chore(deps): update npm - website - website/package.json

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@docusaurus/core (source)	^3.10.0 → ^3.10.1
@docusaurus/plugin-google-gtag (source)	^3.10.0 → ^3.10.1
@docusaurus/preset-classic (source)	^3.10.0 → ^3.10.1
@docusaurus/theme-mermaid (source)	^3.10.0 → ^3.10.1
@mermaid-js/layout-elk	^0.1.9 → ^0.2.1
ajv (source)	^8.17.1 → ^8.20.0
axios (source)	^1.13.4 → ^1.16.1
eslint (source)	^10.1.0 → ^10.4.0
eslint-plugin-react	^7.22.0 → ^7.37.5
react (source)	^19.2.4 → ^19.2.6
react-dom (source)	^19.2.4 → ^19.2.6
webpack	~5.105.0 → ~5.107.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

mermaid-js/mermaid (@​mermaid-js/layout-elk)

v0.2.1

Compare Source

Patch Changes

• #​7425 f16bfbb Thanks @​knsv! - fix: use rounded right-angle edges for ELK layout

  ELK layout edges now default to rounded curve (right-angle segments with rounded corners) instead of inheriting the global basis default. This fixes ELK edges that were curving instead of routing at right angles (#​7213). Non-ELK layouts are unaffected and keep their existing basis default.

• Updated dependencies [96a766d, 32723b2, a60e615, 1a9d45a, 96ca7c0, 60f6331, fa15ce8, 33c7c72, 3c069b5, 9745f32, d6db0b0, cdacb0b, a408b55, 712c1ec, 981a62e, a4bb0b5, b0f9d5b, 981fbb8, 93aa657, 6bc6617, 73e9849, 9d0669a, acce4db, 7eed6a1, 2000680, b7c66a2, f16bfbb, aac86f7, 9745f32, 2dd29be, ace0367, 09b74f1, 33c7c72, 835de00, a9e4c72, ff15e51, 8bfd477, b136acd, e0317ac]:

  • mermaid@​11.13.0

v0.2.0

Compare Source

Minor Changes

• #​6802 c8e5027 Thanks @​darshanr0107! - feat: Update mindmap rendering to support multiple layouts, improved edge intersections, and new shapes

Patch Changes

• Updated dependencies [33bc4a0, e0b45c2, 012530e, c8e5027]:
  • mermaid@​11.11.0

axios/axios (axios)

v1.16.1

Compare Source

v1.16.0

Compare Source

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
• transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
• Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#​10588)
• @​cuiweixie (#​7419)
• @​iruizsalinas (#​10787)
• @​MarcosNocetti (#​10680)
• @​deepview-autofix (#​10729)
• @​atharvasingh7007 (#​10745)
• @​OfekDanny (#​10772)
• @​mnahkies (#​7414)
• @​tboyila (#​10759)
• @​Kingo64 (#​6897)
• @​ramram1048 (#​6389)
• @​FLNacif (#​6460)
• @​zozo123 (#​10806)
• @​pierluigilenoci (#​10802)
• @​afurm (#​10708)
• @​karan-lrn (#​7378)
• @​ebeigarts (#​7149)
• @​Raymondo97 (#​10782)
• @​mixelburg (#​10821)
• @​ashishkr96 (#​10822)
• @​cyphercodes (#​10819)
• @​Jye10032 (#​7260)
• @​VeerShah41 (#​7276)

Full Changelog

eslint/eslint (eslint)

v10.4.0

Compare Source

facebook/react (react)

v19.2.6: 19.2.6 (May 6th, 2026)

Compare Source

React Server Components

• Type hardening and performance improvements
  (by @​eps1lon and @​unstubbable)

webpack/webpack (webpack)

v5.107.2

Compare Source

Patch Changes

• Reduce per-file overhead in ContextModuleFactory.resolveDependencies by batching alternativeRequests hook calls. Previously the hook was invoked once per file in the context (with a single-item array), paying per-call overhead (closure allocation, resolverFactory.get, intermediate arrays in RequireContextPlugin) for every file. The hook is now invoked once per directory with all matched files in one batch — RequireContextPlugin's tap already iterates the items array, so the output is unchanged. Steady-state rebuild on a 4000-file require.context drops a further ~15 ms (after the watch-mode purge fix in the same release). (by @​alexander-akait in #​21020)

• Include each external info's runtimeCondition in ConcatenatedModule#updateHash so changes to a concatenated external's runtime condition invalidate persistent caches instead of slipping through with the module id alone. (by @​alexander-akait in #​21023)

• Fix HTML [contenthash] for referenced asset and inline-style URL changes. (by @​alexander-akait in #​21018)

• Resolve chunk-hash placeholders in chunk URLs embedded into extracted HTML. (by @​alexander-akait in #​21018)

• Remove unnecessary __webpack_require__ runtime helpers in ESM library output with multi-module chunks. (by @​xiaoxiaojx in #​21032)

• Rewrite NormalModule#getSideEffectsConnectionState walk as an allocation-light iterative loop instead of a generator trampoline, restoring rebuild performance lost in #​20993 while keeping deep import chains stack-safe. (by @​alexander-akait in #​21014)

• Fix runtime ReferenceError on the first activation of a lazy-compiled module when output.library.type produces a closure-wrapped bundle (umd, umd2, amd, amd-require, system). (by @​alexander-akait in #​21013)

  External modules of these types reference closure-bound identifiers like __WEBPACK_EXTERNAL_MODULE_react__, supplied by the library wrapper that is generated once per chunk. When lazyCompilation activates an entry or import for the first time, any external dependency the lazily-built module pulls in arrives in a hot-update chunk that lives outside the original wrapper closure, so its factory body cannot resolve the closure identifier and only a manual page refresh recovers.

  The inactive LazyCompilationProxyModule now declares statically-enumerable externals (string and object forms of externals) as its own dependencies, so the initial entry chunk's library wrapper already exposes their closure identifiers. When activation later pulls in those externals through the lazily-compiled module, they resolve to the already-installed factories instead of throwing. Function and RegExp externals are not pre-populated because their effective request set isn't knowable up front.

• Fill in missing entryOptions when an async block joins an existing entrypoint. (by @​alexander-akait in #​21026)

• Release per-child codeGenerationResults in MultiCompiler and at Compiler.close to reduce memory retention. (by @​alexander-akait in #​21015)

• Reduce peak memory of SourceMapDevToolPlugin on large builds (closes #​20961). (by @​alexander-akait in #​20963)

• Fix slow require.context() / dynamic import() rebuilds in watch mode (#​13636). When a file inside a watched context directory changed, NodeWatchFileSystem would call inputFileSystem.purge(contextDir). The enhanced-resolve purge implementation matches cache keys with key.startsWith(contextDir), so the stat cache of every file under the directory was discarded on every rebuild — ContextModuleFactory.resolveDependencies then re-stat-ed the whole tree on each rebuild. Single-file rebuilds on a 4000-file context now reuse the warm stat cache, dropping median rebuild from ~1260 ms to ~650 ms in a local reproduction (≈49%). For directory items that are explicitly watched contexts, purge is now called with { exact: true } (added in enhanced-resolve@5.22.0) so only the directory's own entry is invalidated; file-level changes in the same aggregated event continue to purge file stats and the parent readdir as before. (by @​alexander-akait in #​21020)

v5.107.1

Compare Source

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #​21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #​21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #​20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #​20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #​20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #​21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #​21001)

• Narrow TemplatePathFn callback types by context. pathData.chunk is now non-optional for chunk filename callbacks (output.filename, chunkFilename, cssFilename, cssChunkFilename, htmlFilename, htmlChunkFilename, optimization.splitChunks.cacheGroups[*].filename), and pathData.module is non-optional for module filename callbacks (output.assetModuleFilename, per-module generator.filename / generator.outputPath, module.parser.css.localIdentName). (by @​alexander-akait in #​20987)

• Tighten the CreateData typedef in NormalModuleFactory. CreateData now represents the fully-populated value passed to the createModule, module, and createModuleClass hooks (NormalModuleCreateData & { settings: ModuleSettings }), while ResolveData.createData is typed as Partial<CreateData> to reflect the empty initial state. Plugins tapping those hooks no longer need to cast individual fields away from optional. (by @​alexander-akait in #​20992)

• Stop webpackPrefetch / webpackPreload magic comments from leaking across import() call sites that share a webpackChunkName. When two imports targeted the same named chunk and only one of them set webpackPrefetch: true, the prefetch directive was applied from every parent chunk that referenced the named chunk. Prefetch and preload orders are now resolved per import() call site instead of from the shared chunk group's accumulated options. (by @​alexander-akait in #​20994)

• Fix [fullhash:N] and [hash:N] (with length suffix) in output.publicPath not being interpolated at runtime. The detection regex in RuntimePlugin only matched [fullhash] / [hash] without a length suffix, so the PublicPathRuntimeModule was not flagged as a full-hash module and __webpack_require__.p was emitted with the placeholder XXXX left in place (e.g. out/XXXX/) instead of the real hash truncated to the requested length. (by @​alexander-akait in #​21004)

• Re-export ModuleNotFoundError from webpack/lib/ModuleNotFoundError for backward compatibility with old plugins that import it from that path. This re-export will be removed in webpack 6. (by @​alexander-akait in #​20988)

v5.107.0

Compare Source

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #​20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #​20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #​20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #​20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #​20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #​20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @​import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #​20925)

• Add experimental TypeScript support via experiments.typescript: true (auto-enabled by experiments.futureDefaults). Uses Node.js's built-in module.stripTypeScriptTypes (Node.js >= 22.6 with the stable mode: "strip" API, including Node.js 26) to transform .ts, .cts, .mts, data:text/typescript, and data:application/typescript modules — no type checking, only erasable TypeScript (types, generics, import type, casts). .tsx/JSX and non-erasable syntax (enum, namespace, parameter-property constructors, decorator metadata) are NOT supported; use a TSX-capable loader (e.g. ts-loader, swc-loader) for those. (by @​alexander-akait in #​20964)

• Added an experiments.html flag that reserves the html module type for the first-class HTML entry-point support. (by @​aryanraj45 in #​20902)

• Preserve defer / source import phase keywords on external dependencies in ESM output, the same way import attributes are preserved. (by @​alexander-akait in #​20934)

• Support the #__NO_SIDE_EFFECTS__ annotation to mark functions as pure for better tree-shaking. (by @​hai-x in #​20775)

• Add module.generator.html.extract for HTML modules and the matching output.htmlFilename / output.htmlChunkFilename filename templates (defaults derived from output.filename / output.chunkFilename with .js swapped for .html, mirroring the CSS pipeline). When extraction is on, the parsed and URL-rewritten HTML is emitted as a standalone .html output file alongside the module's JavaScript export. (by @​alexander-akait in #​20979)

• Add "module-sync" to default conditionNames for resolver defaults to align with Node.js, which exposes the module-sync community condition for synchronously-loadable ESM. (by @​alexander-akait in #​20933)

Patch Changes

• Fix CSS modules composes so composes: foo from "./self.module.css" from inside self.module.css no longer creates a duplicate module instance. Fix CSS modules composes parsing so local() and global() function wrappers are tracked per class name. Fix CSS modules composes: ... from "<file>" so the composed files load in an order consistent with every rule's local composes order, instead of source first-appearance order. (by @​alexander-akait in #​20929)

• Avoid emitting the __webpack_require__ runtime in CSS bundles when all imported CSS modules were concatenated into the same scope. (by @​alexander-akait in #​20936)

• Recompute the CSS chunk's [contenthash] and the rendered CSS bytes when an asset referenced by url()/src()/string in CSS changes its hashed filename. (by @​alexander-akait in #​20938)

• Embed an inline sourceMappingURL data URI inside the CSS when the parser.exportType option are text, style, or css-style-sheet. Also merge @imported CSS at build time for text and css-style-sheet exportTypes so the bundle ships a single accurate inline source map covering every contributing file. Map each generated CSS-module class export line in the JS bundle back to its selector position in the original CSS file (e.g. btn: "..." → .btn { ... }). (by @​alexander-akait in #​20886)

• Fix CSS modules deduplication so a .module.<ext> file imported both directly (JS) and via icss (composes from / :import) becomes a single module instance. (by @​alexander-akait in #​20929)

• Preserve @charset at-rule when CSS modules use exportType: "text". (by @​alexander-akait in #​20912)

• Resolve [hash]/[fullhash] placeholders in output.publicPath when generating url() references for experiments.css. (by @​alexander-akait in #​20879)

• Fix HMR for concatenated CSS modules with style exportType by using stable per-module identifiers for injected style elements and tracking inner module IDs of concatenated modules in HMR records (by @​xiaoxiaojx in #​20911)

• Fix CSS Modules @value resolution when the same local name is imported from multiple modules. (by @​alexander-akait in #​20940)

• Fix typeof ns.default / ns.default instanceof X on a static import defer * as ns from "./mod" for default-only and default-with-named external modules under optimization.concatenateModules. The concatenated-module rewrite was collapsing ns.default to the deferred-namespace proxy itself instead of routing through the optimized .a getter (which lazily evaluates the module and returns its default value), so typeof ns.default observed "object" (the proxy) rather than the type of the default. The dynamic exportsType already used .a correctly; default-only and default-with-named now match. (by @​alexander-akait in #​20910)

• Make import defer * as ns more spec-compliant: ns.x = value no longer triggers module evaluation (per the TC39 import-defer [[Set]] algorithm), and the deferred namespace is now a distinct object from the eager namespace, with the same Deferred Module Namespace Exotic Object shared across defer-import call sites for the same module. (by @​alexander-akait in #​20913)

• Fixed spec deviations in the deferred namespace object returned by __webpack_require__.z (import defer * as ns / import.defer(...)). (by @​alexander-akait in #​20910)

• Drop the __webpack_require__, __webpack_require__.d, and __webpack_require__.o runtime helpers from library: { type: "module" } bundles when the on-demand exports source they were emitted for ends up dropped (e.g. a single concatenated entry without an IIFE). (by @​alexander-akait in #​20901)

• Resolve the static specifier of a dynamic import() whose argument is a side-effect-free SequenceExpression, e.g. import((1, 0, "./mod.js")) is now treated the same as import("./mod.js") instead of being rejected as unresolvable. (by @​alexander-akait in #​20917)

• Stable shared module ids and runtime-chunk emission order. (by @​imccausl in #​20860)

• Fix snapshot validity check for context dependencies in watch mode by treating watchpack's existence-only entries ({}) as cache misses. (by @​alexander-akait in #​20916)

• Support no-expression template literals in computed member access (e.g. import.meta[`url`]). (by @​alexander-akait in #​20889)

• Improve tree-shaking in isPure: handle more expression types (ArrayExpression, ObjectExpression, NewExpression, ChainExpression, UnaryExpression (safe operators), MetaProperty, TaggedTemplateExpression, BinaryExpression (strict equality)), prevent /*#__PURE__*/ comments from leaking across ObjectExpression properties, and detect PURE comments inside TemplateLiteral interpolations. (by @​alexander-akait in #​20723)

• Reject new import.defer(...) and new import.source(...) as a parse-time SyntaxError, matching the spec — ImportCall is a CallExpression and is not a valid operand of new. Parenthesized forms (new (import.defer(...))) remain valid and continue to throw TypeError at runtime as before. (by @​alexander-akait in #​20917)

• Escape # characters that appear inside a path-shaped request's directory portion before passing the request to the resolver, so projects located in directories like /home/user/proj#1 (and tools like webpack-dev-server that build entry requests with query strings) resolve correctly. The escape only kicks in when the request contains both a # in the path portion and a ? query string — paths without a query keep their existing semantics. (by @​alexander-akait in #​20980)

• Silence unhandled rejection from the prefetch trigger when chunk loading fails. The ensureChunkHandlers.prefetch runtime created Promise.all(promises).then(...) whose result is discarded by __webpack_require__.e. If chunk loading rejected (e.g. chunkLoadTimeout), that dangling chain produced an unhandled rejection. Prefetch is best-effort, so a no-op rejection handler is now attached. (by @​alexander-akait in #​20898)

• Align require() of an ES module with Node.js's require(esm) "module.exports" named-export convention. When CommonJS require() resolves to an ES module that exports a binding with the literal string name "module.exports" (e.g. export { value as "module.exports" }), require() now returns the value of that export instead of the module's namespace object — matching Node.js v22.12+/v23+ behavior and easing migration of dual ESM/CJS libraries that rely on module.exports = …. The unwrap applies to plain require(), require().foo, calls (require()(…)), destructuring, and to CJS wrappers like module.exports = require(esm) / exports.x = require(esm). (by @​alexander-akait in #​20981)

• Remove outdated @types/eslint-scope package from dependencies. (by @​alexander-akait in #​20869)

• Fix export * resolution when a star-reexported module re-exports a name back to the importer cyclically. Previously, in a graph where a does export * from "./b"; export * from "./c"; and b does export { foo } from "./a"; while c provides the actual foo binding, webpack hoisted foo from b into a's namespace without per-name cycle detection — emitting a getter chain (a.foo → b.foo → a.foo) that threw "Maximum call stack size exceeded" at runtime. The TC39 ResolveExport algorithm requires the cyclic branch to return null and the star loop to fall through to the non-cyclic source. (by @​alexander-akait in #​20959)

• Preserve using declaration initializers when the inner graph optimization is enabled. (by @​hai-x in #​20906)

• Fixed typescript types. (by @​alexander-akait in #​20880)

• Bump webpack-sources to ^3.4.1 and feed asset bytes into hashes via the new Source.prototype.buffers() API. For large ConcatSource/ReplaceSource outputs this avoids the intermediate Buffer.concat that source.buffer() performs, removing a peak-memory spike equal to the source's total size on each hashed asset (AssetGenerator.getFullContentHash, CssIcssExportDependency content hashing, and RealContentHashPlugin). A small benchmark on a 64 MiB ConcatSource shows ~64 MiB lower peak external memory and ~45% faster hashing. (by @​alexander-akait in #​20897)

[v5.106.2](https://redirect.github.com/webpack/webpack/blob/HEAD/

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 ready!

Name	Link
🔨 Latest commit	747d0aa
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a1b452522439a000708a304
😎 Deploy Preview	https://deploy-preview-1428.git-proxy.preview.finos.org
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 6 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

License Issues

website/package.json

Package	Version	License	Issue Type
@docusaurus/core	^3.10.1	Null	Unknown License
@docusaurus/plugin-google-gtag	^3.10.1	Null	Unknown License
@docusaurus/preset-classic	^3.10.1	Null	Unknown License
@docusaurus/theme-mermaid	^3.10.1	Null	Unknown License
ajv	^8.20.0	Null	Unknown License
eslint-plugin-react	^7.37.5	Null	Unknown License

Allowed Licenses:

MIT, MIT-0, Apache-2.0, BSD-3-Clause, BSD-3-Clause-Clear, ISC, BSD-2-Clause, Unlicense, CC0-1.0, 0BSD, X11, MPL-2.0, MPL-1.0, MPL-1.1, MPL-2.0, OFL-1.1, Zlib, BlueOak-1.0.0, Ubuntu-font-1.0, Artistic-2.0, Python-2.0, EPL-2.0

Excluded from license check:

pkg:npm/caniuse-lite, pkg:npm/path-is-inside, pkg:npm/unicode-match-property-value-ecmascript, pkg:npm/unicode-property-aliases-ecmascript, pkg:npm/uri-js

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@eslint/config-helpers	0.6.0	Unknown	Unknown
npm/@mermaid-js/layout-elk	0.2.1	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 10 SAST tool detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 59 existing vulnerabilities detected CI-Tests 🟢 10 8 out of 8 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 11 contributing companies or organizations
npm/agent-base	6.0.2	⚠️ 1.6	Details Check Score Reason Dangerous-Workflow ⚠️ -1 no workflows found Pinned-Dependencies ⚠️ -1 no dependencies found Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 1 Found 4/30 approved changesets -- score normalized to 1 Token-Permissions ⚠️ -1 No tokens found Packaging ⚠️ -1 packaging workflow not detected Maintained ⚠️ 0 project is archived CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License ⚠️ 0 license file not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/axios	1.16.1	🟢 7.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 4 Found 10/25 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits
npm/enhanced-resolve	5.22.0	🟢 6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 6/14 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/eslint	10.4.0	🟢 6.5	Details Check Score Reason Code-Review 🟢 8 Found 22/26 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits
npm/https-proxy-agent	5.0.1	🟢 3.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review ⚠️ 1 Found 1/8 approved changesets -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License ⚠️ 0 license file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/is-core-module	2.16.2	🟢 4.5	Details Check Score Reason Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 no SAST tool detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected
npm/react	19.2.6	🟢 6.6	Details Check Score Reason Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Fuzzing ⚠️ 0 project is not fuzzed
npm/react-dom	19.2.6	🟢 6.6	Details Check Score Reason Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 SAST ⚠️ 2 SAST tool is not run on all commits -- score normalized to 2 Fuzzing ⚠️ 0 project is not fuzzed
npm/resolve	2.0.0-next.7	🟢 7.1	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected SAST 🟢 10 SAST tool detected: CodeQL Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 24 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
npm/webpack	5.107.2	🟢 5.6	Details Check Score Reason Code-Review 🟢 3 Found 11/29 approved changesets -- score normalized to 3 Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies 🟢 10 all dependencies are pinned SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/webpack-sources	3.5.0	🟢 5.5	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 0/13 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/@docusaurus/core	^3.10.1	Unknown	Unknown
npm/@docusaurus/plugin-google-gtag	^3.10.1	Unknown	Unknown
npm/@docusaurus/preset-classic	^3.10.1	Unknown	Unknown
npm/@docusaurus/theme-mermaid	^3.10.1	Unknown	Unknown
npm/ajv	^8.20.0	Unknown	Unknown
npm/eslint-plugin-react	^7.37.5	Unknown	Unknown

Scanned Files

• website/package-lock.json
• website/package.json

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.65%. Comparing base (ffd6937) to head (747d0aa).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1428   +/-   ##
=======================================
  Coverage   90.65%   90.65%           
=======================================
  Files          69       69           
  Lines        5690     5690           
  Branches      985      985           
=======================================
  Hits         5158     5158           
  Misses        514      514           
  Partials       18       18           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.