(chore): Bump the ci-dependencies group with 11 updates

[dependabot]

Bumps the ci-dependencies group with 11 updates:

Package	From	To
@formatjs/cli	6.14.3	6.14.4
@formatjs/fast-memoize	3.1.2	3.1.3
@formatjs/icu-messageformat-parser	3.5.5	3.5.6
@formatjs/intl	4.1.7	4.1.8
@formatjs/intl-localematcher	0.8.4	0.8.5
globals	17.5.0	17.6.0
axios	1.15.2	1.16.0
ts-patch	3.3.0	4.0.1
cypress	15.14.1	15.14.2
yaml	2.8.3	2.8.4
msw	2.13.6	2.14.2

Updates @formatjs/cli from 6.14.3 to 6.14.4

Release notes

Sourced from @​formatjs/cli's releases.

@​formatjs/cli@​6.14.4

6.14.4 (2026-04-29)

Bug Fixes

• formatjs_cli: extract formatMessage from callbacks inside optional chains (#6460) (cb7bb23) - by @​walkerburgin

Commits

• 19952b1 build: publish
• bd4cb1d fix(@​formatjs/intl-durationformat): use BigDecimal for sub-second rollups (#6...
• 2fcf7f3 fix(@​formatjs/unplugin): strip query/hash in transformInclude (#6465)
• cff6ade build(eslint-plugin-formatjs): enable gazelle for BUILD.bazel (#6464)
• f1720fc build(deps): switch gazelle_ts to official BCR v0.3.3 release (#6463)
• 6a8f1b4 chore(formatjs_cli): bump version to 1.1.2 (#6461)
• cb7bb23 fix(formatjs_cli): extract formatMessage from callbacks inside optional chain...
• c281a36 fix(deps): update dependency oxc-parser to ^0.128.0 (#6457)
• 76202f0 chore(deps): update dependency @​typescript/native-preview to v7.0.0-dev.20260...
• 924e6ef chore(deps): update dependency oxlint to v1.62.0 (#6453)
• Additional commits viewable in compare view

Updates @formatjs/fast-memoize from 3.1.2 to 3.1.3

Commits

• 19952b1 build: publish
• bd4cb1d fix(@​formatjs/intl-durationformat): use BigDecimal for sub-second rollups (#6...
• 2fcf7f3 fix(@​formatjs/unplugin): strip query/hash in transformInclude (#6465)
• cff6ade build(eslint-plugin-formatjs): enable gazelle for BUILD.bazel (#6464)
• f1720fc build(deps): switch gazelle_ts to official BCR v0.3.3 release (#6463)
• 6a8f1b4 chore(formatjs_cli): bump version to 1.1.2 (#6461)
• cb7bb23 fix(formatjs_cli): extract formatMessage from callbacks inside optional chain...
• c281a36 fix(deps): update dependency oxc-parser to ^0.128.0 (#6457)
• 76202f0 chore(deps): update dependency @​typescript/native-preview to v7.0.0-dev.20260...
• 924e6ef chore(deps): update dependency oxlint to v1.62.0 (#6453)
• Additional commits viewable in compare view

Updates @formatjs/icu-messageformat-parser from 3.5.5 to 3.5.6

Changelog

Sourced from @​formatjs/icu-messageformat-parser's changelog.

3.5.6 (2026-04-29)

Note: Version bump only for package @​formatjs/icu-messageformat-parser

Commits

• 19952b1 build: publish
• 303ee14 build(deps): migrate gazelle TS plugin to hermeticbuild/gazelle_plugins (#6438)
• f17ee2c build: migrate Rust toolchain from rules_rust to rules_rs (#6423)
• See full diff in compare view

Updates @formatjs/intl from 4.1.7 to 4.1.8

Commits

• 19952b1 build: publish
• bd4cb1d fix(@​formatjs/intl-durationformat): use BigDecimal for sub-second rollups (#6...
• 2fcf7f3 fix(@​formatjs/unplugin): strip query/hash in transformInclude (#6465)
• cff6ade build(eslint-plugin-formatjs): enable gazelle for BUILD.bazel (#6464)
• f1720fc build(deps): switch gazelle_ts to official BCR v0.3.3 release (#6463)
• 6a8f1b4 chore(formatjs_cli): bump version to 1.1.2 (#6461)
• cb7bb23 fix(formatjs_cli): extract formatMessage from callbacks inside optional chain...
• c281a36 fix(deps): update dependency oxc-parser to ^0.128.0 (#6457)
• 76202f0 chore(deps): update dependency @​typescript/native-preview to v7.0.0-dev.20260...
• 924e6ef chore(deps): update dependency oxlint to v1.62.0 (#6453)
• Additional commits viewable in compare view

Updates @formatjs/intl-localematcher from 0.8.4 to 0.8.5

Commits

• 19952b1 build: publish
• bd4cb1d fix(@​formatjs/intl-durationformat): use BigDecimal for sub-second rollups (#6...
• 2fcf7f3 fix(@​formatjs/unplugin): strip query/hash in transformInclude (#6465)
• cff6ade build(eslint-plugin-formatjs): enable gazelle for BUILD.bazel (#6464)
• f1720fc build(deps): switch gazelle_ts to official BCR v0.3.3 release (#6463)
• 6a8f1b4 chore(formatjs_cli): bump version to 1.1.2 (#6461)
• cb7bb23 fix(formatjs_cli): extract formatMessage from callbacks inside optional chain...
• c281a36 fix(deps): update dependency oxc-parser to ^0.128.0 (#6457)
• 76202f0 chore(deps): update dependency @​typescript/native-preview to v7.0.0-dev.20260...
• 924e6ef chore(deps): update dependency oxlint to v1.62.0 (#6453)
• Additional commits viewable in compare view

Updates globals from 17.5.0 to 17.6.0

Release notes

Sourced from globals's releases.

v17.6.0

• Update globals (2026-05-01) (#343) 00a4dd9

---

sindresorhus/globals@v17.5.0...v17.6.0

Commits

• 6b15870 17.6.0
• 00a4dd9 Update globals (2026-05-01) (#343)
• See full diff in compare view

Updates axios from 1.15.2 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

Commits

• df53d7d chore(release): prepare release 1.16.0 (#10834)
• 9d92bcd fix: gadgets and smaller issues (#10833)
• 5107ee6 fix: prevent undefined error codes in settle (#7276)
• e573499 fix(fetch): defer global access in fetch adapter (#7260)
• ad68e1a fix(http): honor timeout during connect without redirects (#10819)
• 2a51828 fix(http): decode URL basic auth credentials (#10825)
• 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
• 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
• 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
• cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
• Additional commits viewable in compare view

Updates ts-patch from 3.3.0 to 4.0.1

Release notes

Sourced from ts-patch's releases.

v4.0.1

4.0.1 (2026-05-01)

⚠ BREAKING CHANGES

• Support TS v6
• raises the Node.js floor to >=22.15.0 for module.registerHooks(). TypeScript transformer loading no longer uses ts-node; transformer module format is inferred from TypeScript compiler semantics, and the public isEsm option has been removed.
• removes the optional esm package fallback. ESM transformer loading now relies on Node >=22.12.0 native ESM support. Configuring isEsm: true on a .cts transformer entry is now rejected.
• Node.js 22.12.0 or newer is now required.

Features

• Dropped ts-node, replaced with pure TS compiler API & Swapped require wrap with module.registerHooks (987a199)
• Support TS v6 (e9c000f)
• use native Node ESM loading for transformer plugins (4c4e837)

Build System

• raise Node.js floor to 22.12.0 (d8f0a8f)

Changelog

Sourced from ts-patch's changelog.

4.0.1 (2026-05-01)

4.0.0 (2026-05-01)

⚠ BREAKING CHANGES

• Support TS v6
• raises the Node.js floor to >=22.15.0 for module.registerHooks(). TypeScript transformer loading no longer uses ts-node; transformer module format is inferred from TypeScript compiler semantics, and the public isEsm option has been removed.
• removes the optional esm package fallback. ESM transformer loading now relies on Node >=22.12.0 native ESM support. Configuring isEsm: true on a .cts transformer entry is now rejected.
• Node.js 22.12.0 or newer is now required.

Features

• Dropped ts-node, replaced with pure TS compiler API & Swapped require wrap with module.registerHooks (987a199)
• Support TS v6 (e9c000f)
• use native Node ESM loading for transformer plugins (4c4e837)

Build System

• raise Node.js floor to 22.12.0 (d8f0a8f)

Commits

• d4e0571 chore(release): 4.0.1
• 63fc87f build(ci): Updated for new Trusted Publisher based publish
• 3ac3aeb chore(release): 4.0.0
• aea4d89 build: Updated perf script
• 3da7d77 build(deps): Bumped deps to latest
• eeb60e1 build(ci): Updated CI scripts
• e9c000f feat!: Support TS v6
• 6c5da08 test: restore transformer behavior coverage
• 1485588 build: Updated .gitignore
• 987a199 feat!: Dropped ts-node, replaced with pure TS compiler API & Swapped require ...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ts-patch since your current version.

Updates cypress from 15.14.1 to 15.14.2

Release notes

Sourced from cypress's releases.

v15.14.2

Changelog: https://docs.cypress.io/app/references/changelog#15-14-2

Commits

• 545556e dependency(listr): upgrade listr 3.x to 9.x (#33640)
• ea98906 test: fix flake in readFile retries assertions until they pass (#33692)
• f159200 chore: upgrades ts-loader to 9.5.7 (#33691)
• d4b0324 test: stabilize flaky 'Your tests are loading...' waits (#33689)
• 3442523 fix: guard cy.wait against undefined retry responses (#33651)
• 3592361 fix: set primary remote state before HTTP server accepts requests (#33686)
• 47bb659 chore: updating v8 snapshot cache (#33690)
• 9363b86 update axios (#33687)
• 56472e3 chore: skip adding the install comment on the commit (#33685)
• d86bc45 chore: updating v8 snapshot cache (#33683)
• Additional commits viewable in compare view

Updates yaml from 2.8.3 to 2.8.4

Release notes

Sourced from yaml's releases.

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

Commits

• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• 0f226a3 docs: Add trailingComma ToString option
• See full diff in compare view

Updates msw from 2.13.6 to 2.14.2

Release notes

Sourced from msw's releases.

v2.14.2 (2026-04-29)

Bug Fixes

• export the NetworkApi type (#2734) (f0c03214b59f906ca8e92e3f0bb5d08fdf7d6f5e) @​kettanaito

v2.14.1 (2026-04-29)

Bug Fixes

• export default handler controllers (#2733) (f8dc874a236a4bd376c23cce9dd55ed59b8279e2) @​kettanaito

v2.14.0 (2026-04-29)

Features

• support ws.onUpgrade for handling connection upgrades (#2732) (e00e4d693db34884a316f659b8dcfb507cd79dce) @​kettanaito

Bug Fixes

• do not clone user-provided responses (#2731) (6953307c8061626d31a3651e69d47c885c0e4b76) @​kettanaito
• HttpResponse: forward cookies only when response is used (#2728) (30668e68f403535636bfb8dc12c64299d9c1c6e6) @​kettanaito

Commits

• 4bc4a5c chore(release): v2.14.2
• f0c0321 fix: export the NetworkApi type (#2734)
• 52dca1e chore(release): v2.14.1
• f8dc874 fix: export default handler controllers (#2733)
• 7fd02bd chore(release): v2.14.0
• e00e4d6 feat: support ws.onUpgrade for handling connection upgrades (#2732)
• 6953307 fix: do not clone user-provided responses (#2731)
• 30668e6 fix(HttpResponse): forward cookies only when response is used (#2728)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.08%. Comparing base (3a18f65) to head (ae8f5ae).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5129   +/-   ##
=======================================
  Coverage   80.08%   80.08%           
=======================================
  Files         578      578           
  Lines       12401    12401           
  Branches     2968     2979   +11     
=======================================
  Hits         9931     9931           
+ Misses       2299     2298    -1     
- Partials      171      172    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.