Bump the update-dependencies group across 1 directory with 18 updates

[dependabot]

Bumps the update-dependencies group with 17 updates in the / directory:

Package	From	To
@azure/msal-common	16.4.1	16.5.2
@azure/msal-node	5.1.2	5.1.5
@inquirer/confirm	6.0.10	6.0.12
@inquirer/input	5.0.10	5.0.12
@inquirer/select	5.1.2	5.1.4
@xmldom/xmldom	0.9.9	0.9.10
adaptivecards	3.0.5	3.0.6
axios	1.14.0	1.15.2
uuid	13.0.0	13.0.1
zod	4.3.6	4.4.1
@actions/core	3.0.0	3.0.1
@types/node	24.12.0	24.12.2
@typescript-eslint/eslint-plugin	8.58.0	8.59.1
eslint	10.1.0	10.2.1
globals	17.4.0	17.5.0
sinon	21.0.3	21.1.2
@types/sinon	21.0.0	21.0.1

Updates @azure/msal-common from 16.4.1 to 16.5.2

Release notes

Sourced from @​azure/msal-common's releases.

@​azure/msal-common v16.5.2

16.5.2

Tue, 28 Apr 2026 21:30:32 GMT

Patches

• Fix unstable sort that can result in returning guest account instead of home account #8477 (ruijungao@microsoft.com)

@​azure/msal-common v16.5.1

16.5.1

Tue, 21 Apr 2026 22:41:19 GMT

Patches

• Improved account filtering when login hint is provided #8478 (lalimasharda@microsoft.com)

@​azure/msal-common v16.5.0

16.5.0

Thu, 16 Apr 2026 22:44:53 GMT

Minor changes

• Add support for client data telemetry with CLI_DATA parameter #8378 (kshabelko@microsoft.com)
• Add Platform broker telemetry #8488 (lalimasharda@microsoft.com)

Patches

• Add ssoCapable field to PerformanceEvent type for SSO capability telemetry. (sameera.gajjarapu@microsoft.com)
• Add skipBrokerClaims parameter for brokered authentication flows #8419 (AzureADGitHubBot@users.noreply.github.com)

Commits

• 7ca7202 fix(sample): acquire token after B2C edit profile policy (#8568)
• 29a826b Address dependabot Github Actions alerts (#8550)
• 34a4e06 fix(msal-browser): CookieStorage tolerates malformed percent-encoded cookies ...
• a800fd2 fix(msal-common): use proper 2-arg comparator in getAccountInfoFilter… (#8559)
• 1737897 fix(msal-browser): freeze Date.now() in beforeEach to eliminate timestamp fla...
• b9c8b81 fix(msal-node): replace uuid with node:crypto.randomUUID() (GHSA-w5hq… (#8566)
• 8033a18 Remove beachball change file for msal-browser native broker revert (#8567)
• e6f44e9 Revert "Bugfix - include extra query parameters in ExtraParameters in Platfor...
• 109a351 Bugfix - include extra query parameters in ExtraParameters in PlatformAuthReq...
• 2747951 Native Auth:fix: use client_info="1" string value in native auth token reques...
• Additional commits viewable in compare view

Updates @azure/msal-node from 5.1.2 to 5.1.5

Release notes

Sourced from @​azure/msal-node's releases.

@​azure/msal-node-extensions v5.1.5

5.1.5

Tue, 28 Apr 2026 21:30:33 GMT

Patches

• Bump @​azure/msal-common to v16.5.2 (beachball)

@​azure/msal-node v5.1.5

5.1.5

Tue, 28 Apr 2026 21:30:32 GMT

Patches

• fix(msal-node): replace uuid with node:crypto to resolve GHSA-w5hq-g745-h8pq (pieter.willaert@colruytgroup.com)
• Preserve authority metadata when calling clear() #8542 (shylasummers@microsoft.com)
• Bump @​azure/msal-common to v16.5.2 (beachball)

@​azure/msal-angular v5.1.4

5.1.4

Wed, 01 Apr 2026 20:09:00 GMT

Patches

• Bump @​azure/msal-browser to v5.6.3 (beachball)

@​azure/msal-node-extensions v5.1.4

5.1.4

Tue, 21 Apr 2026 22:41:19 GMT

Patches

• Bump @​azure/msal-common to v16.5.1 (beachball)

@​azure/msal-node v5.1.4

5.1.4

Tue, 21 Apr 2026 22:41:19 GMT

Patches

• Bump @​azure/msal-common to v16.5.1 (beachball)

@​azure/msal-angular v5.1.3

5.1.3

... (truncated)

Commits

• 7ca7202 fix(sample): acquire token after B2C edit profile policy (#8568)
• 29a826b Address dependabot Github Actions alerts (#8550)
• 34a4e06 fix(msal-browser): CookieStorage tolerates malformed percent-encoded cookies ...
• a800fd2 fix(msal-common): use proper 2-arg comparator in getAccountInfoFilter… (#8559)
• 1737897 fix(msal-browser): freeze Date.now() in beforeEach to eliminate timestamp fla...
• b9c8b81 fix(msal-node): replace uuid with node:crypto.randomUUID() (GHSA-w5hq… (#8566)
• 8033a18 Remove beachball change file for msal-browser native broker revert (#8567)
• e6f44e9 Revert "Bugfix - include extra query parameters in ExtraParameters in Platfor...
• 109a351 Bugfix - include extra query parameters in ExtraParameters in PlatformAuthReq...
• 2747951 Native Auth:fix: use client_info="1" string value in native auth token reques...
• Additional commits viewable in compare view

Updates @inquirer/confirm from 6.0.10 to 6.0.12

Commits

• 35bda2a chore: Publish new release
• 98eee29 fix(lint): suppress no-unnecessary-type-parameters on parseJSON helper
• aba5965 chore(deps-dev): Bump @​types/node in the types group (#2088)
• db8fbf1 chore(deps-dev): Bump turbo from 2.9.5 to 2.9.6 in the build group (#2087)
• 3cdecf5 chore(deps-dev): Bump oxfmt in the formatting group (#2086)
• e370b57 chore(deps-dev): Bump the linting group with 5 updates (#2085)
• 2787267 chore(deps-dev): Bump the testing group with 3 updates (#2084)
• 0c55499 chore(deps-dev): Bump the formatting group with 2 updates (#2081)
• e7115d9 fix(@​inquirer/core): mute output after readline initialization (#2077)
• e5e14ab chore(deps): Bump dependabot/fetch-metadata from 2 to 3 (#2078)
• Additional commits viewable in compare view

Updates @inquirer/input from 5.0.10 to 5.0.12

Commits

• 35bda2a chore: Publish new release
• 98eee29 fix(lint): suppress no-unnecessary-type-parameters on parseJSON helper
• aba5965 chore(deps-dev): Bump @​types/node in the types group (#2088)
• db8fbf1 chore(deps-dev): Bump turbo from 2.9.5 to 2.9.6 in the build group (#2087)
• 3cdecf5 chore(deps-dev): Bump oxfmt in the formatting group (#2086)
• e370b57 chore(deps-dev): Bump the linting group with 5 updates (#2085)
• 2787267 chore(deps-dev): Bump the testing group with 3 updates (#2084)
• 0c55499 chore(deps-dev): Bump the formatting group with 2 updates (#2081)
• e7115d9 fix(@​inquirer/core): mute output after readline initialization (#2077)
• e5e14ab chore(deps): Bump dependabot/fetch-metadata from 2 to 3 (#2078)
• Additional commits viewable in compare view

Updates @inquirer/select from 5.1.2 to 5.1.4

Commits

• 35bda2a chore: Publish new release
• 98eee29 fix(lint): suppress no-unnecessary-type-parameters on parseJSON helper
• aba5965 chore(deps-dev): Bump @​types/node in the types group (#2088)
• db8fbf1 chore(deps-dev): Bump turbo from 2.9.5 to 2.9.6 in the build group (#2087)
• 3cdecf5 chore(deps-dev): Bump oxfmt in the formatting group (#2086)
• e370b57 chore(deps-dev): Bump the linting group with 5 updates (#2085)
• 2787267 chore(deps-dev): Bump the testing group with 3 updates (#2084)
• 0c55499 chore(deps-dev): Bump the formatting group with 2 updates (#2081)
• e7115d9 fix(@​inquirer/core): mute output after readline initialization (#2077)
• e5e14ab chore(deps): Bump dependabot/fetch-metadata from 2 to 3 (#2078)
• Additional commits viewable in compare view

Updates @xmldom/xmldom from 0.9.9 to 0.9.10

Release notes

Sourced from @​xmldom/xmldom's releases.

0.9.10

Commits

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.9.10

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option. When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -- anywhere, ends with -, or contains characters outside the XML Char production
  • ProcessingInstruction: throws when target contains : or matches xml (case-insensitive), or data contains characters outside the XML Char production or contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById(), Node.prototype.isEqualNode()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw
• isEqualNode now correctly returns false for CDATASection nodes with different data

Deprecated

• The splitCDATASections serializer option is deprecated and will be removed in the next breaking release. The automatic splitting of "]]>" in CDATASection data was introduced as a workaround; use requireWellFormed: true or ensure CDATASection data does not contain "]]>" before serialization.

Chore

• updated dependencies

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

0.8.13

Fixed

• Security: XMLSerializer.serializeToString() (and Node.toString(), NodeList.toString()) now accept a requireWellFormed option (fourth argument, after isHtml and nodeFilter). When { requireWellFormed: true } is passed, the serializer throws InvalidStateError for injection-prone node content, preventing XML injection via attacker-controlled node data. GHSA-j759-j44w-7fr8 GHSA-x6wf-f3px-wcqx GHSA-f6ww-3ggp-fr8h
  • Comment: throws when data contains -->
  • ProcessingInstruction: throws when data contains ?>
  • DocumentType: throws when publicId fails PubidLiteral, systemId fails SystemLiteral, or internalSubset contains ]>
• Security: DOM traversal operations (XMLSerializer.serializeToString(), Node.prototype.normalize(), Node.prototype.cloneNode(true), Document.prototype.importNode(node, true), node.textContent getter, getElementsByTagName() / getElementsByTagNameNS() / getElementsByClassName() / getElementById()) are now iterative. Previously, deeply nested DOM trees would exhaust the JavaScript call stack and throw an unrecoverable RangeError. GHSA-2v35-w6hq-6mfw

Thank you, @​Jvr2022, @​praveen-kv, @​TharVid, @​decsecre583, @​tlsbollei, @​KarimTantawey, for your contributions

Commits

• bf396a5 0.9.10
• 78f6089 test: add missing serializer coverage for nodeFilter string return, Attribute...
• 192ce5b ci: remove unused imports flagged by CodeQL
• ca81c06 test: lower stack size for tests
• c9d5937 style: npm run format
• 1537fb4 docs: add 0.9.10 changelog entry
• afd6f6f docs: add 0.8.13 changelog entry
• afeb4ee refactor: align error mesage between branches
• 4845ef1 fix: prevent stack overflow in isEqualNode (GHSA-2v35-w6hq-6mfw)
• dfb94a4 test: add missing isEqualNode behavioral coverage
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Updates adaptivecards from 3.0.5 to 3.0.6

Release notes

Sourced from adaptivecards's releases.

adaptivecards@3.0.6

Adaptive Cards JavaScript SDK v3.0.6

Security Fix

• CVE-2026-27212 — Updated swiper peer dependency from ^11.0.7 → ^12.1.2

Bug Fixes

• Fixed Dart Sass import issue caused by Swiper 12 dropping .scss files — imports updated to extensionless format to ensure CSS is properly inlined
• Bumped sass dev dependency from ^1.43.4 → ^1.98.0 to support CSS nesting in Swiper 1

Commits

• bae9212 Version adaptivecards to 3.0.6 for swiper CVE-2026-27212 fix
• 99ec7d0 Merge remote-tracking branch 'origin/main' into release/3.0.6
• 76156ce Update swiper peer dependency to ^12.1.2 to fix CVE-2026-27212 (#9356)
• 23b0987 Update swiper peer dependency to ^12.1.2 to fix CVE-2026-27212 (#9356)
• dd0ffca Update ASP.NET Core dependencies and add Kestrel in ImageRendererServer (#9352)
• 368bb76 Updating Microsoft.Bot.AdaptiveExpressions.Core Version to 4.23.1 (#9339)
• 644d933 Redirect website to new domain (#9337)
• 78f0f5f Adaptive Cards dev team review is mandatory for all changes in AdaptiveCards ...
• ea28be6 fixing WinUI3 pipeline (#9336)
• 7ad630d fixing c# projections (#9293)
• Additional commits viewable in compare view

Updates axios from 1.14.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Updates uuid from 13.0.0 to 13.0.1

Release notes

Sourced from uuid's releases.

v13.0.1

13.0.1 (2026-04-27)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

Changelog

Sourced from uuid's changelog.

13.0.1 (2026-04-27)

Bug Fixes

• backport fix for GHSA-w5hq-g745-h8pq (9d27ddf)

Commits

• e5424b6 chore(13.x): release 13.0.1 (#943)
• 04f488b workflow: update release-please workflow
• 9d27ddf fix: backport fix for GHSA-w5hq-g745-h8pq
• See full diff in compare view

Updates zod from 4.3.6 to 4.4.1

Release notes

Sourced from zod's releases.

v4.4.1

Commits:

• 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
• 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
• cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
• edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
• 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

Tuple defaults now materialize output values correctly

Fixed in #5661. Tuple parsing now more accurately reflects defaults, optional tails, explicit undefined, and under-filled inputs. The headline behavior is that defaults in tuple positions now properly appear in parsed output.

const schema = z.tuple([
  z.string(),
  z.string().default("fallback"),
]);
schema.parse(["a"]);
// ["a", "fallback"]

Trailing optional elements that are absent still stay absent; they are not filled with undefined.

const schema = z.tuple([
  z.string(),
  z.string().optional(),
]);
schema.parse(["a"]);
// ["a"]

But explicit undefined values supplied by the caller are preserved.

schema.parse(["a", undefined]);
// ["a", undefined]

When optional elements appear before later defaults, the parsed tuple is now dense so array operations behave predictably.

... (truncated)

Commits

• 180d83d docs: remove Jazz featured sponsor
• edd0bf0 release: 4.4.1
• cede2c6 fix(v4): reject tuple holes before required defaults (#5900)
• 95ccab4 test(v3): restore optional undefined expectations
• 481f7be ci: gate release publishing on full test workflow
• d05f026 release: 4.4.0
• f778e02 build: bump zshy for JSR wildcard exports
• 6db607b fix(release): keep JSR manifest publishable
• ad0b827 ci: update release workflow for trusted publishing
• b6066b3 fix(v4): align object and tuple optionality handling (#5661)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.

Updates @actions/core from 3.0.0 to 3.0.1

Changelog

Sourced from @​actions/core's changelog.

3.0.1

• Bump undici from 6.23.0 to 6.24.1 #2348

Commits

• See full diff in compare view

Updates @types/node from 24.12.0 to 24.12.2

Commits

• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.58.0 to 8.59.1

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#12187)
• eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)

❤️ Thank You

• Abhijeet Singh @​cseas
• 송재욱

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our ver...

Description has been truncated