build(deps): bump the minor-patches group across 1 directory with 33 updates

[dependabot]

Bumps the minor-patches group with 32 updates in the / directory:

Package	From	To
@google-cloud/cloud-sql-connector	1.9.0	1.10.0
@nestjs/common	11.1.12	11.1.19
@nestjs/config	4.0.2	4.0.4
@nestjs/core	11.1.12	11.1.19
@nestjs/platform-express	11.1.12	11.1.19
@nestjs/swagger	11.2.5	11.4.2
@nestjs/typeorm	11.0.0	11.0.1
@upstash/redis	1.36.1	1.37.0
axios	1.13.2	1.16.0
class-validator	0.14.3	0.15.1
handlebars	4.7.8	4.7.9
nestjs-minio	2.6.3	2.8.0
@aws-sdk/client-s3	3.1009.0	3.1041.0
@aws-sdk/s3-request-presigner	3.1009.0	3.1041.0
pdfkit	0.17.2	0.18.0
pg	8.17.1	8.20.0
react	19.2.3	19.2.5
@types/react	19.2.8	19.2.14
react-dom	19.2.3	19.2.5
@eslint/eslintrc	3.3.3	3.3.5
@nestjs/cli	11.0.16	11.0.21
@nestjs/schematics	11.0.9	11.1.0
@nestjs/testing	11.1.12	11.1.19
@swc/cli	0.6.0	0.8.1
@swc/core	1.15.8	1.15.33
@types/multer	2.0.0	2.1.0
globals	17.0.0	17.6.0
jest-html-reporter	4.3.0	4.4.0
prettier	3.8.0	3.8.3
ts-jest	29.4.6	29.4.9
ts-loader	9.5.4	9.5.7
typescript-eslint	8.53.0	8.59.1

Updates @google-cloud/cloud-sql-connector from 1.9.0 to 1.10.0

Release notes

Sourced from @​google-cloud/cloud-sql-connector's releases.

v1.10.0

1.10.0 (2026-04-17)

Features

• re-export auth types and ConnectorOptions (fixes #555) (#556) (90b50d4)

v1.9.2

1.9.2 (2026-03-18)

Bug Fixes

• bump dependencies to latest (#550) (f6475e1)

v1.9.1

1.9.1 (2026-02-19)

Bug Fixes

• update dependencies to latest (#534) (dbb56d2)

Changelog

Sourced from @​google-cloud/cloud-sql-connector's changelog.

1.10.0 (2026-04-17)

Features

• re-export auth types and ConnectorOptions (fixes #555) (#556) (90b50d4)

1.9.2 (2026-03-18)

Bug Fixes

• bump dependencies to latest (#550) (f6475e1)

1.9.1 (2026-02-19)

Bug Fixes

• update dependencies to latest (#534) (dbb56d2)

Commits

• 253d8cd chore(main): release 1.10.0 (#558)
• 262ef4d chore(deps-dev): bump flatted from 3.4.1 to 3.4.2 (#553)
• 0096512 chore(deps): bump picomatch (#554)
• 631d6f5 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#559)
• 5ba164c chore(deps): bump express-rate-limit from 8.2.1 to 8.2.2 in /examples/cloudru...
• a0e2320 chore: Update dependencies to latest (#560)
• 738b7bb chore: update blunderbuss (#557)
• 90b50d4 feat: re-export auth types and ConnectorOptions (fixes #555) (#556)
• ba9a1e8 chore(main): release 1.9.2 (#551)
• f6475e1 fix: bump dependencies to latest (#550)
• Additional commits viewable in compare view

Updates @nestjs/common from 11.1.12 to 11.1.19

Release notes

Sourced from @​nestjs/common's releases.

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

... (truncated)

Commits

• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• a39e345 refactor(common): change console logger helpers to protected
• 34f0f28 chore(deps): bump file-type from 21.3.3 to 21.3.4
• 0e96b0a chore(deps): bump file-type from 21.3.2 to 21.3.3
• 5a05f52 chore: update readme
• 447a373 chore(release): publish v11.1.17 release
• 99ed6e6 fix(deps): update dependency file-type to v21.3.2
• 268a283 fix(deps): update dependency file-type to v21.3.1
• 315e698 chore(release): publish v11.1.16 release
• Additional commits viewable in compare view

Updates @nestjs/config from 4.0.2 to 4.0.4

Release notes

Sourced from @​nestjs/config's releases.

Release 4.0.4

• fix(deps): update dependency dotenv to v17.4.1 (6bc5737)
• fix(deps): update dependency lodash to v4.18.1 [security] (f31ee98)

Release 4.0.3

What's Changed

• fix(deps): update dependency lodash to v4.17.23 [security] by @​renovate[bot] in nestjs/config#2250
• fix(deps): update dependency dotenv-expand to v12.0.3 by @​renovate[bot] in nestjs/config#2146
• fix(deps): update dependency dotenv to v17 by @​renovate[bot] in nestjs/config#2100

Full Changelog: nestjs/config@4.0.2...4.0.3

Commits

• 3b5d592 chore(): release v4.0.4
• 4fbcb03 Merge pull request #2263 from nestjs/renovate/dotenv-17.x
• 33dae89 Merge pull request #2269 from nestjs/renovate/cimg-node-24.x
• 0a727c3 Merge pull request #2313 from nestjs/renovate/npm-lodash-vulnerability
• 6bc5737 fix(deps): update dependency dotenv to v17.4.1
• f31ee98 fix(deps): update dependency lodash to v4.18.1 [security]
• 059314c chore(deps): update dependency typescript-eslint to v8.58.1 (#2315)
• 0f81e2d chore(deps): update dependency eslint to v10.2.0 (#2314)
• e673ab2 chore(deps): update dependency @​types/node to v24.12.2 (#2311)
• b1ede30 chore(deps): update nest monorepo to v11.1.18 (#2312)
• Additional commits viewable in compare view

Updates @nestjs/core from 11.1.12 to 11.1.19

Release notes

Sourced from @​nestjs/core's releases.

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

... (truncated)

Commits

• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• 0f962c7 fix(core): sanitize sse message
• 94aa424 Merge pull request #16679 from nestjs/renovate/path-to-regexp-8.x
• 368691c fix(core): prevent injector hang when design:paramtypes is missing
• 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
• 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
• f7d4460 Merge pull request #16637 from JakobStaudinger/moduleref-create-transient-sco...
• d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
• 4677434 feat(core): export IEntryNestModule type
• Additional commits viewable in compare view

Updates @nestjs/platform-express from 11.1.12 to 11.1.19

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.19 (2026-04-13)

Bug fixes

• microservices
  • #16762 fix(microservices): use backing field for consumer CRASH event listener (@​burhanharoon)
  • #16764 fix(microservices): prevent stack overflow in jsonsocket.handledata() (@​kamilmysliwiec)

Committers: 2

• Burhan Haroon⚡ (@​burhanharoon)
• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.18 (2026-04-03)

Bug fixes

• microservices
  • #16675 fix(microservices): preserve packet headers in nats serializer (@​wwenrr)
• core
  • #16683 fix(core): prevent injector hang when design:paramtypes is missing (@​Youmoo)
  • #16637 fix(core): dependency injection edge case with moduleref.create (@​JakobStaudinger)
  • nestjs/nest#16686 fix(core): sanitize sse message

Dependencies

• core, platform-express, platform-fastify
  • #16679 fix(deps): update dependency path-to-regexp to v8.4.2 (@​renovate[bot])
• platform-fastify
  • #16623 fix(deps): update dependency fastify to v5.8.4 (@​renovate[bot])
• platform-ws
  • #16618 chore(deps): bump ws from 8.19.0 to 8.20.0 (@​dependabot[bot])
• common
  • #16619 chore(deps): bump file-type from 21.3.3 to 21.3.4 (@​dependabot[bot])

Committers: 6

• Ankit San (@​ankitbelal)
• Jakob Staudinger (@​JakobStaudinger)
• Kamil Mysliwiec (@​kamilmysliwiec)
• Krishna Chaitanya (@​Krishnachaitanyakc)
• MK (@​wwenrr)
• youmoo (@​Youmoo)

v11.1.17 (2026-03-16)

Enhancements

• microservices
  • #16218 feat(microservices): add redis driver identification (@​vchomakov)

Bugs

• platform-fastify
  • auto-run middleware for HEAD requests as fastify redirects them to GET handlers (effectively skipping middleware execution) nestjs/nest@cbdf737 (@​kamilmysliwiec)

... (truncated)

Commits

• 6730995 chore(release): publish v11.1.19 release
• 3c1cc5f chore(release): publish v11.1.18 release
• 0ca5440 Merge pull request #16627 from ankitbelal/refactor/centralize-headers-and-par...
• 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
• 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
• d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
• 1a14884 refactor(core): centralize headers for streamable file responses
• 5a05f52 chore: update readme
• 447a373 chore(release): publish v11.1.17 release
• 315e698 chore(release): publish v11.1.16 release
• Additional commits viewable in compare view

Updates @nestjs/swagger from 11.2.5 to 11.4.2

Release notes

Sourced from @​nestjs/swagger's releases.

Release 11.4.2

11.4.2 (2026-04-27)

Bug fixes

• #3867 fix(plugin): keep auto-inferred default response when only error Api*Response decorators are present (@​PeterTheOne)
• #3876 fix(plugin): handle IsIn enum inference when type falls back to Object (@​y-hsgw)

Committers: 2

• Peter Grassberger (@​PeterTheOne)
• Yukihiro Hasegawa (@​y-hsgw)

Release 11.4.1

11.4.1 (2026-04-22)

Bug fixes

• #3871 fix(plugin): avoid duplicate keys when auto-generating @​ApiOperation (@​yogeshwaran-c)

Committers: 1

• Yogeshwaran C (@​yogeshwaran-c)

Release 11.4.0

11.4.0 (2026-04-22)

Features

• #3868 feat(plugin): auto-mark optional @​Query parameters as required: false (@​yogeshwaran-c)
• #3725 feat(swagger): add OpenAPI 3.2 hierarchical tags support (@​apt-bh)

Bug fixes

• #3874 fix(document-builder): accept multi-digit OpenAPI version segments (@​yogeshwaran-c)
• #3873 fix(plugin): strip regex delimiters and flags from @​Matches patterns (@​yogeshwaran-c)
• #3870 fix(decorators): forward all OpenAPI parameter fields in @​ApiHeader (@​yogeshwaran-c)
• #3872 fix(plugin): emit @​throws descriptions as proper string literals (@​yogeshwaran-c)
• #3782 fix(schema): preserve example metadata for non-body params with named types (@​maruthang)
• #3761 fix(plugin): support boolean literal types and boolean enum values (@​lucreiss)

Enhancements

• #3865 feat(schema-object-factory): include class name chain in circular dependency errors (@​yogeshwaran-c)

Committers: 4

• Lu R A (@​lucreiss)
• Maruthan G (@​maruthang)
• Yogeshwaran C (@​yogeshwaran-c)
• @​apt-bh

Release 11.3.2

What's Changed

• fix(plugin): remap import paths within rootDir to outDir by @​alex-all3dp in nestjs/swagger#3858

New Contributors

• @​alex-all3dp made their first contribution in nestjs/swagger#3858

... (truncated)

Commits

• 3f58449 chore(): release v11.4.2
• b0a35f3 Merge pull request #3867 from PeterTheOne/fix-error-only-response-decorators-...
• f01f6aa refactor(plugin): make isSuccessOrRedirectApiResponseArg a private method
• 7999f78 test: inspect @​ApiResponse status arg and extend fixture with redirect/500 cases
• 977a139 fix(plugin): keep auto-inferred default response when only error Api*Response...
• a51cf09 Merge pull request #3876 from y-hsgw/fix/plugin-string-literal-union-type
• a8acf7a chore(deps): update dependency @​commitlint/cli to v20.5.2 (#3878)
• e054058 chore(deps): update dependency release-it to v20.0.1 (#3877)
• 9a3745b fix(plugin): enhance enum handling for literal union types in schema generation
• 6e1bb8f Merge pull request #3875 from nestjs/renovate/vite-8.x-lockfile
• Additional commits viewable in compare view

Updates @nestjs/typeorm from 11.0.0 to 11.0.1

Release notes

Sourced from @​nestjs/typeorm's releases.

Release 11.0.1

What's Changed

• feat: support v1 of TypeORM by @​naorpeled in nestjs/typeorm#2562

New Contributors

• @​naorpeled made their first contribution in nestjs/typeorm#2562

Full Changelog: nestjs/typeorm@11.0.0...11.0.1

Commits

• 57bcd24 chore(): release v11.0.1
• d08fc02 Merge pull request #2528 from nestjs/renovate/postgres-18.x
• 3d42a8e Merge pull request #2566 from nestjs/renovate/cimg-node-24.x
• 180b9c9 Merge pull request #2562 from naorpeled/feat/support-v1-of-typeorm
• 429caa3 chore(deps): update dependency ts-jest to v29.4.9 (#2569)
• 4473f7b chore(deps): update dependency typescript-eslint to v8.58.0 (#2568)
• ed9f679 fix: resolve lock sync issues
• 574b654 fix: Use ^1.0.0-dev for typeorm peer dependency range
• f8a656a chore(deps): update node.js to v24.14.1
• 70e63ed chore: Remove unnecessary unit tests
• Additional commits viewable in compare view

Updates @upstash/redis from 1.36.1 to 1.37.0

Release notes

Sourced from @​upstash/redis's releases.

@​upstash/redis@​1.37.0

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

@upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424
• DX-2445: use pnpm publish for search packages to resolve workspace:* deps by @​CahidArda in upstash/redis-js#1425

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312092231-7405c30f6a505815bbeb69b713a22978f104ec1f

@​upstash/redis@​1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

What's Changed

• DX-2445: redis package version and changeset for search release by @​CahidArda in upstash/redis-js#1423
• DX-2445: fix redis version, add repository.url to search packages by @​CahidArda in upstash/redis-js#1424

Full Changelog: https://github.com/upstash/redis-js/compare/@​upstash/redis@1.30.3-canary-20260312082754-96a99a4e83fc560b77c36808627213e528c2f110...@​upstash/redis@1.37.0-canary-20260312084440-fba95e89e54d8ba63f020400247a1ef0dbdd2c84

Commits

• 7e8fbed chore: version packages (#1420)
• 703f6d4 fix: handle FROM field option in SEARCH.DESCRIBE deserialization (#1426)
• 15b4fc9 fix: use pnpm publish for search packages to resolve workspace:* deps (#1425)
• fba95e8 DX-2445: fix redis version, add repository.url to search packages (#1424)
• 6f2a831 fix: redis package version and changeset for search release (#1423)
• 96a99a4 DX-2445: Add new search client packages (#1422)
• efd3bc6 DX-2445: use workflow_run instead of release event for npm publish (#1421)
• 2dc4212 fix: add commit message (#1419)
• 3980b45 DX-2445: Add monorepo structure (#1418)
• 89cc220 DX-2381: Redis Search (#1409)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​upstash/redis since your current version.

Updates axios from 1.13.2 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security FixesDescription has been truncated

[dependabot]

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.