⬆️ Update Node Dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.15.0 → 1.15.2
eslint-plugin-react-hooks (source)	7.0.1 → 7.1.1
react-router-dom (source)	7.14.1 → 7.14.2
typescript-eslint (source)	8.58.2 → 8.59.1

---

Release Notes

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

facebook/react (eslint-plugin-react-hooks)

v7.1.1

Compare Source

Note: 7.1.0 accidentally removed the component-hook-factories rule, causing errors for users who referenced it in their ESLint config. This is now fixed.

• Add deprecated no-op component-hook-factories rule for backwards compatibility. (@​mofeiZ in #​36307)

v7.1.0

Compare Source

This release adds ESLint v10 support, improves performance by skipping compilation for non-React files, and includes compiler lint improvements including better set-state-in-effect detection, improved ref validation, and more helpful error reporting.

• Add ESLint v10 support. (@​nicolo-ribaudo in #​35720)
• Skip compilation for non-React files to improve performance. (@​josephsavona in #​35589)
• Fix exhaustive deps bug with Flow type casting. (@​jorge-cab in #​35691)
• Fix useEffectEvent checks in component syntax. (@​jbrown215 in #​35041)
• Improved set-state-in-effect validation with fewer false negatives. (@​jorge-cab in #​35134, @​josephsavona in #​35147, @​jackpope in #​35214, @​chesnokov-tony in #​35419, @​jsleitor in #​36107)
• Improved ref validation for non-mutating functions and event handler props. (@​josephsavona in #​35893, @​kolvian in #​35062)
• Compiler now reports all errors instead of stopping at the first. (@​josephsavona in #​35873–#​35884)
• Improved source locations and error display in compiler diagnostics. (@​nathanmarks in #​35348, @​josephsavona in #​34963)

remix-run/react-router (react-router-dom)

v7.14.2

Compare Source

Patch Changes

• Updated dependencies:
  • react-router@7.14.2

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.