This release predominantly contains security related fixes and enhancements, in particular to address https://nvd.nist.gov/vuln/detail/CVE-2026-12208

• Prevent object prototype pollution (PR #799)
• Wildcards should not unwrap function objects (PR #800)
• $append should enforce the sequence guardrail limit (PR #801)
• Prevent object contructor setting internal flags (PR #802)

This release predominantly contains security related fixes and enhancements, in particular to address GHSA-86vw-mfpg-wwv9
Thanks to Doruk Tan Öztürk and Arthur Deierlein for their private disclosures.

• New API to specify resource guardrails on expressions (PR #795)
• Fix ISO8601 regex pattern (PR #793)
• Prevent $lookup from accessing object prototype members (PR #794)
• Enable OIDC publishing to NPM (PR #792)
• Publish step to be triggered by new version tag (PR #796)

• Fix picture string parsing for $formatNumber (PR #788)
• Fix $toMillis() with more than 3 digit fractional seconds (PR #782)
• Fix ?: operator returning wrong result when LHS has array predicate (PR #780)
• Fix ?? operator with array predicate on LHS (PR #774)
• Fix function signature for repeating arguments (PR #760)
• Fix precision fix for $string() function (PR #762)
• Fix to prevent $formatNumber() getting into an infinite loop (PR #785)

• New syntax (?: default operator) supports fallback to RHS if the LHS is Boolean equivalent to false (PR #784)
• New syntax (?? coalescing operator) supports fallback to RHS if the LHS is non-existent (PR #784)
• Improve regex generation for DateTime parser (PR #728)
• Truncate fractional part of numeric argument of $pad function (PR #729)
• Await array elements (PR #747)
• Various documentation fixes and improvements

• Protect __evaluate_entry and __evaluate_exit callbacks (PR #700)
• Add undocumented/private API to hook into when a new frame is created (PR #701)
  • Note this is internal and may change in a future release.
• Update typescript defintion (PR #704)
• Chain operator should respect array constructor (PR #714)

• Fix leaking internal references in expressions when using lambdas (issue #691)

• Prevent writing to the object prototype or constructor (PR #681)

• Prevent writing to the object prototype or constructor (PR #676)
• Add upper/lower presentation format for am/pm in fromMillis (PR #644)
• Various documentation additions and corrections

• Fix regex termination lexer (PR #623)
• Fix TypeScript definition (PR #633)

• Typescript definition: fix return type of evaluate method (PR #615)