Bump the npm_and_yarn group across 7 directories with 13 updates

[dependabot]

Bumps the npm_and_yarn group with 9 updates in the / directory:

Package	From	To
webpack	5.98.0	5.104.1
zx	8.4.1	8.8.5
webpack-dev-server	5.2.0	5.2.1
@hono/node-server	1.14.0	1.19.10
hono	4.7.5	4.12.7
glob	11.0.1	12.0.0
lodash	4.17.21	4.17.23
axios	1.8.4	1.13.5
mermaid	11.6.0	11.10.0

Bumps the npm_and_yarn group with 1 update in the /crates/rustbolt_resolver directory: axios.
Bumps the npm_and_yarn group with 1 update in the /crates/rustbolt_resolver/fixtures/pnpm directory: axios.
Bumps the npm_and_yarn group with 1 update in the /packages/rustbolt directory: webpack-dev-server.
Bumps the npm_and_yarn group with 1 update in the /packages/rustbolt-dev-server directory: webpack-dev-server.
Bumps the npm_and_yarn group with 3 updates in the /packages/rustbolt-test-tools directory: webpack, glob and lodash.
Bumps the npm_and_yarn group with 2 updates in the /scripts directory: zx and glob.

Updates webpack from 5.98.0 to 5.104.1

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

• 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
• c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

• d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
• d3dd841: Enhance import.meta.env to support object access.
• 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
• 04cd530: Handle more at-rules for CSS modules.
• cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
• d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
• 5983843: Provide a stable runtime function variable __webpack_global__.
• d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

• 22c48fb: Added module existence check for informative error message in development mode.
• 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
• d3dd841: Support universal lazy compilation.
• d3dd841: Fixed module library export definitions when multiple runtimes.
• d3dd841: Fixed CSS nesting and CSS custom properties parsing.
• d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
• aab1da9: Fixed bugs for css/global type.
• d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
• d3dd841: Handle nested __webpack_require__.
• 728ddb7: The speed of identifier parsing has been improved.
• 0f8b31b: Improve types.
• d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
• 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
• d3dd841: Serialize HookWebpackError.
• d3dd841: Added ability to use built-in properties in dotenv and define plugin.
• 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
• d3dd841: Reduce collision for local indent name in CSS.
• d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

• Added DotenvPlugin and top level dotenv option to enable this plugin
• Added WebpackManifestPlugin
• Added support the ignoreList option in devtool plugins
• Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

• 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
• c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

• d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
• d3dd841: Enhance import.meta.env to support object access.
• 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
• 04cd530: Handle more at-rules for CSS modules.
• cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
• d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
• 5983843: Provide a stable runtime function variable __webpack_global__.
• d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

• 22c48fb: Added module existence check for informative error message in development mode.
• 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
• d3dd841: Support universal lazy compilation.
• d3dd841: Fixed module library export definitions when multiple runtimes.
• d3dd841: Fixed CSS nesting and CSS custom properties parsing.
• d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
• aab1da9: Fixed bugs for css/global type.
• d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
• d3dd841: Handle nested __webpack_require__.
• 728ddb7: The speed of identifier parsing has been improved.
• 0f8b31b: Improve types.
• d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
• 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
• d3dd841: Serialize HookWebpackError.
• d3dd841: Added ability to use built-in properties in dotenv and define plugin.
• 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
• d3dd841: Reduce collision for local indent name in CSS.
• d3dd841: Remove CSS link tags when CSS imports are removed.

Commits

• 24e3c2d chore(release): new release (#20253)
• 2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
• c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
• 4b0501c ci: fix release (#20252)
• 0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
• 5bf8bc5 refactor: types for benchmarks and tests
• 505a5e7 chore(release): new release (#20188)
• 0c06680 refactor: update eslint configuration
• 2eb0d6a ci: release announcement (#20238)
• b2b2459 ci: cancel in progress (#20239)
• Additional commits viewable in compare view

Updates zx from 8.4.1 to 8.8.5

Release notes

Sourced from zx's releases.

8.8.5 — Temporary Reservoir

This release fixes the issue, when zx flushes external node_modules on linking #1348 #1349 #1355

Also globby@15.0.0 arrives here.

8.8.4 — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic. #1344 webpod/ps#15

1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

8.8.3 — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

8.8.2 — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

8.8.1 — Turbo Flush

We keep improving the projects internal infra to bring more stability, safety and performance for artifacts.

Featfixes

• Applied flags filtration for CLI-driven deps install #1308
• Added kill() event logging #1312
• Set SIGTERM as kill() fallback signal #1313
• Allowed stdio() arg be an array #1311

const p = $({halt: true})`cmd`
p.stdio([stream, 'ignore', 'pipe'])

Enhancements

• Added check for zx@lite pkg contents #1317 #1316
• Simplified ProcessPromise[asyncIterator] inners #1307
• Updated deps: chalk 5.6.0, fs-extra 11.3.1, yaml 2.8.1 #1309 #1323 #1326
• Added TS@next to the test matrix #1310
• Optimized internal shell setters #1314
• Refactored build-publish pipelines and scripts #1319 #1320 #1321 #1322 #1324 #1325 #1327

8.8.0 — Pressure Tested

This release enhances the coherence between the ProcessPromise and the Streams API, eliminating the need for certain script-level workarounds.

✨ New Features

unpipe() — Selectively stop piping

You can now call .unpipe() to stop data transfer from a source to a destination without closing any of the pair. #1302

</tr></table> 

... (truncated)

Commits

• 1ca9270 chore: pr template formatting (#1359)
• 52b01a1 chore: update pr template (#1358)
• 70ecf23 chore: update issue templates (#1357)
• 8b08fc0 chore: bump version to 8.8.5 (#1356)
• 6045c34 chore: update globby to v15 (#1354)
• a4d1bc2 fix: checks node_modules ref on linking (#1355)
• 9ef6d3c fix(cli): prevent external node_modules deletion with --prefer-local (#1349)
• cc2a4f7 ci: update zizmor to v1.15.1 (#1353)
• b47a5f0 ci: refactor smoke tests naming (#1352)
• 1fb8c9f ci: update gh actions (#1351)
• Additional commits viewable in compare view

Updates webpack-dev-server from 5.2.0 to 5.2.1

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

Commits

• 0d22a08 chore(release): 5.2.1
• 6045b1e chore(deps): update (#5444)
• ffd0b86 fix: take the first network found instead of the last one, this restores the ...
• 9ea7b08 ci: update dependency-review-action (#5442)
• 5c9378b Merge commit from fork
• d2575ad Merge commit from fork
• 8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
• 5a39c70 ci: update codecov/codecov-action to v5 (#5406)
• 55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
• 09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
• See full diff in compare view

Updates @hono/node-server from 1.14.0 to 1.19.10

Release notes

Sourced from @​hono/node-server's releases.

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in honojs/node-server#292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in honojs/node-server#293

New Contributors

• @​TransparentLC made their first contribution in honojs/node-server#292
• @​otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290
• chore: add configVersion to bun.lock by @​yusukebe in honojs/node-server#291

New Contributors

• @​tshmieldev made their first contribution in honojs/node-server#290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

v1.19.6

What's Changed

• fix(serve-static): fix onFound timing by @​usualoma in honojs/node-server#286

Full Changelog: honojs/node-server@v1.19.5...v1.19.6

v1.19.5

What's Changed

• fix: cancel a readable stream if a writable stream is closed before a readable stream is closed. by @​usualoma in honojs/node-server#280

Full Changelog: honojs/node-server@v1.19.4...v1.19.5

v1.19.4

... (truncated)

Commits

• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• 26f5e89 1.19.9
• 2d729e7 fix(globals): Stop overwriting global.fetch (#295)
• 9b72ddf 1.19.8
• 0b1229e fix(serve-static): Use Readable.toWeb in serveStatic (#293)
• 76d80e6 docs: add guide for listening to UNIX domain socket (#292)
• Additional commits viewable in compare view

Updates hono from 4.7.5 to 4.12.7

Release notes

Sourced from hono's releases.

v4.12.7

Security hardening

Ignore __proto__ path segments in parseBody({ dot: true }) to prevent potential prototype pollution when merged with unsafe patterns.

---

Full Changelog: honojs/hono@v4.12.6...v4.12.7

v4.12.6

What's Changed

• fix(accept): replace regex split to mitigate ReDoS by @​EdamAme-x in honojs/hono#4758
• fix(jsx): align link hoisting and dedupe with React 19 by @​usualoma in honojs/hono#4792
• chore(builld): tsconfig project references by @​BarryThePenguin in honojs/hono#4797
• chore: add tsconfig.spec.json by @​yusukebe in honojs/hono#4798
• feat(jsx-renderer): support function-based options by @​3w36zj6 in honojs/hono#4780
• fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X by @​t0waxx in honojs/hono#4782

New Contributors

• @​t0waxx made their first contribution in honojs/hono#4782

Full Changelog: honojs/hono@v4.12.5...v4.12.6

v4.12.5

What's Changed

• fix(request): return string | undefined from param() when path type is any by @​andrewdamelio in honojs/hono#4723
• fix(jwt): validate token format in decode and decodeHeader functions by @​otoneko1102 in honojs/hono#4752
• fix(jsx): Fix "Invalid state: Controller is already closed" by @​gaearon in honojs/hono#4770
• chore(eslint): upgrade @hono/eslint-config by @​BarryThePenguin in honojs/hono#4781

New Contributors

• @​andrewdamelio made their first contribution in honojs/hono#4723
• @​otoneko1102 made their first contribution in honojs/hono#4752
• @​gaearon made their first contribution in honojs/hono#4770

Full Changelog: honojs/hono@v4.12.4...v4.12.5

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

... (truncated)

Commits

• b0aba5b 4.12.7
• 1be3a53 ci: apply automated fixes
• ef90225 Merge commit from fork
• 3f88636 4.12.6
• 53b66ae fix(lambda-edge): avoid callback handler deprecation on NODEJS_24_X (#4782)
• 58825a7 feat(jsx-renderer): support function-based options (#4780)
• 0e80acb chore: add tsconfig.spec.json (#4798)
• d69deb8 chore(builld): tsconfig project references (#4797)
• 8217d9e fix(jsx): align link hoisting and dedupe with React 19 (#4792)
• 5086956 fix(accept): replace regex split to mitigate ReDoS (#4758)
• Additional commits viewable in compare view

Updates glob from 11.0.1 to 12.0.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 2b03cca 12.0.0
• d56203d prettier config
• bb521e5 Remove --shell option where unsafe to use
• 2551fb5 11.1.0
• 47473c0 bin: Do not expose filenames to shell expansion
• bc33fe1 skip tilde test on systems that lack tilde expansion
• 59bf9ca fix notes
• dde4fa6 docs(README): add #anchor and improve notes
• 0559b0e docs: add better links to path-scurry docs
• c9773c2 fix: correct typos in README.md
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for glob since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates lodash from 4.17.21 to 4.17.23

Commits

• dec55b7 Bump main to v4.17.23 (#6088)
• 19c9251 fix: setCacheHas JSDoc return type should be boolean (#6071)
• b5e6729 jsdoc: Add -0 and BigInt zeros to _.compact falsey values list (#6062)
• edadd45 Prevent prototype pollution on baseUnset function
• 4879a7a doc: fix autoLink function, conversion of source links (#6056)
• 9648f69 chore: remove yarn.lock file (#6053)
• dfa407d ci: remove legacy configuration files (#6052)
• 156e196 feat: add renovate setup (#6039)
• 933e106 ci: add pipeline for Bun (#6023)
• 072a807 docs: update links related to Open JS Foundation (#5968)
• Additional commits viewable in compare view

Updates axios from 1.8.4 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates mermaid from 11.6.0 to 11.10.0

Release notes

Sourced from mermaid's releases.

mermaid@11.10.0

Minor Changes

• #6744 daf8d8d Thanks @​SpecularAura! - feat: Added support for per link curve styling in flowchart diagram using edge ids

Patch Changes

• #6857 b9ef683 Thanks @​knsv! - feat: Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration

• #6653 2c0931d Thanks @​darshanr0107! - chore: Remove the "-beta" suffix from the XYChart, Block, Sankey diagrams to reflect their stable status

• #6683 33e08da Thanks @​darshanr0107! - fix: Position the edge label in state diagram correctly relative to the edge

• #6693 814b68b Thanks @​darshanr0107! - fix: Apply correct dateFormat in Gantt chart to show only day when specified

• #6734 fce7cab Thanks @​darshanr0107! - fix: handle exclude dates properly in Gantt charts when using dateFormat: 'YYYY-MM-DD HH:mm:ss'

• #6733 fc07f0d Thanks @​omkarht! - fix: fixed connection gaps in flowchart for roundedRect, stadium and diamond shape

• #6876 12e01bd Thanks @​sidharthv96! - fix: sanitize icon labels and icon SVGs

  Resolves CVE-2025-54880 reported by @​fourcube

• #6801 01aaef3 Thanks @​sidharthv96! - fix: Update casing of ID in requirement diagram

• #6796 c36cd05 Thanks @​HashanCP! - fix: Make flowchart elk detector regex match less greedy

• #6702 8bb29fc Thanks @​qraqras! - fix(block): overflowing blocks no longer affect later lines

  This may change the layout of block diagrams that have overflowing lines (i.e. block diagrams that use up more columns that the columns specifier).

• #6717 71b04f9 Thanks @​darshanr0107! - fix: log warning for blocks exceeding column width

  This update adds a validation check that logs a warning message when a block's width exceeds the defined column layout.

• #6820 c99bce6 Thanks @​kriss-u! - fix: Add escaped class literal name on namespace

• #6332 6cc1926 Thanks Description has been truncated