chore(deps): bump the npm-minor-patch group in /extension/secureflow with 8 updates

[dependabot]

Bumps the npm-minor-patch group in /extension/secureflow with 8 updates:

Package	From	To
@sentry/node	10.46.0	10.53.1
@types/vscode	1.110.0	1.120.0
@typescript-eslint/eslint-plugin	8.58.0	8.59.4
@typescript-eslint/parser	8.58.0	8.59.4
prettier	3.8.1	3.8.3
svelte	5.55.1	5.55.9
ts-loader	9.5.4	9.5.7
webpack	5.105.4	5.107.1

Updates @sentry/node from 10.46.0 to 10.53.1

Release notes

Sourced from @​sentry/node's releases.

10.53.1

• fix(core): Don't gate user data for streamed spans at scope read time (#20827)
• fix(core): Include subpath type shims in published package (#20835)
• ref(hono): Consolidate route patching and add clarification comments (#20829)

• chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15-intl (#20821)

Bundle size 📦

Path	Size
@​sentry/browser	26.22 KB
@​sentry/browser - with treeshaking flags	24.69 KB
@​sentry/browser (incl. Tracing)	43.69 KB
@​sentry/browser (incl. Tracing + Span Streaming)	45.62 KB
@​sentry/browser (incl. Tracing, Profiling)	48.56 KB
@​sentry/browser (incl. Tracing, Replay)	82.4 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	72.08 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	86.99 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	99.33 KB
@​sentry/browser (incl. Feedback)	43 KB
@​sentry/browser (incl. sendFeedback)	30.92 KB
@​sentry/browser (incl. FeedbackAsync)	35.91 KB
@​sentry/browser (incl. Metrics)	27.27 KB
@​sentry/browser (incl. Logs)	27.42 KB
@​sentry/browser (incl. Metrics & Logs)	28.08 KB
@​sentry/react	27.92 KB
@​sentry/react (incl. Tracing)	45.9 KB
@​sentry/vue	31.01 KB
@​sentry/vue (incl. Tracing)	45.5 KB
@​sentry/svelte	26.24 KB
CDN Bundle	28.55 KB
CDN Bundle (incl. Tracing)	46.04 KB
CDN Bundle (incl. Logs, Metrics)	29.89 KB
CDN Bundle (incl. Tracing, Logs, Metrics)	47.14 KB
CDN Bundle (incl. Replay, Logs, Metrics)	68.3 KB
CDN Bundle (incl. Tracing, Replay)	82.55 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	83.6 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	88.23 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	89.3 KB
CDN Bundle - uncompressed	83.97 KB
CDN Bundle (incl. Tracing) - uncompressed	138.12 KB
CDN Bundle (incl. Logs, Metrics) - uncompressed	88.07 KB
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	141.5 KB
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	209.97 KB

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.53.1

• fix(core): Don't gate user data for streamed spans at scope read time (#20827)
• fix(core): Include subpath type shims in published package (#20835)
• ref(hono): Consolidate route patching and add clarification comments (#20829)

• chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15-intl (#20821)

10.53.0

Important Changes

• feat(core): Add streamGenAiSpans options to stream gen_ai spans (#20785)

  Adds a new streamGenAiSpans option that controls how gen_ai spans are sent to Sentry. When set, the SDK extracts all gen_ai spans out of a transaction and sends them as v2 envelope items.

  Enable this option if gen_ai spans are being dropped because the transaction payload exceeds size limits.

  Sentry.init({
    dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0',
    streamGenAiSpans: true,
  });

Other Changes

• feat(browser): Migrate browser profiling thread data to span attributes (#20800)
• feat(core): Add addConsoleInstrumentationFilter utility (#20790)
• feat(core): Add applicationKey to BuildTimeOptionsBase (#20789)
• feat(core): split exports by browser/server for bundle size (#20435)
• feat(nextjs): Add top-level applicationKey option (#20794)
• feat(node): Support Node 26 (#20710)
• feat(profiling-node): Bump @sentry-internal/node-cpu-profiler to 2.4.0 (#20720)
• fix(cloudflare): avoid flush lock self-wait (#20719)
• fix(hono): Capture transaction name on request for correct culprit (#20801)
• fix(mcp): retroactively wrap handlers registered before wrapMcpServerWithSentry (#20699)
• fix(node-core): Guard against undefined util.getSystemErrorMap (#20660)
• fix(replay): Capture aborted/errored fetch requests in replay network tab (#20722)

... (truncated)

Commits

• cd97408 release: 10.53.1
• 66cfb25 Merge pull request #20838 from getsentry/prepare-release/10.53.1
• df8fd38 meta(changelog): Update changelog for 10.53.1
• 5881009 fix(core): Include subpath type shims in published package (#20835)
• 6a7d179 fix(core): Don't gate user data for streamed spans at scope read time (#20827)
• ad47c3c ref(hono): Consolidate route patching and add clarification comments (#20829)
• 28d6fe5 Merge pull request #20826 from getsentry/master
• 46aca45 Merge branch 'release/10.53.0'
• b5cbc9c chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/tes...
• 05489b8 release: 10.53.0
• Additional commits viewable in compare view

Updates @types/vscode from 1.110.0 to 1.120.0

Commits

• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.58.0 to 8.59.4

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Kirk Waiblinger @​kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.2

8.59.2 (2026-05-04)

🩹 Fixes

• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)
• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
• rule-tester: add TypeScript as a peer dependency (#12288)

❤️ Thank You

• Dariusz Czajkowski
• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

8.59.1 (2026-04-27)

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)

❤️ Thank You

• Evyatar Daud @​StyleShit

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.3 (2026-05-11)

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.2 (2026-05-04)

🩹 Fixes

• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)

❤️ Thank You

• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)

❤️ Thank You

... (truncated)

Commits

• ca6ca14 chore(release): publish 8.59.4
• 4302433 fix(eslint-plugin): [no-floating-promises] stack overflow when using recursiv...
• 10b79f1 chore(deps): update dependency eslint to v10.4.0 (#12339)
• 2a6765d chore: clenaup getAwaitedType from typescript.d.ts (#12302)
• 48e13c0 chore(release): publish 8.59.3
• e26dc80 docs: update stale links to latest (#12313)
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• 2ec35f1 chore(release): publish 8.59.2
• ec3ef25 test: make no-useless-empty-export tests fully static (#12260)
• 60d0a51 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• Additional commits viewable in compare view

Updates @typescript-eslint/parser from 8.58.0 to 8.59.4

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.59.4

8.59.4 (2026-05-18)

🩹 Fixes

• eslint-plugin: [no-floating-promises] stack overflow when using recursive types (#12294)
• project-service: throw error cause in getParsedConfigFileFromTSServer (#12321)
• typescript-eslint: export Compatible* types from typescript-eslint to resolve pnpm TS error (#12340)

❤️ Thank You

• Evyatar Daud @​StyleShit
• Kirk Waiblinger @​kirkwaiblinger
• lumir

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.2

8.59.2 (2026-05-04)

🩹 Fixes

• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)
• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
• rule-tester: add TypeScript as a peer dependency (#12288)

❤️ Thank You

• Dariusz Czajkowski
• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

8.59.1 (2026-04-27)

... (truncated)

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.59.4 (2026-05-18)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.3 (2026-05-11)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.2 (2026-05-04)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.1 (2026-04-27)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#12187)

❤️ Thank You

• Abhijeet Singh @​cseas

... (truncated)

Commits

• ca6ca14 chore(release): publish 8.59.4
• 48e13c0 chore(release): publish 8.59.3
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• 2ec35f1 chore(release): publish 8.59.2
• 5245793 chore(release): publish 8.59.1
• ea9ae4f chore(release): publish 8.59.0
• 90c2803 chore(release): publish 8.58.2
• be6b49a fix: remove tsbuildinfo cache file from published packages (#12187)
• 5311ed3 chore(release): publish 8.58.1
• See full diff in compare view

Updates prettier from 3.8.1 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

</tr></table> 

... (truncated)

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• Additional commits viewable in compare view

Updates svelte from 5.55.1 to 5.55.9

Release notes

Sourced from svelte's releases.

svelte@5.55.9

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#18243)

• fix: avoid false-positive batch invariant error (#18246)

• fix: inline primitive constants in attribute values during SSR (#18232)

svelte@5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

svelte@5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

svelte@5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

• fix: reapply context after transforming error during SSR (#18099)

• fix: don't rebase just-created batches (#18117)

... (truncated)

Changelog

Sourced from svelte's changelog.

5.55.9

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#18243)

• fix: avoid false-positive batch invariant error (#18246)

• fix: inline primitive constants in attribute values during SSR (#18232)

5.55.8

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#18234)

• fix: execute uninitialized derived even if it's destroyed (#18228)

• fix: use named symbols everywhere (#18238)

• fix: don't run teardown effects when deriveds are unfreezed (#18227)

• fix: unset context synchronously in run (#18236)

5.55.7

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

5.55.6

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#18180)

• fix: keep dependencies of $state.eager/pending (#18218)

... (truncated)

Commits

• b65a3f3 Version Packages (#18240)
• ef319ed chore: bump acorn-typescript/esrap (#18248)
• d654db8 fix: avoid false-positive batch invariant error (#18246)
• 000c594 fix: {#await await ...} and async dependencies fixes (#18243)
• a5df661 fix: avoid unnecessary stringify in server attributes (#18232)
• f9440dc Version Packages (#18239)
• ca3f35b fix(print): handle svelte:body and fix keyframe percentage double-printing (#...
• 2bc3592 fix: use named symbols everywhere (#18238)
• dc1f037 fix: don't run teardown effects when deriveds are unfreezed (#18227)
• 1e899cb fix: execute uninitialized derived even if it's destroyed (#18228)
• Additional commits viewable in compare view

Updates ts-loader from 9.5.4 to 9.5.7

Release notes

Sourced from ts-loader's releases.

v9.5.7

• fix: TS5011 errors with TypeScript 6.0: transpileModule called with rootDir: undefined #1678 - thanks @​julioz and @​errorx666
• feat: migrate to trusted publishing - thanks @​johnnyreilly

Skipping 9.5.5-9.5.6 due to publishing issues

Changelog

Sourced from ts-loader's changelog.

9.5.7

• fix: TS5011 errors with TypeScript 6.0: transpileModule called with rootDir: undefined #1678 - thanks @​julioz and @​errorx666
• feat: migrate to trusted publishing - thanks @​johnnyreilly

Skipping 9.5.5-9.5.6 due to publishing issues

Commits

• 4a60de4 chore: trusted publishing attempt 3
• b03b4aa chore: version bump
• 2421dcf fix: trusted publishing by changing respository.url in package.json
• f84480f fix: TS5011 errors with TypeScript 6.0: transpileModule called with rootDir: ...
• 0cef777 feat: migrate to trusted publishing (#1680)
• a0cfb39 docs: add AGENTS.md / CLAUDE.md
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ts-loader since your current version.

Updates webpack from 5.105.4 to 5.107.1

Release notes

Sourced from webpack's releases.

v5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #21001)

• Narrow TemplatePathFn callback types by context. pathData.chunk is now non-optional for chunk filename callbacks (output.filename, chunkFilename, cssFilename, cssChunkFilename, htmlFilename, htmlChunkFilename, optimization.splitChunks.cacheGroups[*].filename), and pathData.module is non-optional for module filename callbacks (output.assetModuleFilename, per-module generator.filename / generator.outputPath, module.parser.css.localIdentName). (by @​alexander-akait in #20987)

• Tighten the CreateData typedef in NormalModuleFactory. CreateData now represents the fully-populated value passed to the createModule, module, and createModuleClass hooks (NormalModuleCreateData & { settings: ModuleSettings }), while ResolveData.createData is typed as Partial<CreateData> to reflect the empty initial state. Plugins tapping those hooks no longer need to cast individual fields away from optional. (by @​alexander-akait in #20992)

• Stop webpackPrefetch / webpackPreload magic comments from leaking across import() call sites that share a webpackChunkName. When two imports targeted the same named chunk and only one of them set webpackPrefetch: true, the prefetch directive was applied from every parent chunk that referenced the named chunk. Prefetch and preload orders are now resolved per import() call site instead of from the shared chunk group's accumulated options. (by @​alexander-akait in #20994)

• Fix [fullhash:N] and [hash:N] (with length suffix) in output.publicPath not being interpolated at runtime. The detection regex in RuntimePlugin only matched [fullhash] / [hash] without a length suffix, so the PublicPathRuntimeModule was not flagged as a full-hash module and __webpack_require__.p was emitted with the placeholder XXXX left in place (e.g. out/XXXX/) instead of the real hash truncated to the requested length. (by @​alexander-akait in #21004)

• Re-export ModuleNotFoundError from webpack/lib/ModuleNotFoundError for backward compatibility with old plugins that import it from that path. This re-export will be removed in webpack 6. (by @​alexander-akait in #20988)

v5.107.0

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #20925)

• Add experimental TypeScript support via experiments.typescript: true (auto-enabled by experiments.futureDefaults). Uses Node.js's built-in module.stripTypeScriptTypes (Node.js >= 22.6 with the stable mode: "strip" API, including Node.js 26) to transform .ts, .cts, .mts, data:text/typescript, and data:application/typescript modules — no type checking, only erasable TypeScript (types, generics, import type, casts). .tsx/JSX and non-erasable syntax (enum, namespace, parameter-property constructors, decorator metadata) are NOT supported; use a TSX-capable loader (e.g. ts-loader, swc-loader) for those. (by @​alexander-akait in #20964)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexa...

  Description has been truncated

[safedep]

SafeDep Report Summary

Package Details

Package	Malware	Vulnerability	Risky License	Report
@fastify/otel @ 0.18.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/api-logs @ 0.214.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/core @ 2.7.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation @ 0.214.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-amqplib @ 0.61.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-connect @ 0.57.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-dataloader @ 0.31.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-fs @ 0.33.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-generic-pool @ 0.57.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-graphql @ 0.62.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-hapi @ 0.60.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-http @ 0.214.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-kafkajs @ 0.23.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-knex @ 0.58.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-koa @ 0.62.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-lru-memoizer @ 0.58.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-mongodb @ 0.67.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-mongoose @ 0.60.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-mysql @ 0.60.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-mysql2 @ 0.60.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-pg @ 0.66.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/instrumentation-tedious @ 0.33.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/resources @ 2.7.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/sdk-trace-base @ 2.7.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@opentelemetry/semantic-conventions @ 1.41.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@prisma/instrumentation @ 7.6.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@sentry/core @ 10.53.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@sentry/node @ 10.53.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@sentry/node-core @ 10.53.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@sentry/opentelemetry @ 10.53.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@sveltejs/acorn-typescript @ 1.0.10 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@types/vscode @ 1.120.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/eslint-plugin @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/parser @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/project-service @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/scope-manager @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/tsconfig-utils @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/type-utils @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/types @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/typescript-estree @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/utils @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
@typescript-eslint/visitor-keys @ 8.59.4 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
devalue @ 5.8.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
enhanced-resolve @ 5.21.6 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
es-module-lexer @ 2.1.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
esrap @ 2.2.9 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
import-in-the-middle @ 3.0.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
loader-runner @ 4.3.2 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
mime-db @ 1.54.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
pg-protocol @ 1.14.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
prettier @ 3.8.3 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
svelte @ 5.55.9 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
tapable @ 2.3.3 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
terser @ 5.48.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
terser-webpack-plugin @ 5.6.0 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
ts-loader @ 9.5.7 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
webpack @ 5.107.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗
webpack-sources @ 3.4.1 npm extension/secureflow/package-lock.json	✔️	✔️	✔️	🔗

View complete scan results →

_{This report is generated by SafeDep Github App}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[ghost]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	2
Rules	205

---

_{Powered by Code Pathfinder}

[code-pathfinder]

Pathfinder Report

✅ No security findings on the changed files. This pull request is clean.

View report on the dashboard

---

Powered by Code Pathfinder.

[dependabot]

The group that created this PR has been removed from your configuration.