- added `getCredentials` callback in `S3Config`
- simplified signer test util ( `sigv4-signer.js` ) and moved to
`src/signer.ts`
- all tests run in a new non root minio user ( required for sts ) ,
which gets created before the tests start see `tests/s3-client/setup.js`
- tests added for sts , using `@aws-sdk/client-sts` for getting creds.
- credential caching inspired from the current implementation in
`@aws-s3` plugin , see `#getTemporarySecurityCredentials` inside
`@uppy/aws-s3/src/index.ts`
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
AI disclaimer : AI used
## Changes
- **jsdom 26 → 29** across all packages' devDependencies —
**except`@uppy/aws-s3`** (left at 26; that plugin is being rewritten and
its deps are handled on the rewrite branch).
- **`@uppy/xhr-upload` unit tests migrated from nock to MSW**, and
`nock` dropped from its devDependencies.
## Why the test migration was needed
jsdom **28** overhauled resource loading so `XMLHttpRequest` now goes
through jsdom's internal (undici-based) fetch instead of Node's `http`
module ([jsdom 28 release
notes](https://github.com/jsdom/jsdom/releases/tag/28.0.0)).
nock intercepts at the Node `http` / `http.ClientRequest` layer ([nock
README](https://github.com/nock/nock)), so it can no longer see uppy's
upload requests — the mocked responses never arrive and the tests time
out. (This is the long-standing nock + jsdom XHR incompatibility:
[nock#518](https://github.com/nock/nock/issues/518).)
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Part of the dev-dependency major-version upgrades. These required code
changes so they're split out from the no-code-change batch (#6315).
**AI Disclaimer** : AI Used
- **glob 8 → 13** — `@uppy/locales` scripts: the callback API was
removed, so `getPaths()` uses the promise form and `test.mjs` uses the
named `globSync`.
- **npm-packlist 5 → 11** — `upload-to-cdn.js`: v7+ takes an
`@npmcli/arborist` tree instead of `{ path }`; loads the tree and passes
it to `packlist()`. Adds `@npmcli/arborist` as a devDependency.
- **nock 13 → 14** (`@uppy/companion`) — the v14 @mswjs/interceptors
rewrite crashed the SSRF tests in `http-agent.test.ts`; nock
interception is now kept off by default and only activated for the one
test that mocks a host.
- **@types/use-sync-external-store 0 → 1** — `@uppy/react`: v1's exports
map only exposes extensionless subpaths, so imports use
`use-sync-external-store/shim` and `/with-selector` (runtime supports
both).
will do a separte PR for changes which would require code changes so
it's easier to review , didn't upgrade any deps for `@uppy/aws-s3` since
we'll merge the rewrite so I think we should do that upgrade in the
rewrite branch before merging.
update : Dependency upgrades which required code changes were raised
separately
- #6309
- #6310
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
this fixes#6287 , another similar attempted fix which didn't got merged
: #5683
in #5683 we discussed a more longer term solution but IMO that would be
a breaking change as it would change the event contract
AI Disclaimer : AI Used
This fix is Manually Tested across **Chrome and Firefox**
all the dev deps upgraded excepts for these :
- `@types/cors: 2.8.6`
- `@types/jsonwebtoken: 8.3.7`
- `@types/morgan: 1.7.37`
- `@types/node: ^20.19.0`
- `nock: ^13.1.3`
upgrading these to their latest major either breaks the test suite or
requires us to do code changes on our end.
#6297
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
exact copy of #6175
- I will point the uppy deps upgrade pr to this PR's branch
- no other changes needed in this branch as #6175 was reviewed and all
the comments were resolved
this should be the order of merge :
1. #6300
2. uppy deps upgrade ( yet to be raised )
3. merge this to main
4. merge biome changes #6244
@mifi let me know if you think otherwise.
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Supersedes #6178.
This branch keeps the exact same final content as #6178, but splits
history for reviewability:
1. `chore(companion): rename source and test files from .js to .ts`
(pure `git mv`, no content changes)
2. `feat(companion): port Companion to TypeScript` (actual
content/type/schema/build updates)
Validation note:
- Final tree is byte-for-byte identical to `ts-companion`
(`7b5b16a298690b0492de4cc4fab744f998b45570`).
---------
Co-authored-by: Mikael Finstad <finstaden@gmail.com>
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.8.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="6b8eba0ef3"><code>6b8eba0</code></a>
7.5.8</li>
<li><a
href="2cb1120bce"><code>2cb1120</code></a>
fix(unpack): improve UnpackSync symlink error "into" path
accuracy</li>
<li><a
href="d18e4e1f84"><code>d18e4e1</code></a>
fix: do not write linkpaths through symlinks</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.7...v7.5.8">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<details>
<summary>Install script changes</summary>
<p>This version adds <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
this fixes #6167
AI summary :
**The Bug: S3 Multipart Upload Fails with InvalidPart**
**What happened**
When uploading large files (200MB+) from Google Drive → Companion → S3
using multipart upload, the upload would reach ~96-100% and then fail
with S3's `InvalidPart` error on `CompleteMultipartUpload`.
*Root cause*
_A version mismatch between two AWS SDK packages caused by yarn dedupe._
Commit `3c3034b40` ("Dedupe dependencies #6085") ran `yarn dedupe`.
Companion had `@aws-sdk/client-s3` and `@aws-sdk/lib-storage` both at
`"^3.338.0"`, which previously both resolved to `3.600.0`. But the
`@uppy/transloadit` package elsewhere in the monorepo had
`"@aws-sdk/client-s3": "^3.891.0"`. Dedupe merged the resolutions —
`client-s3` jumped to `3.896.0` while `lib-storage` stayed at `3.600.0`.
*Why the mismatch matters*
AWS SDK `client-s3@3.896.0` introduced a _breaking behavioral change_ in
its checksum middleware:
• *Old (3.600.0):* Default checksum = MD5, no auto-injection.
`UploadPart` requests sent _no checksum header_.
• *New (3.896.0):* Default checksum = CRC32,
`requestChecksumCalculation` defaults to `"WHEN_SUPPORTED"`. The
middleware _auto-injects `x-amz-checksum-crc32`_ on every `UploadPart`
request.
The old `lib-storage@3.600.0` didn't know about this new behavior. It
called `CreateMultipartUpload` _without_ setting `ChecksumAlgorithm`.
Then `client-s3@3.896.0` added CRC32 checksums to each `UploadPart`. S3
saw parts with checksums that weren't declared at creation time →
rejected with `InvalidPart` at `CompleteMultipartUpload`.
*How the fixes work*
_Option A — `requestChecksumCalculation: 'WHEN_REQUIRED'`_ (workaround):
Tells the new `client-s3` to only add checksums when S3 requires them
(which it doesn't for `UploadPart`). This restores the old behavior — no
checksum headers, no mismatch.
_Option B — Upgrade all AWS SDK packages to `^3.986.0`_ (proper fix):
The new `lib-storage@3.986.0` is _aware_ of the CRC32 checksum behavior.
When it detects `requestChecksumCalculation = "WHEN_SUPPORTED"`, it
explicitly sets `ChecksumAlgorithm: "CRC32"` on the
`CreateMultipartUpload` call. Now S3 expects CRC32 checksums on the
parts, the parts have CRC32 checksums → everything is consistent →
upload succeeds.
*TL;DR*
`yarn dedupe` upgraded `client-s3` but not `lib-storage`. The new
`client-s3` started adding CRC32 checksums to parts, but the old
`lib-storage` didn't declare CRC32 at multipart creation time. S3
rejected the mismatch. Fix: upgrade both packages together so they agree
on checksum behavior.
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.5 to 7.5.7.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4a37eb9a1c"><code>4a37eb9</code></a>
7.5.7</li>
<li><a
href="f4a7aa9bc3"><code>f4a7aa9</code></a>
fix: properly sanitize hard links containing ..</li>
<li><a
href="394ece6ad8"><code>394ece6</code></a>
7.5.6</li>
<li><a
href="7d4cc17c76"><code>7d4cc17</code></a>
fix race puting a Link ahead of its target File</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.5...v7.5.7">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.21 to
4.17.23.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="dec55b7a3b"><code>dec55b7</code></a>
Bump main to v4.17.23 (<a
href="https://redirect.github.com/lodash/lodash/issues/6088">#6088</a>)</li>
<li><a
href="19c9251b36"><code>19c9251</code></a>
fix: setCacheHas JSDoc return type should be boolean (<a
href="https://redirect.github.com/lodash/lodash/issues/6071">#6071</a>)</li>
<li><a
href="b5e672995a"><code>b5e6729</code></a>
jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (<a
href="https://redirect.github.com/lodash/lodash/issues/6062">#6062</a>)</li>
<li><a
href="edadd45214"><code>edadd45</code></a>
Prevent prototype pollution on baseUnset function</li>
<li><a
href="4879a7a7d0"><code>4879a7a</code></a>
doc: fix autoLink function, conversion of source links (<a
href="https://redirect.github.com/lodash/lodash/issues/6056">#6056</a>)</li>
<li><a
href="9648f692b0"><code>9648f69</code></a>
chore: remove <code>yarn.lock</code> file (<a
href="https://redirect.github.com/lodash/lodash/issues/6053">#6053</a>)</li>
<li><a
href="dfa407db0b"><code>dfa407d</code></a>
ci: remove legacy configuration files (<a
href="https://redirect.github.com/lodash/lodash/issues/6052">#6052</a>)</li>
<li><a
href="156e1965ae"><code>156e196</code></a>
feat: add renovate setup (<a
href="https://redirect.github.com/lodash/lodash/issues/6039">#6039</a>)</li>
<li><a
href="933e1061b8"><code>933e106</code></a>
ci: add pipeline for Bun (<a
href="https://redirect.github.com/lodash/lodash/issues/6023">#6023</a>)</li>
<li><a
href="072a807ff7"><code>072a807</code></a>
docs: update links related to Open JS Foundation (<a
href="https://redirect.github.com/lodash/lodash/issues/5968">#5968</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lodash/lodash/compare/4.17.21...4.17.23">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.3 to 7.5.4.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="911c886bb1"><code>911c886</code></a>
7.5.4</li>
<li><a
href="3b1abfae65"><code>3b1abfa</code></a>
normalize out unicode ligatures</li>
<li><a
href="a43478c5c5"><code>a43478c</code></a>
remove some unused files</li>
<li><a
href="970c58f6d3"><code>970c58f</code></a>
update deps</li>
<li><a
href="bb21974894"><code>bb21974</code></a>
update changelog</li>
<li>See full diff in <a
href="https://github.com/isaacs/node-tar/compare/v7.5.3...v7.5.4">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~isaacs">isaacs</a>, a new releaser for tar
since your current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.1 to 7.5.3.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md">tar's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>7.5</h2>
<ul>
<li>Added <code>zstd</code> compression support.</li>
</ul>
<h2>7.4</h2>
<ul>
<li>Deprecate <code>onentry</code> in favor of <code>onReadEntry</code>
for clarity.</li>
</ul>
<h2>7.3</h2>
<ul>
<li>Add <code>onWriteEntry</code> option</li>
</ul>
<h2>7.2</h2>
<ul>
<li>DRY the command definitions into a single <code>makeCommand</code>
method,
and update the type signatures to more appropriately infer the
return type from the options and arguments provided.</li>
</ul>
<h2>7.1</h2>
<ul>
<li>Update minipass to v7.1.0</li>
<li>Update the type definitions of <code>write()</code> and
<code>end()</code> methods on
<code>Unpack</code> and <code>Parser</code> classes to be compatible
with the
NodeJS.WritableStream type in the latest versions of
<code>@types/node</code>.</li>
</ul>
<h2>7.0</h2>
<ul>
<li>Drop support for node <18</li>
<li>Rewrite in TypeScript, provide ESM and CommonJS hybrid
interface</li>
<li>Add tree-shake friendly exports, like
<code>import('tar/create')</code>
and <code>import('tar/read-entry')</code> to get individual functions or
classes.</li>
<li>Add <code>chmod</code> option that defaults to false, and deprecate
<code>noChmod</code>. That is, reverse the default option regarding
explicitly setting file system modes to match tar entry
settings.</li>
<li>Add <code>processUmask</code> option to avoid having to call
<code>process.umask()</code> when <code>chmod: true</code> (or
<code>noChmod: false</code>) is
set.</li>
</ul>
<h2>6.2</h2>
<ul>
<li>Add support for brotli compression</li>
<li>Add <code>maxDepth</code> option to prevent extraction into
excessively
deep folders.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="03138441b2"><code>0313844</code></a>
7.5.3</li>
<li><a
href="340eb285b6"><code>340eb28</code></a>
fix: sanitize absolute linkpaths properly</li>
<li><a
href="8bb83f7e51"><code>8bb83f7</code></a>
update deps</li>
<li><a
href="1c4aedd28a"><code>1c4aedd</code></a>
Fix typo in onWriteEntry documentation</li>
<li><a
href="d9ea73a9b3"><code>d9ea73a</code></a>
7.5.2</li>
<li><a
href="5e1a8e6386"><code>5e1a8e6</code></a>
Fix sync tar.list when file size reduces while reading</li>
<li><a
href="0fbeaeddf5"><code>0fbeaed</code></a>
formatting</li>
<li><a
href="2dbacfe339"><code>2dbacfe</code></a>
add types for make-tar util</li>
<li><a
href="c5865d3120"><code>c5865d3</code></a>
remove unused taprc file</li>
<li><a
href="bdb38096af"><code>bdb3809</code></a>
header: only read from ustar block if not specified in Pax</li>
<li>Additional commits viewable in <a
href="https://github.com/isaacs/node-tar/compare/v6.2.1...v7.5.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@sveltejs/kit](https://github.com/sveltejs/kit/tree/HEAD/packages/kit)
from 2.20.7 to 2.49.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/releases"><code>@sveltejs/kit</code>'s
releases</a>.</em></p>
<blockquote>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid overriding Vite default <code>base</code> when running
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/14866">#14866</a>)</p>
</li>
<li>
<p>fix: ensure url decoded pathnames are not mistaken as rerouted
requests (<a
href="d9ae9b00b1"><code>d9ae9b0</code></a>)</p>
</li>
<li>
<p>fix: add length checks to remote forms (<a
href="8ed8155215"><code>8ed8155</code></a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: support instrumentation for <code>vite preview</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15105">#15105</a>)</p>
</li>
<li>
<p>fix: support for <code>URLSearchParams.has(name, value)</code>
overload (<a
href="https://redirect.github.com/sveltejs/kit/pull/15076">#15076</a>)</p>
</li>
<li>
<p>fix: put forking behind <code>experimental.forkPreloads</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15135">#15135</a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid false-positive Vite config overridden warning when using
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/15121">#15121</a>)</p>
</li>
<li>
<p>fix: add <code>typescript</code> as an optional peer dependency (<a
href="https://redirect.github.com/sveltejs/kit/pull/15074">#15074</a>)</p>
</li>
<li>
<p>fix: use hasOwn check when deep-setting object properties (<a
href="https://redirect.github.com/sveltejs/kit/pull/15127">#15127</a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: Stop re-loading already-loaded CSS during server-side route
resolution (<a
href="https://redirect.github.com/sveltejs/kit/pull/15014">#15014</a>)</p>
</li>
<li>
<p>fix: posixify the instrumentation file import on Windows (<a
href="https://redirect.github.com/sveltejs/kit/pull/14993">#14993</a>)</p>
</li>
<li>
<p>fix: Correctly handle shared memory when decoding binary form data
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15028">#15028</a>)</p>
</li>
</ul>
<h2><code>@sveltejs/kit</code><a
href="https://github.com/2"><code>@2</code></a>.49.1</h2>
<h3>Patch Changes</h3>
<ul>
<li>fix: suppress <code>state_referenced_locally</code> warnings in
<code>.svelte-kit/generated/root.svelte</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15013">#15013</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sveltejs/kit/blob/main/packages/kit/CHANGELOG.md"><code>@sveltejs/kit</code>'s
changelog</a>.</em></p>
<blockquote>
<h2>2.49.5</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid overriding Vite default <code>base</code> when running
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/14866">#14866</a>)</p>
</li>
<li>
<p>fix: ensure url decoded pathnames are not mistaken as rerouted
requests (<a
href="d9ae9b00b1"><code>d9ae9b0</code></a>)</p>
</li>
<li>
<p>fix: add length checks to remote forms (<a
href="8ed8155215"><code>8ed8155</code></a>)</p>
</li>
</ul>
<h2>2.49.4</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: support instrumentation for <code>vite preview</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15105">#15105</a>)</p>
</li>
<li>
<p>fix: support for <code>URLSearchParams.has(name, value)</code>
overload (<a
href="https://redirect.github.com/sveltejs/kit/pull/15076">#15076</a>)</p>
</li>
<li>
<p>fix: put forking behind <code>experimental.forkPreloads</code> (<a
href="https://redirect.github.com/sveltejs/kit/pull/15135">#15135</a>)</p>
</li>
</ul>
<h2>2.49.3</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: avoid false-positive Vite config overridden warning when using
Vitest 4 (<a
href="https://redirect.github.com/sveltejs/kit/pull/15121">#15121</a>)</p>
</li>
<li>
<p>fix: add <code>typescript</code> as an optional peer dependency (<a
href="https://redirect.github.com/sveltejs/kit/pull/15074">#15074</a>)</p>
</li>
<li>
<p>fix: use hasOwn check when deep-setting object properties (<a
href="https://redirect.github.com/sveltejs/kit/pull/15127">#15127</a>)</p>
</li>
</ul>
<h2>2.49.2</h2>
<h3>Patch Changes</h3>
<ul>
<li>
<p>fix: Stop re-loading already-loaded CSS during server-side route
resolution (<a
href="https://redirect.github.com/sveltejs/kit/pull/15014">#15014</a>)</p>
</li>
<li>
<p>fix: posixify the instrumentation file import on Windows (<a
href="https://redirect.github.com/sveltejs/kit/pull/14993">#14993</a>)</p>
</li>
<li>
<p>fix: Correctly handle shared memory when decoding binary form data
(<a
href="https://redirect.github.com/sveltejs/kit/pull/15028">#15028</a>)</p>
</li>
</ul>
<h2>2.49.1</h2>
<h3>Patch Changes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="80ffb53382"><code>80ffb53</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15162">#15162</a>)</li>
<li><a
href="8ed8155215"><code>8ed8155</code></a>
Merge commit from fork</li>
<li><a
href="d9ae9b00b1"><code>d9ae9b0</code></a>
Merge commit from fork</li>
<li><a
href="ec4596a066"><code>ec4596a</code></a>
chore: Upgrade devalue (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15172">#15172</a>)</li>
<li><a
href="81cd545dd7"><code>81cd545</code></a>
fix: avoid overriding Vite default <code>base</code> when running Vitest
4 (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/14866">#14866</a>)</li>
<li><a
href="6cf9491ccd"><code>6cf9491</code></a>
chore: remove unused is_http_method helper and method set to (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15152">#15152</a>)</li>
<li><a
href="3305022433"><code>3305022</code></a>
Revert "breaking: remove <code>buttonProps</code> from experimental
remote form function...</li>
<li><a
href="4f9870dd9d"><code>4f9870d</code></a>
breaking: remove <code>buttonProps</code> from experimental remote form
functions (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/14622">#14622</a>)</li>
<li><a
href="c8e4017c3c"><code>c8e4017</code></a>
Version Packages (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15129">#15129</a>)</li>
<li><a
href="50bf727f59"><code>50bf727</code></a>
chore: fix prettier ignoring source code in with build in the name (<a
href="https://github.com/sveltejs/kit/tree/HEAD/packages/kit/issues/15133">#15133</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sveltejs/kit/commits/@sveltejs/kit@2.49.5/packages/kit">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by [GitHub Actions](<a
href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a>
Actions), a new releaser for <code>@sveltejs/kit</code> since your
current version.</p>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler)
from 19.2.17 to 19.2.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/releases"><code>@angular/compiler</code>'s
releases</a>.</em></p>
<blockquote>
<h2>19.2.18</h2>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c"><img
src="https://img.shields.io/badge/26cdc53d9c-fix-green" alt="fix -
26cdc53d9c" /></a></td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/blob/main/CHANGELOG.md"><code>@angular/compiler</code>'s
changelog</a>.</em></p>
<blockquote>
<h1>19.2.18 (2026-01-07)</h1>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c">26cdc53d9c</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.0.7 (2026-01-07)</h1>
<h3>compiler</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="8e808740c9">8e808740c9</a></td>
<td>fix</td>
<td>better types for a few expression AST nodes</td>
</tr>
<tr>
<td><a
href="63b1cdcf70">63b1cdcf70</a></td>
<td>fix</td>
<td>produce accurate span for typeof and void expressions</td>
</tr>
<tr>
<td><a
href="3c3ae0cb64">3c3ae0cb64</a></td>
<td>fix</td>
<td>provide location information for literal map keys</td>
</tr>
<tr>
<td><a
href="523dbaf1c3">523dbaf1c3</a></td>
<td>fix</td>
<td>stop ThisReceiver inheritance from ImplicitReceiver</td>
</tr>
</tbody>
</table>
<h3>compiler-cli</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="4d9c4567ed">4d9c4567ed</a></td>
<td>fix</td>
<td>ensure component import diagnostics are reported within the
<code>imports</code> expression</td>
</tr>
<tr>
<td><a
href="cd405685af">cd405685af</a></td>
<td>fix</td>
<td>fix up spelling of diagnostic</td>
</tr>
<tr>
<td><a
href="778460fcca">778460fcca</a></td>
<td>fix</td>
<td>support qualified names in <code>typeof</code> type references</td>
</tr>
</tbody>
</table>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="7c74674eb0">7c74674eb0</a></td>
<td>fix</td>
<td>avoid leaking view data in animations</td>
</tr>
<tr>
<td><a
href="0edbee4550">0edbee4550</a></td>
<td>fix</td>
<td>explicitly cast signal node value to String</td>
</tr>
<tr>
<td><a
href="f9c29572d2">f9c29572d2</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<h3>forms</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="e3fba182f9">e3fba182f9</a></td>
<td>feat</td>
<td>add <code>[formField]</code> directive</td>
</tr>
<tr>
<td><a
href="561772b152">561772b152</a></td>
<td>fix</td>
<td>allow custom controls to require <code>dirty</code> input</td>
</tr>
<tr>
<td><a
href="f0fb1d8581">f0fb1d8581</a></td>
<td>fix</td>
<td>allow custom controls to require <code>hidden</code> input</td>
</tr>
<tr>
<td><a
href="ec110f170b">ec110f170b</a></td>
<td>fix</td>
<td>allow custom controls to require <code>pending</code> input</td>
</tr>
<tr>
<td><a
href="ae1dc16bb0">ae1dc16bb0</a></td>
<td>fix</td>
<td>clean up abort listener after timeout</td>
</tr>
<tr>
<td><a
href="9748b0d5da">9748b0d5da</a></td>
<td>fix</td>
<td>support custom controls with non signal-based models</td>
</tr>
<tr>
<td><a
href="6bd22df987">6bd22df987</a></td>
<td>fix</td>
<td>Support readonly arrays in signal forms</td>
</tr>
</tbody>
</table>
<h3>router</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="41cd4a6af8">41cd4a6af8</a></td>
<td>fix</td>
<td>Fix RouterLink href not updating with
<code>queryParamsHandling</code></td>
</tr>
<tr>
<td><a
href="5e9e09aee0">5e9e09aee0</a></td>
<td>fix</td>
<td>handle errors from view transition <code>updateCallbackDone</code>
promise</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.1.0-next.4 (2025-12-17)</h1>
<h2>Breaking Changes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="26cdc53d9c"><code>26cdc53</code></a>
fix(core): sanitize sensitive attributes on SVG script elements</li>
<li>See full diff in <a
href="https://github.com/angular/angular/commits/v19.2.18/packages/compiler">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core)
from 19.2.17 to 19.2.18.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/releases"><code>@angular/core</code>'s
releases</a>.</em></p>
<blockquote>
<h2>19.2.18</h2>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c"><img
src="https://img.shields.io/badge/26cdc53d9c-fix-green" alt="fix -
26cdc53d9c" /></a></td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/angular/angular/blob/main/CHANGELOG.md"><code>@angular/core</code>'s
changelog</a>.</em></p>
<blockquote>
<h1>19.2.18 (2026-01-07)</h1>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="26cdc53d9c">26cdc53d9c</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.0.7 (2026-01-07)</h1>
<h3>compiler</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="8e808740c9">8e808740c9</a></td>
<td>fix</td>
<td>better types for a few expression AST nodes</td>
</tr>
<tr>
<td><a
href="63b1cdcf70">63b1cdcf70</a></td>
<td>fix</td>
<td>produce accurate span for typeof and void expressions</td>
</tr>
<tr>
<td><a
href="3c3ae0cb64">3c3ae0cb64</a></td>
<td>fix</td>
<td>provide location information for literal map keys</td>
</tr>
<tr>
<td><a
href="523dbaf1c3">523dbaf1c3</a></td>
<td>fix</td>
<td>stop ThisReceiver inheritance from ImplicitReceiver</td>
</tr>
</tbody>
</table>
<h3>compiler-cli</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="4d9c4567ed">4d9c4567ed</a></td>
<td>fix</td>
<td>ensure component import diagnostics are reported within the
<code>imports</code> expression</td>
</tr>
<tr>
<td><a
href="cd405685af">cd405685af</a></td>
<td>fix</td>
<td>fix up spelling of diagnostic</td>
</tr>
<tr>
<td><a
href="778460fcca">778460fcca</a></td>
<td>fix</td>
<td>support qualified names in <code>typeof</code> type references</td>
</tr>
</tbody>
</table>
<h3>core</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="7c74674eb0">7c74674eb0</a></td>
<td>fix</td>
<td>avoid leaking view data in animations</td>
</tr>
<tr>
<td><a
href="0edbee4550">0edbee4550</a></td>
<td>fix</td>
<td>explicitly cast signal node value to String</td>
</tr>
<tr>
<td><a
href="f9c29572d2">f9c29572d2</a></td>
<td>fix</td>
<td>sanitize sensitive attributes on SVG script elements</td>
</tr>
</tbody>
</table>
<h3>forms</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="e3fba182f9">e3fba182f9</a></td>
<td>feat</td>
<td>add <code>[formField]</code> directive</td>
</tr>
<tr>
<td><a
href="561772b152">561772b152</a></td>
<td>fix</td>
<td>allow custom controls to require <code>dirty</code> input</td>
</tr>
<tr>
<td><a
href="f0fb1d8581">f0fb1d8581</a></td>
<td>fix</td>
<td>allow custom controls to require <code>hidden</code> input</td>
</tr>
<tr>
<td><a
href="ec110f170b">ec110f170b</a></td>
<td>fix</td>
<td>allow custom controls to require <code>pending</code> input</td>
</tr>
<tr>
<td><a
href="ae1dc16bb0">ae1dc16bb0</a></td>
<td>fix</td>
<td>clean up abort listener after timeout</td>
</tr>
<tr>
<td><a
href="9748b0d5da">9748b0d5da</a></td>
<td>fix</td>
<td>support custom controls with non signal-based models</td>
</tr>
<tr>
<td><a
href="6bd22df987">6bd22df987</a></td>
<td>fix</td>
<td>Support readonly arrays in signal forms</td>
</tr>
</tbody>
</table>
<h3>router</h3>
<table>
<thead>
<tr>
<th>Commit</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><a
href="41cd4a6af8">41cd4a6af8</a></td>
<td>fix</td>
<td>Fix RouterLink href not updating with
<code>queryParamsHandling</code></td>
</tr>
<tr>
<td><a
href="5e9e09aee0">5e9e09aee0</a></td>
<td>fix</td>
<td>handle errors from view transition <code>updateCallbackDone</code>
promise</td>
</tr>
</tbody>
</table>
<!-- raw HTML omitted -->
<p><!-- raw HTML omitted --><!-- raw HTML omitted --></p>
<h1>21.1.0-next.4 (2025-12-17)</h1>
<h2>Breaking Changes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="26cdc53d9c"><code>26cdc53</code></a>
fix(core): sanitize sensitive attributes on SVG script elements</li>
<li>See full diff in <a
href="https://github.com/angular/angular/commits/v19.2.18/packages/core">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/transloadit/uppy/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>