Bump the production-minor-patch group with 9 updates

[dependabot]

Bumps the production-minor-patch group with 9 updates:

Package	From	To
axios	1.16.1	1.17.0
vue-i18n	11.4.4	11.4.5
@emnapi/core	1.10.0	1.11.0
@emnapi/runtime	1.10.0	1.11.0
@types/node	25.9.1	25.9.2
@vue/eslint-config-typescript	14.7.0	14.8.0
@vue/test-utils	2.4.10	2.4.11
eslint-plugin-vue	10.9.1	10.9.2
vue-tsc	3.3.3	3.3.4

Updates axios from 1.16.1 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

Commits

• 4306df2 chore: add fun 88 sponsorship
• 931cc8f chore(release): prepare release 1.17.0 (#10983)
• 38ba1b3 fix(fetch): support basic auth from URL (#10896)
• 32e2515 fix: replace ternary side effect in script (#10931)
• 030e722 chore(deps): bump axios from 1.15.2 to 1.16.1 in /docs (#10960)
• ec63164 chore: remove openspec (#10958)
• 3dec28f fix(http): preserve TLS options for proxy tunnels (#10957)
• a2390a5 fix: correct isCancel type to narrow to CanceledError<T> (#10952)
• fa01b92 chore(deps-dev): bump tmp from 0.2.5 to 0.2.7 in /docs (#10954)
• 2d2314a fix: AxiosHeaders toJSON() return types (#10956)
• Additional commits viewable in compare view

Updates vue-i18n from 11.4.4 to 11.4.5

Release notes

Sourced from vue-i18n's releases.

v11.4.5

What's Changed

⚡ Improvement Features

• fix(core-base): respect part option when format key is omitted in number/datetime by @​kazupon in intlify/vue-i18n#2522

Full Changelog: intlify/vue-i18n@v11.4.4...v11.4.5

Commits

• 6b97bfd release: v11.4.5
• See full diff in compare view

Updates @emnapi/core from 1.10.0 to 1.11.0

Release notes

Sourced from @​emnapi/core's releases.

v1.11.0

What's Changed

• feat: add napi_create_external_sharedarraybuffer (#211)
• feat: support SharedArrayBuffer in napi_create_typedarray (#212)
• refactor: remove use of PThread.runningWorkers (#216)

Full Changelog: toyobayashi/emnapi@v1.10.0...v1.11.0

Commits

• e4a7825 1.11.0
• c9a3f2c refactor: remove use of PThread.runningWorkers (#216)
• a0a7953 ci: workflow_dispatch
• 96d67bf feat: support SharedArrayBuffer in napi_create_typedarray (#212)
• 3802768 feat: add napi_create_external_sharedarraybuffer (#211)
• ccea8c7 test: sync tsfn abort test
• See full diff in compare view

Updates @emnapi/runtime from 1.10.0 to 1.11.0

Release notes

Sourced from @​emnapi/runtime's releases.

v1.11.0

What's Changed

• feat: add napi_create_external_sharedarraybuffer (#211)
• feat: support SharedArrayBuffer in napi_create_typedarray (#212)
• refactor: remove use of PThread.runningWorkers (#216)

Full Changelog: toyobayashi/emnapi@v1.10.0...v1.11.0

Commits

• e4a7825 1.11.0
• c9a3f2c refactor: remove use of PThread.runningWorkers (#216)
• a0a7953 ci: workflow_dispatch
• 96d67bf feat: support SharedArrayBuffer in napi_create_typedarray (#212)
• 3802768 feat: add napi_create_external_sharedarraybuffer (#211)
• ccea8c7 test: sync tsfn abort test
• See full diff in compare view

Updates @types/node from 25.9.1 to 25.9.2

Commits

• See full diff in compare view

Updates @vue/eslint-config-typescript from 14.7.0 to 14.8.0

Release notes

Sourced from @​vue/eslint-config-typescript's releases.

v14.8.0

What's Changed

• feat: add includeDotFolders option by @​mlmoravek in vuejs/eslint-config-typescript#278

New Contributors

• @​arpitjain099 made their first contribution in vuejs/eslint-config-typescript#285
• @​mlmoravek made their first contribution in vuejs/eslint-config-typescript#278

Full Changelog: vuejs/eslint-config-typescript@v14.7.0...v14.8.0

Commits

• e169409 14.8.0
• ac937a3 chore: align redefine-plugin-vue fixture deps
• d003778 docs: document includeDotFolders option
• dd31946 chore(deps): lock file maintenance (#301)
• 0d40d25 chore(deps): lock file maintenance (#296)
• 08da67c chore(deps): update dependency @​quasar/extras to v2 (#299)
• eda6e41 chore(deps): update v0.x to ^0.14.1 (#298)
• 735c0dd chore(deps): update dependency vite to ^8.0.14 (#295)
• c065c57 chore(deps): update all non-major dependencies (#297)
• f3bc5ce chore(deps): update dependency npm-run-all2 to v9 (#300)
• Additional commits viewable in compare view

Updates @vue/test-utils from 2.4.10 to 2.4.11

Release notes

Sourced from @​vue/test-utils's releases.

v2.4.11

compare changes

🩹 Fixes

• Drop legacy Mutation Event listener entries (#2844)
• Handle setData() correctly for components using both setup() and data() (#2846)
• Export GlobalMountOptions type (#2851)
• Set spec-compliant event.code on keydown/keyup (#2850)

❤️ Contributors

• Cédric Exbrayat (@​cexbrayat)
• Renato de Leão (@​renatodeleao)
• Matt Van Horn (@​mvanhorn)
• Carsten Brachem (@​cbrachem)
• Ahmad Hanan (@​AhmadHannan037)
• Paul Cochrane (@​paultcochrane)
• Arpit Jain (@​arpitjain099)

Commits

• 5e48e1e v2.4.11
• b73ee1d chore(deps): update dependency oxfmt to v0.53.0
• 39e32ec chore(deps): update all non-major dependencies to v17.0.7 (#2881)
• 0621772 chore(deps): update actions/checkout digest to df4cb1c (#2880)
• 81fde07 chore(deps): update all non-major dependencies (#2879)
• 4ad4255 chore(deps): update dependency oxfmt to v0.52.0 (#2878)
• 8d3d26e chore(deps): update pnpm to v11.3.0 (#2877)
• bc79eff chore(deps): update all non-major dependencies (#2876)
• 58db8f7 chore(deps): update all non-major dependencies (#2874)
• 9ad31cb chore: enable renovate minimum release age for npm
• Additional commits viewable in compare view

Updates eslint-plugin-vue from 10.9.1 to 10.9.2

Release notes

Sourced from eslint-plugin-vue's releases.

v10.9.2

Patch Changes

• Fixed vue/custom-event-name-casing to check segments of colon-separated event names like update:foo-bar (#3079)
• Fixed vue/one-component-per-file to not report functions not imported from Vue (#3063)
• Fixed vue/prefer-import-from-vue to not report imports/exports of names that are not re-exported by vue (#3081)
• Fixed vue/return-in-computed-property and vue/require-render-return to not report exhaustive switch statements when TypeScript type information is available (#3067)

Changelog

Sourced from eslint-plugin-vue's changelog.

10.9.2

Patch Changes

• Fixed vue/custom-event-name-casing to check segments of colon-separated event names like update:foo-bar (#3079)
• Fixed vue/one-component-per-file to not report functions not imported from Vue (#3063)
• Fixed vue/prefer-import-from-vue to not report imports/exports of names that are not re-exported by vue (#3081)
• Fixed vue/return-in-computed-property and vue/require-render-return to not report exhaustive switch statements when TypeScript type information is available (#3067)

Commits

• 9aa463a Version Packages (#3080)
• 517347c Add error positions (#3085)
• b582b7e fix: false positive for returns in exhaustive switch (#3067)
• 91a136c fix(one-component-per-file): Ignore members imported from elsewhere (#3063)
• d37d17b fix(prefer-import-from-vue): don't report names not exported by vue (#3081)
• 836aa95 fix(custom-event-name-casing): check segments of colon-separated names (#3079)
• See full diff in compare view

Updates vue-tsc from 3.3.3 to 3.3.4

Release notes

Sourced from vue-tsc's releases.

v3.3.4

language-core

• fix: only exclude already-set props from inherited attrs when checkRequiredFallthroughAttributes is enabled (#6088) - Thanks to @​KazariEX!
• fix: camelize slot props regardless of htmlAttributes option (#6089) - Thanks to @​KazariEX!
• fix: detect duplicate event listeners across name formats (#6094) - Thanks to @​whysopaul!

language-service

• fix: respect var hoisting for destructured props hints (#6092) - Thanks to @​KazariEX!

typescript-plugin

• fix: do not treat class and style as a boolean property (#6081) - Thanks to @​KazariEX!

Our Sponsors ❤️

... (truncated)

Changelog

Sourced from vue-tsc's changelog.

3.3.4 (2026-06-08)

language-core

• fix: only exclude already-set props from inherited attrs when checkRequiredFallthroughAttributes is enabled (#6088) - Thanks to @​KazariEX!
• fix: camelize slot props regardless of htmlAttributes option (#6089) - Thanks to @​KazariEX!
• fix: detect duplicate event listeners across name formats (#6094) - Thanks to @​whysopaul!

language-service

• fix: respect var hoisting for destructured props hints (#6092) - Thanks to @​KazariEX!

typescript-plugin

• fix: do not treat class and style as a boolean property (#6081) - Thanks to @​KazariEX!

Commits

• 043a77b v3.3.4 (#6095)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions