Skip to content

Chore(deps): Bump the frontend-minor-patch group across 1 directory with 6 updates#1647

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/webroot/frontend-minor-patch-d6e3fb54b9
Open

Chore(deps): Bump the frontend-minor-patch group across 1 directory with 6 updates#1647
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/webroot/frontend-minor-patch-d6e3fb54b9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the frontend-minor-patch group with 6 updates in the /webroot directory:

Package From To
axios 1.16.1 1.17.0
caniuse-lite 1.0.30001793 1.0.30001797
libphonenumber-js 1.13.4 1.13.6
vue-responsiveness 0.2.4 0.2.5
@vue/test-utils 2.4.10 2.4.11
axe-core 4.11.4 4.12.0

Updates axios from 1.16.1 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Commits

Updates caniuse-lite from 1.0.30001793 to 1.0.30001797

Commits

Updates libphonenumber-js from 1.13.4 to 1.13.6

Changelog

Sourced from libphonenumber-js's changelog.

1.13.6 / 5.6.2026

  • Updated metadata to version 9.0.32:
    • Updated phone metadata for region code(s): DZ, JP, NO, SJ, SO, UG
    • Updated carrier data for country calling code(s): 33 (en), 47 (en), 233 (en), 252 (en), 256 (en)

1.13.5 / 03.06.2026

  • Converted any "tagged" types back to simple strings. Originally, some developers lobbied the use of so-called "tagged" types in this package in order to return more "strict" values. My knowledge of TypeScript at that time was limited to just its title, so I naturally succumbed to that influence and merged whatever changes seemed to be consensual between the participants in the issue discussions. Now though I can see how the concept of "tagged" types is redundant and adds nothing, so I decided to revert any "tagged" types back to simple strings.

1.13.3 / 22.5.2026

  • Updated metadata to version 9.0.31:
    • Updated alternate formatting data for country calling code(s): 84
    • Updated phone metadata for region code(s): AI, BO, DZ, ET, GE, GM, IN, TR, UG, VN
    • Updated short number metadata for region code(s): IT
    • Updated geocoding data for country calling code(s): 213 (en)
    • Updated carrier data for country calling code(s): 34 (en), 43 (en), 84 (en), 90 (en), 220 (en), 251 (en), 256 (en), 354 (en), 591 (en), 1264 (en)

1.13.0 / 08.05.2026

  • Merged a pull request by Matt d'Entremont that adds ES6-only versions of min/max/mobile/core exports.

    • The new exports are:

      • minlibphonenumber-js/min/es6
      • maxlibphonenumber-js/max/es6
      • mobile — libphonenumber-js/mobile/es6
      • "custom" — libphonenumber-js/core/es6

    • The bundle size reduction is roughly 37 KB raw and 3.8-4.1 KB gzipped.

                        | legacy raw | modern raw | legacy gzip | modern gzip
  min                   | 177,666 B  | 140,563 B  | 42,081 B    | 38,223 B
  max                   | 251,327 B  | 214,224 B  | 62,690 B    | 58,750 B
  mobile                | 193,117 B  | 156,014 B  | 46,712 B    | 42,682 B
  core                  |  93,076 B  |  56,158 B  | 22,308 B    | 18,223 B

  • Updated libphonenumber-metadata-generator package. No functional changes, just cosmetics: renamed some API methods and parameters.

  • (TypeScript) Added a new exported type PhoneNumberType, which is same as the old exported NumberType type (which is now considered deprecated) except for undefined value.

... (truncated)

Commits

Updates vue-responsiveness from 0.2.4 to 0.2.5

Release notes

Sourced from vue-responsiveness's releases.

v0.2.5

Fixes TypeScript declaration packaging for vue-responsiveness.

This release restores generated .d.ts files in the published package and exposes them through exports.types, so TypeScript consumers can resolve the package correctly.

Also includes:

  • upgraded Vue/Vite/Vitest/ESLint/TypeScript tooling
  • Vite 8 / Rolldown config updates
  • explicit media query listener cleanup on app unmount
  • SSR install coverage
  • refreshed README and package badges
Commits

Updates @vue/test-utils from 2.4.10 to 2.4.11

Release notes

Sourced from @​vue/test-utils's releases.

v2.4.11

compare changes

🩹 Fixes

  • Drop legacy Mutation Event listener entries (#2844)
  • Handle setData() correctly for components using both setup() and data() (#2846)
  • Export GlobalMountOptions type (#2851)
  • Set spec-compliant event.code on keydown/keyup (#2850)

❤️ Contributors

Commits
  • 5e48e1e v2.4.11
  • b73ee1d chore(deps): update dependency oxfmt to v0.53.0
  • 39e32ec chore(deps): update all non-major dependencies to v17.0.7 (#2881)
  • 0621772 chore(deps): update actions/checkout digest to df4cb1c (#2880)
  • 81fde07 chore(deps): update all non-major dependencies (#2879)
  • 4ad4255 chore(deps): update dependency oxfmt to v0.52.0 (#2878)
  • 8d3d26e chore(deps): update pnpm to v11.3.0 (#2877)
  • bc79eff chore(deps): update all non-major dependencies (#2876)
  • 58db8f7 chore(deps): update all non-major dependencies (#2874)
  • 9ad31cb chore: enable renovate minimum release age for npm
  • Additional commits viewable in compare view

Updates axe-core from 4.11.4 to 4.12.0

Release notes

Sourced from axe-core's releases.

Release 4.12.0

In this release you'll find:

  1. A new aria-tab-name rule that tests role="tab" elements have an accessible name
  2. The landmark-complementary-is-top-level rule is deprecated, as ARIA no longer requires this
  3. Preparations for Element Internal support (behind a feature flag)
  4. Various other bug fixes for target-size, scrollable-region-focusable, and more

This release can see reveal new issues, as well as close out a few existing ones that might have come from false positives or the now deprecated rule.

Features

  • add gather-internals.js external script (#5099) (c61d58b), closes #5080
  • aria-allowed/prohibited-attr, aria-required-parent/children: partially support element internals role (#5080) (417b48a), closes #5039 #4259
  • axe.externalAPIs: add public api for setting elementInternal data (#5105) (63bab8f)
  • core: expose normalizeRunOptions (#4998) (b8e6a59)
  • expose axe.resetLocale() to restore the default locale (#5108) (c2b5292), closes #5107
  • getRules: include rule enabled state in returned objects (#5118) (75bf772), closes #5116
  • list,listitem: support element internals role (#5119) (7d9d696)
  • new-rule: check that aria-tab have an accessible name (#5001) (0d4e4e7), closes #4842
  • rules: deprecate landmark-complementary-is-top-level rules (#4992) (9e09139), closes #4950
  • utils: add getElementInternals function (#5077) (1c15f82)

Bug Fixes

  • aria-allowed-attr: restrict br and wbr elements to aria-hidden only (#4974) (c6245e7)
  • aria-conditional-attr: add support for radio (#5100) (8223c98)
  • aria-valid-attr-value: handle multiple aria-errormessage IDs (#4973) (0489e30)
  • aria: prevent getOwnedVirtual from returning duplicate nodes (#4987) (48ca955), closes #4840
  • commons/text: exclude natively hidden elements from aria-labelledby accessible name (#5076) (ea7202c), closes #4704
  • DqElement: avoid calling constructors with cloneNode (#5013) (0281fa1)
  • existing-rule: aria-busy now shows an error message for a use with unallowed children (#5017) (2067b87)
  • helpUrl: ensure axe.configure always updates the help URLs (#5114) (c4f60ff)
  • label-content-name-mismatch: match visible text with aria-label and exclude invisible text (#5096) (3a012a1)
  • locale: ensure all subtags are correctly set (#5112) (13005ed)
  • scrollable-region-focusable: clarify the issue is in safari (#4995) (4ec5211), closes WebKit#190870 WebKit#277290
  • scrollable-region-focusable: do not fail scroll areas when all content is visible without scrolling (#4993) (838707a)
  • target-size: determine offset using clientRects if target is display:inline (#5012) (a4b8091)
  • target-size: ignore position: fixed elements that are offscreen when page is scrolled (#5066) (1229a6e), closes #5065
  • target-size: ignore widgets that are inline with other inline elements (#5000) (a8dd81b)
  • utils/getAncestry: escape node name (#5079) (d1fabaa), closes #5078
  • utils: Add null check to parseCrossOriginStylesheet, closes #5074 (#5075) (f12ef32)
  • utils: update isShadowRoot to use spec-compliant custom element regex (#5059) (edc6ce2), closes #5030
Changelog

Sourced from axe-core's changelog.

4.12.0 (2026-06-01)

Features

  • add gather-internals.js external script (#5099) (c61d58b), closes #5080
  • aria-allowed/prohibited-attr, aria-required-parent/children: partially support element internals role (#5080) (417b48a), closes #5039 #4259
  • axe.externalAPIs: add public api for setting elementInternal data (#5105) (63bab8f)
  • core: expose normalizeRunOptions (#4998) (b8e6a59)
  • expose axe.resetLocale() to restore the default locale (#5108) (c2b5292), closes #5107
  • getRules: include rule enabled state in returned objects (#5118) (75bf772), closes #5116
  • list,listitem: support element internals role (#5119) (7d9d696)
  • new-rule: check that aria-tab have an accessible name (#5001) (0d4e4e7), closes #4842
  • rules: deprecate landmark-complementary-is-top-level rules (#4992) (9e09139), closes #4950
  • utils: add getElementInternals function (#5077) (1c15f82)

Bug Fixes

  • aria-allowed-attr: restrict br and wbr elements to aria-hidden only (#4974) (c6245e7)
  • aria-conditional-attr: add support for radio (#5100) (8223c98)
  • aria-valid-attr-value: handle multiple aria-errormessage IDs (#4973) (0489e30)
  • aria: prevent getOwnedVirtual from returning duplicate nodes (#4987) (48ca955), closes #4840
  • commons/text: exclude natively hidden elements from aria-labelledby accessible name (#5076) (ea7202c), closes #4704
  • DqElement: avoid calling constructors with cloneNode (#5013) (0281fa1)
  • existing-rule: aria-busy now shows an error message for a use with unallowed children (#5017) (2067b87)
  • helpUrl: ensure axe.configure always updates the help URLs (#5114) (c4f60ff)
  • label-content-name-mismatch: match visible text with aria-label and exclude invisible text (#5096) (3a012a1)
  • locale: ensure all subtags are correctly set (#5112) (13005ed)
  • scrollable-region-focusable: clarify the issue is in safari (#4995) (4ec5211), closes WebKit#190870 WebKit#277290
  • scrollable-region-focusable: do not fail scroll areas when all content is visible without scrolling (#4993) (838707a)
  • target-size: determine offset using clientRects if target is display:inline (#5012) (a4b8091)
  • target-size: ignore position: fixed elements that are offscreen when page is scrolled (#5066) (1229a6e), closes #5065
  • target-size: ignore widgets that are inline with other inline elements (#5000) (a8dd81b)
  • utils/getAncestry: escape node name (#5079) (d1fabaa), closes #5078
  • utils: Add null check to parseCrossOriginStylesheet, closes #5074 (#5075) (f12ef32)
  • utils: update isShadowRoot to use spec-compliant custom element regex (#5059) (edc6ce2), closes #5030
Commits
  • e260c7e ci: continue-on-error for text_examples (#5124)
  • 90e6c45 ci: continue-on-error for text_examples
  • 0016ef9 chore(release): v4.12.0 (#5122)
  • 1e9df5a chore(release): 4.12.0
  • 75bf772 feat(getRules): include rule enabled state in returned objects (#5118)
  • c621011 docs(check-options): fix duplicate "the" (passLength/failLength rows) (#5113)
  • f12ef32 fix(utils): Add null check to parseCrossOriginStylesheet, closes #5074 (#5075)
  • 7d9d696 feat(list,listitem): support element internals role (#5119)
  • c01a37d ci: ignore gather-internals.js from import deploy validation (#5110)
  • edc6ce2 fix(utils): update isShadowRoot to use spec-compliant custom element regex (#...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Chore(deps): Bump the frontend-minor-patch group across 1 directory w…
0cfe0f7 
…ith 6 updates

Bumps the frontend-minor-patch group with 6 updates in the /webroot directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.16.1` | `1.17.0` |
| [caniuse-lite](https://github.com/browserslist/caniuse-lite) | `1.0.30001793` | `1.0.30001797` |
| [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) | `1.13.4` | `1.13.6` |
| [vue-responsiveness](https://github.com/codemonk-digital/vue-responsiveness) | `0.2.4` | `0.2.5` |
| [@vue/test-utils](https://github.com/vuejs/test-utils) | `2.4.10` | `2.4.11` |
| [axe-core](https://github.com/dequelabs/axe-core) | `4.11.4` | `4.12.0` |



Updates `axios` from 1.16.1 to 1.17.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.16.1...v1.17.0)

Updates `caniuse-lite` from 1.0.30001793 to 1.0.30001797
- [Commits](browserslist/caniuse-lite@1.0.30001793...1.0.30001797)

Updates `libphonenumber-js` from 1.13.4 to 1.13.6
- [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/commits/master)

Updates `vue-responsiveness` from 0.2.4 to 0.2.5
- [Release notes](https://github.com/codemonk-digital/vue-responsiveness/releases)
- [Commits](https://github.com/codemonk-digital/vue-responsiveness/commits/v0.2.5)

Updates `@vue/test-utils` from 2.4.10 to 2.4.11
- [Release notes](https://github.com/vuejs/test-utils/releases)
- [Commits](vuejs/test-utils@v2.4.10...v2.4.11)

Updates `axe-core` from 4.11.4 to 4.12.0
- [Release notes](https://github.com/dequelabs/axe-core/releases)
- [Changelog](https://github.com/dequelabs/axe-core/blob/develop/CHANGELOG.md)
- [Commits](dequelabs/axe-core@v4.11.4...v4.12.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: caniuse-lite
  dependency-version: 1.0.30001797
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: libphonenumber-js
  dependency-version: 1.13.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vue-responsiveness
  dependency-version: 0.2.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vue/test-utils"
  dependency-version: 2.4.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: axe-core
  dependency-version: 4.12.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file frontend labels Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file frontend

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants