2 hours ago
billboard.js

4.0.0-next.1

4.0.0-next.1 (2026-06-09)

Bug Fixes

  • types: Add file extensions to types (02c7bf6), closes #4097
  • types: Export shape option types from main entry point (#4109) (f4a236a), closes #4104
  • util: camelCase SVG tag/attribute matching in sanitizer (631ddc5), closes #4078 #4106
  • util: update sanitization function (#4105) (d492644)
  • zoom: fix drag zoom boundary release and circle transition desync (00f6859), closes #4131

Features

  • canvas: add canvas rendering mode (200c99e), #4134
  • esm: tree-shakable grid, regions, category modules (678e761), #4132

BREAKING CHANGES

  • esm: chart.export() and chart.flow() are no longer included automatically in the ESM build. Explicit import required:
import bb, { bar, exportApi, flow } from "billboard.js";

bb.generate({
 ...bar(),
 ...exportApi(),
 ...flow(),
 data: { ... } 
});

UMD bundle users are not affected.

3 hours ago
hono

v4.12.25

Security fixes

This release includes fixes for the following security issues:

CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard

Affects: hono/cors. Fixes the wildcard origin reflecting the request Origin and sending Access-Control-Allow-Credentials: true when credentials: true is set without an explicit origin, where any site a logged-in user visited could make credentialed cross-origin requests and read responses from cookie-authenticated endpoints. GHSA-88fw-hqm2-52qc

Body Limit Middleware can be bypassed on AWS Lambda by understating Content-Length

Affects: hono/body-limit on AWS Lambda (hono/aws-lambda, hono/lambda-edge). Fixes the request being built with the client-declared Content-Length while the body is delivered fully buffered, where a client could declare a small Content-Length with a much larger body and slip past the configured size limit. GHSA-rv63-4mwf-qqc2

Path traversal in serve-static on Windows via encoded backslash (%5C)

Affects: serveStatic on Windows (Node, Bun, Deno adapters). Fixes the path guard allowing a lone backslash, where an encoded backslash (%5C) decoded to \ was treated as a separator by the Windows path resolver, letting a single URL segment escape into a middleware-guarded subtree. GHSA-wwfh-h76j-fc44

AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice

Affects: hono/aws-lambda. Fixes multiple Set-Cookie response headers being joined into one comma-separated value for ALB single-header responses and VPC Lattice v2, where the value could not be split back into individual cookies and clients silently dropped or misparsed them. GHSA-j6c9-x7qj-28xf

Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Affects: hono/lambda-edge. Fixes repeated request headers being written with overwrite instead of append, where only the last value of a header such as X-Forwarded-For reached the application and the remaining values were silently dropped. GHSA-wgpf-jwqj-8h8p

6 hours ago
next.js

v16.3.0-canary.46

Misc Changes

  • docs: clarify next-env.d.ts regeneration: #94232
  • docs: add updateTag example to cacheTag page: #94508
  • Remove experimental.useNodeStreams flag as it's enabled: #93938
  • Remove dead cacheComponents web streams path: #93944
  • [ci] Disable on-call notification if manual deploy e2e tests failed: #94554
  • Reduce new test concurrency to five: #94552
  • fix(dev-overlay): Tidy up issues/insight menu and tab overlay: #94549
  • [turbopack] Remove WebAssembly helpers from the default runtime: #94373
  • docs: clarify use cache persistence across deploys: #93554
  • enable eviction by default: #94452
  • docs: fix onRequestError error type example: #94518
  • docs: move insight error pages from vercel/front to canary: #94564

Credits

Huge thanks to @SJvaca30, @aurorascharff, @timneutkens, @eps1lon, @sampoder, @icyJoseph, @lukesandberg, and @danyalahmed1995 for helping!

10 hours ago
electron

electron v43.0.0-beta.2

Note: This is a beta release. Please file new issues for any bugs you find in it.

This release is published to npm under the beta tag and can be installed via npm install electron@beta, or npm install electron@43.0.0-beta.2.

Release Notes for v43.0.0-beta.2

Fixes

  • Fixed an issue where the "Toggle Developer Tools" menu item failed to function correctly with BaseWindow. #51901 (Also in 41, 42)

Other Changes

  • Updated Node.js to v24.16.0. #51865
12 hours ago
mantine

9.3.1

What's Changed

  • [@mantine/notifications] Fix stale DOM nodes references not being cleaned up when notifications is closed (#8955)
  • [@mantine/dates] DateInput: Add presets support (#8954)
  • [@mantine/core] Collapse: Fix keepMounted prop not being set correctly (#8949)
  • [@mantine/core] Menu: Add controlled state support for Menu.Sub opened state
  • [@mantine/schedule] Fix incorrect current time indicator position when time does not divide evenly with interval minutes in DayView and WeekView (#8945)
  • [@mantine/core] Popover: Fix context menu not working on iOS touch devices (#8942)
  • [@mantine/core] SegemntedControl: Fix incorrect indicator border-radius calculation (#8904)
  • [@mantine/core] PinInput: Fix incorrect placeholder text centering (#8943)
  • [@mantine/core] Tree: Fix arrow key navigation focusing hidden nodes when keepMounted is set (#8939)
  • [@mantine/core] MaskInput: Fix compatibility issues with uncontrolled use-form (#8947)
  • [@mantine/hooks] use-id: Fix id changing to new value with Activity (#8925)

New Contributors

Full Changelog: https://github.com/mantinedev/mantine/compare/9.3.0...9.3.1

13 hours ago
astro

@astrojs/markdown-satteri@0.3.0-alpha.0

Minor Changes

  • #16969 4a31f90 Thanks @Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

    // astro.config.mjs
    import { satteri } from '@astrojs/markdown-satteri';
    
    export default defineConfig({
      markdown: {
        processor: satteri(),
        syntaxHighlight: 'prism',
      },
    });
13 hours ago
astro

@astrojs/mdx@6.0.0-alpha.1

Patch Changes

  • #16969 4a31f90 Thanks @Princesseuh! - Adds support for Prism syntax highlighting to the Sätteri Markdown and MDX processors. Setting markdown.syntaxHighlight to 'prism' now highlights your code blocks with Prism.

    // astro.config.mjs
    import { satteri } from '@astrojs/markdown-satteri';
    
    export default defineConfig({
      markdown: {
        processor: satteri(),
        syntaxHighlight: 'prism',
      },
    });
  • Updated dependencies [4a31f90]:

    • @astrojs/markdown-satteri@0.3.0-alpha.0
13 hours ago
astro

@astrojs/cloudflare@14.0.0-alpha.1

Patch Changes

  • #16990 ebeb830 Thanks @ocavue! - Fixes a build crash when using experimental.advancedRouting with a custom fetchFile that statically imports cf from @astrojs/cloudflare/fetch. The circular dependency between @astrojs/cloudflare/fetch and astro/app/entrypoint caused createApp or createGetEnv to be undefined at module evaluation time. Initialization is now deferred to the first cf() call, breaking the cycle.

  • #16671 fd926fd Thanks @alexanderniebuhr! - Removes deprecations warnings added in Astro v6 for Cloudflare specific Astro.locals properties.

  • Updated dependencies [1f07343, 1e000e2, c63e7e4, ebeb830, 10229f7]:

    • astro@7.0.0-alpha.2
    • @astrojs/underscore-redirects@1.0.3
13 hours ago
astro

astro@7.0.0-alpha.2

Major Changes

  • #16610 c63e7e4 Thanks @matthewp! - Adds background dev server management for AI coding agents.

    When an AI coding agent is detected, astro dev now automatically starts the dev server as a detached background process. This prevents the dev server from blocking the agent's terminal and allows it to continue working while the server runs.

    A lock file (.astro/dev.json) is written when the dev server starts, recording the server's URL, port, and PID. This prevents duplicate servers from being started for the same project.

    New flag and subcommands

    • astro dev --background — Start the dev server as a background process (this is what runs automatically when an agent is detected).
    • astro dev stop — Stop a running background dev server.
    • astro dev status — Check if a dev server is running and display its URL, PID, and uptime.
    • astro dev logs — View logs from a background dev server. Use --follow (-f) to stream new output as it's written.

    These allow you to start and manage dev servers programmatically and were designed with AI coding agents in mind.

    What should I do?

    No action is required. If you are not using an AI coding agent, astro dev behaves exactly as before. If you are using an agent, background mode is enabled automatically — the agent will receive the server URL and PID, and can use astro dev stop to shut it down.

    To opt out of automatic background mode when an agent is detected, set the environment variable ASTRO_DEV_BACKGROUND=0 before running astro dev.

  • #16725 10229f7 Thanks @ArmandPhilippot! - Removes deprecated APIs exported from astro:transitions.

    In Astro 6.x, some helpers available in astro:transitions and astro:transitions/client were deprecated.

    In Astro 7.0, the following APIs can no longer be used in your project:

    • TRANSITION_BEFORE_PREPARATION
    • TRANSITION_AFTER_PREPARATION
    • TRANSITION_BEFORE_SWAP
    • TRANSITION_AFTER_SWAP
    • TRANSITION_PAGE_LOAD
    • isTransitionBeforePreparationEvent()
    • isTransitionBeforeSwapEvent()
    • createAnimationScope()

    What should I do?

    Remove any occurrence of createAnimationScope():

    -import { createAnimationScope } from 'astro:transitions';

    Replace any occurrence of the other APIs using the lifecycle event names directly:

    -import {
    -	TRANSITION_AFTER_SWAP,
    -	isTransitionBeforePreparationEvent,
    -} from 'astro:transitions/client';
    
    -console.log(isTransitionBeforePreparationEvent(event));
    +console.log(event.type === 'astro:before-preparation');
    
    -console.log(TRANSITION_AFTER_SWAP);
    +console.log('astro:after-swap');

    Learn more about all utilities available in the View Transitions Router API Reference.

Patch Changes

  • #16980 1f07343 Thanks @matthewp! - Removes state.provide(), state.resolve(), state.finalizeAll(), and App.Providers from the public advanced routing API. These context provider extension points are now internal-only. If you were using them in an integration, use locals to share per-request state instead.

  • #16982 1e000e2 Thanks @matthewp! - Improves the warning when accessing Astro.session without session storage configured. The session property is now always defined on the context object, and accessing it without configuration logs a helpful message instead of silently returning undefined.

  • #16990 ebeb830 Thanks @ocavue! - Fixes Astro.request.url not reflecting validated X-Forwarded-Proto/X-Forwarded-Host headers when security.allowedDomains is configured. Previously, only Astro.url was updated with the forwarded origin while Astro.request.url retained the socket-derived URL, causing the two to diverge behind TLS-terminating proxies.

13 hours ago
astro

@astrojs/svelte@9.0.0-alpha.2

Minor Changes

  • #16549 9d9d516 Thanks @ocavue! - Updates @sveltejs/vite-plugin-svelte to v7. No user action is necessary.