chore(deps)(deps): bump the production-dependencies group across 1 directory with 16 updates

[dependabot]

Bumps the production-dependencies group with 16 updates in the / directory:

Package	From	To
@aws-sdk/client-s3	3.1009.0	3.1041.0
@aws-sdk/client-ses	3.1009.0	3.1041.0
@aws-sdk/s3-request-presigner	3.1014.0	3.1041.0
@prisma/adapter-pg	7.5.0	7.8.0
@vercel/functions	3.4.3	3.5.0
axios	1.13.6	1.16.0
canvas	3.2.1	3.2.3
csv-parse	6.1.0	6.2.1
dotenv	17.3.1	17.4.2
jose	6.2.1	6.2.3
next	16.1.6	16.2.4
proj4	2.20.4	2.20.8
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
react-leaflet-cluster	4.0.0	4.1.3
zod	4.3.6	4.4.3

Updates @aws-sdk/client-s3 from 3.1009.0 to 3.1041.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1041.0

3.1041.0(2026-05-01)

Chores

• core/client: emit warning for Node.js 20.x end-of-support (#7973) (00383767)
• workflows: migrate git-sync SSH key from GitHub secret to Secrets Manager via OIDC (#7978) (c056a2e3)
• codegen: smithy-aws-typescript-codegen 0.49.1 (#7980) (7bb42b39)

Documentation Changes

• client-iam: Added guidance for CreateOpenIDConnectProvider to include multiple thumbprints when OIDC discovery and JWKS endpoints use different hosts or certificates (b4bb6928)

New Features

• clients: update client endpoints as of 2026-05-01 (d48b40d5)
• client-iot: AWS IoT HTTP rule actions now support cross-topic batching, combining messages from different MQTT topics into single HTTP requests. (82edd29f)
• client-appstream: Amazon WorkSpaces Applications now enables AI agents to securely operate desktop applications. Administrators configure stacks to provide agents access to WorkSpaces. Agents can click, type, and take screenshots. Agents authenticate with AWS IAM credentials with activity logged in AWS CloudTrail. (5ca40b43)
• client-quicksight: Add IdentityProviderCACertificatesBundleS3Uri for private CA certs with OAuth datasources. 256-char limit for FontFamily in themes. ControlTitleFormatText on all 13 filters. ControlTitleFontConfiguration. ContextRegion for cross-region identity context. Story,scenario in CreateCustomCapability API. (a625879c)
• client-cloudwatch: This release adds tag support for CloudWatch Dashboards. The PutDashboard API now accepts a Tags parameter, allowing you to tag dashboards at creation time. Additionally, the TagResource, UntagResource, and ListTagsForResource APIs now support dashboard ARNs as resources. (e87c1479)
• client-entityresolution: Add support for transitive matching in AWS Entity Resolution rule-based matching workflows. When enabled, records that match through different rules are grouped together into the same match group, allowing related records to be connected across rule levels. (20487961)
• client-cloudwatch-logs: Adds support for filtering log groups by tags in the ListLogGroups API via the new logGroupTags parameter. (25dc6d23)
• client-qconnect: Added reasoning details, statusDescription, and timeToFirstTokenMs fields to the ListSpans response in Amazon Q in Connect to provide visibility into model thinking, error diagnostics, and inference latency metrics. (2c668c9d)

Bug Fixes

• lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#7982) (8a58046b)

---

For list of updated packages, view updated-packages.md in assets-3.1041.0.zip

v3.1040.0

3.1040.0(2026-04-30)

New Features

• clients: update client endpoints as of 2026-04-30 (2620ccbd)
• client-bedrock-agentcore-control: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (6b9d13e3)
• client-route53globalresolver: Adds support for regions in the UpdateGlobalResolver input. (84b15b2e)
• client-sagemaker: Add InstancePools support to Endpoint for flexible provisioning across a prioritized list of instance types. Add Specifications support to InferenceComponent for per-instance-type model configurations. (05c49aa9)
• client-sso-admin: Add InstanceArn and IdentityStoreArn in the response of CreateApplication API and IdentityStoreArn in the response of DescribeApplication API (d46aaf53)
• client-payment-cryptography: Adds support for resource-based policies on AWS Payment Cryptography keys, enabling cross-account key sharing. Also adds Multi-Party Approval (MPA) team association APIs for protecting sensitive import root public key operations. (4d7fdfa8)
• client-datazone: Adds support for asynchronous notebook runs (e562cc0f)
• client-kafka: Adds support for ZookeeperAccess field to control the Client-Zookeeper connectivity. (34de26bd)
• client-observabilityadmin: Observability Admin enablement launch for AWS Kafka, Bedrock Agent Core Workload Identity and OTel metric enablement. (8cea5eb6)
• client-eks: Vended logs update param for capability vended logs feature (7741c8f5)
• client-bedrock-agentcore: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (948fd098)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1041.0 (2026-05-01)

Note: Version bump only for package @​aws-sdk/client-s3

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/client-s3

3.1039.0 (2026-04-29)

Note: Version bump only for package @​aws-sdk/client-s3

3.1038.0 (2026-04-27)

Bug Fixes

• xml-builder: use xml 1.1 parsing behavior for entities (#7964) (7a30bce)

3.1037.0 (2026-04-24)

Note: Version bump only for package @​aws-sdk/client-s3

3.1036.0 (2026-04-23)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

• 5df4c01 Publish v3.1041.0
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3dfb72b chore(codegen): sync for adaptive retry fixes (#7970)
• 3fbf6c5 Publish v3.1038.0
• e9f8d8a chore(codegen): sync for typed waiter-result values (#7965)
• 7a30bce fix(xml-builder): use xml 1.1 parsing behavior for entities (#7964)
• 7babd8b Publish v3.1037.0
• 46e4ac5 Publish v3.1036.0
• 107aefc chore(codegen): sync for http2 session closure, retry longpoll backoff, and f...
• Additional commits viewable in compare view

Updates @aws-sdk/client-ses from 3.1009.0 to 3.1041.0

Release notes

Sourced from @​aws-sdk/client-ses's releases.

v3.1041.0

3.1041.0(2026-05-01)

Chores

• core/client: emit warning for Node.js 20.x end-of-support (#7973) (00383767)
• workflows: migrate git-sync SSH key from GitHub secret to Secrets Manager via OIDC (#7978) (c056a2e3)
• codegen: smithy-aws-typescript-codegen 0.49.1 (#7980) (7bb42b39)

Documentation Changes

• client-iam: Added guidance for CreateOpenIDConnectProvider to include multiple thumbprints when OIDC discovery and JWKS endpoints use different hosts or certificates (b4bb6928)

New Features

• clients: update client endpoints as of 2026-05-01 (d48b40d5)
• client-iot: AWS IoT HTTP rule actions now support cross-topic batching, combining messages from different MQTT topics into single HTTP requests. (82edd29f)
• client-appstream: Amazon WorkSpaces Applications now enables AI agents to securely operate desktop applications. Administrators configure stacks to provide agents access to WorkSpaces. Agents can click, type, and take screenshots. Agents authenticate with AWS IAM credentials with activity logged in AWS CloudTrail. (5ca40b43)
• client-quicksight: Add IdentityProviderCACertificatesBundleS3Uri for private CA certs with OAuth datasources. 256-char limit for FontFamily in themes. ControlTitleFormatText on all 13 filters. ControlTitleFontConfiguration. ContextRegion for cross-region identity context. Story,scenario in CreateCustomCapability API. (a625879c)
• client-cloudwatch: This release adds tag support for CloudWatch Dashboards. The PutDashboard API now accepts a Tags parameter, allowing you to tag dashboards at creation time. Additionally, the TagResource, UntagResource, and ListTagsForResource APIs now support dashboard ARNs as resources. (e87c1479)
• client-entityresolution: Add support for transitive matching in AWS Entity Resolution rule-based matching workflows. When enabled, records that match through different rules are grouped together into the same match group, allowing related records to be connected across rule levels. (20487961)
• client-cloudwatch-logs: Adds support for filtering log groups by tags in the ListLogGroups API via the new logGroupTags parameter. (25dc6d23)
• client-qconnect: Added reasoning details, statusDescription, and timeToFirstTokenMs fields to the ListSpans response in Amazon Q in Connect to provide visibility into model thinking, error diagnostics, and inference latency metrics. (2c668c9d)

Bug Fixes

• lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#7982) (8a58046b)

---

For list of updated packages, view updated-packages.md in assets-3.1041.0.zip

v3.1040.0

3.1040.0(2026-04-30)

New Features

• clients: update client endpoints as of 2026-04-30 (2620ccbd)
• client-bedrock-agentcore-control: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (6b9d13e3)
• client-route53globalresolver: Adds support for regions in the UpdateGlobalResolver input. (84b15b2e)
• client-sagemaker: Add InstancePools support to Endpoint for flexible provisioning across a prioritized list of instance types. Add Specifications support to InferenceComponent for per-instance-type model configurations. (05c49aa9)
• client-sso-admin: Add InstanceArn and IdentityStoreArn in the response of CreateApplication API and IdentityStoreArn in the response of DescribeApplication API (d46aaf53)
• client-payment-cryptography: Adds support for resource-based policies on AWS Payment Cryptography keys, enabling cross-account key sharing. Also adds Multi-Party Approval (MPA) team association APIs for protecting sensitive import root public key operations. (4d7fdfa8)
• client-datazone: Adds support for asynchronous notebook runs (e562cc0f)
• client-kafka: Adds support for ZookeeperAccess field to control the Client-Zookeeper connectivity. (34de26bd)
• client-observabilityadmin: Observability Admin enablement launch for AWS Kafka, Bedrock Agent Core Workload Identity and OTel metric enablement. (8cea5eb6)
• client-eks: Vended logs update param for capability vended logs feature (7741c8f5)
• client-bedrock-agentcore: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (948fd098)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-ses's changelog.

3.1041.0 (2026-05-01)

Note: Version bump only for package @​aws-sdk/client-ses

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/client-ses

3.1039.0 (2026-04-29)

Note: Version bump only for package @​aws-sdk/client-ses

3.1038.0 (2026-04-27)

Note: Version bump only for package @​aws-sdk/client-ses

3.1037.0 (2026-04-24)

Note: Version bump only for package @​aws-sdk/client-ses

3.1036.0 (2026-04-23)

Note: Version bump only for package @​aws-sdk/client-ses

3.1035.0 (2026-04-22)

... (truncated)

Commits

• 5df4c01 Publish v3.1041.0
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3dfb72b chore(codegen): sync for adaptive retry fixes (#7970)
• 3fbf6c5 Publish v3.1038.0
• e9f8d8a chore(codegen): sync for typed waiter-result values (#7965)
• 7babd8b Publish v3.1037.0
• 46e4ac5 Publish v3.1036.0
• 107aefc chore(codegen): sync for http2 session closure, retry longpoll backoff, and f...
• d8fbfbc Publish v3.1035.0
• Additional commits viewable in compare view

Updates @aws-sdk/s3-request-presigner from 3.1014.0 to 3.1041.0

Release notes

Sourced from @​aws-sdk/s3-request-presigner's releases.

v3.1041.0

3.1041.0(2026-05-01)

Chores

• core/client: emit warning for Node.js 20.x end-of-support (#7973) (00383767)
• workflows: migrate git-sync SSH key from GitHub secret to Secrets Manager via OIDC (#7978) (c056a2e3)
• codegen: smithy-aws-typescript-codegen 0.49.1 (#7980) (7bb42b39)

Documentation Changes

• client-iam: Added guidance for CreateOpenIDConnectProvider to include multiple thumbprints when OIDC discovery and JWKS endpoints use different hosts or certificates (b4bb6928)

New Features

• clients: update client endpoints as of 2026-05-01 (d48b40d5)
• client-iot: AWS IoT HTTP rule actions now support cross-topic batching, combining messages from different MQTT topics into single HTTP requests. (82edd29f)
• client-appstream: Amazon WorkSpaces Applications now enables AI agents to securely operate desktop applications. Administrators configure stacks to provide agents access to WorkSpaces. Agents can click, type, and take screenshots. Agents authenticate with AWS IAM credentials with activity logged in AWS CloudTrail. (5ca40b43)
• client-quicksight: Add IdentityProviderCACertificatesBundleS3Uri for private CA certs with OAuth datasources. 256-char limit for FontFamily in themes. ControlTitleFormatText on all 13 filters. ControlTitleFontConfiguration. ContextRegion for cross-region identity context. Story,scenario in CreateCustomCapability API. (a625879c)
• client-cloudwatch: This release adds tag support for CloudWatch Dashboards. The PutDashboard API now accepts a Tags parameter, allowing you to tag dashboards at creation time. Additionally, the TagResource, UntagResource, and ListTagsForResource APIs now support dashboard ARNs as resources. (e87c1479)
• client-entityresolution: Add support for transitive matching in AWS Entity Resolution rule-based matching workflows. When enabled, records that match through different rules are grouped together into the same match group, allowing related records to be connected across rule levels. (20487961)
• client-cloudwatch-logs: Adds support for filtering log groups by tags in the ListLogGroups API via the new logGroupTags parameter. (25dc6d23)
• client-qconnect: Added reasoning details, statusDescription, and timeToFirstTokenMs fields to the ListSpans response in Amazon Q in Connect to provide visibility into model thinking, error diagnostics, and inference latency metrics. (2c668c9d)

Bug Fixes

• lib-storage: use Math.ceil in default partSize calculation to prevent exceeding 10,000 parts (#7982) (8a58046b)

---

For list of updated packages, view updated-packages.md in assets-3.1041.0.zip

v3.1040.0

3.1040.0(2026-04-30)

New Features

• clients: update client endpoints as of 2026-04-30 (2620ccbd)
• client-bedrock-agentcore-control: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (6b9d13e3)
• client-route53globalresolver: Adds support for regions in the UpdateGlobalResolver input. (84b15b2e)
• client-sagemaker: Add InstancePools support to Endpoint for flexible provisioning across a prioritized list of instance types. Add Specifications support to InferenceComponent for per-instance-type model configurations. (05c49aa9)
• client-sso-admin: Add InstanceArn and IdentityStoreArn in the response of CreateApplication API and IdentityStoreArn in the response of DescribeApplication API (d46aaf53)
• client-payment-cryptography: Adds support for resource-based policies on AWS Payment Cryptography keys, enabling cross-account key sharing. Also adds Multi-Party Approval (MPA) team association APIs for protecting sensitive import root public key operations. (4d7fdfa8)
• client-datazone: Adds support for asynchronous notebook runs (e562cc0f)
• client-kafka: Adds support for ZookeeperAccess field to control the Client-Zookeeper connectivity. (34de26bd)
• client-observabilityadmin: Observability Admin enablement launch for AWS Kafka, Bedrock Agent Core Workload Identity and OTel metric enablement. (8cea5eb6)
• client-eks: Vended logs update param for capability vended logs feature (7741c8f5)
• client-bedrock-agentcore: AgentCore Identity now supports on-behalf-of token exchange OAuth2. AgentCore Memory now supports metadata for LongTerm Memory Records. (948fd098)

... (truncated)

Changelog

Sourced from @​aws-sdk/s3-request-presigner's changelog.

3.1041.0 (2026-05-01)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1040.0 (2026-04-30)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1039.0 (2026-04-29)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1038.0 (2026-04-27)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1037.0 (2026-04-24)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1036.0 (2026-04-23)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1035.0 (2026-04-22)

... (truncated)

Commits

• 5df4c01 Publish v3.1041.0
• 7736067 Publish v3.1040.0
• 51c8215 Publish v3.1039.0
• 3fbf6c5 Publish v3.1038.0
• 7babd8b Publish v3.1037.0
• 46e4ac5 Publish v3.1036.0
• 107aefc chore(codegen): sync for http2 session closure, retry longpoll backoff, and f...
• d8fbfbc Publish v3.1035.0
• d08b5a7 Publish v3.1034.0
• 273ad5b chore(codegen): sync for http2 session concurrency fixes (#7942)
• Additional commits viewable in compare view

Updates @prisma/adapter-pg from 7.5.0 to 7.8.0

Release notes

Sourced from @​prisma/adapter-pg's releases.

7.8.0

Today, we are excited to share the 7.8.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

Prisma Client

• Added a queryPlanCacheMaxSize option to the PrismaClient constructor for fine-grained control over the query plan cache. Pass 0 to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)

Bug Fixes

Prisma Client

• Fixed an equality filter panic and incorrect ::jsonb cast when filtering on PostgreSQL JSON list columns. Queries using where: { jsonListField: { equals: [...] } }prisma/prisma-engines#5804
• Fixed case-insensitive JSON field filtering (mode: insensitive), allowing where: { jsonField: { equals: "...", mode: "insensitive" } }prisma/prisma-engines#5806
• Fixed incorrect parameterization of enum values that have a custom database name set via @map. (#29422)
• Fixed a database parameter limit check (P2029), which could incorrectly reject or miss over-limit queries. (#29422)
• Fixed a regression that caused missing SQL Server VARCHARprisma/prisma-engines#5801

Schema Engine

• Fixed a misleading error message in prisma migrate diff that referenced the --shadow-database-url CLI flag, which was removed in Prisma 7. (#29455)
• Fixed prisma migrate dev (and shadow database migration replay in general) failing with CREATE INDEX CONCURRENTLY cannot run inside a transaction blockprisma/prisma-engines#5799
• Fixed PostgreSQL introspection silently dropping sequence defaults when the database returns the schema-qualified form pg_catalog.nextval('sequence_name'::regclass) instead of the bare nextval(...). Columns backed by sequences now correctly appear as @default(autoincrement())prisma/prisma-engines#5802

Driver Adapters

• @​prisma/adapter-d1: Savepoint operations (createSavepoint, rollbackToSavepoint, releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

7.7.0

Today, we are excited to share the 7.7.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

... (truncated)

Commits

• f2ca67e feat: pg statement name generator (#29395)
• 4131568 fix: set @​types/pg to ^8.16.0 (#29390)
• 33667c3 fix(adapter-pg): handle both quoted/unquoted column names in ColumnNotFound e...
• e97b3e0 feat(adapter-pg): accept connection string URL in PrismaPg constructor (#29287)
• See full diff in compare view

Updates @vercel/functions from 3.4.3 to 3.5.0

Release notes

Sourced from @​vercel/functions's releases.

@​vercel/functions@​3.5.0

Minor Changes

• c56f851: Upgrade to TypeScript 5.9

Patch Changes

• Updated dependencies [c56f851]
  • @​vercel/oidc@​3.4.0

@​vercel/functions@​3.4.6

Patch Changes

• Updated dependencies [bf07448]
  • @​vercel/oidc@​3.3.1

@​vercel/functions@​3.4.5

Patch Changes

• 56c9f89: add missing prettier dev dependency
• Updated dependencies [24686d0]
• Updated dependencies [56c9f89]
  • @​vercel/oidc@​3.3.0

@​vercel/functions@​3.4.4

Patch Changes

• Pin typedoc-plugin-markdown to 3.15.2 and typedoc-plugin-mdn-links to 3.0.3 to match the version used by @vercel/edge. The previous 4.1.2 version requires typedoc@0.26.x as a peer dependency but was paired with typedoc@0.24.6, which caused CI failures whenever pnpm hoisted the 4.x plugin (the plugin calls app.internationalization.addTranslations, which does not exist in typedoc 0.24). The choice of which plugin version got hoisted was non-deterministic, which is why the failure appeared as flaky Build @vercel/<pkg> steps in CI. (#16072)

• Updated dependencies [2aa78415831fe89d1b21dd89704706bd1ad5e78d]:

  • @​vercel/oidc@​3.2.1

Changelog

Sourced from @​vercel/functions's changelog.

3.5.0

Minor Changes

• c56f851: Upgrade to TypeScript 5.9

Patch Changes

• Updated dependencies [c56f851]
  • @​vercel/oidc@​3.4.0

3.4.6

Patch Changes

• Updated dependencies [bf07448]
  • @​vercel/oidc@​3.3.1

3.4.5

Patch Changes

• 56c9f89: add missing prettier dev dependency
• Updated dependencies [24686d0]
• Updated dependencies [56c9f89]
  • @​vercel/oidc@​3.3.0

3.4.4

Patch Changes

• Pin typedoc-plugin-markdown to 3.15.2 and typedoc-plugin-mdn-links to 3.0.3 to match the version used by @vercel/edge. The previous 4.1.2 version requires typedoc@0.26.x as a peer dependency but was paired with typedoc@0.24.6, which caused CI failures whenever pnpm hoisted the 4.x plugin (the plugin calls app.internationalization.addTranslations, which does not exist in typedoc 0.24). The choice of which plugin version got hoisted was non-deterministic, which is why the failure appeared as flaky Build @vercel/<pkg> steps in CI. (#16072)

• Updated dependencies [2aa78415831fe89d1b21dd89704706bd1ad5e78d]:

  • @​vercel/oidc@​3.2.1

Commits

• 58ce911 Version Packages (#16161)
• c56f851 Upgrade repo-wide TypeScript to 5.9 (#16169)
• 40d32a8 Version Packages (#16155)
• 02c78f5 Version Packages (#16151)
• 56c9f89 Add missing prettier devDependency to packages that rely on it (#16084)
• 4eec0e5 Version Packages (#16068)
• 4b3769c fix: pin typedoc-plugin-markdown to 3.15.2 to match typedoc 0.24.6 peer (#16059)
• 415ee0b swap lint to biome (#15371)
• 111543a chore(ci): remove prettier for biome (#15298)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​vercel/functions since your current version.

Updates axios from 1.13.6 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to ...

  Description has been truncated

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dea-map	Error		May 4, 2026 7:59am