• #15312 72f7960 Thanks @ocavue! - Update @vitejs/plugin-react to v5.

• #15309 4b9c8b8 Thanks @ematipico! - Update the underneath @cloudflare/workers-types library to address a warning emitted by the package manager during the installation.

• #15255 a66783a Thanks @florian-lefebvre! - Fixes a case where the types of handle() could mismatch with the ones from the user's project. They now rely on globals, that can be obtained by running wrangler types

• Updated dependencies []:

  • @astrojs/underscore-redirects@1.0.0

• #15283 daf41c6 Thanks @eldair! - Updates validation to use Zod v4

• #14821 48ea241 Thanks @ocavue! - Update @sveltejs/vite-plugin-svelte to v6.

• #15308 89cbcfa Thanks @matthewp! - Fixes styles missing in dev for prerendered pages when using Cloudflare adapter

• #15279 8983f17 Thanks @ematipico! - Fixes an issue where the dev server would serve files like /README.md from the project root when they shouldn't be accessible. A new route guard middleware now blocks direct URL access to files that exist outside of srcDir and publicDir, returning a 404 instead.

• remove IE support, removed all polyfills
• update tooling, added Deno for lint, format, added rolldown for build, removed eslint, rollup, plugins, and others
• updated dependencies and components
• fixed all lint issues
• updated docs
• added publish workflow

• Bump terser from 5.14.1 to 5.14.2 by @dependabot[bot] in https://github.com/thednp/kute.js/pull/112
• Bump json5 from 1.0.1 to 1.0.2 by @dependabot[bot] in https://github.com/thednp/kute.js/pull/117
• Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot[bot] in https://github.com/thednp/kute.js/pull/121
• Bump rollup from 2.75.7 to 3.29.5 by @dependabot[bot] in https://github.com/thednp/kute.js/pull/124
• Bump js-yaml, eslint and eslint-config-airbnb-base by @dependabot[bot] in https://github.com/thednp/kute.js/pull/129
• Bump lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in https://github.com/thednp/kute.js/pull/130

• @dependabot[bot] made their first contribution in https://github.com/thednp/kute.js/pull/112

Full Changelog: https://github.com/thednp/kute.js/compare/2.0.16...2.2.5

• /pr-status (former /ci-failures): fetch PR reviews too: #89082
• Improve /pr-status: comments, argument, avoid full log: #89092
• chore(ci): rename 'new tests' jobs to 'new and changed tests': #89054
• Turbopack: Add postcss.config.ts support: #89049

Huge thanks to @sokra and @timneutkens for helping!

This release includes security fixes for multiple vulnerabilities in Hono and related middleware. We recommend upgrading if you are using any of the affected components.

Fixed an IPv4 address validation bypass that could allow IP-based access control to be bypassed under certain configurations.

Fixed an issue where responses marked with Cache-Control: private or no-store could be cached, potentially leading to information disclosure on some runtimes.

Fixed an issue that could allow unintended access to internal asset keys when serving static files with user-controlled paths.

Fixed a reflected Cross-Site Scripting (XSS) issue in the ErrorBoundary component that could occur when untrusted strings were rendered without proper escaping.

Users are encouraged to upgrade to this release, especially if they:

• Use IP Restriction Middleware
• Use Cache Middleware on Deno, Bun, or Node.js
• Use Serve Static Middleware with user-controlled paths on Cloudflare Workers
• Render untrusted data inside ErrorBoundary components

• IP Restriction Middleware – IPv4 address validation bypass

  • Advisory: https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh
  • CVE: CVE-2026-24398

• Cache Middleware ignores Cache-Control: private

  • Advisory: https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4
  • CVE: CVE-2026-24472

• Serve Static Middleware (Cloudflare Workers adapter) – Arbitrary key read

  • Advisory: https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p
  • CVE: CVE-2026-24473

• hono/jsx ErrorBoundary – Cross-Site Scripting (XSS)

  • Advisory: https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5
  • CVE: Pending

---

Full Changelog: https://github.com/honojs/hono/compare/v4.11.6...v4.11.7

• Improve no response route handler error: #89036

Huge thanks to @timneutkens for helping!

• feat: support import and export string specifier by @JSerFeng in https://github.com/web-infra-dev/rspack/pull/12759
• feat(mf): add async startup promise gating for entrypoints by @ScriptedAlchemy in https://github.com/web-infra-dev/rspack/pull/11899

• fix: require.resolve() replaced as require() by @intellild in https://github.com/web-infra-dev/rspack/pull/12773
• fix: handle rs.requireActual and rs.importActual in all contexts by @9aoy in https://github.com/web-infra-dev/rspack/pull/12806
• fix(mf): filter runtime plugin invocation for used exports by @ahabhgk in https://github.com/web-infra-dev/rspack/pull/12807
• fix: fix panic caused by missing lazy dependency by @hardfist in https://github.com/web-infra-dev/rspack/pull/12820
• fix(mf): use dynamic exports type for MF modules (cherry-pick #12841) by @ahabhgk in https://github.com/web-infra-dev/rspack/pull/12848
• fix: normalize paths for extract source map (cherry-pick #12825) by @ahabhgk in https://github.com/web-infra-dev/rspack/pull/12847
• fix: enable panic backtrace for release-debug by @hardfist in https://github.com/web-infra-dev/rspack/pull/12854
• fix: should not panic when accessing slate stats for Rspack 1.x by @SyMind in https://github.com/web-infra-dev/rspack/pull/12853
• fix(mf): cherry pick mf manifest improving to v1.x by @2heal1 in https://github.com/web-infra-dev/rspack/pull/12851

• refactor: use readonly ref in runtime requirements in tree hook by @stormslowly in https://github.com/web-infra-dev/rspack/pull/12789
• refactor: introduce ArtifactExt trait by @hardfist in https://github.com/web-infra-dev/rspack/pull/12800
• refactor: to use &Compilation in AdditionalTreeRuntimeRequirementsHook by @stormslowly in https://github.com/web-infra-dev/rspack/pull/12801
• refactor: differentiate snapshot strategies by dependency type by @jerrykingxyz in https://github.com/web-infra-dev/rspack/pull/12805

• chore: update Node.js version in .nvmrc to 22 by @chenjiahan in https://github.com/web-infra-dev/rspack/pull/12797
• chore: enable fair sched for codspeed by @CPunisher in https://github.com/web-infra-dev/rspack/pull/12798
• chore: try to make wasm test more stable by @CPunisher in https://github.com/web-infra-dev/rspack/pull/12795
• chore: disable generation of wasm binding by @CPunisher in https://github.com/web-infra-dev/rspack/pull/12802
• chore(test): uniform all time to X ms by @stormslowly in https://github.com/web-infra-dev/rspack/pull/12790
• test: hideSkippedTestFiles by @9aoy in https://github.com/web-infra-dev/rspack/pull/12812
• test: skip native watcher test case for skip chunk build case by @stormslowly in https://github.com/web-infra-dev/rspack/pull/12858

• @intellild made their first contribution in https://github.com/web-infra-dev/rspack/pull/12773

Full Changelog: https://github.com/web-infra-dev/rspack/compare/v1.7.3...v1.7.4