Bump the minor-and-patch group across 1 directory with 15 updates

[dependabot]

Bumps the minor-and-patch group with 15 updates in the / directory:

Package	From	To
axios	1.13.5	1.15.0
dompurify	3.3.1	3.3.3
i18next-http-backend	3.0.2	3.0.4
lodash	4.17.23	4.18.1
@types/lodash	4.17.23	4.17.24
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
react-icons	5.5.0	5.6.0
react-router	7.13.0	7.14.1
react-tooltip	5.30.0	5.30.1
@types/node	25.3.0	25.6.0
@vitejs/plugin-react-swc	4.2.3	4.3.0
sass	1.97.3	1.99.0
typescript-eslint	8.56.0	8.58.2
vitest	4.0.18	4.1.4

Updates axios from 1.13.5 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

• Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

• SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

• Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

• Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

• CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

• Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

• Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​Kilros0817 (#10625)
• @​shaanmajid (#10616, #10617, #10618, #10619, #10637, #10641, #10666)
• @​ashstrc (#10624, #10644)
• @​Abhi3975 (#10589)
• @​raashish1601 (#10573)

Full Changelog

---

v1.14.0 — March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

• Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

🐛 Bug Fixes

... (truncated)

Commits

• 772a4e5 chore(release): prepare release 1.15.0 (#10671)
• 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
• 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
• fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
• 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
• 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
• e66530e ci: require npm-publish environment for releases (#10666)
• 49f23cb chore(sponsor): update sponsor block (#10668)
• 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
• fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates dompurify from 3.3.1 to 3.3.3

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

Commits

• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• cd85175 Merge branch 'main' of github.com:cure53/DOMPurify
• Additional commits viewable in compare view

Updates i18next-http-backend from 3.0.2 to 3.0.4

Changelog

Sourced from i18next-http-backend's changelog.

3.0.4

• use own interpolation function for loadPath and addPath instead of relying on i18next's interpolator i18next#2420 — this means only {{lng}} and {{ns}} placeholders are supported; custom interpolation prefix/suffix from i18next config no longer applies to backend paths

Commits

• 4dbb485 3.0.4
• 5f33a0c use own interpolation function for loadPath and addPath instead of relying on...
• 681c09d update ci actions
• e63ff16 adjust deno test
• a851965 adjust deno test
• 3a17e37 update next.js example
• 5bd5a5d Bump next from 14.2.32 to 14.2.35 in /example/next (#176)
• 8ba9250 readme fix
• 282b76c Bump next from 14.2.30 to 14.2.32 in /example/next (#172)
• 6b3599d Bump next from 14.2.21 to 14.2.30 in /example/next (#171)
• Additional commits viewable in compare view

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates @types/lodash from 4.17.23 to 4.17.24

Commits

• See full diff in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-icons from 5.5.0 to 5.6.0

Release notes

Sourced from react-icons's releases.

v5.6.0

What's Changed

• Bump prismjs from 1.29.0 to 1.30.0 by @​dependabot[bot] in react-icons/react-icons#1033
• Bump @​babel/helpers from 7.23.2 to 7.26.10 by @​dependabot[bot] in react-icons/react-icons#1036
• Bump http-proxy-middleware from 2.0.7 to 2.0.9 by @​dependabot[bot] in react-icons/react-icons#1041
• Bump form-data from 3.0.1 to 3.0.4 by @​dependabot[bot] in react-icons/react-icons#1058
• Bump vite from 5.4.14 to 5.4.20 by @​dependabot[bot] in react-icons/react-icons#1071
• upgrade packages by @​kamijin-fanta in react-icons/react-icons#1075
• Bump tar from 6.2.0 to 6.2.1 by @​dependabot[bot] in react-icons/react-icons#1078
• Bump vite from 6.3.6 to 6.4.1 by @​dependabot[bot] in react-icons/react-icons#1081
• Bump tmp from 0.2.3 to 0.2.5 by @​dependabot[bot] in react-icons/react-icons#1077
• Bump glob from 11.0.3 to 11.1.0 by @​dependabot[bot] in react-icons/react-icons#1089
• Bump @​babel/runtime from 7.23.2 to 7.28.4 by @​dependabot[bot] in react-icons/react-icons#1073
• Bump node-forge from 1.3.1 to 1.3.2 by @​dependabot[bot] in react-icons/react-icons#1092
• Bump mdast-util-to-hast from 13.0.2 to 13.2.1 by @​dependabot[bot] in react-icons/react-icons#1094
• Bump undici from 7.16.0 to 7.18.2 by @​dependabot[bot] in react-icons/react-icons#1103
• Bump devalue from 5.3.2 to 5.6.2 by @​dependabot[bot] in react-icons/react-icons#1104
• Bump h3 from 1.15.4 to 1.15.5 by @​dependabot[bot] in react-icons/react-icons#1105
• Bump diff from 5.2.0 to 5.2.2 by @​dependabot[bot] in react-icons/react-icons#1107
• Bump webpack from 5.94.0 to 5.104.1 by @​dependabot[bot] in react-icons/react-icons#1110
• Bump jsonpath from 1.1.1 to 1.2.1 by @​dependabot[bot] in react-icons/react-icons#1113
• Bump devalue from 5.6.2 to 5.6.3 by @​dependabot[bot] in react-icons/react-icons#1115
• Bump astro from 5.14.1 to 5.15.9 by @​dependabot[bot] in react-icons/react-icons#1091
• Bump ajv from 6.12.6 to 6.14.0 by @​dependabot[bot] in react-icons/react-icons#1116

Full Changelog: react-icons/react-icons@v5.5.0...v5.6.0

Icon Library	License	Version	Count
Circum Icons	MPL-2.0 license	1.0.0	288
Font Awesome 5	CC BY 4.0 License	5.15.4-3-gafecf2a	1612
Font Awesome 6	CC BY 4.0 License	6.7.2-1-g840c215	2060
Ionicons 4	MIT	4.6.3	696
Ionicons 5	MIT	5.5.4	1332
Material Design icons	Apache License Version 2.0	4.0.0-142-gbb04090f93	4341
Typicons	CC BY-SA 3.0	2.1.2	336
Github Octicons icons	MIT	18.3.0	264
Feather	MIT	4.29.2	287
Lucide	ISC	0.462.0	1541
Game Icons	CC BY 3.0	12920d6565588f0512542a3cb0cdfd36a497f910	4040
Weather Icons	SIL OFL 1.1	2.0.12	219
Devicons	MIT	1.8.0	192
Ant Design Icons	MIT	4.4.2	831
Bootstrap Icons	MIT	1.13.1	2754
Remix Icon	Apache License Version 2.0	4.6.0	3058
Flat Color Icons	MIT	1.0.2	329
Grommet-Icons	Apache License Version 2.0	4.14.0	637
Heroicons	MIT	1.0.6	460
Heroicons 2	MIT	2.2.0	972

... (truncated)

Commits

• 6501a41 v5.6.0
• 387e780 update icons
• fb057e7 5.5.1-snapshot.0
• 6f74755 update eslint
• 73c281f Bump ajv from 6.12.6 to 6.14.0 (#1116)
• 3f2b264 Bump astro from 5.14.1 to 5.15.9 (#1091)
• 04adc76 Bump devalue from 5.6.2 to 5.6.3 (#1115)
• 44a5e85 Bump jsonpath from 1.1.1 to 1.2.1 (#1113)
• e2c1d6c Bump webpack from 5.94.0 to 5.104.1 (#1110)
• f3dca02 Bump diff from 5.2.0 to 5.2.2 (#1107)
• Additional commits viewable in compare view

Updates react-router from 7.13.0 to 7.14.1

Release notes

Sourced from react-router's releases.

v7.14.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7141

v7.14.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7140

v7.13.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7132

v7.13.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7131

Changelog

Sourced from react-router's changelog.

v7.14.1

Patch Changes

• Fix a potential race condition that can occur when rendering a HydrateFallback and initial loaders land before the router.subscribe call happens in the RouterProvider layout effect
• Normalize double-slashes in redirect paths

7.14.0

Patch Changes

• UNSTABLE RSC FRAMEWORK MODE BREAKING CHANGE - Existing route module exports remain unchanged from stable v7 non-RSC mode, but new exports are added for RSC mode. If you want to use RSC features, you will need to update your route modules to export the new annotations. (#14901)

  If you are using RSC framework mode currently, you will need to update your route modules to the new conventions. The following route module components have their own mutually exclusive server component counterparts:

  Server Component Export	Client Component
  ServerComponent	default
  ServerErrorBoundary	ErrorBoundary
  ServerLayout	Layout
  ServerHydrateFallback	HydrateFallback

  If you were previously exporting a ServerComponent, your ErrorBoundary, Layout, and HydrateFallback were also server components. If you want to keep those as server components, you can rename them and prefix them with Server. If you were previously importing the implementations of those components from a client module, you can simply inline them.

  Example:

  Before

  import { ErrorBoundary as ClientErrorBoundary } from "./client";
  export function ServerComponent() {
  // ...
  }
  export function ErrorBoundary() {
  return <ClientErrorBoundary />;
  }
  export function Layout() {
  // ...
  }
  export function HydrateFallback() {
  // ...
  }

  After

... (truncated)

Commits

• 197674b Release 7.14.1 (#14973)
• 583fcce Merge branch 'main' into release
• 05f80c8 Migrate changesets files to .changes files
• a87774f Add new release process (#14916)
• f6d1268 Add new release process (#14916)
• 4547c80 Fix rendering/router.subscribe race condition during hydration (#14497)
• f7a0130 Consolidate slash handling (#14962)
• b768d62 Update redirect docs with note on validation
• 80c67a9 chore: format
• 201cd41 chore: format
• Additional commits viewable in compare view

Updates react-tooltip from 5.30.0 to 5.30.1

Release notes

Sourced from react-tooltip's releases.

v5.30.1

If you like ReactTooltip, please give the project a star on GitHub 🌟

What's Changed

• fix: npm publish worklow updated to use id-token instead of npm token by @​danielbarion in ReactTooltip/react-tooltip#1264
• fix: arrow shoulder corners bleeding outside tooltip border by @​danielbarion in ReactTooltip/react-tooltip#1263
• fix: update tooltip types to allow click events properly by @​danielbarion in ReactTooltip/react-tooltip#1266
• docs: enhance 'Clickable tooltip' section with accessibility info by @​moloko in ReactTooltip/react-tooltip#1267

New Contributors

• @​Copilot made their first contribution in ReactTooltip/react-tooltip#1263
• @​moloko made their first contribution in ReactTooltip/react-tooltip#1267

Full Changelog: ReactTooltip/react-tooltip@v5.30.0...v5.30.1

Commits

• f7539f7 chore(version): v5.30.1
• a1cd387 Merge pull request #1266 from ReactTooltip/fix/Issue-1223-events
• 6057d8c Merge pull request #1267 from moloko/patch-1
• e6e515f Enhance 'Clickable tooltip' section with accessibility info
• 1a04317 fix: update tooltip types to allow click events properly
• 3346e9f Merge pull request #1263 from ReactTooltip/copilot/fix-border-overlap-issue
• 91f3967 fix: arrow border behavior and backface
• 296223f fix: arrow styles when bigger border and bigger size
• 015b900 chore: remove debug log from beta release workflow
• d6e5de7 fix: add more permissions to the comment script
• Additional commits viewable in compare view

Updates @types/lodash from 4.17.23 to 4.17.24

Commits

• See full diff in compare view

Updates @types/node from 25.3.0 to 25.6.0

Commits

• See full diff in compare view

Updates @vitejs/plugin-react-swc from 4.2.3 to 4.3.0

Release notes

Sourced from @​vitejs/plugin-react-swc's releases.

plugin-react-swc@4.3.0

Add Vite 8 to peerDependencies range #1142

This plugin is compatible with Vite 8.

Changelog

Sourced from @​vitejs/plugin-react-swc's changelog.

4.3.0 (2026-03-12)

Add Vite 8 to peerDependencies range #1142

This plugin is compatible with Vite 8.

Commits

• See full diff in compare view

Updates sass from 1.97.3 to 1.99.0

Release notes

Sourced from sass's releases.

Dart Sass 1.99.0

To install Sass 1.99.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

See the full changelog for changes in earlier releases.

Dart Sass 1.98.0

To install Sass 1.98.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

Command-Line Interface

• Gracefully handle dependency loops in --watch mode.

Dart API

• Add a const Logger.defaultLogger field. This provides a logger that emits to standard error or the browser console, but automatically chooses whether to use terminal colors.

JavaScript API

• Fix a crash when manually constructing a SassCalculation for 'calc' with an argument that can't be simplified.

... (truncated)

Changelog

Sourced from sass's changelog.

1.99.0

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have spec...

  Description has been truncated

[github-actions]

Use docker or podman to test this pull request locally.

Run test server using develop.opencast.org as backend:

podman run --rm -it -p 127.0.0.1:3000:3000 ghcr.io/opencast/admin-interface:pr-1578

Specify a different backend like stable.opencast.org:

podman run --rm -it -p 127.0.0.1:3000:3000 -e PROXY_TARGET=https://stable.opencast.org ghcr.io/opencast/admin-interface:pr-1578

It may take a few seconds for the interface to spin up.
It will then be available at http://127.0.0.1:3000.
For more options you can pass on to the proxy, take a look at the README.md.

[github-actions]

This pull request is deployed at test.admin-interface.opencast.org/1578/2026-04-13_21-45-40/ .
It might take a few minutes for it to become available.