Skip to content

chore(deps): bump the npm-minor-and-patch group across 1 directory with 4 updates#231

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-and-patch-415dfc90dd
Open

chore(deps): bump the npm-minor-and-patch group across 1 directory with 4 updates#231
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm-minor-and-patch-415dfc90dd

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-minor-and-patch group with 4 updates in the / directory: axios, mongodb, node-cron and prettier.

Updates axios from 1.17.0 to 1.18.1

Release notes

Sourced from axios's releases.

v1.18.1 — June 21, 2026

This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.

🐛 Bug Fixes

  • AxiosError Serialisation: Made AxiosError#cause non-enumerable to prevent circular JSON serialisation failures when errors include nested causes. (#10913)
  • Node HTTP Adapter: Guarded socket.setKeepAlive for proxy agent streams, accepted path-only URLs when socketPath is configured, deferred environment proxy handling to Node, and explicitly passed maxBodyLength through to follow-redirects. (#10917, #10930, #10942, #10993)
  • Runtime and Type Correctness: Fixed several runtime crashes, type definition mismatches, and incorrect error handling paths. (#10959, #11021)
  • AxiosURLSearchParams: Switched the encoder callback to an arrow function so encoder.call(this) receives the AxiosURLSearchParams instance correctly. (#11019)

🔧 Maintenance & Chores

  • Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)

  • Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Commits
  • a209bfb chore(release): prepare release 1.18.1 (#11027)
  • fa6a55e chore(deps-dev): bump multer from 2.1.1 to 2.2.0 (#11026)
  • 40e7be8 docs: clarifies that request data is request-specific in axios (#11025)
  • a446b39 fix(AxiosURLSearchParams): use arrow function so encoder.call(this) receives ...
  • cf1306a docs: add Deno to install instructions (#11023)
  • b32880a fix: incorrect use of error (#11021)
  • 1792eda fix: ensure maxBodyLength is explicitly passed to follow-redirects (#10993)
  • 30499d6 fix: various runtime crashes and type definition mismatches (#10959)
  • 20ce9c4 fix(http): defer env proxy handling to Node (#10942)
  • e64bcf9 chore(deps): merge branch 'v1.x' into tests/module/cjs (#11014)
  • Additional commits viewable in compare view

Updates mongodb from 7.3.0 to 7.4.0

Release notes

Sourced from mongodb's releases.

v7.4.0

7.4.0 (2026-06-25)

The MongoDB Node.js team is pleased to announce version 7.4.0 of the mongodb package!

Release Notes

Explicit resource management is now stable

The Symbol.asyncDispose methods on MongoClient, ClientSession, ChangeStream, and cursors enable await using for automatic cleanup. These methods were introduced as experimental in v6.9.0. Since then, TC39 Explicit Resource Management proposal reached Stage 4 in 2025, and Node.js enabled explicit resource management as a stable feature in Node.js 24, so the experimental flags have been removed from our APIs and the APIs are now officially supported.

afterClusterTime now sent on writes in causally-consistent sessions

When a session has causal consistency enabled, write operations now include readConcern.afterClusterTime, matching the existing read behavior. This maintains the "read your own writes" guarantee across primary failovers in shareded clusters. There are no API changes.

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)

Documentation

We invite you to try the mongodb library immediately, and report any issues to the NODE project.

Changelog

Sourced from mongodb's changelog.

7.4.0 (2026-06-25)

Features

  • NODE-7634: remove experimental tag from async dispose methods (#4976) (43ce3eb)
  • NODE-7549: send afterClusterTime on writes in causally-consistent sessions (#4963) (3abfd26)
Commits
  • 1c4333e chore(main): release 7.4.0 (#4974)
  • 43ce3eb feat(NODE-7634): remove experimental tag from async dispose methods (#4976)
  • 3abfd26 fix(NODE-7549): send afterClusterTime on writes in causally-consistent sessio...
  • 88ec159 chore(NODE-7418): skip csot tests on latest (#4969)
  • 1f5ac37 chore(NODE-7473): upgrade to chai 5 (#4958)
  • b17288c chore: skip csfle tests and fix related broken tests (#4965)
  • 5b401aa test(NODE-7493): enable source maps and add nyc-free debug scripts (#4947)
  • 3ba2dd2 docs: clarify release notes verification steps (#4960)
  • 0a434d3 docs: add 7.3 docs (#4959)
  • See full diff in compare view

Updates node-cron from 4.2.1 to 4.5.0

Release notes

Sourced from node-cron's releases.

v4.5.0

Added

  • lastRun() introspection getter on ScheduledTask: returns { date, result } after a successful execution, { date, error } after a failed one, or null before the first run.
  • Extended day-of-week tokens: <weekday>#<nth> (nth weekday of the month, e.g. 1#1 for the first Monday) and <weekday>L (last weekday of the month, e.g. 5L for the last Friday).

Performance

  • Cache Intl.DateTimeFormat instances per timezone instead of rebuilding on every call.
  • Parse the cron expression once per TimeMatcher instead of re-parsing in MatcherWalker.
  • Compute the GMT offset lazily (only when formatting ISO strings, not during the next-run search).
  • Replace crypto.randomBytes with crypto.randomUUID for internal ID generation.
  • Skip setTimeout jitter wrapper when maxRandomDelay is zero.
  • Bundle dist into flat files instead of preserving the module tree (reduces import time).

Fixed

  • Flaky should schedule a task test: poll for the first execution instead of asserting an exact count after a fixed sleep.

Changed

  • Renamed internal functions interprete to interpret and appendSeccondExpression to appendSecondExpression.
  • Rewritten README and package metadata to surface scheduling capabilities (overlap prevention, distributed coordination, background tasks).

v4.4.1

Patch release.

Changed

  • Renamed the distributedTtl task option to distributedLease (same meaning: the safety lease, in ms, for lease-based run coordinators). distributedTtl was the only abbreviation in the options API and shipped just days ago in 4.4.0, so it's removed without an alias. If you adopted distributedTtl from 4.4.0, rename it to distributedLease. (#551)

Full Changelog: node-cron/node-cron@v4.4.0...v4.4.1

v4.4.0

Features

  • Distributed run coordination — opt-in distributed: true runs a task on a single instance per fire across a fleet (the #477 use case). Ships a built-in NODE_CRON_RUN env-var default (one designated runner, no dependencies) and a pluggable RunCoordinator (via setRunCoordinator, or the per-task runCoordinator option) for high-availability, per-fire coordination (e.g. a Redis lock). Adds the distributedTtl option and an execution:skipped event carrying a reason ('not-elected' | 'coordinator-error'). Works for inline and background tasks. (#549, closes #477)
  • Task introspection on ScheduledTask: getNextRuns(n) (preview the next N run times), match(date), msToNext(), isBusy(), runsLeft() and getPattern(). (#547)
  • cron.parse(expression) and cron.validateDetailed(expression) — decompose an expression into its fields, or get every field-level problem (without throwing) for tooling and richer error messages. (#548)

Fixes

  • getNextMatch no longer scans every time of day on a day that matches the day-of-month but not the weekday. A dense expression constrained by both (e.g. * * * 15 * 1) could take minutes to resolve; it is now instant. (#542)

Internal

  • Cleanups with no public API change: fixed the milisecondmillisecond spelling and the convertion/conversion/ directory name. (#543)

Docs

  • New Distributed Coordination guide, plus pages for task introspection and parse/validateDetailed, at nodecron.com.

Full Changelog: node-cron/node-cron@v4.3.0...v4.4.0

v4.3.0

Features

  • L (last day of month) in the day-of-month field — e.g. 0 0 12 L * *, leap-year aware, and combinable with explicit days (15,L). (#396, closes #147 — thanks @​antonidasyang)
  • missedExecutionTolerance option (ms, default 1000): a heartbeat that wakes a little late still runs its slot instead of being reported as missed. Always capped to the gap to the next slot. (#534, closes #485)
  • startTimeout option for background tasks (ms, default 5000). (#535)

... (truncated)

Changelog

Sourced from node-cron's changelog.

[4.5.0] - 2026-06-21

Added

  • lastRun() introspection getter on ScheduledTask: returns { date, result } after a successful execution, { date, error } after a failed one, or null before the first run. (#557)
  • Extended day-of-week tokens: <weekday>#<nth> (nth weekday of the month, e.g. 1#1 for the first Monday) and <weekday>L (last weekday of the month, e.g. 5L for the last Friday). (#560)

Performance

  • Cache Intl.DateTimeFormat instances per timezone instead of rebuilding on every call. (#561)
  • Parse the cron expression once per TimeMatcher instead of re-parsing in MatcherWalker. (#562)
  • Compute the GMT offset lazily (only when formatting ISO strings, not during the next-run search). (#563)
  • Replace crypto.randomBytes with crypto.randomUUID for internal ID generation. (#564)
  • Skip setTimeout jitter wrapper when maxRandomDelay is zero. (#565)
  • Bundle dist into flat files instead of preserving the module tree (reduces import time). (#566)

Fixed

  • Flaky should schedule a task test: poll for the first execution instead of asserting an exact count after a fixed sleep.

Changed

  • Renamed internal functions interprete to interpret and appendSeccondExpression to appendSecondExpression. (#567)
  • Rewritten README and package metadata to surface scheduling capabilities (overlap prevention, distributed coordination, background tasks). (#568)

[4.4.1] - 2026-06-18

Changed

  • Renamed the distributedTtl option to distributedLease (same meaning: the safety lease, in ms, for lease-based coordinators). The old name was the only abbreviation in the options API; the new one groups with distributed. distributedTtl was introduced in 4.4.0 and is removed without an alias.

[4.4.0] - 2026-06-17

Added

  • Task introspection on ScheduledTask: getNextRuns(n) (preview the next N run times), match(date), msToNext(), isBusy(), runsLeft() and getPattern(). (#547)
  • cron.parse(expression) and cron.validateDetailed(expression): decompose an expression into its fields, or get every field-level problem (without throwing) for tooling and richer error messages. (#548)

... (truncated)

Commits
  • cd9a5a7 chore(release): 4.5.0 (#569)
  • fbdd883 Rewrite README to surface scheduling capabilities (#568)
  • c80a396 perf(build): bundle dist into flat files instead of preserving modules (#566)
  • b71b9b1 Fix typos in internal function names (#567)
  • 7c5015c perf(id): drop crypto.randomBytes from internal id generation (#564)
  • dd0a2a9 perf(pattern): parse cron expression once per TimeMatcher (#562)
  • cf69f32 perf(time): cache Intl.DateTimeFormat instances per timezone (#561)
  • dad56e1 perf(runner): run inline when no random delay is configured (#565)
  • a309d5f perf(time): compute the GMT offset lazily (#563)
  • c2db9d1 feat: support extended day-of-week tokens (# nth weekday and L last weekday) ...
  • Additional commits viewable in compare view

Updates prettier from 3.8.4 to 3.9.4

Release notes

Sourced from prettier's releases.

3.9.4

  • Angular: Format @content(name) -> @content (name) to align with other block syntax (#19499 by @​fisker)

🔗 Changelog

3.9.3

🔗 Changelog

3.9.1

🔗 Changelog

3.9.0

diff

🔗 Prettier 3.9: Major parser upgrades and Formatting improvements

3.8.5

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.9.4

diff

Angular: Format @content(name) -> @content (name) to align with other block syntax (#19499 by @​fisker)

<!-- Input -->
<FancyButton [label]="title">
  @content (icon) {
    <span>Icon!</span>
  }
  @content (description) {
    <span>Description text</span>
  }
  <span>Other children</span>
</FancyButton>
<!-- Prettier 3.9.3 -->
<FancyButton [label]="title">
@​content(icon) {
<span>Icon!</span>
}
@​content(description) {
<span>Description text</span>
}
<span>Other children</span>
</FancyButton>
<!-- Prettier 3.9.4 -->
<FancyButton [label]="title">
@​content (icon) {
<span>Icon!</span>
}
@​content (description) {
<span>Description text</span>
}
<span>Other children</span>
</FancyButton>

3.9.3

diff

Markdown: Fix unexpected removal of characters in liquid syntax (#19489 by @​seiyab)

</tr></table> 

... (truncated)

Commits
  • b693cb2 Release 3.9.4
  • 2e92ac0 Angular: Format @content(name) -> @content (name) to align with other blo...
  • abed2c2 Bump Prettier dependency to 3.9.3
  • 6cfbc00 Clean changelog_unreleased
  • 3732e1d Release 3.9.3
  • a74a7b0 Allow decorators to be used with declare on class fields (#19492)
  • bd9e11a Correct text identification in liquid syntax (#19489)
  • 269eee3 Bump Prettier dependency to 3.9.1
  • ec7ccd1 Clean changelog_unreleased
  • c47654c Release 3.9.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…th 4 updates

Bumps the npm-minor-and-patch group with 4 updates in the / directory: [axios](https://github.com/axios/axios), [mongodb](https://github.com/mongodb/node-mongodb-native), [node-cron](https://github.com/node-cron/node-cron) and [prettier](https://github.com/prettier/prettier).


Updates `axios` from 1.17.0 to 1.18.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.17.0...v1.18.1)

Updates `mongodb` from 7.3.0 to 7.4.0
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/main/HISTORY.md)
- [Commits](mongodb/node-mongodb-native@v7.3.0...v7.4.0)

Updates `node-cron` from 4.2.1 to 4.5.0
- [Release notes](https://github.com/node-cron/node-cron/releases)
- [Changelog](https://github.com/node-cron/node-cron/blob/main/CHANGELOG.md)
- [Commits](node-cron/node-cron@v4.2.1...v4.5.0)

Updates `prettier` from 3.8.4 to 3.9.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.4...3.9.4)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: mongodb
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: node-cron
  dependency-version: 4.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
- dependency-name: prettier
  dependency-version: 3.9.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants