fix(security): update vulnerability-updates

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@swc/core (source)	1.11.31 -> 1.12.9
configcat-common (source)	9.3.1 -> 9.4.0
msw (source)	2.2.3 -> 2.10.3
ts-jest (source)	29.3.4 -> 29.4.0

---

Release Notes

swc-project/swc (@​swc/core)

v1.12.9

Compare Source

Bug Fixes

• (es/lexer) Parse uppercase hex numbers correctly (#​10728) (ead6256)

• (es/lexer) Allow keywords as jsx attribute names (#​10730) (04ef20a)

• (es/minifier) Fix top level option (#​10227) (485fced)

• (es/minifier) Do not drop self-referential class expressions (#​10710) (39e6c2e)

• (es/minifier) Mark cons and alt of CondExpr as ref (#​10740) (9649cc8)

• (es/minifier) Fix termination detection (#​10741) (87bc698)

• (es/parser) Allow non-prop operand in delete (#​10733) (38132e0)

Features

• (es/minifier) Hoist more properties (#​10707) (0f2c8d5)

• (es/transforms) Expose tsEnumIsMutable to JS (#​10716) (6b3ae00)

Performance

• (es/minifier) Make CharFreq::scan in mangler table-based (#​10679) (04d39aa)

• (ts/fast-strip) Use swc_ecma_parser::Lexer (#​10677) (ffe0292)

• Optimize Input::reset_to (#​10719) (8084066)

Refactor

• (es/lexer) Useless reset (#​10714) (c9eee0b)

• (es/lexer) Cleanup read_int (#​10727) (c5fb4b1)

• (es/parser) Remove read_number_no_dot (#​10703) (fa8607f)

• (es/parser) Remove needless branching (#​10717) (b0c23b2)

Testing

• (es/preset-env) Add entry import bench (#​10722) (9868b4d)

• Make codspeed concurrent on main branch (#​10711) (4392ce3)

v1.12.7

Compare Source

Bug Fixes

• (es/minifier) Fix condition for preserving properties (#​10694) (5c57a05)

• (es/minifier) Drop pure tagged string call expr (#​10702) (85cd9a7)

• (es/parser) Improve error message for template literals (#​10690) (a066b76)

• (es/parser) Rescan >= for JSX closing tag (#​10693) (fe82c4c)

• (es/parser) Support keywords as JSX member expression properties (#​10701) (643253d)

Features

• (es/parser) Add override and out keyword (#​10695) (636d7a3)

• (es/parser) Enable import attributes unconditionally (#​10706) (5ecc3ca)

• (es/parser) Expose Token API with unstable feature flag (#​10699) (750c7d4)

Performance

• (es/parser) Do not compare error each time (#​10696) (0ae0341)

Testing

• (es) Remove outdated test snapshots (#​10689) (03d520b)

v1.12.6

Compare Source

Bug Fixes

• (es/parser) Throw error if JSX does not end with > (#​10687) (cb3d6db)

• (es/react-compiler) Use tsx syntax for parser (#​10682) (a355e37)

• (hstr) Support MSRV = 1.86 (#​10673) (de19d1e)

• (ts/isolated-dts) Skip parameters without accessibility modifiers in private constructors (#​10675) (1976d8e)

Features

• (ts/fast-strip) Support JSX under a feature flag (#​10656) (6a70d17)

Miscellaneous Tasks

• (ecosystem-ci) Exclude react-leaflet (cfbb1f9)

Performance

• (es/lexer) Optimize number literal parsing with fast path (#​10655) (15d0828)

• (es/lexer) Reduce allocations while lexing numbers (#​10667) (115d228)

• (es/lexer) Introduce byte_search to reduce comparison operations (#​10668) (3806ffd)

• (es/lexer) Compare \n first (#​10669) (9c41e2f)

• (es/lexer) Optimize lexing of numbers with separators (#​10665) (cac651b)

• (es/minifier) Remove needless clones (#​10661) (5f4f7dd)

• (ts/fast-strip) Prealloc buf for codegen (#​10680) (a8347fe)

Refactor

• (ts/fast-strip) Rename crate (#​10685) (6b5904c)

Build

• (wasm) Fix wasm builds (eee0578)

v1.12.5

Compare Source

Bug Fixes

• (es/parser) Parse jsx entity (#​10652) (bfd3bc5)

• (es/parser) Consider reseved ident in jsx name (#​10647) (9262a59)

Performance

• (es/parser) Optimize next_token (#​10654) (1be2ca0)

Refactor

• (es/lexer) Remove faster path for \t (#​10650) (d6ac3b7)

v1.12.4

Compare Source

Bug Fixes

• (es/minifier) Fix Buffer handling of minify() API (#​10643) (cdf068e)

• (es/minifier) Fix arrow inlining (#​10642) (7232c10)

• (es/parser) Don't be greedy in the end of jsx open el (#​10637) (8a2c656)

• Update par-core and par-iter (#​10629) (38f7d51)

• Fix CI (#​10641) (9df98f7)

Refactor

• (es/parser) Cleanup (#​10631) (c7c2035)

v1.12.3

Compare Source

Bug Fixes

• (es/codgen) Emit leading comments of JSXExprContainer (#​10627) (2d2162a)

v1.12.2

Compare Source

Bug Fixes

• (ci) Fix build of @swc/minifier (0dc5244)

• (es/codegen) Fix .map path when using output_path (01e5bd1)

• (es/parser) Allow type ann in jsx expr child (#​10626) (48f576c)

• (swc) Fix wrong caching of resolvers regarding file exts (#​10615) (68aacd1)

• (ts/isolated-dts) Fix usage dependency (#​10621) (b3677d3)

• (ts/isolated-dts) Emit properties in overloaded constructor params (#​10623) (6634ef1)

Features

• (swc_common) Allow returning None in try_lookup_source_file (#​10625) (d8e2405)

Performance

• (atoms) Improve atom! for inlinable strings (#​10612) (5113121)

• (es/minifier) Avoid calling some costly function when optimizing deep nested binary expr (#​10611) (1434571)

• (es/minifier) Remove needless JSON conversion (#​10628) (4a58dca)

• (es/parser) Reduce cmp in jsx spread child (#​10606) (fb33c13)

Refactor

• (es/parser) Cleanup - deduplicate some code (#​10608) (5f9af96)

• (es/parser) Remove token contexts (#​10547) (7ffe9d2)

v1.12.1

Compare Source

Bug Fixes

• (@​swc/types) Remove nativeClassProperties (#​10592) (39032dc)

• (es/minifier) Fix top level detection of DCE (#​10603) (964a560)

• (es/minifier) Fix inlining of arrows (#​10604) (cc3bc4d)

• (es/minifier) Perform DCE on the end (#​10602) (a97b149)

• (swc_common) Add Files#is_in_file (#​10599) (e6b61eb)

Features

• (es/parser) Support parsing CommonJS (#​10600) (70bda6a)

v1.12.0

Compare Source

Bug Fixes

• (@​swc/types) Add jsc.output.charset (#​10567) (26b41e8)

• (es/codegen) Don't call cmt.get_leading for dummy span (#​10568) (16e204d)

• (es/parser) Disallow spread operator(...) in JSX attribute values (#​10587) (8deba78)

• (es/typescript) Pass native_class_properties (#​10561) (7e4cd9a)

• (es/typescript) Handle export declare var in namespace (#​10579) (2daa17f)

• (ts/isolated-dts) Add edges SymbolFlags::Value and SymbolFlags::Type in exports (#​10577) (e6d4da2)

• Fix bindings (0f858fd)

Documentation

• (contributing) Add a script to patch local projects (#​10565) (3ac0a21)

Features

• (es/minifier) Regex support for format.comments (#​10571) (e441df5)

• (es/module) Add support for import.meta.main in AMD and CJS (#​10596) (759de2e)

Miscellaneous Tasks

• (plugin/runner) Update virtual-fs to dedupe dependencies (#​10594) (de667bb)

Refactor

• (es/lexer) Remove unnecessary result wrap (#​10578) (49d15df)

• (es/parser) Extract parse_jsx_attrs (#​10569) (6492786)

• (es/parser) Remove cur!(false) macro (#​10583) (c96fa23)

• (swc_common) Remove Input::find (#​10542) (494cef9)

• (swc_common) Use BytesStr instead of Lrc<String> (#​10580) (6f00973)

• (swc_common) Use swc_sourcemap instead (#​10593) (8a9f609)

Testing

• (es/parser) Enable jsx test (#​10566) (72b1efe)

configcat/common-js (configcat-common)

v9.4.0

Compare Source

Improvements:

• Include the SDK Key in log message of error 1100 ("Your SDK Key seems to be wrong...") (#​112)
• Mask SDK Key (keep only the last 6 characters visible) when writing it to the log.
• If available, use monitonic clock (performance.now) instead of system clock (new Date()) for scheduling poll iterations in Auto Polling mode for improved precision and resistance to system clock adjustments (time sync, user initiated clock adjustments, etc.)
• Correct the internal cache refresh behavior in offline mode: if the client uses an external cache, a synchronization should happen in every case where a fetch operation would happen in online mode. (For example, in Auto Polling mode, the background polling loop should sync with the external cache even when it doesn't initiate config fetch operations.)
• Eliminate race condition between concurrent cache synchronizations.
• Emit configChanged once per config refresh operation, eliminate race conditions around cache write, and improve performance in high concurrency situations by deduplicating config refresh instead of config fetch operation only.
• Correct the intellisense docs for some config caching/refreshing-related APIs.

Bug fixes:

• Fix a bug that causes an error when user-provided logger, config cache, etc. implementation contains a circular reference. (#​111, #​112)
• Fix a minor bug in setting type mismatch check. (Type mismatch should also be reported for allowed flag override values.)
• Fix a minor bug in formatting errors. (Some JS runtimes doesn't include the error message in the stack trace.)
• Fix a minor bug in FetchError. (Name property should be set to the class name.)

Breaking changes:

• Change forceRefreshAsync to report failure and log a warning in offline mode only when the client is not configured to use an external cache. (Very low impact expected.) (#​112)
• Make the clientReady event consistent with other SDKs in Auto Polling mode. When the client is offline, clientReady is emitted as soon as the initial sync with the external cache completes. (Low impact expected.)
• Make changes to also emit the configChanged event when the local cache is updated as a result of synchronization with the external cache. (Low impact expected.)

mswjs/msw (msw)

v2.10.3

Compare Source

v2.10.3 (2025-07-04)

Bug Fixes

• ws: support resolutionContext on parse and run (#​2544) (0245685) @​kettanaito
• getResponse: support resolutionContext argument (#​2543) (ce3ab1f) @​kettanaito

v2.10.2

Compare Source

v2.10.2 (2025-06-09)

Bug Fixes

• TypeScript: support Response.error() and HttpResponse.error() as mocked responses (#​2132) (72cc8dd) @​jacquesg @​kettanaito

v2.10.1

Compare Source

v2.10.1 (2025-06-07)

Bug Fixes

• update @mswjs/interceptors to support WebSocket server protocol (#​2528) (6704fa0) @​kettanaito

v2.10.0

Compare Source

v2.10.0 (2025-06-07)

Features

• WebSocketHandler: add run method (#​2527) (94fc78e) @​kettanaito

v2.9.0

Compare Source

v2.9.0 (2025-06-03)

Features

• send request reference within the RESPONSE event (#​2510) (4256351) @​kettanaito

v2.8.7

Compare Source

v2.8.7 (2025-05-31)

Bug Fixes

• update links to the documentation (#​2519) (56f24d5) @​kettanaito

v2.8.6

Compare Source

v2.8.6 (2025-05-29)

Bug Fixes

• browser: set the default entrypoint to commonjs (#​2516) (ee44fab) @​kettanaito

v2.8.5

Compare Source

v2.8.5 (2025-05-27)

Bug Fixes

• HttpResponse: strictly annotate all response methods (#​2509) (2cdc2b1) @​kettanaito
• update @mswjs/interceptors to 0.38.7 (#​2508) (b06fd0e) @​kettanaito

v2.8.4

Compare Source

v2.8.4 (2025-05-19)

Bug Fixes

• support nullable GraphQL queries (#​2403) (594e8ca) @​huuyafwww @​kettanaito

v2.8.3

Compare Source

v2.8.3 (2025-05-17)

Bug Fixes

• HttpResponse: export StrictResponse type again with added deprecation notice (#​2500) (a5bbe97) @​christoph-fricke

v2.8.2

Compare Source

v2.8.1

Compare Source

v2.8.1 (2025-05-09)

Bug Fixes

• do not append .mjs to .d.ts core imports (#​2496) (6ae6b29) @​kettanaito

v2.8.0

Compare Source

v2.8.0 (2025-05-08)

Features

• support typescript 5.6 - 5.8 (#​2493) (3fce594) @​kettanaito
• migrate to ESM internally, remain CJS-first (#​2490) (17d553b) @​kettanaito @​Andarist
• SetupServerApi: allow using custom interceptors (#​2464) (0cc656a) @​tastypackets @​kettanaito
• HttpResponse: support explicitly empty response body via null type argument (#​2118) (50ce6a4) @​kettanaito

v2.7.6

Compare Source

v2.7.6 (2025-05-05)

Bug Fixes

• remove unused dependencies (#​2484) (436cbcb) @​kettanaito

v2.7.5

Compare Source

v2.7.5 (2025-04-18)

Bug Fixes

• ws: ignore /socket.io/ path prefix during url matching (#​2476) (69ae82d) @​kettanaito

v2.7.4

Compare Source

v2.7.4 (2025-04-12)

Bug Fixes

• resolve relative URLs against location.href (#​2471) (fa9b07f) @​kettanaito
• graphql: add extensions property to the GraphQLResponseBody type (#​2468) (827a5dc) @​ytoshiki

v2.7.3

Compare Source

v2.7.3 (2025-02-24)

Bug Fixes

• do not treat static asset requests as unhandled by default (#​2440, docs) (eb45e7a) @​kettanaito

v2.7.2

Compare Source

v2.7.2 (2025-02-24)

Bug Fixes

• HttpResponse: set the default bodyType to any (#​2439) (bb1faf8) @​kettanaito

v2.7.1

Compare Source

v2.7.1 (2025-02-20)

Bug Fixes

• HttpResponse: support non-configurable status codes (#​2434) (0cf639e) @​kettanaito

v2.7.0

Compare Source

v2.7.0 (2024-12-17)

Features

• use picocolors instead of chalk (#​2377) (85bdd82) @​Namchee @​kettanaito

v2.6.9

Compare Source

v2.6.9 (2024-12-16)

Bug Fixes

• support SharedArrayBuffer in HttpResponse.arrayBuffer (#​2389) (41f00e1) @​danilofuchs @​kettanaito

v2.6.8

Compare Source

v2.6.8 (2024-12-07)

Bug Fixes

• setupServer: reapply interception after calling server.listen() after server.close() (#​2383) (00da9ca) @​kettanaito

v2.6.7

Compare Source

v2.6.7 (2024-12-06)

Bug Fixes

• setupWorker: correctly delete internal accept header on passthrough (#​2375) (3f40055) @​smouillour @​kettanaito

v2.6.6

Compare Source

v2.6.6 (2024-11-22)

Bug Fixes

• types: support optional path parameters (#​2368) (3b7b776) @​kettanaito

v2.6.5

Compare Source

v2.6.5 (2024-11-16)

Bug Fixes

• support non-configurable responses (#​2360) (5bf3e3b) @​kettanaito

v2.6.4

Compare Source

v2.6.4 (2024-11-10)

Bug Fixes

• prevent infinite loop when bypassing sendBeacon() requests (#​2353) (2fa98c3) @​kettanaito
• remove the internal bypass request header before performing the request as-is in Node.js (#​2353) (2fa98c3) @​kettanaito

v2.6.3

Compare Source

v2.6.3 (2024-11-10)

Bug Fixes

• handleRequest: remove transformResponse option (#​2351) (74c4a3a) @​kettanaito

v2.6.2

Compare Source

v2.6.2 (2024-11-07)

Bug Fixes

• update @bundled-es-modules/cookie to 2.0.1 (#​2312) (c134352) @​kettanaito

v2.6.1

Compare Source

v2.6.1 (2024-11-06)

Bug Fixes

• prevent instanceof handler check failures between different MSW versions (#​2349) (28d26bd) @​kettanaito

v2.6.0

Compare Source

v2.6.0 (2024-10-29)

Features

• support mocking WebSocket APIs (#​2011) (ae786f5) @​kettanaito @​DanielleHuisman

v2.5.2

Compare Source

v2.5.2 (2024-10-27)

Bug Fixes

• enable provenance for publishing (#​2334) (e9b0636) @​kettanaito

v2.5.1

Compare Source

v2.5.1 (2024-10-24)

Bug Fixes

• update@inquirer/confirm requirement to 5.0.0 (#​2325) (b65c0a8) @​greysteil @​kettanaito

v2.5.0

Compare Source

v2.5.0 (2024-10-22)

Features

• isolate parent and child frames when handling requests (#​2324) (a1a81ba) @​kettanaito

v2.4.13

Compare Source

v2.4.13 (2024-10-22)

Bug Fixes

• update @inquirer/confirm to 4.0 (#​2300) (0cf9cce) @​greysteil @​kettanaito

v2.4.12

Compare Source

v2.4.12 (2024-10-21)

Bug Fixes

• node: preserve headers instanceof when recording raw headers (#​2321) (a58a300) @​paoloricciuti

v2.4.11

Compare Source

v2.4.11 (2024-10-14)

Bug Fixes

• update dependencies (#​2313) (8f68f0a) @​kettanaito

v2.4.10

Compare Source

v2.4.10 (2024-10-11)

Bug Fixes

• setupWorker: perform worker update in the background (#​2311) (8e40724) @​kettanaito

v2.4.9

Compare Source

v2.4.9 (2024-09-20)

Bug Fixes

• ClientRequest: support Request as init when recording raw headers (#​2293) (bf982ea) @​kettanaito

v2.4.8

Compare Source

v2.4.8 (2024-09-17)

Bug Fixes

• address express and path-to-regexp vulnerabilities (#​2285) (e3487bc) @​markmssd

v2.4.7

Compare Source

v2.4.7 (2024-09-15)

Bug Fixes

• ClientRequest: prevent duplicates when recording set headers (#​2284) (e04eb8f) @​kettanaito
• use Object.defineProperty for Headers proxy (#​2283) (94e17be) @​kettanaito

v2.4.6

Compare Source

v2.4.6 (2024-09-13)

Bug Fixes

• xhr: clone request body before calculating its size (#​2282) (397444b) @​kettanaito

v2.4.5

Compare Source

v2.4.5 (2024-09-11)

Bug Fixes

• remove cookies with max-age=0 from cookie store (#​2275) (c307ab2) @​kettanaito

v2.4.4

Compare Source

v2.4.4 (2024-09-08)

Bug Fixes

• fetch: follow mocked redirect responses (#​2268) (f5785bf) @​kettanaito
• Adopts a new, Socket-based request interception algorithm.

v2.4.3

Compare Source

v2.4.3 (2024-09-07)

Bug Fixes

• revert "graphql" as optional peer dependency (#​2267) (7cd39e7) @​kettanaito

v2.4.2

Compare Source

v2.4.2 (2024-09-04)

Bug Fixes

• cli: support windows paths in the init command (#​2260) (ba285b8) @​ivanfernandez2646 @​kettanaito
• use typescript@4.8 as the minimal supported version (#​2251) (6b2a7e6) @​THETCR @​kettanaito
• keep graphql import as require in cjs (#​2258) (b977602) @​kettanaito

v2.4.1

Compare Source

v2.4.1 (2024-08-29)

Bug Fixes

• import graphql lazily (#​2250) (1799e06) @​kettanaito
• add graphql to "peerDependencies" (#​2249) (8a9568a) @​THETCR

v2.4.0

Compare Source

v2.4.0 (2024-08-28)

Features

• add HttpResponse.html() static method (#​2140, docs) (8c5580a) @​scruffymongrel @​kettanaito
• list "graphql" as an optional peer dependency (#​2187) (40b17fd) @​kettanaito
• print request body in onUnhandledRequest message (#​2227) (a2153c9) @​bitttttten @​kettanaito

v2.3.5

Compare Source

v2.3.5 (2024-08-02)

Bug Fixes

• HttpResponse: skip setting "Content-Length" if it is already set (#​2228) (a0234c9) @​kettanaito

v2.3.4

Compare Source

v2.3.4 (2024-07-23)

Bug Fixes

• cookieStore: remove left-over console.log (#​2217) (00fdbb2) @​Lalem001

v2.3.3

Compare Source

v2.3.3 (2024-07-23)

Bug Fixes

• implement cookie persistence using tough-cookie (#​2206) (c30613c) @​kettanaito
• support async generators as response resolvers (#​2108) (d38fc3d) @​kettanaito @​jakebailey

v2.3.2

Compare Source

v2.3.2 (2024-07-19)

Bug Fixes

• support typescript@5.5 (deprecate v4.7) (#​2190) (7df2533) @​KaiSpencer @​kettanaito

v2.3.1

Compare Source

v2.3.1 (2024-06-01)

Bug Fixes

• preserve trailing optional path parameters (#​2169) (e69bbd6) @​kettanaito @​KaiSpencer

v2.3.0

Compare Source

v2.3.0 (2024-05-08)

[!WARNING]
This release changes how MSW treats unhandled exceptions in response resolvers. Previously, they were treated as request errors. Starting with this release, unhandled resolver exceptions will be coerced to 500 Unhandled Exception mocked error responses produced by the library. Please note that you must not intentionally throw errors in your resolvers. Please use Response.error() to mock request/network errors. Unhandled exceptions are considered unintended and will be treated as if they happen on the actual server.

Features

• treat unhandled exceptions in handl

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: libs/providers/config-cat/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @openfeature/config-cat-provider@0.7.5
npm error Found: @openfeature/core@1.2.0
npm error node_modules/@openfeature/core
npm error   peer @openfeature/core@"1.2.0" from @openfeature/server-sdk@1.14.0
npm error   node_modules/@openfeature/server-sdk
npm error     peer @openfeature/server-sdk@"^1.13.5" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @openfeature/config-cat-core@"0.1.1" from the root project
npm error
npm error Conflicting peer dependency: @openfeature/core@1.8.1
npm error node_modules/@openfeature/core
npm error   peer @openfeature/core@"^1.6.0" from @openfeature/config-cat-core@0.1.1
npm error   node_modules/@openfeature/config-cat-core
npm error     peer @openfeature/config-cat-core@"0.1.1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-07-04T18_35_28_311Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-07-04T18_35_28_311Z-debug-0.log

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.