build(deps): bump the npm_and_yarn group across 4 directories with 27 updates

[dependabot]

Bumps the npm_and_yarn group with 22 updates in the /superset-frontend directory:

Package	From	To
lodash	4.17.21	4.18.1
storybook	8.1.11	8.6.17
webpack	5.97.1	5.106.2
underscore	1.13.7	1.13.8
dompurify	3.2.3	3.4.0
handlebars	4.7.8	4.7.9
js-yaml	3.13.1	3.14.2
ajv	6.12.6	6.14.0
axios	1.7.4	1.15.0
basic-ftp	5.0.5	5.3.0
path-to-regexp	0.1.10	2.4.0
fast-xml-parser	4.5.1	4.5.6
fastify	4.28.1	5.8.5
flatted	3.1.0	3.4.2
jws	4.0.0	4.0.1
node-forge	1.3.1	1.4.0
on-headers	1.0.2	1.1.0
picomatch	2.3.1	2.3.2
serialize-javascript	6.0.2	7.0.5
svgo	3.3.2	3.3.3
tar	6.2.1	removed
yaml	1.10.2	1.10.3

Bumps the npm_and_yarn group with 9 updates in the /docs directory:

Package	From	To
lodash	4.17.21	4.18.1
webpack	5.97.1	5.104.1
axios	1.7.8	1.15.0
follow-redirects	1.15.6	1.16.0
immutable	3.8.2	3.8.3
node-forge	1.3.1	1.4.0
picomatch	2.3.1	2.3.2
svgo	3.2.0	3.3.3
yaml	1.10.2	1.10.3

Bumps the npm_and_yarn group with 4 updates in the /superset-websocket/utils/client-ws-app directory: qs, path-to-regexp, jws and on-headers.
Bumps the npm_and_yarn group with 8 updates in the /superset-websocket directory:

Package	From	To
lodash	4.17.21	4.18.1
js-yaml	3.14.1	3.14.2
ajv	6.12.6	6.14.0
brace-expansion	1.1.11	1.1.14
minimatch	3.1.2	3.1.5
flatted	3.3.1	3.4.2
jws	3.2.2	3.2.3
picomatch	2.3.1	2.3.2

Updates lodash from 4.17.21 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates storybook from 8.1.11 to 8.6.17

Release notes

Sourced from storybook's releases.

v8.6.17

8.6.17

• Harden websocket connection

v8.6.16

8.6.16

• No-op release. No changes.

v8.6.15

8.6.15

• Core: Fix .env-file parsing, thanks @​jreinhold!

Changelog

Sourced from storybook's changelog.

8.6.17

• Harden websocket connection

8.6.16

• No-op release. No changes.

8.6.14

• CLI: Add skip onboarding, recommended/minimal config - #30930, thanks @​shilman!
• Core: Fix using dates in expect statements - #28413, thanks @​yann-combarnous!
• React Native Web: Fix expo router by setting JSX to automatic - #31484, thanks @​dannyhw!
• Test: Make sure that lit arrays are not cloned - #31435, thanks @​kasperpeulen!

8.6.13

• Controls: Fix boxShadow on empty controls - #27193, thanks @​H0onnn!
• React Native Web: Update react-native-web - #31324, thanks @​ndelangen!

8.6.12

• CLI: Only install Visual Test Addon if test feature is selected - #30966, thanks @​ghengeveld!
• Core: Fix telemetry error on Storybook UI - #30953, thanks @​yannbf!
• Ember: Fix ember-template-compiler import for ember 6+ - #30682, thanks @​leoeuclids!
• Next: Update vite-plugin-storybook-nextjs to 2.0.0--canary.33.17a2310.0 - #30997, thanks @​kasperpeulen!
• Svelte: Exclude node_modules from docgen - #30981, thanks @​JReinhold!

8.6.11

• Angular: Fix zone.js support for Angular libraries - #30941, thanks @​valentinpalkovic!

8.6.10

• Addon-docs: Fix non-string handling in Stories block - #30913, thanks @​JamesIves!
• Nextjs: Fix styled-jsx optimize vite warnings - #30932, thanks @​kasperpeulen!
• React: Fix actImplementation is not a function - #30929, thanks @​kasperpeulen!

8.6.9

• Next: Fix react aliases in next vite plugin - #30914, thanks @​kasperpeulen!

8.6.8

• Angular: Export all files in Angular package.json - #30849, thanks @​kasperpeulen!
• CLI: Don't add packageManager entry to package.json automatically - #30855, thanks @​kasperpeulen!
• React: Allow portable stories to be used in SSR - #30847, thanks @​kasperpeulen!
• Svelte: Adjust Svelte typings to include Svelte 5 function components - #30852, thanks @​dummdidumm!
• Telemetry: Make sure that telemetry doesn't fail on init - #30857, thanks @​kasperpeulen!
• Vite: Update HMR filter to target specific story file types - #30845, thanks @​kasperpeulen!

... (truncated)

Commits

• c6e550a Bump version from "8.6.16" to "8.6.17" [skip ci]
• 9cf9d89 Core: Require token for websocket connections
• 7e51515 Bump version from "8.6.15" to "8.6.16" [skip ci]
• 3812b43 Bump version from 8.6.14 to 8.6.15 MANUALLY
• 4a04cb2 filter env vars from .env files
• ab87178 Bump version from "8.6.13" to "8.6.14" [skip ci]
• b210eed Update frameworks.ts
• fe5ea89 Fix lint
• 8c12257 Merge branch 'latest-release'
• 8fa9049 Bump version from "8.6.12" to "8.6.13" [skip ci]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for storybook since your current version.

Updates webpack from 5.97.1 to 5.106.2

Release notes

Sourced from webpack's releases.

v5.106.2

Patch Changes

• CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

• Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

• Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

• Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

• Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

• Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

• Marked all experimental options in types. (by @​alexander-akait in #20814)

v5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

v5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

• Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.106.2

Patch Changes

• CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

• Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

• Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

• Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

• Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

• Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

• Marked all experimental options in types. (by @​alexander-akait in #20814)

5.106.1

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

5.106.0

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

• Added source support for async WASM modules. (by @​magic-akari in #20364)

... (truncated)

Commits

• 0d7e3e0 chore(release): new release (#20815)
• d5df118 chore(deps): bump actions/cache in the dependencies group (#20839)
• 5f0874b fix: make asset modules available in JS when referenced from CSS and lazy JS ...
• b63ab37 chore(deps): bump test/test262-cases in the dependencies group (#20792)
• 313dfc5 ci: improve time for windows (#20840)
• a553f61 test: update test262 (#20841)
• 1ef747c fix: CSS @​import should inherit parent's exportType over parser config (#20838)
• 485d4ce chore(deps): update open-cli (#20834)
• 46042b9 chore(deps): no outdated strip-ansi (#20835)
• 8c7700b fix: handle @charset at-rules in CSS modules
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.

Updates underscore from 1.13.7 to 1.13.8

Commits

• 9374840 Merge branch 'release/1.13.8'
• 309ad7e Re-generate annotated sources and minified codemaps
• a1ac1d3 Add links to diff and docs in 1.13.8 change log entry
• b579595 Mention CVE-2026-27601 in comments and documentation (#3011)
• 45ea015 Revert obfuscations from 42823bb.
• 4a4019e Update minified bundles
• 1ccfdd0 Add preliminary release notes for 1.13.8
• 42823bb Temporarily obfuscate comments
• a6e23ae Make _.isEqual nonrecursive
• f2b5164 Add regression test against stack overflow in _.isEqual
• Additional commits viewable in compare view

Updates dompurify from 3.2.3 to 3.4.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.0

Most relevant changes:

• Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
• Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
• Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
• Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
• Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
• Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
• Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth
• Fixed an issue with USE_PROFILES prototype pollution, thanks @​christos-eth
• Fixed an issue leading to possible mXSS via Re-Contextualization, thanks @​researchatfluidattacks and others
• Fixed an issue with closing tags leading to possible mXSS, thanks @​frevadiscor
• Fixed a problem with the type dentition patcher after Node version bump
• Fixed freezing BS runs by reducing the tested browsers array
• Bumped several dependencies where possible
• Added needed files for OpenSSF scorecard checks

Published Advisories are here: https://github.com/cure53/DOMPurify/security/advisories?state=published

DOMPurify 3.3.3

• Fixed an engine requirement for Node 20 which caused hiccups, thanks @​Rotzbua

DOMPurify 3.3.2

• Fixed a possible bypass caused by jsdom's faulty raw-text tag parsing, thanks multiple reporters
• Fixed a prototype pollution issue when working with custom elements, thanks @​christos-eth
• Fixed a lenient config parsing in _isValidAttribute, thanks @​christos-eth
• Bumped and removed several dependencies, thanks @​Rotzbua
• Fixed the test suite after bumping dependencies, thanks @​Rotzbua

DOMPurify 3.3.1

• Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
• Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

• Added new attributes and elements to default allow-list, thanks @​elrion018
• Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
• Added better check for animated href attributes, thanks @​llamakko
• Updated and improved the bundled types, thanks @​ssi02014
• Updated several tests to better align with new browser encoding behaviors
• Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
• Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq

DOMPurify 3.2.6

... (truncated)

Commits

• 5b16e0b Getting 3.x branch ready for 3.4.0 release (#1250)
• 8bcbf73 chore: Preparing 3.3.3 release
• 5faddd6 fix: engine requirement (#1210)
• 0f91e3a Update README.md
• d5ff1a8 Merge branch 'main' of github.com:cure53/DOMPurify
• c3efd48 fix: moved back from jsdom 28 to jsdom 20
• 988b888 fix: moved back from jsdom 28 to jsdom 20
• 2726c74 chore: Preparing 3.3.2 release
• 6202c7e build(deps): bump @​tootallnate/once and jsdom (#1204)
• 302b51d fix: Expanded the regex ever so slightly to also cover script
• Additional commits viewable in compare view

Updates handlebars from 4.7.8 to 4.7.9

Release notes

Sourced from handlebars's releases.

v4.7.9

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5
  • GHSA-2w6w-674q-4c4q
  • GHSA-3mfm-83xf-c92r
  • GHSA-xhpv-hc6g-r9c6
  • GHSA-xjpj-3mr7-gcpf
  • GHSA-9cx6-37pm-9jff
  • GHSA-2qvq-rjwj-gvw9
  • GHSA-7rx3-28cr-v5wh
  • GHSA-442j-39wm-28r2

Commits

Changelog

Sourced from handlebars's changelog.

v4.7.9 - March 26th, 2026

• fix: enable shell mode for spawn to resolve Windows EINVAL issue - e0137c2
• fix type "RuntimeOptions" also accepting string partials - eab1d14
• feat(types): set hash to be a Record<string, any> - de4414d
• fix non-contiguous program indices - 4512766
• refactor: rename i to startPartIndex - e497a35
• security: fix security issues - 68d8df5

Commits

Commits

• dce542c v4.7.9
• 8a41389 Update release notes
• 68d8df5 Fix security issues
• b2a0831 Fix browser tests
• 9f98c16 Fix release script
• 45443b4 Revert "Improve partial indenting performance"
• 8841a5f Fix CI errors with linting
• e0137c2 fix: enable shell mode for spawn to resolve Windows EINVAL issue
• e914d60 Improve rendering performance
• 7de4b41 Upgrade GitHub Actions checkout and setup-node on 4.x branch
• Additional commits viewable in compare view

Updates js-yaml from 3.13.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• 37caaad 3.14.1 released
• 094c0f7 dist rebuild
• 9586ebe Avoid calling hasOwnProperty of user-controlled objects
• 34e5072 3.14.0 released
• 7b25c83 Browser files rebuild
• 6f73473 Dev deps bump
• 0c29349 Travis-CI: drop old nodejs versions
• Additional commits viewable in compare view

Updates ajv from 6.12.6 to 6.14.0

Commits

• e3af0a7 6.14.0
• b552ed6 add regExp option to address $data exploit via a regular expression (CVE-2025...
• 72f2286 docs: update v7 info
• 231e52b Merge pull request #1320 from philsturgeon/patch-1
• d3475fc Add spectral, an AJV util from a sponsor
• 413afe0 docs: v7.0.0-beta.3
• 11e997b update readme for v7
• See full diff in compare view

Updates axios from 1.7.4 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with pr...

  Description has been truncated

[dependabot]

Superseded by #3.