⬆️(project) upgrade js dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update
@html-to/text-cli	0.5.4 → 0.6.0			dependencies	minor
mjml (source)	4.15.3 → 5.3.0			dependencies	major
node (source)	20.18.0 → 24.16.0			volta	major

---

Release Notes

mjmlio/mjml (mjml)

v5.3.0

Compare Source

v5.2.2

Compare Source

What's Changed

Fixes

• In CLI, relative includePath entries are now resolved against process.cwd() before being passed to mjml-core, so e.g. --config.includePath '["layouts"]' works correctly when the template lives in a subdirectory by @​dazgreer in #​3092
• Introduced warnings on denied mj-includes for CLI by @​dazgreer in #​3092

Documentation

• Updated documentation by adding an important message concerning the switch in allowIncludes (CLI) ignoreIncludes (Node) by @​dazgreer in #​3092

Full Changelog: mjmlio/mjml@v5.2.1...v5.2.2

v5.2.1

Compare Source

What's Changed

Fix

• mj-accordion elements were closed by default in new versions of Outlook by @​dazgreer in #​3088

Full Changelog: mjmlio/mjml@v5.2.0...v5.2.1

v5.2.0

Compare Source

Overview

We've updated the beautification process in MJML and are moving back to js-beautify.

As part of MJML 5, we introduced changes to the beautification stack, including replacing js-beautify with Prettier and later Biome. While these changes addressed earlier dependency concerns (which are no longer present), they also introduced performance and output issues for some users, including significantly slower processing times in certain environments.

Our priority right now is stability and predictable output, so we're reverting to the long-standing but updated js-beautify implementation while we continue evaluating longer-term improvements to the beautification pipeline.

Thanks to everyone who reported issues and shared feedback over the last few weeks, it helped us identify and resolve the problems much faster.

What's Changed

Features

• Switch beautification to js-beautify in both mjml-core and mjml-browser by @​dazgreer in #​3082

Fixes

• Handle async watch compilation in mjml-cli by @​dazgreer in #​3084

Full Changelog: mjmlio/mjml@v5.1.0...v5.2.0

v5.1.0

Compare Source

What's Changed

Features

• Beautify: replaced Prettier with Biome (with its WASM Node.js port) for beautification as calls to beautify took 500ms for large MJML documents and was causing 504 errors.. Note: Prettier is still used inside mjml-browser by @​totocap in #​3075 and @​dazgreer in #​3076

Full Changelog: mjmlio/mjml@v5.0.1...v5.1.0

v5.0.1

Compare Source

What's Changed

Documentation

• Update mjml package README by @​dazgreer in #​3073

Full Changelog: mjmlio/mjml@v5.0.0...v5.0.1

v5.0.0

Compare Source

Upgrade Guide

These are the changes users need to actively consider when upgrading to MJML 5.x.x from MJML 4.x (and early MJML 5 alphas):

Highlights

• Replaced legacy html-minifier and js-beautify with htmlnano + cssnano. [breaking change]
• Added templating syntax sanitization (runs before PostCSS and is restored afterwards)
• Safer, stricter handling of mj-include and ignoreIncludes [breaking change]
• Restructured outer HTML: the <body> tag is now driven by mj-body, not the global skeleton. [breaking change]
• mjml-browser build/minification pipeline updated
• Better attribute consistency across components (including more flexible border-radius). [breaking change]
• Migration helper removed [breaking change]
• Updated toolchain: Node 20/22/24 in CI. Removed Node 16/18 [breaking change]

---

HTML/CSS minification & formatting

What changed

• HTML minification now uses htmlnano instead of html-minifier.
• CSS minification now uses cssnano presets wired via mjml-core.
• Minification options can be added via .mjmlconfig.js

Impact [potential breaking changes]

• Generated HTML is more aggressively minified. If you rely on exact formatting (e.g. diffing raw HTML, parsing by regex, or checking snapshots), you may see changes.
• Some obscure html-minifier specific options used in custom tooling will no longer apply; options are now expressed as htmlnano/cssnano configs.
• Template tags may error in PostCSS (see Template syntax handling and sanitization below)
• Fixes this issue: #​2589

What to do

• Review any automation that assumes pretty‑printed HTML (tests, diffs, CI snapshot comparisons).
• If you previously passed minify/beautify flags or custom minifier options, re‑map them to the new htmlnano/cssnano config.

Notes

• cssnano uses lite preset by default. Due to this issue: #​2919. default preset can be used if your fonts don’t contain numerals

More detail: (#​2858 (comment))

---

Template syntax handling and sanitization (PostCSS)

What changed

• Template syntax (e.g. {{ }}) is now sanitized before PostCSS and with syntax restored post-processing.

Impact

• A CssSyntaxError error will occur when applying CSS minification to files with some template syntax
• Fixes this issue: #​2858 (comment)

What to do

• If you use a templating engine on top of MJML (Handlebars, Liquid, Twig, etc.), run your existing templates and visually verify output.
• Pay special attention to templates that put templating markers in CSS or style attributes.

More detail: (#​2858 (comment))

---

Includes are more locked down

What changed

• ignoreIncludes / allowIncludes (CLI) defaults and behavior have changed to be more secure. Includes are ignored by default
• A new includePath option is introduced to explicitly control where includes can be loaded from outside of a templates filePath
• Support MJML, HTML and CSS includes only

Impact [potential breaking changes]

• Includes are ignored by default, you will need to explicitly allow them
• Projects that relied on implicit include behavior (e.g. loading templates from arbitrary paths without explicit configuration) may now fail, warn, or simply skip includes.
• In locked‑down environments (containers, CI, hosting), path resolution for includes may change and require configuration.
• Fixes this issue: #​2589

What to do

• Audit usage of mj-include and any config that touches ignoreIncludes / allowIncludes.
• Explicitly configure includePath (and related options) in your .mjmlconfig or CLI usage to match your desired include directories (see docs)
• Expect safer, stricter defaults; don’t rely on includes working without explicit configuration.

More detail: (#​2858 (comment))

---

mj-body and skeleton structure

What changed

• The <body> HTML tag is now generated under mj-body instead of a global skeleton file.
• Added id attribute to mj-body
• mj-body attributes have been refactored:
  • class attribute is applied to the body tag rather than the child div
  • background-color removed from body, applies to child div only

Impact [potential breaking changes]

• If you rely on the exact skeleton (where <body> lived, what attributes were on it), this structure is now different.
• External CSS that relies on the specific placement of the class may no longer apply
• Fixes this issue: #​2396

What to do

• Re‑check any tooling that injects or manipulates the outer HTML skeleton around MJML output.
• Re‑verify any CSS relating to class or background-color attributes that were applied to mj-body

Notes

• Thanks to @​kmcb777 for the work here: #​2408

---

Browser bundle / build scripts

What changed

• mjml-browser build/minification pipeline has been updated to use new minifiers

Why

• New minifiers were not compatible

Impact

• If you import mjml-browser directly or depended on its legacy build scripts, behavior and bundle size/shape might change.
• Bundle size down from 1.22M to 1.04M

What to do

• Re‑build any tools using mjml-browser and verify they still load, minify, and run as expected.

---

Attributes & layout consistency

What changed

• All border-radius attributes now accept a string, previously this was inconsistent across components. Allows more flexible input
• Updated the inner-padding attributes of mj-hero and fixed an Outlook issue with width/padding

Impact [potential breaking changes]

• For some components, border-radius values are less strict
• inner-padding for mj-hero is now applied to all clients, not just Outlook

What to do

• Visual regression‑test focusing on all instances border-radius and mj-hero's inner-padding

---

Migration helper removal

What changed

• The standalone mjml-migrate tool and associated noMigrateWarn option are removed.

Impact [potential breaking changes]

• You can no longer rely on MJML 5 to automatically migrate very old MJML syntax (3.x/early 4.x) on the fly.

What to do

• If you still have legacy MJML, migrate those templates with MJML 4 tooling before moving the project to MJML 5, or update them manually.

---

Node.js version support

What changed

• CI now runs against Node LTS 20, 22 and 24; older Node versions are effectively deprecated/unsupported.

Impact [potential breaking changes]

• MJML 5 may not work (or will be untested) on Node 16/18 in the long term.

What to do

• Plan to run MJML 5 on Node 20, 22 or 24 in CI and production.

Full Changelog: mjmlio/mjml@v4.18.0...v5.0.0

v4.18.0

Compare Source

What's Changed

Documentation

• Content updates by @​dazgreer in #​3021

Full Changelog: mjmlio/mjml@v4.17.2...v4.18.0

v4.17.2

Compare Source

What's Changed

Fixes

• mj-section: do not inherit attributes from context #​3019 by @​dazgreer in #​3020

Full Changelog: mjmlio/mjml@v4.17.1...v4.17.2

v4.17.1

Compare Source

What's Changed

Fixes

• mjml-wrapper: allowed attributes not inheriting #​3011 by @​dazgreer in #​3012

Full Changelog: mjmlio/mjml@v4.17.0...v4.17.1

v4.17.0

Compare Source

What's Changed

Features

• mjml-wrapper: add gap between sections #​2977 by @​dazgreer in #​3004

Fixes

• mjml-social: respect align and icon-height attributes #​3001 by @​dazgreer in #​3002
• mjml-carousel: hide thumbnails if not supported #​2999 by @​dazgreer in #​3000
• mjml-accordion: respect font-family and padding-x attributes #​2997 by @​dazgreer in #​2998
• mjml-table: respect cellspacing #​2995 by @​dazgreer in #​2996
• mjml-navbar: fix ico-padding-x that was not working #​2991 by @​dazgreer in #​2992
• mjml-column: fix border-radius that was not working #​2989 by @​dazgreer in #​2990

Documentation

• Added link to support matrix by @​dazgreer in #​3005
• Update image URLs by @​dazgreer in #​3007
• Examples indenting by @​EtienneHosman in #​2974

Other

• Update local MJML testing by @​dazgreer in #​2987
• Add publish action by @​totocap in #​3009

New Contributors

• @​EtienneHosman made their first contribution in #​2974

Full Changelog: mjmlio/mjml@v4.16.1...v4.17.0

v4.16.1

Compare Source

Fixes

• Fix build issue of version 4.16.0 for mjml-browser

Full Changelog: mjmlio/mjml@v4.16.0...v4.16.1

v4.16.0

Compare Source

What's Changed

Features

• Add direction property to mj-social-element to reverse icon/text order by @​jamestomasino in #​2881
• mjml-table: supports 'auto' table width by @​dazgreer in #​2962
• Added font-weight attribute to mj-accordion-title by @​dazgreer in #​2963
• Add attributes for accessibility in MjBody by @​llepere in #​2954

Fixes

• Watch wrong files on CLI by @​iRyusa in #​2838
• Pass parent attributes to rawXML child components by @​norchard in #​2922
• mjml-wrapper/mjml-section: border-radius not being applied by @​dazgreer in #​2966
• mjml-wrapper/section: border-radius bug by @​dazgreer in #​2980
• mjml-parser: HTML Comments rendered with additional white space by @​dazgreer in #​2972

Documentation

• Add mjml-python to ports, and update missing implementation for MJML. by @​mgd020 in #​2845
• Remove blank "Nesting" section by @​dfabulich in #​2864
• Add a link for Laravel / PHP platform by @​EvanSchleret in #​2885
• Remove missing features for MJML.NET by @​SebastianStehle in #​2905
• Add mjml-bar-chart presentation to community components by @​Freezystem in #​2953

Dependencies

• Bump lodash from 4.17.15 to 4.17.21 by @​abalam666 in #​2831
• Bump brace-expansion from 1.1.11 to 1.1.12 by @​dependabot[bot] in #​2956
• Updated Babel to 7.28.3 by @​dazgreer in #​2978

New Contributors

• @​abalam666 made their first contribution in #​2831
• @​mgd020 made their first contribution in #​2845
• @​dfabulich made their first contribution in #​2864
• @​jamestomasino made their first contribution in #​2881
• @​EvanSchleret made their first contribution in #​2885
• @​norchard made their first contribution in #​2922
• @​dazgreer made their first contribution in #​2962
• @​llepere made their first contribution in #​2954

Full Changelog: mjmlio/mjml@v4.15.3...v4.16.0

nodejs/node (node)

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
• [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
• [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
• [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
• [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556

Commits

• [dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #​62509
• [add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #​62888
• [1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #​62667
• [8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #​62902
• [341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #​62974
• [28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #​62863
• [16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #​62839
• [eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #​62875
• [9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #​59051
• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #​62474
• [4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #​63013
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #​63375
• [ec8c6b939a] - deps: V8: cherry-pick 657d8de (Guy Bedford) #​62784
• [722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #​61187
• [5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #​60046
• [e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #​59249
• [1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #​59249
• [8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #​63090
• [62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #​63045
• [137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #​62810
• [14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #​62962
• [3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #​62898
• [01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #​62881
• [6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #​62699
• [f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #​62698
• [b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #​62594
• [fa46c90c5d] - deps: update googletest to d72f9c8 (Node.js GitHub Bot) #​62593
• [099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #​62592
• [7ce95afe96] - deps: libuv: cherry-pick aabb765 (Santiago Gimeno) #​62561
• [57ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #​62324
• [493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #​61829
• [b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #​63011
• [cb67a925e9] - deps: use npm undici@​seven tag in update-undici.sh (Matteo Collina) #​62739
• [aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #​62828
• [f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #​62917
• [b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #​61596
• [233894a9ce] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #​63093
• [5d97919f8f] - doc: correct diagnostics_channel built-in channel names (Bryan English) #​62995
• [2a9ccc927e] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #​62884
• [ef413b5358] - doc: fix typo in test.md (Rich Trott) #​62960
• [76f21c5070] - doc: correct typo in PR contribution instructions (Mike McCready) #​62738
• [ca02af1f7d] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #​62917
• [46c99ed526] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #​62917
• [1a60851734] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #​62882
• [169b5ea2ed] - doc: fix Argon2 parameter bounds (Tobias Nießen) #​62868
• [9a3a190f4e] - doc: clarify diffieHellman.generateKeys recomputes same key (Kit Dallege) #​62205
• [0fba9e87d6] - doc: remove Ayase-252 and meixg from triagger team (Antoine du Hamel) #​62841
• [9c700f3446] - doc: clarify dns.lookup() callback signature when all is true (eungi) #​62800
• [6b7280bc17] - doc: add experimental modules lifetime policy (Paolo Insogna) #​62753
• [ce47ea31c9] - doc: clarify process._debugProcess() in Permission Model (Fahad Khan) #​62537
• [ba01633757] - doc: fix typo in devcontainer guide (Rohan Santhosh Kumar) #​62687
• [70b4d5839b] - doc: clarify Backport-PR-URL metadata added automatically (Mike McCready) #​62668
• [8126d1c3eb] - doc: update WPT test runner README.md (Filip Skokan) #​62680
• [978afea4b5] - doc: fix spelling in release announcement guidance (Rohan Santhosh Kumar) #​62663
• [1684ab8ff8] - doc: note non-monotonic clock in crypto.randomUUIDv7 (nabeel378) #​62600
• [86d4f07930] - doc: update bug bounty program (Rafael Gonzaga) #​62590
• [736ed8a08f] - doc: document TransformStream transformer.cancel option (Tom Pereira) #​62566
• [938af9be01] - doc: mention test runner retry attemp is zero based (Moshe Atlow) #​62504
• [94433e450f] - doc,src,test: fix dead inspector help URL (semimikoh) #​62745
• [ddf1f01659] - esm: add ERR_REQUIRE_ESM_RACE_CONDITION (Antoine du Hamel) #​62462
• [4a506acd16] - fs: add followSymlinks option to glob (Matteo Collina) #​62695
• [f4ea495f9b] - fs: restore fs patchability in ESM loader (Joyee Cheung) #​62835
• [63c111cd60] - fs: validate position argument before length === 0 early return (Edy Silva) #​62674
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [717476a24e] - http: emit 'drain' on OutgoingMessage only after buffers drain (Robert Nagy) #​62936
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [64f15c274a] - http: fix leaked error listener on sync HTTP req create + destroy (Tim Perry) #​62872
• [5c4798d799] - http: fix no_proxy leading-dot suffix matching (Daijiro Wachi) #​62333
• [9f3bc70ae5] - http: cleanup pipeline queue (Robert Nagy) #​62534
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [900dc758ff] - http2: expose writable stream state on compat response (T) #​63003
• [b3bfe35912] - inspector: coerce key and value to string in webstorage events (Ali Hassan) #​62616
• [3dc3fb6ad8] - inspector: return errors when CDP protocol event emission fails (Ryuhei Shima) #​62162
• [4f3f21bd7c] - inspector: auto collect webstorage data (Ryuhei Shima) #​62145
• [36cc04189d] - inspector: initial support storage inspection (Ryuhei Shima) #​61139
• [1718bc3b9b] - inspector: fix absolute URLs in network http (bugyaluwang) #​62955
• [97e32c7a74] - lib: avoid quadratic shift() in startup snapshot callback (Daijiro Wachi) #​62914
• [25d2e999de] - lib: harden kKeyOps lookup with null prototype (Filip Skokan) #​62877
• [37d3913c8f] - lib: short-circuit WebIDL BufferSource SAB check (Filip Skokan) #​62833
• [430c69d25f] - lib: use js-only implementation of isDataView() (René) #​62780
• [3ba0add6a0] - lib: fix lint in internal/webstreams/util.js (Filip Skokan) #​62806
• [9b95c41398] - lib: fix sequence argument handling in Blob constructor (Ms2ger) #​62179
• [314dacdbee] - lib: improve Web Cryptography key validation ordering (Filip Skokan) #​62749
• [3d18162430] - lib: reject SharedArrayBuffer in web APIs per spec (Ali Hassan) #​62632
• [ada3ce879d] - lib: defer AbortSignal.any() following (sangwook) #​62367
• [b2981ec7eb] - meta: bump actions/download-artifact from 8.0.0 to 8.0.1 (dependabot[bot]) #​62549
• [7cd20667b5] - meta: bump github/codeql-action from 4.35.1 to 4.35.3 (dependabot[bot]) #​63074
• [91a07cfe9f] - meta: bump Mozilla-Actions/sccache-action from 0.0.9 to 0.0.10 (dependabot[bot]) #​63073
• [09e17fe47c] - meta: add automation policy (Chengzhong Wu) #​62871
• [59e7fb7986] - meta: move VoltrexKeyva to emeritus (Matteo Collina) #​62895
• [1e2915cfa6] - meta: bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (dependabot[bot]) #​62845
• [0253c6e2be] - meta: bump step-security/harden-runner from 2.16.1 to 2.19.0 (dependabot[bot]) #​62844
• [f503675b86] - meta: bump actions/setup-node from 6.3.0 to 6.4.0 (dependabot[bot]) #​62842
• [5e14e4d26e] - meta: broaden stale bot (Aviv Keller) #​62658
• [795db76f87] - meta: pass release version to release worker (flakey5) #​62777
• [ef384fe39f] - meta: add QUIC to CODEOWNERS (Tim Perry) #​62652
• [67e0ac568d] - meta: move Michael to emeritus (Michael Dawson) #​62536
• [5dad616393] - meta: populate apt list for slim runner in update-openssl workflow (René) #​62628
• [a869d25d8a] - meta: bump step-security/harden-runner from 2.15.0 to 2.16.1 (dependabot[bot]) #​62550
• [769efc0403] - meta: bump actions/setup-node from 6.2.0 to 6.3.0 (dependabot[bot]) #​62548
• [73fcc2b055] - meta: bump github/codeql-action from 4.32.4 to 4.35.1 (dependabot[bot]) #​62547
• [6c001246fe] - meta: bump codecov/codecov-action from 5.5.2 to 6.0.0 (dependabot[bot]) #​62545
• [5ee40d6a03] - meta: bump actions/cache from 5.0.3 to 5.0.4 (dependabot[bot]) #​62543
• [ca16ad8a05] - meta: require DCO signoff in commit message guidelines (James M Snell) #​62510
• [db9497fc41] - meta: expand memory leak DoS criteria to all DoS (Joyee Cheung) #​62505
• [13b7d08b8d] - module: remove duplicated checks from _resolveFilename (Antoine du Hamel) #​62729
• [6b53efb53a] - module,win: fix long subpath import (Stefan Stojanovic) #​62101
• [841dfbf6fc] - node-api: update libuv ABI stability note (Chengzhong Wu) #​62789
• [01090f2aa1] - node-api: add napi_create_external_sharedarraybuffer (Ben Noordhuis) #​62623
• [87443b4355] - node-api: execute tsfn finalizer after queue drains when aborted (Kevin Eady) #​61956
• [e95570c054] - process: handle rejections only when needed (Gürgün Dayıoğlu) #​62919
• [37d49f3219] - process: optimize asyncHandledRejections by using FixedQueue (Gürgün Dayıoğlu) #​60854
• [f697c55e38] - quic: add QuicEndpoint.listening & QuicStream.destroy() and tests (Tim Perry) #​62648
• [c128942b69] - quic: fixup token verification to handle zero expiration (James M Snell) #​62620
• [abb881ec92] - quic: support multiple ALPN negotiation (James M Snell) #​62620
• [476926c2ad] - quic: apply multiple TLS context improvements and SNI support (James M Snell) #​62620
• [76d9c24b95] - quic: implement rapidhash for hashing improvements (James M Snell) #​62620
• [08726cd43d] - quic: move quic behind compile time flag (Matteo Collina) #​61444
• [ea4f19aaa7] - quic: use arena allocation for packets (James M Snell) #​62589
• [21e9239e2a] - quic: fixup linting/formatting issues (James M Snell) #​62387
• [edeed4303b] - quic: update http3 impl details (James M Snell) #​62387
• [7f3a85e6aa] - quic: fix a handful of bugs and missing functionality (James M Snell) #​62387
• [45c1ebddf8] - quic: copy options.certs buffer instead of detaching (Chengzhong Wu) #​61403
• [a31a8ee680] - quic: reduce boilerplate and other minor cleanups (James M Snell) #​59342
• [3be70ff43a] - quic: multiple fixups and updates (James M Snell) #​59342
• [b91a93444c] - quic: update more of the quic to the new compile guard (James M Snell) #​59342
• [ca0080c164] - quic: few additional small comment edits in cid.h (James M Snell) #​59342
• [6553202d83] - quic: fixup NO_ERROR macro conflict on windows (James M Snell) #​59381
• [6df1508ac2] - quic: fixup windows coverage compile error (James M Snell) #​59381
• [b2b0bf8b04] - quic: update the guard to check openssl version (James M Snell) #​59249
• [5556b154bd] - quic: start re-enabling quic with openssl 3.5 (James M Snell) #​59249
• [2ca42c8263] - repl: keep reference count for process.on('newListener') (Anna Henningsen) #​61895
• [2f37f9177f] - sqlite: use OneByte for ASCII text and internalize col names (Ali Hassan) #​61954
• [3c96ae1b2f] - sqlite: add serialize() and deserialize() (Ali Hassan) #​62579
• [be4d2f3a4c] - sqlite: enable Percentile extension (Jurj Andrei George) #​61295
• [dafed453b2] -

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 7am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.