15 hours ago
axios

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

  • @raashish1601 (#10573)
  • @Kilros0817 (#10625)
  • @ashstrc (#10624)
  • @Abhi3975 (#10589)
  • @theamodhshetty (#7452)

15 hours ago
vite

v8.0.7

Please refer to CHANGELOG.md for details.

16 hours ago
tldraw

v4.5.8

Generated from commits between v4.5.8 and HEAD

16 hours ago
jotai

v2.19.1

This release includes several small refactors to improve performance.

What's Changed

New Contributors

Full Changelog: https://github.com/pmndrs/jotai/compare/v2.19.0...v2.19.1

19 hours ago
vite

v8.0.6

Please refer to CHANGELOG.md for details.

1 day ago
hono

v4.12.12

Security fixes

This release includes fixes for the following security issues:

Middleware bypass via repeated slashes in serveStatic

Affects: Serve Static middleware. Fixes a path normalization inconsistency where repeated slashes (//) could bypass route-based middleware protections and allow access to protected static files. GHSA-wmmm-f939-6g9c

Path traversal in toSSG() allows writing files outside the output directory

Affects: toSSG() for Static Site Generation. Fixes a path traversal issue where crafted ssgParams values could write files outside the configured output directory. GHSA-xf4j-xp2r-rqqx

Incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses

Affects: IP Restriction Middleware. Fixes improper handling of IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) that could cause allow/deny rules to be bypassed. GHSA-xpcf-pg52-r92g

Missing validation of cookie name on write path in setCookie()

Affects: setCookie(), serialize(), and serializeSigned() from hono/cookie. Fixes missing validation of cookie names on the write path, preventing inconsistent handling between parsing and serialization. GHSA-26pp-8wgv-hjvm

Non-breaking space prefix bypass in cookie name handling in getCookie()

Affects: getCookie() from hono/cookie. Fixes a discrepancy in cookie name handling that could allow attacker-controlled cookies to override legitimate ones and bypass prefix protections. GHSA-r5rp-j6wh-rvv4

Users who use Serve Static, Static Site Generation, Cookie utilities, or IP restriction middleware are strongly encouraged to upgrade to this version.

1 day ago
next.js

v16.2.1-canary.24

Core Changes

  • chore: Upgrade to pnpm 10.x: #92283
  • fix(server-hmr): metadata routes overwrite page runtime HMR handler: #92273
  • Turbopack: Add a check for node version before allowing workerThreads: #91614

Misc Changes

  • turbo-persistence: optimize file syncing: #90542
  • Bump turborepo from 2.8.11 to 2.9.4: #92425
  • Turbopack: Remove turbo_tasks::apply_effects, use Effects::apply instead: #91858

Credits

Huge thanks to @bgw, @wbinnssmith, and @lukesandberg for helping!

1 day ago
electron

electron v42.0.0-beta.1

Note: This is a beta release. Please file new issues for any bugs you find in it.

This release is published to npm under the beta tag and can be installed via npm install electron@beta, or npm install electron@42.0.0-beta.1.

Release Notes for v42.0.0-beta.1

Features

  • Added allowExtensions privilege to protocol.registerSchemesAsPrivileged() to enable Chrome extensions on custom protocols. #50530 (Also in 40, 41)

Fixes

  • BrowserWindow now enforces min/max size constraints on window creation, even if they conflict with the requested width and height. #50754 (Also in 41)
  • Fixed a crash when calling contentTracing.getTraceBufferUsage() while a trace session is active. #50592 (Also in 39, 40, 41)
  • Fixed an intermittent Invoke in DisallowJavascriptExecutionScope crash on application quit when a WebContents (or other JS-emitting native object) is garbage-collected during shutdown. #50695 (Also in 40, 41)
  • Fixed an issue on macOS where show/hide events and WebContents visibility state could be reported incorrectly when multiple WebContentsViews were attached to a window. #50712 (Also in 40, 41)
  • Fixed an issue where concurrent getFileHandle requests on the same path could stall indefinitely. #50671 (Also in 40, 41)
  • Fixed an issue where custom options in webContents.print() did not prefill the print dialog on macOS. #50643
  • Fixed an issue where margins did not look as expected when printing in silent mode. #50653 (Also in 41)
  • Fixed an issue where the webContents.print() callback may not fire correctly in some cases. #50603 (Also in 41)
  • Fixed certain DevTools extension panels not showing without a page reload. #50640
  • Fixed native notification clicks not focusing the application window on Wayland. #50669
  • Fixed the appearance of maximized windows on GNOME in Wayland, especially when non-default GTK themes like Breeze are set. #50644 (Also in 41)
  • Removed "representedObject is not a WeakPtrToElectronMenuModelAsNSObject" logging when interacting with macOS menus. #50614 (Also in 41)

Other Changes

  • Enabled profile-guided optimization for V8 builtins in release builds, improving JavaScript builtin performance (Array, String, RegExp, etc.). #50573 (Also in 40, 41)
  • Updated Node.js to v24.14.1. #50479

1 day ago
next.js

v16.2.1-canary.23

Core Changes

  • Allow for parsing app route strings with and without slot names.: #92327

Misc Changes

  • use sorted inserts to improve builder performance: #91553
  • [tests]: remove unnecessary skipDeployment flags: #92423

Credits

Huge thanks to @lukesandberg, @ztanner, and @gnoff for helping!

1 day ago
next.js

v16.2.1-canary.22

Core Changes

  • Handle edge runtime in places that import node:stream: #92354
  • fix: add AGENTS.md at package root for agent discovery: #92376
  • Fix fallback route params case in app-page handler: #91737

Credits

Huge thanks to @timneutkens, @aurorascharff, and @ijjk for helping!