chore(deps): bump the npm_and_yarn group across 1 directory with 28 updates

[dependabot]

Bumps the npm_and_yarn group with 28 updates in the / directory:

Package	From	To
@openzeppelin/contracts	4.9.3	4.9.6
@openzeppelin/contracts-upgradeable	4.9.3	5.4.0
express	4.21.2	5.0.0
zod	3.21.2	3.22.3
vitest	1.4.0	1.6.1
@solana/web3.js	1.95.4	1.95.5
tmp	0.2.3	0.2.4
vite	5.3.5	5.4.19
@babel/helpers	7.23.9	7.28.3
@babel/runtime	7.22.5	7.28.3
@grpc/grpc-js	1.10.8	1.10.11
axios	1.7.2	1.11.0
base-x	3.0.9	3.0.11
braces	3.0.2	3.0.3
cipher-base	1.0.4	1.0.6
decode-uri-component	0.2.0	0.2.2
es5-ext	0.10.61	0.10.64
follow-redirects	1.15.1	1.15.11
get-func-name	2.0.0	2.0.2
http-cache-semantics	4.1.0	4.2.0
micromatch	4.0.5	4.0.8
pbkdf2	3.1.2	3.1.3
rollup	3.29.4	3.29.5
semver	5.7.1	5.7.2
sha.js	2.4.11	2.4.12
store2	2.14.3	2.14.4
tar-fs	1.16.4	1.16.5
word-wrap	1.2.3	1.2.5

Updates @openzeppelin/contracts from 4.9.3 to 4.9.6

Release notes

Sourced from @​openzeppelin/contracts's releases.

v4.9.6

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

v4.9.5

• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

v4.9.4

• ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

Changelog

Sourced from @​openzeppelin/contracts's changelog.

4.9.6 (2024-02-29)

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

4.9.5 (2023-12-08)

• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

Commits

• dc44c9f Release v4.9.6 (#4931)
• a6286d0 Port Base64 tests to truffle (#4926) (#4929)
• bd325d5 Release v4.9.5 (#4790)
• ad6a5b6 Add changeset
• 88ac712 Replace double functionDelegateCall
• a83918d Bump node CI version to 16.x
• 0d5f54e Release v4.9.4 (#4784)
• ccfffe1 Make Multicall context-aware
• 9329cfa Remove Wizard page from 4.x
• e1b3d8c Remove Wizard from 4.x navigation
• Additional commits viewable in compare view

Updates @openzeppelin/contracts-upgradeable from 4.9.3 to 5.4.0

Release notes

Sourced from @​openzeppelin/contracts-upgradeable's releases.

v5.4.0

Breaking changes

• Update minimum pragma to 0.8.24 in SignatureChecker, Governor and Governor's extensions. (#5716).

Pragma changes

• Reduced pragma requirement of interface files

Changes by category

Account

• Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#5657)
• AccountERC7579: Extension of Account that implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#5657)
• AccountERC7579Hooked: Extension of AccountERC7579 that implements support for ERC-7579 hook modules. (#5657)
• EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#5587)
• IERC7821, ERC7821: Interface and logic for minimal batch execution. No support for additional opData is included. (#5657)

Governance

• GovernorNoncesKeyed: Extension of Governor that adds support for keyed nonces when voting by sig. (#5574)

Tokens

• ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#5739)

Cryptography

Signers

• AbstractSigner, SignerECDSA, SignerP256, and SignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#5657)
• SignerERC7702: Implementation of AbstractSigner for Externally Owned Accounts (EOAs). Useful with ERC-7702. (#5657)
• SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#5659)
• MultiSignerERC7913: Implementation of AbstractSigner that supports multiple ERC-7913 signers with a threshold-based signature verification system. (#5659)
• MultiSignerERC7913Weighted: Extension of MultiSignerERC7913 that supports assigning different weights to each signer, enabling more flexible governance schemes. (#5741)

Verifiers

• ERC7913P256Verifier and ERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#5659)

Other

• SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#5659)
• ERC7739: An abstract contract to validate signatures following the rehashing scheme from ERC7739Utils. (#5664)
• ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#5664)

Structures

• EnumerableMap: Add support for BytesToBytesMap type. (#5658)

... (truncated)

Changelog

Sourced from @​openzeppelin/contracts-upgradeable's changelog.

5.4.0 (2025-07-17)

Breaking changes

• Update minimum pragma to 0.8.24 in SignatureChecker, Governor and Governor's extensions. (#5716).

Pragma changes

• Reduced pragma requirement of interface files

Changes by category

Account

• Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#5657)
• AccountERC7579: Extension of Account that implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#5657)
• AccountERC7579Hooked: Extension of AccountERC7579 that implements support for ERC-7579 hook modules. (#5657)
• EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#5587)
• IERC7821, ERC7821: Interface and logic for minimal batch execution. No support for additional opData is included. (#5657)

Governance

• GovernorNoncesKeyed: Extension of Governor that adds support for keyed nonces when voting by sig. (#5574)

Tokens

• ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#5739)

Cryptography

Signers

• AbstractSigner, SignerECDSA, SignerP256, and SignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#5657)
• SignerERC7702: Implementation of AbstractSigner for Externally Owned Accounts (EOAs). Useful with ERC-7702. (#5657)
• SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#5659)
• MultiSignerERC7913: Implementation of AbstractSigner that supports multiple ERC-7913 signers with a threshold-based signature verification system. (#5659)
• MultiSignerERC7913Weighted: Extension of MultiSignerERC7913 that supports assigning different weights to each signer, enabling more flexible governance schemes. (#5741)

Verifiers

• ERC7913P256Verifier and ERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#5659)

Other

• SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#5659)
• ERC7739: An abstract contract to validate signatures following the rehashing scheme from ERC7739Utils. (#5664)
• ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#5664)

Structures

... (truncated)

Commits

• e725abd Transpile c64a1edb6
• 14f68d0 Transpile f19bf2900
• d95c31c Transpile 84a600ba7
• f163b61 Transpile fffade5f9
• 60d6d81 Transpile 54a8027af
• 59ee474 Transpile f12605ad4
• 29056a0 Transpile 83b829e0d
• 473630f Transpile 2e152ba69
• fe097cf Transpile a34185060
• 73cfbce Transpile e1277f7ad
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by arr00, a new releaser for @​openzeppelin/contracts-upgradeable since your current version.

Updates express from 4.21.2 to 5.0.0

Release notes

Sourced from express's releases.

5.0.0

Express v5.0.0

🎉 Express v5 is finally here! 🎉

After years of development, the long-awaited Express v5 has been officially released. This version focuses on simplifying the codebase, improving security, and dropping support for older Node.js versions to enable better performance and maintainability.

For detailed information, please check out the official Express v5 release blog post.

Most relevant details

Major Changes in v5

• Node.js version support: Dropped support for Node.js versions before v18.
• Routing changes: Updated to path-to-regexp@8.x, removing sub-expression regex patterns for security reasons (ReDoS mitigation).
• Promise support: Middleware can now return rejected promises, caught by the router as errors.
• body-parser changes: Several improvements including the ability to customize urlencoded body depth and defaulting extended to false.
• Deprecated API methods removed: Removed old, deprecated API method signatures from Express v3/v4.

For a complete list of breaking changes and API deprecations, see the migration guide.

Security Updates

This release includes important security fixes, including improvements to prevent ReDoS attacks and mitigation for CVE-2024-45590. Full details can be found in the security release notes.

Migration

Be sure to check out our migration guide for instructions on how to update your applications from Express v4 to v5.

Security Guidance

For best practices, we recommend reviewing the Threat Model which outlines Express' approach to securing your applications, including tips for user input validation and other critical aspects.

What's Changed

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605
• Use object with null prototype for various app properties by @​EvanHahn in expressjs/express#4861
• deps: encodeurl@~2.0.0 by @​blakeembrey in expressjs/express#5569
• skip QUERY method test by @​jonchurch in expressjs/express#5628
• ignore ETAG query test on 21 and 22, reuse skip util by @​jonchurch in expressjs/express#5639

... (truncated)

Changelog

Sourced from express's changelog.

5.0.0 / 2024-09-10

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

5.0.0-beta.3 / 2024-03-25

This incorporates all changes after 4.19.1 up to 4.19.2.

5.0.0-beta.2 / 2024-03-20

This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14

This is the first Express 5.0 beta release, based off 4.17.2 and includes changes from 5.0.0-alpha.8.

• change:
  • Default "query parser" setting to 'simple'
  • Requires Node.js 4+
  • Use mime-types for file to content type mapping
• deps: array-flatten@3.0.0
• deps: body-parser@2.0.0-beta.1
  • req.body is no longer always initialized to {}

... (truncated)

Commits

• 344b022 5.0.0
• 0c49926 fix(deps): send@^1.1.0
• b3906cb fix(deps): serve-static@^2.1.0
• fed8c2a fix(deps): body-parser@^2.0.1
• bdd81f8 Delete back as a magic string (#5933)
• 6c98f80 🔧 update CI, remove unsupported versions, clean up
• f9256ef Merge branch '5.0' into 5-merge
• e5feb9f Merge tag '4.20.0' into 5.0
• 0264908 feat(deps)!: router@^2.0.0 (#5885)
• 4d713d2 update to fresh@2.0.0 (#5916)
• Additional commits viewable in compare view

Updates zod from 3.21.2 to 3.22.3

Commits

• 1e61d76 3.22.3
• 2ba00fe [2609] fix ReDoS vulnerability in email regex (#2824)
• ae0f7a2 docs: update ref to discriminated-unions docs (#2485)
• ad2ee9c 2718 Updated Custom Schemas documentation example to use type narrowing (#2778)
• 28c1927 Update sponsors
• 18115a8 Formatting
• 64dcc8e Update sponsors
• f59be09 clarify datetime ISO 8601 (#2673)
• 9bd3879 docs: remove obsolete text about readonly types (#2676)
• 1e23990 Commit
• Additional commits viewable in compare view

Updates vitest from 1.4.0 to 1.6.1

Release notes

Sourced from vitest's releases.

v1.6.1

This release includes security patches for:

• Remote Code Execution when accessing a malicious website while Vitest API server is listening | CVE-2025-24964

   🐞 Bug Fixes

• backport vitest-dev/vitest#7317 to v1 - by @​hi-ogawa in vitest-dev/vitest#7319

    View changes on GitHub

v1.6.0

   🚀 Features

• Support standalone mode  -  by @​sheremet-va in vitest-dev/vitest#5565 (bdce0)
• Custom "snapshotEnvironment" option  -  by @​sheremet-va in vitest-dev/vitest#5449 (30f72)
• benchmark: Support comparing benchmark result  -  by @​hi-ogawa and @​sheremet-va in vitest-dev/vitest#5398 (f8d3d)
• browser: Allow injecting scripts  -  by @​sheremet-va in vitest-dev/vitest#5656 (21e58)
• reporter: Support includeConsoleOutput and addFileAttribute in junit  -  by @​hi-ogawa in vitest-dev/vitest#5659 (2f913)
• ui: Sort items by file name  -  by @​btea in vitest-dev/vitest#5652 (1f726)

   🐞 Bug Fixes

• Keep order of arguments for .each in custom task collectors  -  by @​sheremet-va in vitest-dev/vitest#5640 (7d57c)
• Call resolveId('vitest') after buildStart  -  by @​hi-ogawa in vitest-dev/vitest#5646 (f5faf)
• Hash the name of the file when caching  -  by @​sheremet-va in vitest-dev/vitest#5654 (c9e68)
• Don't panic on empty files in node_modules  -  by @​sheremet-va (40c29)
• Use toJSON for error serialization  -  by @​hi-ogawa in vitest-dev/vitest#5526 (19a21)
• coverage:
  • Exclude *.test-d.* by default  -  by @​MindfulPol in vitest-dev/vitest#5634 (bfe8a)
  • Apply vite-node's wrapper only to executed files  -  by @​AriPerkkio in vitest-dev/vitest#5642 (c9883)
• vm:
  • Support network imports  -  by @​sheremet-va in vitest-dev/vitest#5610 (103a6)

   🏎 Performance

• Improve performance of forks pool  -  by @​sheremet-va in vitest-dev/vitest#5592 (d8304)
• Unnecessary rpc call when coverage is disabled  -  by @​AriPerkkio in vitest-dev/vitest#5658 (c5712)

    View changes on GitHub

v1.5.3

   🐞 Bug Fixes

• Use package.json name for a workspace project if not provided  -  by @​sheremet-va in vitest-dev/vitest#5608 (48fba)
• Backport jest iterable equality within object  -  by @​sukovanej in vitest-dev/vitest#5621 (30e5d)
• browser: Support benchmark  -  by @​hi-ogawa in vitest-dev/vitest#5622 (becab)
• reporter: Use default error formatter for JUnit  -  by @​hi-ogawa in vitest-dev/vitest#5629 (20060)

... (truncated)

Commits

• 017e1ee chore: release v1.6.1
• 7ce9fbb fix: backport #7317 to v1 (#7319)
• 6b29f3d chore: release v1.6.0
• f8d3d22 feat(benchmark): support comparing benchmark result (#5398)
• 21e58bd feat(browser): allow injecting scripts (#5656)
• 30f728b feat: custom "snapshotEnvironment" option (#5449)
• 2f91322 feat(reporter): support includeConsoleOutput and addFileAttribute in juni...
• c571276 perf: unnecessary rpc call when coverage is disabled (#5658)
• bdce0a2 feat: support standalone mode (#5565)
• 40c299f fix: don't panic on empty files in node_modules
• Additional commits viewable in compare view

Updates @solana/web3.js from 1.95.4 to 1.95.5

Release notes

Sourced from @​solana/web3.js's releases.

v1.95.5

1.95.5 (2024-11-20)

Bug Fixes

• added programId field in TokenBalance type (#3592) (526ce5f)

Commits

• 526ce5f fix: added programId field in TokenBalance type (#3592)
• 474c5a9 chore: bump commitlint from 19.5.0 to 19.6.0 (#3610)
• d8beaa7 chore: bump @​commitlint/config-conventional from 19.5.0 to 19.6.0 (#3609)
• d961599 chore: bump rollup from 4.27.2 to 4.27.3 (#3606)
• 21ee79d chore: create a composite action that builds GitHub Pages
• 7158228 chore: bump rollup from 4.26.0 to 4.27.2 (#3590)
• 48deec7 chore: bump rollup from 4.25.0 to 4.26.0 (#3562)
• b790a64 chore: bump rollup from 4.24.4 to 4.25.0 (#3551)
• fd9d1bf chore: bump mockttp from 3.15.3 to 3.15.4 (#3550)
• a240574 chore: bump rollup from 4.24.3 to 4.24.4 (#3521)
• Additional commits viewable in compare view

Updates tmp from 0.2.3 to 0.2.4

Commits

• 08fa3ab Update version
• 1cf4ec5 Merge commit from fork
• 188b25e Fix GHSA-52f5-9888-hmc6
• 73b9fe4 Add test case for GHSA-52f5-9888-hmc6
• b8e2f29 Remove broken tests
• 2892a02 Remove outdated URL
• f592318 Reformat package.json
• 995ac8c Merge pull request #301 from raszi/dependabot/npm_and_yarn/braces-3.0.3
• caa758d Bump braces from 3.0.2 to 3.0.3
• See full diff in compare view

Updates vite from 5.3.5 to 5.4.19

Release notes

Sourced from vite's releases.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

v5.4.16

Please refer to CHANGELOG.md for details.

v5.4.15

Please refer to CHANGELOG.md for details.

v5.4.14

Please refer to CHANGELOG.md for details.

v5.4.13

Please refer to CHANGELOG.md for details.

v5.4.12

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

5.4.14 (2025-01-21)

• fix: preview.allowedHosts with specific values was not respected (#19246) (9df6e6b), closes #19246
• fix: allow CORS from loopback addresses by default (#19249) (7d1699c), closes #19249

5.4.13 (2025-01-20)

• fix: try parse server.origin URL (#19241) (5946215), closes #19241

5.4.12 (2025-01-20)

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
• fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
• fix: verify token for HMR WebSocket connection (b71a5c8)
• chore: add deps update changelog (ecd2375)

... (truncated)

Commits

• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• 84b2b46 fix: backport #19782, fs check with svg and relative paths (#19784)
• 712cb71 release: v5.4.16
• b627c50 fix: backport #19761, fs check in transform middleware (#19762)
• 9b0f4c8 release: v5.4.15
• 807d7f0 fix: backport #19702, fs raw query with query separators (#19703)
• Additional commits viewable in compare view

Updates @babel/helpers from 7.23.9 to 7.28.3

Release notes

Sourced from @​babel/helpers's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

v7.28.2 (2025-07-24)

Thanks @​souhailaS for your first PR!

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

Committers: 4

• Babel Bot (@​babel-bot)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• SOUHAILA SERBOUT (@​souhailaS)
• @​liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (