chore(deps-dev): bump the development-dependencies group across 1 directory with 21 updates

[dependabot]

Bumps the development-dependencies group with 21 updates in the / directory:

Package	From	To
@aws-sdk/client-s3	3.894.0	3.1041.0
@aws-sdk/lib-storage	3.894.0	3.1041.0
@diplodoc/mermaid-extension	1.4.0	1.4.2
@diplodoc/page-constructor-extension	0.13.2	0.13.3
@types/async	3.2.15	3.2.25
@types/html-escaper	3.0.0	3.0.4
@types/node	22.19.0	22.19.17
ajv	8.17.1	8.20.0
axios	1.12.2	1.16.0
esbuild	0.27.3	0.28.0
minimatch	9.0.3	9.0.9
node-html-parser	6.1.5	6.1.13
simple-git	3.22.0	3.36.0
slugify	1.6.5	1.6.9
strip-ansi	7.1.2	7.2.0
svgo	3.3.2	3.3.3
typescript	5.4.5	5.9.3
typescript-transform-paths	3.5.5	3.5.6
uuid	11.0.4	11.1.1
vite	6.3.6	6.4.2
vitest-when	0.6.2	0.10.0

Updates @aws-sdk/client-s3 from 3.894.0 to 3.1041.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1041.0

3.1041.0(2026-05-01)

Chores

• core/client: emit warning for Node.js 20.x end-of-support (#7973) (00383767)
• workflows: migrate git-sync SSH key from GitHub secret to Secrets Manager via OIDC (#7978) (c056a2e3)
• codegen: smithy-aws-typescript-codegen 0.49.1 (#7980) (7bb42b39)

Documentation Changes

• client-iam: Added guidance for CreateOpenIDConnectProvider to include multiple thumbprints when OIDC discovery and JWKS endpoints use different hosts or certificates (b4bb6928)

New Features

• clients: update client endpoints as of 2026-05-01 (d48b40d5)
• client-iot: AWS IoT HTTP rule actions now support cross-topic batching, combining messages from different MQTT topics into single HTTP requests. (82edd29f)
• client-appstream: Amazon WorkSpaces Applications now enables AI agents to securely operate desktop applications. Administrators configure stacks to provide agents access to WorkSpaces. Agents can click, type, and take screenshots. Agents authenticate with AWS IAM credentials with activity logged in AWS CloudTrail. (5ca40b43)
• client-quicksight: Add IdentityProviderCACertificatesBundleS3Uri for private CA certs with OAuth datasources. 256-char limit for FontFamily in themes. ControlTitleFormatText on all 13 filters. ControlTitleFontConfiguration. ContextRegion for cross-region identity context. Story,scenario in CreateCustomCapability API. (a625879c)
• client-cloudwatch: This release adds tag support for CloudWatch Dashboards. The PutDashboard API now accepts a Tags parameter, allowing you to tag dashboards at creation time. Additionally, the TagResource, UntagResource, and ListTagsForResource APIs now support dashboard ARNs as resources. (e87c1479)
• client-entityresolution: Add support for transitive matching in AWS Entity Resolution rule-based matching workflows. When enabled, records that match through different rules are grouped together into the same match group, allowing related records to be connected across rule levels. (20487961)
• client-cloudwatch-logs: Adds support for filtering log groups by tags in the ListLogGroups API via the new logGroupTags parameter. (25dc6d23)
• client-qconnect: Added reasoning details, statusDescription, and timeToFirstTokenMs fields to the ListSpans response in Amazon Q in Connect to provide visibility into model thinking, error diagnostics, and inference latency metrics. (2c668c9d)

Bug Fixes

• lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#7982) (8a58046b)

---

For list of updated packages, view updated-packages.md in assets-3.1041.0.zip

v3.1040.0

3.1040.0(2026-04-30)

New Features

• clients: update client endpoints as of 2026-04-30 (2620ccbd)
• client-bedrock-agentcore-control: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (6b9d13e3)
• client-route53globalresolver: Adds support for regions in the UpdateGlobalResolver input. (84b15b2e)
• client-sagemaker: Add InstancePools support to Endpoint for flexible provisioning across a prioritized list of instance types. Add Specifications support to InferenceComponent for per-instance-type model configurations. (05c49aa9)
• client-sso-admin: Add InstanceArn and IdentityStoreArn in the response of CreateApplication API and IdentityStoreArn in the response of DescribeApplication API (d46aaf53)
• client-payment-cryptography: Adds support for resource-based policies on AWS Payment Cryptography keys, enabling cross-account key sharing. Also adds Multi-Party Approval (MPA) team association APIs for protecting sensitive import root public key operations. (4d7fdfa8)
• client-datazone: Adds support for asynchronous notebook runs (e562cc0f)
• client-kafka: Adds support for ZookeeperAccess field to control the Client-Zookeeper connectivity. (34de26bd)
• client-observabilityadmin: Observability Admin enablement launch for AWS Kafka, Bedrock Agent Core Workload Identity and OTel metric enablement. (8cea5eb6)
• client-eks: Vended logs update param for capability vended logs feature (7741c8f5)
• client-bedrock-agentcore: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (948fd098)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1041.0 (2026-05-01)

Note: Version bump only for package @​aws-sdk/client-s3

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/client-s3

3.1039.0 (2026-04-29)

Note: Version bump only for package @​aws-sdk/client-s3

3.1038.0 (2026-04-27)

Bug Fixes

• xml-builder: use xml 1.1 parsing behavior for entities (#7964) (7a30bce)

3.1037.0 (2026-04-24)

Note: Version bump only for package @​aws-sdk/client-s3

3.1036.0 (2026-04-23)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

• 5df4c01 Publish v3.1041.0
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3dfb72b chore(codegen): sync for adaptive retry fixes (#7970)
• 3fbf6c5 Publish v3.1038.0
• e9f8d8a chore(codegen): sync for typed waiter-result values (#7965)
• 7a30bce fix(xml-builder): use xml 1.1 parsing behavior for entities (#7964)
• 7babd8b Publish v3.1037.0
• 46e4ac5 Publish v3.1036.0
• 107aefc chore(codegen): sync for http2 session closure, retry longpoll backoff, and f...
• Additional commits viewable in compare view

Updates @aws-sdk/lib-storage from 3.894.0 to 3.1041.0

Release notes

Sourced from @​aws-sdk/lib-storage's releases.

v3.1041.0

3.1041.0(2026-05-01)

Chores

• core/client: emit warning for Node.js 20.x end-of-support (#7973) (00383767)
• workflows: migrate git-sync SSH key from GitHub secret to Secrets Manager via OIDC (#7978) (c056a2e3)
• codegen: smithy-aws-typescript-codegen 0.49.1 (#7980) (7bb42b39)

Documentation Changes

• client-iam: Added guidance for CreateOpenIDConnectProvider to include multiple thumbprints when OIDC discovery and JWKS endpoints use different hosts or certificates (b4bb6928)

New Features

• clients: update client endpoints as of 2026-05-01 (d48b40d5)
• client-iot: AWS IoT HTTP rule actions now support cross-topic batching, combining messages from different MQTT topics into single HTTP requests. (82edd29f)
• client-appstream: Amazon WorkSpaces Applications now enables AI agents to securely operate desktop applications. Administrators configure stacks to provide agents access to WorkSpaces. Agents can click, type, and take screenshots. Agents authenticate with AWS IAM credentials with activity logged in AWS CloudTrail. (5ca40b43)
• client-quicksight: Add IdentityProviderCACertificatesBundleS3Uri for private CA certs with OAuth datasources. 256-char limit for FontFamily in themes. ControlTitleFormatText on all 13 filters. ControlTitleFontConfiguration. ContextRegion for cross-region identity context. Story,scenario in CreateCustomCapability API. (a625879c)
• client-cloudwatch: This release adds tag support for CloudWatch Dashboards. The PutDashboard API now accepts a Tags parameter, allowing you to tag dashboards at creation time. Additionally, the TagResource, UntagResource, and ListTagsForResource APIs now support dashboard ARNs as resources. (e87c1479)
• client-entityresolution: Add support for transitive matching in AWS Entity Resolution rule-based matching workflows. When enabled, records that match through different rules are grouped together into the same match group, allowing related records to be connected across rule levels. (20487961)
• client-cloudwatch-logs: Adds support for filtering log groups by tags in the ListLogGroups API via the new logGroupTags parameter. (25dc6d23)
• client-qconnect: Added reasoning details, statusDescription, and timeToFirstTokenMs fields to the ListSpans response in Amazon Q in Connect to provide visibility into model thinking, error diagnostics, and inference latency metrics. (2c668c9d)

Bug Fixes

• lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#7982) (8a58046b)

---

For list of updated packages, view updated-packages.md in assets-3.1041.0.zip

v3.1040.0

3.1040.0(2026-04-30)

New Features

• clients: update client endpoints as of 2026-04-30 (2620ccbd)
• client-bedrock-agentcore-control: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (6b9d13e3)
• client-route53globalresolver: Adds support for regions in the UpdateGlobalResolver input. (84b15b2e)
• client-sagemaker: Add InstancePools support to Endpoint for flexible provisioning across a prioritized list of instance types. Add Specifications support to InferenceComponent for per-instance-type model configurations. (05c49aa9)
• client-sso-admin: Add InstanceArn and IdentityStoreArn in the response of CreateApplication API and IdentityStoreArn in the response of DescribeApplication API (d46aaf53)
• client-payment-cryptography: Adds support for resource-based policies on AWS Payment Cryptography keys, enabling cross-account key sharing. Also adds Multi-Party Approval (MPA) team association APIs for protecting sensitive import root public key operations. (4d7fdfa8)
• client-datazone: Adds support for asynchronous notebook runs (e562cc0f)
• client-kafka: Adds support for ZookeeperAccess field to control the Client-Zookeeper connectivity. (34de26bd)
• client-observabilityadmin: Observability Admin enablement launch for AWS Kafka, Bedrock Agent Core Workload Identity and OTel metric enablement. (8cea5eb6)
• client-eks: Vended logs update param for capability vended logs feature (7741c8f5)
• client-bedrock-agentcore: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (948fd098)

... (truncated)

Changelog

Sourced from @​aws-sdk/lib-storage's changelog.

3.1041.0 (2026-05-01)

Bug Fixes

• lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#7982) (8a58046)

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1039.0 (2026-04-29)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1038.0 (2026-04-27)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1037.0 (2026-04-24)

Note: Version bump only for package @​aws-sdk/lib-storage

3.1036.0 (2026-04-23)

Note: Version bump only for package @​aws-sdk/lib-storage

... (truncated)

Commits

• 5df4c01 Publish v3.1041.0
• 8a58046 fix(lib-storage): use Math.ceil in default partSize calculation to prevent ex...
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3fbf6c5 Publish v3.1038.0
• 7babd8b Publish v3.1037.0
• 46e4ac5 Publish v3.1036.0
• 107aefc chore(codegen): sync for http2 session closure, retry longpoll backoff, and f...
• d8fbfbc Publish v3.1035.0
• d08b5a7 Publish v3.1034.0
• Additional commits viewable in compare view

Updates @diplodoc/mermaid-extension from 1.4.0 to 1.4.2

Release notes

Sourced from @​diplodoc/mermaid-extension's releases.

v1.4.2

1.4.2 (2026-02-09)

Bug Fixes

• update mermaid 11.12.2 (fb23572)

v1.4.1

1.4.1 (2026-01-26)

Bug Fixes

• handle mermaid unhandled exception (4943754)
• update version actions, node 22 (59defe2)

Changelog

Sourced from @​diplodoc/mermaid-extension's changelog.

1.4.2 (2026-02-09)

Bug Fixes

• update mermaid 11.12.2 (fb23572)

1.4.1 (2026-01-26)

Bug Fixes

• handle mermaid unhandled exception (4943754)
• update version actions, node 22 (59defe2)

Commits

• 250ad7c Merge pull request #44 from diplodoc-platform/release-please--branches--maste...
• 60a69fa chore(master): release 1.4.2
• 372bee8 Merge pull request #43 from diplodoc-platform/update-mermaid-11.12
• fb23572 fix: update mermaid 11.12.2
• 61e2ea7 Merge pull request #40 from diplodoc-platform/release-please--branches--maste...
• ea1b2a3 chore(master): release 1.4.1
• 0acfd73 Merge pull request #42 from diplodoc-platform/fix/unhandled_rejection
• 5e9f223 chore: Update dev deps
• 4943754 fix: handle mermaid unhandled exception
• 5098b91 Merge pull request #41 from diplodoc-platform/DOCSTOOLS-4947-mermaid
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​diplodoc/mermaid-extension since your current version.

Updates @diplodoc/page-constructor-extension from 0.13.2 to 0.13.3

Release notes

Sourced from @​diplodoc/page-constructor-extension's releases.

v0.13.3

0.13.3 (2026-04-22)

Bug Fixes

• fixed (ac793b7)
• moved the createPageConstructorElement export to a separate bundle (73c6ac4)
• moved the createPageConstructorElement export to a separate bundle (9b13ed5)

Changelog

Sourced from @​diplodoc/page-constructor-extension's changelog.

0.13.3 (2026-04-22)

Bug Fixes

• fixed (ac793b7)
• moved the createPageConstructorElement export to a separate bundle (73c6ac4)
• moved the createPageConstructorElement export to a separate bundle (9b13ed5)

Commits

• 8c9787d Merge pull request #58 from diplodoc-platform/release-please--branches--maste...
• 7b0a696 chore(master): release 0.13.3
• d3b53d6 Merge pull request #57 from diplodoc-platform/rollback-to-8e8315-2
• 615fe61 fix
• 65e1fcf Revert "fix: moved the createPageConstructorElement export to a separate bundle"
• 4bbe25b Merge pull request #55 from diplodoc-platform/release-please--branches--maste...
• e9e9087 chore(master): release 0.13.3
• 73c6ac4 Merge pull request #54 from diplodoc-platform/pc-editor
• 6a94eee chore: Update package-lock.json
• ac793b7 fix: fixed
• Additional commits viewable in compare view

Updates @types/async from 3.2.15 to 3.2.25

Commits

• See full diff in compare view

Updates @types/html-escaper from 3.0.0 to 3.0.4

Commits

• See full diff in compare view

Updates @types/node from 22.19.0 to 22.19.17

Commits

• See full diff in compare view

Updates ajv from 8.17.1 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

v8.18.0

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in ajv-validator/ajv#2480
• fix: #2482 Infinity and NaN serialise to null by @​jasoniangreen in ajv-validator/ajv#2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in ajv-validator/ajv#2508
• fix: typos in schema-language.md by @​monteiro-renato in ajv-validator/ajv#2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in ajv-validator/ajv#2586

New Contributors

• @​josdejong made their first contribution in ajv-validator/ajv#2480
• @​monteiro-renato made their first contribution in ajv-validator/ajv#2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• 142ce84 8.18.0
• 720a23f fix(pattern): use configured RegExp engine with $data keyword to mitigate ReD...
• 82735a1 fix: typos in schema-language.md (#2507)
• b17ec32 fix: small grammatical error in managing-schemas.md (#2508)
• 69568d0 fix: #2482 Infinity and NaN serialise to null (#2487)
• Additional commits viewable in compare view

Updates axios from 1.12.2 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

... (truncated)

Commits

• df53d7d chore(release): prepare release 1.16.0 (#10834)
• 9d92bcd fix: gadgets and smaller issues (#10833)
• 5107ee6 fix: prevent undefined error codes in settle (#7276)
• e573499 fix(fetch): defer global access in fetch adapter (#7260)
• ad68e1a fix(http): honor timeout during connect without redirects (#10819)
• 2a51828 fix(http): decode URL basic auth credentials (#10825)
• 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
• 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
• 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
• cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates esbuild from 0.27.3 to 0.28.0

Release notes

Sourced from esbuild's releases.

v0.28.0

• Add support for with { type: 'text' } imports (#4435)

  The import text proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by Deno and Bun. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing text loader. Here's an example:

  import string from './example.txt' with { type: 'text' }
  console.log(string)

• Add integrity checks to fallback download path (#4343)

  Installing esbuild via npm is somewhat complicated with several different edge cases (see esbuild's documentation for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the npm command, and then with a HTTP request to registry.npmjs.org as a last resort).

  This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level esbuild package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.

• Update the Go compiler from 1.25.7 to 1.26.1

  This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:

  • It now uses the new garbage collector that comes with Go 1.26.
  • The Go compiler is now more aggressive with allocating memory on the stack.
  • The executable format that the Go linker uses has undergone several changes.
  • The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.

  You can read the Go 1.26 release notes for more information.

Description has been truncated

[dependabot]

Labels

The following labels could not be found: dependabot. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.