Update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@nuxtjs/storybook (source)	4.2.0 → 4.3.2
composer/installers (source)	2.0.1 → 2.3.0
core-js (source)	3.21.1 → 3.49.0
drupal/core-composer-scaffold (source)	9.3.6 → 9.5.11
drupal/core-dev	9.3.6 → 9.5.11
drupal/core-project-message (source)	9.3.6 → 9.5.11
drupal/druxt (source)	1.1.1 → 1.2.1
drupal/tome (source)	^1.5 → ^1.14.0
drush/drush (source)	^11.0 → ^11.6.0
druxt-site (source)	0.11.0 → 0.14.3

---

Release Notes

nuxt-modules/storybook (@​nuxtjs/storybook)

v4.3.2

Compare Source

🏡 Chore

• upgrade to Storybook v6.5.6

v4.3.1

Compare Source

🐛 Bug Fixes

• Undefined render args argument (#​378)
• keep NODE_ENV set by users (#​383)

💖 Thanks to

• @​adesombergh (Aldebaran Desombergh)
• @​GMartigny (Guillaume Martigny)

v4.3.0

Compare Source

🚀 Features

• Update storybook to 6.4 (#​357)
• Support chromatic's --webpack-stats-json flag (#​367)
• Support object style path(https://redirect.github.com/nuxt-community/storybook/pull/365/commits/eeb66ae8b220b3fb3d2cd5436186105e4f5cb482)

🐛 Bug Fixes

• Missing handler in server middleware (#​344)
• Create dummy package.json for ESM compatibility (#​345)
• Handle single function middleware files (nuxt-community@d502e54)
• Expose close in bundle builder mock(https://redirect.github.com/nuxt-community/storybook/pull/365/commits/c3495180a3ac61c00a81497517294015d7af13c9)
• Update dependency trim@0.0.3(https://redirect.github.com/nuxt-community/storybook/pull/365/commits/3593f4c6540e3cf3dadb15d812abc7aa77baea7e)
• Freeze css loader version css-loader@5.2.7(https://redirect.github.com/nuxt-community/storybook/pull/365/commits/f97c41077b304a0772a42dcac576756e8c470fdc)

📝 Docs & Examples

• Fix examples live sandbox (nuxt-community@438a0e8)
• Remove postcss from install script (#​362)

💖 Thanks to

• @​tobiasdiez (Tobias Diez)
• @​Decipher (Stuart Clark)
• @​ingvoo (Ingvi Jonasson)
• @​valernyx (Valerie E.)

composer/installers (composer/installers)

v2.3.0

Compare Source

Added

• Added recipes for Drupal 10.3+ to DrupalInstaller #​534
• Added BotbleInstaller #​533
• Added new Moodle types (communication, forumreport, h5plib, mlbackend, qbank, tiny) #​535
• Added support for Fork CMS ^6 #​529
• Added ConcreteCMS installers and types mimicking concrete5 ones #​522

v2.2.0

Compare Source

Added

• Added matomo-plugin by @​codemorgan (#​514)

v2.1.1

Compare Source

Fixed

• Fixed TastyIgniter parsing of extra data to use the package being installed instead of the root package (#​507)

v2.1.0

Compare Source

Added

• Added new types (antivirus, customfield, contenttype, dataformat, media, paygw) for Moodle (#​497)
• Added new tastyigniter-module type to TastyIgniter (#​503)
• Added new extra.plugin-modifies-install-path to composer/installers for Composer 2.3 support, see docs if you are writing your own custom installer plugin.

zloirock/core-js (core-js)

v3.49.0

Compare Source

• Changes v3.48.0...v3.49.0 (373 commits)
• Iterator.range updated following the actual spec version
  • Throw a RangeError on NaN start / end / step
  • Allow null as optionOrStep
• Improved accuracy of Math.{ asinh, atanh } polyfills with big and small values
• Improved accuracy of Number.prototype.toExponential polyfills with big and small values
• Improved performance of atob, btoa, Uint8Array.fromHex, Uint8Array.prototype.setFromHex, and Uint8Array.prototype.toHex, #​1503, #​1464, #​1510, thanks @​johnzhou721
• Minor performance optimization polyfills of methods from Map upsert proposal
• Polyfills of methods from Map upsert proposal from the pure version made generic to make it work with polyfilled and native collections
• Wrap Symbol.for in Symbol.prototype.description polyfill for correct handling of empty string descriptions
• Fixed a modern Safari bug in Array.prototype.includes with sparse arrays and fromIndex
• Fixed one more case (Iterator.prototype.take) of a V8 ~ Chromium < 126 bug
• Forced replacement of Iterator.{ concat, zip, zipKeyed } in the pure version for ensuring proper wrapped Iterator instances as the result
• Fixed proxying .return() on exhausted iterator from some methods of iterator helpers polyfill to the underlying iterator
• Fixed double .return() calling in case of throwing error in this method in the internal iterate helper that affected some polyfills
• Fixed closing iterator on IteratorValue errors in the internal iterate helper that affected some polyfills
• Fixed iterator closing in Array.from polyfill on failure to create array property
• Fixed order of arguments validation in Array.fromAsync polyfill
• Fixed a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync polyfill
• Fixed order of arguments validation in Array.prototype.flat polyfill
• Fixed handling strings as iterables in Iterator.{ zip, zipKeyed } polyfills
• Fixed some cases of iterators closing in Iterator.{ zip, zipKeyed } polyfills
• Fixed validation of iterators .next() results an objects in Iterator.{ zip, zipKeyed } polyfills
• Fixed a lack of early error in Iterator.concat polyfill on primitive as an iterator
• Fixed buffer mutation exposure in Iterator.prototype.windows polyfill
• Fixed iterator closing in Set.prototype.{ isDisjointFrom, isSupersetOf } polyfill
• Fixed (updated following the final spec) one more case Set.prototype.difference polyfill with updating this
• Fixed DataView.prototype.setFloat16 polyfill in (0, 1) range
• Fixed order of arguments validation in String.prototype.{ padStart, padEnd } polyfills
• Fixed order of arguments validation in String.prototype.{ startsWith, endsWith } polyfills
• Fixed some cases of Infinity handling in String.prototype.substr polyfill
• Fixed String.prototype.repeat polyfill with a counter exceeding 2 ** 32
• Fixed some cases of chars case in escape polyfill
• Fixed named backreferences in RegExp NCG polyfill
• Fixed some cases of RegExp NCG polyfill in combination with other types of groups
• Fixed some cases of RegExp NCG polyfill in combination with dotAll
• Fixed String.prototype.replace with sticky polyfill, #​810, #​1514
• Fixed RegExp sticky polyfill with alternation
• Fixed handling of some line terminators in case of multiline + sticky mode in RegExp polyfill
• Fixed .input slicing on result object with RegExp sticky mode polyfill
• Fixed handling of empty groups with global and unicode modes in polyfills
• Fixed URLSearchParam.prototype.delete polyfill with duplicate key-value pairs
• Fixed possible removal of unnecessary entries in URLSearchParam.prototype.delete polyfill with second argument
• Fixed an error in some cases of non-special URLs without a path in the URL polyfill
• Fixed some percent encode cases / character sets in the URL polyfill
• Fixed parsing of non-IPv4 hosts ends in a number in the URL polyfill
• Fixed some cases of '' and null host handling in the URL polyfill
• Fixed host parsing with hostname = host:port in the URL polyfill
• Fixed host inheritance in some cases of file scheme in the URL polyfill
• Fixed block of protocol change for file with empty host in the URL polyfill
• Fixed invalid code points handling in UTF-8 decode in the URLSearchParams polyfill
• Fixed some cases of serialization in URL polyfill (/. prefix for non-special URLs with null host and path starting with empty segment)
• Fixed URL polyfill .origin getter with blob scheme
• Fixed a lack of error in URLSearchParams.prototype.set polyfill on calling only with 1 argument
• Fixed handling invalid UTF-8 continuation bytes in URLSearchParams polyfill
• Fixed incomplete sequences with out-of-range continuation bytes handling in URLSearchParams polyfill
• Fixed allowing unexpected symbols in scheme in the URL polyfill
• Fixed repeated ToPropertyKey calling in Reflect.{ get, set, deleteProperty } polyfills
• Fixed Reflect.set polyfill with some descriptors cases
• Fixed Reflect.set polyfill with some non-extensible receiver cases
• Fixed the order of Reflect.construct polyfill arguments validation (observable only in the error message)
• Fixed a lack of error in Reflect.defineProperty polyfill with malformed descriptor
• Fixed a lack of error in JSON.parse polyfill on unterminated object and array literals
• Fixed a lack of error in JSON.parse polyfill on numbers with ., but without a fraction part
• Fixed a lack of error on \u{} in String.dedent polyfill
• Fixed some cases of hex escaping in the end of string in String.dedent polyfill
• Fixed %AsyncFromSyncIteratorPrototype% to make it a little stricter
• Fixed counter in some cases of some AsyncIterator methods
• Fixed order of async iterators closing
• Fixed iterator closing in AsyncIterator.prototype.flatMap polyfill
• Fixed iterator closing in AsyncIterator.prototype.map polyfill on error in underlying iterator .next()
• Fixed iterator closing in AsyncIterator.prototype.take polyfill with return: null
• Fixed validation .return() result as object in AsyncIterator.prototype.take polyfill
• Fixed a lack of error in structuredClone polyfill on attempt to transfer multiple objects, some of which are non-transferable
• Fixed resizable ArrayBuffer transferring where newByteLength exceeds the original maxByteLength
• Fixed possible loss of symbol enumerability in Object.defineProperty in Symbol polyfill
• Fixed return value of Object.defineProperty in Symbol polyfill in Android ~ 2
• Fixed order of %TypedArray%.from arguments validation
• Fixed a lack of error on passing an ArrayBuffer and a negative length to the %TypedArray% and DataView constructors polyfills
• Fixed some cases of @@​toStringTag on %TypedArray% polyfill
• Fixed some cases of ToUint8Clamp conversion
• Fixed NaN handling in Date.prototype.setYear polyfill
• Fixed false positive on a WeakMap validation in the pure version
• Fixed some minor { Map, Set }.prototype.forEach moments in the pure version
• Fixed possible error in Array.isTemplateObject polyfill on frozen array
• Fixed semantics of Observable.from with multiple subscriptions of the obsolete ECMAScript Observable proposal polyfill
• Fixed handling of ending zeroes in the fraction part in Number.fromString polyfill
• Fixed esmodules: intersect option of core-js-compat
• Fixed a lack of reactnative alias in core-js-compat types
• Fixed a minor logical bug in the debugging output of core-js-builder
• Fixed ignorance of the obsolete blacklist option of core-js-builder - it should be removed only in the next major release
• In case of bugs in String.prototype.{ match, matchAll, replace, split } in modern engines, add s, d and v flag support to polyfills of those methods
• Just in case, added an extra input string validation to the polyfill of obsolete Number.fromString proposals
• Simplified iOS detection
• Many minor stylistic fixes and optimizations
• Compat data improvements:
  • Math.sumPrecise marked as shipped in V8 ~ Chrome 147
  • Iterator.concat marked as shipped in V8 ~ Chrome 146
  • Iterator.concat marked as shipped in Safari 26.4
  • Because of a bug, Array.prototype.includes marked as not supported in modern Safari
  • Fixed compat data for parseInt and parseFloat
  • Added Deno 2.6.7, 2.7.0 and 2.7.2 compat data mapping
  • Added Electron 42 compat data mapping
  • Added Opera for Android 95 and 96 compat data mapping
  • Added Oculus Quest Browser 42 compat data mapping

v3.48.0

Compare Source

• Changes v3.47.0...v3.48.0 (126 commits)
• Map upsert proposal:
  • Built-ins:
    • Map.prototype.getOrInsert
    • Map.prototype.getOrInsertComputed
    • WeakMap.prototype.getOrInsert
    • WeakMap.prototype.getOrInsertComputed
  • Moved to stable ES, January 2026 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
• Use CreateDataProperty / CreateDataPropertyOrThrow in some missed cases, #​1497
• Minor fix / optimization in the RegExp constructor (NCG and dotAll) polyfill
• Added some more workarounds for a Safari < 13 bug with silent ignore of non-writable array .length
• Added detection of a Webkit bug: Iterator.prototype.flatMap throws on iterator without return method
• Added detection of a V8 ~ Chromium < 144 bug: Uint8Array.prototype.setFromHex throws an error on length-tracking views over ResizableArrayBuffer
• Compat data improvements:
  • Map upsert proposal features marked as shipped in V8 ~ Chrome 145
  • Joint iteration proposal features marked as shipped in FF148
  • Iterator.concat marked as shipped in Bun 1.3.7
  • Added Rhino 1.9.0 compat data
  • Added Deno 2.6 compat data mapping
  • Added Opera Android 93 and 94 compat data mapping
  • Added Electron 41 compat data mapping
  • Iterator.prototype.flatMap marked as supported from Safari 26.2 and Bun 1.2.21 because of a bug: throws on iterator without return method
  • Uint8Array.prototype.setFromHex marked as supported from V8 ~ Chromium 144 because of a bug: throws an error on length-tracking views over ResizableArrayBuffer

v3.47.0

Compare Source

• Changes v3.46.0...v3.47.0 (117 commits)
• JSON.parse source text access proposal :
  • Built-ins:
    • JSON.isRawJSON
    • JSON.parse
    • JSON.rawJSON
    • JSON.stringify
  • Moved to stable ES, November 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Reworked JSON.stringify internals
• Iterator sequencing proposal:
  • Built-ins:
    • Iterator.concat
  • Moved to stable ES, November 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
• Joint iteration proposal:
  • Built-ins:
    • Iterator.zip
    • Iterator.zipKeyed
  • Moved to stage 3, November 2025 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Fixed increasing .size in URLSearchParams.prototype.append polyfill in IE8-
• Compat data improvements:
  • Iterator.concat marked as shipped in FF147
  • Map upsert proposal features marked as shipped in Safari 26.2
  • Math.sumPrecise marked as shipped in Safari 26.2
  • Uint8Array.{ fromBase64, prototype.setFromBase64 } marked as fixed in Safari 26.2
  • Missed Explicit Resource Management features added in Bun 1.3.0
  • Added Oculus Quest Browser 41 compat data mapping
  • Added Electron 40 compat data mapping

v3.46.0

Compare Source

• Changes v3.45.1...v3.46.0 (116 commits)
• Map upsert stage 3 proposal:
  • Fixed a FF WeakMap.prototype.getOrInsertComputed bug with callback calling before validation a key
• Iterator chunking proposal:
  • Built-ins:
    • Iterator.prototype.chunks
    • Iterator.prototype.windows
  • Moved to stage 2.7, September 2025 TC39 meeting
  • Iterator.prototype.sliding method replaced with an extra parameter of Iterator.prototype.windows method, tc39/proposal-iterator-chunking/#​24, tc39/proposal-iterator-chunking/#​26
• Fixed Iterator.zip and Iterator.zipKeyed behavior with mode: 'longest' option, #​1469, thanks @​lionel-rowe
• Fixed work of Object.groupBy and Iterator.zipKeyed together with Symbol polyfill - some cases of symbol keys on result null-prototype object were able to leak out to for-in
• Compat data improvements:
  • Map upsert proposal features marked as shipped from FF144
  • Added Node 25.0 compat data mapping
  • Added Deno 2.5 compat data mapping
  • Updated Electron 39 compat data mapping
  • Updated Opera 121+ compat data mapping
  • Added Opera Android 92 compat data mapping
  • Added Oculus Quest Browser 40 compat data mapping

v3.45.1

Compare Source

• Changes v3.45.0...v3.45.1 (30 commits)
• Fixed a conflict of native methods from Map upsert proposal with polyfilled methods in the pure version
• Added bugs fields to package.json of all packages
• Compat data improvements:
  • Map upsert proposal features marked as shipped from Bun 1.2.20
  • Added Samsung Internet 29 compat data mapping
  • Added Electron 39 compat data mapping

v3.45.0

Compare Source

• Changes v3.44.0...v3.45.0 (70 commits)
• Uint8Array to / from base64 and hex proposal:
  • Built-ins:
    • Uint8Array.fromBase64
    • Uint8Array.fromHex
    • Uint8Array.prototype.setFromBase64
    • Uint8Array.prototype.setFromHex
    • Uint8Array.prototype.toBase64
    • Uint8Array.prototype.toHex
  • Moved to stable ES, July 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Added detection of a Webkit bug: Uint8Array fromBase64 / setFromBase64 does not throw an error on incorrect length of base64 string
• Math.sumPrecise proposal:
  • Built-ins:
    • Math.sumPrecise
  • Moved to stable ES, July 2025 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
• Iterator sequencing proposal:
  • Built-ins:
    • Iterator.concat
  • Moved to stage 3, July 2025 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Map upsert proposal:
  • Built-ins:
    • Map.prototype.getOrInsert
    • Map.prototype.getOrInsertComputed
    • WeakMap.prototype.getOrInsert
    • WeakMap.prototype.getOrInsertComputed
  • Moved to stage 3, July 2025 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Added missing dependencies to some entries of static Iterator methods
• Fixed Joint Iteration proposal in /stage/ entries
• Compat data improvements:
  • Uint8Array to / from base64 and hex proposal features marked as supported from V8 ~ Chromium 140
  • Uint8Array.{ fromBase64, prototype.setFromBase64 } marked as unsupported in Safari and supported only from Bun 1.2.20 because of a bug: it does not throw an error on incorrect length of base64 string
  • %TypedArray%.prototype.with marked as fixed in Safari 26.0
  • Updated Electron 38 compat data mapping
  • Added Opera Android 91 compat data mapping

v3.44.0

Compare Source

• Changes v3.43.0...v3.44.0 (87 commits)
• Uint8Array to / from base64 and hex stage 3 proposal:
  • Fixed several V8 bugs in Uint8Array.fromHex and Uint8Array.prototype.{ setFromBase64, toBase64, toHex }, thanks @​brc-dd
• Joint iteration stage 2.7 proposal:
  • Uses Get in Iterator.zipKeyed, following tc39/proposal-joint-iteration#43
• Iterator sequencing stage 2.7 proposal:
  • Iterator.concat no longer reuses IteratorResult object of concatenated iterators, following tc39/proposal-iterator-sequencing#26
• Iterator chunking stage 2 proposal:
  • Added built-ins:
    • Iterator.prototype.sliding
• Number.prototype.clamp stage 2 proposal:
  • clamp no longer throws an error on NaN as min or max, following tc39/proposal-math-clamp#d2387791c265edf66fbe2455eab919016717ce6f
• Fixed some cases of Set.prototype.{ symmetricDifference, union } detection
• Added missing dependencies to some entries of static Iterator methods
• Added missing /full/{ instance, number/virtual }/clamp entries
• Some minor stylistic changes
• Compat data improvements:
  • Added Electron 38 and 39 compat data mapping
  • Added Oculus Quest Browser 38 and 39 compat data mapping
  • Iterator helpers marked as fixed and updated following the latest spec changes in Safari 26.0
  • Set.prototype.{ difference, symmetricDifference, union } marked as fixed in Safari 26.0
  • SuppressedError marked as fixed in FF141
  • Error.isError marked as fixed in Node 24.3
  • setImmediate and clearImmediate marked as available from Deno 2.4
  • Math.sumPrecise marked as shipped in Bun 1.2.18
  • %TypedArray%.prototype.with marked as fixed in Bun 1.2.18

v3.43.0

Compare Source

• Changes v3.42.0...v3.43.0 (139 commits)
• Explicit Resource Management proposals:
  • Built-ins:
    • Symbol.dispose
    • Symbol.asyncDispose
    • SuppressedError
    • DisposableStack
      • DisposableStack.prototype.dispose
      • DisposableStack.prototype.use
      • DisposableStack.prototype.adopt
      • DisposableStack.prototype.defer
      • DisposableStack.prototype.move
      • DisposableStack.prototype[@​@​dispose]
    • AsyncDisposableStack
      • AsyncDisposableStack.prototype.disposeAsync
      • AsyncDisposableStack.prototype.use
      • AsyncDisposableStack.prototype.adopt
      • AsyncDisposableStack.prototype.defer
      • AsyncDisposableStack.prototype.move
      • AsyncDisposableStack.prototype[@​@​asyncDispose]
    • Iterator.prototype[@​@​dispose]
    • AsyncIterator.prototype[@​@​asyncDispose]
  • Moved to stable ES, May 2025 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
• Array.fromAsync proposal:
  • Built-ins:
    • Array.fromAsync
  • Moved to stable ES, May 2025 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
• Error.isError proposal:
  • Built-ins:
    • Error.isError
  • Moved to stable ES, May 2025 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
• Added Joint iteration stage 2.7 proposal:
  • Added built-ins:
    • Iterator.zip
    • Iterator.zipKeyed
• Added Iterator chunking stage 2 proposal:
  • Added built-ins:
    • Iterator.prototype.chunks
    • Iterator.prototype.windows
• Number.prototype.clamp proposal:
  • Built-ins:
    • Number.prototype.clamp
  • Moved to stage 2, May 2025 TC39 meeting
  • Math.clamp was replaced with Number.prototype.clamp
  • Removed a RangeError if min <= max or +0 min and -0 max, tc39/proposal-math-clamp/#​22
• Always check regular expression flags by flags getter PR. Native methods are not fixed, only own implementation updated for:
  • RegExp.prototype[@​@​match]
  • RegExp.prototype[@​@​replace]
• Improved handling of RegExp flags in polyfills of some methods in engines without proper support of RegExp.prototype.flags and without polyfill of this getter
• Added feature detection for a WebKit bug that occurs when this is updated while Set.prototype.difference is being executed
• Added feature detection for a WebKit bug that occurs when iterator record of a set-like object isn't called before cloning this in the following methods:
  • Set.prototype.symmetricDifference
  • Set.prototype.union
• Added feature detection for a bug in V8 ~ Chromium < 126. Following methods should throw an error on invalid iterator:
  • Iterator.prototype.drop
  • Iterator.prototype.filter
  • Iterator.prototype.flatMap
  • Iterator.prototype.map
• Added feature detection for a WebKit bug: incorrect exception thrown by Iterator.from when underlying iterator's return method is null
• Added feature detection for a FF bug: incorrect exception thrown by Array.prototype.with when index coercion fails
• Added feature detection for a WebKit bug: TypedArray.prototype.with should truncate negative fractional index to zero, but instead throws an error
• Worked around a bug of many different tools (example) with incorrect transforming and breaking JS syntax on getting a method from a number literal
• Fixed deoptimization of the Promise polyfill in the pure version
• Added some missed dependencies to /iterator/flat-map entries
• Some other minor fixes and improvements
• Compat data improvements:
  • Added Deno 2.3 and Deno 2.3.2 compat data mapping
  • Updated Electron 37 compat data mapping
  • Added Opera Android 90 compat data mapping
  • Error.isError marked not supported in Node because of a bug
  • Set.prototype.difference marked as not supported in Safari and supported only from Bun 1.2.5 because of a bug
  • Set.prototype.{ symmetricDifference, union } marked as not supported in Safari and supported only from Bun 1.2.5 because of a bug
  • Iterator.from marked as not supported in Safari and supported only from Bun 1.2.5 because of a bug
  • Iterators closing on early errors in Iterator helpers marked as implemented from FF141
  • Array.prototype.with marked as supported only from FF140 because it throws an incorrect exception when index coercion fails
  • TypedArray.prototype.with marked as unsupported in Bun and Safari because it should truncate negative fractional index to zero, but instead throws an error
  • DisposableStack and AsyncDisposableStack marked as shipped in FF141 (SuppressedError has a bug)
  • AsyncDisposableStack bugs marked as fixed in Deno 2.3.2
  • SuppressedError bugs (extra arguments support and arity) marked as fixed in Bun 1.2.15

v3.42.0

Compare Source

• Changes v3.41.0...v3.42.0 (142 commits)
• Map upsert proposal:
  • Moved to stage 2.7, April 2025 TC39 meeting
  • Validation order of WeakMap.prototype.getOrInsertComputed updated following tc39/proposal-upsert#79
  • Built-ins:
    • Map.prototype.getOrInsert
    • Map.prototype.getOrInsertComputed
    • WeakMap.prototype.getOrInsert
    • WeakMap.prototype.getOrInsertComputed
• Don't call well-known Symbol methods for RegExp on primitive values following tc39/ecma262#3009:
  • For avoid performance regression, temporarily, only in own core-js implementations
  • Built-ins:
    • String.prototype.matchAll
    • String.prototype.match
    • String.prototype.replaceAll
    • String.prototype.replace
    • String.prototype.search
    • String.prototype.split
• Added workaround for the Uint8Array.prototype.setFromBase64 bug in some of Linux builds of WebKit
• Implemented early-error iterator closing following tc39/ecma262#3467, including fix of a WebKit bug, in the following methods:
  • Iterator.prototype.drop
  • Iterator.prototype.every
  • Iterator.prototype.filter
  • Iterator.prototype.find
  • Iterator.prototype.flatMap
  • Iterator.prototype.forEach
  • Iterator.prototype.map
  • Iterator.prototype.reduce
  • Iterator.prototype.some
  • Iterator.prototype.take
• Fixed missing forced replacement of AsyncIterator helpers
• Added closing of sync iterator when async wrapper yields a rejection following tc39/ecma262#2600. Affected methods:
  • Array.fromAsync (due to the lack of async feature detection capability - temporarily, only in own core-js implementation)
  • AsyncIterator.from
  • Iterator.prototype.toAsync
• Added detection for throwing on undefined initial parameter in Iterator.prototype.reduce (see WebKit bug)
• core-js-compat and core-js-builder API:
  • Added 'intersect' support for targets.esmodules (Babel 7 behavior)
  • Fixed handling of targets.esmodules: true (Babel 7 behavior)
• Compat data improvements:
  • Explicit Resource Management features disabled (again) in V8 ~ Chromium 135 and re-added in 136
  • RegExp.escape marked as shipped from V8 ~ Chromium 136
  • Error.isError marked as shipped from FF138
  • Explicit Resource Management features re-enabled in Deno 2.2.10
  • Iterator helpers proposal features marked as supported from Deno 1.38.1 since it seems they were disabled in 1.38.0
  • Iterator.prototype.{ drop, reduce, take } methods marked as fixed in Bun 1.2.11
  • Added NodeJS 24.0 compat data mapping
  • Updated Electron 36 and added Electron 37 compat data mapping
  • Added Opera Android 88 and 89 compat data mapping
  • Added Oculus Quest Browser 37 compat data mapping

v3.41.0

Compare Source

• Changes v3.40.0...v3.41.0 (85 commits)
• RegExp.escape proposal:
  • Built-ins:
    • RegExp.escape
  • Moved to stable ES, February 2025 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
• Float16 proposal:
  • Built-ins:
    • Math.f16round
    • DataView.prototype.getFloat16
    • DataView.prototype.setFloat16
  • Moved to stable ES, February 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
• Math.clamp stage 1 proposal:
  • Built-ins:
    • Math.clamp
  • Extracted from old Math extensions proposal, February 2025 TC39 meeting
  • Added arguments validation
  • Added new entries
• Added a workaround of a V8 AsyncDisposableStack bug, tc39/proposal-explicit-resource-management/256
• Compat data improvements:
  • DisposableStack, SuppressedError and Iterator.prototype[@​@​dispose] marked as shipped from V8 ~ Chromium 134
  • Error.isError added and marked as shipped from V8 ~ Chromium 134
  • Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } marked as shipped from V8 ~ Chromium 135
  • Iterator helpers proposal features marked as shipped from Safari 18.4
  • JSON.parse source text access proposal features marked as shipped from Safari 18.4
  • Math.sumPrecise marked as shipped from FF137
  • Added Deno 2.2 compat data and compat data mapping
    • Explicit Resource Management features are available in V8 ~ Chromium 134, but not in Deno 2.2 based on it
  • Updated Electron 35 and added Electron 36 compat data mapping
  • Updated Opera Android 87 compat data mapping
  • Added Samsung Internet 28 compat data mapping
  • Added Oculus Quest Browser 36 compat data mapping

v3.40.0

Compare Source

• Changes v3.39.0...v3.40.0 (130 commits)
• Added Error.isError stage 3 proposal:
  • Added built-ins:
    • Error.isError
  • We have no bulletproof way to polyfill this method / check if the object is an error, so it's an enough naive implementation that is marked as .sham
• Explicit Resource Management stage 3 proposal:
  • Updated the way async disposing of only sync disposable resources, tc39/proposal-explicit-resource-management/218
• Iterator sequencing stage 2.7 proposal:
  • Reuse IteratorResult objects when possible, tc39/proposal-iterator-sequencing/17, tc39/proposal-iterator-sequencing/18, December 2024 TC39 meeting
• Added a fix of V8 < 12.8 / NodeJS < 22.10 bug with handling infinite length of set-like objects in Set methods
• Optimized DataView.prototype.{ getFloat16, setFloat16 } performance, #​1379, thanks @​LeviPesin
• Dropped unneeded feature detection of non-standard %TypedArray%.prototype.toSpliced
• Dropped possible re-usage of some non-standard / early stage features (like Math.scale) available on global
• Some other minor improvements
• Compat data improvements:
  • RegExp.escape marked as shipped from Safari 18.2
  • Promise.try marked as shipped from Safari 18.2
  • Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } marked as shipped from Safari 18.2
  • Uint8Array to / from base64 and hex proposal methods marked as shipped from Safari 18.2
  • JSON.parse source text access proposal features marked as shipped from FF135
  • RegExp.escape marked as shipped from FF134
  • Promise.try marked as shipped from FF134
  • Symbol.dispose, Symbol.asyncDispose and Iterator.prototype[@​@​dispose] marked as shipped from FF135
  • JSON.parse source text access proposal features marked as shipped from Bun 1.1.43
  • Fixed NodeJS version where URL.parse was added - 22.1 instead of 22.0
  • Added Deno 2.1 compat data mapping
  • Added Rhino 1.8.0 compat data with significant number of modern features
  • Added Electron 35 compat data mapping
  • Updated Opera 115+ compat data mapping
  • Added Opera Android 86 and 87 compat data mapping

v3.39.0

Compare Source

• Changes v3.38.1...v3.39.0
• Iterator helpers proposal:
  • Built-ins:
    • Iterator
      • Iterator.from
      • Iterator.prototype.drop
      • Iterator.prototype.every
      • Iterator.prototype.filter
      • Iterator.prototype.find
      • Iterator.prototype.flatMap
      • Iterator.prototype.forEach
      • Iterator.prototype.map
      • Iterator.prototype.reduce
      • Iterator.prototype.some
      • Iterator.prototype.take
      • Iterator.prototype.toArray
      • Iterator.prototype[@​@​toStringTag]
  • Moved to stable ES, October 2024 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
• Promise.try:
  • Built-ins:
    • Promise.try
  • Moved to stable ES, October 2024 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
  • Fixed /actual|full/promise/try entries for the callback arguments support
• Math.sumPrecise proposal:
  • Built-ins:
    • Math.sumPrecise
  • Moved to stage 3, October 2024 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Added Iterator sequencing stage 2.7 proposal:
  • Added built-ins:
    • Iterator.concat
• Map upsert stage 2 proposal:
  • Updated to the new API following the October 2024 TC39 meeting
  • Added built-ins:
    • Map.prototype.getOrInsert
    • Map.prototype.getOrInsertComputed
    • WeakMap.prototype.getOrInsert
    • WeakMap.prototype.getOrInsertComputed
• Extractors proposal moved to stage 2, October 2024 TC39 meeting
• Usage of @@​species pattern removed from %TypedArray% and ArrayBuffer methods, tc39/ecma262/3450:
  • Built-ins:
    • %TypedArray%.prototype.filter
    • %TypedArray%.prototype.filterReject
    • %TypedArray%.prototype.map
    • %TypedArray%.prototype.slice
    • %TypedArray%.prototype.subarray
    • ArrayBuffer.prototype.slice
• Some other minor improvements
• Compat data improvements:
  • Uint8Array to / from base64 and hex proposal methods marked as shipped from FF133
  • Added NodeJS 23.0 compat data mapping
  • self descriptor is fixed in Deno 1.46.0
  • Added Deno 1.46 and 2.0 compat data mapping
  • Iterator helpers proposal methods marked as shipped from Bun 1.1.31
  • Added Electron 34 and updated Electron 33 compat data mapping
  • Added Opera Android 85 compat data mapping
  • Added Oculus Quest Browser 35 compat data mapping

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: drupal/composer.lock

Command failed: composer update composer/installers:2.2.0 drupal/core-composer-scaffold:9.5.11 drupal/core-dev:9.5.11 drupal/core-project-message:9.5.11 drupal/core-recommended:9.5.11 drupal/druxt:1.2.0 drupal/tome:1.12.0 drush/drush:11.6.0 --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
������������������������������������������������������                                                      ������������������������������������������������������Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - longwave/laminas-diactoros[2.14.2, ..., 2.14.x-dev] require php ^7.3 || ~8.0.0 || ~8.1.0 || ~8.2.0 -> your php version (8.3.6) does not satisfy that requirement.
    - drupal/core-recommended 9.5.11 requires longwave/laminas-diactoros ~2.14.2 -> satisfiable by longwave/laminas-diactoros[2.14.2, 2.14.x-dev].
    - Root composer.json requires drupal/core-recommended 9.5.11 -> satisfiable by drupal/core-recommended[9.5.11].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: drupal/composer.lock

Command failed: composer update composer/installers:2.3.0 drupal/core-composer-scaffold:9.5.11 drupal/core-dev:9.5.11 drupal/core-project-message:9.5.11 drupal/druxt:1.2.1 drupal/tome:1.14.0 drush/drush:11.6.0 --with-dependencies --ignore-platform-req=ext-* --ignore-platform-req=lib-* --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins --minimal-changes
Loading composer repositories with package information
������������������������������������������������������                                                      ������������������������������������������������������Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - drupal/core-recommended is locked to version 9.3.6 and an update of this package was not requested.
    - drupal/core-recommended 9.3.6 requires drupal/core 9.3.6 -> found drupal/core[9.3.6] but these were not loaded, because they are affected by security advisories ("SA-CORE-2022-005", "SA-CORE-2022-006", "SA-CORE-2022-008", "SA-CORE-2022-009", "SA-CORE-2022-010", "SA-CORE-2022-011", "SA-CORE-2022-012", "SA-CORE-2022-013", "SA-CORE-2022-014", "SA-CORE-2022-015", "SA-CORE-2022-016", "SA-CORE-2023-001", "SA-CORE-2023-002", "SA-CORE-2023-003", "SA-CORE-2023-004", "SA-CORE-2023-005", "SA-CORE-2023-006", "SA-CORE-2024-001", "SA-CORE-2024-003", "SA-CORE-2024-004", "SA-CORE-2024-006", "SA-CORE-2024-007", "SA-CORE-2024-008", "SA-CORE-2025-001", "SA-CORE-2025-002", "SA-CORE-2025-003", "SA-CORE-2025-004", "SA-CORE-2025-007", "SA-CORE-2025-008", "SA-CORE-2025-005", "SA-CORE-2025-006", "PKSA-d8tb-wwz2-ctxk", "PKSA-dh1f-zjm5-qg8y", "PKSA-bn52-vyzy-rmnm", "PKSA-xj83-g6g8-41vf", "PKSA-s1zc-gcfk-ddw5", "PKSA-ctyc-dmct-npkz", "PKSA-42zc-x5ss-z64p", "PKSA-s6zc-mws4-ngh4", "PKSA-xd2s-f2mt-7tf3", "PKSA-g51h-n1x3-mszr", "PKSA-jthw-vxjy-kxnx", "PKSA-ts55-c66h-g96n", "PKSA-yjvc-rnsz-8n3c", "PKSA-styk-3knc-d1bt", "PKSA-2gfj-5sh8-j3c5", "PKSA-qvwm-3y4s-nttg", "PKSA-my7h-svxh-5q3g", "PKSA-h7d4-5mdz-2965", "PKSA-fpcy-trdp-tpy2", "PKSA-zbq2-x219-h8gz", "PKSA-4j5n-cxxv-ptjc", "PKSA-7q72-qds7-4xyv", "PKSA-hy6y-p19f-b5kf", "PKSA-gkkw-qh7h-5181"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 2
    - Root composer.json requires drupal/druxt 1.2.1 -> satisfiable by drupal/druxt[1.2.1].
    - drupal/druxt 1.2.1 requires drupal/core ^8.8 || ^9 || ^10 || ^11 -> found drupal/core[8.8.0-alpha1, ..., 8.9.x-dev, 9.0.0-alpha1, ..., 9.5.x-dev, 10.0.0-alpha1, ..., 10.6.x-dev, 11.0.0-alpha1, ..., 11.x-dev] but these were not loaded, because they are affected by security advisories ("SA-CORE-2019-009", "SA-CORE-2019-010", "SA-CORE-2019-012", "SA-CORE-2019-011", "SA-CORE-2020-001", "SA-CORE-2020-002", "SA-CORE-2020-004", "SA-CORE-2020-005", "SA-CORE-2020-006", "SA-CORE-2020-007", "SA-CORE-2020-009", "SA-CORE-2020-010", "SA-CORE-2020-008", "SA-CORE-2020-011", "SA-CORE-2020-012", "SA-CORE-2020-013", "SA-CORE-2021-001", "SA-CORE-2021-002", "SA-CORE-2021-003", "SA-CORE-2021-004", "SA-CORE-2021-005", "SA-CORE-2021-006", "SA-CORE-2021-007", "SA-CORE-2021-008", "SA-CORE-2021-009", "SA-CORE-2021-010", "SA-CORE-2021-011", "SA-CORE-2022-001", "SA-CORE-2022-003", "SA-CORE-2022-004", "SA-CORE-2022-005", "SA-CORE-2022-006", "SA-CORE-2022-008", "SA-CORE-2022-009", "SA-CORE-2022-010", "SA-CORE-2022-011", "SA-CORE-2022-012", "SA-CORE-2022-013", "SA-CORE-2022-014", "SA-CORE-2022-015", "SA-CORE-2022-016", "SA-CORE-2023-001", "SA-CORE-2023-002", "SA-CORE-2023-003", "SA-CORE-2023-004", "SA-CORE-2023-005", "SA-CORE-2023-006", "SA-CORE-2024-001", "SA-CORE-2024-002", "SA-CORE-2024-003", "SA-CORE-2024-004", "SA-CORE-2024-006", "SA-CORE-2024-007", "SA-CORE-2024-008", "SA-CORE-2025-001", "SA-CORE-2025-002", "SA-CORE-2025-003", "SA-CORE-2025-004", "SA-CORE-2025-007", "SA-CORE-2025-008", "SA-CORE-2025-005", "SA-CORE-2025-006", "PKSA-d8tb-wwz2-ctxk", "PKSA-dh1f-zjm5-qg8y", "PKSA-bn52-vyzy-rmnm", "PKSA-xj83-g6g8-41vf", "PKSA-s1zc-gcfk-ddw5", "PKSA-ctyc-dmct-npkz", "PKSA-42zc-x5ss-z64p", "PKSA-s6zc-mws4-ngh4", "PKSA-xd2s-f2mt-7tf3", "PKSA-g51h-n1x3-mszr", "PKSA-jthw-vxjy-kxnx", "PKSA-ts55-c66h-g96n", "PKSA-yjvc-rnsz-8n3c", "PKSA-q8r5-cgs2-dxxk", "PKSA-mh8z-kh9f-vv4z", "PKSA-styk-3knc-d1bt", "PKSA-2gfj-5sh8-j3c5", "PKSA-qvwm-3y4s-nttg", "PKSA-my7h-svxh-5q3g", "PKSA-h7d4-5mdz-2965", "PKSA-fpcy-trdp-tpy2", "PKSA-zbq2-x219-h8gz", "PKSA-4j5n-cxxv-ptjc", "PKSA-7q72-qds7-4xyv", "PKSA-hy6y-p19f-b5kf", "PKSA-gkkw-qh7h-5181", "PKSA-cp8p-f15s-htbt", "PKSA-72rg-qbp7-873g", "PKSA-2tvs-gcpz-cmm6", "PKSA-46zx-gs68-q4zv", "PKSA-4q53-3jd6-45wg", "PKSA-njy4-5vnq-bx5f", "PKSA-s6ck-qn9j-xnqf", "PKSA-6dxs-yv9z-8twp", "PKSA-bc4x-jnrh-4k6w", "PKSA-7zvx-63nf-7nkj", "PKSA-kjgx-r4v3-961f", "PKSA-77t6-rxnw-bfjm", "PKSA-jknr-sjbw-zn24", "PKSA-1k26-dn58-yzpc", "PKSA-69gr-9b59-5f99", "PKSA-c6qk-kgrx-8q42", "PKSA-ggc3-34xd-zmzd", "PKSA-j215-hxck-vk25", "PKSA-jkzg-rr1r-vmvy", "PKSA-5wmm-s575-4sjg", "PKSA-yxnf-v37t-gh27", "PKSA-rb2t-qsk8-f792", "PKSA-vcbr-zg2g-wfsp", "PKSA-n8hw-tywm-xrh7", "PKSA-mw8j-f3jc-m8zf", "PKSA-xv6s-sqg3-tq2g"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 3
    - Root composer.json requires drupal/tome ^1.14.0 -> satisfiable by drupal/tome[1.14.0].
    - drupal/tome 1.14.0 requires drupal/core ^9 || ^10 || ^11 -> found drupal/core[9.0.0-alpha1, ..., 9.5.x-dev, 10.0.0-alpha1, ..., 10.6.x-dev, 11.0.0-alpha1, ..., 11.x-dev] but these were not loaded, because they are affected by security advisories ("SA-CORE-2020-004", "SA-CORE-2020-005", "SA-CORE-2020-006", "SA-CORE-2020-007", "SA-CORE-2020-009", "SA-CORE-2020-010", "SA-CORE-2020-008", "SA-CORE-2020-011", "SA-CORE-2020-012", "SA-CORE-2020-013", "SA-CORE-2021-001", "SA-CORE-2021-002", "SA-CORE-2021-003", "SA-CORE-2021-004", "SA-CORE-2021-005", "SA-CORE-2021-006", "SA-CORE-2021-007", "SA-CORE-2021-008", "SA-CORE-2021-009", "SA-CORE-2021-010", "SA-CORE-2021-011", "SA-CORE-2022-001", "SA-CORE-2022-003", "SA-CORE-2022-004", "SA-CORE-2022-005", "SA-CORE-2022-006", "SA-CORE-2022-008", "SA-CORE-2022-009", "SA-CORE-2022-010", "SA-CORE-2022-011", "SA-CORE-2022-012", "SA-CORE-2022-013", "SA-CORE-2022-014", "SA-CORE-2022-015", "SA-CORE-2022-016", "SA-CORE-2023-001", "SA-CORE-2023-002", "SA-CORE-2023-003", "SA-CORE-2023-004", "SA-CORE-2023-005", "SA-CORE-2023-006", "SA-CORE-2024-001", "SA-CORE-2024-002", "SA-CORE-2024-003", "SA-CORE-2024-004", "SA-CORE-2024-006", "SA-CORE-2024-007", "SA-CORE-2024-008", "SA-CORE-2025-001", "SA-CORE-2025-002", "SA-CORE-2025-003", "SA-CORE-2025-004", "SA-CORE-2025-007", "SA-CORE-2025-008", "SA-CORE-2025-005", "SA-CORE-2025-006", "PKSA-d8tb-wwz2-ctxk", "PKSA-dh1f-zjm5-qg8y", "PKSA-bn52-vyzy-rmnm", "PKSA-xj83-g6g8-41vf", "PKSA-s1zc-gcfk-ddw5", "PKSA-ctyc-dmct-npkz", "PKSA-42zc-x5ss-z64p", "PKSA-s6zc-mws4-ngh4", "PKSA-xd2s-f2mt-7tf3", "PKSA-g51h-n1x3-mszr", "PKSA-jthw-vxjy-kxnx", "PKSA-ts55-c66h-g96n", "PKSA-yjvc-rnsz-8n3c", "PKSA-q8r5-cgs2-dxxk", "PKSA-mh8z-kh9f-vv4z", "PKSA-styk-3knc-d1bt", "PKSA-2gfj-5sh8-j3c5", "PKSA-qvwm-3y4s-nttg", "PKSA-my7h-svxh-5q3g", "PKSA-h7d4-5mdz-2965", "PKSA-fpcy-trdp-tpy2", "PKSA-zbq2-x219-h8gz", "PKSA-4j5n-cxxv-ptjc", "PKSA-7q72-qds7-4xyv", "PKSA-hy6y-p19f-b5kf", "PKSA-gkkw-qh7h-5181", "PKSA-cp8p-f15s-htbt", "PKSA-72rg-qbp7-873g", "PKSA-2tvs-gcpz-cmm6", "PKSA-46zx-gs68-q4zv", "PKSA-4q53-3jd6-45wg", "PKSA-njy4-5vnq-bx5f", "PKSA-s6ck-qn9j-xnqf", "PKSA-6dxs-yv9z-8twp", "PKSA-bc4x-jnrh-4k6w", "PKSA-7zvx-63nf-7nkj", "PKSA-kjgx-r4v3-961f", "PKSA-77t6-rxnw-bfjm", "PKSA-jknr-sjbw-zn24", "PKSA-1k26-dn58-yzpc", "PKSA-69gr-9b59-5f99", "PKSA-c6qk-kgrx-8q42", "PKSA-ggc3-34xd-zmzd", "PKSA-j215-hxck-vk25", "PKSA-jkzg-rr1r-vmvy", "PKSA-5wmm-s575-4sjg"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 4
    - Root composer.json requires drush/drush ^11.6.0 -> satisfiable by drush/drush[11.6.0].
    - drush/drush 11.6.0 requires guzzlehttp/guzzle ^6.5 || ^7.0 -> found guzzlehttp/guzzle[6.5.0, ..., 6.5.x-dev, 7.0.0-beta.1, ..., 7.10.x-dev] but these were not loaded, because they are affected by security advisories ("PKSA-yfw5-9gnj-n2c7", "PKSA-k1b4-kshy-xgbh", "PKSA-2z36-j4q9-rsfy", "PKSA-fvw5-9t6n-nwvr", "PKSA-6d8m-6kgw-18zr"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
  Problem 5
    - drupal-tome/tome_drush is locked to version dev-feature/3-drush_11 and an update of this package was not requested.
    - drupal-tome/tome_drush dev-feature/3-drush_11 requires drush/drush ^9.6.0 || ^10.0 || ^11.0 -> satisfiable by drush/drush[11.6.0].
    - drush/drush 11.6.0 requires guzzlehttp/guzzle ^6.5 || ^7.0 -> found guzzlehttp/guzzle[6.5.0, ..., 6.5.x-dev, 7.0.0-beta.1, ..., 7.10.x-dev] but these were not loaded, because they are affected by security advisories ("PKSA-yfw5-9gnj-n2c7", "PKSA-k1b4-kshy-xgbh", "PKSA-2z36-j4q9-rsfy", "PKSA-fvw5-9t6n-nwvr", "PKSA-6d8m-6kgw-18zr"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.