fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
axios (source)	1.15.1 → 1.15.2
cypress (source)	15.14.0 → 15.14.1
eslint-plugin-vue (source)	10.8.0 → 10.9.0
vue (source)	3.5.32 → 3.5.33
vue-router (source)	5.0.4 → 5.0.6

---

Release Notes

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

cypress-io/cypress (cypress)

v15.14.1

Compare Source

Changelog: https://docs.cypress.io/app/references/changelog#15-14-1

vuejs/eslint-plugin-vue (eslint-plugin-vue)

v10.9.0

Compare Source

Minor Changes

• Added "inject" to groups option in vue/no-unused-properties rule (#​3052)

• Added new ignores option to vue/no-literals-in-template rule (#​3072)

• Added support for :single-line/:multi-line pseudo-classes in vue/padding-line-between-tags (#​3025)

• Added new vue/prefer-v-model rule (#​3062)

• Added new vue/prefer-single-event-payload rule (#​3058)

Patch Changes

• Added error end positions for vue/no-irregular-whitespace (#​3065)

• Updated resources: add Attrs and AllowedAttrs type definitions (#​3059)

• Improved error positions in vue/max-len (#​3066)

• Improve performance in vue/no-child-content rule (#​3068)

• Migrate configs to TypeScript (#​3002)

• Updated resources: geolocation HTML element and ClassValue and InputAutoCompleteAttribute Vue 3 export (#​3040)

vuejs/core (vue)

v3.5.33

Compare Source

Bug Fixes

• compiler-sfc: handle nested :deep in selector pseudos (#​14725) (bb9d265), closes #​14724
• reactivity: unlink effect scopes on out-of-order off (#​14734) (e7659be), closes #​14733
• runtime-dom: preserve textarea resize dimensions (#​14747) (11fb2fd), closes #​14741
• teleport: don't move teleport children if not mounted (#​14702) (6a61f44), closes #​14701
• transition: preserve placeholder for conditional explicit default slots (#​14748) (45990ce), closes #​14727

vuejs/router (vue-router)

v5.0.6

Compare Source

   🐞 Bug Fixes

• Missing closing quote in generated import  -  by @​zjy040525 and @​posva in #​2688 (32f78)

    View changes on GitHub

v5.0.5

Compare Source

   🚀 Features

• Enable standard schema param parsers  -  by @​posva (ea8e3)
• Normalize param parsers once  -  by @​posva (48087)

   🐞 Bug Fixes

• Track definePage imports per-file to fix named view race condition  -  by @​posva (11191)
• Avoid double decoding hash on string location  -  by @​posva (1578c)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying jonprentice-me with    Cloudflare Pages

Latest commit:	9a62897
Status:	⚡️  Build in progress...

View logs

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}