chore(deps): bump the npm_and_yarn group across 17 directories with 4 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/auth/expo-social-auth directory: flatted.
Bumps the npm_and_yarn group with 1 update in the /examples/auth/quickstarts/react-native directory: undici.
Bumps the npm_and_yarn group with 1 update in the /examples/caching/with-cloudflare-workers-kv directory: undici.
Bumps the npm_and_yarn group with 2 updates in the /examples/caching/with-nextjs-13 directory: next and flatted.
Bumps the npm_and_yarn group with 2 updates in the /examples/caching/with-nextjs-13-server-components directory: next and flatted.
Bumps the npm_and_yarn group with 2 updates in the /examples/caching/with-react-query-nextjs-14 directory: next and flatted.
Bumps the npm_and_yarn group with 2 updates in the /examples/clerk directory: next and flatted.
Bumps the npm_and_yarn group with 2 updates in the /examples/realtime/nextjs-auth-presence directory: next and flatted.
Bumps the npm_and_yarn group with 1 update in the /examples/realtime/nextjs-authorization-demo directory: next.
Bumps the npm_and_yarn group with 2 updates in the /examples/todo-list/nextjs-todo-list directory: next and flatted.
Bumps the npm_and_yarn group with 1 update in the /examples/user-management/angular-user-management directory: flatted.
Bumps the npm_and_yarn group with 1 update in the /examples/user-management/expo-push-notifications directory: fast-xml-parser.
Bumps the npm_and_yarn group with 2 updates in the /examples/user-management/expo-user-management directory: fast-xml-parser and undici.
Bumps the npm_and_yarn group with 1 update in the /examples/user-management/nextjs-user-management directory: flatted.
Bumps the npm_and_yarn group with 2 updates in the /examples/user-management/nuxt3-user-management directory: flatted and undici.
Bumps the npm_and_yarn group with 1 update in the /examples/with-cloudflare-workers directory: undici.

Updates next from 16.0.11 to 16.1.7

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates undici from 6.23.0 to 6.24.1

Release notes

Sourced from undici's releases.

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

Commits

• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• Additional commits viewable in compare view

Updates undici from 5.20.0 to 7.24.4

Release notes

Sourced from undici's releases.

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

Commits

• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• Additional commits viewable in compare view

Updates next from 13.0.0 to 15.5.14

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates flatted from 3.2.7 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates next from 13.0.3 to 15.5.14

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates flatted from 3.2.7 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates next from 14.2.10 to 15.5.14

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates flatted from 3.2.9 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates next from 15.3.1 to 15.5.14

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates next from 13.1.6 to 15.5.14

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates flatted from 3.2.7 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates next from 14.2.4 to 16.2.1

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates next from 13.1.6 to 15.5.14

Release notes

Sourced from next's releases.

v16.1.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• [Cache Components] Prevent streaming fetch calls from hanging in dev (#89194)
• Apply server actions transform to node_modules in route handlers (#89380)
• ensure maxPostponedStateSize is always respected (See: CVE-2026-27979)
• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (See: CVE-2026-27980)
• Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: CVE-2026-27977)
• Disallow Server Action submissions from privacy-sensitive contexts by default (See: CVE-2026-27978)
• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​unstubbable, @​styfle, @​eps1lon, and @​ztanner for helping!

Commits

• bdf3e35 v16.1.7
• dc98c04 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• 9023c0a [backport] Disallow Server Action submissions from privacy-sensitive contexts...
• 36a97b9 Allow blocking cross-site dev-only websocket connections from privacy-sensiti...
• 93c3993 [backport]: feat(next/image): add lru disk cache and `images.maximumDiskCache...
• c68d62d Backport documentation fixes for 16.1.x (#90655)
• 5214ac1 [backport]: ensure maxPostponedStateSize is always respected (#90060) (#90471)
• c95e357 Backport/docs fixes 16.1.x (#90125)
• cba6144 [backport] Apply server actions transform to node_modules in route handlers...
• 3db9063 [backport] [Cache Components] Prevent streaming fetch calls from hanging in d...
• Additional commits viewable in compare view

Updates flatted from 3.2.7 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Updates flatted from 3.3.3 to 3.4.2

Commits

• 3bf0909 3.4.2
• 885ddcc fix CWE-1321
• 0bdba70 added flatted-view to the benchmark
• 2a02dce 3.4.1
• fba4e8f Merge pull request #89 from WebReflection/python-fix
• 5fe8648 added "when in Rome" also a test for PHP
• 53517ad some minor improvement
• b3e2a0c Fixing recursion issue in Python too
• c4b46db Add SECURITY.md for security policy and reporting
• f86d071 Create dependabot.yml for version updates
• Additional commits viewable in compare view

Removes fast-xml-parser

Removes fast-xml-parser

Updates undici from 6.22.0 to 6.24.1

Release notes

Sourced from undici's releases.

v6.24.1

Full Change...

Description has been truncated