Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@opentelemetry/instrumentation (source)	0.214.0 → 0.216.0
@sentry/node (source)	10.48.0 → 10.51.0
@sentry/profiling-node (source)	10.48.0 → 10.51.0
axios (source)	1.15.0 → 1.16.0
discord.js (source)	14.26.2 → 14.26.4

---

Release Notes

open-telemetry/opentelemetry-js (@​opentelemetry/instrumentation)

v0.216.0

Compare Source

v0.215.0

Compare Source

getsentry/sentry-javascript (@​sentry/node)

v10.51.0

Compare Source

Important Changes

• feat(cloudflare): Add trace propagation for RPC method calls (#​20343)

  Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects.
  This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

  // Worker
  export default Sentry.withSentry(
    env => ({
      dsn: env.SENTRY_DSN,
      enableRpcTracePropagation: true,
    }),
    handler,
  );
  
  // Durable Object
  export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
    env => ({
      dsn: env.SENTRY_DSN,
      enableRpcTracePropagation: true,
    }),
    MyDurableObjectBase,
  );

• feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#​20497)

  To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options.
  Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme:

  // instrument.mjs (or instrument.ts)
  import * as Sentry from '@​sentry/hono/node';
  
  Sentry.init({
    dsn: '__DSN__',
    tracesSampleRate: 1.0,
  });

• feat(nitro): Add @sentry/nitro SDK (#​19224)

  A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig.
  Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

• deps(minimatch): Upgrade patch version to use new brace-expansion peer-dep (#​20198)
• docs: Add deprecation notices to bin scripts (#​20570)
• feat(astro): Drop prerendered http.server filter via ignoreSpans (#​20513)
• feat(aws-serverless): Validate extension tunnel DSN against SENTRY_DSN (#​20528)
• feat(browser): Add ingest_settings to span v2 envelope payload (#​20411)
• feat(browser): Add support for streamed spans in httpContextIntegration (#​20464)
• feat(core): Backfill otel attributes on streamed spans (#​20439)
• feat(core): clear up integrations on dispose (#​20407)
• feat(core): Instrument langgraph createReactAgent (#​20344)
• feat(core): Support attribute matching in ignoreSpans (#​20512)
• feat(feedback): allow error messages to be customized (#​20474)
• feat(hono): Support middleware spans defined in app groups (#​20465)
• feat(nextjs): Filter unwanted segments when span streaming is enabled (#​20384)
• feat(nextjs): Migrate edge event processors to span-first APIs (#​20551)
• feat(nextjs): Migrate server event processors to span-first APIs (#​20527)
• feat(nextjs): Set global attribute for turbopack usage (#​20558)
• feat(nitro): Nitro SDK (#​19224)
• feat(react-router): Clean up bogus * http.route attribute on segment spans (#​20471)
• feat(react-router): Drop low-quality transactions via ignoreSpans (#​20514)
• feat(sveltekit): Support span streaming in svelteKitSpansEnhancement integration (#​20496)
• feat(tanstackstart-react): Add dynamic tunnel route helper and generator (#​20264)
• fix: update prisma v7 spans descriptions (#​20456)
• fix(core): Avoid parse-time SyntaxError on Safari <16.4 in postgresjs (#​20498)
• fix(core): Ensure isSentryRequest handles subdomains properly (#​20530)
• fix(core): Ensure ip address headers are stripped when lower case (#​20484)
• fix(core): Filter more cookie names for PII (#​20485)
• fix(core): Use symbol for normalization checks (#​20486)
• fix(hono): Distinguish .use() middleware in sub-apps from .all() handlers (#​20554)
• fix(nextjs): Ensure we do not match tunnel endpoints too broadly (#​20488)
• fix(opentelemetry): Add conditional browser export to avoid node deps (#​20556)
• fix(replay): Avoid main-thread blocking in WorkerHandler under event bursts (#​20548)
• fix(replay): Ensure maskAttributes works with maskAllText=false (#​20491)
• fix(supabase): Consider sendDefaultPii for supabase integration (#​20490)

Internal Changes

• chore: Add size limit reports on PRs for Cloudflare (#​20055)
• chore: Update CODEOWNERS (#​20559)
• chore(build): Opt-out of nx analytics (#​20487)
• chore(ci): Automatically bump size limit every week (#​20531)
• chore(ci): Bump pnpm/action-setup to v5 and pin to commit SHA (#​20462)
• chore(ci): Do not report flaky test issues if we cannot find a test name (#​20589)
• chore(ci): Streamline CI setup to split bundle, layer, tarball generation (#​20396)
• chore(ci): Vendor nx-affected-list action, drop dkhunt27 dependency (#​20463)
• chore(e2e): Add vue and vue-router to nuxt-4 canary build step to fix rollup resolution (#​20519)
• chore(e2e): Remove @​tanstack/start-plugin-core override (#​20518)
• chore(size-limit): weekly auto-bump (#​20572)
• chore(skill): Add skill for writing unit and E2E tests (#​20561)
• chore(test): Reduce unneeded idleTimeout test config (#​20467)
• ci(size-bump): Fix path in size-limit auto-bump workflow (#​20566)
• fix(e2e/tanstackstart-react): pin @​tanstack/start-plugin-core to unblock CI (#​20482)
• fix(tests): Remove nitro canary test job (#​20473)
• ref(browser): Use safeSetSpanJSONAttributes in cultureContext integration (#​20481)
• test(browser): Unflake some more tests (#​20591)
• test(nextjs): Pin eslint-config-next package to major (#​20552)
• test(node): Fix flaky ANR test (#​20592)
• test(node): Fix flaky worker thread integration test (#​20588)
• test(node): Unflake postgres tests (#​20593)
• test(node): Update timeout for cron integration tests (#​20586)
• test(supabase): Stop supabase before initializing (#​20563)
• test(tanstack): Prefix test labels (#​20569)

Bundle size 📦

Path	Size
@​sentry/browser	25.54 KB
@​sentry/browser - with treeshaking flags	24.06 KB
@​sentry/browser (incl. Tracing)	43.08 KB
@​sentry/browser (incl. Tracing + Span Streaming)	45.07 KB
@​sentry/browser (incl. Tracing, Profiling)	47.91 KB
@​sentry/browser (incl. Tracing, Replay)	81.5 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	71.23 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	86.07 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	98.42 KB
@​sentry/browser (incl. Feedback)	42.38 KB
@​sentry/browser (incl. sendFeedback)	30.24 KB
@​sentry/browser (incl. FeedbackAsync)	35.3 KB
@​sentry/browser (incl. Metrics)	26.8 KB
@​sentry/browser (incl. Logs)	26.95 KB
@​sentry/browser (incl. Metrics & Logs)	27.62 KB
@​sentry/react	27.25 KB
@​sentry/react (incl. Tracing)	45.26 KB
@​sentry/vue	30.3 KB
@​sentry/vue (incl. Tracing)	44.87 KB
@​sentry/svelte	25.57 KB
CDN Bundle	28.16 KB
CDN Bundle (incl. Tracing)	45.61 KB
CDN Bundle (incl. Logs, Metrics)	29.54 KB
CDN Bundle (incl. Tracing, Logs, Metrics)	46.68 KB
CDN Bundle (incl. Replay, Logs, Metrics)	67.71 KB
CDN Bundle (incl. Tracing, Replay)	81.91 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	82.95 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	87.59 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	88.66 KB
CDN Bundle - uncompressed	82.57 KB
CDN Bundle (incl. Tracing) - uncompressed	136.41 KB
CDN Bundle (incl. Logs, Metrics) - uncompressed	86.67 KB
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	139.79 KB
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	207.73 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	251.45 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	254.82 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	264.83 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	268.18 KB
@​sentry/nextjs (client)	47.7 KB
@​sentry/sveltekit (client)	43.52 KB
@​sentry/node-core	57.57 KB
@​sentry/node	166.25 KB
@​sentry/node - without tracing	94.54 KB
@​sentry/aws-serverless	111 KB
@​sentry/cloudflare (withSentry) - minified	160.29 KB
@​sentry/cloudflare (withSentry)	405.47 KB

v10.50.0

Compare Source

v10.49.0

Compare Source

Important Changes

• feat(browser): Add View Hierarchy integration (#​14981)

  A new viewHierarchyIntegration captures the DOM structure when an error occurs, providing a snapshot of the page state for debugging. Enable it in your Sentry configuration:

  import * as Sentry from '@​sentry/browser';
  
  Sentry.init({
    dsn: '__DSN__',
    integrations: [Sentry.viewHierarchyIntegration()],
  });

• feat(cloudflare): Split alarms into multiple traces and link them (#​19373)

  Durable Object alarms now create separate traces for each alarm invocation, with proper linking between related alarms for better observability.

• feat(cloudflare): Enable RPC trace propagation with enableRpcTracePropagation (#​19991, #​20345)

  A new enableRpcTracePropagation option enables automatic trace propagation for Cloudflare RPC calls via .fetch(), ensuring distributed traces flow correctly across service bindings.

• feat(core): Add enableTruncation option to AI integrations (#​20167, #​20181, #​20182, #​20183, #​20184)

  All AI integrations (OpenAI, Anthropic, Google GenAI, LangChain, LangGraph) now support an enableTruncation option to control whether large AI inputs/outputs are truncated.

• feat(opentelemetry): Vendor AsyncLocalStorageContextManager (#​20243)

  The OpenTelemetry context manager is now vendored internally, reducing external dependencies and ensuring consistent behavior across environments.

Other Changes

• feat(core): Export a reusable function to add tracing headers (#​20076)
• feat(core): Expose rewriteSources top level option (#​20142)
• feat(deps): bump defu from 6.1.4 to 6.1.6 (#​20104)
• feat(node-native): Add support for V8 v14 (Node v25+) (#​20125)
• feat(node): Include global scope for eventLoopBlockIntegration (#​20108)
• fix(core, node): Support loading Express options lazily (#​20211)
• fix(core): Set conversation_id only on gen_ai spans (#​20274)
• fix(core): Use ai.operationId for Vercel AI V6 operation name mapping (#​20285)
• fix(deno): Avoid inferring invalid span op from Deno tracer (#​20128)
• fix(deno): Handle reader.closed rejection from releaseLock() in streaming (#​20187)
• fix(nextjs): Preserve directive prologues in turbopack loaders (#​20103)
• fix(nextjs): Skip custom browser tracing setup for bot user agents (#​20263)
• fix(opentelemetry): Use WeakRef for context stored on scope to prevent memory leak (#​20328)
• fix(replay): Use live click attributes in breadcrumbs (#​20262)

Internal Changes

• chore: Add PR review reminder workflow (#​20175)
• chore: Fix lint warnings (#​20250)
• chore(bugbot): Add rules to flag test-flake-provoking patterns (#​20192)
• chore(ci): Bump actions/cache to v5 and actions/download-artifact to v7 (#​20249)
• chore(ci): Bump dorny/paths-filter from v3.0.1 to v4.0.1 (#​20251)
• chore(ci): Remove codecov steps from jobs that produce no coverage/JUnit data (#​20244)
• chore(ci): Remove craft changelog preview (#​20271)
• chore(ci): Remove node-overhead GitHub Action (#​20246)
• chore(ci): Replace pr-labels-action with native GitHub expressions (#​20252)
• chore(ci): Skip flaky issue creation for optional tests (#​20288)
• chore(deps-dev): Bump @​sveltejs/kit from 2.53.3 to 2.57.1 (#​20216)
• chore(deps-dev): Bump vite from 7.2.0 to 7.3.2 in /dev-packages/e2e-tests/test-applications/tanstackstart-react (#​20107)
• chore(deps): Bump axios from 1.13.5 to 1.15.0 (#​20180)
• chore(deps): Bump axios from 1.13.5 to 1.15.0 in /dev-packages/e2e-tests/test-applications/nestjs-basic (#​20179)
• chore(deps): Bump hono from 4.12.7 to 4.12.12 (#​20118)
• chore(deps): Bump hono from 4.12.7 to 4.12.12 in /dev-packages/e2e-tests/test-applications/cloudflare-hono (#​20119)
• chore(deps): Bump next from 16.1.7 to 16.2.3 in nextjs-16-cf-workers (#​20289)
• chore(size-limit): Bump failing size limit scenario (#​20186)
• ci: Add automatic flaky test detector (#​18684)
• ci: Extract test names for flaky test issues (#​20298)
• ci: Remove Docker container for Verdaccio package publishing (#​20329)
• fix(ci): Prevent command injection in ci-metadata workflow (#​19899)
• fix(e2e-tests): Remove flaky navigation breadcrumb assertions from parameterized-routes tests (#​20202)
• fix(e2e): Add op check to waitForTransaction in React Router e2e tests (#​20193)
• fix(node-integration-tests): Fix flaky kafkajs test race condition (#​20189)
• ref(core): Add registry in Vercel ai integration (#​20098)
• ref(core): Automatically disable truncation when span streaming is enabled in Anthropic AI integration (#​20228)
• ref(core): Automatically disable truncation when span streaming is enabled in Google GenAI integration (#​20229)
• ref(core): Automatically disable truncation when span streaming is enabled in LangChain integration (#​20230)
• ref(core): Automatically disable truncation when span streaming is enabled in LangGraph integration (#​20231)
• ref(core): Automatically disable truncation when span streaming is enabled in OpenAI integration (#​20227)
• ref(core): Automatically disable truncation when span streaming is enabled in Vercel AI integration (#​20232)
• ref(core): Merge embeddings operations constants (#​20095)
• ref(core): Remove unused constants from vercel-ai-attributes.ts (#​20096)
• ref(nextjs): Refactor findInjectionIndexAfterDirectives for better readability (#​20310)
• ref(opentelemetry): Replace @opentelemetry/resources with inline getSentryResource() (#​20327)
• test: Fix flaky ANR test by increasing blocking duration (#​20239)
• test(bun): Add bun integration test folder (#​20286)
• test(cloudflare): Skip flaky durableobject-spans test (#​20282)
• test(openai): Use multi-message scenario in no-truncation test (#​20194)
• test(react): Remove duplicated test mock (#​20200)
• tests(ai): Fix streaming+truncation integration tests across AI integrations (#​20326)

Bundle size 📦

Path	Size
@​sentry/browser	25.18 KB
@​sentry/browser - with treeshaking flags	23.71 KB
@​sentry/browser (incl. Tracing)	42.59 KB
@​sentry/browser (incl. Tracing + Span Streaming)	44.26 KB
@​sentry/browser (incl. Tracing, Profiling)	47.37 KB
@​sentry/browser (incl. Tracing, Replay)	80.8 KB
@​sentry/browser (incl. Tracing, Replay) - with treeshaking flags	70.55 KB
@​sentry/browser (incl. Tracing, Replay with Canvas)	85.38 KB
@​sentry/browser (incl. Tracing, Replay, Feedback)	97.34 KB
@​sentry/browser (incl. Feedback)	41.59 KB
@​sentry/browser (incl. sendFeedback)	29.74 KB
@​sentry/browser (incl. FeedbackAsync)	34.62 KB
@​sentry/browser (incl. Metrics)	26.44 KB
@​sentry/browser (incl. Logs)	26.57 KB
@​sentry/browser (incl. Metrics & Logs)	27.24 KB
@​sentry/react	26.89 KB
@​sentry/react (incl. Tracing)	44.81 KB
@​sentry/vue	29.89 KB
@​sentry/vue (incl. Tracing)	44.38 KB
@​sentry/svelte	25.2 KB
CDN Bundle	27.79 KB
CDN Bundle (incl. Tracing)	43.64 KB
CDN Bundle (incl. Logs, Metrics)	29.13 KB
CDN Bundle (incl. Tracing, Logs, Metrics)	44.7 KB
CDN Bundle (incl. Replay, Logs, Metrics)	67.12 KB
CDN Bundle (incl. Tracing, Replay)	79.74 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics)	80.79 KB
CDN Bundle (incl. Tracing, Replay, Feedback)	85.13 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics)	86.17 KB
CDN Bundle - uncompressed	81.17 KB
CDN Bundle (incl. Tracing) - uncompressed	130.51 KB
CDN Bundle (incl. Logs, Metrics) - uncompressed	85.22 KB
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed	133.84 KB
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed	205.7 KB
CDN Bundle (incl. Tracing, Replay) - uncompressed	244.99 KB
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed	248.31 KB
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	257.6 KB
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed	260.91 KB
@​sentry/nextjs (client)	47.28 KB
@​sentry/sveltekit (client)	43.02 KB
@​sentry/node-core	56.58 KB
@​sentry/node	170.68 KB
@​sentry/node - without tracing	95.57 KB
@​sentry/aws-serverless	112.42 KB

axios/axios (axios)

v1.16.0

Compare Source

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
• transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
• Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#​10588)
• @​cuiweixie (#​7419)
• @​iruizsalinas (#​10787)
• @​MarcosNocetti (#​10680)
• @​deepview-autofix (#​10729)
• @​atharvasingh7007 (#​10745)
• @​OfekDanny (#​10772)
• @​mnahkies (#​7414)
• @​tboyila (#​10759)
• @​Kingo64 (#​6897)
• @​ramram1048 (#​6389)
• @​FLNacif (#​6460)
• @​zozo123 (#​10806)
• @​pierluigilenoci (#​10802)
• @​afurm (#​10708)
• @​karan-lrn (#​7378)
• @​ebeigarts (#​7149)
• @​Raymondo97 (#​10782)
• @​mixelburg (#​10821)
• @​ashishkr96 (#​10822)
• @​cyphercodes (#​10819)
• @​Jye10032 (#​7260)
• @​VeerShah41 (#​7276)

Full Changelog

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

discordjs/discord.js (discord.js)

v14.26.4

Compare Source

Bug Fixes

• MessageCreateAction: Receive DMs in uncached DMChannels again (#​11495) (b8d8812)

v14.26.3

Compare Source

Bug Fixes

• TeamMember: Allow a default permissions (dced197)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.