Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#11

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/frontend/npm_and_yarn-45fd203cd5
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#11
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/frontend/npm_and_yarn-45fd203cd5

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Apr 9, 2026

Bumps the npm_and_yarn group with 5 updates in the /frontend directory:

Package From To
axios 1.10.0 1.15.0
vite 5.4.19 6.4.2
flatted 3.3.3 3.4.2
js-yaml 4.1.0 4.1.1
yaml 1.10.2 1.10.3

Updates axios from 1.10.0 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

  • Headers: Trim trailing CRLF in normalised header values. (#7456)
  • HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
  • Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
  • Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

... (truncated)

Commits
  • 772a4e5 chore(release): prepare release 1.15.0 (#10671)
  • 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
  • 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
  • fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
  • 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
  • 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
  • e66530e ci: require npm-publish environment for releases (#10666)
  • 49f23cb chore(sponsor): update sponsor block (#10668)
  • 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
  • fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates vite from 5.4.19 to 6.4.2

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

v6.4.1

Please refer to CHANGELOG.md for details.

v6.4.0

Please refer to CHANGELOG.md for details.

v6.3.7

Please refer to CHANGELOG.md for details.

v6.3.6

Please refer to CHANGELOG.md for details.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

6.4.1 (2025-10-20)

6.4.0 (2025-10-15)

  • feat: allow passing down resolved config to vite's createServer (#20932) (ca6455e), closes #20932

6.3.7 (2025-10-14)

  • fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940) (c59a222), closes #20940

6.3.6 (2025-09-08)

6.3.5 (2025-05-05)

6.3.4 (2025-04-30)

  • fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
  • fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940
  • refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

6.3.3 (2025-04-24)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for vite since your current version.


Updates esbuild from 0.21.5 to 0.25.12

Release notes

Sourced from esbuild's releases.

v0.25.12

  • Fix a minification regression with CSS media queries (#4315)

    The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

  • Update the list of known JavaScript globals (#4310)

    This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

    From ES2017:

    • Atomics
    • SharedArrayBuffer

    From ES2020:

    • BigInt64Array
    • BigUint64Array

    From ES2021:

    • FinalizationRegistry
    • WeakRef

    From ES2025:

    • Float16Array
    • Iterator

    Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

    // This can now be tree-shaken by esbuild:
class ExampleIterator extends Iterator {}

  • Add support for the new @view-transition CSS rule (#4313)

    With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

    /* Original code */
@view-transition {
  navigation: auto;
  types: check;
}
/* Old output */
@​view-transition { navigation: auto; types: check; }
/* New output */
@​view-transition {
navigation: auto;
types: check;

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

  • Fix regression with --define and import.meta (#4010, #4012, #4013)

    The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

    This fix was contributed by @​sapphi-red.

0.24.1

  • Allow es2024 as a target in tsconfig.json (#4004)

    TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

    {
  "compilerOptions": {
    "target": "ES2024"
  }
}

    As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

    This fix was contributed by @​billyjanitsch.

  • Allow automatic semicolon insertion after get/set

    This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

    class Foo {
  get
  *x() {}
  set
  *y() {}
}

    The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

  • Allow quoted property names in --define and --pure (#4008)

    The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

    

    • 






... (truncated)





Commits

    

  • 208f539 publish 0.25.12 to npm
    • 

  • 5f03afd update release notes
    • 

  • 6b2ee78 minify: remove css rules containing empty :is()
    • 

  • f361deb add some additional known static methods
    • 

  • 07aa646 automatically mark "RegExp.escape()" calls as pure
    • 

  • 9039c46 simplify some call expression checks
    • 

  • 188944d add some additional known static methods
    • 

  • d3c67f9 fix #4310: add Iterator and other known globals
    • 

  • 4a51f0b fix: escape dev server breadcrumb hrefs properly (#4316)
    • 

  • 26b29ed fix #4315: @media deduplication bug edge case
    • 

  • Additional commits viewable in compare view
    • 







Updates flatted from 3.3.3 to 3.4.2



Commits

    

  • 3bf0909 3.4.2
    • 

  • 885ddcc fix CWE-1321
    • 

  • 0bdba70 added flatted-view to the benchmark
    • 

  • 2a02dce 3.4.1
    • 

  • fba4e8f Merge pull request #89 from WebReflection/python-fix
    • 

  • 5fe8648 added "when in Rome" also a test for PHP
    • 

  • 53517ad some minor improvement
    • 

  • b3e2a0c Fixing recursion issue in Python too
    • 

  • c4b46db Add SECURITY.md for security policy and reporting
    • 

  • f86d071 Create dependabot.yml for version updates
    • 

  • Additional commits viewable in compare view
    • 







Updates js-yaml from 4.1.0 to 4.1.1



Changelog

Sourced from js-yaml's changelog.




[4.1.1] - 2025-11-12


Security


    

  • Fix prototype pollution issue in yaml merge (<<) operator.
    • 








Commits






Updates rollup from 4.43.0 to 4.60.1



Release notes

Sourced from rollup's releases.




v4.60.1


4.60.1


2026-03-30


Bug Fixes


    

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)
    • 



Pull Requests



v4.60.0


4.60.0


2026-03-22


Features


    

  • Support source phase imports as long as they are external (#6279)
    • 



Pull Requests



v4.59.1


4.59.1


2026-03-21


Bug Fixes


    

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)
    • 



Pull Requests






... (truncated)





Changelog

Sourced from rollup's changelog.




4.60.1


2026-03-30


Bug Fixes


    

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)
    • 



Pull Requests



4.60.0


2026-03-22


Features


    

  • Support source phase imports as long as they are external (#6279)
    • 



Pull Requests



4.59.1


2026-03-21


Bug Fixes


    

  • Fix a crash when using lazy dynamic imports with moduleSideEffects:false (#6306)
    • 



Pull Requests






... (truncated)





Commits





Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.





Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.






Updates yaml from 1.10.2 to 1.10.3



Commits

    

  • cfe8f04 1.10.3
    • 

  • 7abcf45 fix: Catch stack overflow during CST composition
    • 

  • a0252f8 chore: Add rules avoiding processing of tests/json-test-suite
    • 

  • a5e83b0 style: Apply updates Prettier rules
    • 

  • b8ddca0 chore: Refresh lockfile
    • 

  • 395f892 ci: Use a different (working) submodule checkout
    • 

  • 6fd2720 test-events: Add {} and [] indicators to flow maps & sequences
    • 

  • See full diff in compare view
    • 







Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.





Dependabot commands and options



You can trigger Dependabot actions by commenting on this PR:


    

  • @dependabot rebase will rebase this PR
    • 

  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • 

  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
    • 

  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
    • 

  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
    • 

  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
    • 

  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
    • 

  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    
You can disable automated security fix PRs for this repo from the Security Alerts page.
    • 




    

  
  



      


          

          
  
  

    
  
    
    

  

  

  



                    

          
        





  





    



      

  
        

  

      

  
  

  
          

  

    

      


  

      
        @dependabot
  




      

        
          chore(deps): bump the npm_and_yarn group across 1 directory with 7 up…
        

          
                        
      


      

        

    
    
    

  

    


      


      

        

          

    
    
    

  

  

    
  



        

      


      

        
          461df64
        
      

    

  

    

      
…dates

Bumps the npm_and_yarn group with 5 updates in the /frontend directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.10.0` | `1.15.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `5.4.19` | `6.4.2` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [yaml](https://github.com/eemeli/yaml) | `1.10.2` | `1.10.3` |



Updates `axios` from 1.10.0 to 1.15.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.10.0...v1.15.0)

Updates `vite` from 5.4.19 to 6.4.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite)

Updates `esbuild` from 0.21.5 to 0.25.12
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md)
- [Commits](evanw/esbuild@v0.21.5...v0.25.12)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `rollup` from 4.43.0 to 4.60.1
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.43.0...v4.60.1)

Updates `yaml` from 1.10.2 to 1.10.3
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v1.10.2...v1.10.3)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 6.4.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.25.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: rollup
  dependency-version: 4.60.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yaml
  dependency-version: 1.10.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

    







  








      

  
            

    

      
    

    


      


          @dependabot
dependabot
bot



            added
      

  dependencies

  Pull requests that update a dependency file

      

  javascript

  Pull requests that update javascript code

  labels


      Apr 9, 2026

    

  



  

  

    
  


  

      


    @dependabot
dependabot
bot


    mentioned this pull request
    
      Apr 9, 2026
    





  


  

      
   Closed

  







  













  
  

    

      

  










  








  
      

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  










      

  

    
    

    

  

    Reviewers
  


    

    No reviews






    
    
    

    

  


      
  

    Assignees
  



        


    No one assigned







      


  


  

    Labels
  



    

      

    dependencies

  Pull requests that update a dependency file
  

    javascript

  Pull requests that update javascript code








      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    

      
        

          
  

    Development
  



            


Successfully merging this pull request may close these issues.





  
  



      
    

  




      

    

  
        

  

    

      0 participants