Bump serialize-javascript, nuxt and webpack in /nuxt-supabase-auth

[dependabot]

Bumps serialize-javascript to 7.0.5 and updates ancestor dependencies serialize-javascript, nuxt and webpack. These dependencies need to be updated together.

Updates serialize-javascript from 5.0.1 to 7.0.5

Release notes

Sourced from serialize-javascript's releases.

v7.0.5

Fixes

• Improve robustness and validation for array-like object serialization.
• Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

What's Changed

• release: v7.0.4 by @​okuryu in yahoo/serialize-javascript#211

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

• fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207) 2e609d0
• build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206) 42b7cdb

---

yahoo/serialize-javascript@v7.0.2...v7.0.3

v7.0.2

What's Changed

• ci: bump GitHub Actions to latest versions by @​okuryu in yahoo/serialize-javascript#203
• ci: setup trusted publishing workflow by @​okuryu in yahoo/serialize-javascript#204
• release: v7.0.2 by @​okuryu in yahoo/serialize-javascript#205

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

What's Changed

• Add warning about using this package to send arbitrary data to worker threads by @​valadaptive in yahoo/serialize-javascript#200
• security: sanitize function bodies by @​redonkulus in yahoo/serialize-javascript#199
• docs: tweak README by @​okuryu in yahoo/serialize-javascript#201
• release: v7.0.1 by @​okuryu in yahoo/serialize-javascript#202

New Contributors

• @​redonkulus made their first contribution in yahoo/serialize-javascript#199

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0

Breaking Changes

• requires Node.js v20+

What's Changed

• Bump mocha from 10.2.0 to 10.4.0 by @​dependabot[bot] in yahoo/serialize-javascript#178

... (truncated)

Commits

• df3f1c1 release: v7.0.5
• f147e90 Merge commit from fork
• eec32e0 release: v7.0.4
• d505715 7.0.3
• 2e609d0 fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207)
• 42b7cdb build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206)
• 44f544b release: v7.0.2 (#205)
• bba0ddd ci: setup trusted publishing workflow (#204)
• 235f6ea ci: bump GitHub Actions to latest versions (#203)
• f7fff15 release: v7.0.1 (#202)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for serialize-javascript since your current version.

Updates nuxt from 2.15.8 to 4.4.6

Release notes

Sourced from nuxt's releases.

v4.4.6

4.4.6 is the next patch release.

👉 Changelog

compare changes

🩹 Fixes

• vite: Use spa entry for vite-node fallback (#35037)
• vite: Invalidate SSR module cache when modules are invalidated via plugin hooks (a86657a0e)
• nuxt: Match deduplicated resolveComponent calls in jsx blocks (#35028)
• nuxt: Prefer our own builder/server deps (#35029)
• nuxt: Update useFetch key even with watch: false (#35002)
• nitro: Mark @babel/plugin-syntax-typescript as optional peer dep (#35041)
• nitro: Add json extension to payload cache items (#35043)
• nuxt: Handle errors fetching app manifest (#35050)
• nuxt: Encode html-significant characters in external redirect body (#35052)
• nuxt: Preserve setPageLayout props on same-path navigation (#35055)
• vite: Don't strip buildAssetsDir from vite-node SSR ids (#35040)
• nuxt: Mark useLoadingIndicator properties as readonly (#35062)
• vite: Strip queries in css inline styles map (#35067)
• nitro: Validate island request hash matches props (#35077)
• nitro: Use regexp to strip query (163e18d4b)
• nitro: Use statusCode for nitro v2 compatibility (952f6841e)
• nitro-server: Re-export h3 named symbols statically (cd99001c8)
• nuxt: Render component-less parent routes during client-side nav (#35036)
• kit: Respect tsConfig.exclude in legacy tsconfig.json (#35079)
• nuxt: Run middleware for page islands (#35092)

💅 Refactors

• rspack,webpack: Extract same-origin check for dev middleware (#35051)

📖 Documentation

• Remove CSB, set node 22 and use steps for clarity (#35066)

🏡 Chore

• One more type, one more (50dcf15bb)
• Remove unneeded (?) overrides (6997093af)
• Use explicit versions for fixture dependencies (294a734d4)
• Ignore link-like syntax in code (2584a549c)
• Narrow engines.node in test (5bb17fb47)
• Remove unused import (a52d78626)

✅ Tests

• Relax relative time assertion (c3dcd16f9)
• Add type (732d844ad)
• Drop h3 v2 types (8286e5fcd)

🤖 CI

• Clean up agent-scan workflow (ab8317547)
• Continue autofix workflow when test:engines fails (3025e561e)
• Improve workflows (#35088)

❤️ Contributors

• Daniel Roe (@​danielroe)

... (truncated)

Commits

• 30a45f7 v4.4.6
• e881fe8 fix(nuxt): run middleware for page islands (#35092)
• 3310097 fix(nuxt): render component-less parent routes during client-side nav (#35036)
• b29f805 chore(deps): update all non-major dependencies (4.x) (#35075)
• e9cddf4 fix(nitro): validate island request hash matches props (#35077)
• 7499721 fix(nuxt): mark useLoadingIndicator properties as readonly (#35062)
• 38507a8 chore(deps): update dependency cssnano to v8 (4.x) (#35038)
• 5abe6d3 chore(deps): update all non-major dependencies (4.x) (#35046)
• 4bdd9dd fix(nuxt): preserve setPageLayout props on same-path navigation (#35055)
• 1ca9c44 fix(nuxt): encode html-significant characters in external redirect body (#35052)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for nuxt since your current version.

Updates webpack from 4.46.0 to 5.107.1

Release notes

Sourced from webpack's releases.

v5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #21001)

• Narrow TemplatePathFn callback types by context. pathData.chunk is now non-optional for chunk filename callbacks (output.filename, chunkFilename, cssFilename, cssChunkFilename, htmlFilename, htmlChunkFilename, optimization.splitChunks.cacheGroups[*].filename), and pathData.module is non-optional for module filename callbacks (output.assetModuleFilename, per-module generator.filename / generator.outputPath, module.parser.css.localIdentName). (by @​alexander-akait in #20987)

• Tighten the CreateData typedef in NormalModuleFactory. CreateData now represents the fully-populated value passed to the createModule, module, and createModuleClass hooks (NormalModuleCreateData & { settings: ModuleSettings }), while ResolveData.createData is typed as Partial<CreateData> to reflect the empty initial state. Plugins tapping those hooks no longer need to cast individual fields away from optional. (by @​alexander-akait in #20992)

• Stop webpackPrefetch / webpackPreload magic comments from leaking across import() call sites that share a webpackChunkName. When two imports targeted the same named chunk and only one of them set webpackPrefetch: true, the prefetch directive was applied from every parent chunk that referenced the named chunk. Prefetch and preload orders are now resolved per import() call site instead of from the shared chunk group's accumulated options. (by @​alexander-akait in #20994)

• Fix [fullhash:N] and [hash:N] (with length suffix) in output.publicPath not being interpolated at runtime. The detection regex in RuntimePlugin only matched [fullhash] / [hash] without a length suffix, so the PublicPathRuntimeModule was not flagged as a full-hash module and __webpack_require__.p was emitted with the placeholder XXXX left in place (e.g. out/XXXX/) instead of the real hash truncated to the requested length. (by @​alexander-akait in #21004)

• Re-export ModuleNotFoundError from webpack/lib/ModuleNotFoundError for backward compatibility with old plugins that import it from that path. This re-export will be removed in webpack 6. (by @​alexander-akait in #20988)

v5.107.0

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #20925)

• Add experimental TypeScript support via experiments.typescript: true (auto-enabled by experiments.futureDefaults). Uses Node.js's built-in module.stripTypeScriptTypes (Node.js >= 22.6 with the stable mode: "strip" API, including Node.js 26) to transform .ts, .cts, .mts, data:text/typescript, and data:application/typescript modules — no type checking, only erasable TypeScript (types, generics, import type, casts). .tsx/JSX and non-erasable syntax (enum, namespace, parameter-property constructors, decorator metadata) are NOT supported; use a TSX-capable loader (e.g. ts-loader, swc-loader) for those. (by @​alexander-akait in #20964)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #21001)

• Narrow TemplatePathFn callback types by context. pathData.chunk is now non-optional for chunk filename callbacks (output.filename, chunkFilename, cssFilename, cssChunkFilename, htmlFilename, htmlChunkFilename, optimization.splitChunks.cacheGroups[*].filename), and pathData.module is non-optional for module filename callbacks (output.assetModuleFilename, per-module generator.filename / generator.outputPath, module.parser.css.localIdentName). (by @​alexander-akait in #20987)

• Tighten the CreateData typedef in NormalModuleFactory. CreateData now represents the fully-populated value passed to the createModule, module, and createModuleClass hooks (NormalModuleCreateData & { settings: ModuleSettings }), while ResolveData.createData is typed as Partial<CreateData> to reflect the empty initial state. Plugins tapping those hooks no longer need to cast individual fields away from optional. (by @​alexander-akait in #20992)

• Stop webpackPrefetch / webpackPreload magic comments from leaking across import() call sites that share a webpackChunkName. When two imports targeted the same named chunk and only one of them set webpackPrefetch: true, the prefetch directive was applied from every parent chunk that referenced the named chunk. Prefetch and preload orders are now resolved per import() call site instead of from the shared chunk group's accumulated options. (by @​alexander-akait in #20994)

• Fix [fullhash:N] and [hash:N] (with length suffix) in output.publicPath not being interpolated at runtime. The detection regex in RuntimePlugin only matched [fullhash] / [hash] without a length suffix, so the PublicPathRuntimeModule was not flagged as a full-hash module and __webpack_require__.p was emitted with the placeholder XXXX left in place (e.g. out/XXXX/) instead of the real hash truncated to the requested length. (by @​alexander-akait in #21004)

• Re-export ModuleNotFoundError from webpack/lib/ModuleNotFoundError for backward compatibility with old plugins that import it from that path. This re-export will be removed in webpack 6. (by @​alexander-akait in #20988)

5.107.0

Minor Changes

• Add module.generator.javascript.anonymousDefaultExportName option to control whether webpack sets .name to "default" for anonymous default export functions and classes per ES spec. Defaults to true for applications and false for libraries (when output.library is set) to avoid unnecessary bundle size overhead. Also extract anonymous default export .name fix-up into a shared runtime helper (__webpack_require__.dn), replacing repeated inline Object.defineProperty / Object.getOwnPropertyDescriptor calls with a single short call per module to reduce output size. (by @​xiaoxiaojx in #20894)

• Support module concatenation (scope hoisting) for CSS modules with text, css-style-sheet, style, and link export types (by @​xiaoxiaojx in #20851)

• The generator.exportsConvention function form for CSS modules now accepts string[] in addition to string. (by @​alexander-akait in #20914)

• Add linkInsert hook to CssLoadingRuntimeModule.getCompilationHooks(compilation) so plugin developers can control where stylesheet <link> elements are inserted into the document. (by @​alexander-akait in #20947)

• Add CssModulesPlugin.getCompilationHooks(compilation).orderModules hook. (by @​alexander-akait in #20978)

• Add a pure parser option for css/module and css/auto types matching postcss-modules-local-by-default's pure mode: every selector must contain at least one local class or id, otherwise webpack emits a build error. (by @​alexander-akait in #20946)

• Support CSS Modules @value identifiers as @import URLs and inside url() functions, e.g. @value path: "./other.css"; @import path; and @value bg: "./image.png"; .a { background: url(bg); } (by @​alexander-akait in #20925)

... (truncated)

Commits

• a1ce7eb chore(release): new release (#20989)
• 916810e test: lock chunk filenames stay verbatim for scoped names (#21006)
• 72ef0fb fix: tree-shake CommonJS exports through const NAME = require(LITERAL) bind...
• 6c5f2f8 docs: tighten AGENTS.md rules for directory listings, branch names, and PR te...
• 9edcb3d fix: interpolate [fullhash:N] / [hash:N] in output.publicPath at runtime (#21...
• e3ba2ff fix: emit \<link rel=stylesheet> for CSS chunks reachable from `<script src>...
• 1097a7f fix(html): align walkHtmlTokens with WHATWG spec (#21000)
• 67b7419 fix: allow devtool and SourceMapDevToolPlugin to coexist on the same asset (#...
• 294197c fix: correct createParser/createGenerator hook types in `NormalModuleFact...
• ec6ad34 chore(deps): bump codecov/codecov-action in the dependencies group (#20995)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.