Skip to content

fix(deps): update all non-major dependencies#563

Merged
kriszyp merged 4 commits into
mainfrom
renovate/all-minor-patch
May 18, 2026
Merged

fix(deps): update all non-major dependencies#563
kriszyp merged 4 commits into
mainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 18, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence Type Update Pending
@aws-sdk/client-s3 (source) 3.1042.03.1045.0 age confidence dependencies minor 3.1048.0 (+2)
@aws-sdk/lib-storage (source) 3.1037.03.1045.0 age confidence dependencies minor 3.1048.0 (+2)
@typescript-eslint/parser (source) 8.59.08.59.2 age confidence devDependencies patch 8.59.3
actions/setup-node v6.3.0v6.4.0 age confidence action minor
actions/upload-artifact v7.0.0v7.0.1 age confidence action patch
amaro 1.1.81.1.9 age confidence dependencies patch
axios (source) 1.15.21.16.0 age confidence devDependencies minor 1.16.1
fastify (source) 5.8.45.8.5 age confidence dependencies patch
fs-extra 11.3.411.3.5 age confidence dependencies patch
graphql 16.13.216.14.0 age confidence dependencies minor
msgpackr 1.11.101.11.12 age confidence dependencies patch
oxlint (source) 1.58.01.63.0 age confidence devDependencies minor 1.65.0 (+1)
prettier (source) 3.8.23.8.3 age confidence devDependencies patch
semver 7.7.47.8.0 age confidence dependencies minor
sinon (source) 21.0.321.1.2 age confidence devDependencies minor
slackapi/slack-github-action v3.0.2v3.0.3 age confidence action patch
systeminformation (source) 5.31.55.31.6 age confidence dependencies patch
typescript-eslint (source) 8.58.08.59.2 age confidence devDependencies minor 8.59.3
undici (source) 7.24.77.25.0 age confidence devDependencies minor
uuid 11.1.011.1.1 age confidence dependencies patch
yaml (source) 2.8.32.9.0 age confidence dependencies minor

Release Notes

aws/aws-sdk-js-v3 (@​aws-sdk/client-s3)

v3.1045.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1044.0

Compare Source

Features
  • client-s3: Validate outpost access point resource name (bee88a5)

v3.1043.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

aws/aws-sdk-js-v3 (@​aws-sdk/lib-storage)

v3.1045.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1044.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1043.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1042.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1041.0

Compare Source

Bug Fixes
  • lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#​7982) (8a58046)

v3.1040.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1039.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1038.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.59.2

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

nodejs/amaro (amaro)

v1.1.9

Compare Source

Core
  • remove mention of node_modules (2b4249f)
Miscellaneous
  • build wasm from swc v1.15.21 (dfd333f)
  • build wasm from swc v1.15.24 (6eba3b9)
  • build wasm from swc v1.15.30 (10f015a)
  • deps: bump actions/setup-node from 6.2.0 to 6.3.0 (b4b9d53)
  • deps: bump actions/setup-node from 6.3.0 to 6.4.0 (a5b009a)
  • deps: bump actions/upload-artifact from 7.0.0 to 7.0.1 (3a1b232)
  • deps: bump biomejs/setup-biome from 2.7.0 to 2.7.1 (db5c7ad)
  • deps: bump docker/setup-buildx-action from 3.12.0 to 4.0.0 (f39649c)
  • deps: bump github/codeql-action from 4.32.6 to 4.34.1 (bbc38d5)
  • deps: bump github/codeql-action from 4.34.1 to 4.35.1 (f169d7d)
  • deps: bump github/codeql-action from 4.35.1 to 4.35.2 (8906d16)
  • deps: bump googleapis/release-please-action from 4.4.0 to 4.4.1 (97e8bb7)
  • deps: bump step-security/harden-runner from 2.15.0 to 2.15.1 (1037205)
  • deps: bump step-security/harden-runner from 2.15.1 to 2.16.0 (169e82e)
  • deps: bump step-security/harden-runner from 2.16.0 to 2.16.1 (9c2d95f)
  • deps: bump step-security/harden-runner from 2.16.1 to 2.17.0 (797d9c2)
  • deps: bump step-security/harden-runner from 2.17.0 to 2.18.0 (b88f27a)
  • update swc to v1.15.21 (3a1702b)
  • update swc to v1.15.24 (402f99e)
  • update swc to v1.15.30 (f0645e2)
axios/axios (axios)

v1.16.0

Compare Source

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
  • transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
  • Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

fastify/fastify (fastify)

v5.8.5

Compare Source

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed
New Contributors

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

jprichardson/node-fs-extra (fs-extra)

v11.3.5

Compare Source

  • Fix ensureLink*/ensureSymlink* identical file detection on Windows (#​1068)
  • Fix error handling in timestamp preservation code (#​1065, #​1069)
  • Fix potential file descriptor leak on error in synchronous timestamp preservation code (#​1066)
graphql/graphql-js (graphql)

v16.14.0

Compare Source

v16.14.0 (2026-05-03)

New Feature 🚀
Bug Fix 🐞
Docs 📝
Committers: 4
kriszyp/msgpackr (msgpackr)

v1.11.12

Compare Source

v1.11.11

Compare Source

oxc-project/oxc (oxlint)

v1.63.0

Compare Source

📚 Documentation

v1.62.0

Compare Source

🚀 Features
  • 348f46c linter: Add respectEslintDisableDirectives option (#​21384) (Christian Vuerings)
🐛 Bug Fixes
  • 8c425db linter: Allow string for jest version in config schema (#​21649) (camc314)

v1.61.1

Compare Source

v1.61.0

Compare Source

🚀 Features
  • 38d8090 linter/jest: Implemented jest version settings in config file. (#​21522) (Said Atrahouch)

v1.60.0

Compare Source

📚 Documentation
  • cfd8a4f linter: Don't rely on old eslint doc for available globals (#​21334) (Nicolas Le Cam)

v1.59.0

Compare Source

prettier/prettier (prettier)

v3.8.3

Compare Source

npm/node-semver (semver)

v7.8.0

Compare Source

Features
Bug Fixes
Documentation
Chores
sinonjs/sinon (sinon)

v21.1.2

Compare Source

  • 53817f7d
    Upgrade to ESLint 10 and new shared config (#​2696) (Carl-Erik Kopseng)
    • Upgrade to ESLint 10 and new shared config
    • Update deps
  • d7a682e0
    fix: move npm-run-all to devDeps (#​2694) (Avi Vahl)

    used only during dev, and caused a considerable dep count jump downstream

  • 5b8720ec
    use latest shared eslint-config (Carl-Erik Kopseng)

Released by Carl-Erik Kopseng on 2026-04-11.

v21.1.1

Compare Source

  • 3c8b023b
    Update deps (Carl-Erik Kopseng)
  • 2eabf5da
    fix(#​2692): Remove ESM-only supports-color as it breaks CJS exports (#​2693) (Carl-Erik Kopseng)
    • fix(#​2692): Remove ESM-only supports-color as it breaks CJS exports

Released by Carl-Erik Kopseng on 2026-04-10.

v21.1.0

Compare Source

  • 0a5526c5
    updated deps (Carl-Erik Kopseng)
  • 5262204f
    fix: build artifacts before running bundled tests (Carl-Erik Kopseng)
  • 819bb64b
    Migration to ECMAScript modules (ESM) (#​2683) (Carl-Erik Kopseng)

    This allowed us to finally consume ESM-only dependencies and has broken us free from some CJS shackes. Now produce the same API surface for CJS consumers, as well, by generating ./lib

    • Modern ignores 😁
    • test: add distribution harness
    • test: verify packed cjs and esm entrypoints
    • test: lock distribution api manifest
    • test: smoke test built pkg artifacts
    • docs: require contract tests for package migration
    • test: guard esm migration regressions
    • docs: require contract gate for esm migration
    • build: generate cjs lib from esm source entries
    • refactor: port root api surface to esm
    • build: clean port of root api to esm
    • docs: include implementation plans
    • fix: align lint and smoke tests with esm migration
    • refactor: complete esm port of all core components
    • refactor: finalize esm migration with sandbox and naming fixes
    • fix: finish esm migration stabilization
    • chore: stop tracking generated lib output
    • remove plans
    • prettier
    • linting
    • fix: make distribution tests self-contained
    • fix: build before coverage test bundle
    • refactor: move simple unit tests to src
    • refactor: flatten test and coverage script chains
    • refactor: use parallel mocha for node tests
    • test: restore fake timers cleanup
    • refactor: remove node test runner script
    • remove unneccessary clutter
    • fix: make mocha watch use polling
    • simplify
    • Increase coverage
    • Fix coverage by removing duplicated tests

    These were covering the generated lib/ folder.

    • Move shared util into esm dir
    • fix package dep issues
    • Adjust coverage
    • Upgrade all dependencies

    npx npm-check-updates -u

  • cd2bf5a3
    Use newer endpoint (Carl-Erik Kopseng)

Released by Carl-Erik Kopseng on 2026-04-09.

slackapi/slack-github-action (slackapi/slack-github-action)

v3.0.3

Compare Source

sebhildebrandt/systeminformation (systeminformation)

v5.31.6

Compare Source

Full Changelog: sebhildebrandt/systeminformation@v5.31.5...v5.31.6

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.2

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

Compare Source

🩹 Fixes
  • remove tsbuildinfo cache file from published packages (#​12187)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.1

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

nodejs/undici (undici)

v7.25.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

uuidjs/uuid (uuid)

v11.1.1

Compare Source

eemeli/yaml (yaml)

v2.9.0

Compare Source

v2.8.4

Compare Source

  • Disable alias resolution with maxAliasCount:0 (#​677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#​676)

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "before 9am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested review from a team as code owners May 18, 2026 04:46
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 18, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​typescript-eslint/​parser@​8.59.0 ⏵ 8.59.21001007198100
Updatedtypescript-eslint@​8.58.0 ⏵ 8.59.21001007498100
Updatedsysteminformation@​5.31.5 ⏵ 5.31.685 -1100 +1610093100
Updated@​aws-sdk/​lib-storage@​3.1037.0 ⏵ 3.1045.01001008598100
Updatedaxios@​1.15.2 ⏵ 1.16.087 -210010096100
Updatedsemver@​7.7.4 ⏵ 7.8.0100 +1100100 +190100
Updatedfs-extra@​11.3.4 ⏵ 11.3.5100 +110010090100
Updatedamaro@​1.1.8 ⏵ 1.1.993 +110010090100
Updatedoxlint@​1.62.0 ⏵ 1.63.099 +110091 +196100
Updatedmsgpackr@​1.11.10 ⏵ 1.11.1298 +1100100 +192100
Addeduuid@​11.1.110010010092100
Updatedyaml@​2.8.3 ⏵ 2.9.099 +110010093100
Updatedgraphql@​16.13.2 ⏵ 16.14.097 +110010096100
Updated@​aws-sdk/​client-s3@​3.1042.0 ⏵ 3.1045.098 +110010098100

View full report

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 1a4d85d to f88ca66 Compare May 18, 2026 12:54
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented May 18, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@dawsontoth dawsontoth force-pushed the renovate/all-minor-patch branch from 2bd8d03 to 391ca17 Compare May 18, 2026 16:11
@dawsontoth dawsontoth requested a review from a team May 18, 2026 16:24
dawsontoth
dawsontoth reviewed May 18, 2026
View reviewed changes
Comment thread package.json
@dawsontoth dawsontoth requested a review from a team May 18, 2026 21:26
@dawsontoth dawsontoth mentioned this pull request May 18, 2026
Merged
2 tasks
@kriszyp kriszyp added the patch label May 18, 2026
@kriszyp kriszyp merged commit ff3db79 into main May 18, 2026
42 of 44 checks passed
@kriszyp kriszyp deleted the renovate/all-minor-patch branch May 18, 2026 21:37
@kriszyp kriszyp mentioned this pull request May 18, 2026
Merged
2 tasks
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 19, 2026

@-

1 similar comment
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 19, 2026

@-

kriszyp pushed a commit that referenced this pull request May 19, 2026
@claude @kriszyp
cherry-pick: fix(deps): update all non-major dependenciesv5.0
c49bf17 
…(PR #563)

Squashed application of PR #563 onto v5.0:
- package.json: bump axios, @aws-sdk/lib-storage, fs-extra, msgpackr,
  semver, sinon, uuid, yaml to versions matched by PR #563 final state
- package-lock.json: regenerated via npm install
- .github/workflows: bump slackapi/slack-github-action v3.0.1→v3.0.3,
  actions/setup-node v6.3.0→v6.4.0, actions/upload-artifact v7.0.0→v7.0.1
- renovate.json: group sinon on its own
- unitTests/dataLayer/update.test.js: sandbox.resetHistory() (PR #563)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dawsontoth dawsontoth dawsontoth approved these changes

Assignees

No one assigned

Labels

patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dawsontoth @kriszyp