare view