build(deps): bump the npm_and_yarn group across 6 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 5 updates in the /business-strategy-cms directory:

Package	From	To
multer	2.0.2	2.1.1
ajv	6.12.6	6.14.0
fast-xml-parser	5.3.5	5.4.2
minimatch	3.1.2	3.1.5
qs	6.14.1	6.14.2

Bumps the npm_and_yarn group with 1 update in the /docker/alert-receiver directory: qs.
Bumps the npm_and_yarn group with 2 updates in the /mcp-servers/linear-mcp directory: express-rate-limit and hono.
Bumps the npm_and_yarn group with 3 updates in the /src/integrations/react directory: devalue, rollup and svgo.
Bumps the npm_and_yarn group with 1 update in the /tests/integration directory: rollup.
Bumps the npm_and_yarn group with 2 updates in the /tests/security directory: ajv and minimatch.

Updates multer from 2.0.2 to 2.1.1

Release notes

Sourced from multer's releases.

v2.1.1

Important

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)

What's Changed

• chore: add node version to 25.x in CI by @​imangas in expressjs/multer#1372
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @​dependabot[bot] in expressjs/multer#1378
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 by @​dependabot[bot] in expressjs/multer#1377
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 by @​dependabot[bot] in expressjs/multer#1376
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 by @​dependabot[bot] in expressjs/multer#1375
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 by @​dependabot[bot] in expressjs/multer#1374
• fix error/abort handling by @​ctcpip in expressjs/multer#1373
• 2.1.1 by @​UlisesGascon in expressjs/multer#1380

New Contributors

• @​imangas made their first contribution in expressjs/multer#1372
• @​dependabot[bot] made their first contribution in expressjs/multer#1378

Full Changelog: expressjs/multer@v2.1.0...v2.1.1

v2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @​bjohansebas in expressjs/multer#1346
• chore: drop mkdirp dependency by @​wojtekmaj in expressjs/multer#1350
• chore: drop object-assign dependency by @​wojtekmaj in expressjs/multer#1351
• chore: drop xtend dependency by @​wojtekmaj in expressjs/multer#1352
• chore(gitignore): ignore .nyc_output directory by @​ShubhamOulkar in expressjs/multer#1332
• Fix typo in README-vi.md regarding file upload by @​Kunniii in expressjs/multer#1366
• Fix typo in README-pt-br.md for array method by @​matheushbm192 in expressjs/multer#1367
• headers-support-utf8 by @​Doc999tor in expressjs/multer#1210
• Add Turkish translation (README-tr.md) by @​Sabandogan in expressjs/multer#1360
• Release: 2.1.0 by @​UlisesGascon in expressjs/multer#1371

New Contributors

• @​wojtekmaj made their first contribution in expressjs/multer#1350
• @​ShubhamOulkar made their first contribution in expressjs/multer#1332
• @​Kunniii made their first contribution in expressjs/multer#1366
• @​matheushbm192 made their first contribution in expressjs/multer#1367
• @​Doc999tor made their first contribution in expressjs/multer#1210
• @​Sabandogan made their first contribution in expressjs/multer#1360

Full Changelog: expressjs/multer@v2.0.2...v2.1.0

Changelog

Sourced from multer's changelog.

2.1.1

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

2.1.0

• Add defParamCharset option for UTF-8 filename support (#1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

Commits

• 368c8a1 2.1.1 (#1380)
• 7e66481 🐛 fix recursion issue
• 643571e ✅ add explicit test for client able to send body without abrupt disconnect
• e86fa52 fix error/abort handling
• ca37779 chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
• 13088f4 chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
• bc6a1d1 chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
• c496e93 chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
• fa173d3 chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
• 17d7f51 chore: add node version to 25.x in CI
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates fast-xml-parser from 5.3.5 to 5.4.2

Release notes

Sourced from fast-xml-parser's releases.

Separate Builder

XML Builder was the part of fast-xml-parser for years. But considering that any bug in builder may false-alarm the users who are only using parser and vice-versa, we have decided to split it into a separate package.

Migration

To migrate to fast-xml-builder;

From

import { XMLBuilder } from "fast-xml-parser";

To

import  XMLBuilder  from "fast-xml-builder";

XMLBuilder will be removed from current package in any next major version of this library. So better to migrate.

support strictReservedNames

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.9...v5.3.9

handle non-array input for XML builder && support maxNestedTags

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.7...v5.3.8

CJS typing fix

What's Changed

• Unexport X2jOptions at declaration site by @​Drarig29 in NaturalIntelligence/fast-xml-parser#787

New Contributors

• @​Drarig29 made their first contribution in NaturalIntelligence/fast-xml-parser#787

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.6...v5.3.7

Entity security and performance

• Improve security and performance of entity processing
  • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
  • fast return when no edtity is present
  • improvement replacement logic to reduce number of calls

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.3.5...v5.3.6

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.4.2 / 2026-03-03

• support maxEntityCount option

5.4.1 / 2026-02-25

• fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

• migrate to fast-xml-builder

5.3.9 / 2026-02-25

• support strictReservedNames

5.3.8 / 2026-02-25

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies

5.3.7 / 2026-02-20

• fix typings for CJS (By Corentin Girard)

5.3.6 / 2026-02-14

• Improve security and performance of entity processing
  • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
  • fast return when no edtity is present
  • improvement replacement logic to reduce number of calls

5.3.5 / 2026-02-08

• fix: Escape regex char in entity name
• update strnum to 2.1.2
• add missing exports in CJS typings

5.3.4 / 2026-01-30

• fix: handle HTML numeric and hex entities when out of range

5.3.3 / 2025-12-12

• fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute

5.3.2 / 2025-11-14

• fix for import statement for v6

5.3.1 / 2025-11-03

... (truncated)

Commits

• 44af544 update release info
• 3abdca9 support maxEntityCount
• f95852a update changelog
• 4e7ca80 update release info
• 36023b4 fix (#785) unpairedTag node should not have tag content
• b366026 separate builder
• 6f333a8 update release info
• c3ffbab support strictReservedNames
• c692040 update release info
• 107e34c avoid {} to create an empty object
• Additional commits viewable in compare view

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates qs from 6.14.1 to 6.15.0

Changelog

Sourced from qs's changelog.

6.14.2

• [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
• [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
• [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
• [Fix] parse: enforce arrayLimit on comma-parsed values
• [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
• [Robustness] avoid .push, use void
• [readme] document that addQueryPrefix does not add ? to empty output (#418)
• [readme] clarify parseArrays and arrayLimit documentation (#543)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [meta] fix changelog typo (arrayLength → arrayLimit)
• [actions] fix rebase workflow permissions

Commits

• bdcf0c7 v6.14.2
• 294db90 [readme] document that addQueryPrefix does not add ? to empty output
• 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
• 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
• cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
• febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
• f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
• fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
• 1b9a8b4 [actions] fix rebase workflow permissions
• 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
• Additional commits viewable in compare view

Updates express-rate-limit from 8.2.1 to 8.3.0

Release notes

Sourced from express-rate-limit's releases.

v8.3.0

You can view the changelog here.

Commits

• 9c90752 ci: setup oidc connect with npm for automatatic publish
• e4477fa 8.3.0
• 06d7340 docs: add changelog for 8.3.0
• 14e5388 fix: handle ipv4 mapped to ipv6 (GHSA-46wh-pxpv-q5gq)
• 2767a95 chore(deps-dev): bump the development-dependencies group across 1 directory w...
• f400c7f chore(deps-dev): bump the development-dependencies group with 2 updates (#603)
• 4e4884c chore(deps-dev): bump the development-dependencies group across 1 directory w...
• fadbccb formatting
• 7b57b95 biome migration
• 88a1f7f docs: typo fix
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by gamemaker1, a new releaser for express-rate-limit since your current version.

Attestation changes

This version has no provenance attestation, while the previous version (8.2.1) was attested. Review the package versions before updating.

Updates hono from 4.11.9 to 4.12.5

Release notes

Sourced from hono's releases.

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in honojs/hono#4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in honojs/hono#4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in honojs/hono#4781

New Contributors

• @​andrewdamelio made their first contribution in honojs/hono#4723
• @​otoneko1102 made their first contribution in honojs/hono#4752
• @​gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

---

Other changes

• fix(client): preserve route schema in ApplyGlobalResponse by @​agumy in honojs/hono#4777
• fix(utils/url): specify the return type of tryDecodeURI by @​yusukebe in honojs/hono#4779

New Contributors

• @​agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

What's Changed

• fix(validator): prevent type diff bug in form data parsing by @​EdamAme-x in honojs/hono#4753
• fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @​EdamAme-x in honojs/hono#4754
• fix(jwt): fix JwtVariables for ContextVariableMap by @​yusukebe in honojs/hono#4764

... (truncated)

Commits

• 18cc595 4.12.5
• 5d59ac7 chore(eslint): upgrade @hono/eslint-config (#4781)
• b8cff18 fix(jsx): Fix "Invalid state: Controller is already closed" (#4770)
• 8c4d7f3 fix(jwt): validate token format in decode and decodeHeader functions (#4752)
• 0f49915 fix(request): return string | undefined from param() when path type is any ...
• 19d20d2 4.12.4
• 44ae0c8 Merge commit from fork
• f4123ed Merge commit from fork
• 80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
• 6a0607a Merge commit from fork
• Additional commits viewable in compare view

Updates devalue from 5.6.2 to 5.6.3

Release notes

Sourced from devalue's releases.

v5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

Changelog

Sourced from devalue's changelog.

5.6.3

Patch Changes

• 0f04d4d: fix: Properly handle __proto__
• 819f1ac: fix: better encoding for sparse arrays

Commits

• a4a37d2 Version Packages (#132)
• 819f1ac Merge commit from fork
• 0f04d4d Merge commit from fork
• See full diff in compare view

Updates rollup from 4.56.0 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)
• #6252: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6253: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6254: Fully include dynamic imports in a try-catch (@​lukastaegert)

... (truncated)

Commits

• ae84695 4.59.0
• b39616e Update audit-resolve
• c60770d Validate bundle stays within output dir (#6275)
• 33f39c1 4.58.0
• b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
• 7f00689 Extend agent instructions
• e7b2b85 chore(deps): lock file maintenance (#6270)
• 2aa5da9 fix(deps): update minor/patch updates (#6267)
• 4319837 chore(deps): update dependency lru-cache to v11 (#6269)
• c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)
• Additional commits viewable in compare view

Updates svgo from 4.0.0 to 4.0.1

Release notes

Sourced from svgo's releases.

v4.0.1

What's Changed

Dependencies

• Sets minimum version of sax (XML parser) to v1.5.0, which improves built-in guards against entity expansion.

Bug Fixes

• removeEmptyContainers, removed leftover <use> elements referencing an empty container that were removed. By @​johnkenny54 in svg/svgo#2051
• removeUnknownsAndDefaults, don't remove attributes if they're referenced in attribute selectors (CSS). By @​SethFalco in svg/svgo#2144

Performance

• convertPathData, refactor to reduce redundant equality checks. By @​Lorfdail in svg/svgo#1764 and svg/svgo#2135
• removeHiddenElems, compute styles lazily. By @​Lorfdail in svg/svgo#1764 and svg/svgo#2135

Other Changes

• Plugins no longer include if they are enabled or disabled by default, as this was written inconsistently. The --show-plugins argument appends the presets a plugin is in to the end of the line. By @​viralcodex in svg/svgo#2174
• Plugin/preset types to enforce the name start with preset- if it is a preset (collection of plugins). By @​SethFalco in svg/svgo#2178

Metrics

Before and after of the browser bundle of each respective version:

	v4.0.0	v4.0.1	Delta
svgo.browser.js	780.2 kB	781.5 kB	⬆️ 1.3 kB

Commits

• e691f5f Merge commit from fork
• b1d9f1a chore(deps): bump actions/upload-artifact from 6 to 7 (#2202)
• d724af1 chore(deps): bump actions/checkout from 5 to 6 (#2195)
• 4114b32 chore(deps): bump actions/upload-artifact from 4 to 6 (#2196)
• c06d8f6 chore: upgrade js-yaml and glob (#2191)
• 26e86e5 fix: remove unused <use> elements when deleting empty symbols (#2051)
• 50c326b perf: optimiztions to reduce regression test runtime (#2135)
• 1f33cbe ci: separate regression tests and write delta report (#2190)
• 79a2167 ci: save test reports to artifacts (#2189)
• 0ae52a0 chore(deps): bump actions/setup-node from 5 to 6 (#2187)
• Additional commits viewable in compare view

Updates rollup from 4.53.3 to 4.59.0

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

• Throw when the generated bundle contains paths that would leave the output directory (#6276)

Pull Requests

• #6275: Validate bundle stays within output dir (@​lukastaegert)

v4.58.0

4.58.0

2026-02-20

Features

• Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

Pull Requests

• #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (@​njg7194, @​lukastaegert)
• #6259: docs: Correct typo and improve sentence structure in docs for output.experimentalMinChunkSize (@​millerick, @​lukastaegert)
• #6260: fix(deps): update rust crate swc_compiler_base to v47 (@​renovate[bot], @​lukastaegert)
• #6261: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6262: Avoid unnecessary cloning of the code string (@​lukastaegert)
• #6263: fix(deps): update minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6265: chore(deps): lock file maintenance (@​renovate[bot])
• #6267: fix(deps): update minor/patch updates (@​renovate[bot])
• #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (@​renovate[bot], @​lukastaegert)
• #6269: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6270: chore(deps): lock file maintenance (@​renovate[bot])
• #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (@​lukastaegert)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

• Fix heap corruption issue in Windows (#6251)
• Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

Pull Requests

• #6251: fix: Isolate and cache process.report.getReport() calls in a child process for robust environment detection (@​alan-agius4, @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-...

Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pixelated	Error		Mar 6, 2026 7:24pm