Bump the "pdfding" group with 3 updates across multiple ecosystems

[dependabot]

Bumps the pdfding group with 9 updates:

Package	From	To
django	5.2.12	5.2.13
django-allauth	65.15.0	65.15.1
gunicorn	25.1.0	25.3.0
nh3	0.3.3	0.3.4
pypdfium2	5.6.0	5.7.0
pypdf	6.9.2	6.10.0
rapidfuzz	3.14.3	3.14.5
pytest	9.0.2	9.0.3
pytest-cov	7.0.0	7.1.0

Updates django from 5.2.12 to 5.2.13

Commits

• 7d831a9 [5.2.x] Bumped version for 5.2.13 release.
• 49e1e2b [5.2.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ...
• 0b46789 [5.2.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.
• 397c220 [5.2.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ModelAdmin.li...
• 60ffa95 [5.2.x] Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelA...
• 1cc2a76 [5.2.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.
• 2a8a76a [5.2.x] Added stub release notes and release date for 5.2.13 and 4.2.30.
• 90924f5 [5.2.x] Bumped black to 26.3.1.
• 0ee44c6 [5.2.x] Applied Black's 2026 stable style.
• 89b4d94 [5.2.x] Combined scripts confirm_release.sh and test_new_version.sh into veri...
• Additional commits viewable in compare view

Updates django-allauth from 65.15.0 to 65.15.1

Commits

• See full diff in compare view

Updates gunicorn from 25.1.0 to 25.3.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 25.3.0

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2 ASGI requests, causing JSON parsing errors with "Extra data" messages (#3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string instead of list syntax (#3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112 (#3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented, instead of using default maximum. Works with both Python and fast C parser. (#3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

Gunicorn 25.2.0

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#3552, [PR #3554](benoitc/gunicorn#3554))

... (truncated)

Commits

• 9bce72c Update changelog with missing 25.3.0 changes
• 2a15fdb Fix pylint isinstance-second-argument-not-valid-type warning
• 8d08aaa Fix --limit-request-line 0 to mean unlimited
• d40a374 Fix pytest-asyncio configuration and treq_asgi hex escapes
• da8bd48 Remove unused AsyncRequest class
• b00f125 Integrate gunicorn_h1c 0.6.3 with InvalidChunkExtension support
• bdb2ebd Reject chunk extensions with bare CR bytes (RFC 9112)
• 7057fc9 Fix http_protocols documentation to use string syntax
• d43acb8 Update to gunicorn_h1c >= 0.6.2 for asgi_headers support
• cbd27e8 Merge pull request #3559 from benleembruggen/fix/http2-asgi-body-duplication
• Additional commits viewable in compare view

Updates nh3 from 0.3.3 to 0.3.4

Release notes

Sourced from nh3's releases.

v0.3.4

What's Changed

• Bump pyo3 from 0.28.1 to 0.28.2 by @​dependabot[bot] in messense/nh3#114
• Validate rel attribute conflict with link_rel by @​gghez in messense/nh3#117
• Expose default clean_content_tags as module constant by @​gghez in messense/nh3#118
• Accept frozenset and Mapping in type stubs by @​gghez in messense/nh3#119

New Contributors

• @​gghez made their first contribution in messense/nh3#117

Full Changelog: messense/nh3@v0.3.3...v0.3.4

Commits

• c2ddb81 Bump version to 0.3.4
• d19279a Accept frozenset and Mapping in type stubs (#119)
• b98f2c5 Expose default clean_content_tags as module constant (#118)
• 9fdfa76 Validate rel attribute conflict with link_rel (#117)
• 8af5eee Bump the github-actions group with 2 updates (#115)
• 613bdae Bump pyo3 from 0.28.1 to 0.28.2 (#114)
• 565c231 Bump pyo3 from 0.28.0 to 0.28.1 (#113)
• See full diff in compare view

Updates pypdfium2 from 5.6.0 to 5.7.0

Release notes

Sourced from pypdfium2's releases.

5.7.0

Changes (Release 5.7.0)

Summary (pypdfium2)

• PdfDocument: When encoding input filepath to UTF-8, use the surrogateescape error handler (except on Windows). This fixes loading some garbled filenames, where a default .encode("utf-8") call would raise UnicodeEncodeError. Thanks to Filipe Litaiff for the report.
• Simplified output string handling. Access buffer directly instead of buffer.raw. This might be more efficient.
• The CLI has moved from pypdfium2._cli to pypdfium2_cli, i.e. an own submodule. pypdfium2.__main__ and python3 -m pypdfium2 are deprecated. Use pypdfium2_cli.__main__ and python3 -m pypdfium2_cli or the pypdfium2 entrypoint instead. This has been necessary since a module's __main__.py implies its __init__.py, which gives us no chance to prepare before library init if __main__.py lives in the pypdfium2 module itself.
• Added new helper PdfSysfontBase. Wraps FPDF_SYSFONTINFO and related APIs. Callers can subclass from PdfSysfontBase to inspect or alter the way PDFium uses system fonts. This is a first step towards implementing a warning mechanism for missing system fonts or substitution. Thanks to scyyh11 for related proposals, and especially a hint on passing the right pointer in callbacks.
• Added PdfiumWarning (subclass of Warning). A PdfiumWarning is now issued on XFA forms load failure, with programmatic error code info, rather than just a log message.
• Added new submodule stub pypdfium2_cfg, which can be imported before pypdfium2 for init-time configuration. The DEBUG_AUTOCLOSE setting has been moved to this module. In the future, pypdfium2_cfg may be extended to give callers control over how pypdfium2 initializes PDFium (e.g. custom font paths).
• Split off pypdfium2_raw/version.py from pypdfium2/version.py, so that PDFIUM_INFO is now available from within pypdfium2_raw. This has been necessary to implement a target-specific workaround (see below).
• build_native.py: When GCC is used, we now declare a custom_toolchain, with environment passthrough.
  • First, this avoids inconsistency across different platforms in pdfium's build config, with some expecting just gcc and others an arch-prefixed variant. This makes build_native.py more likely to work out of the box, relieving callers from the necessity to create symlinks, including our internal cibuildwheel callers.
  • Second, this allows you to use a different version of GCC, or in fact any other compatible compiler, including clang, by setting CC, CXX and TOOLPREFIX. This makes --clang-as-gcc more straightforward to implement.
  • Also, extra CFLAGS, CPPFLAGS, CXXFLAGS and LDFLAGS are now honored in this build mode.
• Basic FreeBSD CI added (powered by cross-platform-actions), testing installation with libreoffice-pdfium.
  • On (Free)BSD with libreoffice-pdfium, pre-load implicit dependency libraries with mode=RTLD_GLOBAL to fix library load.

Commits between 5.6.0 and 5.7.0 (latest commit first):

• f2a5380 [autorelease main] update 5.7.0
• 77f58a1 Simplify sysfontinfo docs
• 27c3a63 Align doc param name with actual param name
• e3cc95c changelog: break some lines
• 3aefaa0 Reland "Try to give GH API request a token"
• 46795ee Revert "Try to give GH API request a token"
• 47dffe8 Try to fix macOS and python < 3.8
• de6a0d7 Try to give GH API request a token
• 3ca4b06 Satisfy check-wheel-contents
• 3d8423b Fix a typo that codespell didn't catch
• edaf6ab FPDF_SYSFONTINFO wrapper + other progress (#417)
• c085743 Move minitest script to utils/
• 640e3b0 minitest: register exit handler only after successful library init
• b85072a build(deps): bump extractions/setup-just from 3 to 4
• 0bec727 Bump cibuildwheel to v3.4.1

... (truncated)

Commits

• f2a5380 [autorelease main] update 5.7.0
• 77f58a1 Simplify sysfontinfo docs
• 27c3a63 Align doc param name with actual param name
• e3cc95c changelog: break some lines
• 3aefaa0 Reland "Try to give GH API request a token"
• 46795ee Revert "Try to give GH API request a token"
• 47dffe8 Try to fix macOS and python < 3.8
• de6a0d7 Try to give GH API request a token
• 3ca4b06 Satisfy check-wheel-contents
• 3d8423b Fix a typo that codespell didn't catch
• Additional commits viewable in compare view

Updates pypdf from 6.9.2 to 6.10.0

Release notes

Sourced from pypdf's releases.

Version 6.10.0, 2026-04-10

What's new

Security (SEC)

• Disallow custom XML entity declarations for XMP metadata (#3724) by @​stefan6419846

New Features (ENH)

• Skip MD5 key derivation for AES-256 encrypted PDFs (#3694) by @​Ygnas

Bug Fixes (BUG)

• Use remove_orphans in compress_identical_objects (#3310) by @​j-t-1
• Fix PdfReadError when xref table contains comments before trailer (#3710) by @​rassie
• Correctly verify AES padding during decryption (#3699) by @​stefan6419846
• Fix stale object cache from non-authoritative object streams (#3698) by @​astahlman
• Fix extract_links pairing when annotations include non-links (#3687) by @​ReinerBRO

Documentation (DOC)

• Add AI policy (#3717) by @​stefan6419846

Full Changelog

Changelog

Sourced from pypdf's changelog.

Version 6.10.0, 2026-04-10

Security (SEC)

• Disallow custom XML entity declarations for XMP metadata (#3724)

New Features (ENH)

• Skip MD5 key derivation for AES-256 encrypted PDFs (#3694)

Bug Fixes (BUG)

• Use remove_orphans in compress_identical_objects (#3310)
• Fix PdfReadError when xref table contains comments before trailer (#3710)
• Correctly verify AES padding during decryption (#3699)
• Fix stale object cache from non-authoritative object streams (#3698)
• Fix extract_links pairing when annotations include non-links (#3687)

Documentation (DOC)

• Add AI policy (#3717)

Full Changelog

Commits

• fd0aeca REL: 6.10.0
• b15a374 SEC: Disallow custom XML entity declarations for XMP metadata (#3724)
• d0d9de6 DEV: Update cryptography to 46.0.7 in ci.txt
• 1e0e5be DOC: Include policies about AI and PoCs into security policy
• 3155e04 Bump cryptography from 46.0.6 to 46.0.7 in /requirements (#3723)
• 696b978 DEV: Bump codecov/codecov-action from 5 to 6 (#3701)
• 5456731 TST: Extending typing to tests; cover generic and scripts folder files (#3660)
• e00505e DOC: Add AI policy (#3717)
• bd95bd8 Fix PdfReadError when xref table contains comments before trailer (#3710)
• f3f501b DEV: Update pygments version to 2.20.0 (#3707)
• Additional commits viewable in compare view

Updates rapidfuzz from 3.14.3 to 3.14.5

Release notes

Sourced from rapidfuzz's releases.

Release 3.14.5

Fixed

• fix release ci attempting to upload a pyodide wheel

Release 3.14.4

Added

• add risc64 wheels
• add support for taskflow 4.0.0

Changed

• upgrade to Cython==3.2.4.

Fixed

• fix type hints for extractOne when no score_cutoff is provided

Changelog

Sourced from rapidfuzz's changelog.

Changelog

[3.14.5] - 2026-08-07 ^^^^^^^^^^^^^^^^^^^^^ Fixed

* fix release ci attempting to upload a pyodide wheel
[3.14.4] - 2026-04-06
^^^^^^^^^^^^^^^^^^^^^
Added

• add risc64 wheels
• add support for taskflow 4.0.0

Changed

* upgrade to ``Cython==3.2.4``.
Fixed
* fix type hints for extractOne when no score_cutoff is provided
[3.14.3] - 2025-11-01

^^^^^^^^^^^^^^^^^^^^^

Fixed



add missing pypy and freethreaded linux wheels

Removed

• drop s390x and ppc64le wheels since they are virtually unused and require extremly long to build under emulation

[3.14.2] - 2025-10-30 ^^^^^^^^^^^^^^^^^^^^^ Changed

* upgrade to ``Cython==3.1.6``
* enable free threading
[3.14.1] - 2025-09-08
^^^^^^^^^^^^^^^^^^^^^
Fixed
* Fully disable line tracing in release builds
[3.14.0] - 2025-08-27

^^^^^^^^^^^^^^^^^^^^^

Changed

</tr></table>

</code></pre>

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/edf9f3c2d016c878dae1511301f8b4a501bba871&quot;&gt;&lt;code&gt;edf9f3c&lt;/code&gt;&lt;/a> fix release ci</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/3d8470bf60062dda5c200517f61a8ff43e3e9ef2&quot;&gt;&lt;code&gt;3d8470b&lt;/code&gt;&lt;/a> enable verbose publish</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/7fd4ee202b5e3cc9f158f505a33d934a68c14148&quot;&gt;&lt;code&gt;7fd4ee2&lt;/code&gt;&lt;/a> Bump the github-actions group across 1 directory with 3 updates</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/9691cf1bf985eaf59f6c968f3d7cd8e59054ebaa&quot;&gt;&lt;code&gt;9691cf1&lt;/code&gt;&lt;/a> tag release</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/fd16748843be7d1a4842604fa3429e3943e80e5c&quot;&gt;&lt;code&gt;fd16748&lt;/code&gt;&lt;/a> ci: switch riscv64 from QEMU to native RISE runner</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/7f7d58b91a2716eaaec939a72b476ab1bf1ead1b&quot;&gt;&lt;code&gt;7f7d58b&lt;/code&gt;&lt;/a> ci: add riscv64 wheel builds via QEMU</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/f4b56942bdbbb99bba556656ea8a0aef1e8c12f0&quot;&gt;&lt;code&gt;f4b5694&lt;/code&gt;&lt;/a> Bump pypa/cibuildwheel from 3.3.1 to 3.4.0 in the github-actions group</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/f2873ce9868285eca1d05d8645791d76a2b545fe&quot;&gt;&lt;code&gt;f2873ce&lt;/code&gt;&lt;/a> Bump the github-actions group across 1 directory with 3 updates</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/4e48509d858454ea994521f90ae8c5d66eb15073&quot;&gt;&lt;code&gt;4e48509&lt;/code&gt;&lt;/a> support Taskflow 4.0.0</li>

<li><a href="https://github.com/rapidfuzz/RapidFuzz/commit/70480396a66fadabd897407ce289978dec2c13c0&quot;&gt;&lt;code&gt;7048039&lt;/code&gt;&lt;/a> Bump the github-actions group across 1 directory with 4 updates</li>

<li>Additional commits viewable in <a href="https://github.com/rapidfuzz/RapidFuzz/compare/v3.14.3...v3.14.5&quot;&gt;compare view</a></li>

</ul>

</details>
<br />

Updates pytest from 9.0.2 to 9.0.3

Release notes
Sourced from pytest's releases.

9.0.3
pytest 9.0.3 (2026-04-07)
Bug fixes


#12444: Fixed pytest.approx which now correctly takes into account ~collections.abc.Mapping keys order to compare them.


#13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.
Previously this resulted in an internal assertion failure during plugin loading.
Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.


#13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.


#14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.


#14343: Fixed use of insecure temporary directory (CVE-2025-71176).


Improved documentation

#13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
#13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in Accessing captured output from a test function <accessing-captured-output>.
#14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
#14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes


#12689: The test reports are now published to Codecov from GitHub Actions.
The test statistics is visible on the web interface.
-- by aleguy02





Commits

a7d58d7 Prepare release version 9.0.3
089d981 Merge pull request #14366 from bluetech/revert-14193-backport
8127eaf Revert "Fix: assertrepr_compare respects dict insertion order (#14050) (#14193)"
99a7e60 Merge pull request #14363 from pytest-dev/patchback/backports/9.0.x/95d8423bd...
ddee02a Merge pull request #14343 from bluetech/cve-2025-71176-simple
74eac69 doc: Update training info (#14298) (#14301)
f92dee7 Merge pull request #14267 from pytest-dev/patchback/backports/9.0.x/d6fa26c62...
7ee58ac Merge pull request #12378 from Pierre-Sassoulas/fix-implicit-str-concat-and-d...
37da870 Merge pull request #14259 from mitre88/patch-4 (#14268)
c34bfa3 Add explanation for string context diffs (#14257) (#14266)
Additional commits viewable in compare view




Updates pytest-cov from 7.0.0 to 7.1.0

Changelog
Sourced from pytest-cov's changelog.

7.1.0 (2026-03-21)


Fixed total coverage computation to always be consistent, regardless of reporting settings.
Previously some reports could produce different total counts, and consequently can make --cov-fail-under behave different depending on
reporting options.
See [#641](https://github.com/pytest-dev/pytest-cov/issues/641) <https://github.com/pytest-dev/pytest-cov/issues/641>_.


Improve handling of ResourceWarning from sqlite3.
The plugin adds warning filter for sqlite3 ResourceWarning unclosed database (since 6.2.0).
It checks if there is already existing plugin for this message by comparing filter regular expression.
When filter is specified on command line the message is escaped and does not match an expected message.
A check for an escaped regular expression is added to handle this case.
With this fix one can suppress ResourceWarning from sqlite3 from command line::
pytest -W "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning" ...


Various improvements to documentation.
Contributed by Art Pelling in [#718](https://github.com/pytest-dev/pytest-cov/issues/718) <https://github.com/pytest-dev/pytest-cov/pull/718>_ and
"vivodi" in [#738](https://github.com/pytest-dev/pytest-cov/issues/738) <https://github.com/pytest-dev/pytest-cov/pull/738>.
Also closed [#736](https://github.com/pytest-dev/pytest-cov/issues/736) <https://github.com/pytest-dev/pytest-cov/issues/736>.


Fixed some assertions in tests.
Contributed by in Markéta Machová in [#722](https://github.com/pytest-dev/pytest-cov/issues/722) <https://github.com/pytest-dev/pytest-cov/pull/722>_.


Removed unnecessary coverage configuration copying (meant as a backup because reporting commands had configuration side-effects before coverage 5.0).





Commits

66c8a52 Bump version: 7.0.0 → 7.1.0
f707662 Make the examples use pypy 3.11.
6049a78 Make context test use the old ctracer (seems the new sysmon tracer behaves di...
8ebf20b Update changelog.
861d30e Remove the backup context manager  - shouldn't be needed since coverage 5.0, ...
fd4c956 Pass the precision on the nulled total (seems that there's some caching goion...
78c9c4e Only run the 3.9 on older deps.
4849a92 Punctuation.
197c35e Update changelog and hopefully I don't forget to publish release again :))
14dc1c9 Update examples to use 3.11 and make the adhoc layout example look a bit more...
Additional commits viewable in compare view




Bumps the pdfding group with 1 update: alpinejs.
Updates alpinejs from 3.15.8 to 3.15.11

Release notes
Sourced from alpinejs's releases.

v3.15.11
What's Changed

fix(csp): skip sharedStorage when enumerating globalThis properties by @​PierreBultez in alpinejs/alpine#4787
Fix x-trap.noscroll layout shift conflict with scrollbar-gutter by @​dotfrag in alpinejs/alpine#4512
Add support for [x-sort:handle] attributes defined in template tags by @​SimoTod in alpinejs/alpine#4483
Add x-anchor.noflip modifier by @​calebporzio in alpinejs/alpine#4791
Warn when x-for template has multiple root elements by @​calebporzio in alpinejs/alpine#4752
Fix $refs unavailable during morph (v3.15.9 regression) by @​calebporzio in alpinejs/alpine#4793

New Contributors

@​PierreBultez made their first contribution in alpinejs/alpine#4787
@​dotfrag made their first contribution in alpinejs/alpine#4512

Full Changelog: https://github.com/alpinejs/alpine/compare/v3.15.10...v3.15.11
v3.15.10
Fixed

Fix x-anchor crash during wire:navigate cleanup #4790

v3.15.9
What's Changed

fix(morph): close dialogs properly when removing open attribute by @​calebporzio in alpinejs/alpine#4739
Update tabbable and focus-trap dependencies in focus plugin by @​joshhanley in alpinejs/alpine#4737
feat(x-anchor): allow dynamic reference to be used with x-anchor by @​maximbelyayev in alpinejs/alpine#4735
Handle all types of whitespace in class lists, not just spaces by @​calebporzio in alpinejs/alpine#4743
docs: clearer variable name in x-bind example by @​calebporzio in alpinejs/alpine#4742
Fix x-model.parent when inside of x-teleport by @​willrowe in alpinejs/alpine#4676
feat: x-on.passive.false modifier by @​hirasso in alpinejs/alpine#4610
Add support for Set objects in x-for loop function by @​alfanzain in alpinejs/alpine#4672
Add support for custom options and cancelable $dispatch by @​nicolagianelli in alpinejs/alpine#4608
Fix how x-html handles undefined by @​willrowe in alpinejs/alpine#4555
move dependencies from monorepo root to correct packages by @​Igloczek in alpinejs/alpine#4550
Don't assign the normalEvaluator per default by @​JeroenBoersma in alpinejs/alpine#4548
Fix class setters invocation on nested x-data by @​helio3197 in alpinejs/alpine#4528
:bug: Masks model updates by @​ekwoka in alpinejs/alpine#4175
Allow debouncing/throttling x-model when using x-modelable by @​Spitfire972 in alpinejs/alpine#4186
UI x-radio: fix keyboard navigation when value of first/last radio option is null by @​gdebrauwer in alpinejs/alpine#4308
Improve handling of autocomplete values in X-Mask by @​robertmarney in alpinejs/alpine#4260
:zap: Improves x-for performance by @​ekwoka in alpinejs/alpine#4361
Fix x-ref crash during child-element morph by @​calebporzio in alpinejs/alpine#4748
Fix $watch oldValue for objects by @​calebporzio in alpinejs/alpine#4749
Escape attribute values in morph setAttribute patch by @​joshhanley in alpinejs/alpine#4770
Fix x-model setting .value instead of .checked on checkboxes by @​ganyicz in alpinejs/alpine#4779
Fix x-model.blur crash when input is removed from a form by @​joshhanley in alpinejs/alpine#4783

New Contributors

@​maximbelyayev made their first contribution in alpinejs/alpine#4735
@​hirasso made their first contribution in alpinejs/alpine#4610
@​alfanzain made their first contribution in alpinejs/alpine#4672



... (truncated)


Commits

3c93f1e Bump version to 3.15.11
49641af Fix $refs unavailable during morph (v3.15.9 regression) (#4793)
a423ef5 Warn when x-for template has multiple root elements (#4752)
b20830c wip
906abcf wip
06a18b0 Fix x-model.blur crash when input is removed from a form (#4783)
c829163 Fix x-model setting .value instead of .checked on checkboxes (#4779)
7848735 Fix $watch oldValue for objects being identical to new value (#4749)
cfcd08d Fix x-ref crash during child-element morph (#4748)
1771d0b :zap: Improves x-for performance (#4361)
Additional commits viewable in compare view



Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for alpinejs since your current version.



Bumps the pdfding group with 1 update: node.
Updates node from 22.22.1-bookworm-slim to 22.22.2-bookworm-slim
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions