Skip to content

chore(repo): Update dependencies#776

Merged
danadajian merged 2 commits intomainfrom
renovate/dependencies
Apr 27, 2026
Merged

chore(repo): Update dependencies#776
danadajian merged 2 commits intomainfrom
renovate/dependencies

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 20, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@actions/core (source) 3.0.03.0.1 age confidence
@actions/github (source) 9.1.09.1.1 age confidence
@types/bun (source) 1.3.121.3.13 age confidence
axios (source) 1.15.01.15.2 age confidence
bun (source) 1.3.121.3.13 age confidence
eslint (source) 10.2.010.2.1 age confidence
prettier (source) 3.8.23.8.3 age confidence
typescript (source) 6.0.26.0.3 age confidence
typescript-eslint (source) 8.58.18.59.0 age confidence

Release Notes

actions/toolkit (@​actions/core)

v3.0.1

  • Bump undici from 6.23.0 to 6.24.1 #​2348
actions/toolkit (@​actions/github)

v9.1.1

  • Bump undici from 6.23.0 to 6.24.0 #​2346
axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

oven-sh/bun (bun)

v1.3.13: Bun v1.3.13

Compare Source

To install Bun v1.3.13

curl -fsSL https://bun.sh/install | bash

# or you can use npm
# npm install -g bun

Windows:

powershell -c "irm bun.sh/install.ps1|iex"

To upgrade to Bun v1.3.13:

bun upgrade
Read Bun v1.3.13's release notes on Bun's blog
Thanks to 8 contributors!
eslint/eslint (eslint)

v10.2.1

Compare Source

prettier/prettier (prettier)

v3.8.3

Compare Source

microsoft/TypeScript (typescript)

v6.0.3

Compare Source

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.0

Compare Source

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

Compare Source

🩹 Fixes
  • remove tsbuildinfo cache file from published packages (#​12187)
❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

@renovate renovate Bot added dependencies Pull requests that update a dependency file patch-version renovate labels Apr 20, 2026
@renovate renovate Bot requested a review from a team as a code owner April 20, 2026 01:02
@renovate renovate Bot added the renovate label Apr 20, 2026
@renovate renovate Bot force-pushed the renovate/dependencies branch from 32097f3 to 873b602 Compare April 27, 2026 13:10
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 27, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@danadajian danadajian enabled auto-merge (squash) April 27, 2026 13:10
@danadajian danadajian merged commit a50b126 into main Apr 27, 2026
3 checks passed
@danadajian danadajian deleted the renovate/dependencies branch April 27, 2026 13:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danadajian danadajian danadajian approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file minor-version patch-version renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@danadajian