chore(deps): bump the npm-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the npm-dependencies group with 10 updates in the / directory:

Package	From	To
@casl/ability	6.8.0	6.8.1
axios	1.15.0	1.15.2
express-rate-limit	8.3.2	8.4.1
jose	6.2.2	6.2.3
@commitlint/cli	20.5.0	20.5.2
@typescript-eslint/eslint-plugin	8.58.2	8.59.1
@typescript-eslint/parser	8.58.2	8.59.1
jest-mock-extended	4.0.0	4.0.1
nock	14.0.12	14.0.13
prettier	3.8.2	3.8.3

Updates @casl/ability from 6.8.0 to 6.8.1

Release notes

Sourced from @​casl/ability's releases.

@​casl/ability: v6.8.1

6.8.1 (2026-04-20)

Performance Improvements

• improves perf of edge cases (#1191) (f25a32a)
• lazily create a new array during rule field filtering (#1194) (119f000)

Changelog

Sourced from @​casl/ability's changelog.

6.8.1 (2026-04-20)

Performance Improvements

• improves perf of edge cases (#1191) (f25a32a)
• lazily create a new array during rule field filtering (#1194) (119f000)

Commits

• 49b5bcd chore: release master (#1192)
• 119f000 perf: lazily create a new array during rule field filtering (#1194)
• f25a32a perf: improves perf of edge cases (#1191)
• See full diff in compare view

Updates axios from 1.15.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Updates express-rate-limit from 8.3.2 to 8.4.1

Commits

• 69568d4 8.4.1
• c686acd v8.4.1 changelog
• ba71353 test: bump timeout in flakey skipFailedRequests test (#618)
• dd4c894 feat: allow usage of custom logger (#616)
• 2bb343c resolve Jest timeout for server-based tests (#617)
• See full diff in compare view

Updates jose from 6.2.2 to 6.2.3

Release notes

Sourced from jose's releases.

v6.2.3

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

Changelog

Sourced from jose's changelog.

6.2.3 (2026-04-27)

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

Commits

• 41ad7e9 chore(release): 6.2.3
• 988e90f chore: account for commit-and-tag-version instead of standard-version
• 4b24656 chore: update CHANGELOG.md header
• 0cdb851 refactor: cleanly reject invalid PBES2 p2c
• a0b261e test: update Bun expectations
• b39dc1a chore: use fs.globSync
• 0675be1 build: replace rollup umd build with a custom esbuild iife wrap
• 9b03323 chore: bump packages
• 914b73d chore(deps-dev): bump lodash
• 9dce817 chore: bump packages
• Additional commits viewable in compare view

Updates @commitlint/cli from 20.5.0 to 20.5.2

Release notes

Sourced from @​commitlint/cli's releases.

v20.5.2

20.5.2 (2026-04-25)

Just minor dep updates before the next breaking change

Chore & Docs

• chore: remove codesandbox ci integration by @​escapedcat in conventional-changelog/commitlint#4680
• docs: add Windows UTF-8 encoding note to getting started guide by @​Chessing234 in conventional-changelog/commitlint#4699
• docs: improve parserPreset documentation with examples and options reference by @​Chessing234 in conventional-changelog/commitlint#4700
• docs: fix subject-case rule default from 'always' to 'never' by @​Chessing234 in conventional-changelog/commitlint#4703

New Contributors

• @​Chessing234 made their first contribution in conventional-changelog/commitlint#4699

Full Changelog: conventional-changelog/commitlint@v20.5.1...v20.5.2

v20.5.1

20.5.1 (2026-03-31)

Bug Fixes

• fix(cz-commitlint): add VS16 to single character emojis by @​mrt181 in conventional-changelog/commitlint#4666
• fix(cz-commitlint): handle modifiers correctly by @​mrt181 in conventional-changelog/commitlint#4667

Reverts

• Revert "fix: update dependency global-directory to v5 (#4671)" by @​escapedcat in conventional-changelog/commitlint#4677

Core & co

• chore: deps and CI improvements by @​escapedcat in conventional-changelog/commitlint#4660
• ci: restore push on all branches, avoid duplicate runs by @​escapedcat in conventional-changelog/commitlint#4665

Full Changelog: conventional-changelog/commitlint@v20.5.0...v20.5.1

Changelog

Sourced from @​commitlint/cli's changelog.

20.5.2 (2026-04-25)

Note: Version bump only for package @​commitlint/cli

Commits

• 7fe86b2 v20.5.2
• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.58.2 to 8.59.1

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 5245793 chore(release): publish 8.59.1
• 3cef124 chore(eslint-plugin): switch auto-generated test cases to hand-written in dot...
• 27c507b test: make sort-type-constituents tests fully static (#12262)
• a03b31d chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• a7099a7 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• bfbd4a5 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• b49d4b1 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• 3097e72 chore(eslint-plugin): switch auto-generated test cases to hand-written in nam...
• 676191b chore(eslint-plugin): switch auto-generated test cases to hand-written in mem...
• e9dce8b fix(eslint-plugin): [no-unnecessary-condition] treat void as nullish in no-un...
• Additional commits viewable in compare view

Updates @typescript-eslint/parser from 8.58.2 to 8.59.1

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.59.1 (2026-04-27)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 5245793 chore(release): publish 8.59.1
• ea9ae4f chore(release): publish 8.59.0
• See full diff in compare view

Updates jest-mock-extended from 4.0.0 to 4.0.1

Release notes

Sourced from jest-mock-extended's releases.

4.0.1

Patch release containing the recently merged fixes after 4.0.0.

Changes

• Added TypeScript 6 compatibility.

  • Updated dev dependency support for TypeScript 6.
  • Expanded the TypeScript peer dependency range to include ^6.0.0.

• Fixed calledWith matching for object arguments.

  • calledWith now compares literal object arguments by value instead of only by reference.
  • This allows calls like mockFn.calledWith({ id: 1 }) to match later calls with equivalent object literals.
  • Added regression coverage for nested object literal matching.

• Fixed overloaded function support in mock proxy types.

  • Restored inferred argument and return types for mocked function properties.
  • Improves typing for overloaded methods on both flat mocks and deep mocks.
  • Adds regression coverage for overloaded method mocks.

Commits

• 3784780 bump version - to 4.0.1.
• fe30345 Merge pull request #141 from gzm0/leave-infer
• b51d866 Merge pull request #145 from marchaos/pr-127-resolved
• d66a39d fix: allow objects as a parameter in the 'calledWith' method
• 7479be9 Merge pull request #143 from brunotp99/chore/upgrade-deps/jest-30-typescript-6
• dc4e958 chore: use original indentation
• 7ac0b14 chore: remove package lock
• 784f526 chore(deps): upgrade typescript major dependency and tsconfig
• 2a762bb Fix overloads: Revive infer statements from 3.0.7
• See full diff in compare view

Updates nock from 14.0.12 to 14.0.13

Commits

• 07fbfab fix(types): align Definition with runtime; add rawHeaders, drop headers (#2955)
• fe2c3ea chore(deps-dev): bump lodash-es from 4.17.23 to 4.18.1 (#2961)
• ee49b4f chore(deps-dev): bump flatted from 3.2.5 to 3.4.2
• 11bf183 chore(deps-dev): bump undici from 6.23.0 to 6.24.1 (#2954)
• 6b80154 chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#2960)
• 4cbf6cc chore(deps): bump tar and npm (#2952)
• See full diff in compare view

Updates prettier from 3.8.2 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions