Bump the npm_and_yarn group across 2 directories with 18 updates

[dependabot]

Bumps the npm_and_yarn group with 17 updates in the / directory:

Package	From	To
@anthropic-ai/sdk	0.80.0	0.91.1
@github/copilot	1.0.12	1.0.43
dompurify	3.3.2	3.4.0
electron	37.8.0	39.8.5
@hono/node-server	1.19.10	1.19.14
@nevware21/ts-utils	0.12.5	0.14.0
protobufjs	7.5.4	7.6.1
basic-ftp	5.2.0	5.3.1
fast-uri	3.0.5	3.1.2
fast-xml-builder	1.1.4	1.2.0
fast-xml-parser	5.5.7	5.8.0
hono	4.12.7	4.12.22
ip-address	10.1.0	10.2.0
postcss	8.5.6	8.5.15
qs	6.14.2	6.15.2
vite	7.1.12	7.3.3
ws	8.19.0	8.21.0

Bumps the npm_and_yarn group with 4 updates in the /chat-lib directory: @anthropic-ai/sdk, brace-expansion, postcss and vite.

Updates @anthropic-ai/sdk from 0.80.0 to 0.91.1

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.91.1

0.91.1 (2026-04-24)

Full Changelog: sdk-v0.91.0...sdk-v0.91.1

Bug Fixes

• memory: use restrictive file mode for memory files (#901) (6db3b7e)

Chores

• formatter: run prettier and eslint separately (974d22f)

sdk: v0.91.0

0.91.0 (2026-04-23)

Full Changelog: sdk-v0.90.0...sdk-v0.91.0

Features

• api: CMA Memory public beta (ddf732f)
• bedrock: use auth header for mantle client (#866) (aec801a)

Bug Fixes

• api: fix errors in api spec (ae10768)
• api: restore missing features (1a5b47b)

Chores

• internal: more robust bootstrap script (7716e19)
• tests: bump steady to v0.22.1 (219a971)

sdk: v0.90.0

0.90.0 (2026-04-16)

Full Changelog: sdk-v0.89.0...sdk-v0.90.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (b26134b)

Chores

• actually delete release-doctor.yml (0fe984d)
• ci: remove release-doctor workflow (08e58bd)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.91.1 (2026-04-24)

Full Changelog: sdk-v0.91.0...sdk-v0.91.1

Bug Fixes

• memory: use restrictive file mode for memory files (#901) (6db3b7e)

Chores

• formatter: run prettier and eslint separately (974d22f)

0.91.0 (2026-04-23)

Full Changelog: sdk-v0.90.0...sdk-v0.91.0

Features

• api: CMA Memory public beta (ddf732f)
• bedrock: use auth header for mantle client (#866) (aec801a)

Bug Fixes

• api: fix errors in api spec (ae10768)
• api: restore missing features (1a5b47b)

Chores

• internal: more robust bootstrap script (7716e19)
• tests: bump steady to v0.22.1 (219a971)

0.90.0 (2026-04-16)

Full Changelog: sdk-v0.89.0...sdk-v0.90.0

Features

• api: add claude-opus-4-7, token budgets and user_profiles (b26134b)

Chores

• actually delete release-doctor.yml (0fe984d)
• ci: remove release-doctor workflow (08e58bd)

0.89.0 (2026-04-14)

... (truncated)

Commits

• 74ac150 chore: release main (#1014)
• 22cb810 chore: release main (#1008)
• 93ac7c7 chore: release main (#1003)
• 39549e9 chore: release main (#993)
• 089fe05 chore: release main (#987)
• 73f128f chore: release main (#985)
• fd6cf54 chore: release main (#983)
• 79d1d73 chore: release main (#982)
• 4ade5b1 chore: release main (#979)
• 4368602 chore: release main (#978)
• Additional commits viewable in compare view

Updates @github/copilot from 1.0.12 to 1.0.43

Release notes

Sourced from @​github/copilot's releases.

1.0.43

2026-05-06

• Add username toggle to /statusline picker to display the active account in the footer
• Auto mode uses server-side model routing for improved real-time model selection
• Resume prompt shows correct session name when multiple sessions are active
• Protect against RCE from malicious bare repositories nested inside a project (for more information, GHSA-9ccr-r5hg-74gf)
• MCP server child processes (e.g. started via npx or uvx) are now fully terminated when a session ends
• Show download progress when running the update command

1.0.43-0

Improved

• Show download progress when running the update command

Fixed

• MCP server child processes (e.g. started via npx or uvx) are now fully terminated when a session ends

1.0.42

2026-05-06

• MCP server failure warning now suggests a directly runnable /mcp show command when the server name contains whitespace
• MCP server failure warnings include stderr output to help diagnose connection errors
• Add -C flag to change working directory before starting, similar to git -C
• Exit message resume command shows session ID instead of auto-generated name when session has not been renamed
• Remote session export now supports non-GitHub repositories and repo-less directories
• Resuming a session no longer shows a false "session in use" warning after choosing "Go back"
• Enter key no longer gets permanently stuck after cancelling a request
• Suppress the exit summary when the session has no user messages and no saved session to resume
• CLI updates on Windows no longer fail with ENOENT when a transient EPERM occurs during package extraction
• Add rubber-duck agent for GPT sessions, powered by Claude (available in /experimental)

1.0.42-0

Added

• Add rubber-duck agent for GPT sessions, powered by Claude (available in /experimental)

1.0.41

2026-05-05

• CLI starts faster by rendering the UI immediately while authentication resolves in the background
• Shell completions (bash, zsh, fish) are automatically installed on first run and updated after copilot update
• Tab-completing slash commands that accept arguments now adds a trailing space automatically
• Package extraction no longer crashes on Windows when antivirus or filesystem locks cause transient EPERM errors
• Remote session connection errors show your logged-in account and tailored remediation steps
• Markdown formatting renders in ask user prompt questions
• Add experimental MCP Tasks support: MCP tools with taskSupport: "required" run as non-blocking background agents trackable via list_agents and read_agent (available when experimental mode is enabled, e.g. via /experimental on or the --experimental flag)
• Extensions now load in prompt mode (-p). User extensions load by default; project extensions alnd management tools require GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true.
• Assistant responses no longer contain spurious system notification XML tags
• Large output guidance correctly references the configured grep tool name
• Adding a plugin marketplace using a git SSH URL (e.g. git@github.com:owner/repo) now works correctly
• Slash command picker searches command descriptions and underlines matched characters

... (truncated)

Changelog

Sourced from @​github/copilot's changelog.

1.0.43 - 2026-05-06

• Add username toggle to /statusline picker to display the active account in the footer
• Auto mode uses server-side model routing for improved real-time model selection
• Resume prompt shows correct session name when multiple sessions are active
• Protect against RCE from malicious bare repositories nested inside a project
• MCP server child processes (e.g. started via npx or uvx) are now fully terminated when a session ends
• Show download progress when running the update command

1.0.42 - 2026-05-06

• MCP server failure warning now suggests a directly runnable /mcp show command when the server name contains whitespace
• MCP server failure warnings include stderr output to help diagnose connection errors
• Add -C flag to change working directory before starting, similar to git -C
• Exit message resume command shows session ID instead of auto-generated name when session has not been renamed
• Remote session export now supports non-GitHub repositories and repo-less directories
• Resuming a session no longer shows a false "session in use" warning after choosing "Go back"
• Enter key no longer gets permanently stuck after cancelling a request
• Suppress the exit summary when the session has no user messages and no saved session to resume
• CLI updates on Windows no longer fail with ENOENT when a transient EPERM occurs during package extraction
• Add rubber-duck agent for GPT sessions, powered by Claude (available in /experimental)

1.0.41 - 2026-05-05

• CLI starts faster by rendering the UI immediately while authentication resolves in the background
• Shell completions (bash, zsh, fish) are automatically installed on first run and updated after copilot update
• Tab-completing slash commands that accept arguments now adds a trailing space automatically
• Package extraction no longer crashes on Windows when antivirus or filesystem locks cause transient EPERM errors
• Remote session connection errors show your logged-in account and tailored remediation steps
• Markdown formatting renders in ask user prompt questions
• Add experimental MCP Tasks support: MCP tools with taskSupport: "required" run as non-blocking background agents trackable via list_agents and read_agent (available when experimental mode is enabled, e.g. via /experimental on or the --experimental flag)
• Extensions now load in prompt mode (-p). User extensions load by default; project extensions alnd management tools require GITHUB_COPILOT_PROMPT_MODE_EXTENSIONS=true.
• Assistant responses no longer contain spurious system notification XML tags
• Large output guidance correctly references the configured grep tool name
• Adding a plugin marketplace using a git SSH URL (e.g. git@github.com:owner/repo) now works correctly
• Slash command picker searches command descriptions and underlines matched characters
• Memory tool confirmation prompt now shows the scope (repository or user) when requesting permission to store a memory
• SQL todo timeline entries display more accurately for INSERT OR IGNORE/REPLACE and blocked status updates
• Streaming text and shimmer animations stay smooth on slow or busy hosts
• Add --attachment flag in non-interactive (-p/--prompt) mode to attach files (images or native documents) to the initial prompt
• @-mention completion works for ./ paths, no longer adds trailing space on directories, and shows project files before workspace roots
• Improve stability on Windows by working around a V8 crash in Node 24.x
• Session files containing Unicode line separator characters load correctly
• Reasoning effort picker hint text displays "Esc to cancel" with correct spacing
• Improve reliability of file edits by better recovering from fuzzy or misaligned edit blocks

1.0.40 - 2026-05-01

• PR branch decoration displays correctly in the footer regardless of model name length
• /clear and /new reset the active custom agent selection

... (truncated)

Commits

• 5ab6de6 Update changelog.md for version 1.0.42
• ac346d1 Update changelog.md for version 1.0.41
• cc85e32 Update changelog.md for version 1.0.40
• cb0ddf8 Update changelog.md for version 1.0.39
• 4e5cb95 Update changelog.md for version 1.0.37
• 6d1c577 Update changelog.md for version 1.0.36
• d7a0581 Update changelog.md for version 1.0.35
• 6594437 Update changelog.md for version 1.0.34
• 75fbe0c Update changelog.md for version 1.0.33
• 4e51f5a Update changelog.md for version 1.0.32
• Additional commits viewable in compare view

Updates dompurify from 3.3.2 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• Additional commits viewable in compare view

Updates electron from 37.8.0 to 39.8.5

Release notes

Sourced from electron's releases.

electron v39.8.5

Release Notes for v39.8.5

Fixes

• Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
• Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)

electron v39.8.4

Release Notes for v39.8.4

Fixes

• Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
• Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
• Fixed improper focus tracking in BaseWindow on MacOS. #50338 (Also in 40, 41, 42)
• Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)

Other Changes

• Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
• Backported fix for 485935305. #50440
• Backported fix for 489381399. #50443
• Backported fix for chromium:475877320. #50436
• Backported fixes for 484751092, 487117772. #50461

electron v39.8.3

Release Notes for v39.8.3

Fixes

• Added additional ASAR support to additional fs copy methods. #50284 (Also in 40, 41, 42)
• Fixed user resizing of transparent windows on win32 platform. #50300 (Also in 40, 41, 42)

electron v39.8.2

Release Notes for v39.8.2

Other Changes

• Backported fix for b/491421267. #50230

electron v39.8.1

Release Notes for v39.8.1

Fixes

• Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
• Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
• Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
• Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
• Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)

... (truncated)

Commits

• 9d2f8cb refactor: remove dead named-window lookup from guest-window-manager (#50498)
• 1173004 fix: crash calling OSR shared texture release() after texture GC'd (#50499)
• be37ade fix: crash in clipboard.readImage() on malformed image data (#50493)
• 7007907 chore: cherry-pick 3 changes from chromium (#50461)
• 2c8b6ee chore: cherry-pick fbfb27470bf6 from chromium (#50436)
• 4c64377 chore: cherry-pick 50b057660b4d from chromium (#50440)
• 0ef0561 fix: read nodeIntegrationInWorker from per-frame WebPreferences (#50122) (#50...
• 64373df chore: cherry-pick 074d472db745 from chromium (#50443)
• 13e4407 fix: don't re-parse URL unnecessarily when handling dialogs (#50400)
• 16a0385 ci: output build cache hit rate as GHA annotation (#50369)
• Additional commits viewable in compare view

Updates @hono/node-server from 1.19.10 to 1.19.14

Release notes

Sourced from @​hono/node-server's releases.

v1.19.14

What's Changed

• fix: add custom inspect to lightweight Request/Response to prevent TypeError on console.log by @​usualoma in honojs/node-server#340

Full Changelog: honojs/node-server@v1.19.13...v1.19.14

v1.19.13

Security Fix

Fixed an issue in Serve Static Middleware where inconsistent handling of repeated slashes (//) between the router and static file resolution could allow middleware to be bypassed. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-92pp-h63x-v22m for details.

v1.19.12

What's Changed

• chore: ignore claude setting by @​yusukebe in honojs/node-server#314
• fix: request draining for early 413 responses by @​usualoma in honojs/node-server#329

Full Changelog: honojs/node-server@v1.19.11...v1.19.12

v1.19.11

What's Changed

• fix: do not overwrite Content-Length in the fast path pattern if Content-Length already exists. by @​usualoma in honojs/node-server#309

Full Changelog: honojs/node-server@v1.19.10...v1.19.11

Commits

• b5e63a3 1.19.14
• c02d777 fix: add custom inspect to lightweight Request/Response to prevent TypeError ...
• fd64e65 1.19.13
• 025c30f Merge commit from fork
• 6cdb5a7 1.19.12
• 70250f7 fix: request draining for early 413 responses (#329)
• cfc08b3 chore: ignore claude setting (#314)
• ecd4d6b 1.19.11
• c944899 fix: do not overwrite Content-Length in the fast path pattern if Content-Leng...
• See full diff in compare view

Updates @nevware21/ts-utils from 0.12.5 to 0.14.0

Release notes

Sourced from @​nevware21/ts-utils's releases.

0.14.0

Changelog

Features

• #525 feat(array): add new array helpers and array-like detection
  • New helpers: isArrayLike, arrUnique, arrCompact, arrFlatten, arrGroupBy, arrChunk and export previously missed isArrayLike
• #527 feat(string): add strReplace and strReplaceAll helpers with refactored internal replacements
• #528 feat(string): add strCapitalizeWords helper
• #529 / #530 feat(string): add strTruncate, strCount, strAt, and strMatchAll helpers with shared literal regex helper
• #533 feat(array): add arrFlatMap with ES5 polyfill support
• #535 docs(types): add typing utilities for v0.14.0 and expand TSDoc examples
• #536 feat: add isAsyncIterable and isIntegerInRange type/value inspection helpers
• #543 feat(string): add strStartsWithAny, strEndsWithAny, strWrap, strUnwrap, and strNormalizeNewlines helpers
• #564 feat(object): add new object utility helpers and harden defaults against prototype pollution
  • New helpers: objPick, objOmit, objPickBy, objOmitBy — property selection and omission with typed overloads
  • New helpers: objMapValues — create a new object with values transformed by a mapper function
  • New helpers: objMergeIf, objDefaults — conditional merge and shallow defaults (similar to Lodash _.defaults) hardened against prototype pollution
  • New helper: objDiff — shallow diff returning only changed/added keys from a modified object vs a base
  • New helpers: forEachOwnKey, forEachOwnKeySafe — iteration over both string and symbol keys (existing forEachOwnKeySafe was string-only)
  • New helper: objForEachKeySafe — safe string-key iteration that filters __proto__, constructor, prototype
  • Extended isUnsafeTarget coverage to TypedArrays, ArrayBuffer, DataView, WeakRef, FinalizationRegistry

Security Issue

• CVE-2026-46681 Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty
  • Also affected setValueByKey and setValueByIter
  • #565 feat: add prototype-pollution guards and array key helpers

Bug Fixes

• #558 Fix ES2015 built-in type errors in consumers by adding lib reference directive to published declarations
  • Consumers using "lib": ["ES5", "DOM"] (or omitting lib) received Cannot find name 'Symbol' / Cannot find name 'Iterator' errors because the published .d.ts exposed ES2015 types without declaring the dependency
  • Added /// <reference lib="es2015" /> to the source entry points (index.ts, polyfills.ts) and a new post-processing script (lib/scripts/setTsReferences.js) that prepends the directive to the api-extractor bundled output (api-extractor strips these directives from its rollup)
  • Added "lib": ["ES2015", "DOM"] to all library and test tsconfig files for consistent compile-time validation
  • Net effect: consumers no longer need to add "ES2015" to their own tsconfig.json lib settings
• #561 Bug: Falsy thisArg (0, '', false) overridden in arrForEach/iterForOf/objForEachKey
  • #566 Fix falsy thisArg (0, '', false) being overridden in arrForEach, iterForOf, objForEachKey
• #562 Fix thisArg binding in polyArrFindIndex / polyArrFindLastIndex polyfills

Repository Improvements

• #549 Drop Node.js 16 from CI matrix and add Node.js 24
• #552 Upgrade Grunt devDependency to v1.6.2
• #554 Add funding metadata to published package manifests
• #556 Add release PR instructions to Copilot instructions

Full Changelog

0.13.0

... (truncated)

Changelog

Sourced from @​nevware21/ts-utils's changelog.

v0.14.0 May 18th, 2026

Changelog

Features

• #525 feat(array): add new array helpers and array-like detection
  • New helpers: isArrayLike, arrSlice, and other array utility improvements
• #527 feat(string): add strReplace and strReplaceAll helpers with refactored internal replacements
• #528 feat(string): add strCapitalizeWords helper
• #529 / #530 feat(string): add strTruncate, strCount, strAt, and strMatchAll helpers with shared literal regex helper
• #533 feat(array): add arrFlatMap with ES5 polyfill support
• #535 docs(types): add typing utilities for v0.14.0 and expand TSDoc examples
• #536 feat: add isAsyncIterable and isIntegerInRange type/value inspection helpers
• #543 feat(string): add strStartsWithAny, strEndsWithAny, strWrap, strUnwrap, and strNormalizeNewlines helpers
• #564 feat(object): add new object utility helpers and harden defaults against prototype pollution
  • New helpers: objPick, objOmit, objPickBy, objOmitBy — property selection and omission with typed overloads
  • New helpers: objMapValues — create a new object with values transformed by a mapper function
  • New helpers: objMergeIf, objDefaults — conditional merge and shallow defaults (similar to Lodash _.defaults) hardened against prototype pollution
  • New helper: objDiff — shallow diff returning only changed/added keys from a modified object vs a base
  • New helpers: forEachOwnKey, forEachOwnKeySafe — iteration over both string and symbol keys (existing forEachOwnKeySafe was string-only)
  • New helper: objForEachKeySafe — safe string-key iteration that filters __proto__, constructor, prototype
  • Extended isUnsafeTarget coverage to TypedArrays, ArrayBuffer, DataView, WeakRef, FinalizationRegistry

Security Issue

• CVE-2026-46681 Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty
  • Also affected setValueByKey and setValueByIter
  • #565 feat: add prototype-pollution guards and array key helpers

Bug Fixes

• #558 Fix ES2015 built-in type errors in consumers by adding lib reference directive to published declarations
  • Consumers using "lib": ["ES5", "DOM"] (or omitting lib) received Cannot find name 'Symbol' / Cannot find name 'Iterator' errors because the published .d.ts exposed ES2015 types without declaring the dependency
  • Added /// <reference lib="es2015" /> to the source entry points (index.ts, polyfills.ts) and a new post-processing script (lib/scripts/setTsReferences.js) that prepends the directive to the api-extractor bundled output (api-extractor strips these directives from its rollup)
  • Added "lib": ["ES2015", "DOM"] to all library and test tsconfig files for consistent compile-time validation
  • Net effect: consumers no longer need to add "ES2015" to their own tsconfig.json lib settings
• #561 Bug: Falsy thisArg (0, '', false) overridden in arrForEach/iterForOf/objForEachKey
  • #566 Fix falsy thisArg (0, '', false) being overridden in arrForEach, iterForOf, objForEachKey
• #562 Fix thisArg binding in polyArrFindIndex / polyArrFindLastIndex polyfills

Repository Improvements

• #549 Drop Node.js 16 from CI matrix and add Node.js 24
• #552 Upgrade Grunt devDependency to v1.6.2
• #554 Add funding metadata to published package manifests
• #556 Add release PR instructions to Copilot instructions

Dependency Updates

... (truncated)

Commits

• 45cb369 [Release] Increase version to 0.14.0 (#567)
• 5e887f4 Add new object utility helpers and harden defaults against prototype pollutio...
• 0a486d3 Bug: Falsy thisArg (0, '', false) overridden in arrForEach/iterForOf/objForEa...
• 9362b6e Bump puppeteer from 24.43.1 to 25.0.2 (#559)
• d65f853 Fix thisArg binding in polyArrFindIndex / polyArrFindLastIndex polyfill...
• 26b4766 Add prototype-pollution guards and array key helpers (#565)
• 4d28559 Fix ES2015 built-in type errors in consumers by adding lib reference directiv...
• da838a4 docs: add release PR instructions to copilot instructions (#556)
• 97d40a2 Add funding metadata to published package manifests (#554)
• 287f7c9 Upgrade Grunt devDependency to v1.6.2 (#552)
• Additional commits viewable in compare view

Updates protobufjs from 7.5.4 to 7.6.1

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.6.1

7.6.1 (2026-05-22)

Bug Fixes

• Backport misc utility hardening (#2280) (8a45c13)
• Treat fixed64 as unsigned in converters (#2266) (479dfdc)

protobufjs: v7.6.0

7.6.0 (2026-05-18)

Features

• Support BigInt conversions (7.x) (#2258) (f769242)

protobufjs: v7.5.9

7.5.9 (2026-05-17)

Bug Fixes

• Backport bundler-safe optional module lookups (#2254) (0853a62)

protobufjs: v7.5.8

7.5.8 (2026-05-12)

Bug Fixes

• Backport parser hardening to 7.x (#2245) (54b593f)

protobufjs: v7.5.7

7.5.7 (2026-05-09)

Bug Fixes

• Restore first-match namespace lookup (#2236) (cc7d595)

protobufjs: v7.5.6

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

v7.5.5

... (truncated)

Changelog

Sourced from protobufjs's changelog.

7.6.1 (2026-05-22)

Bug Fixes

• Backport misc utility hardening (#2280) (8a45c13)
• Treat fixed64 as unsigned in converters (#2266) (479dfdc)

7.6.0 (2026-05-18)

Features

• Support BigInt conversions (7.x) (#2258) (f769242)

7.5.9 (2026-05-17)

Bug Fixes

• Backport bundler-safe optional module lookups (#2254) (0853a62)

7.5.8 (2026-05-12)

Bug Fixes

• Backport parser hardening to 7.x (#2245) (54b593f)

7.5.7 (2026-05-09)

Bug Fixes

• Restore first-match namespace lookup (#2236) (cc7d595)

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

Commits

• f0b50d2 chore: release protobufjs-v7.x (#2268)
• 8a45c13 fix: Backport misc utility hardening (#2280)
• 479dfdc fix: Treat fixed64 as unsigned in converters (#2266)
• e30c334 chore: release protobufjs-v7.x (#2260)
• f769242 feat: Support BigInt conversions (7.x) (#2258)
• ab3862d chore: release protobufjs-v7.x (#2255)
• 0853a62 fix: Backport bundler-safe optional module lookups (#2254)
• d7035f9 chore: release protobufjs-v7.x (#2248)
• 54b593f fix: Backpor...

  Description has been truncated