Bump the legacy-ui-package-updates group across 1 directory with 25 updates

[dependabot]

Bumps the legacy-ui-package-updates group with 24 updates in the /airflow/www directory:

Package	From	To
axios	1.13.6	1.15.2
lodash	4.17.23	4.18.1
moment-timezone	0.6.0	0.6.2
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
react-router-dom	7.13.1	7.14.2
swagger-ui-dist	5.32.0	5.32.5
type-fest	5.4.4	5.6.0
validator	13.15.26	13.15.35
@babel/preset-env	7.29.0	7.29.2
@types/color	4.2.0	4.2.1
@typescript-eslint/parser	8.56.1	8.59.1
babel-jest	30.2.0	30.3.0
babel-loader	10.0.0	10.1.1
eslint-plugin-promise	7.2.1	7.3.0
eslint-plugin-react-hooks	7.0.1	7.1.1
globals	17.4.0	17.5.0
jest	30.2.0	30.3.0
jest-environment-jsdom	30.2.0	30.3.0
mini-css-extract-plugin	2.10.0	2.10.2
prettier	3.8.1	3.8.3
stylelint	17.4.0	17.9.1
terser-webpack-plugin	5.3.17	5.5.0
webpack	5.105.4	5.106.2

Updates axios from 1.13.6 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates chakra-react-select from 4.0.3 to 4.10.1

Release notes

Sourced from chakra-react-select's releases.

4.10.1

What's Changed

• fix: Reduce selected menu option styles specificity by @​csandman in csandman/chakra-react-select#338

Full Changelog: csandman/chakra-react-select@v4.10.0...v4.10.1

4.10.0

What's Changed

• fix: Switch peer dependencies to depend on @chakra-ui/react instead of sub-packages by @​csandman in csandman/chakra-react-select#336

Full Changelog: csandman/chakra-react-select@v4.9.2...v4.10.0

4.9.2

What's Changed

• fix: Change package type back to default of "commonjs" by @​csandman in csandman/chakra-react-select#331
  • This was to fix #329, which was being caused by Jest importing the wrong build of the package.

Full Changelog: csandman/chakra-react-select@v4.9.1...v4.9.2

4.9.1

What's Changed

• fix: Fix react-select core Props type export by @​csandman in csandman/chakra-react-select#324

Full Changelog: csandman/chakra-react-select@v4.9.0...v4.9.1

4.9.0

What's Changed

• chore: Switch to tsup for building and update dependencies by @​csandman in csandman/chakra-react-select#298
  • This change should finally make this package fully support ESM, where as before it didn't really which was causing some issues. It should fix an issue with the ID prop not matching mentioned in #260, without the need for a workaround. Check the PR description for full details!

I tested this change in a few different environments with different module resolution setups but it's possible I missed a case. If it ends up not working for your particular setup, please open a bug report with as much specific information as you can give me, such as:

• Chakra Package Versions
• React Version
• TypeScript or Vanilla
• Yarn or NPM (and which version of the package manager you're on)
• Your jsconfig/tsconfig setup

I'm not likely to figure out what's going on if I can't replicate the environment locally, so the more information you can provide the better!

Full Changelog: csandman/chakra-react-select@v4.8.0...v4.9.0

4.8.0

What's Changed

• chore: Update all dependencies by @​csandman in csandman/chakra-react-select#315

... (truncated)

Commits

• b49461f 4.10.1
• 2269b85 Merge pull request #338 from csandman/fix/selected-menu-option-styles
• 61bfe64 Generalize the dependency version of react-select
• f806801 Reduce selected menu option styles specificity
• 9b9ddcc 4.10.0
• 12d7cc6 Merge pull request #336 from csandman/fix/switch-to-chakra-ui-react-imports
• f9822c4 Remove CodeSandbox CI
• b495516 Update TSConfig once more
• cef98ce Switch to using the single package import approach for @​chakra-ui/react
• c68d4a7 4.9.2
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates moment-timezone from 0.6.0 to 0.6.2

Release notes

Sourced from moment-timezone's releases.

Release 0.6.2

• Updated data to IANA TZDB 2026b. #1145

Release 0.6.1

• Updated data to IANA TZDB 2026a. #1140

NOTE: This release does not include recently-announced DST changes for British Columbia, Canada. Those changes will likely be in 2026b.

Changelog

Sourced from moment-timezone's changelog.

0.6.2 2026-04-26

• Updated data to IANA TZDB 2026b. #1145

0.6.1 2026-03-18

• Updated data to IANA TZDB 2026a. #1140

Commits

• 466c890 Bump version and build moment-timezone 0.6.2
• e311deb Merge pull request #1145 from moment/data/2026b
• 3270009 data: Add 2026b
• f498d96 build(deps): bump picomatch from 2.3.1 to 2.3.2 (#1143)
• 13e724c Build moment-timezone 0.6.1
• 22070ff Bump version to 0.6.1
• b4ebddb Merge pull request #1140 from moment/automated/data-update
• cb47a65 data: Add 2026a
• 026466a build(deps): bump lodash from 4.17.21 to 4.17.23 (#1137)
• 6dc5413 Update Antarctica guess tests for 2026
• Additional commits viewable in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-router-dom from 7.13.1 to 7.14.2

Changelog

Sourced from react-router-dom's changelog.

v7.14.2

Patch Changes

• Updated dependencies:
  • react-router@7.14.2

v7.14.1

Patch Changes

• Updated dependencies:
  • react-router@7.14.1

7.14.0

Patch Changes

• Updated dependencies:
  • react-router@7.14.0

7.13.2

Patch Changes

• Updated dependencies:
  • react-router@7.13.2

Commits

• cf1d250 Release v7.14.2 (#14993)
• 197674b Release 7.14.1 (#14973)
• a87774f Add new release process (#14916)
• e31077b chore: Update version for release (#14945)
• 6683e85 chore: Update version for release (pre) (#14943)
• aadb56f chore: Update version for release (#14908)
• c68a9b3 chore: Update version for release (pre) (#14893)
• See full diff in compare view

Updates swagger-ui-dist from 5.32.0 to 5.32.5

Release notes

Sourced from swagger-ui-dist's releases.

v5.32.5

5.32.5 (2026-04-27)

Bug Fixes

• deps: bump swagger-client to v3.37.3 (#10858) (74e48ce)
• style: markdown list items default text color in Dark Mode (#10790) (#10791) (3608eaa)

Reverts

• Revert "Accessibility: Easier to access Authorization (#10692)" (#10850) (8d17c78)

v5.32.4

5.32.4 (2026-04-15)

Bug Fixes

• authorization: increase backdrop z-index (#10831) (fd08fe8)
• docker: upgrade alpine packages to address HIGH severity CVEs (#10830) (095ee75)

v5.32.3

5.32.3 (2026-04-14)

Bug Fixes

• style: move button margin from right to left (#10696) (30279ef)

Performance Improvements

• operation: limit number of rerenders (#10796) (68f6fde)

v5.32.2

5.32.2 (2026-04-07)

Bug Fixes

• docker: bump libpng and zlib versions to fix CVE-2026-33416, CVE-2026-33636 and CVE-2026-22184 (#10802) (c200a69)

v5.32.1

5.32.1 (2026-03-17)

Bug Fixes

... (truncated)

Commits

• dcb493c chore(release): cut the 5.32.5 release
• 74e48ce fix(deps): bump swagger-client to v3.37.3 (#10858)
• 8d17c78 Revert "Accessibility: Easier to access Authorization (#10692)" (#10850)
• 3608eaa fix(style): markdown list items default text color in Dark Mode (#10790) (#10...
• 7ff52ab chore(deps): bump dompurify from 3.3.2 to 3.4.0 (#10843)
• 34d6186 chore(release): cut the 5.32.4 release
• fd08fe8 fix(authorization): increase backdrop z-index (#10831)
• 095ee75 fix(docker): upgrade alpine packages to address HIGH severity CVEs (#10830)
• 5717343 chore(release): cut the 5.32.3 release
• 685cba6 chore(deps): bump swagger-client to v3.37.2 (#10829)
• Additional commits viewable in compare view

Updates type-fest from 5.4.4 to 5.6.0

Release notes

Sourced from type-fest's releases.

v5.6.0

New types

• Absolute (#1391) 7761f91
• NonNullableDeep (#1401) 1e8bd10
• UnionLength (#1402) 49142db

Improvements

• Add splitOnPunctuation option to CamelCase / PascalCase / KebabCase / SnakeCase (#1394) 852d016
• CamelCase: Add preserveLeadingUnderscores option (#1404) 5ca6564
• TsConfigJson: Add TypeScript 6.0 fields (#1406) ac4861d
• UnionToTuple: Fix behavior with large unions (#1405) 651f7ea

---

sindresorhus/type-fest@v5.5.0...v5.6.0

v5.5.0

New types

• Optional (#1374) 9b52980
• ExcludeExactly (#1349) 0f923d0
• ArrayLength (#1344) 59bd056
• UnionMember (#1368) 878b6df
• SomeExtend (#1380) bbce298
• AndAll (#1383) 94aa3f8
• OrAll (#1378) 4c42d89

Improvements

• Add function parameter constraint examples to numeric comparison types (#1357) 24be93d
• UnionToTuple: Fix behavior when a union member is a supertype of another (#1349) 0f923d0
• ConditionalPickDeep: Fix returning {} instead of never when no keys match (#1360) 6af847a
• ConditionalPick: Fix returning {} instead of never when no keys match (#1359) 3995003
• GreaterThan / LessThan / GreaterThanOrEqual / LessThanOrEqual: Fix behavior with the number type (#1363) cfea505

---

sindresorhus/type-fest@v5.4.4...v5.5.0

Commits

• a549164 5.6.0
• 5ca6564 CamelCase: Add preserveLeadingUnderscores option (#1404)
• ac4861d TsConfigJson: Add TypeScript 6.0 fields (#1406)
• 49142db Add UnionLength type (#1402)
• 651f7ea UnionToTuple: Fix behavior with large unions (#1405)
• d0bbbbe Add lint rule to validate type descriptions in README (#1396)
• 1e8bd10 Add NonNullableDeep type (#1401)
• b390869 Meta tweaks
• 622c546 Minor tweaks
• 852d016 Add splitOnPunctuation option to {Camel,Pascal,Kebab,Snake}Cased types (#1394)
• Additional commits viewable in compare view

Updates validator from 13.15.26 to 13.15.35

Release notes

Sourced from validator's releases.

13.15.35

Fixes, New Locales and Enhancements

• #2663 isISO31661Alpha2/isISO31661Alpha3: add support for Kosovo (XK / XXK) @​johanpoirier-d4
• #2661 isHexColor: ignore non-object options @​yuna0831
• isTaxID
  • #2644 improve pt-BR locale by adding support for alphanumeric CNPJ format @​easedu
  • #2675 improve pt-BR locale by adding support for formatted CPF values @​easedu
• #2643 isPassportNumber: improve MX locale @​jesroffrouk
• #2676 isMobilePhone: add fr-DJ locale @​Kartikeya-guthub
• #2682 isPostalCode: add MC locale @​moogblob
• #2690 isJSON: allow any valid JSON value to pass @​relu91
• #2693 isSlug: restrict allowed characters to valid slug charset @​Shrawak
• Doc fixes and others:
  • #2658 @​Manaskarthik28
  • #2592 @​noritaka1166
  • #2591 @​noritaka1166

New Contributors

• @​Manaskarthik28 made their first contribution in validatorjs/validator.js#2658
• @​johanpoirier-d4 made their first contribution in validatorjs/validator.js#2663
• @​yuna0831 made their first contribution in validatorjs/validator.js#2661
• @​easedu made their first contribution in validatorjs/validator.js#2644
• @​jesroffrouk made their first contribution in validatorjs/validator.js#2643
• @​Kartikeya-guthub made their first contribution in validatorjs/validator.js#2676
• @​moogblob made their first contribution in validatorjs/validator.js#2682
• @​noritaka1166 made their first contribution in validatorjs/validator.js#2592
• @​relu91 made their first contribution in validatorjs/validator.js#2690
• @​Shrawak made their first contribution in validatorjs/validator.js#2693

Full Changelog: validatorjs/validator.js@13.15.26...13.15.35

Changelog

Sourced from validator's changelog.

13.15.35

Fixes, New Locales and Enhancements

• #2663 isISO31661Alpha2/isISO31661Alpha3: add support for Kosovo (XK / XXK) @​johanpoirier-d4
• #2661 isHexColor: ignore non-object options @​yuna0831
• isTaxID
  • #2644 improve pt-BR locale by adding support for alphanumeric CNPJ format @​easedu
  • #2675 improve pt-BR locale by adding support for formatted CPF values @​easedu
• #2643 isPassportNumber: improve MX locale @​jesroffrouk
• #2676 isMobilePhone: add fr-DJ locale @​Kartikeya-guthub
• #2682 isPostalCode: add MC locale @​moogblob
• #2690 isJSON: allow any valid JSON value to pass @​relu91
• #2693 isSlug: restrict allowed characters to valid slug charset @​Shrawak
• Doc fixes and others:
  • #2658 @​Manaskarthik28
  • #2592 @​noritaka1166
  • #2591 @​noritaka1166

Commits

• 7a80797 maintenance: 2604 release (#2695)
• 941db7f fix(isSlug): restrict allowed characters to valid slug charset (#2693)
...

Description has been truncated