v2.1.6

Compare Source

• fix: normalize lefthook path for sh script (#​1383) by @​AndrewKahr
• fix: normalize root to always include trailing slash before path replacement (#​1381) by @​Copilot
• fix: skip pty allocation when stdout is not a terminal (#​1393) by @​technicalpickles
• docs: upgrade docmd (#​1391) by @​mrexox
• fix: log full scoped name for skipped jobs (#​1291) by @​scop
• fix: do not pipe stdout and stderr (#​1382) by @​mrexox

v2.1.5

Compare Source

• deps: April 2026 (#​1375) by @​mrexox
• docs: update documentation and docs for claude (#​1373) by @​mrexox
• fix: git repository merge issue (#​1372) by @​mrexox
• fix: use pre-push stdin for push file detection (#​1368) by @​supitsdu
• chore: small cleanup (#​1370) by @​mrexox
• fix: prevent lefthook run from overwriting global hooks (#​1371) by @​ivy
• chore: upgrade to 2.11.4 (#​1362) by @​scop
• chore: fix golangci-lint version lookup by @​mrexox
• chore: move golangci-lint version to .tool-versions (#​1349) by @​scop

v2.1.4

Compare Source

• pkg: fix scripts (#​1348) by @​mrexox
• fix: bring back {lefthook_job_name} template (#​1347) by @​mrexox
• pkg: refactor packaging (2) (#​1346) by @​mrexox
• fix: separate more commands' non-option args with -- (#​1339) by @​scop
• docs: change logo to point to landing page instead of itself (#​1343) by @​igas
• pkg: make it easier to read (#​1340) by @​mrexox
• pkg: refactor packaging scripts (#​1308) by @​mrexox

v3.5.32

Compare Source

Bug Fixes

• runtime-core: prevent currentInstance leak into sibling render during async setup re-entry (#​14668) (f166353), closes #​14667
• teleport: handle updates before deferred mount (#​14642) (32b44f1), closes #​14640
• types: allow customRef to have different getter/setter types (#​14639) (e20ddb0)
• types: use private branding for shallowReactive (#​14641) (302c47a), closes #​14638 #​14493

Reverts

• Revert "fix(server-renderer): cleanup component effect scopes after SSR render" (#​14674) (219d83b), closes #​14674 #​14669

v3.5.31

Compare Source

Bug Fixes

• compiler-sfc: allow Node.js subpath imports patterns in asset urls (#​13045) (95c3356), closes #​9919
• compiler-sfc: support template literal as defineModel name (#​14622) (bd7eef0), closes #​14621
• reactivity: normalize toRef property keys before dep lookup + improve types (#​14625) (1bb28d0), closes #​12427 #​12431
• runtime-core: invalidate detached v-for memo vnodes after unmount (#​14624) (560def4), closes #​12708 #​12710
• runtime-core: preserve nullish event handlers in mergeProps (#​14550) (5725222)
• runtime-core: prevent merging model listener when value is null or undefined (#​14629) (b39e032)
• runtime-dom: defer teleport mount/update until suspense resolves (#​8619) (88ed045), closes #​8603
• runtime-dom: handle activeElement check in Shadow DOM for v-model (#​14196) (959ded2)
• server-renderer: cleanup component effect scopes after SSR render (#​14548) (862f11e)
• suspense: avoid unmount activeBranch twice if wrapped in transition (#​9392) (908c6ad), closes #​7966
• suspense: update suspense vnode's el during branch self-update (#​12922) (a2c1700), closes #​12920
• transition: skip enter guard while hmr updating (#​14611) (be0a2f1), closes #​14608
• types: prevent shallowReactive marker from leaking into value unions (#​14493) (3b561db), closes #​14490

v3.5.30

Compare Source

Bug Fixes

• compat: add entities to @​vue/compat deps to fix CJS edge cases (#​12514) (e725a67), closes #​10609
• custom-element: ensure child component styles are injected in correct order before parent styles (#​13374) (1398bf8), closes #​13029
• custom-element: properly locate parent when slotted in shadow dom (#​12480) (f06c81a), closes #​12479
• custom-element: should properly patch as props for vue custom elements (#​12409) (740983e), closes #​12408
• reactivity: avoid duplicate raw/proxy entries in Set.add (#​14545) (d943612)
• reactivity: fix reduce on reactive arrays to preserve reactivity (#​12737) (16ef165), closes #​12735
• reactivity: handle Set with initial reactive values edge case (#​12393) (5dc27ca), closes #​8647
• runtime-core: warn about negative number in v-for (#​12308) (9438cc5)
• ssr: prevent watch from firing after async setup await (#​14547) (6cda71d), closes #​14546
• types: make generics with runtime props in defineComponent work (fix #​11374) (#​13119) (cea3cf7), closes #​13763
• types: narrow useAttrs class/style typing for TSX (#​14492) (bbb8977), closes #​14489

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

v6.1.7

Compare Source

compare changes

🩹 Fixes

• defu.d.cts: Export Defu types (#​157)

📦 Build

• Correct the types export entry (#​160)

❤️ Contributors

• Jakub Michálek (@​J-Michalek)
• Kricsleo (@​kricsleo)

v6.1.6

Compare Source

compare changes

📦 Build

• Fix mixed types (407b516)

❤️ Contributors

• Pooya Parsa (@​pi0)

v8.0.4

Compare Source

• #​667 - fix another bug in diffWords when used with an Intl.Segmenter. If the text to be diffed included a combining mark after a whitespace character (i.e. roughly speaking, an accented space), diffWords would previously crash. Now this case is handled correctly.

v9.39.4

Compare Source

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (#​20564) (Milos Djermanovic)
• a3c868f fix: update dependency @​eslint/eslintrc to ^3.3.4 (#​20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (#​20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (#​20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (#​20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (#​20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @​eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (#​20563) (Milos Djermanovic)

v1.15.11

Compare Source

compare changes

🏡 Chore

• Update defu to 6.1.6 (6125485)
• Update deps (4998dd8)
• Update cookie-es (d166186)

v1.15.10

Compare Source

compare changes

🩹 Fixes

• Preserve percent-encoded req.url in app event handler (#​1355)

❤️ Contributors

• Sergio Azócar (@​sergioazoc)

v10.2.5

Compare Source

v5.1.9

Compare Source

• Fixed npm package size regression.

v5.1.8

Compare Source

• Made cusatomAlphabet 75% faster (by @​saripovdenis).

v5.1.7

Compare Source

• Added --version to CLI (by @​mahmoodhamdi).
• Updated nanoid.js for CDN (by @​mahmoodhamdi).
• Fixed docs (by @​mahmoodhamdi).
• Fixed customRandom types (by @​oguimbal).

v24.14.1

Compare Source

v10.29.1

Compare Source

Fixes

• Create a unique event-clock for each Preact instance on a page. (#​5068, thanks @​JoviDeCroock)
• Fix incorrect DOM order with conditional ContextProvider and inner keys (#​5067, thanks @​JoviDeCroock)

Maintenance

• fix: Remove postinstall script for playwright setup (#​5063, thanks @​rschristian)
• chore: speed up tests by using playwright instead of webdriverio (#​5060, thanks @​marvinhagemeister)
• chore: migrate remaining .js -> .jsx files (#​5059, thanks @​marvinhagemeister)
• chore: rename .test.js -> .test.jsx when JSX is used (#​5058, thanks @​marvinhagemeister)
• Migrate from biome to oxfmt (#​5033, thanks @​JoviDeCroock)

v6.15.1

Compare Source

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

v5.31.5

Compare Source

Full Changelog: sebhildebrandt/systeminformation@v5.31.4...v5.31.5

v5.31.4

Compare Source

Full Changelog: sebhildebrandt/systeminformation@v5.31.3...v5.31.4

v7.5.13

Compare Source

v7.5.12

Compare Source

v7.24.8

Compare Source

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in #​5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

Compare Source

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in #​4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in #​4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in #​4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in #​4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in #​4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in #​4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in #​4938
• ignore AGENTS.md by @​mcollina in #​4942

New Contributors

• @​samuel871211 made their first contribution in #​4924
• @​mistval made their first contribution in #​4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

Compare Source

What's Changed

• Formdata tests by @​KhafraDev in #​4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in #​4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in #​4913

New Contributors

• @​metalix2 made their first contribution in #​4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

Compare Source

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in #​4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

Compare Source

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

Compare Source

What's Changed

• fix fetch path logic by @​KhafraDev in #​4890
• remove maxDecompressedMessageSize by @​KhafraDev in #​4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

Compare Source

v3.2.7

Compare Source

component-meta

• fix: preserve non-ASCII characters in prop default values (#​6012) - Thanks to @​ef81sp!

workspace

• chore: bump typescript to 6.0.3 (#​6017) - Thanks to @​KazariEX!

v3.2.6

Compare Source

language-core

• fix: generate $slots type in template correctly with defineSlots (#​5984) - Thanks to @​KazariEX!
• fix: infer only readonly component of arrays in v-for (#​5987) - Thanks to @​ascott18!
• fix: avoid false positives for destructured props detection on binding property names (#​5994) - Thanks to @​KazariEX!

vscode

• fix: use regex for TS extension patching to support VS Code 1.110+ (#​5983) - Thanks to @​ebiryu!