
Bump locutus from 3.0.9 to 3.0.14 #944

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/locutus-3.0.14

dependabot bot commented on behalf of github Mar 13, 2026

Bumps locutus from 3.0.9 to 3.0.14.

Release notes

Sourced from locutus's releases.

v3.0.14

Version rationale: patch for a scoped PHP parity/security fix affecting one removed upstream function without package runtime or import-model changes.

PHP

  • Breaking: removed php/funchand/create_function for PHP 8.3 parity and security posture. The function was deprecated in PHP 7.2, removed in PHP 8.0, and Locutus now treats closure export behavior in php/var/var_export as the current \Closure::__set_state(array(...)) form instead of referencing the removed API.

v3.0.13

Released: 2026-03-11. Diff

Version rationale: patch for a scoped runtime parity fix without import-model or runtime floor changes.

CI

  • Refreshed GitHub Actions workflow pins to checkout@v6, setup-node@v6, and cache@v5, and replaced the Node 20-based Pages deploy action with a shell-based gh-pages deploy step ahead of the GitHub-hosted Node 24 cutoff.

Fixes

  • Fixed php/array/array_values so primitive string input now throws a PHP-style TypeError instead of coercing through Object.values, matching current PHP runtime behavior more closely.

v3.0.12

Released: 2026-03-11. Diff. Version rationale: patch for additive Go time expansion plus website/dependency hardening without import-model or runtime floor changes.

Expansion

  • Added golang/time/ParseInLocation, interpreting wall-clock inputs in a supplied IANA time zone while preserving deterministic Date output and parity coverage around DST boundaries.

Modernization

  • Removed root dev dependencies that are now replaceable with Node 22 built-ins or tiny local helpers:
    • globby
    • indent-string
    • lodash
    • rimraf
  • Replaced cleanup scripts with a small Node-based remover and bumped the remaining low-risk root tooling deps.

Website

  • Added a website build verification harness for representative generated pages, redirects, feed output, and search-index output.
  • Updated CI to run website build verification on pull requests as well as main, so website dependency upgrades get a pre-merge safety net.
  • Upgraded website/ from hexo-generator-feed@3 to hexo-generator-feed@4, added a small Hexo route patch to preserve Atom type="html" semantics, and revalidated the site with a clean rebuild plus the website verification harness.
  • Removed stale website-only packages from the website build/deploy dependency set:
    • hexo-browsersync
    • hexo-migrator-rss
    • cross-spawn-async
  • Added targeted website/ lockfile resolutions so current Hexo packages pick up patched dompurify, filelist, minimatch, and tar releases without changing the website feature set.
  • Kept yarn website:start on the simpler Hexo-only preview path: it still opens the browser automatically, but live

... (truncated)

Changelog

Sourced from locutus's changelog.

v3.0.14

Released: 2026-03-11. Diff. Version rationale: patch for a scoped PHP parity/security fix affecting one removed upstream function without package runtime or import-model changes.

PHP

  • Breaking: removed php/funchand/create_function for PHP 8.3 parity and security posture. The function was deprecated in PHP 7.2, removed in PHP 8.0, and Locutus now treats closure export behavior in php/var/var_export as the current \Closure::__set_state(array(...)) form instead of referencing the removed API.

v3.0.13

Released: 2026-03-11. Diff. Version rationale: patch for a scoped runtime parity fix without import-model or runtime floor changes.

CI

  • Refreshed GitHub Actions workflow pins to checkout@v6, setup-node@v6, and cache@v5, and replaced the Node 20-based Pages deploy action with a shell-based gh-pages deploy step ahead of the GitHub-hosted Node 24 cutoff.

Fixes

  • Fixed php/array/array_values so primitive string input now throws a PHP-style TypeError instead of coercing through Object.values, matching current PHP runtime behavior more closely.

v3.0.12

Released: 2026-03-11. Diff. Version rationale: patch for additive Go time expansion plus website/dependency hardening without import-model or runtime floor changes.

Expansion

  • Added golang/time/ParseInLocation, interpreting wall-clock inputs in a supplied IANA time zone while preserving deterministic Date output and parity coverage around DST boundaries.

Modernization

  • Removed root dev dependencies that are now replaceable with Node 22 built-ins or tiny local helpers:
    • globby
    • indent-string
    • lodash
    • rimraf
  • Replaced cleanup scripts with a small Node-based remover and bumped the remaining low-risk root tooling deps.

Website

  • Added a website build verification harness for representative generated pages, redirects, feed output, and search-index output.
  • Updated CI to run website build verification on pull requests as well as main, so website dependency upgrades get a pre-merge safety net.
  • Upgraded website/ from hexo-generator-feed@3 to hexo-generator-feed@4, added a small Hexo route patch to preserve Atom type="html" semantics, and revalidated the site with a clean rebuild plus the website verification harness.
  • Removed stale website-only packages from the website build/deploy dependency set:
    • hexo-browsersync
    • hexo-migrator-rss
    • cross-spawn-async
  • Added targeted website/ lockfile resolutions so current Hexo packages pick up patched dompurify, filelist, minimatch, and tar releases without changing the website feature set.

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [locutus](https://github.com/locutusjs/locutus) from 3.0.9 to 3.0.14.
- [Release notes](https://github.com/locutusjs/locutus/releases)
- [Changelog](https://github.com/locutusjs/locutus/blob/main/CHANGELOG.md)
- [Commits](locutusjs/locutus@v3.0.9...v3.0.14)

---
updated-dependencies:
- dependency-name: locutus
  dependency-version: 3.0.14
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Mar 13, 2026
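
A pre-merge check for the breaking removal listed under v3.0.14, as an added example that is not part of this pull request or of the locutus project: it scans source text for module specifiers that load `locutus/php/funchand/create_function`. The deep-import specifier form, the function name `findRemovedLocutusImports` and the sample files are assumptions constructed for illustration.

```javascript
// Added example: find imports of the module removed in locutus v3.0.14.
// Assumption: callers load it through a module specifier of the form
// "locutus/php/funchand/create_function" (require, import, or dynamic import).
const REMOVED = 'php/funchand/create_function';

// Captures the string literal in require('x'), import('x'), from 'x', and import 'x'.
const SPECIFIER = /(?:\brequire\s*\(\s*|\bimport\s*\(\s*|\bfrom\s+|\bimport\s+)(['"])([^'"\n]+)\1/g;

function isRemovedModule(specifier) {
  if (!specifier.startsWith('locutus/')) return false;
  // Tolerate an explicit file extension on the specifier.
  const path = specifier.slice('locutus/'.length).replace(/\.(?:c|m)?[jt]s$/, '');
  return path === REMOVED;
}

// files: object mapping file name -> source text.
// Returns one { file, line, specifier } record per offending import.
function findRemovedLocutusImports(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split('\n').forEach((text, index) => {
      if (/^\s*(?:\/\/|\*)/.test(text)) return; // skip comment-only lines
      for (const match of text.matchAll(SPECIFIER)) {
        if (isRemovedModule(match[2])) {
          findings.push({ file, line: index + 1, specifier: match[2] });
        }
      }
    });
  }
  return findings;
}

// Constructed sample sources (not taken from any real repository).
const sampleFiles = {
  'lib/template.js': [
    "const sprintf = require('locutus/php/strings/sprintf')",
    "const create_function = require('locutus/php/funchand/create_function')",
    "// require('locutus/php/funchand/create_function') was here",
  ].join('\n'),
  'lib/export.mjs': [
    "import var_export from 'locutus/php/var/var_export'",
    "const mod = await import('locutus/php/funchand/create_function.js')",
  ].join('\n'),
};

console.log(findRemovedLocutusImports(sampleFiles));
```

An empty result means no direct import of the removed module was found in the scanned text; it does not cover specifiers built at runtime.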