Update dependency devalue to v4.3.3 #8203

Merged
kodiakhq[bot] merged 1 commit into canary from renovate/devalue-4.x
May 31, 2026

@renovate renovate Bot commented May 31, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| devalue | 5.3.2 → 4.3.3 | age | confidence |

Release Notes

sveltejs/devalue (devalue)

v4.3.3

Compare Source

  • Support invalid dates (#61)
  • Fix incorrect error.path when object contains a map (#64)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot commented May 31, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 21 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
bench/vercel                             |  WARN  deprecated term-size@4.0.0
packages/create-next-app                 |  WARN  deprecated @types/ci-info@3.1.4
packages/eslint-plugin-next              |  WARN  deprecated @types/glob@9.0.0
packages/eslint-plugin-next              |  WARN  deprecated glob@10.5.0
packages/next                            |  WARN  deprecated @babel/plugin-proposal-class-properties@7.18.6
packages/next                            |  WARN  deprecated @babel/plugin-proposal-export-namespace-from@7.18.9
packages/next                            |  WARN  deprecated @babel/plugin-proposal-numeric-separator@7.18.6
packages/next                            |  WARN  deprecated @babel/plugin-proposal-object-rest-spread@7.20.7
packages/eslint-config-next              |  WARN  deprecated eslint@8.57.1
Progress: resolved 66, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/X-oss-byte/Nextjs/packages/next:
 ERR_PNPM_FETCH_404  GET https://registry.npmjs.org/@next%2Fswc: Not Found - 404

This error happened while installing a direct dependency of /tmp/renovate/repos/github/X-oss-byte/Nextjs/packages/next

@next/swc is not in the npm registry, or you have no permission to fetch it.

No authorization header was set for the request.

@bolt-new-by-stackblitz

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

changeset-bot Bot commented May 31, 2026

⚠️ No Changeset found

Latest commit: 9688327

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@kodiakhq kodiakhq Bot merged commit 60d86af into canary May 31, 2026
1 of 6 checks passed
@kodiakhq kodiakhq Bot deleted the renovate/devalue-4.x branch May 31, 2026 17:44
kodiakhq Bot pushed a commit that referenced this pull request May 31, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request May 31, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
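
The two parsing flaws described in the advisory quoted in the commit message above, reproduced on a simplified model of the flattened format (an added example, not part of this pull request and not devalue's own code). `hydrate`, its `strict` option and `verdict` are hypothetical names, the payloads are constructed, and only plain objects, arrays and primitives are modelled; `strict: true` applies the two checks named in the v5.3.2 patch notes.

```javascript
// Simplified model of the flattened format: the payload is a JSON array,
// values[0] is the root, and each object property or array element holds
// the index of its value. Hypothetical helper, not devalue's implementation.
function hydrate(json, { strict }) {
  const values = JSON.parse(json);
  if (!Array.isArray(values) || values.length === 0) {
    throw new Error('Invalid input');
  }
  const hydrated = new Map(); // index -> revived value (also handles cycles)

  function resolve(index) {
    // Check 1: an index must be an in-range integer. Without this, a string
    // such as "push" is looked up on the array and finds Array.prototype.push.
    if (strict && !(Number.isInteger(index) && index >= 0 && index < values.length)) {
      throw new Error(`Invalid index ${JSON.stringify(index)}`);
    }
    if (hydrated.has(index)) return hydrated.get(index);

    const value = values[index];
    if (value === null || typeof value !== 'object') {
      hydrated.set(index, value);
      return value;
    }
    if (Array.isArray(value)) {
      const out = [];
      hydrated.set(index, out);
      for (const i of value) out.push(resolve(i));
      return out;
    }
    const out = {};
    hydrated.set(index, out);
    for (const key of Object.keys(value)) {
      // Check 2: JSON.parse makes "__proto__" an own key, but assigning it
      // on a normal object runs the prototype setter instead.
      if (strict && key === '__proto__') {
        throw new Error('__proto__ keys are not allowed');
      }
      out[key] = resolve(value[key]);
    }
    return out;
  }

  return resolve(0);
}

// Constructed payloads for the model above.
const PROTO_PAYLOAD = '[{"x":1,"__proto__":2},3,{"magnitude":3},"nope"]';
const METHOD_PAYLOAD = '[{"toString":"push"}]';
const BENIGN_PAYLOAD = '[{"message":1},"hello"]';

// What a strict parser does with a payload.
function verdict(json) {
  try {
    hydrate(json, { strict: true });
    return 'accepted';
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// Without the checks: "magnitude" is inherited from an attacker-chosen
// prototype, so it is invisible to Object.keys() / own-property validation.
const lax = hydrate(PROTO_PAYLOAD, { strict: false });
console.log(Object.keys(lax), lax.magnitude);

for (const payload of [PROTO_PAYLOAD, METHOD_PAYLOAD, BENIGN_PAYLOAD]) {
  console.log(payload, '->', verdict(payload));
}
```

A validator that inspects only own properties of the lax result misses `magnitude` entirely, which is the server-side validation bypass the advisory refers to.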
kodiakhq Bot pushed a commit that referenced this pull request May 31, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request May 31, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request May 31, 2026
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#&#8203;2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#&#8203;2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@&#8203;octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 1, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
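
The two checks named in the v5.3.2 patch notes of the advisory above, shown on a simplified model of index-based hydration. This is an added example, not devalue's source and not part of this PR; `hydrate`, `isRejected` and the `strict` option are hypothetical names, and the model handles only plain objects, arrays and primitives.

```javascript
// Simplified model (assumption, NOT devalue's implementation): a payload is a
// JSON array of slots; slot 0 is the root, and each object property or array
// element stores the index of the slot that holds its value.

// Sample payloads. BENIGN and METHOD_REF are the strings shown in the advisory;
// PROTO_KEY is constructed for this example.
const BENIGN = '[{"message":1},"hello"]';
const METHOD_REF = '[{"toString":"push"}]';
const PROTO_KEY = '[{"x":1,"__proto__":2},3,{"y":1}]';

function hydrate(json, { strict }) {
  const slots = JSON.parse(json);
  if (!Array.isArray(slots) || slots.length === 0) {
    throw new Error("payload must be a non-empty array");
  }
  // Cache of already hydrated slots. It is a real Array, so a lookup with a
  // non-numeric key falls through to Array.prototype.
  const done = new Array(slots.length);

  function resolve(ref) {
    // Check 1: a reference must be an in-range integer slot index.
    if (strict && !(Number.isInteger(ref) && ref >= 0 && ref < slots.length)) {
      throw new Error("invalid slot reference: " + JSON.stringify(ref));
    }
    // Without check 1, `"push" in done` is true (inherited) and the
    // array method itself is returned as the "hydrated value".
    if (ref in done) return done[ref];

    const raw = slots[ref];
    if (raw === null || typeof raw !== "object") {
      return (done[ref] = raw);
    }
    if (Array.isArray(raw)) {
      const list = (done[ref] = new Array(raw.length));
      raw.forEach((child, i) => {
        list[i] = resolve(child);
      });
      return list;
    }

    const object = (done[ref] = {});
    // JSON.parse stores "__proto__" as an ordinary own key, so it shows up here.
    for (const key of Object.keys(raw)) {
      // Check 2: refuse the key whose assignment would replace the prototype.
      if (strict && key === "__proto__") {
        throw new Error("__proto__ keys are not allowed");
      }
      // Without check 2, this assignment runs the Object.prototype
      // __proto__ setter instead of creating a data property.
      object[key] = resolve(raw[key]);
    }
    return object;
  }

  return resolve(0);
}

// True when the hardened mode refuses the payload.
function isRejected(json) {
  try {
    hydrate(json, { strict: true });
    return false;
  } catch {
    return true;
  }
}
```

With `strict: false` the model reproduces both behaviours the advisory describes; with `strict: true` both payloads are refused while the benign one still round-trips.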
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react)) | [`18.3.29` → `18.3.30`](https://renovatebot.com/diffs/npm/@types%2freact/18.2.79/18.3.30) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2freact/18.3.30?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2freact/18.2.79/18.3.30?slim=true) |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react)) | [`18.3.29` → `18.3.30`](https://renovatebot.com/diffs/npm/@types%2freact/18.3.29/18.3.30) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2freact/18.3.30?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2freact/18.3.29/18.3.30?slim=true) |
| [@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react-dom) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom)) | [`18.2.25` → `18.3.7`](https://renovatebot.com/diffs/npm/@types%2freact-dom/18.2.25/18.3.7) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2freact-dom/18.3.7?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2freact-dom/18.2.25/18.3.7?slim=true) |
| [@types/react-is](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/react-is) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-is)) | [`18.2.4` → `18.3.1`](https://renovatebot.com/diffs/npm/@types%2freact-is/18.2.4/18.3.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2freact-is/18.3.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2freact-is/18.2.4/18.3.1?slim=true) |
| [eslint-plugin-react-hooks](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks)) | [`5.0.0-next-fecc288b7-20221025` → `5.2.0`](https://renovatebot.com/diffs/npm/eslint-plugin-react-hooks/5.0.0-next-fecc288b7-20221025/5.2.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-plugin-react-hooks/5.2.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-plugin-react-hooks/5.0.0-next-fecc288b7-20221025/5.2.0?slim=true) |
| [eslint-plugin-react-hooks](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks)) | [`4.6.0` → `4.6.2`](https://renovatebot.com/diffs/npm/eslint-plugin-react-hooks/4.6.0/4.6.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/eslint-plugin-react-hooks/4.6.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint-plugin-react-hooks/4.6.0/4.6.2?slim=true) |
| [react](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react)) | [`18.2.0` → `18.3.1`](https://renovatebot.com/diffs/npm/react/18.2.0/18.3.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/react/18.3.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/react/18.2.0/18.3.1?slim=true) |
| [react-dom](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react-dom)) | [`18.2.0` → `18.3.1`](https://renovatebot.com/diffs/npm/react-dom/18.2.0/18.3.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/react-dom/18.3.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/react-dom/18.2.0/18.3.1?slim=true) |
| [react-is](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react-is)) | [`18.2.0` → `18.3.1`](https://renovatebot.com/diffs/npm/react-is/18.2.0/18.3.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/react-is/18.3.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/react-is/18.2.0/18.3.1?slim=true) |
| [react-refresh](https://react.dev/) ([source](https://github.com/facebook/react/tree/HEAD/packages/react)) | [`0.14.0` → `0.18.0`](https://renovatebot.com/diffs/npm/react-refresh/0.14.0/0.18.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/react-refresh/0.18.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/react-refresh/0.14.0/0.18.0?slim=true) |

---

### Release Notes

<details>
<summary>facebook/react (eslint-plugin-react-hooks)</summary>

### [`v5.2.0`](https://github.com/facebook/react/blob/HEAD/packages/eslint-plugin-react-hooks/CHANGELOG.md#520)

[Compare Source](https://github.com/facebook/react/compare/63cde684f5340b1ca73f6244501aac1c3d2c92a8...3607f4838a8f4a87160da36aa26bb1432d7a5f11)

- Support flat config ([@&#8203;michaelfaith](https://github.com/michaelfaith) in [#&#8203;30774](https://github.com/facebook/react/pull/30774))
- Convert the plugin to TypeScript and provide package type declarations ([@&#8203;michaelfaith](https://github.com/michaelfaith) in [#&#8203;32279](https://github.com/facebook/react/pull/32279), [#&#8203;32283](https://github.com/facebook/react/pull/32283), [#&#8203;32240](https://github.com/facebook/react/pull/32240), [#&#8203;32400](https://github.com/facebook/react/pull/32400) and [@&#8203;poteto](https://github.com/poteto) in [#&#8203;32420](https://github.com/facebook/react/pull/32420))
- Fix false positive error in components with `do`/`while` loops ([@&#8203;tyxla](https://github.com/tyxla) in [#&#8203;31720](https://github.com/facebook/react/pull/31720))
- Detect issues in class properties ([@&#8203;mjesun](https://github.com/mjesun) & [@&#8203;ecraig12345](https://github.com/ecraig12345) in [#&#8203;31823](https://github.com/facebook/react/pull/31823))

### [`v5.1.0`](https://github.com/facebook/react/blob/HEAD/packages/eslint-plugin-react-hooks/CHANGELOG.md#510)

[Compare Source](https://github.com/facebook/react/compare/eslint-plugin-react-hooks@5.0.0...63cde684f5340b1ca73f6244501aac1c3d2c92a8)

- Add support for `do`/`while` loops ([@&#8203;tyxla](https://github.com/tyxla) in [#&#8203;28714](https://github.com/facebook/react/pull/28714))
- Fix error when callback argument is an identifier with an `as` expression ([@&#8203;mskelton](https://github.com/mskelton) in [#&#8203;31119](https://github.com/facebook/react/pull/31119))

### [`v5.0.0`](https://github.com/facebook/react/blob/HEAD/packages/eslint-plugin-react-hooks/CHANGELOG.md#500)

[Compare Source](https://github.com/facebook/react/compare/fecc288b7dce182fbc3056b3f98a445a95fb1e68...eslint-plugin-react-hooks@5.0.0)

- **New Violations:** Component names now need to start with an uppercase letter instead of a non-lowercase letter. This means `_Button` or `_component` are no longer valid. ([@&#8203;kassens](https://github.com/kassens)) in [#&#8203;25162](https://github.com/facebook/react/pull/25162)

* Consider dispatch from `useActionState` stable. ([@&#8203;eps1lon](https://github.com/eps1lon) in [#&#8203;29665](https://github.com/facebook/react/pull/29665))
* Add support for ESLint v9. ([@&#8203;eps1lon](https://github.com/eps1lon) in [#&#8203;28773](https://github.com/facebook/react/pull/28773))
* Accept `as` expression in callback. ([@&#8203;StyleShit](https://github.com/StyleShit) in [#&#8203;28202](https://github.com/facebook/react/pull/28202))
* Accept `as` expressions in deps array. ([@&#8203;StyleShit](https://github.com/StyleShit) in [#&#8203;28189](https://github.com/facebook/react/pull/28189))
* Treat `React.use()` the same as `use()`. ([@&#8203;kassens](https://github.com/kassens) in [#&#8203;27769](https://github.com/facebook/react/pull/27769))
* Move `use()` lint to non-experimental. ([@&#8203;kassens](https://github.com/kassens) in [#&#8203;27768](https://github.com/facebook/react/pull/27768))
* Support Flow `as` expressions. ([@&#8203;cpojer](https://github.com/cpojer) in [#&#8203;27590](https://github.com/facebook/react/pull/27590))
* Allow `useEffect(fn, undefined)`. ([@&#8203;kassens](https://github.com/kassens) in [#&#8203;27525](https://github.com/facebook/react/pull/27525))
* Disallow hooks in async functions. ([@&#8203;acdlite](https://github.com/acdlite) in [#&#8203;27045](https://github.com/facebook/react/pull/27045))
* Rename experimental `useEvent` to `useEffectEvent`. ([@&#8203;sebmarkbage](https://github.com/sebmarkbage) in [#&#8203;25881](https://github.com/facebook/react/pull/25881))
* Lint for presence of `useEvent` functions in dependency lists. ([@&#8203;poteto](https://github.com/poteto) in [#&#8203;25512](https://github.com/facebook/react/pull/25512))
* Check `useEvent` references instead. ([@&#8203;poteto](https://github.com/poteto) in [#&#8203;25319](https://github.com/facebook/react/pull/25319))
* Update `RulesOfHooks` with `useEvent` rules. ([@&#8203;poteto](https://github.com/poteto) in [#&#8203;25285](https://github.com/facebook/react/pull/25285))

</details>

<details>
<summary>facebook/react (react)</summary>

### [`v18.3.1`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1831-April-26-2024)

[Compare Source](https://github.com/facebook/react/compare/v18.3.0...v18.3.1)

- Export `act` from `react` [f1338f](https://github.com/facebook/react/commit/f1338f8080abd1386454a10bbf93d67bfe37ce85)

### [`v18.3.0`](https://github.com/facebook/react/blob/HEAD/CHANGELOG.md#1830-April-25-2024)

[Compare Source](https://github.com/facebook/react/compare/v18.2.0...v18.3.0)

This release is identical to 18.2 but adds warnings for deprecated APIs and other changes that are needed for React 19.

Read the [React 19 Upgrade Guide](https://react.dev/blog/2024/04/25/react-19-upgrade-guide) for more info.

##### React

- Allow writing to `this.refs` to support string ref codemod [909071](https://github.com/facebook/react/commit/9090712fd3ca4e1099e1f92e67933c2cb4f32552)
- Warn for deprecated `findDOMNode` outside StrictMode [c3b283](https://github.com/facebook/react/commit/c3b283964108b0e8dbcf1f9eb2e7e67815e39dfb)
- Warn for deprecated `test-utils` methods [d4ea75](https://github.com/facebook/react/commit/d4ea75dc4258095593b6ac764289f42bddeb835c)
- Warn for deprecated Legacy Context outside StrictMode [415ee0](https://github.com/facebook/react/commit/415ee0e6ea0fe3e288e65868df2e3241143d5f7f)
- Warn for deprecated string refs outside StrictMode [#&#8203;25383](https://github.com/facebook/react/pull/25383)
- Warn for deprecated `defaultProps` for function components [#&#8203;25699](https://github.com/facebook/react/pull/25699)
- Warn when spreading `key` [#&#8203;25697](https://github.com/facebook/react/pull/25697)
- Warn when using `act` from `test-utils` [d4ea75](https://github.com/facebook/react/commit/d4ea75dc4258095593b6ac764289f42bddeb835c)

##### React DOM

- Warn for deprecated `unmountComponentAtNode` [8a015b](https://github.com/facebook/react/commit/8a015b68cc060079878e426610e64e86fb328f8d)
- Warn for deprecated `renderToStaticNodeStream` [#&#8203;28874](https://github.com/facebook/react/pull/28874)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
import * as devalue from 'devalue';

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

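// Slot 0 is a plain object whose `__proto__` key references slot 4, the revived Vector;
// its own `x`, `y` and `magnitude` entries then shadow the Vector's fields and getter.
const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;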

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#&#8203;2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#&#8203;2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@&#8203;octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
import * as devalue from 'devalue';

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

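// Slot 0 is a plain object whose `__proto__` key references slot 4, the revived Vector;
// its own `x`, `y` and `magnitude` entries then shadow the Vector's fields and getter.
const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;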

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
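
The two `devalue.parse` issues described in the CVE-2025-57820 advisory in the commit messages above both come down to the shape of the serialized array, so they can be spotted before parsing. The following is an added example, not code from devalue or from this repository: `auditDevaluePayload` is a hypothetical helper, it only inspects plain objects and untagged arrays, and it assumes negative integers are devalue's reserved sentinel values.

```javascript
// Added example: structural pre-check for a devalue.stringify-style payload.
// Flags the two shapes named in the advisory: an object slot with a
// `__proto__` key, and a reference that is not a numeric index.
// Assumption: negative integers are reserved sentinels, so only
// non-negative references are range-checked.
function auditDevaluePayload(serialized) {
  const findings = [];
  let values;
  try {
    values = JSON.parse(serialized);
  } catch {
    return [{ slot: null, key: null, reason: "payload is not valid JSON" }];
  }

  // A bare number is a standalone value with nothing to dereference.
  if (typeof values === "number") return findings;
  if (!Array.isArray(values)) {
    return [{ slot: null, key: null, reason: "top level is not an array" }];
  }

  // Every reference inside a slot must be an integer index into `values`.
  const checkRef = (slot, key, ref) => {
    if (!Number.isInteger(ref)) {
      findings.push({
        slot,
        key,
        reason: `non-numeric reference ${JSON.stringify(ref)}`,
      });
    } else if (ref >= values.length) {
      findings.push({ slot, key, reason: `reference ${ref} is out of range` });
    }
  };

  values.forEach((entry, slot) => {
    // Strings, numbers, booleans and null are leaf values.
    if (entry === null || typeof entry !== "object") return;

    if (Array.isArray(entry)) {
      // Tagged entries such as ["Vector", 5] start with a type name and
      // have type-specific layouts; this sketch does not inspect them.
      if (typeof entry[0] === "string") return;
      entry.forEach((ref, i) => checkRef(slot, String(i), ref));
      return;
    }

    // JSON.parse stores "__proto__" as an own key, so it is visible here.
    for (const [key, ref] of Object.entries(entry)) {
      if (key === "__proto__") {
        findings.push({ slot, key, reason: "`__proto__` key on object" });
      }
      checkRef(slot, key, ref);
    }
  });

  return findings;
}

// Payload strings quoted from the advisory text above.
const BENIGN = '[{"message":1},"hello"]';
const METHOD_REF = '[{"toString":"push"}]';
const PROTO_KEY =
  '[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]';

for (const sample of [BENIGN, METHOD_REF, PROTO_KEY]) {
  const findings = auditDevaluePayload(sample);
  console.log(findings.length === 0 ? "clean" : "rejected", sample, findings);
}
```

A check like this is a stopgap for trees still pinned below v5.3.2, the release whose patch notes above list both fixes; it does not replace the upgrade.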
kodiakhq Bot pushed a commit that referenced this pull request Jun 2, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#&#8203;2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#&#8203;2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@&#8203;octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
import * as devalue from 'devalue';

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x); // 3
console.log(vector.y); // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
import * as devalue from 'devalue';

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x); // 3
console.log(vector.y); // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
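
The two checks named in the advisory quoted above (indices must be numeric, `__proto__` keys are refused), run against the advisory's own two payloads. This is an added example, not devalue's source and not part of the Renovate message; `parseFlattened`, its `hardened` flag and the reduced format (element 0 is the root, no special negative constants) are assumptions made for illustration.

```javascript
// Simplified model of an index-based flattened format, constructed for this example.
// NOT devalue's code: element 0 is the root, and every object property or array slot
// stores the index of its value inside the same top-level array.

class Vector {
  constructor(x, y) { this.x = x; this.y = y; }
  get magnitude() { return (this.x ** 2 + this.y ** 2) ** 0.5; }
}

function parseFlattened(text, revivers = {}, hardened = true) {
  const values = JSON.parse(text);
  if (!Array.isArray(values) || values.length === 0) throw new Error('Invalid input');
  const hydrated = new Map(); // index -> already-built value (also handles cycles)

  function get(index) {
    // Check 1: an index must be an in-range integer. Without it, a string such as
    // "push" is looked up on the array and resolves to Array.prototype.push.
    if (hardened && !(Number.isInteger(index) && index >= 0 && index < values.length)) {
      throw new Error(`Invalid index: ${JSON.stringify(index)}`);
    }
    if (hydrated.has(index)) return hydrated.get(index);
    const value = values[index];
    if (value === null || typeof value !== 'object') return value;

    if (Array.isArray(value)) {
      if (typeof value[0] === 'string') {
        // ["TypeName", index] is a custom type; only own reviver names are accepted.
        const known = Object.prototype.hasOwnProperty.call(revivers, value[0]);
        if (!known) throw new Error(`Unknown type: ${value[0]}`);
        const revived = revivers[value[0]](get(value[1]));
        hydrated.set(index, revived);
        return revived;
      }
      const array = [];
      hydrated.set(index, array);
      for (const slot of value) array.push(get(slot));
      return array;
    }

    const object = {};
    hydrated.set(index, object);
    for (const key of Object.keys(value)) {
      // Check 2: JSON.parse creates "__proto__" as an own key, but assigning it on a
      // plain object invokes the prototype setter instead of creating a property.
      if (hardened && key === '__proto__') {
        throw new Error('Cannot parse an object with a `__proto__` property');
      }
      object[key] = get(value[key]);
    }
    return object;
  }

  return get(0);
}

// Payloads quoted in the advisory.
const PROTO_PAYLOAD =
  '[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]';
const METHOD_PAYLOAD = '[{"toString":"push"}]';
const revivers = { Vector: ([x, y]) => new Vector(x, y) };

// Returns { ok, value } on success or { ok, error } when the parser rejects the input.
function tryParse(text, hardened) {
  try {
    return { ok: true, value: parseFlattened(text, revivers, hardened) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

for (const [name, payload] of [['__proto__', PROTO_PAYLOAD], ['array method', METHOD_PAYLOAD]]) {
  const unchecked = tryParse(payload, false);
  const checked = tryParse(payload, true);
  console.log(`${name}: unchecked accepted=${unchecked.ok}, hardened accepted=${checked.ok}` +
    (checked.ok ? '' : ` (${checked.error})`));
}
```
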
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
import * as devalue from 'devalue';

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x); // 3
console.log(vector.y); // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
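
Added example, not devalue's source and not part of the commit message: a simplified model of a hydrator for the flattened format, reproducing both behaviours from the GHSA-vj54-72f3-p5jv details above and showing the two input checks that reject them. `hydrateModel`, `tryHydrate` and the `hardened` option are hypothetical names; the two payloads are the ones quoted in the advisory.

```javascript
// Simplified model of the flattened format: values[0] is the root, and object
// properties / array items are indices into `values`. Assumption: devalue's
// special negative constants and built-in types (Date, Map, ...) are omitted.
function hydrateModel(json, revivers = {}, { hardened = false } = {}) {
  const values = JSON.parse(json);
  if (!Array.isArray(values) || values.length === 0) throw new Error('Invalid input');
  const hydrated = new Array(values.length);

  function hydrate(index) {
    // Check 1 (hardened): a reference must be an in-range integer position.
    if (hardened && !(Number.isInteger(index) && index >= 0 && index < values.length)) {
      throw new Error(`Invalid input: ${JSON.stringify(index)} is not a valid index`);
    }
    // Without check 1, `in` also matches inherited names such as "push",
    // so an Array.prototype method is returned as if it were a hydrated value.
    if (index in hydrated) return hydrated[index];

    const value = values[index];
    if (!value || typeof value !== 'object') {
      hydrated[index] = value;
    } else if (Array.isArray(value)) {
      if (typeof value[0] === 'string') {
        // ["TypeName", index]: custom type handled by a caller-supplied reviver.
        const known = Object.prototype.hasOwnProperty.call(revivers, value[0]);
        if (!known) throw new Error(`Unknown type ${value[0]}`);
        hydrated[index] = revivers[value[0]](hydrate(value[1]));
      } else {
        const array = new Array(value.length);
        hydrated[index] = array;
        for (let i = 0; i < value.length; i++) array[i] = hydrate(value[i]);
      }
    } else {
      const object = {};
      hydrated[index] = object;
      // JSON.parse creates "__proto__" as an own key, so it is enumerated here.
      for (const key of Object.keys(value)) {
        // Check 2 (hardened): assigning object["__proto__"] would invoke the
        // prototype setter instead of creating a data property.
        if (hardened && key === '__proto__') {
          throw new Error('Invalid input: `__proto__` key is not allowed');
        }
        object[key] = hydrate(value[key]);
      }
    }
    return hydrated[index];
  }

  return hydrate(0);
}

// Class and reviver as in the advisory's first snippet.
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }
  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}
const revivers = { Vector: ([x, y]) => new Vector(x, y) };

// Payloads quoted from the advisory text.
const PROTO_PAYLOAD =
  '[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]';
const METHOD_PAYLOAD = '[{"toString":"push"}]';
// Well-formed payload, as produced by the stringify example in the advisory.
const BENIGN_PAYLOAD = '[{"message":1},"hello"]';

// Wrap the call so both outcomes (value or rejection) can be inspected.
function tryHydrate(json, hardened) {
  try {
    return { ok: true, value: hydrateModel(json, revivers, { hardened }) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

for (const [name, payload] of [
  ['__proto__ key', PROTO_PAYLOAD],
  ['non-numeric index', METHOD_PAYLOAD],
  ['benign', BENIGN_PAYLOAD],
]) {
  const before = tryHydrate(payload, false);
  const after = tryHydrate(payload, true);
  console.log(`${name}: unhardened ok=${before.ok}, hardened ok=${after.ok}`,
    after.ok ? '' : `(${after.error})`);
}
```

A value that passes `instanceof Vector` in the unhardened run still carries an own `magnitude` of `"nope"`, which is why type checks alone do not validate data parsed by an affected version.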
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 3, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#&#8203;2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#&#8203;2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@&#8203;octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#&#8203;95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#&#8203;80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#&#8203;69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#&#8203;81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#&#8203;82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#&#8203;78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
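
The two parsing flaws described in the advisory quoted in the commit messages on this page, reproduced against a simplified model of the flat payload format and then rejected by two checks (an integer, in-range index and a refused `__proto__` key). This is an added example, not devalue's source and not part of the commit message; `parseFlat`, `outcome` and `demo` are hypothetical names, the two hostile payloads are the ones quoted in the advisory, and the well-formed payload is constructed.

```javascript
// Added illustration: simplified model of a devalue-style flat payload.
// Not devalue's source. parseFlat, outcome and demo are hypothetical names.
// Modelled: primitives, plain objects, arrays of indices, ["Type", index] revivers.

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }
  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const revivers = { Vector: ([x, y]) => new Vector(x, y) };

function parseFlat(payload, revivers, strict) {
  const values = JSON.parse(payload);
  if (!Array.isArray(values) || values.length === 0) throw new Error('Invalid input');
  const hydrated = new Array(values.length);

  function hydrate(index) {
    // Check 1 (strict only): an index must be an integer inside the values array.
    if (strict && !(Number.isInteger(index) && index >= 0 && index < values.length)) {
      throw new Error(`Invalid index: ${JSON.stringify(index)}`);
    }
    // Without check 1, `"push" in hydrated` is true because arrays inherit push,
    // so a string "index" resolves to an Array.prototype method.
    if (index in hydrated) return hydrated[index];

    const value = values[index];
    if (value === null || typeof value !== 'object') {
      hydrated[index] = value;
    } else if (Array.isArray(value)) {
      if (typeof value[0] === 'string') {
        // ["Type", index]: hand the hydrated argument to an own-property reviver.
        const type = value[0];
        if (!Object.prototype.hasOwnProperty.call(revivers, type)) {
          throw new Error(`Unknown type ${type}`);
        }
        hydrated[index] = revivers[type](hydrate(value[1]));
      } else {
        const array = (hydrated[index] = new Array(value.length));
        for (let i = 0; i < value.length; i += 1) array[i] = hydrate(value[i]);
      }
    } else {
      const object = (hydrated[index] = {});
      for (const key of Object.keys(value)) {
        // Check 2 (strict only): JSON.parse yields an own "__proto__" key, and
        // assigning it through object[key] would swap the object's prototype.
        if (strict && key === '__proto__') {
          throw new Error('Cannot parse an object with a `__proto__` property');
        }
        object[key] = hydrate(value[key]);
      }
    }
    return hydrated[index];
  }

  return hydrate(0);
}

// Payloads quoted in the advisory, plus one well-formed payload (constructed).
const PROTO_PAYLOAD =
  '[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]';
const METHOD_PAYLOAD = '[{"toString":"push"}]';
const VALID_PAYLOAD = '[["Vector",1],[2,3],3,4]';

// Parse and report success or the rejection message instead of throwing.
function outcome(payload, strict) {
  try {
    return { ok: true, value: parseFlat(payload, revivers, strict) };
  } catch (error) {
    return { ok: false, error: error.message };
  }
}

function demo() {
  const forged = outcome(PROTO_PAYLOAD, false).value;
  const hijacked = outcome(METHOD_PAYLOAD, false).value;
  return {
    // Unchecked hydrator: the object passes instanceof but carries own overrides.
    forgedIsVector: forged instanceof Vector,
    forgedMagnitude: forged.magnitude,
    hijackedToString: hijacked.toString === Array.prototype.push,
    // Checked hydrator: both hostile payloads are refused, valid input still parses.
    strictProto: outcome(PROTO_PAYLOAD, true),
    strictMethod: outcome(METHOD_PAYLOAD, true),
    strictValid: outcome(VALID_PAYLOAD, true),
  };
}

console.log(demo());
```

Code that receives revived values should not treat `instanceof` alone as proof that a getter such as `magnitude` is the class's own; the unchecked run shows an own data property shadowing it.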

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#&#8203;61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#&#8203;64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^6.0.0` → `^9.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`6.0.1` → `9.1.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/9.1.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/9.1.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/9.1.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v9.1.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#911)

- Bump `undici` from `6.23.0` to `6.24.0` [#&#8203;2346](https://github.com/actions/toolkit/pull/2346)

### [`v9.1.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#910)

- Append `actions_orchestration_id` to user-agent when the `ACTIONS_ORCHESTRATION_ID` environment variable is set [#&#8203;2364](https://github.com/actions/toolkit/pull/2364)

### [`v9.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#900)

- **Breaking change**: Package is now ESM-only
  - CommonJS consumers must use dynamic `import()` instead of `require()`
  - Example: `const { getOctokit, context } = await import('@actions/github')`
- Fix TypeScript compilation by migrating to ESM, enabling proper imports from `@octokit/core/types`

### [`v8.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#801)

- Update `undici` to `6.23.0`
- Update `@actions/http-client` to `3.0.2`

### [`v8.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#800)

- Update [@&#8203;octokit](https://github.com/octokit) dependencies
  - `@octokit/core` ^7.0.6
  - `@octokit/plugin-paginate-rest` ^14.0.0
  - `@octokit/plugin-rest-endpoint-methods` ^17.0.0
  - `@octokit/request` ^10.0.7
  - `@octokit/request-error` ^7.1.0
- **Breaking change**: Minimum Node.js version is now 20 (previously 18)

### [`v7.0.0`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#700)

- Update to v3.0.1 of `@actions/http-client`

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#&#8203;2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#&#8203;1588](https://github.com/actions/toolkit/pull/1588)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).

kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
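
The two parser gaps described in the advisory above (a `__proto__` key on an object, and a property "index" that is not a number) can be checked structurally before a payload reaches `devalue.parse`. This is an added example, not code from devalue or from this PR: the function name `auditDevaluePayload` is hypothetical, and it assumes that the integers -1 to -6 are the format's sentinel values and that an array starting with a string is a tagged value such as `["Vector",5]`.

```javascript
// Added example: structural audit of a devalue-style payload (the flat JSON
// array shown in the advisory) before it is handed to devalue.parse.
// Assumption: integers -1..-6 are sentinels (undefined, hole, NaN, +/-Infinity, -0).
const LOWEST_SENTINEL = -6;

// A reference must be an integer: either a sentinel or an index into the flat array.
function isValidRef(ref, length) {
  return Number.isInteger(ref) && ref >= LOWEST_SENTINEL && ref < length;
}

// Returns a list of findings; an empty list means neither advisory pattern was seen.
function auditDevaluePayload(text) {
  let values;
  try {
    values = JSON.parse(text);
  } catch {
    return [{ slot: null, key: null, issue: 'not valid JSON' }];
  }

  // A bare number is only meaningful as a sentinel (for example -1 for undefined).
  if (typeof values === 'number') {
    return isValidRef(values, 0)
      ? []
      : [{ slot: null, key: null, issue: 'top-level number is not a sentinel' }];
  }
  if (!Array.isArray(values) || values.length === 0) {
    return [{ slot: null, key: null, issue: 'payload is not a non-empty array' }];
  }

  const findings = [];
  values.forEach((value, slot) => {
    // Primitives (strings, numbers, booleans, null) hold no references.
    if (value === null || typeof value !== 'object') return;

    if (Array.isArray(value)) {
      // Assumption: an array whose first element is a string is a tagged value;
      // its layout depends on the type, so it is not inspected here.
      if (typeof value[0] === 'string') return;
      value.forEach((ref, i) => {
        if (!isValidRef(ref, values.length)) {
          findings.push({ slot, key: String(i), issue: 'reference is not a valid index' });
        }
      });
      return;
    }

    // Plain object: JSON.parse stores "__proto__" as an ordinary own key, so it
    // is visible here even though a later obj[key] = value would hit the setter.
    for (const key of Object.keys(value)) {
      if (key === '__proto__') {
        findings.push({ slot, key, issue: '__proto__ key on object' });
      }
      if (!isValidRef(value[key], values.length)) {
        findings.push({ slot, key, issue: 'reference is not a valid index' });
      }
    }
  });
  return findings;
}

// Constructed inputs: one benign payload plus the two payloads quoted in the advisory.
const SAMPLES = {
  benign: '[{"message":1},"hello"]',
  protoKey: '[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]',
  methodName: '[{"toString":"push"}]',
};

for (const [name, payload] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(auditDevaluePayload(payload)));
}
```

Upgrading to v5.3.2, which the release notes above list as disallowing both patterns, remains the fix. A check like this is useful for rejecting or logging suspicious payloads at a service boundary.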
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`^9.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |
| [@actions/github](https://github.com/actions/toolkit/tree/main/packages/github) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/github)) | [`9.1.1` → `6.0.1`](https://renovatebot.com/diffs/npm/@actions%2fgithub/6.0.0/6.0.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fgithub/6.0.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fgithub/6.0.0/6.0.1?slim=true) |

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/github)</summary>

### [`v6.0.1`](https://github.com/actions/toolkit/blob/HEAD/packages/github/RELEASES.md#601)

- Dependency updates [#2043](https://github.com/actions/toolkit/pull/2043)
- Add `context.runAttempt` [#1588](https://github.com/actions/toolkit/pull/1588)

</details>

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`4.3.3` → `5.3.2`](https://renovatebot.com/diffs/npm/devalue/4.3.2/5.3.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/5.3.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/5.3.2?slim=true) |

---

### devalue prototype pollution vulnerability
[CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820) / [GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

<details>
<summary>More information</summary>

#### Details
##### 1. `devalue.parse` allows `__proto__` to be set

A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten:

```js
class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5
```

##### 2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values:

```js
devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]
```

`devalue.parse` does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

```js
const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0
```

This could be used by a creative attacker to bypass server-side validation.

#### Severity
- CVSS Score: 7.9 / 10 (High)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H`

#### References
- [https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv](https://github.com/sveltejs/devalue/security/advisories/GHSA-vj54-72f3-p5jv)
- [https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132](https://github.com/sveltejs/devalue/commit/0623a47c9555b639c03ff1baea82951b2d9d1132)
- [https://nvd.nist.gov/vuln/detail/CVE-2025-57820](https://nvd.nist.gov/vuln/detail/CVE-2025-57820)
- [https://github.com/advisories/GHSA-vj54-72f3-p5jv](https://github.com/advisories/GHSA-vj54-72f3-p5jv)

This data is provided by the [GitHub Advisory Database](https://github.com/advisories/GHSA-vj54-72f3-p5jv) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v5.3.2`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#532)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.1...v5.3.2)

##### Patch Changes

- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow array method access when parsing
- [`0623a47`](https://github.com/sveltejs/devalue/commit/0623a47): fix: disallow `__proto__` properties on objects

### [`v5.3.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#531)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.3.0...v5.3.1)

##### Patch Changes

- [`ae904c5`](https://github.com/sveltejs/devalue/commit/ae904c5): fix: correctly differentiate between +0 and -0

### [`v5.3.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#530)

[Compare Source](https://github.com/sveltejs/devalue/compare/81148214b72de8088591960ef348afd32b7e9e7d...v5.3.0)

##### Minor Changes

- [`2896e7b`](https://github.com/sveltejs/devalue/commit/2896e7b): feat: support Temporal
- [`fec694d`](https://github.com/sveltejs/devalue/commit/fec694d): feat: support `URL` and `URLSearchParams` objects

### [`v5.2.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#520)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.1...81148214b72de8088591960ef348afd32b7e9e7d)

- Handle custom classes with null proto as pojo ([#95](https://github.com/sveltejs/devalue/pull/95))

### [`v5.1.1`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#511)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.1.0...v5.1.1)

- Only iterate over own properties of reducers ([#80](https://github.com/Rich-Harris/devalue/pull/80))

### [`v5.1.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#510)

[Compare Source](https://github.com/sveltejs/devalue/compare/v5.0.0...v5.1.0)

- Handle typed arrays and array buffers ([#69](https://github.com/Rich-Harris/devalue/pull/69))
- Add `sideEffects: false` to `package.json` ([#81](https://github.com/Rich-Harris/devalue/pull/81))
- Better errors when keys are invalid identifiers ([#82](https://github.com/Rich-Harris/devalue/pull/82))

### [`v5.0.0`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#500)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.3...v5.0.0)

- Ignore non-enumerable symbolic keys ([#78](https://github.com/Rich-Harris/devalue/pull/78))

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [devalue](https://github.com/sveltejs/devalue) | [`5.3.2` → `4.3.3`](https://renovatebot.com/diffs/npm/devalue/4.3.2/4.3.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/devalue/4.3.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/devalue/4.3.2/4.3.3?slim=true) |

---

### Release Notes

<details>
<summary>sveltejs/devalue (devalue)</summary>

### [`v4.3.3`](https://github.com/sveltejs/devalue/blob/HEAD/CHANGELOG.md#433)

[Compare Source](https://github.com/sveltejs/devalue/compare/v4.3.2...v4.3.3)

- Support invalid dates ([#61](https://github.com/Rich-Harris/devalue/pull/61))
- Fix incorrect `error.path` when object contains a map ([#64](https://github.com/Rich-Harris/devalue/pull/64))

</details>

---


This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq Bot pushed a commit that referenced this pull request Jun 4, 2026
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [semver](https://github.com/npm/node-semver) | [`7.8.1` → `7.8.2`](https://renovatebot.com/diffs/npm/semver/7.6.0/7.8.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/semver/7.8.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/semver/7.6.0/7.8.2?slim=true) |
| [semver](https://github.com/npm/node-semver) | [`7.8.1` → `7.8.2`](https://renovatebot.com/diffs/npm/semver/7.7.1/7.8.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/semver/7.8.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/semver/7.7.1/7.8.2?slim=true) |

---

### Release Notes

<details>
<summary>npm/node-semver (semver)</summary>

### [`v7.8.2`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#782-2026-06-04)

[Compare Source](https://github.com/npm/node-semver/compare/v7.8.1...v7.8.2)

##### Bug Fixes

- [`bea6028`](https://github.com/npm/node-semver/commit/bea6028694a75e840f48b288ac019e9644cfe6e8) [#870](https://github.com/npm/node-semver/pull/870) increment dotted prerelease identifiers ([#870](https://github.com/npm/node-semver/issues/870)) ([@liuzemei](https://github.com/liuzemei), [@SheldonNeo](https://github.com/SheldonNeo))

### [`v7.8.1`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#781-2026-05-21)

[Compare Source](https://github.com/npm/node-semver/compare/v7.8.0...v7.8.1)

##### Bug Fixes

- [`17aa702`](https://github.com/npm/node-semver/commit/17aa702d91166472b197a2ea768f085083bee2e4) [#869](https://github.com/npm/node-semver/pull/869) strip build metadata before comparator trimming ([#869](https://github.com/npm/node-semver/issues/869)) ([@owlstronaut](https://github.com/owlstronaut))
- [`5f3ca13`](https://github.com/npm/node-semver/commit/5f3ca133e040210b6ea80c350a1d61d9da02e722) [#867](https://github.com/npm/node-semver/pull/867) handle prerelease bounds in subset ([#867](https://github.com/npm/node-semver/issues/867)) ([@puneetdixit200](https://github.com/puneetdixit200), Puneet Dixit)

### [`v7.8.0`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#780-2026-05-08)

[Compare Source](https://github.com/npm/node-semver/compare/v7.7.4...v7.8.0)

##### Features

- [`0d0a0a2`](https://github.com/npm/node-semver/commit/0d0a0a2582fb1486bc6cd255ba18819c441ed149) [#855](https://github.com/npm/node-semver/pull/855) Add `truncate` function ([#855](https://github.com/npm/node-semver/issues/855)) ([@pjohnmeyer](https://github.com/pjohnmeyer), [@owlstronaut](https://github.com/owlstronaut))

##### Bug Fixes

- [`3905343`](https://github.com/npm/node-semver/commit/3905343045dc293c3694d5e46170b1bb1fb5cf58) [#859](https://github.com/npm/node-semver/pull/859) Warn when defaulting to --inc=patch in CLI ([@pjohnmeyer](https://github.com/pjohnmeyer))

##### Documentation

- [`c368af6`](https://github.com/npm/node-semver/commit/c368af612e521767e960419e6388c5129c857984) [#853](https://github.com/npm/node-semver/pull/853) fix typos in documentation ([#853](https://github.com/npm/node-semver/issues/853)) ([@ankitkumar572005](https://github.com/ankitkumar572005))
- [`37776c3`](https://github.com/npm/node-semver/commit/37776c31e2f3448fd852c975888e37b03efe9afe) [#846](https://github.com/npm/node-semver/pull/846) fix BNF grammar to distinguish prerelease from build identifiers ([#846](https://github.com/npm/node-semver/issues/846)) ([@abhu85](https://github.com/abhu85), [@claude](https://github.com/claude))

##### Chores

- [`9542e09`](https://github.com/npm/node-semver/commit/9542e09ebcd89e916777d35eba868061dad9ed7d) [#860](https://github.com/npm/node-semver/pull/860) template-oss-apply ([@owlstronaut](https://github.com/owlstronaut))
- [`937bc2c`](https://github.com/npm/node-semver/commit/937bc2cd8721db14745c9be123078c44e77a86ef) [#860](https://github.com/npm/node-semver/pull/860) `template-oss-apply@5.0.0` ([@owlstronaut](https://github.com/owlstronaut))
- [`6946fef`](https://github.com/npm/node-semver/commit/6946fefa57bd5e191871a4738b28ca673e003527) [#852](https://github.com/npm/node-semver/pull/852) bump [@npmcli/template-oss](https://github.com/npmcli/template-oss) from 4.29.0 to 4.30.0 ([#852](https://github.com/npm/node-semver/issues/852)) ([@dependabot](https://github.com/dependabot)\[bot], [@npm-cli-bot](https://github.com/npm-cli-bot))

### [`v7.7.4`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#774-2026-01-16)

[Compare Source](https://github.com/npm/node-semver/compare/v7.7.3...v7.7.4)

##### Bug Fixes

- [`a29faa5`](https://github.com/npm/node-semver/commit/a29faa5f3309a01c8e5aeb965fb5c02c4c4e80e2) [#835](https://github.com/npm/node-semver/pull/835) cli: pass options to semver.valid() for loose version validation ([#835](https://github.com/npm/node-semver/issues/835)) ([@mldangelo](https://github.com/mldangelo))

##### Documentation

- [`1d28d5e`](https://github.com/npm/node-semver/commit/1d28d5e82de16163daf721a7c76fff93e0d333ab) [#836](https://github.com/npm/node-semver/pull/836) fix typos and update -n CLI option documentation ([#836](https://github.com/npm/node-semver/issues/836)) ([@mldangelo](https://github.com/mldangelo))

##### Dependencies

- [`120968b`](https://github.com/npm/node-semver/commit/120968b76760cb0db85a72bde2adedd0e9628793) [#840](https://github.com/npm/node-semver/pull/840) `@npmcli/template-oss@4.29.0` ([#840](https://github.com/npm/node-semver/issues/840))

##### Chores

- [`44d7130`](https://github.com/npm/node-semver/commit/44d7130c60cedd3703048aa671bb1d659b79ab07) [#824](https://github.com/npm/node-semver/pull/824) bump [@npmcli/eslint-config](https://github.com/npmcli/eslint-config) from 5.1.0 to 6.0.0 ([#824](https://github.com/npm/node-semver/issues/824)) ([@dependabot](https://github.com/dependabot)\[bot])
- [`7073576`](https://github.com/npm/node-semver/commit/70735767b68a1775eb67ac816b183b4a422101f4) [#820](https://github.com/npm/node-semver/pull/820) reorder parameters in invalid-versions.js test ([#820](https://github.com/npm/node-semver/issues/820)) ([@reggi](https://github.com/reggi))
- [`5816d4c`](https://github.com/npm/node-semver/commit/5816d4cfd6d85169527a2bc22fbd5bf4c64f34e3) [#829](https://github.com/npm/node-semver/pull/829) bump [@npmcli/template-oss](https://github.com/npmcli/template-oss) from 4.28.0 to 4.28.1 ([#829](https://github.com/npm/node-semver/issues/829)) ([@dependabot](https://github.com/dependabot)\[bot], [@npm-cli-bot](https://github.com/npm-cli-bot))

### [`v7.7.3`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#773-2025-10-06)

[Compare Source](https://github.com/npm/node-semver/compare/v7.7.2...v7.7.3)

##### Bug Fixes

- [`e37e0ca`](https://github.com/npm/node-semver/commit/e37e0ca0b5fc910d2b1948d25dbc83cc3a0921ea) [#813](https://github.com/npm/node-semver/pull/813) faster paths for compare ([#813](https://github.com/npm/node-semver/issues/813)) ([@H4ad](https://github.com/H4ad))
- [`2471d75`](https://github.com/npm/node-semver/commit/2471d7543e2e63d9d95358e2405e7e1cde926c36) [#811](https://github.com/npm/node-semver/pull/811) x-range build metadata support (i529015)

##### Chores

- [`8f05c87`](https://github.com/npm/node-semver/commit/8f05c87f56a4123259b8c6d9324f53eadb02e48f) [#807](https://github.com/npm/node-semver/pull/807) bump [@npmcli/template-oss](https://github.com/npmcli/template-oss) from 4.25.0 to 4.25.1 ([#807](https://github.com/npm/node-semver/issues/807)) ([@dependabot](https://github.com/dependabot)\[bot], [@owlstronaut](https://github.com/owlstronaut))

### [`v7.7.2`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#772-2025-05-12)

[Compare Source](https://github.com/npm/node-semver/compare/v7.7.1...v7.7.2)

##### Bug Fixes

- [`fcafb61`](https://github.com/npm/node-semver/commit/fcafb61ed566ff8ccf24818dd94b76738f037aa4) [#780](https://github.com/npm/node-semver/pull/780) add missing `'use strict'` directives ([#780](https://github.com/npm/node-semver/issues/780)) ([@Fdawgs](https://github.com/Fdawgs))
- [`c99f336`](https://github.com/npm/node-semver/commit/c99f336fa3bdff465652f9041eab2127d2f52eb2) [#781](https://github.com/npm/node-semver/pull/781) prerelease identifier starting with digits ([#781](https://github.com/npm/node-semver/issues/781)) ([@mbtools](https://github.com/mbtools))

##### Chores

- [`c760403`](https://github.com/npm/node-semver/commit/c760403b935d3ad35f83e9bbe5ebe1badef2fc71) [#&#8203;784](https://github.com/npm/node-semver/pull/784) template-oss-apply for workflow permissions ([#&#8203;784](https://github.com/npm/node-semver/issues/784)) ([@&#8203;wraithgar](https://github.com/wraithgar))
- [`2677f2a`](https://github.com/npm/node-semver/commit/2677f2a88334b0e728dbfe9ad9f5f57458437c87) [#&#8203;778](https://github.com/npm/node-semver/pull/778) bump [@&#8203;npmcli/template-oss](https://github.com/npmcli/template-oss) from 4.23.6 to 4.24.3 ([#&#8203;778](https://github.com/npm/node-semver/issues/778)) ([@&#8203;dependabot](https://github.com/dependabot)\[bot], [@&#8203;npm-cli-bot](https://github.com/npm-cli-bot))

### [`v7.7.1`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#771-2025-02-03)

[Compare Source](https://github.com/npm/node-semver/compare/v7.7.0...v7.7.1)

##### Bug Fixes

- [`af761c0`](https://github.com/npm/node-semver/commit/af761c05bd53eef83b5e20f8b09360b0e70557dc) [#&#8203;764](https://github.com/npm/node-semver/pull/764) inc: fully capture prerelease identifier ([#&#8203;764](https://github.com/npm/node-semver/issues/764)) ([@&#8203;wraithgar](https://github.com/wraithgar))

### [`v7.7.0`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#770-2025-01-29)

[Compare Source](https://github.com/npm/node-semver/compare/v7.6.3...v7.7.0)

##### Features

- [`0864b3c`](https://github.com/npm/node-semver/commit/0864b3ce7932667013e0c7c5ec764777d4682883) [#&#8203;753](https://github.com/npm/node-semver/pull/753) add "release" inc type ([#&#8203;753](https://github.com/npm/node-semver/issues/753)) ([@&#8203;mbtools](https://github.com/mbtools))

##### Bug Fixes

- [`d588e37`](https://github.com/npm/node-semver/commit/d588e3782864b1cab2fe9f2452b848e8c7f609d1) [#&#8203;755](https://github.com/npm/node-semver/pull/755) diff: fix prerelease to stable version diff logic ([#&#8203;755](https://github.com/npm/node-semver/issues/755)) ([@&#8203;eminberkayd](https://github.com/eminberkayd), berkay.daglar)
- [`8a34bde`](https://github.com/npm/node-semver/commit/8a34bdecc783407f4e1a8a1ee1f67906b84a4b78) [#&#8203;754](https://github.com/npm/node-semver/pull/754) add identifier validation to `inc()` ([#&#8203;754](https://github.com/npm/node-semver/issues/754)) ([@&#8203;mbtools](https://github.com/mbtools))

##### Documentation

- [`67e5478`](https://github.com/npm/node-semver/commit/67e54785a0f871361230f84323cbb631b9b6d834) [#&#8203;756](https://github.com/npm/node-semver/pull/756) readme: added missing period for consistency ([#&#8203;756](https://github.com/npm/node-semver/issues/756)) ([@&#8203;shaymolcho](https://github.com/shaymolcho))
- [`868d4bb`](https://github.com/npm/node-semver/commit/868d4bbe3d318c52544f38d5f9977a1103e924c2) [#&#8203;749](https://github.com/npm/node-semver/pull/749) clarify comment about obsolete prefixes ([#&#8203;749](https://github.com/npm/node-semver/issues/749)) ([@&#8203;mbtools](https://github.com/mbtools), [@&#8203;ljharb](https://github.com/ljharb))

##### Chores

- [`145c554`](https://github.com/npm/node-semver/commit/145c554b8c7b7ecfcb451153ad18bdb2f24ad10d) [#&#8203;741](https://github.com/npm/node-semver/pull/741) bump [@&#8203;npmcli/eslint-config](https://github.com/npmcli/eslint-config) from 4.0.5 to 5.0.0 ([@&#8203;dependabot](https://github.com/dependabot)\[bot])
- [`753e02b`](https://github.com/npm/node-semver/commit/753e02b9d0cb3ac23e085dc33efcab3e08d61f2b) [#&#8203;747](https://github.com/npm/node-semver/pull/747) bump [@&#8203;npmcli/template-oss](https://github.com/npmcli/template-oss) from 4.23.3 to 4.23.4 ([#&#8203;747](https://github.com/npm/node-semver/issues/747)) ([@&#8203;dependabot](https://github.com/dependabot)\[bot], [@&#8203;npm-cli-bot](https://github.com/npm-cli-bot))
- [`0b812d5`](https://github.com/npm/node-semver/commit/0b812d5fb5fbb208e89dc1250e2efafeaa549437) [#&#8203;744](https://github.com/npm/node-semver/pull/744) postinstall for dependabot template-oss PR ([@&#8203;hashtagchris](https://github.com/hashtagchris))

### [`v7.6.3`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#763-2024-07-16)

[Compare Source](https://github.com/npm/node-semver/compare/v7.6.2...v7.6.3)

##### Bug Fixes

- [`73a3d79`](https://github.com/npm/node-semver/commit/73a3d79c4ec32d5dd62c9d5f64e5af7fbdad9ec0) [#&#8203;726](https://github.com/npm/node-semver/pull/726) optimize Range parsing and formatting ([#&#8203;726](https://github.com/npm/node-semver/issues/726)) ([@&#8203;jviide](https://github.com/jviide))

##### Documentation

- [`2975ece`](https://github.com/npm/node-semver/commit/2975ece120e17660c9f1ef517de45c09ff821064) [#&#8203;719](https://github.com/npm/node-semver/pull/719) fix extra backtick typo ([#&#8203;719](https://github.com/npm/node-semver/issues/719)) ([@&#8203;stdavis](https://github.com/stdavis))

### [`v7.6.2`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#762-2024-05-09)

[Compare Source](https://github.com/npm/node-semver/compare/v7.6.1...v7.6.2)

##### Bug Fixes

- [`6466ba9`](https://github.com/npm/node-semver/commit/6466ba9b540252db405fdd2a289dd4651495beea) [#&#8203;713](https://github.com/npm/node-semver/pull/713) lru: use map.delete() directly ([#&#8203;713](https://github.com/npm/node-semver/issues/713)) ([@&#8203;negezor](https://github.com/negezor), [@&#8203;lukekarrys](https://github.com/lukekarrys))

### [`v7.6.1`](https://github.com/npm/node-semver/blob/HEAD/CHANGELOG.md#761-2024-05-04)

[Compare Source](https://github.com/npm/node-semver/compare/v7.6.0...v7.6.1)

##### Bug Fixes

- [`c570a34`](https://github.com/npm/node-semver/commit/c570a348ffc6612af07fe94fa46b9affa5e4eff0) [#&#8203;704](https://github.com/npm/node-semver/pull/704) linting: no-unused-vars ([@&#8203;wraithgar](https://github.com/wraithgar))
- [`ad8ff11`](https://github.com/npm/node-semver/commit/ad8ff11dd200dac3a05097d9a82d1977ccfa1535) [#&#8203;704](https://github.com/npm/node-semver/pull/704) use internal cache implementation ([@&#8203;mbtools](https://github.com/mbtools))
- [`ac9b357`](https://github.com/npm/node-semver/commit/ac9b35769ab0ddfefd5a3af4a3ecaf3da2012352) [#&#8203;682](https://github.com/npm/node-semver/pull/682) typo in compareBuild debug message ([#&#8203;682](https://github.com/npm/node-semver/issues/682)) ([@&#8203;mbtools](https://github.com/mbtools))

##### Dependencies

- [`988a8de`](https://github.com/npm/node-semver/commit/988a8deb3ea76b9a314a740e66b5fc2f726822f8) [#&#8203;709](https://github.com/npm/node-semver/pull/709) uninstall `lru-cache` ([#&#8203;709](https://github.com/npm/node-semver/issues/709))
- [`3fabe4d`](https://github.com/npm/node-semver/commit/3fabe4dbfbd199fdb589c076a7f30bc1f18c6614) [#&#8203;704](https://github.com/npm/node-semver/pull/704) remove lru-cache

##### Chores

- [`dd09b60`](https://github.com/npm/node-semver/commit/dd09b60da1e618335d7c269426345b336fd5f63d) [#&#8203;705](https://github.com/npm/node-semver/pull/705) bump [@&#8203;npmcli/template-oss](https://github.com/npmcli/template-oss) to 4.22.0 ([@&#8203;lukekarrys](https://github.com/lukekarrys))
- [`ec49cdc`](https://github.com/npm/node-semver/commit/ec49cdcece9db0020d6829b246681ff65a393644) [#&#8203;701](https://github.com/npm/node-semver/pull/701) chore: chore: postinstall for dependabot template-oss PR ([@&#8203;lukekarrys](https://github.com/lukekarrys))
- [`b236c3d`](https://github.com/npm/node-semver/commit/b236c3d2f357a16a733c96ec2ca8c57848b70091) [#&#8203;696](https://github.com/npm/node-semver/pull/696) add benchmarks ([#&#8203;696](https://github.com/npm/node-semver/issues/696)) ([@&#8203;H4ad](https://github.com/H4ad))
- [`692451b`](https://github.com/npm/node-semver/commit/692451bd6f75b38a71a99f39da405c94a5954a22) [#&#8203;688](https://github.com/npm/node-semver/pull/688) various improvements to README ([#&#8203;688](https://github.com/npm/node-semver/issues/688)) ([@&#8203;mbtools](https://github.com/mbtools))
- [`5feeb7f`](https://github.com/npm/node-semver/commit/5feeb7f4f63061e19a29087115b50cb04135b63e) [#&#8203;705](https://github.com/npm/node-semver/pull/705) postinstall for dependabot template-oss PR ([@&#8203;lukekarrys](https://github.com/lukekarrys))
- [`074156f`](https://github.com/npm/node-semver/commit/074156f64fa91723fe1ae6af8cc497014b9b7aff) [#&#8203;701](https://github.com/npm/node-semver/pull/701) bump [@&#8203;npmcli/template-oss](https://github.com/npmcli/template-oss) from 4.21.3 to 4.21.4 ([@&#8203;dependabot](https://github.com/dependabot)\[bot])

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/X-oss-byte/Nextjs).