
Bump the npm-production group across 1 directory with 4 updates #4

Merged: billm950 merged 1 commit into main from dependabot/npm_and_yarn/npm-production-bdf941fa10 on Jun 5, 2026

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Bumps the npm-production group with 4 updates in the / directory: @clack/prompts, @commander-js/extra-typings, axios and commander.

Updates @clack/prompts from 0.11.0 to 1.5.1

Release notes

Sourced from @​clack/prompts's releases.

@​clack/prompts@​1.5.1

Patch Changes

@​clack/prompts@​1.5.0

Minor Changes

  • #543 83428ac Thanks @​florian-lefebvre! - Adds support for Standard Schema validation

    Prompts accept an optional validate() function to validate user input. While a function provides more flexibility and customization over your validation, it can be a bit verbose. To help solve this, there are libraries that provide schema-based validation to make shorthand and type-strict validation substantially easier.

    Libraries following the Standard Schema specification are now natively supported. For example, using Arktype:

    import { text } from '@clack/prompts';
    import { type } from 'arktype';

    const name = await text({
      message: 'Enter your email',
      validate: type('string.email').describe('Invalid email'),
    });

Patch Changes

@​clack/prompts@​1.4.0

Minor Changes

  • 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

  • aab46a2: docs: add jsdoc for text, password, and multiline prompts
  • 54be8d7: Fix line wrapping and overflow computation in group multi-select and other list-like prompts.
  • Updated dependencies [54be8d7]

... (truncated)

Changelog

Sourced from @​clack/prompts's changelog.

1.5.1

Patch Changes

1.5.0

Minor Changes

  • #543 83428ac Thanks @​florian-lefebvre! - Adds support for Standard Schema validation

    Prompts accept an optional validate() function to validate user input. While a function provides more flexibility and customization over your validation, it can be a bit verbose. To help solve this, there are libraries that provide schema-based validation to make shorthand and type-strict validation substantially easier.

    Libraries following the Standard Schema specification are now natively supported. For example, using Arktype:

    import { text } from '@clack/prompts';
    import { type } from 'arktype';

    const name = await text({
      message: 'Enter your email',
      validate: type('string.email').describe('Invalid email'),
    });

Patch Changes

1.4.0

Minor Changes

  • 284677e: Support scrolling and maxItems option for groupMultiselect, and removes indent when withGuide is set to false

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​clack/prompts since your current version.


Updates @commander-js/extra-typings from 14.0.0 to 15.0.0

Release notes

Sourced from @​commander-js/extra-typings's releases.

v15.0.0

@commander-js/extra-typings 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of @commander-js/extra-typings 15 moves version 14 into maintenance. @commander-js/extra-typings 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

Changed

  • Breaking: migrated implementation from CommonJS to ESM (#178)
  • Breaking: peer dependency on Commander 15.0.x which requires Node.js 22.12 or higher
  • update dependencies
  • old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date
  • only lone negated option defaults option value to true (matching Commander 15) (#179)
  • now reexporting the global program singleton from Commander rather than creating a separate one

Migration Tips

@commander-js/extra-typings 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, Deno, and TypeScript. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using @commander-js/extra-typings 15 in your environment, one option is to stay on version 14 for now. @commander-js/extra-typings 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

Changelog

Sourced from @​commander-js/extra-typings's changelog.

[15.0.0] (2026-05-29)

@commander-js/extra-typings 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of @commander-js/extra-typings 15 moves version 14 into maintenance. @commander-js/extra-typings 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

Changed

  • Breaking: migrated implementation from CommonJS to ESM (#178)
  • Breaking: peer dependency on Commander 15.0.x which requires Node.js 22.12 or higher
  • update dependencies
  • old major versions now supported for 12 months instead of just previous major version, to give predictable end-of-life date
  • only lone negated option defaults option value to true (matching Commander 15) (#179)
  • now reexporting the global program singleton from Commander rather than creating a separate one

Migration Tips

@commander-js/extra-typings 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, Deno, and TypeScript. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using @commander-js/extra-typings 15 in your environment, one option is to stay on version 14 for now. @commander-js/extra-typings 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

Commits
  • 5a1af3d Merge develop to main for 15.0.0
  • 4bed262 Merge branch 'main' into develop
  • 73ad76d Update Commander dependency to 15.0.0
  • 06f0b4f Add Changelog entry for move to ESM
  • b8f81f3 Recognise negative then positive combo (#179)
  • 6d0ea59 Switch to esm (#178)
  • 1c37944 Pin GitHub actions with hash (#180)
  • 3df3727 Revert "Recognise negative then positive combo"
  • 48fff8a Recognise negative then positive combo
  • 686c1f3 Update docs and prepare for 15.0.0 (#177)
  • Additional commits viewable in compare view

Updates axios from 1.16.1 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Commits

Updates commander from 14.0.3 to 15.0.0

Release notes

Sourced from commander's releases.

v15.0.0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is to stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

v15.0.0-0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 in May 2026 will move Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

... (truncated)

Changelog

Sourced from commander's changelog.

[15.0.0] (2026-05-29)

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is to stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

[15.0.0-0] (2026-02-22)

(Released as 15.0.0)

Commits
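
The axios 1.17.0 "Config Hardening" note quoted above describes own-property checks on socketPath, params and paramsSerializer. The following is an added illustration of that kind of guard, not code from axios or from this pull request; readInherited, readOwn, resolveTransport and inheritedGuardedKeys are hypothetical names, and the config values are constructed.

```javascript
// Added example: why a config read needs an own-property check.
// Not axios source; all function names here are hypothetical.

const GUARDED_KEYS = ['socketPath', 'params', 'paramsSerializer'];

// Unguarded read: plain property access walks the prototype chain, so a
// value planted on Object.prototype looks like a caller-supplied option.
function readInherited(config, key) {
  return config[key];
}

// Guarded read: honour the key only if it was set on this config object.
function readOwn(config, key) {
  return Object.prototype.hasOwnProperty.call(config, key) ? config[key] : undefined;
}

// Decide where a request would be sent, using the supplied reader.
function resolveTransport(config, read) {
  const socketPath = read(config, 'socketPath');
  if (typeof socketPath === 'string' && socketPath.length > 0) {
    return { kind: 'unix-socket', target: socketPath };
  }
  return { kind: 'tcp', target: new URL(config.url).host };
}

// Detection helper: guarded keys that are visible on the config but not
// own properties indicate an inherited (possibly polluted) value.
function inheritedGuardedKeys(config) {
  return GUARDED_KEYS.filter(
    (key) => key in config && !Object.prototype.hasOwnProperty.call(config, key)
  );
}

// Constructed scenario: simulate an already-polluted Object.prototype,
// compare both readers, and always restore the prototype afterwards.
function demo() {
  const config = { url: 'https://api.example.test/v1/items' }; // constructed
  Object.prototype.socketPath = '/run/constructed-example.sock'; // constructed
  try {
    return {
      unsafe: resolveTransport(config, readInherited),
      hardened: resolveTransport(config, readOwn),
      flagged: inheritedGuardedKeys(config),
      // An explicitly set socketPath is still honoured by the guarded read.
      explicit: resolveTransport(
        { url: config.url, socketPath: '/run/app.sock' },
        readOwn
      ),
    };
  } finally {
    delete Object.prototype.socketPath;
  }
}

console.log(JSON.stringify(demo(), null, 2));
```

The unguarded reader routes the request to the inherited socket path even though the caller never set one, while the guarded reader falls back to the URL host.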

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jun 4, 2026
Bumps the npm-production group with 4 updates in the / directory: [@clack/prompts](https://github.com/bombshell-dev/clack/tree/HEAD/packages/prompts), [@commander-js/extra-typings](https://github.com/commander-js/extra-typings), [axios](https://github.com/axios/axios) and [commander](https://github.com/tj/commander.js).


Updates `@clack/prompts` from 0.11.0 to 1.5.1
- [Release notes](https://github.com/bombshell-dev/clack/releases)
- [Changelog](https://github.com/bombshell-dev/clack/blob/main/packages/prompts/CHANGELOG.md)
- [Commits](https://github.com/bombshell-dev/clack/commits/@clack/prompts@1.5.1/packages/prompts)

Updates `@commander-js/extra-typings` from 14.0.0 to 15.0.0
- [Release notes](https://github.com/commander-js/extra-typings/releases)
- [Changelog](https://github.com/commander-js/extra-typings/blob/main/CHANGELOG.md)
- [Commits](commander-js/extra-typings@v14.0.0...v15.0.0)

Updates `axios` from 1.16.1 to 1.17.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.16.1...v1.17.0)

Updates `commander` from 14.0.3 to 15.0.0
- [Release notes](https://github.com/tj/commander.js/releases)
- [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md)
- [Commits](tj/commander.js@v14.0.3...v15.0.0)

---
updated-dependencies:
- dependency-name: "@clack/prompts"
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-production
- dependency-name: "@commander-js/extra-typings"
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-production
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-production
- dependency-name: commander
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm-production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-production-bdf941fa10 branch from 4983055 to 5ad5019 Compare June 5, 2026 16:53
@billm950 billm950 merged commit a6d119e into main Jun 5, 2026
0 of 4 checks passed
@billm950 billm950 deleted the dependabot/npm_and_yarn/npm-production-bdf941fa10 branch June 5, 2026 17:17