
Bump follow-redirects from 1.15.11 to 1.16.0#969

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/follow-redirects-1.16.0
Conversation

dependabot[bot] (Contributor) commented on behalf of github Apr 15, 2026

Bumps follow-redirects from 1.15.11 to 1.16.0.

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Low risk lockfile-only dependency bump; behavior changes are limited to HTTP redirect handling in downstream packages.

Overview
Bumps the follow-redirects version recorded in package-lock.json from 1.15.11 to 1.16.0 (updated tarball URL and integrity hash). No application/source code changes are included.

Reviewed by Cursor Bugbot for commit a55baf4.

Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels Changed (required label that categorizes the merge commit message as "Changed" for the changelog), dependencies (pull requests that update a dependency file) and javascript (pull requests that update JavaScript code) Apr 15, 2026
@github-actions commented

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how follow-redirects appears in the lockfile and whether the published package includes suspicious scripts.

Verdict: benign

Why

  1. Known package, normal release — follow-redirects is a widely used HTTP redirect helper. The jump is 1.15.11 → 1.16.0 with listed changes (e.g. sensitiveHeaders, input sanitization, CI/docs) that match a routine maintenance release, not a supply-chain pattern (no rename, no typosquat).

  2. Lockfile looks standard — In this repo, package-lock.json pins follow-redirects 1.16.0 to https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz with a normal npm integrity (sha512) entry (see around 8775:8794:/home/runner/work/chia-docs/chia-docs/package-lock.json). No odd registries or missing integrity.

  3. Scanner vs interpretation — The report is warn with warn_only: true, 0 unicode/confusable/IOC hits. The 32 heuristics are false positives: shell_process_spawn matches the name cross-spawn / spawn-wrap in the lockfile; network_c2_indicator matches localhost URLs in upstream tests (test/test.js). Those are not evidence of malware.

  4. Workflow “touch” — Listing .github/workflows/ci.yml in the upstream diff reflects changes in the follow-redirects Git repo for that release. Dependabot/npm installs the published tarball, which does not ship that workflow into your app; it is not the same as this PR silently changing your .github/workflows/. So this does not meet “highly suspicious workflow injection in the consumer repo” in a meaningful way.

Residual risk (normal, not red flags) — As with any minor bump, regressions could exist in redirect/header behavior; that is compatibility, not compromise. No evidence here points to malicious code in the dependency update itself.

Compatibility Analysis

Tracing how follow-redirects enters the project and inspecting upstream changes for 1.16.0.

1) Where follow-redirects shows up

  • Not a direct dependency. It does not appear in root package.json dependencies / devDependencies.
  • Lockfile: Pinned under node_modules/follow-redirects and pulled in as a dependency of http-proxy (package-lock.json shows http-proxy → follow-redirects: ^1.0.0).
  • Chain: webpack-dev-server → http-proxy-middleware → http-proxy → follow-redirects (see node_modules/webpack-dev-server depending on http-proxy-middleware, and http-proxy listing follow-redirects).
  • Implication: Used in the Docusaurus / Webpack dev-server stack (local docusaurus start / dev middleware), not as something your app code imports.
  • Repo source: No first-party require('follow-redirects') / import usage in application code (only lockfile + vendored .upstream-dependency for review).

2) Overlap with 1.16.0 changes

Upstream highlights: sensitiveHeaders option, input sanitization, plus CI-only changes.

  • sensitiveHeaders: New optional request option; defaults are backward-compatible (options.sensitiveHeaders normalized to [] in _sanitizeOptions). Your project does not call follow-redirects directly, so you do not depend on this API surface.
  • Sanitizing input: Touches internal option handling (e.g. headers always present, host vs hostname, path parsing). Consumers are http-proxy (and thus dev-server proxying), not your MDX/React code.
  • Intersection: No direct intersection with app code. Indirect only: behavior of HTTP(S) proxying during webpack-dev-server if you use custom proxy rules that follow redirects.

3) Risks / unknowns

  • Scope: Risk is limited to dev-time proxy/redirect behavior, not production static output, unless your pipeline runs the same dev server in CI in a way that exercises proxies (unusual for a docs site).
  • Behavior drift: Minor changes to redirect handling or header stripping are possible in edge cases (unusual URLs, custom headers on proxied requests). Unlikely to affect typical docusaurus start without advanced proxy config.
  • Node: Lockfile still shows engines.node for the package as >=4.0; repo requires Node >=18, so no engine conflict.

4) Recommendation

Merge — appropriate for a transitive patch/minor bump on a dev-tooling path with no direct usage; merge-with-caveats only if you rely heavily on custom proxy / API forwarding in Docusaurus/Webpack dev config (then smoke-test npm start and any proxied routes).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 6
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 21ef28a544c5e57f4c34b8476d75f2144609a1eb..0c23a223067201c368035e82954c11eb2578a33b
  • Resolved refs: from=21ef28a544c5e57f4c34b8476d75f2144609a1eb to=0c23a223067201c368035e82954c11eb2578a33b
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 32

Top findings

  • package-lock.json:587 shell_process_spawn :: "node_modules/cross-spawn": {
  • package-lock.json:589 shell_process_spawn :: "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
  • package-lock.json:790 shell_process_spawn :: "cross-spawn": "^6.0.5",
  • package-lock.json:1168 shell_process_spawn :: "cross-spawn": "^4",
  • package-lock.json:1172 shell_process_spawn :: "node_modules/foreground-child/node_modules/cross-spawn": {
  • package-lock.json:1174 shell_process_spawn :: "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-4.0.2.tgz",
  • package-lock.json:2141 shell_process_spawn :: "spawn-wrap": "^1.4.2",
  • package-lock.json:2823 shell_process_spawn :: "node_modules/spawn-wrap": {
  • package-lock.json:2825 shell_process_spawn :: "resolved": "https://registry.npmjs.org/spawn-wrap/-/spawn-wrap-1.4.3.tgz",
  • package-lock.json:3862 shell_process_spawn :: "cross-spawn": {
  • package-lock.json:3864 shell_process_spawn :: "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
  • package-lock.json:4025 shell_process_spawn :: "cross-spawn": "^6.0.5",
  • package-lock.json:4338 shell_process_spawn :: "cross-spawn": "^4",
  • package-lock.json:4342 shell_process_spawn :: "cross-spawn": {
  • package-lock.json:4344 shell_process_spawn :: "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-4.0.2.tgz",
  • package-lock.json:5119 shell_process_spawn :: "spawn-wrap": "^1.4.2",
  • package-lock.json:5634 shell_process_spawn :: "spawn-wrap": {
  • package-lock.json:5636 shell_process_spawn :: "resolved": "https://registry.npmjs.org/spawn-wrap/-/spawn-wrap-1.4.3.tgz",
  • test/test.js:190 network_c2_indicator :: http.get("http://127.0.0.1:3600/a", concatJson(resolve, reject)).on("error", reject);
  • test/test.js:194 network_c2_indicator :: assert.deepEqual(res.responseUrl, "http://127.0.0.1:3600/f");

dependabot[bot] (Contributor, Author) commented on behalf of github Apr 28, 2026

Looks like follow-redirects is up-to-date now, so this is no longer needed.

dependabot[bot] closed this Apr 28, 2026
dependabot[bot] deleted the dependabot/npm_and_yarn/follow-redirects-1.16.0 branch April 28, 2026 19:19