build(deps): bump the dependencies group across 1 directory with 25 updates

[dependabot]

Bumps the dependencies group with 25 updates in the / directory:

Package	From	To
@nestjs/common	11.1.20	11.1.26
@nestjs/core	11.1.20	11.1.26
@nestjs/platform-express	11.1.20	11.1.26
@nestjs/testing	11.1.20	11.1.26
@nestjs/websockets	11.1.20	11.1.26
@sentry/node	10.53.1	10.57.0
@types/node	25.7.0	25.9.2
axios	1.16.1	1.17.0
bullmq	5.76.8	5.78.0
date-fns	4.1.0	4.4.0
express-rate-limit	8.5.1	8.5.2
graphql	16.14.0	16.14.2
helmet	8.1.0	8.2.0
ioredis	5.10.1	5.11.1
js-yaml	4.1.1	4.2.0
pg	8.20.0	8.21.0
puppeteer	24.43.1	25.1.0
rate-limiter-flexible	11.1.0	11.2.0
redis	5.12.1	6.0.0
stripe	22.1.1	22.2.0
@nestjs/cli	11.0.21	11.0.23
commander	14.0.3	15.0.0
concurrently	9.2.1	10.0.3
jest	29.7.0	30.4.2
@types/jest	29.5.14	30.0.0

Updates @nestjs/common from 11.1.20 to 11.1.26

Release notes

Sourced from @​nestjs/common's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

• core
  • #17009 fix(core): reset dependency-tree cache on metadata changes (@​puneetdixit200)

Enhancements

• core
  • #16997 feat(core): warn on late websocket adapter registration (@​hbinhng)

Dependencies

• platform-ws
  • #17011 chore(deps): bump ws from 8.20.1 to 8.21.0 (@​dependabot[bot])

Committers: 2

• Nguyễn Hải Bình (@​hbinhng)
• Puneet Dixit (@​puneetdixit200)

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

... (truncated)

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 02f8041 chore(release): publish v11.1.25 release
• 1634915 test(common): Add unit tests for cli-colors utility
• 380bf5c Merge pull request #17058 from Se3do/test/extend-metadata
• af4542b test(common): Add unit tests for assignCustomParameterMetadata
• b67aea1 test(common): Add unit tests for extendArrayMetadata
• e1e4014 test(common): Tighten throw assertions in validateModuleKeys spec
• 6b97771 test(common): Add unit tests for validateModuleKeys
• 5a57222 test(common): add unit test for Optional decorator
• deed1b3 docs(common): add @​see reference to Res alias JSDoc
• Additional commits viewable in compare view

Updates @nestjs/core from 11.1.20 to 11.1.26

Release notes

Sourced from @​nestjs/core's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

• core
  • #17009 fix(core): reset dependency-tree cache on metadata changes (@​puneetdixit200)

Enhancements

• core
  • #16997 feat(core): warn on late websocket adapter registration (@​hbinhng)

Dependencies

• platform-ws
  • #17011 chore(deps): bump ws from 8.20.1 to 8.21.0 (@​dependabot[bot])

Committers: 2

• Nguyễn Hải Bình (@​hbinhng)
• Puneet Dixit (@​puneetdixit200)

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

... (truncated)

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 0f398fd test: fix broken unit test
• d152eec fix(core): post sse endpoint empty response #17098
• 02f8041 chore(release): publish v11.1.25 release
• e2ad4e2 Update package.json
• 396cf81 refactor(core): avoid duplicating sse intercept call
• 55cd699 fix(core): preserve deferred SSE handlers
• 7b5ca83 fix(core): register SSE close listener before async setup
• d8a0ab8 chore(release): publish v11.1.24 release
• 3ed595e fix(core): keep dependency parent registry internal
• Additional commits viewable in compare view

Updates @nestjs/platform-express from 11.1.20 to 11.1.26

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

• core
  • #17009 fix(core): reset dependency-tree cache on metadata changes (@​puneetdixit200)

Enhancements

• core
  • #16997 feat(core): warn on late websocket adapter registration (@​hbinhng)

Dependencies

• platform-ws
  • #17011 chore(deps): bump ws from 8.20.1 to 8.21.0 (@​dependabot[bot])

Committers: 2

• Nguyễn Hải Bình (@​hbinhng)
• Puneet Dixit (@​puneetdixit200)

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

... (truncated)

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 02f8041 chore(release): publish v11.1.25 release
• d8a0ab8 chore(release): publish v11.1.24 release
• 2dccece chore: update readmes
• b8be8c1 chore(release): publish v11.1.23 release
• 801c46f chore(release): publish v11.1.22 release
• 983dd52 chore(release): publish v11.1.21 release
• a0b0139 chore: update readme
• See full diff in compare view

Updates @nestjs/testing from 11.1.20 to 11.1.26

Release notes

Sourced from @​nestjs/testing's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

• core
  • #17009 fix(core): reset dependency-tree cache on metadata changes (@​puneetdixit200)

Enhancements

• core
  • #16997 feat(core): warn on late websocket adapter registration (@​hbinhng)

Dependencies

• platform-ws
  • #17011 chore(deps): bump ws from 8.20.1 to 8.21.0 (@​dependabot[bot])

Committers: 2

• Nguyễn Hải Bình (@​hbinhng)
• Puneet Dixit (@​puneetdixit200)

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

... (truncated)

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 02f8041 chore(release): publish v11.1.25 release
• d8a0ab8 chore(release): publish v11.1.24 release
• 2dccece chore: update readmes
• b8be8c1 chore(release): publish v11.1.23 release
• 801c46f chore(release): publish v11.1.22 release
• 983dd52 chore(release): publish v11.1.21 release
• a0b0139 chore: update readme
• See full diff in compare view

Updates @nestjs/websockets from 11.1.20 to 11.1.26

Release notes

Sourced from @​nestjs/websockets's releases.

v11.1.26

What's Changed

• fix(core): post sse endpoint empty response #17098 by @​kamilmysliwiec in nestjs/nest#17099

Full Changelog: nestjs/nest@v11.1.25...v11.1.26

v11.1.25

What's Changed

• fix(microservices): reject pending Redis requests on close by @​yudin-s in nestjs/nest#17024
• fix(core): register SSE close listener before async setup by @​fallintoplace in nestjs/nest#17018
• fix(platform-fastify): remove pathname ending slash by @​kamilmysliwiec in nestjs/nest#17094

New Contributors

• @​fallintoplace made their first contribution in nestjs/nest#17018
• @​DucMinhNe made their first contribution in nestjs/nest#17085
• @​iambeaukim made their first contribution in nestjs/nest#17091

Full Changelog: nestjs/nest@v11.1.24...v11.1.25

v11.1.24 (2026-05-25)

Bug fixes

• core
  • #17009 fix(core): reset dependency-tree cache on metadata changes (@​puneetdixit200)

Enhancements

• core
  • #16997 feat(core): warn on late websocket adapter registration (@​hbinhng)

Dependencies

• platform-ws
  • #17011 chore(deps): bump ws from 8.20.1 to 8.21.0 (@​dependabot[bot])

Committers: 2

• Nguyễn Hải Bình (@​hbinhng)
• Puneet Dixit (@​puneetdixit200)

v11.1.23 (2026-05-21)

Bug fixes

• core
  • nestjs/nest#16998 fix snapshot: true eagerly instantiates Terminus transient indicators since 11.1.20

Committers: 1

• Kamil Mysliwiec (@​kamilmysliwiec)

v11.1.22 (2026-05-21)

Bug fixes

... (truncated)

Commits

• 9ff83d5 chore(release): publish v11.1.26 release
• 02f8041 chore(release): publish v11.1.25 release
• d8a0ab8 chore(release): publish v11.1.24 release
• 2dccece chore: update readmes
• b8be8c1 chore(release): publish v11.1.23 release
• 801c46f chore(release): publish v11.1.22 release
• 983dd52 chore(release): publish v11.1.21 release
• a0b0139 chore: update readme
• See full diff in compare view

Updates @sentry/node from 10.53.1 to 10.57.0

Release notes

Sourced from @​sentry/node's releases.

10.57.0

Important Changes

• feat(angular): Add support for Angular 22 (#21330)

  @sentry/angular now officially supports Angular 22.

• ref(core): Deprecate sendDefaultPii in favor of dataCollection (#21277)

  sendDefaultPii is deprecated and will be removed in v11. The new dataCollection option lets you control each category of collected data. sendDefaultPii: true still works and maps to enabling all dataCollection categories. dataCollection.userInfo defaults to true when dataCollection is provided, meaning auto-populated user.* fields (e.g. IP address from a request) are collected by default. Data you set explicitly (like via Sentry.setUser()) is always sent regardless. When dataCollection is not set at all, the legacy sendDefaultPii behavior applies (userInfo: false by default) to preserve backward compatibility.

  Note that an empty dataCollection: {} falls back to more permissive defaults than sendDefaultPii: false, so replicate the old behavior by opting out explicitly:

  Sentry.init({
    dataCollection: {
      userInfo: false,
      genAI: { inputs: false, outputs: false },
      httpBodies: [],
      httpHeaders: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      cookies: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      queryParams: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
    },
  });

Other Changes

• feat: Use dataCollection.frameContextLines for ContextLines integration (#21323)
• feat(cloudflare): Auto instrument D1 based on env (#21276)
• feat(core): Change default of dataCollection.userInfo to true (#21348)
• feat(core): Default dataCollection.httpBodies to all valid body types (#21352)
• feat(hono): Filter noisy transactions (favicon etc) (#21365)
• fix(cloudflare): Don't track negatively sampled spans (#21367)
• fix(core): Use safeDateNow calls for new Date() reads (#21351)
• fix(nextjs): Shim pinoIntegration on edge runtime (#21347)
• fix(node): Prevent PostgresJs integration from emitting duplicate spans per query (#21364)
• fix(node-core): Read __SENTRY_SERVER_MODULES__ lazily so Turbopack injection is honored (#21339)
• fix(react): Detect React Router v6/v7 navigations in a layout effect to propagate the correct trace (#21326)
• fix(react): Remove unused react.componentStack event context (#21183)
• fix(replays): Record sentry._internal.replay_is_buffering for spans (#21297)

• chore: Bump volta node version from 20.19.2 to 20.19.5 (#21359)

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.57.0

Important Changes

• feat(angular): Add support for Angular 22 (#21330)

  @sentry/angular now officially supports Angular 22.

• ref(core): Deprecate sendDefaultPii in favor of dataCollection (#21277)

  sendDefaultPii is deprecated and will be removed in v11. The new dataCollection option lets you control each category of collected data. sendDefaultPii: true still works and maps to enabling all dataCollection categories. dataCollection.userInfo defaults to true when dataCollection is provided, meaning auto-populated user.* fields (e.g. IP address from a request) are collected by default. Data you set explicitly (like via Sentry.setUser()) is always sent regardless. When dataCollection is not set at all, the legacy sendDefaultPii behavior applies (userInfo: false by default) to preserve backward compatibility.

  Note that an empty dataCollection: {} falls back to more permissive defaults than sendDefaultPii: false, so replicate the old behavior by opting out explicitly:

  Sentry.init({
    dataCollection: {
      userInfo: false,
      genAI: { inputs: false, outputs: false },
      httpBodies: [],
      httpHeaders: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      cookies: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
      queryParams: { deny: ['forwarded', '-ip', 'remote-', 'via', '-user'] },
    },
  });

Other Changes

• feat: Use dataCollection.frameContextLines for ContextLines integration (#21323)
• feat(cloudflare): Auto instrument D1 based on env (#21276)
• feat(core): Change default of dataCollection.userInfo to true (#21348)
• feat(core): Default dataCollection.httpBodies to all valid body types (#21352)
• feat(hono): Filter noisy transactions (favicon etc) (#21365)
• fix(cloudflare): Don't track negatively sampled spans (#21367)
• fix(core): Use safeDateNow calls for new Date() reads (#21351)
• fix(nextjs): Shim pinoIntegration on edge runtime (#21347)
• fix(node): Prevent PostgresJs integration from emitting duplicate spans per query (#21364)
• fix(node-core): Read __SENTRY_SERVER_MODULES__ lazily so Turbopack injection is honored (#21339)
• fix(react): Detect React Router v6/v7 navigations in a layout effect to propagate the correct trace (#21326)
• fix(react): Remove unused react.componentStack event context (#21183)
• fix(replays): Record sentry._internal.replay_is_buffering for spans (#21297)

... (truncated)

Commits

• 950cf97 release: 10.57.0
• 55f9343 Merge pull request #21369 from getsentry/prepare-release/10.57.0
• 88d9d30 meta(changelog): Update changelog for 10.57.0
• 03ffd25 fix(cloudflare): Don't track negatively sampled spans (#21367)
• 7c19ead ref(node): Streamline sql-common (#21360)
• 95df562 feat(hono): Filter noisy transactions (favicon etc) (#21365)
• 92eb5d2 feat(deps): Bump hono from 4.12.18 to 4.12.21 (#21341)
• c6f790b fix(node): Prevent PostgresJs integration from emitting duplicate spans per q...
• d645349 ref(node): Streamline lru-memoizer instrumentation (#21350)
• 4293015 feat(deps): Bump @​types/aws-lambda from 8.10.150 to 8.10.161 (#21105)
• Additional commits viewable in compare view

Updates @types/node from 25.7.0 to 25.9.2

Commits

• See full diff in compare view

Updates axios from 1.16.1 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

Commits

• 4306df2 chore: add fun 88 sponsorship
• 931cc8f chore(release): prepare release 1.17.0 (#10983)
• 38ba1b3 fix(fetch): support basic auth from URL (#10896)
• 32e2515 fix: replace ternary side effect in script (#10931)
• 030e722 chore(deps): bump axios from 1.15.2 to 1.16.1 in /docs (#10960)
• ec63164 chore: remove openspec (#10958)
• 3dec28f fix(http): preserve TLS options for proxy tunnels (#10957)
• a2390a5 fix: correct isCancel type to narrow to CanceledError<T> (#10952)
• fa01b92 chore(deps-dev): bump tmp from 0.2.5 to 0.2.7 in /docs (#10954)
• 2d2314a fix: AxiosHeaders toJSON()Description has been truncated