Skip to content

dev: bump the safe group across 1 directory with 2 updates#7914

Open
dependabot[bot] wants to merge 1 commit into
v3.36from
dependabot/npm_and_yarn/sdk/js/safe-e647398a9a
Open

dev: bump the safe group across 1 directory with 2 updates#7914
dependabot[bot] wants to merge 1 commit into
v3.36from
dependabot/npm_and_yarn/sdk/js/safe-e647398a9a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the safe group with 2 updates in the /sdk/js directory: axios and web-streams-polyfill.

Updates axios from 1.13.5 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

... (truncated)

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

... (truncated)

Commits
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates web-streams-polyfill from 4.2.0 to 4.3.0

Release notes

Sourced from web-streams-polyfill's releases.

v4.3.0

  • 🚀 Optimize reading from a ReadableStream with buffered chunks. (#170)
    • When the stream has a chunk available in its internal queue, defaultReader.read() and byobReader.read(view) will now immediately return a resolved promise using Promise.resolve(). This turns out to be (slightly) faster than creating a new Promise and then immediately resolving it.
  • 🚀 Optimize piping from a ReadableStream with buffered chunks. (#170)
    • When the stream has one or more chunks available in its internal queue, pipeTo() will now read all available chunks in a single batch and write them to the destination (while still respecting backpressure).
    • These optimizations were inspired by Node.js.
Changelog

Sourced from web-streams-polyfill's changelog.

4.3.0 (2026-05-15)

  • 🚀 Optimize reading from a ReadableStream with buffered chunks. (#170)
    • When the stream has a chunk available in its internal queue, defaultReader.read() and byobReader.read(view) will now immediately return a resolved promise using Promise.resolve(). This turns out to be (slightly) faster than creating a new Promise and then immediately resolving it.
  • 🚀 Optimize piping from a ReadableStream with buffered chunks. (#170)
    • When the stream has one or more chunks available in its internal queue, pipeTo() will now read all available chunks in a single batch and write them to the destination (while still respecting backpressure).
    • These optimizations were inspired by Node.js.
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for web-streams-polyfill since your current version.


Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
web-streams-polyfill [>= 3.a, < 4]
axios [>= 0.27.a, < 0.28]

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 19, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 19, 2026 08:22
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 19, 2026
@dependabot dependabot Bot requested a review from PavelJankoski May 19, 2026 08:22
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/sdk/js/safe-e647398a9a branch from d3f42ea to 17a301f Compare May 26, 2026 04:18
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/sdk/js/safe-e647398a9a branch from 17a301f to 43d7e23 Compare June 3, 2026 14:00
@dependabot
dev: bump the safe group across 1 directory with 2 updates
1d6ead0 
Bumps the safe group with 2 updates in the /sdk/js directory: [axios](https://github.com/axios/axios) and [web-streams-polyfill](https://github.com/MattiasBuelens/web-streams-polyfill).


Updates `axios` from 1.13.5 to 1.17.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.17.0)

Updates `web-streams-polyfill` from 4.2.0 to 4.3.0
- [Release notes](https://github.com/MattiasBuelens/web-streams-polyfill/releases)
- [Changelog](https://github.com/MattiasBuelens/web-streams-polyfill/blob/master/CHANGELOG.md)
- [Commits](MattiasBuelens/web-streams-polyfill@v4.2.0...v4.3.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
- dependency-name: web-streams-polyfill
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: safe
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/sdk/js/safe-e647398a9a branch from 43d7e23 to 1d6ead0 Compare June 8, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PavelJankoski PavelJankoski Awaiting requested review from PavelJankoski PavelJankoski is a code owner automatically assigned from TheThingsNetwork/stack-reviewers-3

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants