Bump the npm_and_yarn group across 4 directories with 4 updates

[dependabot]

Bumps the npm_and_yarn group with 3 updates in the /chittyassets directory: @anthropic-ai/claude-code, qs and fast-xml-parser.
Bumps the npm_and_yarn group with 3 updates in the /chittychain directory: qs, fast-xml-parser and socket.io-parser.
Bumps the npm_and_yarn group with 1 update in the /chittychronicle directory: fast-xml-parser.
Bumps the npm_and_yarn group with 1 update in the /chittytrust directory: @anthropic-ai/claude-code.

Updates @anthropic-ai/claude-code from 2.1.7 to 2.1.53

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.53

What's changed

• Fixed a UI flicker where user input would briefly disappear after submission before the message rendered
• Fixed bulk agent kill (ctrl+f) to send a single aggregate notification instead of one per agent, and to properly clear the command queue
• Fixed graceful shutdown sometimes leaving stale sessions when using Remote Control by parallelizing teardown network calls
• Fixed --worktree sometimes being ignored on first launch
• Fixed a panic ("switch on corrupted value") on Windows
• Fixed a crash that could occur when spawning many processes on Windows
• Fixed a crash in the WebAssembly interpreter on Linux x64 & Windows x64
• Fixed a crash that sometimes occurred after 2 minutes on Windows ARM64

v2.1.52

What's changed

• VS Code: Fixed extension crash on Windows ("command 'claude-vscode.editor.openLast' not found")

v2.1.51

What's changed

• Added claude remote-control subcommand for external builds, enabling local environment serving for all users.
• Updated plugin marketplace default git timeout from 30s to 120s and added CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS to configure.
• Added support for custom npm registries and specific version pinning when installing plugins from npm sources
• BashTool now skips login shell (-l flag) by default when a shell snapshot is available, improving command execution performance. Previously this required setting CLAUDE_BASH_NO_LOGIN=true.
• Fixed a security issue where statusLine and fileSuggestion hook commands could execute without workspace trust acceptance in interactive mode.
• Tool results larger than 50K characters are now persisted to disk (previously 100K). This reduces context window usage and improves conversation longevity.
• Fixed a security issue where HTTP hooks could interpolate arbitrary environment variables from header values. Env var interpolation now requires an explicit allowedEnvVars list in the hook configuration.
• Fixed a bug where duplicate control_response messages (e.g. from WebSocket reconnects) could cause API 400 errors by pushing duplicate assistant messages into the conversation.
• Added CLAUDE_CODE_ACCOUNT_UUID, CLAUDE_CODE_USER_EMAIL, and CLAUDE_CODE_ORGANIZATION_UUID environment variables for SDK callers to provide account info synchronously, eliminating a race condition where early telemetry events lacked account metadata.
• Fixed slash command autocomplete crashing when a plugin's SKILL.md description is a YAML array or other non-string type
• HTTP hooks are now routed through the sandbox network proxy when sandboxing is enabled, enforcing the domain allowlist. HTTP hooks are not supported for SessionStart/Setup events.
• The /model picker now shows human-readable labels (e.g., "Sonnet 4.5") instead of raw model IDs for pinned model versions, with an upgrade hint when a newer version is available.

v2.1.50

What's changed

• Added support for startupTimeout configuration for LSP servers
• Added WorktreeCreate and WorktreeRemove hook events, enabling custom VCS setup and teardown when agent worktree isolation creates or removes worktrees.
• Fixed a bug where resumed sessions could be invisible when the working directory involved symlinks, because the session storage path was resolved at different times during startup. Also fixed session data loss on SSH disconnect by flushing session data before hooks and analytics in the graceful shutdown sequence.
• Linux: Fixed native modules not loading on systems with glibc older than 2.30 (e.g., RHEL 8)
• Fixed memory leak in agent teams where completed teammate tasks were never garbage collected from session state
• Fixed CLAUDE_CODE_SIMPLE to fully strip down skills, session memory, custom agents, and CLAUDE.md token counting
• Fixed /mcp reconnect freezing the CLI when given a server name that doesn't exist
• Fixed memory leak where completed task state objects were never removed from AppState
• Added support for isolation: worktree in agent definitions, allowing agents to declaratively run in isolated git worktrees.
• CLAUDE_CODE_SIMPLE mode now also disables MCP tools, attachments, hooks, and CLAUDE.md file loading for a fully minimal experience.
• Fixed bug where MCP tools were not discovered when tool search is enabled and a prompt is passed in as a launch argument
• Improved memory usage during long sessions by clearing internal caches after compaction
• Added claude agents CLI command to list all configured agents
• Improved memory usage during long sessions by clearing large tool results after they have been processed

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.79

• Added --console flag to claude auth login for Anthropic Console (API billing) authentication
• Added "Show turn duration" toggle to the /config menu
• Fixed claude -p hanging when spawned as a subprocess without explicit stdin (e.g. Python subprocess.run)
• Fixed Ctrl+C not working in -p (print) mode
• Fixed /btw returning the main agent's output instead of answering the side question when triggered during streaming
• Fixed voice mode not activating correctly on startup when voiceEnabled: true is set
• Fixed left/right arrow tab navigation in /permissions
• Fixed CLAUDE_CODE_DISABLE_TERMINAL_TITLE not preventing terminal title from being set on startup
• Fixed custom status line showing nothing when workspace trust is blocking it
• Fixed enterprise users being unable to retry on rate limit (429) errors
• Fixed SessionEnd hooks not firing when using interactive /resume to switch sessions
• Improved startup memory usage by ~18MB across all scenarios
• Improved non-streaming API fallback with a 2-minute per-attempt timeout, preventing sessions from hanging indefinitely
• CLAUDE_CODE_PLUGIN_SEED_DIR now supports multiple seed directories separated by the platform path delimiter (: on Unix, ; on Windows)
• [VSCode] Added /remote-control — bridge your session to claude.ai/code to continue from a browser or phone
• [VSCode] Session tabs now get AI-generated titles based on your first message
• [VSCode] Fixed the thinking pill showing "Thinking" instead of "Thought for Ns" after a response completes
• [VSCode] Fixed missing session diff button when opening sessions from the left sidebar

2.1.78

• Added StopFailure hook event that fires when the turn ends due to an API error (rate limit, auth failure, etc.)
• Added ${CLAUDE_PLUGIN_DATA} variable for plugin persistent state that survives plugin updates; /plugin uninstall prompts before deleting it
• Added effort, maxTurns, and disallowedTools frontmatter support for plugin-shipped agents
• Terminal notifications (iTerm2/Kitty/Ghostty popups, progress bar) now reach the outer terminal when running inside tmux with set -g allow-passthrough on
• Response text now streams line-by-line as it's generated
• Fixed git log HEAD failing with "ambiguous argument" inside sandboxed Bash on Linux, and stub files polluting git status in the working directory
• Fixed cc log and --resume silently truncating conversation history on large sessions (>5 MB) that used subagents
• Fixed infinite loop when API errors triggered stop hooks that re-fed blocking errors to the model
• Fixed deny: ["mcp__servername"] permission rules not removing MCP server tools before sending to the model, allowing it to see and attempt blocked tools
• Fixed sandbox.filesystem.allowWrite not working with absolute paths (previously required // prefix)
• Fixed /sandbox Dependencies tab showing Linux prerequisites on macOS instead of macOS-specific info
• Security: Fixed silent sandbox disable when sandbox.enabled: true is set but dependencies are missing — now shows a visible startup warning
• Fixed .git, .claude, and other protected directories being writable without a prompt in bypassPermissions mode
• Fixed ctrl+u in normal mode scrolling instead of readline kill-line (ctrl+u/ctrl+d half-page scroll moved to transcript mode only)
• Fixed voice mode modifier-combo push-to-talk keybindings (e.g. ctrl+k) requiring a hold instead of activating immediately
• Fixed voice mode not working on WSL2 with WSLg (Windows 11); WSL1/Win10 users now get a clear error
• Fixed --worktree flag not loading skills and hooks from the worktree directory
• Fixed CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS and includeGitInstructions setting not suppressing the git status section in the system prompt
• Fixed Bash tool not finding Homebrew and other PATH-dependent binaries when VS Code is launched from Dock/Spotlight
• Fixed washed-out Claude orange color in VS Code/Cursor/code-server terminals that don't advertise truecolor support
• Added ANTHROPIC_CUSTOM_MODEL_OPTION env var to add a custom entry to the /model picker, with optional _NAME and _DESCRIPTION suffixed vars for display
• Fixed ANTHROPIC_BETAS environment variable being silently ignored when using Haiku models
• Fixed queued prompts being concatenated without a newline separator
• Improved memory usage and startup time when resuming large sessions
• [VSCode] Fixed a brief flash of the login screen when opening the sidebar while already authenticated
• [VSCode] Fixed "API Error: Rate limit reached" when selecting Opus — model dropdown no longer offers 1M context variant to subscribers whose plan tier is unknown

... (truncated)

Commits

• 6e7f65e chore: Update CHANGELOG.md
• 8799bb0 Merge pull request #28243 from anthropics/oct/non-write-users-check
• 05a2bde chore: Update CHANGELOG.md
• 3c917df Add non-write users check workflow
• 8f0fe03 chore: Update CHANGELOG.md
• baf29b8 chore: Update CHANGELOG.md
• 6aecb15 chore: Update CHANGELOG.md
• 76826f2 Merge pull request #27911 from anthropics/oct/use-label-script-for-triage
• 3592c8b Use wrapper script for label operations in issue triage
• 3ad3231 chore: Update CHANGELOG.md
• Additional commits viewable in compare view

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates fast-xml-parser from 4.5.4 to 5.5.6

Release notes

Sourced from fast-xml-parser's releases.

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

New Contributors

• @​Drarig29 made their first contribution in NaturalIntelligence/fast-xml-parser#787

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.6 / 2026-03-16

• update builder dependency
• fix incorrect regex to replace . in entity name
• fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

• sanitize dangerous tag or attribute name
• error on critical property name
• support onDangerousProperty option

5.5.4 / 2026-03-13

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

• upgrade builder

5.5.2 / 2026-03-11

• update dependency to fix typings

5.5.1 / 2026-03-10

• fix dependency

5.5.0 / 2026-03-10

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

5.4.2 / 2026-03-03

• support maxEntityCount option

5.4.1 / 2026-02-25

• fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

• migrate to fast-xml-builder

5.3.9 / 2026-02-25

• support strictReservedNames

5.3.8 / 2026-02-25

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies

5.3.7 / 2026-02-20

... (truncated)

Commits

• 870043e update release info
• 6df401e update builder dependency
• bd26122 check for entitiy expansion for lastEntities and html entities too
• 7e70dd8 fix incorrect regex to replace . in entity name
• e54155f update package info
• 3308fd7 handle critical properties
• 0500f6b refactor
• ea07bb2 declare Matcher & Expression as unknown
• 0a4dc92 upgrade builder
• e0a14f7 update dependency to fix typings
• Additional commits viewable in compare view

Updates qs from 6.13.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

6.14.1

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

• [New] parse: add throwOnParameterLimitExceeded option (#517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

6.13.3

[Fix] fix regressions from robustness refactor [actions] update reusable workflows

6.13.2

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

6.13.1

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup

... (truncated)

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates fast-xml-parser from 5.4.1 to 5.5.6

Release notes

Sourced from fast-xml-parser's releases.

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

New Contributors

• @​Drarig29 made their first contribution in NaturalIntelligence/fast-xml-parser#787

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.6 / 2026-03-16

• update builder dependency
• fix incorrect regex to replace . in entity name
• fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

• sanitize dangerous tag or attribute name
• error on critical property name
• support onDangerousProperty option

5.5.4 / 2026-03-13

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

• upgrade builder

5.5.2 / 2026-03-11

• update dependency to fix typings

5.5.1 / 2026-03-10

• fix dependency

5.5.0 / 2026-03-10

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

5.4.2 / 2026-03-03

• support maxEntityCount option

5.4.1 / 2026-02-25

• fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

• migrate to fast-xml-builder

5.3.9 / 2026-02-25

• support strictReservedNames

5.3.8 / 2026-02-25

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies

5.3.7 / 2026-02-20

... (truncated)

Commits

• 870043e update release info
• 6df401e update builder dependency
• bd26122 check for entitiy expansion for lastEntities and html entities too
• 7e70dd8 fix incorrect regex to replace . in entity name
• e54155f update package info
• 3308fd7 handle critical properties
• 0500f6b refactor
• ea07bb2 declare Matcher & Expression as unknown
• 0a4dc92 upgrade builder
• e0a14f7 update dependency to fix typings
• Additional commits viewable in compare view

Updates socket.io-parser from 4.2.4 to 4.2.6

Release notes

Sourced from socket.io-parser's releases.

socket.io-parser@4.2.6

This release includes a fix for CVE-2026-33151. Please upgrade as soon as possible.

Bug Fixes

• add a limit to the number of binary attachments (b25738c)

socket.io-parser@4.2.5

This release contains a bump of debug from ~4.3.1 to ~4.4.1.

Commits

• 522edcd chore(release): socket.io-parser@4.2.6
• 3fff7ca fix(parser): add a limit to the number of binary attachments
• 37aad11 fix: cleanup pending acks on timeout to prevent memory leak
• ba9cd69 revert: fix: cleanup pending acks on timeout to prevent memory leak
• 84c2fb7 chore(release): engine.io@6.6.6
• 07cbe15 fix(eio): add @​types/ws as dependency (#5458)
• 44ed73f fix(eio): emit initial_headers and headers events in uServer (#5460)
• da04267 fix: cleanup pending acks on timeout to prevent memory leak (#5442)
• 74599a6 fix(types): properly import http module
• d48718c ci: use actions/checkout@v6 and actions/setup-node@v6 (#5449)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for socket.io-parser since your current version.

Updates fast-xml-parser from 4.5.4 to 5.5.6

Release notes

Sourced from fast-xml-parser's releases.

fix entity expansion and incorrect replacement and performance

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.5...v5.5.6

support onDangerousProperty

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.3...v5.5.5

update dependecies to fix typings

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.1...v5.5.2

integrate path-expression-matcher

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

New Contributors

• @​Drarig29 made their first contribution in NaturalIntelligence/fast-xml-parser#787

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.5.6 / 2026-03-16

• update builder dependency
• fix incorrect regex to replace . in entity name
• fix check for entitiy expansion for lastEntities and html entities too

5.5.5 / 2026-03-13

• sanitize dangerous tag or attribute name
• error on critical property name
• support onDangerousProperty option

5.5.4 / 2026-03-13

• declare Matcher & Expression as unknown so user is not forced to install path-expression-matcher

5.5.3 / 2026-03-11

• upgrade builder

5.5.2 / 2026-03-11

• update dependency to fix typings

5.5.1 / 2026-03-10

• fix dependency

5.5.0 / 2026-03-10

• support path-expression-matcher
• fix: stopNode should not be parsed
• performance improvement for stopNode checking

5.4.2 / 2026-03-03

• support maxEntityCount option

5.4.1 / 2026-02-25

• fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

• migrate to fast-xml-builder

5.3.9 / 2026-02-25

• support strictReservedNames

5.3.8 / 2026-02-25

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies

5.3.7 / 2026-02-20

... (truncated)

Commits

• 870043e update release info
• 6df401e update builder dependency
• bd26122 check for entitiy expansion for lastEntities and html entities too
• 7e70dd8 fix incorrect regex to replace . in entity name
• e54155f update package info
• 3308fd7 handle critical properties
• 0500f6b refactor
• ea07bb2 declare Matcher & Expression as unknown
• 0a4dc92 upgrade builder
• e0a14f7 update dependency to fix typings
• Additional commits viewable in compare view

Updates @anthropic-ai/claude-code from 2.1.7 to 2.1.53

Release notes

Sourced from @​anthropic-ai/claude-code's releases.

v2.1.53

What's changed

• Fixed a UI flicker where user input would briefly disappear after submission before the message rendered
• Fixed bulk agent kill (ctrl+f) to send a single aggregate notification instead of one per agent, and to properly clear the command queue
• Fixed graceful shutdown sometimes leaving stale sessions when using Remote Control by parallelizing teardown network calls
• Fixed --worktree sometimes being ignored on first launch
• Fixed a panic ("switch on corrupted value") on Windows
• Fixed a crash that could occur when spawning many processes on Windows
• Fixed a crash in the WebAssembly interpreter on Linux x64 & Windows x64
• Fixed a crash that sometimes occurred after 2 minutes on Windows ARM64

v2.1.52

What's changed

• VS Code: Fixed extension crash on Windows ("command 'claude-vscode.editor.openLast' not found")

v2.1.51

What's changed

• Added claude remote-control subcommand for external builds, enabling local environment serving for all users.
• Updated plugin marketplace default git timeout from 30s to 120s and added CLAUDE_CODE_PLUGIN_GIT_TIMEOUT_MS to configure.
• Added support for custom npm registries and specific version pinning when installing plugins from npm sources
• BashTool now skips login shell (-l flag) by default when a shell snapshot is available, improving command execution performance. Previously this required setting CLAUDE_BASH_NO_LOGIN=true.
• Fixed a security issue where statusLine and fileSuggestion hook commands could execute without workspace trust acceptance in interactive mode.
• Tool results larger than 50K characters are now persisted to disk (previously 100K). This reduces context window usage and improves conversation longevity.
• Fixed a security issue where HTTP hooks could interpolate arbitrary environment variables from header values. Env var interpolation now requires an explicit allowedEnvVars list in the hook configuration.
• Fixed a bug where duplicate control_response messages (e.g. from WebSocket reconnects) could cause API 400 errors by pushing duplicate assistant messages into the conversation.
• Added CLAUDE_CODE_ACCOUNT_UUID, CLAUDE_CODE_USER_EMAIL, and CLAUDE_CODE_ORGANIZATION_UUID environment variables for SDK callers to provide account info synchronously, eliminating a race condition where early telemetry events lacked account metadata.
• Fixed slash command autocomplete crashing when a plugin's SKILL.md description is a YAML array or other non-string type
• HTTP hooks are now routed through the sandbox network proxy when sandboxing is enabled, enforcing the domain allowlist. HTTP hooks are not supported for SessionStart/Setup events.
• The /model picker now shows human-readable labels (e.g., "Sonnet 4.5") instead of raw model IDs for pinned model versions, with an upgrade hint when a newer version is available.

v2.1.50

What's changed

• Added support for startupTimeout configuration for LSP servers
• Added WorktreeCreate and WorktreeRemove hook events, enabling custom VCS setup and teardown when agent worktree isolation creates or removes worktrees.
• Fixed a bug where resumed sessions could be invisible when the working directory involved symlinks, because the session storage path was resolved at different times during startup. Also fixed session data loss on SSH disconnect by flushing session data before hooks and analytics in the graceful shutdown sequence.
• Linux: Fixed native modules not loading on systems with glibc older than 2.30 (e.g., RHEL 8)
• Fixed memory leak in agent teams where completed teammate tasks were never garbage collected from session state
• Fixed CLAUDE_CODE_SIMPLE to fully strip down skills, session memory, custom agents, and CLAUDE.md token counting
• Fixed /mcp reconnect freezing the CLI when given a server name that doesn't exist
• Fixed memory leak where completed task state objects were never removed from AppState
• Added support for isolation: worktree in agent definitions, allowing agents to declaratively run in isolated git worktrees.
• CLAUDE_CODE_SIMPLE mode now also disables MCP tools, attachments, hooks, and CLAUDE.md file loading for a fully minimal experience.
• Fixed bug where MCP tools were not discovered when tool search is enabled and a prompt is passed in as a launch argument
• Improved memory usage during long sessions by clearing internal caches after compaction
• Added claude agents CLI command to list all configured agents
• Improved memory usage during long sessions by clearing large tool results after they have been processed

... (truncated)

Changelog

Sourced from @​anthropic-ai/claude-code's changelog.

2.1.79

• Added --console flag to claude auth login for Anthropic Console (API billing) authentication
• Added "Show turn duration" toggle to the /config menu
• Fixed claude -p hanging when spawned as a subprocess without explicit stdin (e.g. Python subprocess.run)
• Fixed Ctrl+C not working in -p (print) mode
• Fixed /btw returning the main agent's output instead of answering the side question when triggered during streaming
• Fixed voice mode not activating correctly on startup when voiceEnabled: true is set
• Fixed left/right arrow tab navigation in /permissions
• Fixed CLAUDE_CODE_DISABLE_TERMINAL_TITLE not preventing terminal title from being set on startup
• Fixed custom status line showing nothing when workspace trust is blocking it
• Fixed enterprise users being unable to retry on rate limit (429) errors
• Fixed SessionEnd hooks not firing when using interactive /resume to switch sessions
• Improved startup memory usage by ~18MB across all scenarios
• Improved non-streaming API fallback with a 2-minute per-attempt timeout, preventing sessions from hanging indefinitely
• CLAUDE_CODE_PLUGIN_SEED_DIR now supports multiple seed directories separated by the platform path delimiter (: on Unix, ; on Windows)
• [VSCode] Added /remote-control — bridge your session to claude.ai/code to continue from a browser or phone
• [VSCode] Session tabs now get AI-generated titles based on your first message
• [VSCode] Fixed the thinking pill showing "Thinking" instead of "Thought for Ns" after a response completes
• [VSCode] Fixed missing session diff button when opening sessions from the left sidebar

2.1.78

• Added StopFailure hook event that fires when the turn ends due to an API error (rate limit, auth failure, etc.)
• Added ${CLAUDE_PLUGIN_DATA} variable for plugin persistent state that survives plugin updates; /plugin uninstall prompts before deleting it
• Added effort, maxTurns, and disallowedTools frontmatter support for plugin-shipped agents
• Terminal notifications (iTerm2/Kitty/Ghostty popups, progress bar) now reach the outer terminal when running inside tmux with set -g allow-passthrough on
• Response text now streams line-by-line as it's generated
• Fixed git log HEAD failing with "ambiguous argument" inside sandboxed Bash on Linux, and stub files polluting git status in the working directory
• Fixed cc log and --resume silently truncating conversation history on large sessions (>5 MB) that used subagents
• Fixed infinite loop when API errors triggered stop hooks that re-fed blocking errors to the model
• Fixed deny: ["mcp__servername"] permission rules not removing MCP server tools before sending to the model, allowing it to see and attempt blocked tools
• Fixed sandbox.filesystem.allowWrite not working with absolute paths (previously required // prefix)
• Fixed /sandbox Dependencies tab showing Linux prerequisites on macOS instead of macOS-specific info
• Security: Fixed silent sandbox disable when sandbox.enabled: true is set but dependencies are missing — now shows a visible startup warning
• Fixed .git, .claude, and other protected directories being writable without a prompt in bypassPermissions mode
• Fixed ctrl+u in normal mode scrolling instead of readline kill-line (ctrl+u/ctrl+d half-page scroll moved to transcript mode only)
• Fixed voice mode modifier-combo push-to-talk keybindings (e.g. ctrl+k) requiring a hold instead of activating immediately
• Fixed voice mode not working on WSL2 with WSLg (Windows 11); WSL1/Win10 users now get a clear error
• Fixed --worktree flag not loading skills and hooks from the worktree directory
• Fixed CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS and includeGitInstructions setting not suppressing the git status section in the system prompt
• Fixed Bash tool not finding Homebrew and other PATH-dependent binaries when VS Code is launched from Dock/Spotlight
• Fixed washed-out Claude orange color in VS Code/Cursor/code-server terminals that don't advertise truecolor support
• Added ANTHROPIC_CUSTOM_MODEL_OPTION env var to add a custom entry to the /model picker, with optional _NAME and _DESCRIPTION suffixed vars for display
• Fixed ANTHROPIC_BETAS environment variable being silently ignored when using Haiku models
• Fixed queued prompts being concatenated without a newline separator
• Improved memory usage and star...

  Description has been truncated

[dependabot]

Superseded by #32.