chore(deps): update all-minor-updates #9
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: lucasoskorep/mta-sign#9
Reference in New Issue
Block a user
Delete Branch "renovate/minor"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
25.5.0→25.6.010.4.27→10.5.01.14.0→1.15.110.1.0→10.2.116.2.1→16.2.416.2.1→16.2.425.8.2→25.9.08.5.8→8.5.1019.2.4→19.2.519.2.4→19.2.54.1.2→4.1.44.13.0→4.14.1Release Notes
postcss/autoprefixer (autoprefixer)
v10.5.0Compare Source
mask-position-xandmask-position-ysupport (by @toporek).axios/axios (axios)
v1.15.1Compare Source
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
🔒 Security Fixes
inchecks withhasOwnPropertyto prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)withXSRFTokenTruthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)maxBodyLengthWith Zero Redirects: EnforcesmaxBodyLengtheven whenmaxRedirectsis set to0, closing a bypass path for oversized request bodies. (#10753)maxContentLengthBypass: AppliesmaxContentLengthto streamed responses that previously bypassed the cap. (#10754)🚀 New Features
LocationRequest Header Type: AddsLocationtoCommonRequestHeadersListfor accurate typing of redirect-aware requests. (#7528)🐛 Bug Fixes
Content-Typewhen no boundary is present onFormDatafetch requests, supports multi-select fields, cancelsrequest.bodyinstead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)loadedtototalfor computable upload/download progress events. (#7458)runWhentype with the runtime behaviour inInterceptorManagerand makes response header keys case-insensitive. (#7529, #10677)buildFullPath: Uses strict equality in the base/relative URL check. (#7252)AxiosURLSearchParamsRegex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)🔧 Maintenance & Chores
THREATMODEL.md, including Hopper security update, TLS and tag-replay wording, mitigation descriptions, decompression-bomb guidance, and further cleanup. (#10672, #10715, #10718, #10722, #10763, #10765)shouldBypassProxycoverage for wildcard/IPv6/edge cases, documented and testedAxiosError.status, and migratedprogressEventReducertests to Vitest. (#10723, #10725, #10741)CODEOWNERS, switches v1.x releases to an ephemeral release branch, and removes orphaned Bower support. (#10739, #10738, #10746)follow-redirects(1.15.11→1.16.0) in root and docs,axios(1.14.0→1.15.0) in docs, and a group of 5 development dependencies. (#10717, #10716, #10684, #10709)🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
v1.15.0Compare Source
Bug Fixes
Features
Contributors to this release
PRs
1.2.6 (2023-01-28)
Bug Fixes
CommonRequestHeadersList&CommonResponseHeadersListtypes to be private in commonJS; (#5503) (5a3d0a3)Contributors to this release
PRs
1.2.5 (2023-01-26)
Bug Fixes
Contributors to this release
PRs
1.2.4 (2023-01-22)
Bug Fixes
RawAxiosRequestConfigback toAxiosRequestConfig; (#5486) (2a71f49)AxiosRequestConfiggeneric; (#5478) (9bce81b)Contributors to this release
PRs
1.2.3 (2023-01-10)
Bug Fixes
Contributors to this release
PRs
[1.2.2] - 2022-12-29
Fixed
Chores
Contributors to this release
[1.2.1] - 2022-12-05
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.2.0] - 2022-11-10
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.1.3] - 2022-10-15
Added
Fixed
Chores
Contributors to this release
PRs
[1.1.2] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.1] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.0] - 2022-10-06
Fixed
Contributors to this release
PRs
[1.0.0] - 2022-10-04
Added
Changed
Deprecated
Removed
Fixed
Chores
Security
Contributors to this release
Bertrand Marron
Dmitriy Mozgovoy
Dan Mooney
Michael Li
aong
Des Preston
Ted Robertson
zhoulixiang
Arthur Fiorette
Kumar Shanu
JALAL
Jingyi Lin
Philipp Loose
Alexander Shchukin
Dave Cardwell
Cat Scarlet
Luca Pizzini
Kai
Maxime Bargiel
Brian Helba
reslear
Jamie Slome
Landro3
rafw87
Afzal Sayed
Koki Oyatsu
Dave
暴走老七
Spencer
Adrian Wieprzkowicz
Jamie Telin
毛呆
Kirill Shakirov
Rraji Abdelbari
Jelle Schutter
Tom Ceuppens
Johann Cooper
Dimitris Halatsis
chenjigeng
João Gabriel Quaresma
Victor Augusto
neilnaveen
Pavlos
Kiryl Valkovich
Naveen
wenzheng
hcwhan
Bassel Rachid
Grégoire Pineau
felipedamin
Karl Horky
Yue JIN
Usman Ali Siddiqui
WD
Günther Foidl
Stephen Jennings
C.T.Lin
mia-z
Parth Banathia
parth0105pluang
Marco Weber
Luca Pizzini
Willian Agostini
Huyen Nguyen
eslint/eslint (eslint)
v10.2.1Compare Source
Bug Fixes
14be92bfix: model generator yield resumption paths in code path analysis (#20665) (sethamus)84a19d2fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)af764affix: clarify language and processor validation errors (#20729) (Pixel998)e251b89fix: update eslint (#20715) (renovate[bot])Documentation
ca92ca0docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)57d2ee2docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)c1621b9docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)1418d52docs: Update README (GitHub Actions Bot)39771e6docs: Update README (GitHub Actions Bot)71e0469docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)22119cedocs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)8f3fb77docs: documentmeta.docs.dialects(#20718) (Pixel998)Chores
7ddfea9chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])fac40e1ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])7246f92test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)4f34b1echore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])51080ebtest: processor service (#20731) (kuldeep kumar)e7e1889chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)4e1a87ctest: remove redundant async/await in flat config array tests (#20722) (Pixel998)066eabbtest: add rule metadata coverage forlanguagesanddocs.dialects(#20717) (Pixel998)v10.2.0Compare Source
Features
586ec2ffeat: Addmeta.languagessupport to rules (#20571) (Copilot)14207defeat: addTemporaltono-obj-calls(#20675) (Pixel998)bbb2c93feat: add Temporal to ES2026 globals (#20672) (Pixel998)Bug Fixes
542cb3efix: update first-party dependencies (#20714) (Francesco Trotta)Documentation
a2af743docs: addlanguageto configuration objects (#20712) (Francesco Trotta)845f23fdocs: Update README (GitHub Actions Bot)5fbcf59docs: removesourceTypefrom ts playground link (#20477) (Tanuj Kanti)8702a47docs: Update README (GitHub Actions Bot)ddeadeddocs: Update README (GitHub Actions Bot)2b44966docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)eab65c7docs: updateeslintversions in examples (#20664) (루밀LuMir)3e4a299docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)Chores
8120e30refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)46e8469chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])01ed3aatest: add unit tests for unicode utilities (#20622) (Manish chaudhary)811f493ci: remove--legacy-peer-depsfrom types integration tests (#20667) (Milos Djermanovic)6b86fcfchore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])632c4f8chore: addprettierupdate commit to.git-blame-ignore-revs(#20662) (루밀LuMir)b0b0f21chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)228a2ddchore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)3ab4d7etest: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)vercel/next.js (eslint-config-next)
v16.2.4Compare Source
Core Changes
Credits
Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!
v16.2.3Compare Source
Core Changes
Credits
Huge thanks to @icyJoseph, @sokra, @wbinnssmith, @eps1lon and @ztanner for helping!
v16.2.2Compare Source
Core Changes
Credits
Huge thanks to @nextjs-bot, @icyJoseph, @ijjk, @gaojude, @wbinnssmith, @lukesandberg, and @bgw for helping!
nodejs/node (node)
v25.9.0: 2026-04-01, Version 25.9.0 (Current), @aduh95Compare Source
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExportandMockModuleOptions.namedExportshave beenconsolidated into a single option
MockModuleOptions.exportsto align with userexpectations and other test runners.
A
defaultproperty onMockModuleOptions.exportsrepresents the defaultexport, and own enumerable properties are treated as named exports.
An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
Contributed by sangwook in #61727.
Other notable changes
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes toAsyncLocalStorage(Stephen Belanger) #6167462d2cd473b] - (SEMVER-MINOR) cli: add--max-heap-sizeoption (tannal) #58708d0ebf0e44b] - (SEMVER-MINOR) crypto: addTurboSHAKEandKangarooTwelveWeb Cryptography algorithms (Filip Skokan) #62183f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #6218867b854d407] - (SEMVER-MINOR) repl: remove dependency onnode:domain(Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066Commits
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #618712fcd07f1ba] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #622807dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #6211562d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #621833009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #618754d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #6216993d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #621703d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #6216495c7fc67ba] - deps: update googletest to2461743(Node.js GitHub Bot) #62484e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051180c150122] - deps: V8: cherry-pickcf1bce4(Richard Lau) #62449bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448f1b28612c4] - deps: V8: cherry-pickb25cd62(Yagiz Nizipli) #62354757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #622843bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256a9703d194a] - deps: update googletest to73a63ea(Node.js GitHub Bot) #6192785138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #621230093863664] - doc: deprecatemodule.register()(DEP0205) (Geoffrey Booth) #623950b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #624568d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #6249208ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #6248261cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #6242364cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #621391020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #622069caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #623029e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #622437f37c17516] - doc: minor typo fix (Jeff Matson) #62358eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #6232117e5aee6c5] - doc: fix small environment_variables typo (chris) #62279193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #621204a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208f976c9214d] - doc: clarify that any truthy value ofshellis part of DEP0190 (Antoine du Hamel) #622494d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #6220271f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #62204670c80893b] - doc: add note (and caveat) formock.moduleabout customization hooks (Jacob Smith) #620752ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #622446c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #624751cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #624154f4ff15794] - esm: fix path normalization infinalizeResolution(Antoine du Hamel) #62080088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #622610250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #6230792ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #6222640a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #621333ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #623353c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #62371f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #6216567b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #62396d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #623430e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #6210302980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #6206603839fb087] - stream: preserve error over AbortError in pipeline (Marco) #621130000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #620873796a73719] - test: update WPT for WebCryptoAPI to2cb332d(Node.js GitHub Bot) #62483ad8309415b] - test: update WPT for url tofc3e651(Node.js GitHub Bot) #62379bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #620661b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #6222647a2132269] - test: update WPT for WebCryptoAPI to6a1c545(Node.js GitHub Bot) #621872c63d3006c] - test_runner: add exports option for module mocks (sangwook) #6172744ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #592721865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #622820252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #624393368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #624375e47c359f5] - tools: adopt the--check-for-duplicatesNCU flag (Antoine du Hamel) #624784a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #62438d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #623567a2fcc6d41] - tools: do not swallow error inlint-nixworkflow (Antoine du Hamel) #62292c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #6209356dfeb06df] - tools: fix timeout errors inlint-nixjob (Antoine du Hamel) #6226522fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #6225067c69750f4] - tools: validate all commits that are pushed tomain(Antoine du Hamel) #622467d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #621676c8fa42ba2] - typings: rationalise TypedArray types (René) #62174531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #614772000caccde] - util: allow color aliases in styleText (sangwook) #621800aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #62198d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #62201e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325postcss/postcss (postcss)
v8.5.10Compare Source
</style>in non-bundler cases (by @TharVid).v8.5.9Compare Source
facebook/react (react)
v19.2.5: 19.2.5 (April 8th, 2026)Compare Source
React Server Components
vitest-dev/vitest (vitest)
v4.1.4Compare Source
🚀 Experimental Features
skipFullif agent detected - by @hi-ogawa in #10018 (53757)assertionas a public field - by @sheremet-va in #10095 (a120e)🐞 Bug Fixes
expect(..., message)consistent as error message prefix - by @hi-ogawa and Codex in #10068 (a1b5f)View changes on GitHub
v4.1.3Compare Source
🚀 Experimental Features
experimental.preParseflag - by @sheremet-va in #10070 (78273)browser.locators.exactoption - by @sheremet-va in #10013 (48799)TestAttachment.bodyEncoding- by @hi-ogawa in #9969 (89ca0)🐞 Bug Fixes
expect.pollinterval - by @hi-ogawa and Claude Sonnet 4.6 in #10022 (3f5bf)@vitest/coverage-v8and@vitest/coverage-istanbulas optional dependency - by @alan-agius4 in #10025 (146d4)defineHelperfor webkit async stack trace + update playwright 1.59.0 - by @hi-ogawa in #10036 (5a5fa)JestExtendError.contextfrom verbose error reporting - by @hi-ogawa in #9983 (66751)vitest- by @hi-ogawa and Codex in #10042 (691d3)View changes on GitHub
yarnpkg/berry (yarn)
v4.14.1Compare Source
v4.14.0Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.