Bump the production group with 18 updates

[dependabot]

Bumps the production group with 18 updates:

Package	From	To
@anthropic-ai/sdk	0.9.1	0.89.0
@octokit/rest	20.1.2	22.0.1
@octokit/webhooks	12.3.2	14.2.0
@slack/web-api	6.13.0	7.15.1
diff	5.2.2	9.0.0
dotenv	16.6.1	17.4.2
ejs	3.1.10	5.0.2
express	4.22.1	5.2.1
fs-extra	11.3.0	11.3.4
openai	4.104.0	6.34.0
pino	9.7.0	10.3.1
probot	13.4.7	14.3.2
tree-sitter	0.20.6	0.25.0
tree-sitter-java	0.20.2	0.23.5
tree-sitter-javascript	0.20.4	0.25.0
tree-sitter-python	0.20.4	0.25.0
tree-sitter-rust	0.20.4	0.24.0
tree-sitter-typescript	0.20.5	0.23.2

Updates @anthropic-ai/sdk from 0.9.1 to 0.89.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.89.0

0.89.0 (2026-04-14)

Full Changelog: sdk-v0.88.0...sdk-v0.89.0

Features

• api: manual updates (57c2a11)
• api: mark Sonnet and Opus 4 as deprecated (eff41b7)

Bug Fixes

• streaming: add missing events (4c52919)

sdk: v0.88.0

0.88.0 (2026-04-10)

Full Changelog: sdk-v0.87.0...sdk-v0.88.0

Features

• vertex eu region (#882) (1933857)

Documentation

• improve examples (de4f483)
• update examples (454e1c5)

sdk: v0.87.0

0.87.0 (2026-04-09)

Full Changelog: sdk-v0.86.1...sdk-v0.87.0

Features

• api: Add beta advisor tool (1e99a8d)

sdk: v0.86.1

0.86.1 (2026-04-08)

Full Changelog: sdk-v0.86.0...sdk-v0.86.1

Chores

• update @​anthropic-ai/sdk dependency version (#870) (036342b)

sdk: v0.86.0

0.86.0 (2026-04-08)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.89.0 (2026-04-14)

Full Changelog: sdk-v0.88.0...sdk-v0.89.0

Features

• api: manual updates (57c2a11)
• api: mark Sonnet and Opus 4 as deprecated (eff41b7)

Bug Fixes

• streaming: add missing events (4c52919)

0.88.0 (2026-04-10)

Full Changelog: sdk-v0.87.0...sdk-v0.88.0

Features

• vertex eu region (#882) (1933857)

Documentation

• improve examples (de4f483)
• update examples (454e1c5)

0.87.0 (2026-04-09)

Full Changelog: sdk-v0.86.1...sdk-v0.87.0

Features

• api: Add beta advisor tool (1e99a8d)

0.86.1 (2026-04-08)

Full Changelog: sdk-v0.86.0...sdk-v0.86.1

Chores

• update @​anthropic-ai/sdk dependency version (#870) (036342b)

0.86.0 (2026-04-08)

Full Changelog: sdk-v0.85.0...sdk-v0.86.0

Features

... (truncated)

Commits

• 39549e9 chore: release main (#993)
• 089fe05 chore: release main (#987)
• 73f128f chore: release main (#985)
• fd6cf54 chore: release main (#983)
• 79d1d73 chore: release main (#982)
• 4ade5b1 chore: release main (#979)
• 4368602 chore: release main (#978)
• 4105fd6 chore: release main (#973)
• 0b536ae chore: release main (#970)
• 6d72814 chore: release main (#967)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by packy-anthropic, a new releaser for @​anthropic-ai/sdk since your current version.

Updates @octokit/rest from 20.1.2 to 22.0.1

Release notes

Sourced from @​octokit/rest's releases.

v22.0.1

22.0.1 (2025-10-31)

Bug Fixes

• deps: update octokit monorepo (major) (#538) (ded2f17)

v22.0.0

22.0.0 (2025-05-25)

Bug Fixes

• deps: update octokit monorepo (major) (#504) (77530ab)

BREAKING CHANGES

• deps: Drop support for NodeJS v18
• deps: Remove deprecated Projects endpoints
• deps: Remove deprecated Copilot usage metrics endpoints

v21.1.1

21.1.1 (2025-02-14)

Bug Fixes

• deps: update Octokit dependencies to mitigate ReDos [security] (#484) (ca256c3)

v21.1.0

21.1.0 (2025-01-08)

Features

• new endpoints, bump Octokit deps to fix Deno (#477) (908b1c8)

v21.0.2

21.0.2 (2024-08-16)

Bug Fixes

• docs: update to react 18 and latest gatsby deps (#462) (9a80f06), closes #216 #230 #460

... (truncated)

Commits

• daa3ec9 ci(action): update actions/setup-node action to v6 (#534)
• 1dec0c7 ci(action): update peter-evans/create-or-update-comment action to v5 (#531)
• ded2f17 fix(deps): update octokit monorepo (major) (#538)
• 0e0eaea chore(deps): update dependency @​types/node to v24 (#537)
• c04acc8 chore(deps): update vitest monorepo to v4 (major) (#536)
• e6dd306 chore(deps): update dependency undici to v7 (#474)
• 5f380d0 build(deps-dev): Bump form-data from 4.0.2 to 4.0.4 in /docs (#520)
• dc6827d build(deps-dev): Bump tar-fs from 2.1.2 to 2.1.3 in /docs (#516)
• 77530ab fix(deps): update octokit monorepo (major) (#504)
• d07b719 build(deps): Bump vite from 6.2.5 to 6.3.4 (#509)
• Additional commits viewable in compare view

Updates @octokit/webhooks from 12.3.2 to 14.2.0

Release notes

Sourced from @​octokit/webhooks's releases.

v14.2.0

14.2.0 (2025-12-03)

Features

• new secret_scanning_alert.assigned, secret_scanning_alert.unassigned, issue_dependencies events (#1189) (b47e4b0)

v14.1.3

14.1.3 (2025-07-31)

Bug Fixes

• avoid Object.assign to avoid hiding potential type errors (#1166) (4c36fce)

v14.1.2

14.1.2 (2025-07-30)

Bug Fixes

• normalize trailing slashes (#1167) (ea2a89d)

v14.1.1

14.1.1 (2025-07-10)

Bug Fixes

• createLogger should not recreate the logger object if it already exists (#1162) (18f0be5)

v14.1.0

14.1.0 (2025-06-29)

Features

• add validate-event-name (#1161) (6965d70)

v14.0.2

14.0.2 (2025-06-05)

Bug Fixes

• types: add missing enterprise key (#1158) (4e83370)

v14.0.1

14.0.1 (2025-06-04)

... (truncated)

Commits

• b47e4b0 feat: new secret_scanning_alert.assigned, `secret_scanning_alert.unassigned...
• 5ca3206 ci(action): update github/codeql-action action to v4 (#1178)
• 07b617c ci(action): update actions/setup-node action to v6 (#1179)
• 3e7c815 build(deps): lock file maintenance (#1177)
• be82b3d ci(action): update peter-evans/create-or-update-comment action to v5 (#1175)
• 73ec1fc chore(deps): update vitest monorepo to v4 (major) (#1181)
• 4b4ad0f build(deps): lock file maintenance (#1174)
• 2a24466 ci(action): update actions/checkout action to v5 (#1170)
• aea297e ci(action): update actions/setup-node action to v5 (#1172)
• 302105e build(deps): lock file maintenance (#1168)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​octokit/webhooks since your current version.

Updates @slack/web-api from 6.13.0 to 7.15.1

Release notes

Sourced from @​slack/web-api's releases.

@​slack/web-api@​7.15.1

Patch Changes

• 3a9c444: build(deps): bump minimum axios version to 1.15.0
• 175dcb8: Fix user-agent header to URI-encode characters outside the Latin-1 range, preventing errors when process.title contains non-ASCII characters

@​slack/web-api@​7.15.0

Minor Changes

• 75649f4: feat: add support for apps.user.connection.update

Patch Changes

• b8d922f: build: add support for node 24
• Updated dependencies [b8d922f]
• Updated dependencies [b8d922f]
  • @​slack/logger@​4.0.1
  • @​slack/types@​2.20.1

@​slack/web-api@​7.14.1

Patch Changes

• 370cf22: chore(deps): bump axios to ^1.13.5

@​slack/web-api@​7.14.0

Agent Thinking Steps: Display Tasks/Tools, Plans, and Markdown Text

🍿 Preview: Display as Plan

2026-02-11-thinking-steps-js-display-mode-plan.mov

🍿 Preview: Display as Timeline

2026-02-11-thinking-steps-js-display-mode-timeline.mov

📺 Chat Stream with 2 Display Mode

• Plan Display Mode
• Timeline Display Mode

👾 Chat Stream Structured Content

Now, you can display a mixture of structured content called "chunks":

• 🔠 Markdown Text Block to format your text with standard markdown
• ☑️ Task Card Block to display a single task, representing an AI Tool Call or general action
• 🗒️ Plan Block to display a collection of related tasks
• 📚 URL Sources Element to display references within a task card block

Available in:

... (truncated)

Commits

• b56deda chore: release (#2547)
• 3a9c444 build(deps): bump minimum axios version to 1.15.0 (#2552)
• 175dcb8 fix: user-agent should be uri safe (#2546)
• 700a636 chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 (#2543)
• c2bef00 chore(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 (#2542)
• 909b5bd chore: release (#2530)
• b8d922f ci: add support for node 24 version (#2534)
• 9b23414 build: write all docs for workspace packages (#2533)
• 98dbd4e build: use a shared tsconfig for workspace packages (#2532)
• 8ce4770 chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 (#2537)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​slack/web-api since your current version.

Updates diff from 5.2.2 to 9.0.0

Changelog

Sourced from diff's changelog.

9.0.0

(All changes part of PR #672.)

• ES5 support is dropped. parsePatch now uses TextDecoder and Uint8Array, which are not available in ES5, and TypeScript is now compiled with the "es6" target. From now on, I intend to freely use any features that are deemed "Widely available" by Baseline. Users who need ES5 support should stick to version 8.

• C-style quoted strings in filename headers are now properly supported.

  When the name of either the old or new file in a patch contains "special characters", both GNU diff and Git quote the filename in the patch's headers and escape special characters using the same escape sequences that are used in string literals in C, including octal escapes for all non-ASCII characters. Previously, jsdiff had very little support for this; parsePatch would remove the quotes, and unescape any escaped backslashes, but would not unescape other escape sequences. formatPatch, meanwhile, did not quote or escape special characters at all.

  Now, parsePatch parses all the possible escape sequences that GNU diff (or Git) ever output, and formatPatch quotes and escapes filenames containing special characters in the same way GNU diff does.

• formatPatch now omits file headers when oldFileName or newFileName in the provided patch object are undefined, regardless of the headerOptions parameter. (Previously, it would treat the absence of oldFileName or newFileName as indicating the filename was the word "undefined" and emit headers --- undefined / +++ undefined.)

• formatPatch no longer outputs trailing tab characters at the end of ---/+++ headers.

  Previously, if formatPatch was passed a patch object to serialize that had empty strings for the oldHeader or newHeader property, it would include a trailing tab character after the filename in the --- and/or +++ file header. Now, this scenario is treated the same as when oldHeader/newHeader is undefined - i.e. the trailing tab is omitted.

• formatPatch no longer mutates its input when serializing a patch containing a hunk where either the old or new content contained zero lines. (Such a hunk occurs only when the hunk has no context lines and represents a pure insertion or pure deletion, which for instance will occur whenever one of the two files being diffed is completely empty.) Previously formatPatch would provide the correct output but also mutate the oldLines or newLines property on the hunk, changing the meaning of the underlying patch.

• Git-style patches are now supported by parsePatch, formatPatch, and reversePatch.

  Patches output by git diff can include some features that are unlike those output by GNU diff, and therefore not handled by an ordinary unified diff format parser. An ordinary diff simply describes the differences between the content of two files, but Git diffs can also indicate, via "extended headers", the creation or deletion of (potentially empty) files, indicate that a file was renamed, and contain information about file mode changes. Furthermore, when these changes appear in a diff in the absence of a content change (e.g. when an empty file is created, or a file is renamed without content changes), the patch will contain no associated ---/+++ file headers nor any hunks.

  jsdiff previously did not support parsing Git's extended headers, nor hunkless patches. Now parsePatch parses some of the extended headers, parses hunkless Git patches, and can determine filenames (e.g. from the extended headers) when parsing a patch that includes no --- or +++ file headers. The additional information conveyed by the extended headers we support is recorded on new fields on the result object returned by parsePatch. See isGit and subsequent properties in the docs in the README.md file.

  formatPatch now outputs extended headers based on these new Git-specific properties, and reversePatch respects them as far as possible (with one unavoidable caveat noted in the README.md file).

• Unpaired file headers now cause parsePatch to throw.

  It remains acceptable to have a patch with no file headers whatsoever (e.g. one that begins with a @@ hunk header on the very first line), but a patch with only a --- header or only a +++ header is now considered an error.

• parsePatch is now more tolerant of "trailing garbage"

  That is: after a patch, or between files/indexes in a patch, it is now acceptable to have arbitrary lines of "garbage" (so long as they unambiguously have no syntactic meaning - e.g. trailing garbage that leads with a +, -, or and thus is interpretable as part of a hunk still triggers a throw).

  This means we no longer reject patches output by tools that include extra data in "garbage" lines not understood by generic unified diff parsers. (For example, SVN patches can include "Property changes on:" lines that generic unified diff parsers should discard as garbage; jsdiff previously threw errors when encountering them.)

  This change brings jsdiff's behaviour more in line with GNU patch, which is highly permissive of "garbage".

• The oldFileName and newFileName fields of StructuredPatch are now typed as string | undefined instead of string. This type change reflects the (pre-existing) reality that parsePatch can produce patches without filenames (e.g. when parsing a patch that simply contains hunks with no file headers).

8.0.4

• #667 - fix another bug in diffWords when used with an Intl.Segmenter. If the text to be diffed included a combining mark after a whitespace character (i.e. roughly speaking, an accented space), diffWords would previously crash. Now this case is handled correctly.

8.0.3

• #631 - fix support for using an Intl.Segmenter with diffWords. This has been almost completely broken since the feature was added in v6.0.0, since it would outright crash on any text that featured two consecutive newlines between a pair of words (a very common case).
• #635 - small tweaks to tokenization behaviour of diffWords when used without an Intl.Segmenter. Specifically, the soft hyphen (U+00AD) is no longer considered to be a word break, and the multiplication and division signs (× and ÷) are now treated as punctuation instead of as letters / word characters.

... (truncated)

Commits

• ed13aca Update version in package.json and in release notes (#683)
• 7a49317 Bump dependencies again (#682)
• afe5aec Add Git support, and otherwise variously improve & fix parsePatch (and other ...
• 2e46779 Fix a typo (#679)
• dd2f994 8.0.4 release (#678)
• 3cc4384 Update docs on releasing to reflect migration to yarn berry (#677)
• 6fc2aa6 yarn up '*' && yarn up -R '**' (#676)
• af7393a yarn up '*' && yarn up -R '**' (#670)
• 4b5d180 Fix another bug in diffWords's "intlSegmenter" mode (#667)
• 10da50c yarn up '*' && yarn up -R '**' (#666)
• Additional commits viewable in compare view

Updates dotenv from 16.6.1 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

• Improved skill files - tightened up details (#1009)

17.4.1 (2026-04-05)

Changed

• Change text injecting to injected (#1005)

17.4.0 (2026-04-01)

Added

• Add skills/ folder with focused agent skills: skills/dotenv/SKILL.md (core usage) and skills/dotenvx/SKILL.md (encryption, multiple environments, variable expansion) for AI coding agent discovery via the skills.sh ecosystem (npx skills add motdotla/dotenv)

Changed

• Tighten up logs: ◇ injecting env (14) from .env (#1003)

17.3.1 (2026-02-12)

Changed

• Fix as2 example command in README and update spanish README

17.3.0 (2026-02-12)

Added

• Add a new README section on dotenv’s approach to the agentic future.

Changed

• Rewrite README to get humans started more quickly with less noise while simultaneously making more accessible for llms and agents to go deeper into details.

17.2.4 (2026-02-05)

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

17.2.3 (2025-09-29)

Changed

• Fixed typescript error definition (#912)

... (truncated)

Commits

• f116f70 17.4.2
• 3a81612 fix visual order of faq
• 13f55a8 Merge branch 'skill'
• 4bbbf73 reorganize faq
• c3da64b Merge pull request #1009 from motdotla/skill
• 6f743b1 update source
• fc2c624 update skill
• 972315b Tighten up skill
• 2795fce reorganize faq
• d5495d4 adjust skill
• Additional commits viewable in compare view

Updates ejs from 3.1.10 to 5.0.2

Release notes

Sourced from ejs's releases.

v5.0.2

Version 5.0.2

v5.0.1

Version 5.0.1

v4.0.1

Version 4.0.1

Changelog

Sourced from ejs's changelog.

EJS Version 5.0.1 Release Notes

Overview

EJS version 5.0.1 is a major release that removes deprecated options, fixes template behavior with custom delimiters, improves the CLI and build pipeline, and simplifies the package by moving Jake to a dev-only dependency.

Major Changes

Deprecated Option Removed

• Removed client option (Fixes #746): The legacy client flag and related code have been removed. This option produced browser-oriented template functions by inlining escape and rethrow helpers; it was unmaintained and broken. Use the standard browser bundle (ejs.min.js) or compile templates for the client using your own build setup.

Bug Fixes

• Custom delimiters and whitespace-slurp tags (Fixed #780): Whitespace-slurp tags (<%_ and _%> by default) now respect custom openDelimiter, delimiter, and closeDelimiter. Previously, the slurp regex was hardcoded to <%/%>, so custom delimiters did not work correctly with <%_/_%>-style tags.

CLI & Build

• CLI no longer depends on Jake: The ejs CLI now uses a bundled argument parser (lib/esm/parseargs.js / lib/cjs/parseargs.js) instead of the Jake program module. Jake remains a devDependency for the build (lint, compile, browserify, minify, test).
• Jake moved to devDependencies: Jake was moved from dependencies to devDependencies, so installing ejs as a dependency no longer pulls in Jake.
• Minification fix: The minify task now minifies the browserified ejs.js bundle (output of the browserify task) instead of lib/cjs/ejs.js, so the browser bundle is correctly minified.

Documentation & Examples

• JSDoc updates: Removed references to the client option and ClientFunction from options and template-function documentation.
• Examples: examples/client-compilation.html and examples/express/app.js updated to remove use of the client option; Express example no longer passes client: true.
• README: Removed broken link to the third-party EJS playground.

Code Quality

• Tests: Removed tests that targeted the removed client option behavior.
• Utils: Removed unused client-related code from lib/esm/utils.js.

Breaking Changes

Removed client Option

• Option removed: The client option is no longer supported. Passing client: true (or any value) is ignored; no error is thrown, but no

... (truncated)

Commits

• a464c96 Version 5.0.2
• b4f7b49 Hardening
• 2b15562 Added release notes
• f9ab0b7 Version 5.0.1
• 173c46f Bump version for release
• 35ad41b Removed Jake
• bf142d1 Updated version number
• 3cd835c Remove broken playground link
• 6e1289c Fix minification
• 5090873 Fixes #746, removed old 'client' flag
• Additional commits viewable in compare view

Updates express from 4.22.1 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

• Release: 5.2.1 by @​UlisesGascon in expressjs/express#6933

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)

What's Changed

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.13 by @​dependabot[bot] in expressjs/express#6429
• Refactor: simplify acceptsLanguages implementation using spread operator by @​Ayoub-Mabrouk in expressjs/express#6137
• increased code coverage of utils.js file by @​ashish3011 in expressjs/express#6386
• chore: remove duplicate word by @​dufucun in expressjs/express#6456
• build(deps): bump github/codeql-action from 3.28.13 to 3.28.16 by @​dependabot[bot] in expressjs/express#6498
• build(deps): bump actions/setup-node from 4.3.0 to 4.4.0 by @​dependabot[bot] in expressjs/express#6497
• build(deps): bump actions/download-artifact from 4.2.1 to 4.3.0 by @​dependabot[bot] in expressjs/express#6496
• ci: add node.js 24 to test matrix by @​Phillip9587 in expressjs/express#6504
• ci: update codeql config by @​Phillip9587 in expressjs/express#6488
• chore: wider range for query test skip by @​jonchurch in expressjs/express#6512
• chore: fix typos in test by @​noritaka1166 in expressjs/express#6535
• ci: disable credential persistence for checkout actions by @​mertssmnoglu in expressjs/express#6522
• ci: allow manual triggering of workflow by @​shivarm in expressjs/express#6515
• test: add coverage for app.listen() variants by @​kgarg1 in expressjs/express#6476
• docs: move documentation and charters to the discussions and .github … by @​bjohansebas in expressjs/express#6427
• build(deps): bump github/codeql-action from 3.28.16 to 3.28.18 by @​dependabot[bot] in expressjs/express#6549
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/express#6548
• chore: enforce explicit Buffer import and add lint rule by @​shivarm in expressjs/express#6525
• chore: use node protocol for querystring by @​shivarm in expressjs/express#6520
• chore: fix typo by @​mountdisk in expressjs/express#6609
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @​dependabot[bot] in expressjs/express#6618
• add deprecation warnings for redirect arguments undefined by @​bjohansebas in expressjs/express#6405
• ci: run CI when the markdown changes by @​bjohansebas in expressjs/express#6632
• doc: fix CONTRIBUTING link by @​jonchurch in expressjs/express#6653
• doc: update contributing guidelines and code of conduct links by @​ShubhamOulkar in expressjs/express#6601
• build(deps-dev): bump morgan from 1.10.0 to 1.10.1 by @​dependabot[bot] in expressjs/express#6679
• build(deps-dev): bump cookie-session from 2.1.0 to 2.1.1 by @​dependabot[bot] in expressjs/express#6678
• lint: add --fix flag to automatic fix linting issue by @​shivarm in expressjs/express#6644
• chore: ignore yarn.lock file and update example by @​shivarm in expressjs/express#6588
• lib: use req.socket over deprecated req.connection by @​bjohansebas in expressjs/express#6705
• doc: update express app example by @​shivarm in expressjs/express#6718
• build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @​dependabot[bot] in expressjs/express#6675
• Remove history.md from being packaged on publish by @​sheplu in expressjs/express#6780

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

• Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

• Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
• deps: body-parser@^2.2.1
• A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: server-static@2.2.0
• deps: type-is@2.0.1

5.0.1 / 2024-10-08

• Update cookie semver lock to address CVE-2024-47764

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0

... (truncated)

Commits

• dbac741 5.2.1
• 697547c Revert "sec: security patch for CVE-2024-51999"
• 4007ad1 Release: 5.2.0 (#6920)
• 2f64f68 sec: security patch for CVE-2024-51999
• ed0ba3f build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#6928)
• 8eace46 build(deps): bump github/codeql-action from 4.31.2 to 4.31.6 (#6929)
• 30bae81 build(deps): bump coverallsapp/github-action from 2.3.6 to 2.3.7 (#6930)
• 758d435 deps: body-parser@^2.2.1 (#6922)
• 77bcd52 docs: update emeritus triagers (#6890)
• f33caf1 Nominate to @​efekrskl for triage team (#6888)
• Additional commits viewable in compare view

Updates fs-extra from 11.3.0 to 11.3.4

Changelog

Sourced from fs-extra's changelog.

11.3.4 / 2026-03-03

• Fix bug where calling ensureSymlink/ensureSymlinkSync with a relative srcPath would fail if the symlink already existed (#1038, #1064)

11.3.3 / 2025-12-18

• Fix copying symlink when destination is a symlink to the same target (#1019, #1060)

11.3.2 / 2025-09-15

• Fix spurrious UnhandledPromiseRejectionWarning that could occur when calling .copy() in some cases (#1056, #1058)

11.3.1 / 2025-08-05

• Fix case where move/moveSync could incorrectly think files are identical on Windows (#1050)

Commits

• 353a29b 11.3.4
• 3e65fbe fix(ensureSymlink): resolve relative srcpath correctly when symlink exists (#...
• e2615e5 Fix git URL in package.json (