chore(deps): bump the npm_and_yarn group across 3 directories with 25 updates #30

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-4b6494c320
dependabot bot commented on behalf of github on Mar 12, 2026

Bumps the npm_and_yarn group with 22 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| react-router | 6.30.1 | 6.30.2 |
| @backstage/backend-defaults | 0.6.2 | 0.15.2 |
| @backstage/plugin-auth-backend | 0.25.7 | 0.27.1 |
| @backstage/plugin-scaffolder-backend | 3.1.0 | 3.1.5 |
| qs | 6.14.0 | 6.14.2 |
| @backstage/cli-common | 0.1.15 | 0.1.18 |
| @backstage/integration | 1.18.1 | 1.20.1 |
| @backstage/plugin-techdocs-node | 1.13.10 | 1.14.3 |
| @smithy/config-resolver | 4.3.2 | 4.4.11 |
| basic-ftp | 5.0.5 | 5.2.0 |
| diff | 4.0.2 | 4.0.4 |
| fast-xml-parser | 4.5.3 | 4.5.4 |
| immutable | 3.8.2 | 3.8.3 |
| js-yaml | 3.14.1 | 3.14.2 |
| jsonpath | 1.1.1 | 1.3.0 |
| jws | 3.2.2 | 3.2.3 |
| lodash | 4.17.21 | 4.17.23 |
| multer | 2.0.2 | 2.1.1 |
| node-forge | 1.3.1 | 1.3.3 |
| rollup | 4.52.4 | 4.59.0 |
| svgo | 2.8.0 | 2.8.2 |
| vm2 | 3.10.0 | 3.10.5 |

Bumps the npm_and_yarn group with 2 updates in the /packages/backend directory: @backstage/backend-defaults and @backstage/plugin-auth-backend.
Bumps the npm_and_yarn group with 1 update in the /plugins/stack-overflow-teams-backend directory: @backstage/backend-defaults.

Updates react-router from 6.30.1 to 6.30.2

Release notes

Sourced from react-router's releases.

v6.30.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

Changelog

Sourced from react-router's changelog.

v6.30.2

Date: 2025-11-13

Security Notice

This release addresses 1 security vulnerability:

Patch Changes

  • Normalize double-slashes in resolvePath (#14537)

Full Changelog: v6.30.1...v6.30.2

Commits

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for react-router since your current version.


Updates @backstage/backend-defaults from 0.6.2 to 0.15.2

Changelog

Sourced from @​backstage/backend-defaults's changelog.

0.15.2

Patch Changes

  • 7455dae: Use node prefix on native imports
  • 44f5d04: Minor internal restructure of the postgres config loading code
  • 4fc7bf0: Bump to tar v7
  • 5dd683f: createRateLimitMiddleware is now exported from @backstage/backend-defaults/httpRouter
  • 8dd518a: Support connection.type: azure in database client to use Microsoft Entra authentication with Azure database for PostgreSQL
  • 69d880e: Bump to latest zod to ensure it has the latest features
  • Updated dependencies
    • @​backstage/backend-app-api@​1.5.0
    • @​backstage/integration@​1.20.0
    • @​backstage/integration-aws-node@​0.1.20
    • @​backstage/backend-plugin-api@​1.7.0
    • @​backstage/backend-dev-utils@​0.1.7
    • @​backstage/config-loader@​1.10.8
    • @​backstage/cli-node@​0.2.18
    • @​backstage/plugin-auth-node@​0.6.13
    • @​backstage/plugin-permission-node@​0.10.10
    • @​backstage/plugin-events-node@​0.4.19

0.15.2-next.1

Patch Changes

  • 8dd518a: Support connection.type: azure in database client to use Microsoft Entra authentication with Azure database for PostgreSQL
  • Updated dependencies
    • @​backstage/integration@​1.20.0-next.1
    • @​backstage/cli-node@​0.2.18-next.1
    • @​backstage/backend-plugin-api@​1.7.0-next.1

0.15.1-next.0

Patch Changes

  • 7455dae: Use node prefix on native imports
  • 44f5d04: Minor internal restructure of the postgres config loading code
  • 4fc7bf0: Bump to tar v7
  • 69d880e: Bump to latest zod to ensure it has the latest features
  • Updated dependencies
    • @​backstage/integration-aws-node@​0.1.20-next.0
    • @​backstage/backend-plugin-api@​1.7.0-next.0
    • @​backstage/backend-dev-utils@​0.1.7-next.0
    • @​backstage/config-loader@​1.10.8-next.0
    • @​backstage/integration@​1.19.3-next.0
    • @​backstage/cli-node@​0.2.17-next.0
    • @​backstage/plugin-auth-node@​0.6.12-next.0
    • @​backstage/backend-app-api@​1.5.0-next.0
    • @​backstage/plugin-permission-node@​0.10.9-next.0

... (truncated)

Commits

Updates @backstage/plugin-auth-backend from 0.25.7 to 0.27.1

Changelog

Sourced from @​backstage/plugin-auth-backend's changelog.

@​backstage/plugin-auth-backend

0.27.1-next.2

Patch Changes

  • d0f4cd2: Added optional client metadata document endpoint at /.well-known/oauth-client/cli.json relative to the auth backend base URL for CLI authentication. Enabled when auth.experimentalClientIdMetadataDocuments.enabled is set to true.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.8.0-next.1
    • @​backstage/plugin-auth-node@​0.6.14-next.2
    • @​backstage/plugin-catalog-node@​2.1.0-next.2

0.27.1-next.1

Patch Changes

  • 1ccad86: Added who-am-i action to the auth backend actions registry. Returns the catalog entity and user info for the currently authenticated user.
  • Updated dependencies
    • @​backstage/plugin-auth-node@​0.6.14-next.1
    • @​backstage/plugin-catalog-node@​2.1.0-next.1
    • @​backstage/backend-plugin-api@​1.7.1-next.0
    • @​backstage/catalog-model@​1.7.6
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7
    • @​backstage/types@​1.2.2

0.27.1-next.0

Patch Changes

  • 6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1
  • 619be54: Update migrations to be reversible
  • Updated dependencies
    • @​backstage/plugin-catalog-node@​2.1.0-next.0
    • @​backstage/backend-plugin-api@​1.7.1-next.0
    • @​backstage/catalog-model@​1.7.6
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7
    • @​backstage/types@​1.2.2
    • @​backstage/plugin-auth-node@​0.6.14-next.0

0.27.0

Minor Changes

  • 31de2c9: Added experimental support for Client ID Metadata Documents (CIMD).

    This allows Backstage to act as an OAuth 2.0 authorization server that supports the IETF Client ID Metadata Document draft. External OAuth clients can use HTTPS URLs as their client_id, and Backstage will fetch metadata from those URLs to validate the client.

    Configuration example:

... (truncated)

Commits

Updates @backstage/plugin-scaffolder-backend from 3.1.0 to 3.1.5

Changelog

Sourced from @​backstage/plugin-scaffolder-backend's changelog.

@​backstage/plugin-scaffolder-backend

3.2.0-next.2

Minor Changes

  • e8736ea: Added secrets schema validation for task creation, retry, and dry-run endpoints. When a template defines spec.secrets.schema, the API validates provided secrets against the schema and returns a 400 error if validation fails.

Patch Changes

  • 30ff981: Fixed a security vulnerability where secrets could bypass log redaction when transformed through Nunjucks filters in scaffolder templates.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.8.0-next.1
    • @​backstage/integration@​2.0.0-next.2
    • @​backstage/plugin-scaffolder-common@​2.0.0-next.2
    • @​backstage/backend-openapi-utils@​0.6.7-next.1
    • @​backstage/plugin-catalog-node@​2.1.0-next.2
    • @​backstage/plugin-events-node@​0.4.20-next.1
    • @​backstage/plugin-permission-node@​0.10.11-next.1
    • @​backstage/plugin-scaffolder-node@​0.13.0-next.2

3.2.0-next.1

Minor Changes

  • c9b11eb: Added a new list-scaffolder-tasks action that allows querying scaffolder tasks with optional ownership filtering and pagination support
  • 0fbcf23: Migrated OpenAPI schemas to 3.1.
  • 7695dd2: Added a new list-scaffolder-actions action that returns all installed scaffolder actions with their schemas and examples

Patch Changes

  • e27bd4e: Removed @backstage/plugin-scaffolder-backend-module-bitbucket from package.json as the package itself has been deprecated and the code deleted.
  • ccc20cf: create scaffolder MCP action to dry run a provided scaffolder template
  • Updated dependencies
    • @​backstage/integration@​2.0.0-next.1
    • @​backstage/plugin-scaffolder-common@​2.0.0-next.1
    • @​backstage/plugin-scaffolder-node@​0.13.0-next.1
    • @​backstage/plugin-catalog-node@​2.1.0-next.1
    • @​backstage/backend-openapi-utils@​0.6.7-next.0
    • @​backstage/backend-plugin-api@​1.7.1-next.0
    • @​backstage/catalog-model@​1.7.6
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7
    • @​backstage/types@​1.2.2
    • @​backstage/plugin-events-node@​0.4.20-next.0
    • @​backstage/plugin-permission-common@​0.9.6
    • @​backstage/plugin-permission-node@​0.10.11-next.0

3.1.4-next.0

... (truncated)

Commits

Updates qs from 6.14.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
  • Additional commits viewable in compare view

Updates @backstage/cli-common from 0.1.15 to 0.1.18

Changelog

Sourced from @​backstage/cli-common's changelog.

0.1.18

Patch Changes

  • 7455dae: Use node prefix on native imports

0.1.18-next.0

Patch Changes

  • 7455dae: Use node prefix on native imports
  • Updated dependencies
    • @​backstage/errors@​1.2.7

0.1.17

Patch Changes

  • ae4dd5d: Move some of the symlink resolution to isChildPath

0.1.16

Patch Changes

  • 5cfb2a4: Added new run, runOutput, and runCheck utilities to help run child processes in a safe and portable way.
  • c8c2329: Add proxy configuration from env-vars to create-app tasks
  • 2bae83a: Bumped dev dependencies @types/node

0.1.16-next.2

Patch Changes

  • 2bae83a: Bumped dev dependencies @types/node
  • Updated dependencies
    • @​backstage/errors@​1.2.7

0.1.16-next.1

Patch Changes

  • 5cfb2a4: Added new run, runOutput, and runCheck utilities to help run child processes in a safe and portable way.

0.1.16-next.0

Patch Changes

  • c8c2329: Add proxy configuration from env-vars to create-app tasks

Commits

Updates @backstage/integration from 1.18.1 to 1.20.1

Changelog

Sourced from @​backstage/integration's changelog.

@​backstage/integration

2.0.0-next.2

Patch Changes

  • 1513a0b: Fixed a security vulnerability where path traversal sequences in SCM URLs could be used to access unintended API endpoints using server-side integration credentials.

2.0.0-next.1

Major Changes

  • 527cf88: BREAKING Removed deprecated Azure DevOps, Bitbucket, Gerrit and GitHub code:

    • For Azure DevOps, the long deprecated token string and credential object have been removed from the config.d.ts. Use the credentials array object instead.
    • For Bitbucket, the long deprecated bitbucket object has been removed from the config.d.ts. Use the bitbucketCloud or bitbucketServer objects instead.
    • For Gerrit, the parseGerritGitilesUrl function has been removed, use parseGitilesUrlRef instead. The buildGerritGitilesArchiveUrl function has also been removed, use buildGerritGitilesArchiveUrlFromLocation instead.
    • For GitHub, the getGitHubRequestOptions function has been removed.

Patch Changes

  • 993a598: Fixed Azure integration config schema visibility annotations to use per-field @visibility secret instead of @deepVisibility secret on parent objects, so that non-secret fields like clientId, tenantId, organizations, and managedIdentityClientId are no longer incorrectly marked as secret.
  • Updated dependencies
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7

1.21.0-next.0

Minor Changes

  • d933f62: Add configurable throttling and retry mechanism for GitLab integration.

Patch Changes

  • Updated dependencies
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7

1.20.0

Minor Changes

  • 6999f6d: The AzureUrl class in the @​backstage/integration package is now able to process BOTH git branches and git tags. Initially this class only processed git branches and threw an error when non-branch Azure URLs were passed in.

Patch Changes

  • cc6206e: Added support for {org}.visualstudio.com domains used by Azure DevOps
  • 7455dae: Use node prefix on native imports

1.20.0-next.2

... (truncated)

Commits
  • c8a8aac Version Packages
  • 4aa43f6 chore(deps): update dependency cross-fetch to v4
  • f577e11 Version Packages (next)
  • 11153a0 Merge remote-tracking branch 'upstream/master' into entra-rename
  • ad7d38c fix tests
  • 243c655 Updated Azure Active Directory to Entra ID
  • 8cdb8c2 Version Packages
  • e43d3eb Version Packages (next)
  • 0b55f77 Removed some unused dependencies
  • bea3617 Version Packages (next)
  • Additional commits viewable in compare view

Updates @backstage/plugin-techdocs-node from 1.13.10 to 1.14.3

Changelog

Sourced from @​backstage/plugin-techdocs-node's changelog.

@​backstage/plugin-techdocs-node

1.14.4-next.2

Patch Changes

  • e96f6d9: Removed INHERIT from the ALLOWED_MKDOCS_KEYS set to address a security concern with MkDocs configuration inheritance.
  • Updated dependencies
    • @​backstage/backend-plugin-api@​1.8.0-next.1
    • @​backstage/integration@​2.0.0-next.2

1.14.3-next.1

Patch Changes

  • cb7c6b1: Added techdocs.generator.mkdocs.dangerouslyAllowAdditionalKeys configuration option to explicitly bypass MkDocs configuration key restrictions. This enables support for additional MkDocs configuration keys beyond the default safe allow list, such as the hooks key which some MkDocs plugins require.
  • Updated dependencies
    • @​backstage/integration@​2.0.0-next.1
    • @​backstage/backend-plugin-api@​1.7.1-next.0
    • @​backstage/catalog-model@​1.7.6
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7
    • @​backstage/integration-aws-node@​0.1.20
    • @​backstage/plugin-search-common@​1.2.22
    • @​backstage/plugin-techdocs-common@​0.1.1

1.14.3-next.0

Patch Changes

  • Updated dependencies
    • @​backstage/integration@​1.21.0-next.0
    • @​backstage/backend-plugin-api@​1.7.1-next.0
    • @​backstage/catalog-model@​1.7.6
    • @​backstage/config@​1.3.6
    • @​backstage/errors@​1.2.7
    • @​backstage/integration-aws-node@​0.1.20
    • @​backstage/plugin-search-common@​1.2.22
    • @​backstage/plugin-techdocs-common@​0.1.1

1.14.2

Patch Changes

  • 7455dae: Use node prefix on native imports
  • 3c455d4: Some security fixes
  • Updated dependencies
    • @​backstage/integration@​1.20.0
    • @​backstage/integration-aws-node@​0.1.20
    • @​backstage/backend-plugin-api@​1.7.0

... (truncated)

Commits

Updates @smithy/config-resolver from 4.3.2 to 4.4.11

Release notes

Sourced from @​smithy/config-resolver's releases.

@​smithy/config-resolver@​4.4.11

Patch Changes

  • Updated dependencies [5340b11]
    • @​smithy/types@​4.13.1
    • @​smithy/node-config-provider@​4.3.12
    • @​smithy/util-endpoints@​3.3.3
    • @smithy/util-middleware@4.2.12

Changelog

Sourced from @​smithy/config-resolver's changelog.

4.4.11

Patch Changes

  • Updated dependencies [5340b11]
    • @​smithy/types@​4.13.1
    • @​smithy/node-config-provider@​4.3.12
    • @​smithy/util-endpoints@​3.3.3
    • @​smithy/util-middleware@​4.2.12

4.4.10

Patch Changes

  • a4d95e6: Set downlevel types to be used in typescript@'<4.5'
  • Updated dependencies [a4d95e6]
    • @​smithy/node-config-provider@​4.3.11
    • @​smithy/util-config-provider@​4.2.2
    • @​smithy/util-middleware@​4.2.11
    • @​smithy/util-endpoints@​3.3.2

4.4.9

Patch Changes

  • Updated dependencies [d0954cc]
    • @​smithy/types@​4.13.0
    • @​smithy/node-config-provider@​4.3.10
    • @​smithy/util-endpoints@​3.3.1
    • @​smithy/util-middleware@​4.2.10

4.4.8

Patch Changes

  • Updated dependencies [2bf677c]
    • @​smithy/util-endpoints@​3.3.0

4.4.7

Patch Changes

  • 03c3dc8: update for rollup build externalLiveBindings=false
  • Updated dependencies [03c3dc8]
    • @​smithy/node-config-provider@​4.3.9
    • @​smithy/types@​4.12.1
    • @​smithy/util-config-provider@​4.2.1
    • @​smithy/util-endpoints@​3.2.9
    • @​smithy/util-middleware@​4.2.9

... (truncated)

Commits

Updates basic-ftp from 5.0.5 to 5.2.0

Release notes

Sourced from basic-ftp's releases.

5.2.0

  • Changed: Skip files with invalid name in downloadToDir.

5.1.0

  • Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Changelog

Sourced from basic-ftp's changelog.

5.2.0

5.1.0

  • Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (#259)

Commits

Maintainer changes

This version was pushed to npm by patrickjuchli, a new releaser for basic-ftp since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates diff from 4.0.2 to 4.0.4

Changelog

Sourced from diff's changelog.

v4.0.4 - January 2026

Only change from 4.0.2 is a backport of the fix to GHSA-73rr-hh4g-fpgx.

v4.0.3 (deprecated)

Accidental release - do not use.

Commits

Maintainer changes

This version was pushed to npm by explodingcabbage, a new releaser for diff since your current version.


Updates fast-xml-parser from 4.5.3 to 4.5.4

Release notes

Sourced from fast-xml-parser's releases.

Summary update on all the previous releases from v4.2.4

  • Multiple minor fixes provided in the validator and parser
  • v6 is added for experimental use.
  • ignoreAttributes support function, and array of string or regex
  • Add support for parsing HTML numeric entities
  • v5 of the application is ESM module now. However, JS is also supported

Note: Release section is not updated frequently. Please check CHANGELOG or Tags for latest release information.

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.3 / 2026-03-11

  • upgrade builder

5.5.2 / 2026-03-11

  • update dependency to fix typings

5.5.1 / 2026-03-10

  • fix dependency

5.5.0 / 2026-03-10

  • support path-expression-matcher
  • fix: stopNode should not be parsed
  • performance improvement for stopNode checking

5.4.2 / 2026-03-03

  • support maxEntityCount option

5.4.1 / 2026-02-25

  • fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

  • migrate to fast-xml-builder

5.3.9 / 2026-02-25

  • support strictReservedNames

5.3.8 / 2026-02-25

  • support maxNestedTags
  • handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
  • save use of js properies

5.3.7 / 2026-02-20

5.3.6 / 2026-02-14

  • Improve security and performance of entity processing
    • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags, tagFilter
    • fast return when no entity is present
    • improve replacement logic to reduce number of calls

5.3.5 / 2026-02-08

  • fix: Escape regex char in entity name
  • update strnum to 2.1.2

... (truncated)

Commits
  • f8d4d42 update strnum to fix parsing issues of 0 when skiplike is used
  • 2ae1f62 fix: return type for tagValueProcessor & attributeValueProcessor (#582)
  • See full diff in compare view

Updates form-data from 2.3.3 to 2.5.5

Release notes

Sourced from form-data's releases.

v2.5.2

Fixes

  • Buffer.from and Buffer.alloc require node 4+
  • npmignore temporary build files (#532)
  • move util.isArray to Array.isArray (#564)

Tests

  • migrate from travis to GHA

Dev Improvements

  • Fixed error in the documentations as indicated in #439
  • Added remaining combined-stream options to typedef
  • Bumped rimraf to 2.7.1 (dev-dep)
  • Added constructor options to TypeScript defs
  • Fixed error in callback signatures

Added Types

  • Added TS types
  • Improved documentation

Added getBuffer method

Updated test builds to support node10 and 12.

Changelog

Sourced from form-data's changelog.

v2.5.5 - 2025-07-18

Commits

  • [meta] actually ensure the readme backup isn’t published 10626c0
  • [Fix] use proper dependency 026abe5

v2.5.4 - 2025-07-17

Fixed

Commits

  • [eslint] update linting config 8bf2492
  • [meta] add auto-changelog b5101ad
  • [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 0e93122
  • [Fix] Switch to using crypto random for boundary values b88316c
  • [Fix] validate boundary type in setBoundary() method 131ae5e
  • [Tests] Switch to newer v8 prediction library; enable node 24 testing c97cfbe
  • [Refactor] use hasown 97ac9c2
  • [meta] remove local commit hooks be99d4e
  • [Dev Deps] remove unused deps ddbc89b
  • [meta] fix scripts to use prepublishOnly e351a97
  • [Dev Deps] remove unused script 8f23366
  • [Dev Deps] add missing peer dep 02ff026
  • [meta] fix readme capitalization 2fd5f61

v2.5.3 - 2025-02-14

Merged

Fixed

Commits

  • [Refactor] use Object.prototype.hasOwnProperty.call 6e682d4
  • [Dev Deps] update @types/node, browserify, coveralls, eslint, formidable, in-publish, phantomjs-prebuilt, pkgfiles, pre-commit, request, tape, typescript 819f6b7
  • Only apps should have lockfiles b170ee2
  • [Deps] update combined-stream, mime-types 6b1ca1d
  • Bumped version 2.5.3 9457283
  • [Dev Deps] pin request which via tough-cookie ^2.4 depends on psl 9dbe192

v2.5.2 - 2024-10-10

... (truncated)

Commits

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for form-data since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Updates immutable from 3.8.2 to 3.8.3

Release notes

Sourced from immutable's releases.

v3.8.3

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

  • Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Documentation

Internal

5.1.3

TypeScript

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

... (truncated)

Commits

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.


Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

… updates

Bumps the npm_and_yarn group with 22 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) | `6.30.1` | `6.30.2` |
| [@backstage/backend-defaults](https://github.com/backstage/backstage/tree/HEAD/packages/backend-defaults) | `0.6.2` | `0.15.2` |
| [@backstage/plugin-auth-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/auth-backend) | `0.25.7` | `0.27.1` |
| [@backstage/plugin-scaffolder-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/scaffolder-backend) | `3.1.0` | `3.1.5` |
| [qs](https://github.com/ljharb/qs) | `6.14.0` | `6.14.2` |
| [@backstage/cli-common](https://github.com/backstage/backstage/tree/HEAD/packages/cli-common) | `0.1.15` | `0.1.18` |
| [@backstage/integration](https://github.com/backstage/backstage/tree/HEAD/packages/integration) | `1.18.1` | `1.20.1` |
| [@backstage/plugin-techdocs-node](https://github.com/backstage/backstage/tree/HEAD/plugins/techdocs-node) | `1.13.10` | `1.14.3` |
| [@smithy/config-resolver](https://github.com/smithy-lang/smithy-typescript/tree/HEAD/packages/config-resolver) | `4.3.2` | `4.4.11` |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | `5.0.5` | `5.2.0` |
| [diff](https://github.com/kpdecker/jsdiff) | `4.0.2` | `4.0.4` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `4.5.3` | `4.5.4` |
| [immutable](https://github.com/immutable-js/immutable-js) | `3.8.2` | `3.8.3` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [jsonpath](https://github.com/dchester/jsonpath) | `1.1.1` | `1.3.0` |
| [jws](https://github.com/brianloveswords/node-jws) | `3.2.2` | `3.2.3` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [multer](https://github.com/expressjs/multer) | `2.0.2` | `2.1.1` |
| [node-forge](https://github.com/digitalbazaar/forge) | `1.3.1` | `1.3.3` |
| [rollup](https://github.com/rollup/rollup) | `4.52.4` | `4.59.0` |
| [svgo](https://github.com/svg/svgo) | `2.8.0` | `2.8.2` |
| [vm2](https://github.com/patriksimek/vm2) | `3.10.0` | `3.10.5` |

Bumps the npm_and_yarn group with 2 updates in the /packages/backend directory: [@backstage/backend-defaults](https://github.com/backstage/backstage/tree/HEAD/packages/backend-defaults) and [@backstage/plugin-auth-backend](https://github.com/backstage/backstage/tree/HEAD/plugins/auth-backend).
Bumps the npm_and_yarn group with 1 update in the /plugins/stack-overflow-teams-backend directory: [@backstage/backend-defaults](https://github.com/backstage/backstage/tree/HEAD/packages/backend-defaults).


Updates `react-router` from 6.30.1 to 6.30.2
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@6.30.2/packages/react-router)

Updates `@backstage/backend-defaults` from 0.6.2 to 0.15.2
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/backend-defaults/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/backend-defaults)

Updates `@backstage/plugin-auth-backend` from 0.25.7 to 0.27.1
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/auth-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/auth-backend)

Updates `@backstage/plugin-scaffolder-backend` from 3.1.0 to 3.1.5
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/scaffolder-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/scaffolder-backend)

Updates `qs` from 6.14.0 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.0...v6.14.2)

Updates `@backstage/cli-common` from 0.1.15 to 0.1.18
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/cli-common/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/cli-common)

Updates `@backstage/integration` from 1.18.1 to 1.20.1
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/integration/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/v1.20.1/packages/integration)

Updates `@backstage/plugin-techdocs-node` from 1.13.10 to 1.14.3
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/techdocs-node/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/techdocs-node)

Updates `@smithy/config-resolver` from 4.3.2 to 4.4.11
- [Release notes](https://github.com/smithy-lang/smithy-typescript/releases)
- [Changelog](https://github.com/smithy-lang/smithy-typescript/blob/main/packages/config-resolver/CHANGELOG.md)
- [Commits](https://github.com/smithy-lang/smithy-typescript/commits/@smithy/config-resolver@4.4.11/packages/config-resolver)

Updates `basic-ftp` from 5.0.5 to 5.2.0
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.0.5...v5.2.0)

Updates `diff` from 4.0.2 to 4.0.4
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v4.0.2...v4.0.4)

Updates `fast-xml-parser` from 4.5.3 to 4.5.4
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.5.3...v4.5.4)

Updates `form-data` from 2.3.3 to 2.5.5
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](https://github.com/form-data/form-data/commits/v2.5.5)

Updates `immutable` from 3.8.2 to 3.8.3
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v3.8.2...v3.8.3)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `jsonpath-plus` from 7.2.0 to 10.3.0
- [Release notes](https://github.com/s3u/JSONPath/releases)
- [Changelog](https://github.com/JSONPath-Plus/JSONPath/blob/main/CHANGES.md)
- [Commits](JSONPath-Plus/JSONPath@v7.2.0...v10.3.0)

Updates `jsonpath` from 1.1.1 to 1.3.0
- [Commits](https://github.com/dchester/jsonpath/commits)

Updates `jws` from 3.2.2 to 3.2.3
- [Release notes](https://github.com/brianloveswords/node-jws/releases)
- [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jws@v3.2.2...v3.2.3)

Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)

Updates `multer` from 2.0.2 to 2.1.1
- [Release notes](https://github.com/expressjs/multer/releases)
- [Changelog](https://github.com/expressjs/multer/blob/main/CHANGELOG.md)
- [Commits](expressjs/multer@v2.0.2...v2.1.1)

Updates `node-forge` from 1.3.1 to 1.3.3
- [Changelog](https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md)
- [Commits](digitalbazaar/forge@v1.3.1...v1.3.3)

Updates `rollup` from 4.52.4 to 4.59.0
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.52.4...v4.59.0)

Updates `svgo` from 2.8.0 to 2.8.2
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v2.8.0...v2.8.2)

Updates `underscore` from 1.12.1 to 1.13.6
- [Commits](jashkenas/underscore@1.12.1...1.13.6)

Updates `vm2` from 3.10.0 to 3.10.5
- [Release notes](https://github.com/patriksimek/vm2/releases)
- [Commits](patriksimek/vm2@v3.10.0...v3.10.5)

Updates `@backstage/backend-defaults` from 0.14.1 to 0.15.2
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/backend-defaults/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/backend-defaults)

Updates `@backstage/plugin-auth-backend` from 0.25.7 to 0.27.1
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/plugins/auth-backend/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/plugins/auth-backend)

Updates `@backstage/backend-defaults` from 0.6.2 to 0.15.2
- [Release notes](https://github.com/backstage/backstage/releases)
- [Changelog](https://github.com/backstage/backstage/blob/master/packages/backend-defaults/CHANGELOG.md)
- [Commits](https://github.com/backstage/backstage/commits/HEAD/packages/backend-defaults)

---
updated-dependencies:
- dependency-name: react-router
  dependency-version: 6.30.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/backend-defaults"
  dependency-version: 0.15.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-auth-backend"
  dependency-version: 0.27.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-scaffolder-backend"
  dependency-version: 3.1.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/cli-common"
  dependency-version: 0.1.18
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/integration"
  dependency-version: 1.20.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-techdocs-node"
  dependency-version: 1.14.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@smithy/config-resolver"
  dependency-version: 4.4.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: basic-ftp
  dependency-version: 5.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: diff
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 4.5.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 2.5.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: immutable
  dependency-version: 3.8.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jsonpath-plus
  dependency-version: 10.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jsonpath
  dependency-version: 1.3.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jws
  dependency-version: 3.2.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: multer
  dependency-version: 2.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-forge
  dependency-version: 1.3.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: svgo
  dependency-version: 2.8.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: underscore
  dependency-version: 1.13.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vm2
  dependency-version: 3.10.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/backend-defaults"
  dependency-version: 0.15.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/plugin-auth-backend"
  dependency-version: 0.27.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@backstage/backend-defaults"
  dependency-version: 0.15.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the `dependencies` (Pull requests that update a dependency file) and `javascript` (Pull requests that update javascript code) labels Mar 12, 2026