Skip to content

Bump the dependencies group with 8 updates#34

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-f640c8c648
Apr 13, 2026
Merged

Bump the dependencies group with 8 updates#34
github-actions[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-f640c8c648

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 13, 2026

Bumps the dependencies group with 8 updates:

Package From To
axios 1.14.0 1.15.0
jsdom 29.0.1 29.0.2
@types/node 25.5.2 25.6.0
@typescript-eslint/eslint-plugin 8.58.0 8.58.2
@typescript-eslint/parser 8.58.0 8.58.2
@vitest/coverage-v8 4.1.2 4.1.4
@vitest/ui 4.1.2 4.1.4
vitest 4.1.2 4.1.4

Updates axios from 1.14.0 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

Changelog

Sourced from axios's changelog.

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

  • Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

  • SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

  • Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

  • Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

  • CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

  • Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

  • Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Commits
  • 772a4e5 chore(release): prepare release 1.15.0 (#10671)
  • 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
  • 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
  • fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
  • 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
  • 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
  • e66530e ci: require npm-publish environment for releases (#10666)
  • 49f23cb chore(sponsor): update sponsor block (#10668)
  • 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
  • fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
  • Additional commits viewable in compare view

Updates jsdom from 29.0.1 to 29.0.2

Release notes

Sourced from jsdom's releases.

v29.0.2

  • Significantly improved and sped up getComputedStyle(). Computed value rules are now applied across a broader set of properties, and include fixes related to inheritance, defaulting keywords, custom properties, and color-related values such as currentcolor and system colors. (@​asamuzaK)
  • Fixed CSS 'background' and 'border' shorthand parsing. (@​asamuzaK)
Commits
  • 2a1e2cd 29.0.2
  • 4097d66 Resolve computed CSS values lazily in CSSStyleDeclaration
  • cf5523f Add more test cases for nested color-mix with currentColor
  • b33b616 Add test that getComputedStyle() works with !important
  • 6bf559c Add test for custom property inheritance in computed styles
  • 6817657 Fix border shorthand handling
  • 470f5c5 Consolidate color helpers
  • 3db53cb Fix background shorthand handlers
  • 678e840 Remove some longhand property files
  • d526a07 Add regression test for getComputedStyle() liveness
  • See full diff in compare view

Updates @types/node from 25.5.2 to 25.6.0

Commits

Updates @typescript-eslint/eslint-plugin from 8.58.0 to 8.58.2

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.58.2

8.58.2 (2026-04-13)

🩹 Fixes

  • remove tsbuildinfo cache file from published packages (#12187)
  • eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.1

8.58.1 (2026-04-08)

🩹 Fixes

  • eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.58.2 (2026-04-13)

🩹 Fixes

  • eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)
  • remove tsbuildinfo cache file from published packages (#12187)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.1 (2026-04-08)

🩹 Fixes

  • eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits
  • 90c2803 chore(release): publish 8.58.2
  • 7c9e06f fix(eslint-plugin): [no-unnecessary-condition] use assignability checks in ch...
  • dae1732 chore(eslint-plugin): switch auto-generated test cases to hand-written in unb...
  • be6b49a fix: remove tsbuildinfo cache file from published packages (#12187)
  • 5311ed3 chore(release): publish 8.58.1
  • c3f8ed5 fix(eslint-plugin): [no-unused-vars] fix false negative for type predicate pa...
  • e372a66 Revert: feat(eslint-plugin): [no-unnecessary-type-arguments] report inferred ...
  • See full diff in compare view

Updates @typescript-eslint/parser from 8.58.0 to 8.58.2

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.58.2

8.58.2 (2026-04-13)

🩹 Fixes

  • remove tsbuildinfo cache file from published packages (#12187)
  • eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (#12147)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.1

8.58.1 (2026-04-08)

🩹 Fixes

  • eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.58.2 (2026-04-13)

🩹 Fixes

  • remove tsbuildinfo cache file from published packages (#12187)

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.1 (2026-04-08)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

Updates @vitest/coverage-v8 from 4.1.2 to 4.1.4

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.4

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates @vitest/ui from 4.1.2 to 4.1.4

Release notes

Sourced from @​vitest/ui's releases.

v4.1.4

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub
Commits

Updates vitest from 4.1.2 to 4.1.4

Release notes

Sourced from vitest's releases.

v4.1.4

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • ac04bac chore: release v4.1.4
  • 82c858d chore: Remove no-op function in plugin config logic (#8501)
  • d4fbb5c feat(experimental): support aria snapshot (#9668)
  • b77de96 feat(reporter): add filterMeta option to json reporter (#10078)
  • a120e3a feat(experimental): expose assertion as a public field (#10095)
  • 5375780 feat(coverage): default to text reporter skipFull if agent detected (#10018)
  • a1b5f0f fix: make expect(..., message) consistent as error message prefix (#10068)
  • 203f07a fix: use "black" foreground for labeled terminal message to ensure contrast (...
  • 2dc0d62 chore: release v4.1.3
  • 7827363 feat: add experimental.preParse flag (#10070)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the dependencies group with 8 updates
684969a 
Bumps the dependencies group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.14.0` | `1.15.0` |
| [jsdom](https://github.com/jsdom/jsdom) | `29.0.1` | `29.0.2` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.5.2` | `25.6.0` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.58.0` | `8.58.2` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.58.0` | `8.58.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.2` | `4.1.4` |
| [@vitest/ui](https://github.com/vitest-dev/vitest/tree/HEAD/packages/ui) | `4.1.2` | `4.1.4` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.2` | `4.1.4` |


Updates `axios` from 1.14.0 to 1.15.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.14.0...v1.15.0)

Updates `jsdom` from 29.0.1 to 29.0.2
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v29.0.1...v29.0.2)

Updates `@types/node` from 25.5.2 to 25.6.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@typescript-eslint/eslint-plugin` from 8.58.0 to 8.58.2
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.58.2/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.58.0 to 8.58.2
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.58.2/packages/parser)

Updates `@vitest/coverage-v8` from 4.1.2 to 4.1.4
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/coverage-v8)

Updates `@vitest/ui` from 4.1.2 to 4.1.4
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/ui)

Updates `vitest` from 4.1.2 to 4.1.4
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.4/packages/vitest)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: jsdom
  dependency-version: 29.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@types/node"
  dependency-version: 25.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.58.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.58.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@vitest/ui"
  dependency-version: 4.1.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: vitest
  dependency-version: 4.1.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 13, 2026

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Apr 13, 2026
@github-actions github-actions Bot merged commit ad41274 into main Apr 13, 2026
1 of 3 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/dependencies-f640c8c648 branch April 13, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants