build(deps): bump the minor-patches group across 1 directory with 32 updates

[dependabot]

Bumps the minor-patches group with 31 updates in the / directory:

Package	From	To
@google-cloud/cloud-sql-connector	1.9.0	1.10.0
@nestjs/common	11.1.12	11.1.19
@nestjs/config	4.0.2	4.0.4
@nestjs/core	11.1.12	11.1.19
@nestjs/platform-express	11.1.12	11.1.19
@nestjs/swagger	11.2.5	11.3.2
@nestjs/typeorm	11.0.0	11.0.1
@upstash/redis	1.36.1	1.37.0
axios	1.13.2	1.15.1
class-validator	0.14.3	0.15.1
handlebars	4.7.8	4.7.9
minio	8.0.6	8.0.7
nestjs-minio	2.6.3	2.7.6
pdfkit	0.17.2	0.18.0
pg	8.17.1	8.20.0
react	19.2.3	19.2.5
@types/react	19.2.8	19.2.14
react-dom	19.2.3	19.2.5
@eslint/eslintrc	3.3.3	3.3.5
@nestjs/cli	11.0.16	11.0.21
@nestjs/schematics	11.0.9	11.1.0
@nestjs/testing	11.1.12	11.1.19
@swc/cli	0.6.0	0.8.1
@swc/core	1.15.8	1.15.30
@types/multer	2.0.0	2.1.0
globals	17.0.0	17.5.0
jest-html-reporter	4.3.0	4.4.0
prettier	3.8.0	3.8.3
ts-jest	29.4.6	29.4.9
ts-loader	9.5.4	9.5.7
typescript-eslint	8.53.0	8.58.2

Updates @google-cloud/cloud-sql-connector from 1.9.0 to 1.10.0

Release notes

Sourced from @​google-cloud/cloud-sql-connector's releases.

v1.10.0

1.10.0 (2026-04-17)

Features

• re-export auth types and ConnectorOptions (fixes #555) (#556) (90b50d4)

v1.9.2

1.9.2 (2026-03-18)

Bug Fixes

• bump dependencies to latest (#550) (f6475e1)

v1.9.1

1.9.1 (2026-02-19)

Bug Fixes

• update dependencies to latest (#534) (dbb56d2)

Changelog

Sourced from @​google-cloud/cloud-sql-connector's changelog.

1.10.0 (2026-04-17)

Features

• re-export auth types and ConnectorOptions (fixes #555) (#556) (90b50d4)

1.9.2 (2026-03-18)

Bug Fixes

• bump dependencies to latest (#550) (f6475e1)

1.9.1 (2026-02-19)

Bug Fixes

• update dependencies to latest (#534) (dbb56d2)

Commits

• 253d8cd chore(main): release 1.10.0 (#558)
• 262ef4d chore(deps-dev): bump flatted from 3.4.1 to 3.4.2 (#553)
• 0096512 chore(deps): bump picomatch (#554)
• 631d6f5 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#559)
• 5ba164c chore(deps): bump express-rate-limit from 8.2.1 to 8.2.2 in /examples/cloudru...
• a0e2320 chore: Update dependencies to latest (#560)
• 738b7bb chore: update blunderbuss (#557)
• 90b50d4 feat: re-export auth types and ConnectorOptions (fixes #555) (#556)
• ba9a1e8 chore(main): release 1.9.2 (#551)
• f6475e1 fix: bump dependencies to latest (#550)
• Additional commits viewable in compare view

Updates @nestjs/common from 11.1.12 to 11.1.19

Release notes

Sourced from @​nestjs/common's releases.

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

... (truncated)

Commits

• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• a39e345 refactor(common): change console logger helpers to protected
• 34f0f28 chore(deps): bump file-type from 21.3.3 to 21.3.4
• 0e96b0a chore(deps): bump file-type from 21.3.2 to 21.3.3
• 5a05f52 chore: update readme
• 447a373 chore(release): publish v11.1.17 release
• 99ed6e6 fix(deps): update dependency file-type to v21.3.2
• 268a283 fix(deps): update dependency file-type to v21.3.1
• 315e698 chore(release): publish v11.1.16 release
• Additional commits viewable in compare view

Updates @nestjs/config from 4.0.2 to 4.0.4

Release notes

Sourced from @​nestjs/config's releases.

Release 4.0.4

• fix(deps): update dependency dotenv to v17.4.1 (6bc5737)
• fix(deps): update dependency lodash to v4.18.1 [security] (f31ee98)

Release 4.0.3

What's Changed

• fix(deps): update dependency lodash to v4.17.23 [security] by @​renovate[bot] in nestjs/config#2250
• fix(deps): update dependency dotenv-expand to v12.0.3 by @​renovate[bot] in nestjs/config#2146
• fix(deps): update dependency dotenv to v17 by @​renovate[bot] in nestjs/config#2100

Full Changelog: nestjs/config@4.0.2...4.0.3

Commits

• 3b5d592 chore(): release v4.0.4
• 4fbcb03 Merge pull request #2263 from nestjs/renovate/dotenv-17.x
• 33dae89 Merge pull request #2269 from nestjs/renovate/cimg-node-24.x
• 0a727c3 Merge pull request #2313 from nestjs/renovate/npm-lodash-vulnerability
• 6bc5737 fix(deps): update dependency dotenv to v17.4.1
• f31ee98 fix(deps): update dependency lodash to v4.18.1 [security]
• 059314c chore(deps): update dependency typescript-eslint to v8.58.1 (#2315)
• 0f81e2d chore(deps): update dependency eslint to v10.2.0 (#2314)
• e673ab2 chore(deps): update dependency @​types/node to v24.12.2 (#2311)
• b1ede30 chore(deps): update nest monorepo to v11.1.18 (#2312)
• Additional commits viewable in compare view

Updates @nestjs/core from 11.1.12 to 11.1.19

Release notes

Sourced from @​nestjs/core's releases.

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

... (truncated)

Commits

• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• 0f962c7 fix(core): sanitize sse message
• 94aa424 Merge pull request #16679 from nestjs/renovate/path-to-regexp-8.x
• 368691c fix(core): prevent injector hang when design:paramtypes is missing
• 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
• 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
• f7d4460 Merge pull request #16637 from JakobStaudinger/moduleref-create-transient-sco...
• d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
• 4677434 feat(core): export IEntryNestModule type
• Additional commits viewable in compare view

Updates @nestjs/platform-express from 11.1.12 to 11.1.19

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

... (truncated)

Commits

• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• 0ca5440 Merge pull request #16627 from ankitbelal/refactor/centralize-headers-and-par...
• 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
• 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
• d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
• 1a14884 refactor(core): centralize headers for streamable file responses
• 5a05f52 chore: update readme
• 447a373 chore(release): publish v11.1.17 release
• 315e698 chore(release): publish v11.1.16 release
• Additional commits viewable in compare view

Updates @nestjs/swagger from 11.2.5 to 11.3.2

Release notes

Sourced from @​nestjs/swagger's releases.

Release 11.3.2

What's Changed

• fix(plugin): remap import paths within rootDir to outDir by @​alex-all3dp in nestjs/swagger#3858

New Contributors

• @​alex-all3dp made their first contribution in nestjs/swagger#3858

Full Changelog: nestjs/swagger@11.3.1...11.3.2

Release 11.3.1

11.3.1 (2026-04-20)

Bug fixes

• #3847 fix(plugin): adjust relative import paths for tsconfig outDir depth (@​kyungseopk1m)
• #3781 fix(schema): prioritize oneOf/anyOf/allOf over inferred type resolution (@​maruthang)
• #3820 fix(schema): support enumName with oneOf and anyOf combinators (@​maruthang)

Enhancements

• #3854 fix(swagger-ui): replace hardcoded sentinel with per-call UUID in buildJSInitOptions (@​kyuna0312)

Committers: 5

• Kamil Mysliwiec (@​kamilmysliwiec)
• Maruthan G (@​maruthang)
• Yukihiro Hasegawa (@​y-hsgw)
• @​kyungseopk1m
• kyuna0312 (@​kyuna0312)

Release 11.3.0

11.3.0 (2026-04-15)

Bug fixes

• #3826 fix: support nullable field in @​ApiResponse decorator (@​Nedunchezhiyan-M)
• #3784 fix(schema): include type field when nullable is used with allOf (@​maruthang)
• #3774 fix enum issue (@​SupunGeethanjana)
• #3798 fix(plugin): normalize workspace package import paths in metadata generator (@​maruthang)
• #3821 fix(plugin): handle same-file type references in SWC readonly metadata generation (@​maruthang)
• #3822 fix(type-helpers): eagerly apply plugin metadata properties in mapped type helpers (@​maruthang)
• #3840 fix: use child class type when re-declaring an inherited @​ApiProperty (@​Nedunchezhiyan-M)

Enhancements

• #3449 feat(api-header): add example property to ApiHeader decorator (@​leemhoon00)
• #3787 feat(decorators): support RegExp instances in @​ApiProperty({ pattern }) (@​temrjan)
• #3699 feat(api-body): add support for encoding in ApiBody decorator (@​lamuertepeluda)
• #3824 feat: support async patchDocumentOnRequest hook (@​Nedunchezhiyan-M)
• #3834 feat: expose generateSchema utility for programmatic schema access (@​Nedunchezhiyan-M)
• #3836 feat(plugin): add autoFillEnumName option to suppress duplicate enum schemas (@​Nedunchezhiyan-M)
• #3837 feat: merge descriptions when multiple decorators share the same HTTP status code (@​Nedunchezhiyan-M)
• #3839 feat: add excludeDynamicDefaults option to strip runtime-evaluated schema defaults (@​Nedunchezhiyan-M)
• #3841 feat: add DeepPartialType mapped-type helper for recursive optional properties (@​Nedunchezhiyan-M)

... (truncated)

Commits

• e236c73 chore(): release v11.3.2
• b16a1e1 Merge pull request #3858 from alex-all3dp/fix/rootdir-import-path-resolution
• 7787b95 fix(plugin): remap import paths within rootDir to outDir in replaceImportPath
• 4d33856 chore(): release v11.3.1
• 93744af Merge pull request #3790 from y-hsgw/fix/is-in-each
• a272b8d Merge pull request #3856 from nestjs/revert-3781-fix/oneOf-references-object-...
• 0e6dd75 Revert "fix(schema): prioritize oneOf/anyOf/allOf over inferred type resolution"
• 936c465 Merge branch 'master' into fix/is-in-each
• 7ae819b Merge pull request #3847 from kyungseopk1m/fix/plugin-outdir-path-resolution
• cc68f11 Merge pull request #3781 from maruthang/fix/oneOf-references-object-3549
• Additional commits viewable in compare view

Updates @nestjs/typeorm from 11.0.0 to 11.0.1

Release notes

Sourced from @​nestjs/typeorm's releases.

Release 11.0.1

What's Changed

• feat: support v1 of TypeORM by @​naorpeled in nestjs/typeorm#2562

New Contributors

• @​naorpeled made their first contribution in nestjs/typeorm#2562

Full Changelog: nestjs/typeorm@11.0.0...11.0.1

Commits

• 57bcd24 chore(): release v11.0.1
• d08fc02 Merge pull request #2528 from nestjs/renovate/postgres-18.x
• 3d42a8e Merge pull request #2566 from nestjs/renovate/cimg-node-24.x
• 180b9c9 Merge pull request #2562 from naorpeled/feat/support-v1-of-typeorm
• 429caa3 chore(deps): update dependency ts-jest to v29.4.9 (#2569)
• 4473f7b chore(deps): update dependency typescript-eslint to v8.58.0 (#2568)
• ed9f679 fix: resolve lock sync issues
• 574b654 fix: Use ^1.0.0-dev for typeorm peer dependency range
• f8a656a chore(deps): update node.js to v24.14.1
• 70e63ed chore: Remove unnecessary unit tests
• Additional commits viewable in compare view

Updates @upstash/redis from 1.36.1 to 1.37.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.37.0

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

@upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424
• DX-2445: use pnpm publish for search packages to resolve workspace:* deps by @​CahidArda in upstash/redis-js#1425

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@​1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@​1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

@​upstash/redis@​1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@​1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@​1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

Commits

• 7e8fbed chore: version packages (#1420)
• 703f6d4 fix: handle FROM field option in SEARCH.DESCRIBE deserialization (#1426)
• 15b4fc9 fix: use pnpm publish for search packages to resolve workspace:* deps (#1425)
• fba95e8 DX-2445: fix redis version, add repository.url to search packages (#1424)
• 6f2a831 fix: redis package version and changeset for search release (#1423)
• 96a99a4 DX-2445: Add new search client packages (#1422)
• efd3bc6 DX-2445: use workflow_run instead of release event for npm publish (#1421)
• 2dc4212 fix: add commit message (#1419)
• 3980b45 DX-2445: Add monorepo structure (#1418)
• 89cc220 DX-2381: Redis Search (#1409)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​upstash/redis since your current version.

Updates axios from 1.13.2 to 1.15.1

Release notes

Sourced from axios's releases.

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)
• Docs Artefact Cleanup: Removes the docs content that was incorrectly committed. (#10727)

🔧 Maintenance & Chores

• Threat Model & Security Docs: Ongoing refinement of THREATMODEL.md, including Hopper security update, TLS and tag-replay wording, mitigation descriptions, decompression-bomb guidance, and further cleanup. (#10672, #10715, #10718, #10722, #10763, #10765)
• Test Coverage & Migration: Expanded shouldBypassProxy coverage for wildcard/IPv6/edge cases, documented and tested AxiosError.status, and migrated progressEventReducer tests to Vitest. (#10723, #10725, #10741)
• Type Refactor: Uses TypeScript utility types to deduplicate literal unions. (#7520)
• Repo & CI: Adds CODEOWNERS, switches v1.x releases to an ephemeral release branch, and removes orphaned Bower support. (#10739, #10738, #10746)
• Changelog Backfill: Added missing version entries to the changelog. (#10704)
• Dependencies: Bumped follow-redirects (1.15.11 → 1.16.0) in root and docs, axios (1.14.0 → 1.15.0) in docs, and a group of 5 development dependencies. (#10717, #10716, #10684, #10709)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​curiouscoder-cmd (#7252)
• @​tryonelove (#7520)
• @​darwin808 (#7314)
• @​zoontek (#10702)
• @​AKIB473 (#10725)

Full Changelog

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

• Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

• SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

• Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

• Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

• CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

• Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

• Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574Description has been truncated

[dependabot]

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.