chore(deps): bump the minor-patch-updates group across 1 directory with 15 updates

[dependabot]

Bumps the minor-patch-updates group with 15 updates in the / directory:

Package	From	To
unpdf	1.6.0	1.6.2
uuid	11.1.0	11.1.1
@types/uuid	10.0.0	11.0.0
@typescript-eslint/eslint-plugin	8.58.2	8.59.1
@typescript-eslint/parser	8.58.2	8.59.1
ajv	8.18.0	8.20.0
eslint-plugin-no-only-tests	3.3.0	3.4.0
zod	4.3.6	4.4.2
@redocly/cli	1.34.11	1.34.14
jest-mock-extended	4.0.0-beta1	4.0.1
@tanstack/react-query	5.99.0	5.100.9
axios	1.15.0	1.16.0
react-router-dom	7.14.1	7.14.2
styled-components	6.4.0	6.4.1
msw	2.13.3	2.14.2

Updates unpdf from 1.6.0 to 1.6.2

Release notes

Sourced from unpdf's releases.

v1.6.2

   🐞 Bug Fixes

• Add ReadableStream async iterator polyfill  -  by @​johannschopplich in unjs/unpdf#51 (03066)

    View changes on GitHub

v1.6.1

   🐞 Bug Fixes

• Add Promise.try polyfill  -  by @​johannschopplich in unjs/unpdf#51 (47776)

    View changes on GitHub

Commits

• 0b841e4 chore: release v1.6.2
• 0306603 fix: add ReadableStream async iterator polyfill (refs #51)
• fd06680 chore: release v1.6.1
• 47776f6 fix: add Promise.try polyfill (closes #51)
• b4f513a chore: clean up tsconfig options
• See full diff in compare view

Updates uuid from 11.1.0 to 11.1.1

Release notes

Sourced from uuid's releases.

v11.1.1

11.1.1 (2026-04-29)

Bug Fixes

• backport GHSA-w5hq-g745-h8pq fix (32389c8)

Changelog

Sourced from uuid's changelog.

11.1.1 (2026-04-29)

Bug Fixes

• backport GHSA-w5hq-g745-h8pq fix (32389c8)

Commits

• 7269a96 chore(11.x): release 11.1.1 (#949)
• 32389c8 fix: backport GHSA-w5hq-g745-h8pq fix
• 2799f71 chore: update workflow
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for uuid since your current version.

Updates @types/uuid from 10.0.0 to 11.0.0

Commits

• See full diff in compare view

Updates @types/uuid from 10.0.0 to 11.0.0

Commits

• See full diff in compare view

Updates @typescript-eslint/eslint-plugin from 8.58.2 to 8.59.1

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 5245793 chore(release): publish 8.59.1
• 3cef124 chore(eslint-plugin): switch auto-generated test cases to hand-written in dot...
• 27c507b test: make sort-type-constituents tests fully static (#12262)
• a03b31d chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• a7099a7 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• bfbd4a5 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• b49d4b1 chore(eslint-plugin): switch auto-generated test cases to hand-written in no-...
• 3097e72 chore(eslint-plugin): switch auto-generated test cases to hand-written in nam...
• 676191b chore(eslint-plugin): switch auto-generated test cases to hand-written in mem...
• e9dce8b fix(eslint-plugin): [no-unnecessary-condition] treat void as nullish in no-un...
• Additional commits viewable in compare view

Updates @typescript-eslint/parser from 8.58.2 to 8.59.1

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.59.1 (2026-04-27)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 5245793 chore(release): publish 8.59.1
• ea9ae4f chore(release): publish 8.59.0
• See full diff in compare view

Updates ajv from 8.18.0 to 8.20.0

Release notes

Sourced from ajv's releases.

v8.20.0

What's Changed

• fix: add support for node 22/24, drop node 16/21 by @​jasoniangreen in ajv-validator/ajv#2580
• fix: add ES2022.RegExp for RegExpIndicesArray by @​SignpostMarv in ajv-validator/ajv#2604

Full Changelog: ajv-validator/ajv@v8.19.0...v8.20.0

v8.19.0

What's Changed

• fix prototype pollution via format keyword using $data ref by @​epoberezkin in ajv-validator/ajv#2607

Full Changelog: ajv-validator/ajv@v8.18.0...v8.19.0

Commits

• 0fba0b8 8.20.0
• 9caf8d6 fix: add ES2022.RegExp for RegExpIndicesArray; fixes ajv-validator/ajv#2603 (...
• 2065350 fix: add support for node 22/24, drop node 16/21 (#2580)
• 154b58d 8.19.0
• e8d2bdc test/fix prototype pollution via $data ref with format keyword (#2607)
• See full diff in compare view

Updates eslint-plugin-no-only-tests from 3.3.0 to 3.4.0

Release notes

Sourced from eslint-plugin-no-only-tests's releases.

v3.4.0

What's Changed

• Bump cross-spawn from 7.0.3 to 7.0.6 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#47
• Bump js-yaml from 4.1.0 to 4.1.1 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#51
• Update README for flat config by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#52
• Bump minimatch from 3.1.2 to 3.1.5 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#54
• Document oxlint setup by @​AndreyYolkin in levibuzolic/eslint-plugin-no-only-tests#53
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in levibuzolic/eslint-plugin-no-only-tests#55
• Add common framework setup docs for focused tests by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#57
• Optimize Oxlint integration and release v3.4.0 by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#58
• Update Actions for npm trusted publishing by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#59
• Remove npm registry auth from publish workflow by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#60
• Update release workflow for trusted publishing by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#61
• Fix GitHub release npm publish auth by @​levibuzolic in levibuzolic/eslint-plugin-no-only-tests#62

New Contributors

• @​AndreyYolkin made their first contribution in levibuzolic/eslint-plugin-no-only-tests#53

Full Changelog: levibuzolic/eslint-plugin-no-only-tests@v3.3.0...v3.4.0

Changelog

Sourced from eslint-plugin-no-only-tests's changelog.

v3.4.0

Added

• Add CLI E2E coverage for both ESLint and Oxlint, including --fix verification and config-specific assertions
• Add a package-contents check to ensure test assets are never published

Changed

• Optimize Oxlint usage by adopting Oxlint's performance-focused createOnce entrypoint while preserving ESLint compatibility

Internal

• Switch repository tooling from Yarn to Bun
• Replace Biome/Prettier usage with Oxlint and Oxfmt
• Update GitHub Actions to use Bun and a modern Node test matrix
• Move test infrastructure into a dedicated test/ directory
• Tighten package metadata and improve JSDoc/type coverage

v3.0.0

Added

• Block scope matchers can accept a trailing * to optionally match blocks by prefix #35

Breaking

• Block matchers no longer match prefixes of blocks by default, can now be configured via options #35

v2.6.0

• Disable auto fixing by default, allow it to be optionally enabled. #26

v2.5.0

• Add support for auto fixing violations - #19 @​tgreen7

v2.4.0

• Add support for defining 2 levels deep in blocks (ie. ava.default)

v2.3.1

• Bump js-yaml from 3.13.0 to 3.13.1 due to security vulnerability - #11

v2.3.0

• Allow test block names to be specified in options - #10

v2.2.0

... (truncated)

Commits

• 2279c51 Merge pull request #62 from levibuzolic/levi/fix-github-release-action
• e234e55 Use Publish environment for npm release
• d304af4 Fix npm release auth
• 435b3a2 Merge pull request #61 from levibuzolic/fix-release-script
• 968e9d9 Switch release workflow to published events
• a0edb1a Merge pull request #60 from levibuzolic/fix-release-script
• 42ca3d8 Remove npm registry auth from publish workflow
• b7051fc Merge pull request #59 from levibuzolic/fix-release-script
• 36e23a2 Update GitHub Actions for npm trusted publishing
• 17f7389 Fix release script
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for eslint-plugin-no-only-tests since your current version.

Updates zod from 4.3.6 to 4.4.2

Release notes

Sourced from zod's releases.

v4.4.2

Commits:

• 0c62df0ea19fd05abdf90473e9eef7eea530fab2 Clean up docs navigation and stale labels (#5901)
• 20cc794895cc8604fe0c87d83a5d1c3f89fad0ac chore: add security policy and refresh tooling deps
• 6fbe07b0177efdd1bf1c0b05160e70d7a0702337 fix(docs): heading anchor links now include the hash so it doesnt scoll all the way up, follows navbar logic (#5791)
• 4bbed1b1c73eca4ce9e59b1189ed236aa6c8b5bd Tighten discriminated union option typing
• bbac3e567e7fccfaaf7cdc97f1ce30c295e2c908 Update PR guidance for agents
• cf0dc942a32805c292fff59ade20a7ace980735a Merge remote-tracking branch 'origin/main' into fix-discriminated-union-key-constraint
• 292c894a5fd2aa42e527900b83d8d7a3009a709c docs: add Zernio gold sponsor
• 1fc9f311c28dcf80d0bb5a36b177086cbc3d8eca docs: document codec inversion
• 1373c85da9aeff704a9762d27bc58699618aefb7 docs: remove AI disclosure guidance
• e20d02b473c08e3a4e557bc610b1b5fac079b649 chore: ignore triage notes
• e58ea4d91b1dfe8194b73508203213cbc7e9c936 docs: test Zod Mini tab code heights
• 905761a5d127e8d5dd2ebb3bc88c75cb0b8149ff docs: document preprocess input type narrowing
• bf64bac850d4dee2b7dde7e64909d5d796d32043 chore: tighten test guidance in AGENTS.md
• 8ec4e73f4c4693b6361ad591be40fb41eb8a9f95 chore: update play.ts scratch
• 02c2baf7d0d615872fa4528a8020603b71211702 Make z.preprocess defer optionality to inner schema (#5929)
• 88015df8e25c44fb5385eb3ef28935119cd5edea fix(docs): drop deprecated baseUrl from tsconfig
• c59d4474e3b4cad1b323462186cf607178ce8267 4.4.2

v4.4.1

Commits:

• 481f7be4238c83ed58183f921b2646f340a91c6a ci: gate release publishing on full test workflow
• 95ccab423aec720b2523c3a64cdc7e3204537cc7 test(v3): restore optional undefined expectations
• cede2c63739a5823d6aa5093d291e9a111da943d fix(v4): reject tuple holes before required defaults (#5900)
• edd0bf0f5ada4a8dc581c259407d7bbad0a71ea7 release: 4.4.1
• 180d83d1dbe6a59260710cc8637a3dea2281ee56 docs: remove Jazz featured sponsor

v4.4.0

4.4.0

This is a minor release with a wide set of correctness and soundness fixes. Some fixes intentionally make Zod stricter, so code that depended on previously accepted invalid or ambiguous inputs may need small updates.

Potentially breaking bug fixes

Tuple defaults now materialize output values correctly

Fixed in #5661. Tuple parsing now more accurately reflects defaults, optional tails, explicit undefined, and under-filled inputs. The headline behavior is that defaults in tuple positions now properly appear in parsed output.

const schema = z.tuple([
  z.string(),
  z.string().default("fallback"),
]);
schema.parse(["a"]);
// ["a", "fallback"]

... (truncated)

Commits

• c59d447 4.4.2
• 88015df fix(docs): drop deprecated baseUrl from tsconfig
• 02c2baf Make z.preprocess defer optionality to inner schema (#5929)
• 8ec4e73 chore: update play.ts scratch
• bf64bac chore: tighten test guidance in AGENTS.md
• 905761a docs: document preprocess input type narrowing
• e58ea4d docs: test Zod Mini tab code heights
• e20d02b chore: ignore triage notes
• 1373c85 docs: remove AI disclosure guidance
• 1fc9f31 docs: document codec inversion
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for zod since your current version.

Updates @redocly/cli from 1.34.11 to 1.34.14

Release notes

Sourced from @​redocly/cli's releases.

@​redocly/cli@​1.34.14

Patch Changes

• Updated handlebars to v4.7.9.
• Updated @​redocly/openapi-core to v1.34.14.

@​redocly/cli@​1.34.13

Patch Changes

• Increased the default fetch timeout used by the push command to better support slower uploads.
• Updated @​redocly/openapi-core to v1.34.13.

@​redocly/cli@​1.34.12

Patch Changes

• Improved the stability of the push command.
• Updated @​redocly/openapi-core to v1.34.12.

Changelog

Sourced from @​redocly/cli's changelog.

1.34.14 (2026-04-30)

Patch Changes

• Updated handlebars to v4.7.9.
• Updated @​redocly/openapi-core to v1.34.14.

1.34.13 (2026-04-27)

Patch Changes

• Increased the default fetch timeout used by the push command to better support slower uploads.
• Updated @​redocly/openapi-core to v1.34.13.

1.34.12 (2026-04-20)

Patch Changes

• Improved the stability of the push command.
• Updated @​redocly/openapi-core to v1.34.12.

Commits

• 3721099 chore: 🔖 release new versions (#2790)
• 17e040d chore: update handlebars (#2787)
• 0d6dede chore: 🔖 release new versions (#2779)
• c743b2e fix: increase default fetch timeout for push command (#2777)
• fef0709 chore: 🔖 release new versions (#2757)
• b054a81 fix: improve push command stability (#2756)
• See full diff in compare view

Updates jest-mock-extended from 4.0.0-beta1 to 4.0.1

Release notes

Sourced from jest-mock-extended's releases.

4.0.1

Patch release containing the recently merged fixes after 4.0.0.

Changes

• Added TypeScript 6 compatibility.

  • Updated dev dependency support for TypeScript 6.
  • Expanded the TypeScript peer dependency range to include ^6.0.0.

• Fixed calledWith matching for object arguments.

  • calledWith now compares literal object arguments by value instead of only by reference.
  • This allows calls like mockFn.calledWith({ id: 1 }) to match later calls with equivalent object literals.
  • Added regression coverage for nested object literal matching.

• Fixed overloaded function support in mock proxy types.

  • Restored inferred argument and return types for mocked function properties.
  • Improves typing for overloaded methods on both flat mocks and deep mocks.
  • Adds regression coverage for overloaded method mocks.

4.0.0

Upgrade to jest 30

Commits

• See full diff in compare view

Updates @tanstack/react-query from 5.99.0 to 5.100.9

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.9

Patch Changes

• Updated dependencies [3d21cac]:
  • @​tanstack/query-devtools@​5.100.9
  • @​tanstack/react-query@​5.100.9

@​tanstack/react-query-next-experimental@​5.100.9

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.9

@​tanstack/react-query-persist-client@​5.100.9

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.9
  • @​tanstack/react-query@​5.100.9

@​tanstack/react-query@​5.100.9

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

@​tanstack/react-query-devtools@​5.100.8

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.8
  • @​tanstack/react-query@​5.100.8

@​tanstack/react-query-next-experimental@​5.100.8

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.8

@​tanstack/react-query-persist-client@​5.100.8

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.8
  • @​tanstack/react-query@​5.100.8

@​tanstack/react-query@​5.100.8

Patch Changes

• Updated dependencies []:

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.9

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

5.100.8

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.8

5.100.7

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.7

5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.6

5.100.5

Patch Changes

• Updated dependencies [a53ef97]:
  • @​tanstack/query-core@​5.100.5

5.100.4

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.4

5.100.3

Patch Changes

• fix(suspense): skip calling combine when queries would suspend (#10576)

• Updated dependencies [f85d825]:

  • @​tanstack/query-core@​5.100.3

... (truncated)

Commits

• 8c3d523 ci: Version Packages (#10630)
• 9800c8f ci: Version Packages (#10623)
• 3ae4261 ci: Version Packages (#10620)
• 87f7ccf ci: Version Packages (#10604)
• 441204b ci: Version Packages (#10582)
• 55afb3e ci: Version Packages (#10581)
• fe287cc ci: Version Packages (#10579)
• f85d825 Feature/use suspense queries combine (#10576)
• 93b2845 ci: Version Packages (#10575)
• ea4497e fix(query-core): stop wrapping persister generics in NoInfer (#10510)
• Additional commits viewable in compare view

Updates axios from 1.15.0 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 relea...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: npm, type: dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🎭 Playwright E2E: ✅ SUCCESS

Metric	Value
Shards	2
Burn-in	skipped

📦 Download Report & Traces

Includes merged HTML report and trace files for debugging failures