Update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@sentry/vue (source)	10.45.0 → 10.47.0			dependencies	minor
axios (source)	1.13.6 → 1.14.0			dependencies	minor
celery (source, changelog)	==5.6.2 → ==5.6.3			project.dependencies	patch
django-allauth (changelog)	==65.15.0 → ==65.15.1			project.dependencies	patch
django-debug-toolbar (changelog)	==6.2.0 → ==6.3.0			project.optional-dependencies	minor
faker (changelog)	==40.11.1 → ==40.12.0			project.optional-dependencies	minor
gunicorn (changelog)	==25.1.0 → ==25.3.0			project.dependencies	minor
ipython	==9.11.0 → ==9.12.0			project.optional-dependencies	minor
lodash (source)	4.17.23 → 4.18.1			dependencies	minor
maplibre-gl (source)	5.17.0 → 5.21.1			dependencies	minor	5.22.0
node	24.14.0 → 24.14.1				patch
numpy (changelog)	==2.4.3 → ==2.4.4			project.optional-dependencies	patch
pillow (changelog)	==12.1.1 → ==12.2.0			project.optional-dependencies	minor
requests (changelog)	==2.32.5 → ==2.33.1			project.dependencies	minor
sentry-sdk (changelog)	==2.55.0 → ==2.57.0			project.dependencies	minor
vue (source)	3.5.30 → 3.5.31			dependencies	patch	3.5.32
vuetify (source)	3.12.3 → 3.12.5			dependencies	patch
werkzeug (changelog)	==3.1.6 → ==3.1.8			project.optional-dependencies	patch

---

Release Notes

getsentry/sentry-javascript (@​sentry/vue)

v10.47.0

Compare Source

Important Changes

• feat(node-core): Add OTLP integration for node-core/light (#​19729)

  Added otlpIntegration at @sentry/node-core/light/otlp for users who manage
  their own OpenTelemetry setup and want to send trace data to Sentry without
  adopting the full @sentry/node SDK.

  import { NodeTracerProvider } from '@​opentelemetry/sdk-trace-node';
  import * as Sentry from '@​sentry/node-core/light';
  import { otlpIntegration } from '@​sentry/node-core/light/otlp';
  
  const provider = new NodeTracerProvider();
  provider.register();
  
  Sentry.init({
    dsn: '__DSN__',
    integrations: [
      otlpIntegration({
        // Export OTel spans to Sentry via OTLP (default: true)
        setupOtlpTracesExporter: true,
      }),
    ],
  });

  The integration links Sentry errors to OTel traces and exports spans to Sentry via OTLP.

• feat(node, bun): Add runtime metrics integrations for Node.js and Bun (#​19923, #​19979)

  New nodeRuntimeMetricsIntegration and bunRuntimeMetricsIntegration automatically collect runtime health metrics and send them to Sentry on a configurable interval (default: 30s). Collected metrics include memory (RSS, heap used/total), CPU utilization, event loop utilization, and process uptime. Node additionally collects event loop delay percentiles (p50, p99). Extra metrics like CPU time and external memory are available as opt-in.

  // Node.js
  import * as Sentry from '@​sentry/node';
  
  Sentry.init({
    dsn: '...',
    integrations: [Sentry.nodeRuntimeMetricsIntegration()],
  });
  
  // Bun
  import * as Sentry from '@​sentry/bun';
  
  Sentry.init({
    dsn: '...',
    integrations: [Sentry.bunRuntimeMetricsIntegration()],
  });

• feat(core): Support embedding APIs in google-genai (#​19797)

  Adds instrumentation for the Google GenAI embedContent API, creating gen_ai.embeddings spans.

• feat(browser): Add elementTimingIntegration for tracking element render and load times (#​19869)

  The new elementTimingIntegration captures Element Timing API data as Sentry metrics. It emits element_timing.render_time and element_timing.load_time distribution metrics for elements annotated with the elementtiming HTML attribute.

  import * as Sentry from '@​sentry/browser';
  
  Sentry.init({
    dsn: '__DSN__',
    integrations: [Sentry.browserTracingIntegration(), Sentry.elementTimingIntegration()],
  });

  <img src="hero.jpg" elementtiming="hero-image" />

Other Changes

• feat(nuxt): Add middleware instrumentation compatibility for Nuxt 5 (#​19968)
• feat(nuxt): Support parametrized SSR routes in Nuxt 5 (#​19977)
• feat(solid): Add route parametrization for Solid Router (#​20031)
• fix(core): Guard nullish response in supabase PostgREST handler (#​20033)
• fix(node): Deduplicate sentry-trace and baggage headers on outgoing requests (#​19960)
• fix(node): Ensure startNewTrace propagates traceId in OTel environments (#​19963)
• fix(nuxt): Use virtual module for Nuxt pages data (SSR route parametrization) (#​20020)
• fix(opentelemetry): Convert seconds timestamps in span.end() to milliseconds (#​19958)
• fix(profiling): Disable profiling in worker threads (#​20040)
• fix(react-router): Disable debug ID injection in Vite plugin to prevent double injection (#​19890)
• refactor(browser): Reduce browser package bundle size (#​19856)
• feat(deps): Bump OpenTelemetry dependencies (#​20046)

Internal Changes

• chore: Add shared validate-pr composite action (#​20025)
• chore: Update validate-pr action to latest version (#​20027)
• chore(deps): Bump @​apollo/server from 5.4.0 to 5.5.0 (#​20007)
• chore(deps): Bump amqplib from 0.10.7 to 0.10.9 (#​20000)
• chore(deps): Bump srvx from 0.11.12 to 0.11.13 (#​20001)
• chore(deps-dev): Bump node-forge from 1.3.2 to 1.4.0 (#​20012)
• chore(deps-dev): Bump yaml from 2.8.2 to 2.8.3 (#​19985)
• ci(deps): Bump actions/upload-artifact from 6 to 7 (#​19569)
• docs(release): Update publishing-a-release.md (#​19982)
• feat(deps): Bump babel-loader from 10.0.0 to 10.1.1 (#​19997)
• feat(deps): Bump handlebars from 4.7.7 to 4.7.9 (#​20008)
• fix(browser-tests): Pin axios to 1.13.5 to avoid compromised 1.14.1 (#​20047)
• fix(ci): Update validate-pr action to remove draft enforcement (#​20035)
• fix(ci): Update validate-pr action to remove draft enforcement (#​20037)
• fix(e2e): Pin @​opentelemetry/api to 1.9.0 in ts3.8 test app (#​19992)
• ref(browser-tests): Add waitForMetricRequest helper (#​20002)
• ref(core): Consolidate getOperationName into one shared utility (#​19971)
• ref(core): Introduce instrumented method registry for AI integrations (#​19981)
• test(deno): Expand Deno E2E test coverage (#​19957)
• test(e2e): Add e2e tests for nodeRuntimeMetricsIntegration (#​19989)

Bundle size 📦

Path	Size
@​sentry/browser	25.04 KB
@​sentry/browser - with treeshaking flags	23.57 KB
@​sentry/browser (incl. Tracing)	41.16 KB
@​sentry/browser (incl. Tracing, Profiling)	45.67 KB
@​sentry/browser (incl. Tracing, Replay)	79.04 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	68.91 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	83.64 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	95.62 KB
@​sentry/browser (incl. Feedback)	41.42 KB
@​sentry/browser (incl. sendFeedback)	29.59 KB
@​sentry/browser (incl. FeedbackAsync)	34.46 KB
@​sentry/browser (incl. Metrics)	26.32 KB
@​sentry/browser (incl. Logs)	26.46 KB
@​sentry/browser (incl. Metrics & Logs)	27.12 KB
@​sentry/react	26.76 KB
@​sentry/react (incl. Tracing)	43.44 KB
@​sentry/vue	29.37 KB
@​sentry/vue (incl. Tracing)	43.02 KB
@​sentry/svelte	25.06 KB
CDN Bundle	27.65 KB
CDN Bundle (incl. Tracing)	42.09 KB
CDN Bundle (incl. Logs, Metrics)	28.99 KB
CDN Bundle (incl. Tracing, Logs, Metrics)	43.12 KB
CDN Bundle (incl. Replay, Logs, Metrics)	66.87 KB
CDN Bundle (incl. Tracing, Replay)	78.13 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	79.14 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	83.54 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	84.55 KB
CDN Bundle - uncompressed	80.72 KB
CDN Bundle (incl. Tracing) - uncompressed	124.81 KB
CDN Bundle (incl. Logs, Metrics) - uncompressed	84.77 KB
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	128.14 KB
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	204.87 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	238.95 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	242.26 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	251.56 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	254.86 KB
@​sentry/nextjs (client)	45.79 KB
@​sentry/sveltekit (client)	41.62 KB
@​sentry/node-core	54.45 KB
@​sentry/node	168.93 KB
@​sentry/node - without tracing	93.76 KB
@​sentry/aws-serverless	110.13 KB

v10.46.0

Compare Source

Important Changes

• feat(elysia): @sentry/elysia - Alpha Release (#​19509)

  New Sentry SDK for the Elysia web framework, supporting both Bun and Node.js runtimes.

  Note: This is an alpha release. Please report any issues or feedback on GitHub.

  Features

  • Automatic error capturing — 5xx errors captured via global onError hook; 3xx/4xx ignored by default. Customizable with shouldHandleError.
  • Automatic tracing — Lifecycle spans for every Elysia phase (Request, Parse, Transform, BeforeHandle, Handle, AfterHandle, MapResponse, AfterResponse, Error) with parameterized route names (e.g. GET /users/:id).
  • Distributed tracing — sentry-trace and baggage headers propagated automatically on incoming/outgoing requests.

  Usage

  import * as Sentry from '@​sentry/elysia';
  import { Elysia } from 'elysia';
  
  Sentry.init({ dsn: '__DSN__', tracesSampleRate: 1.0 });
  
  const app = Sentry.withElysia(new Elysia());
  app.get('/', () => 'Hello World');
  app.listen(3000);

Other Changes

• feat(nuxt): Conditionally use plugins based on Nitro version (v2/v3) (#​19955)
• fix(cloudflare): Forward ctx argument to Workflow.do user callback (#​19891)
• fix(cloudflare): Send correct events in local development (#​19900)
• fix(core): Do not overwrite user provided conversation id in Vercel (#​19903)
• fix(core): Preserve .withResponse() on Anthropic instrumentation (#​19935)
• fix(core): Send internal_error as span status for Vercel error spans (#​19921)
• fix(core): Truncate content array format in Vercel (#​19911)
• fix(deps): bump fast-xml-parser to 5.5.8 in @​azure/core-xml chain (#​19918)
• fix(deps): bump socket.io-parser to 4.2.6 to fix CVE-2026-33151 (#​19880)
• fix(nestjs): Add node to nest metadata (#​19875)
• fix(serverless): Add node to metadata (#​19878)

Internal Changes

• chore(ci): Fix "Gatbsy" typo in issue package label workflow (#​19905)
• chore(claude): Enable Claude Code Intelligence (LSP) (#​19930)
• chore(deps): bump mongodb-memory-server-global from 10.1.4 to 11.0.1 (#​19888)
• chore(deps-dev): bump @​react-router/node from 7.13.0 to 7.13.1 (#​19544)
• chore(deps-dev): bump effect from 3.19.19 to 3.20.0 (#​19926)
• chore(deps-dev): bump qunit-dom from 3.2.1 to 3.5.0 (#​19546)
• chore(node-integration-tests): Remove unnecessary file-type dependency (#​19824)
• chore(remix): Replace glob with native recursive fs walk (#​19531)
• feat(deps): bump stacktrace-parser from 0.1.10 to 0.1.11 (#​19887)
• fix(craft): Add missing mainDocsUrl for @​sentry/effect SDK (#​19860)
• fix(deps): bump next to 15.5.14 in nextjs-15 and nextjs-15-intl E2E test apps (#​19917)
• fix(deps): update lockfile to resolve h3@​1.15.10 (#​19933)
• ref(core): Remove duplicate buildMethodPath utility from openai (#​19969)
• ref(elysia): Drop @elysiajs/opentelemetry dependency (#​19947)
• ref(nuxt): Extract core logic for storage/database to prepare for Nuxt v5 (#​19920)
• ref(nuxt): Extract handler patching to extra plugin for Nitro v2/v3 (#​19915)
• ref(sveltekit): Replace recast + @​babel/parser with acorn (#​19533)
• test(astro): Re-enable server island tracing e2e test in Astro 6 (#​19872)
• test(cloudflare): Enable multi-worker tests for CF integration tests (#​19938)

Work in this release was contributed by @​roli-lpci. Thank you for your contributions!

Important Changes

• feat(node): Add nodeRuntimeMetricsIntegration for automatic Node.js runtime metrics (#​19923)

  The new nodeRuntimeMetricsIntegration automatically collects Node.js runtime health metrics and sends them to Sentry. Eight metrics are emitted by default every 30 seconds: memory (RSS, heap used/total), CPU utilization, event loop delay (p50, p99), event loop utilization, and process uptime. Additional metrics are available as opt-in.

  import * as Sentry from '@​sentry/node';
  
  Sentry.init({
    dsn: '...',
    integrations: [Sentry.nodeRuntimeMetricsIntegration()],
  });

axios/axios (axios)

v1.14.0

Compare Source

celery/celery (celery)

v5.6.3

Compare Source

What's Changed

• Fix Django worker recursion bug + defensive checks for pool_cls.module by @​maycuatroi1 in #​10048
• Docs: Update user_preload_options example to use click. by @​jorsyk in #​10056
• Fix invalid configuration key "bootstrap_servers" in Kafka demo by @​jorsyk in #​10060
• Fix broken images on PyPI page by @​Timour-Ilyas in #​10066
• Remove broken reference. by @​sueannioanis in #​10071
• Removed --dist=loadscope from smoke tests by @​Nusnus in #​10073
• Docs: Clarify task_retry signal args may be None by @​GangEunzzang in #​10076
• Update example for Django by @​sbc-khacnha in #​10081
• Make tests compatible with pymongo >= 4.16 by @​cjwatson in #​10074
• fix: source install of cassandra-driver by @​Izzette in #​10105
• fix: register task cross-reference role in Sphinx extension by @​veeceey in #​10100
• fix: avoid cycle detection in native delayed delivery by @​Izzette in #​10095
• fix(asynpool): avoid AttributeError when proc lacks _sentinel_poll by @​mriddle in #​10086
• fix dusk_astronomical horizon sign (+18 -> -18) by @​Mr-Neutr0n in #​10121
• Fix/10106 onupdate col use lambda func by @​ChickenBenny in #​10108
• Fix warm shutdown RuntimeError with eventlet>=0.37.0 (#​10083) by @​ChickenBenny in #​10123
• Fix 10109 db backend connection health by @​ChickenBenny in #​10124
• Database Backend filter unsupport sql engine arguments with nullpool #​7355 by @​ChickenBenny in #​10134
• fix(beat): correct argument order in Service.reduce by @​bysiber in #​10137
• ci: declare explicit read-only token permissions in workflow jobs by @​Rohan5commit in #​10139
• chore: 'boto3to' to 'boto3 to' by @​cuiweixie in #​10133
• Database Backend: Add missing index on date_done (Fixes #​10097) by @​ChickenBenny in #​10098
• docs: fix typo in CONTRIBUTING.rst by @​Rohan5commit in #​10141
• Refer to Flower / Prometheus for monitoring by @​WilliamDEdwards in #​10140
• docs: remove duplicated words in broker and routing docs by @​Rohan5commit in #​10146
• docs: fix stale version reference and grammar in README by @​kelsonbrito50 in #​10145
• docs: fix wording in Celery 5.3 worker pool notes by @​Rohan5commit in #​10149
• docs: fix duplicated wording in 3.1 changelog entry by @​Rohan5commit in #​10152
• docs: fix changelog typo in context manager wording by @​Rohan5commit in #​10144
• Fix/10096 worker fails to reconnect after redis failover by @​ChickenBenny in #​10151
• Improve on_after_finalize signal documentation by @​Br1an67 in #​10155
• Add non-commutative example to clarify partial arg ordering in canvas docs by @​Br1an67 in #​10157
• Remove redundant test_isa_mapping test (fixes #​10077) by @​daniel7an in #​10103
• Upgrade pytest-celery to >=1.3.0 and adopt PYTEST_CELERY_PKG build arg by @​Nusnus in #​10162
• Remove deprecated args from redis get_connection call by @​JaeHyuckSa in #​10036
• Fix #​6912 rpc backend reconnection error by @​ChickenBenny in #​10179
• Fix NameError with TYPE_CHECKING annotations on Python 3.14+ (PEP 649) by @​drichardson in #​10165
• docs: Add elaboration on prefetch multiplier settings (worker_prefetch_multiplier) and worker_eta_task_limit by @​tsangwailam in #​10181
• Fix O(K²) message bloat in a chain of chords by @​Borzik in #​10171
• Fix mock connection interfaces to prevent TypeError during exception handling by @​ChickenBenny in #​10178
• fix(trace): dispatch chain/callbacks on dedup fast-path for redelivered tasks by @​aurangzaib048 in #​10159
• Extract reconnect_on_error to BaseResultConsumer by @​ChickenBenny in #​10189
• pep 649 by @​ericbuehl in #​10187
• Fix#9722 friendly status errors for CLI by @​ChickenBenny in #​10190
• docs: clarify after_return behavior for retried tasks by @​KianAnbarestani in #​10192
• Add compression header to message protocol docs by @​Br1an67 in #​10156
• docs: fix duplicated word in bootsteps comment by @​Rohan5commit in #​10153
• Remove outdated autoreloader section from extending docs by @​Br1an67 in #​10154
• Fix: prioritize request ignore_result over task definition by @​patri27826 in #​10184
• fix: clear the timer while catch the exception by @​ChickenBenny in #​10218
• Prepare for release: v5.6.3 by @​Nusnus in #​10221

New Contributors

• @​maycuatroi1 made their first contribution in #​10048
• @​jorsyk made their first contribution in #​10056
• @​Timour-Ilyas made their first contribution in #​10066
• @​sueannioanis made their first contribution in #​10071
• @​GangEunzzang made their first contribution in #​10076
• @​sbc-khacnha made their first contribution in #​10081
• @​veeceey made their first contribution in #​10100
• @​mriddle made their first contribution in #​10086
• @​Mr-Neutr0n made their first contribution in #​10121
• @​ChickenBenny made their first contribution in #​10108
• @​bysiber made their first contribution in #​10137
• @​Rohan5commit made their first contribution in #​10139
• @​cuiweixie made their first contribution in #​10133
• @​kelsonbrito50 made their first contribution in #​10145
• @​Br1an67 made their first contribution in #​10155
• @​daniel7an made their first contribution in #​10103
• @​drichardson made their first contribution in #​10165
• @​tsangwailam made their first contribution in #​10181
• @​Borzik made their first contribution in #​10171
• @​aurangzaib048 made their first contribution in #​10159
• @​ericbuehl made their first contribution in #​10187
• @​KianAnbarestani made their first contribution in #​10192
• @​patri27826 made their first contribution in #​10184

Full Changelog: celery/celery@v5.6.2...v5.6.3

allauth/django-allauth (django-allauth)

v65.15.1

Compare Source

django-commons/django-debug-toolbar (django-debug-toolbar)

v6.3.0

Compare Source

What's Changed

• remove requirement_dev.txt from project by @​p-r-a-v-i-n in #​2277
• Upgraded ReadTheDocs Python version to 3.13. by @​tim-schilling in #​2307
• Modernize some panel styles and colors by @​federicobond in #​2285
• Update the translatable strings for the application. by @​tim-schilling in #​2311
• Update translations 2026-02-09 by @​tim-schilling in #​2312
• Add a py.typed file, to make types available downstream by @​brianhelba in #​2314
• Emit RedirectsPanel warning on usage rather than set up. by @​tim-schilling in #​2326
• Highlighted docs on disabling browser caching. by @​tim-schilling in #​2302
• Only patch the cache methods once. by @​tim-schilling in #​2332
• Add CacheStore, a store that uses Django's cache framework by @​robhudson in #​2304

Changelog from docs:

• Replaced requirements_dev.txt file for pyproject.toml support with dependency groups.
• Updated ReadTheDocs Python version to 3.13.
• Modernize some panel styles and colors.
• Standardize use of time/duration units and labels across panels.
• Added translations for Lithuanian, Turkish and Uzbek.
• Update the translations.
• Expose a py.typed marker file.
• Updated RedirectsPanel to emit the deprecation warning when it’s used rather than on instantiation.
• Highlighted the documentation about disabling the browser’s caching to ensure the latest static assets are used.
• Fixed bug with CachePanel so the cache patching is only applied once.
• Added debug_toolbar.store.CacheStore for storing toolbar data using Django’s cache framework. This provides persistence without requiring database migrations, and works with any cache backend (Memcached, Redis, database, file-based, etc.).
• Added CACHE_BACKEND and CACHE_KEY_PREFIX settings to configure the CacheStore.

New Contributors

• @​brianhelba made their first contribution in #​2314

Full Changelog: django-commons/django-debug-toolbar@6.2.0...6.3.0

joke2k/faker (faker)

v40.12.0

Compare Source

• Add address providers for ar_DZ and fr_DZ locales (#​2341). Thanks @​othmane099.

benoitc/gunicorn (gunicorn)

v25.3.0: Gunicorn 25.3.0

Compare Source

Bug Fixes

• HTTP/2 ASGI Body Duplication: Fix request body being received twice in HTTP/2
  ASGI requests, causing JSON parsing errors with "Extra data" messages
  (#​3558)

• ASGI Chunked EOF Handling: Add finish() method to callback parser to handle
  chunked encoding edge case where connection closes before final CRLF after zero-chunk

• HTTP/2 Documentation: Fix http_protocols examples to use comma-separated string
  instead of list syntax (#​3561)

• Chunked Encoding: Reject chunk extensions containing bare CR bytes per RFC 9112
  (#​3556)

• Request Line Limit: Fix --limit-request-line 0 to mean unlimited as documented,
  instead of using default maximum. Works with both Python and fast C parser.
  (#​3563)

Security

• ASGI Parser Header Validation: Add security checks per RFC 9110/9112:
  • Reject duplicate Content-Length headers
  • Reject requests with both Content-Length and Transfer-Encoding
  • Reject chunked transfer encoding in HTTP/1.0
  • Reject stacked chunked encoding
  • Validate Transfer-Encoding values
  • Strict chunk size validation

Changes

• Fast HTTP Parser: Update to gunicorn_h1c >= 0.6.3 for asgi_headers property
  and InvalidChunkExtension validation for bare CR rejection

• ASGI PROXY Protocol: Add PROXY protocol v1/v2 support to callback parser

• Docker Images: Update to Python 3.14

v25.2.0: Gunicorn 25.2.0

Compare Source

New Features

• Fast HTTP Parser (gunicorn_h1c 0.4.1): Integrate new exception types and limit parameters from gunicorn_h1c 0.4.1 for both WSGI and ASGI workers
  • Requires gunicorn_h1c >= 0.4.1 for http_parser='fast'
  • Falls back to Python parser in auto mode if version not met
  • Proper HTTP status codes for limit errors (414, 431)

Bug Fixes

• uWSGI Async Workers: Fix InvalidUWSGIHeader: incomplete header error when using gevent or gthread workers with uwsgi protocol behind nginx. (#​3552, PR #​3554)

• FileWrapper Iterator Protocol: Add __iter__ and __next__ methods to FileWrapper for full PEP 3333 compliance. (#​3396, PR #​3550)

Performance

• ASGI HTTP Parser Optimizations: Improve ASGI worker HTTP parsing performance
  • Callback-based parsing with direct bytearray buffer operations
  • Use bytearray.find() directly instead of converting to bytes first
  • Use index-based iteration for header parsing instead of list.pop(0) (O(1) vs O(n))

ipython/ipython (ipython)

v9.12.0

Compare Source

lodash/lodash (lodash)

v4.18.1

Compare Source

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See #​6167 (comment)

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

v4.18.0

Compare Source

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#​6099)
• Document lower > upper behavior in _.random (#​6115)
• Fix quotes in _.compact jsdoc (#​6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

maplibre/maplibre-gl-js (maplibre-gl)

v5.21.1

Compare Source

🐞 Bug fixes

• Add missing promoteId parameter to geojson worker and refactor communication object (#​7320) (by @​HarelM)

v5.21.0

Compare Source

✨ Features and improvements

• Add compatibility for ES2020 (#​7283) (by @​claudiobgit)
• Add referrerPolicy option to RequestParameters to allow controlling the referrer policy for tile requests (#​7278) (by @​Bingtagui404)
• Wait for the GPU to finish its callstack for rendering benchmarks (#​7285) (by [@​xavierjs](https://redirect.github.co

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying bats-ai with    Cloudflare Pages

Latest commit:	477ba8a
Status:	✅  Deploy successful!
Preview URL:	https://83b98980.bats-ai.pages.dev
Branch Preview URL:	https://renovate-all-minor-patch.bats-ai.pages.dev

View logs