chore: bump the npm-security group across 2 directories with 16 updates

[dependabot]

Bumps the npm-security group with 10 updates in the /services/frontend directory:

Package	From	To
axios	1.13.5	1.16.1
postcss	8.5.6	8.5.15
vite	7.3.1	7.3.3
@babel/plugin-transform-modules-systemjs	7.27.1	7.29.4
minimatch	3.1.2	10.0.3
picomatch	2.3.1	4.0.4
fast-uri	3.1.0	3.1.2
flatted	3.3.3	3.4.2
js-cookie	3.0.5	3.0.7
rollup	4.52.2	4.60.4

Bumps the npm-security group with 5 updates in the / directory:

Package	From	To
minimatch	10.1.2	removed
picomatch	2.3.1	4.0.4
lodash	4.17.23	4.18.1
handlebars	4.7.8	4.7.9
undici	6.23.0	6.25.0

Updates axios from 1.13.5 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
• composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
• AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
• Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
• Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
• Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​hpinmetaverse (#10836)
• @​tommyhgunz14 (#7413)
• @​abhu85 (#10829)
• @​divyanshuraj1095 (#10853)
• @​sagodi97 (#10856)
• @​rkdfx (#10868)
• @​Liuwei1125 (#10866)

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
• composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
• AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
• Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
• Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
• Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​hpinmetaverse (#10836)
• @​tommyhgunz14 (#7413)
• @​abhu85 (#10829)
• @​divyanshuraj1095 (#10853)
• @​sagodi97 (#10856)
• @​rkdfx (#10868)
• @​Liuwei1125 (#10866)

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Commits

• 1337d6b chore(release): prepare release 1.16.1 (#10877)
• 858a790 fix: remove all caches (#10882)
• 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
• 847d89b fix: support URL object as config.url input (#10866)
• 4094886 fix(progress): guard malformed XHR upload events (#10868)
• 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
• 64e1095 chore: update PR and issue template to use h2 (#10865)
• 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
• c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
• caa00a9 fix: https data in cleartext to proxy (#10858)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates postcss from 8.5.6 to 8.5.15

Release notes

Sourced from postcss's releases.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Changelog

Sourced from postcss's changelog.

8.5.15

• Fixed declaration parsing performance (by @​homanp).

8.5.14

• Fixed custom syntax regression (by @​43081j).

8.5.13

• Fixed postcss-scss commend regression.

8.5.12

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

8.5.11

• Fixed nested brackets parsing performance (by @​offset).

8.5.10

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

• Speed up source map encoding paring in case of the error.

8.5.8

• Fixed Processor#version.

8.5.7

• Improved source map annotation cleaning performance (by CodeAnt AI).

Commits

• eae46db Release 8.5.15 version
• 79508ff Update CI actions
• b128e21 Speed up declaration parsing by avoiding creating new array on each token
• 9825dca Fix code format
• 55789c8 Update dependencies
• 84fbbe9 Install older pnpm action for old Node.js
• 9f860bd Revert pnpm action for old Node.js
• 0877198 Update CI actions
• b2d1a33 Fix linter warnings
• 0700dac Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
• Additional commits viewable in compare view

Updates vite from 7.3.1 to 7.3.3

Release notes

Sourced from vite's releases.

v7.3.3

Please refer to CHANGELOG.md for details.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.3 (2026-05-07)

Bug Fixes

• avoid destructure lowering for newer safari (#22346) (5ab51c0)

7.3.2 (2026-04-06)

Bug Fixes

• avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)
• backport #22159, apply server.fs check to env transport (#22162) (19db0f2)
• check server.fs after stripping query as well (#22160) (f8103cc)

Commits

• ca31424 release: v7.3.3
• 5ab51c0 fix: avoid destructure lowering for newer safari (#22346)
• cc383e0 release: v7.3.2
• 09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• f8103cc fix: check server.fs after stripping query as well (#22160)
• 19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
• See full diff in compare view

Updates @babel/plugin-transform-modules-systemjs from 7.27.1 to 7.29.4

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.4 (2026-05-05)

🐛 Bug Fix

• babel-plugin-transform-modules-systemjs
  • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

• Huáng Jùnliàng (@​JLHwung)

v7.29.3 (2026-04-30)

👓 Spec Compliance

• babel-parser
  • #17923 Support flow extends bound (@​JLHwung)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
• babel-register
  • #17915 Fix thread synchronization issues in @babel/register (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env
  • #17788 Add bugfix plugin for Safari array rest destructuring bug (@​JLHwung)

💅 Polish

• babel-parser
  • #17782 Improve trailing comma comment handling (@​JLHwung)

📝 Documentation

• #17847 Replace npmjs.com links with npmx.dev (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules
  • #17818 Load async Wasm and JSON imports in parallel (@​nicolo-ribaudo)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env

... (truncated)

Commits

• a458f66 v7.29.4
• 32ebd5a [7.x backport]fix(systemjs): improve module string name support (#17974)
• aa8394e v7.29.0
• 0053db6 Update polyfill packages (#17727)
• 61647ae v7.28.5
• a177d55 [Babel 8] Use t.traverseFast to replace some path.traverse (#17518)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/plugin-transform-modules-systemjs since your current version.

Updates minimatch from 3.1.2 to 10.0.3

Changelog

Sourced from minimatch's changelog.

change log

10.2

• Add braceExpandMax option

10.1

• Add magicalBraces option for escape
• Fix makeRe when partial: true is set.
• Fix makeRe when pattern ends in a final ** path part.

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

... (truncated)

Commits

• 2c65ee2 10.0.3
• 4fba25e Use @​isaacs/brace-expansion
• 41cb7dd ci: update typedoc action versions
• be94de0 update ci versions
• ad70a85 10.0.2
• 803156d modernize repo, update brace-expansion
• 0569cd3 10.0.1
• 17d31c7 rollback to brace-expansion 2, for cjs support
• 346685c 10.0.0
• 632e0da modernize, drop old node versions
• Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates picomatch from 2.3.1 to 4.0.4

Release notes

Sourced from picomatch's releases.

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@4.0.3...4.0.4

4.0.3

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144

New Contributors

• @​Jason3S made their first contribution in micromatch/picomatch#144

Full Changelog: micromatch/picomatch@4.0.2...4.0.3

3.0.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@3.0.1...3.0.2

2.3.2

This is a security release fixing several security relevant issues.

What's Changed

• fix: exception when glob pattern contains constructor by @​Jason3S in micromatch/picomatch#144
• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: micromatch/picomatch@2.3.1...2.3.2

Changelog

Sourced from picomatch's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

4.0.0 (2024-02-07)

Fixes

• Fix bad text values in parse #126, thanks to @​connor4312

Changed

• Remove process global to work outside of node #129, thanks to @​styfle
• Add sideEffects to package.json #128, thanks to @​frandiox
• Removed os, make compatible browser environment. See #124, thanks to @​gwsbhqt

3.0.1

Fixes

... (truncated)

Commits

• e5474fc Publish 4.0.4
• 4516eb5 Merge commit from fork
• 5eceecd Merge commit from fork
• 0db7dd7 Run benchmark again against latest minimatch version (#161)
• 9500377 docs: clarify what brace expansion syntax is and isn't supported (#134)
• 2661f23 fix typo in globstars.js test name (#138)
• 1798b07 docs: fix makeRe example (#143)
• 9d76bc5 chore: undocument removed options (#146)
• e4d718b Remove unused time-require (#160)
• 38dffeb chore(deps): pin dependencies (#158)
• Additional commits viewable in compare view

Updates fast-uri from 3.1.0 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

• Fix for GHSA-v39h-62p7-jpjc

What's Changed

• Handle malformed fragment decoding as a parse error by @​mcollina in fastify/fast-uri#171

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

• Fix for GHSA-q3j6-qgpj-74h6

What's Changed

• build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @​dependabot[bot] in fastify/fast-uri#148
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#149
• chore(.npmrc): ignore scripts by @​Fdawgs in fastify/fast-uri#150
• build(deps-dev): remove @​fastify/pre-commit by @​Fdawgs in fastify/fast-uri#151
• build(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in fastify/fast-uri#152
• ci(ci): add concurrency config by @​Fdawgs in fastify/fast-uri#153
• build(deps): bump actions/setup-node from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#154
• build(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#156
• chore(license): standardise license notice by @​Fdawgs in fastify/fast-uri#159
• style: remove trailing whitespace by @​Fdawgs in fastify/fast-uri#161
• ci: remove unused github files by @​Tony133 in fastify/fast-uri#162
• chore: update readme by @​Tony133 in fastify/fast-uri#164
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#165
• build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by @​dependabot[bot] in fastify/fast-uri#166
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in fastify/fast-uri#167
• ci: add lock-threads workflow by @​Fdawgs in fastify/fast-uri#169

New Contributors

• @​Tony133 made their first contribution in fastify/fast-uri#162

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

Commits

• 919dd8e Bumped v3.1.2
• c65ba57 fixup: linting
• 6c86c17 Merge commit from fork
• a95158a Handle malformed fragment decoding without throwing (#171)
• cea547c Bumped v3.1.1
• 876ce79 Merge commit from fork
• dcdf690 ci: add lock-threads workflow (#169)
• c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
• 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
• 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates follow-redirects from 1.15.11 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• See full diff in compare view

Updates js-cookie from 3.0.5 to 3.0.7

Release notes

Sourced from js-cookie's releases.

v3.0.7

• Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)
• Add Partitioned attribute to readme (b994768)
• Publish to npm registry via trusted publisher exclusively (4dc71be)
• Ensure consistent behaviour for get('name') + get() (1953d30)

Commits

• 17bacba Craft v3.0.7 release
• adb823c Fix release workflow halting at git tag
• 5f9e759 May remove Git user config from release workflow
• 6ac9211 Fix release workflow not able to push commit + tag
• 2278bc5 Fix missing package version bump
• eb3c40e Prevent cookie attribute injection
• f6f157f Bump globals from 17.5.0 to 17.6.0
• f409d02 Bump eslint from 10.2.0 to 10.3.0
• a686883 Bump protobufjs in the npm_and_yarn group across 1 directory
• c6112d2 Bump @​protobufjs/utf8 in the npm_and_yarn group across 1 directory
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for js-cookie since your current version.

Updates rollup from 4.52.2 to 4.60.4

Release notes

Sourced from rollup's releases.

v4.60.4

4.60.4

2026-05-14

Bug Fixes

• Improve stability of chunk hashes (#6362)

Pull Requests

• #6362: fix: stabilize chunk assignment across parallel file reads (@​sonukapoor, @​Sonu Kapoor, @​TrickyPi, @​lukastaegert)
• #6370: fix(deps): update minor/patch updates (@​renovate[bot])
• #6371: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6372: chore(deps): update react monorepo to v19 (major) (@​renovate[bot])
• #6373: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6375: Resolve vulnerabilities (@​lukastaegert)

v4.60.2

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

• #6327: docs: fix various typos in source and documentation (@​Abhi3975, @​lukastaegert)
• #6331: fix(deps): update minor/patch updates (@​renovate[bot])
• #6332: chore(deps): update codecov/codecov-action action to v6 (@​renovate[bot])
• #6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@​renovate[bot])
• #6334: fix(deps): update rust crate swc_compiler_base to v51 (@​renovate[bot])
• #6335: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6346: fix(deps): update minor/patch updates (@​renovate[bot])
• #6347: chore(deps): update dependency lru-cache to v11 (@​renovate[bot])
• #6348: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6349: chore(deps): lock file maintenance (@​renovate[bot], @​lukastaegert)
• #6350: fix: reset variable render names between outputs in the same generate (@​barry3406, @​lukastaegert)
• #6351: chore(deps): update minor/patch updates (@​renovate[bot])
• #6352: chore(deps): update cross-platform-actions/action action to v1 (@​renovate[bot])
• #6353: chore(deps): update dependency lru-cache to v11 (@​renovate[bot], @​lukastaegert)
• #6354: chore(deps): lock file maintenance (@​renovate[bot])
• #6355: chore(deps): lock file maintenance (@​renovate[bot])
• #6356: chore(deps): lock file maintenance (@​renovate[bot])
• #6358: chore: remove cross-env from devDeps (@​K-tecchan)

v4.60.1

4.60.1

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.4

2026-05-14

Bug Fixes

• Improve stability of chunk hashes (#6362)

Pul...

Description has been truncated