Skip to content

chore(deps)(deps): bump the production-dependencies group across 1 directory with 17 updates#230

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-03c2cbaf9a
Open

chore(deps)(deps): bump the production-dependencies group across 1 directory with 17 updates#230
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/production-dependencies-03c2cbaf9a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the production-dependencies group with 17 updates in the / directory:

Package From To
@aws-sdk/client-s3 3.1009.0 3.1073.0
@aws-sdk/client-ses 3.1009.0 3.1073.0
@aws-sdk/s3-request-presigner 3.1014.0 3.1073.0
@prisma/adapter-pg 7.5.0 7.8.0
@vercel/functions 3.4.3 3.7.2
axios 1.13.6 1.18.0
canvas 3.2.1 3.2.3
dotenv 17.3.1 17.4.2
jose 6.2.1 6.2.3
next 16.1.6 16.2.9
papaparse 5.5.3 5.5.4
proj4 2.20.4 2.20.9
react 19.2.4 19.2.7
react-dom 19.2.4 19.2.7
react-leaflet-cluster 4.0.0 4.1.3
sharp 0.34.5 0.35.2
zod 4.3.6 4.4.3

Updates @aws-sdk/client-s3 from 3.1009.0 to 3.1073.0

Release notes

Sourced from @​aws-sdk/client-s3's releases.

v3.1073.0

3.1073.0(2026-06-19)

New Features
  • client-glue: Adds the SearchAssets operation for discovering assets in the AWS Glue Data Catalog using full-text search and filters. Minor naming refinements across the Glossary Terms and Attachment APIs for consistency. (ef204650)
  • client-connect: This is the release for point based scoring system and the evaluation form validation project (b19c162a)
  • client-bedrock-agent: Add support for metadata-only retrieval on GetFlow, GetFlowVersion, and GetPrompt APIs. (c9d5fb33)
  • client-appstream: Amazon WorkSpaces Agent Access now supports domain-joined fleets for enterprise identity integration, real-time agent observation with instant stop controls, and MCP tool forwarding for lower-latency, cost-effective desktop tool access. (d9c25f0b)
  • client-opensearch: This release introduces data source attachment APIs, enabling users to attach and detach Amazon OpenSearch Service domains and Amazon OpenSearch Serverless collections to an OpenSearch application. (6cce3d69)

For list of updated packages, view updated-packages.md in assets-3.1073.0.zip

v3.1072.0

3.1072.0(2026-06-18)

Documentation Changes
  • client-ec2: Documentation updates clarifying CancelCapacityReservation cancellable states (e3723ba7)
New Features
  • client-compute-optimizer: This release surfaces two new metrics Volume IOPS Exceeded and Volume Throughput Exceeded into EBS volume rightsizing recommendations. (ded6618d)
  • client-application-auto-scaling: Adds support for ECS high-resolution predefined scaling metrics (ECSServiceAverageCPUUtilizationHighResolution, ECSServiceAverageMemoryUtilizationHighResolution) enabling 20-second metric periods for faster scaling (95b3513a)
  • client-cognito-identity-provider: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. During CreateUserPoolDomain and UpdateUserPoolDomain this is used to select a custom domain's TLS enforcement, and for DescribeUserPoolDomain it informs users about the current TLS. (e8937787)
  • client-sagemaker: Adds support for automatic AMI patching on HyperPod clusters. Customers can configure patching strategies to automatically apply security patch with zero job termination. Customers can also specify an AMI version at instance group level and update cluster software to a certain AMI version. (fd33a5e4)
  • client-ecs: Amazon ECS services now support high resolution (20 second) CloudWatch metrics for CPUUtilization and MemoryUtilization. Use these metrics for faster service auto scaling. (93055ac9)
  • client-healthlake: Adding New Configurations to the FHIR Create Datastore. The new configurations include NLP Configuration, AnalyticsConfiguration, ProfileConfiguration (494fa59f)
  • client-gamelift: Amazon GameLift Servers has launched support for customizing Linux capabilities in container fleets. You can now specify additional Linux capabilities for containers in a container group definition, giving you finer control over the default Docker capabilities available to your containers. (93cefd90)
  • client-eks: Adds support for configurable control plane egress routing in Amazon EKS, allowing you to route control plane egress traffic through your VPC and control how the control plane reaches resources in your network such as webhook servers and OIDC providers. (693db629)
  • client-lambda: Converging and fixing existing documentation gaps in Lambda SDK (6555a565)
  • client-synthetics: CloudWatch Synthetics adds support for multi-location canaries. Customers can now monitor their endpoints from multiple locations with centralized management from a primary location. The SDK includes new parameters for configuring multiple locations and tracking their state. (f2c8b480)
  • client-cloudwatch-logs: Added optional startFromHead parameter to FilterLogEvents enabling descending timestamp order (newest first) when set to false. Default true preserves existing ascending order. Reverse sorting requires a startTime on or after Jan 1, 2024. (1be63ed9)
  • client-batch: Adds Support for ordered allocation strategies- BEST-FIT-PROGRESSIVE-ORDERED or SPOT-CAPACITY-OPTIMIZED-PRIORITIZED (0e57e53b)

For list of updated packages, view updated-packages.md in assets-3.1072.0.zip

v3.1071.0

3.1071.0(2026-06-17)

New Features
  • client-partnercentral-selling: Cosell Resonate AND Prospecing API Launch with ARN correction (7e8c98ab)
  • client-compute-optimizer-automation: This launch adds IfExists comparison operators to Compute Optimizer Automation rule criteria, so a rule can include recommended actions whose specified attribute isn't present. (ab2c616d)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-s3's changelog.

3.1073.0 (2026-06-19)

Note: Version bump only for package @​aws-sdk/client-s3

3.1072.0 (2026-06-18)

Note: Version bump only for package @​aws-sdk/client-s3

3.1071.0 (2026-06-17)

Note: Version bump only for package @​aws-sdk/client-s3

3.1070.0 (2026-06-16)

Features

  • client-s3: Added support for annotations. You can now attach up to 1000 annotations (up to 1 MB each) directly to objects and create, retrieve, list, and delete them using new annotation APIs. Also added support for configuring an annotation table in S3 Metadata. (c555874)

3.1069.0 (2026-06-15)

Note: Version bump only for package @​aws-sdk/client-s3

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/client-s3

... (truncated)

Commits

Updates @aws-sdk/client-ses from 3.1009.0 to 3.1073.0

Release notes

Sourced from @​aws-sdk/client-ses's releases.

v3.1073.0

3.1073.0(2026-06-19)

New Features
  • client-glue: Adds the SearchAssets operation for discovering assets in the AWS Glue Data Catalog using full-text search and filters. Minor naming refinements across the Glossary Terms and Attachment APIs for consistency. (ef204650)
  • client-connect: This is the release for point based scoring system and the evaluation form validation project (b19c162a)
  • client-bedrock-agent: Add support for metadata-only retrieval on GetFlow, GetFlowVersion, and GetPrompt APIs. (c9d5fb33)
  • client-appstream: Amazon WorkSpaces Agent Access now supports domain-joined fleets for enterprise identity integration, real-time agent observation with instant stop controls, and MCP tool forwarding for lower-latency, cost-effective desktop tool access. (d9c25f0b)
  • client-opensearch: This release introduces data source attachment APIs, enabling users to attach and detach Amazon OpenSearch Service domains and Amazon OpenSearch Serverless collections to an OpenSearch application. (6cce3d69)

For list of updated packages, view updated-packages.md in assets-3.1073.0.zip

v3.1072.0

3.1072.0(2026-06-18)

Documentation Changes
  • client-ec2: Documentation updates clarifying CancelCapacityReservation cancellable states (e3723ba7)
New Features
  • client-compute-optimizer: This release surfaces two new metrics Volume IOPS Exceeded and Volume Throughput Exceeded into EBS volume rightsizing recommendations. (ded6618d)
  • client-application-auto-scaling: Adds support for ECS high-resolution predefined scaling metrics (ECSServiceAverageCPUUtilizationHighResolution, ECSServiceAverageMemoryUtilizationHighResolution) enabling 20-second metric periods for faster scaling (95b3513a)
  • client-cognito-identity-provider: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. During CreateUserPoolDomain and UpdateUserPoolDomain this is used to select a custom domain's TLS enforcement, and for DescribeUserPoolDomain it informs users about the current TLS. (e8937787)
  • client-sagemaker: Adds support for automatic AMI patching on HyperPod clusters. Customers can configure patching strategies to automatically apply security patch with zero job termination. Customers can also specify an AMI version at instance group level and update cluster software to a certain AMI version. (fd33a5e4)
  • client-ecs: Amazon ECS services now support high resolution (20 second) CloudWatch metrics for CPUUtilization and MemoryUtilization. Use these metrics for faster service auto scaling. (93055ac9)
  • client-healthlake: Adding New Configurations to the FHIR Create Datastore. The new configurations include NLP Configuration, AnalyticsConfiguration, ProfileConfiguration (494fa59f)
  • client-gamelift: Amazon GameLift Servers has launched support for customizing Linux capabilities in container fleets. You can now specify additional Linux capabilities for containers in a container group definition, giving you finer control over the default Docker capabilities available to your containers. (93cefd90)
  • client-eks: Adds support for configurable control plane egress routing in Amazon EKS, allowing you to route control plane egress traffic through your VPC and control how the control plane reaches resources in your network such as webhook servers and OIDC providers. (693db629)
  • client-lambda: Converging and fixing existing documentation gaps in Lambda SDK (6555a565)
  • client-synthetics: CloudWatch Synthetics adds support for multi-location canaries. Customers can now monitor their endpoints from multiple locations with centralized management from a primary location. The SDK includes new parameters for configuring multiple locations and tracking their state. (f2c8b480)
  • client-cloudwatch-logs: Added optional startFromHead parameter to FilterLogEvents enabling descending timestamp order (newest first) when set to false. Default true preserves existing ascending order. Reverse sorting requires a startTime on or after Jan 1, 2024. (1be63ed9)
  • client-batch: Adds Support for ordered allocation strategies- BEST-FIT-PROGRESSIVE-ORDERED or SPOT-CAPACITY-OPTIMIZED-PRIORITIZED (0e57e53b)

For list of updated packages, view updated-packages.md in assets-3.1072.0.zip

v3.1071.0

3.1071.0(2026-06-17)

New Features
  • client-partnercentral-selling: Cosell Resonate AND Prospecing API Launch with ARN correction (7e8c98ab)
  • client-compute-optimizer-automation: This launch adds IfExists comparison operators to Compute Optimizer Automation rule criteria, so a rule can include recommended actions whose specified attribute isn't present. (ab2c616d)

... (truncated)

Changelog

Sourced from @​aws-sdk/client-ses's changelog.

3.1073.0 (2026-06-19)

Note: Version bump only for package @​aws-sdk/client-ses

3.1072.0 (2026-06-18)

Note: Version bump only for package @​aws-sdk/client-ses

3.1071.0 (2026-06-17)

Note: Version bump only for package @​aws-sdk/client-ses

3.1070.0 (2026-06-16)

Note: Version bump only for package @​aws-sdk/client-ses

3.1069.0 (2026-06-15)

Note: Version bump only for package @​aws-sdk/client-ses

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/client-ses

3.1067.0 (2026-06-11)

... (truncated)

Commits

Updates @aws-sdk/s3-request-presigner from 3.1014.0 to 3.1073.0

Release notes

Sourced from @​aws-sdk/s3-request-presigner's releases.

v3.1073.0

3.1073.0(2026-06-19)

New Features
  • client-glue: Adds the SearchAssets operation for discovering assets in the AWS Glue Data Catalog using full-text search and filters. Minor naming refinements across the Glossary Terms and Attachment APIs for consistency. (ef204650)
  • client-connect: This is the release for point based scoring system and the evaluation form validation project (b19c162a)
  • client-bedrock-agent: Add support for metadata-only retrieval on GetFlow, GetFlowVersion, and GetPrompt APIs. (c9d5fb33)
  • client-appstream: Amazon WorkSpaces Agent Access now supports domain-joined fleets for enterprise identity integration, real-time agent observation with instant stop controls, and MCP tool forwarding for lower-latency, cost-effective desktop tool access. (d9c25f0b)
  • client-opensearch: This release introduces data source attachment APIs, enabling users to attach and detach Amazon OpenSearch Service domains and Amazon OpenSearch Serverless collections to an OpenSearch application. (6cce3d69)

For list of updated packages, view updated-packages.md in assets-3.1073.0.zip

v3.1072.0

3.1072.0(2026-06-18)

Documentation Changes
  • client-ec2: Documentation updates clarifying CancelCapacityReservation cancellable states (e3723ba7)
New Features
  • client-compute-optimizer: This release surfaces two new metrics Volume IOPS Exceeded and Volume Throughput Exceeded into EBS volume rightsizing recommendations. (ded6618d)
  • client-application-auto-scaling: Adds support for ECS high-resolution predefined scaling metrics (ECSServiceAverageCPUUtilizationHighResolution, ECSServiceAverageMemoryUtilizationHighResolution) enabling 20-second metric periods for faster scaling (95b3513a)
  • client-cognito-identity-provider: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. During CreateUserPoolDomain and UpdateUserPoolDomain this is used to select a custom domain's TLS enforcement, and for DescribeUserPoolDomain it informs users about the current TLS. (e8937787)
  • client-sagemaker: Adds support for automatic AMI patching on HyperPod clusters. Customers can configure patching strategies to automatically apply security patch with zero job termination. Customers can also specify an AMI version at instance group level and update cluster software to a certain AMI version. (fd33a5e4)
  • client-ecs: Amazon ECS services now support high resolution (20 second) CloudWatch metrics for CPUUtilization and MemoryUtilization. Use these metrics for faster service auto scaling. (93055ac9)
  • client-healthlake: Adding New Configurations to the FHIR Create Datastore. The new configurations include NLP Configuration, AnalyticsConfiguration, ProfileConfiguration (494fa59f)
  • client-gamelift: Amazon GameLift Servers has launched support for customizing Linux capabilities in container fleets. You can now specify additional Linux capabilities for containers in a container group definition, giving you finer control over the default Docker capabilities available to your containers. (93cefd90)
  • client-eks: Adds support for configurable control plane egress routing in Amazon EKS, allowing you to route control plane egress traffic through your VPC and control how the control plane reaches resources in your network such as webhook servers and OIDC providers. (693db629)
  • client-lambda: Converging and fixing existing documentation gaps in Lambda SDK (6555a565)
  • client-synthetics: CloudWatch Synthetics adds support for multi-location canaries. Customers can now monitor their endpoints from multiple locations with centralized management from a primary location. The SDK includes new parameters for configuring multiple locations and tracking their state. (f2c8b480)
  • client-cloudwatch-logs: Added optional startFromHead parameter to FilterLogEvents enabling descending timestamp order (newest first) when set to false. Default true preserves existing ascending order. Reverse sorting requires a startTime on or after Jan 1, 2024. (1be63ed9)
  • client-batch: Adds Support for ordered allocation strategies- BEST-FIT-PROGRESSIVE-ORDERED or SPOT-CAPACITY-OPTIMIZED-PRIORITIZED (0e57e53b)

For list of updated packages, view updated-packages.md in assets-3.1072.0.zip

v3.1071.0

3.1071.0(2026-06-17)

New Features
  • client-partnercentral-selling: Cosell Resonate AND Prospecing API Launch with ARN correction (7e8c98ab)
  • client-compute-optimizer-automation: This launch adds IfExists comparison operators to Compute Optimizer Automation rule criteria, so a rule can include recommended actions whose specified attribute isn't present. (ab2c616d)

... (truncated)

Changelog

Sourced from @​aws-sdk/s3-request-presigner's changelog.

3.1073.0 (2026-06-19)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1072.0 (2026-06-18)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1071.0 (2026-06-17)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1070.0 (2026-06-16)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1069.0 (2026-06-15)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1068.0 (2026-06-12)

Note: Version bump only for package @​aws-sdk/s3-request-presigner

3.1067.0 (2026-06-11)

... (truncated)

Commits

Updates @prisma/adapter-pg from 7.5.0 to 7.8.0

Release notes

Sourced from @​prisma/adapter-pg's releases.

7.8.0

Today, we are excited to share the 7.8.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

Highlights

ORM

Features

Prisma Client

  • Added a queryPlanCacheMaxSize option to the PrismaClient constructor for fine-grained control over the query plan cache. Pass 0 to disable the cache entirely, or omit it to use the default cache size. A larger value can improve performance in applications that execute many unique queries, while a smaller one can reduce memory usage. (#29503)

Bug Fixes

Prisma Client

  • Fixed an equality filter panic and incorrect ::jsonb cast when filtering on PostgreSQL JSON list columns. Queries using where: { jsonListField: { equals: [...] } }prisma/prisma-engines#5804
  • Fixed case-insensitive JSON field filtering (mode: insensitive), allowing where: { jsonField: { equals: "...", mode: "insensitive" } }prisma/prisma-engines#5806
  • Fixed incorrect parameterization of enum values that have a custom database name set via @map. (#29422)
  • Fixed a database parameter limit check (P2029), which could incorrectly reject or miss over-limit queries. (#29422)
  • Fixed a regression that caused missing SQL Server VARCHARprisma/prisma-engines#5801

Schema Engine

  • Fixed a misleading error message in prisma migrate diff that referenced the --shadow-database-url CLI flag, which was removed in Prisma 7. (#29455)
  • Fixed prisma migrate dev (and shadow database migration replay in general) failing with CREATE INDEX CONCURRENTLY cannot run inside a transaction blockprisma/prisma-engines#5799
  • Fixed PostgreSQL introspection silently dropping sequence defaults when the database returns the schema-qualified form pg_catalog.nextval('sequence_name'::regclass) instead of the bare nextval(...). Columns backed by sequences now correctly appear as @default(autoincrement())prisma/prisma-engines#5802

Driver Adapters

  • @​prisma/adapter-d1: Savepoint operations (createSavepoint, rollbackToSavepoint, releaseSavepoint) now silently no-op with debug logging instead of executing SQL statements, consistent with how the D1 adapter already treats top-level transactions. (#29499)

Open roles at Prisma

Interested in joining Prisma? We're growing and have several exciting opportunities across the company for developers who are passionate about building with Prisma. Explore our open positions on our Careers page and find the role that's right for you.

Enterprise support

Thousands of teams use Prisma and many of them already tap into our Enterprise & Agency Support Program for hands-on help with everything from schema integrations and performance tuning to security and compliance.

With this program you also get priority issue triage and bug fixes, expert scalability advice, and custom training so that your Prisma-powered apps stay rock-solid at any scale. Learn more or join: https://prisma.io/enterprise.

7.7.0

Today, we are excited to share the 7.7.0 stable release 🎉

🌟 Star this repo for notifications about new releases, bug fixes & features — or follow us on X!

... (truncated)

Commits
  • f2ca67e feat: pg statement name generator (#29395)
  • 4131568 fix: set @​types/pg to ^8.16.0 (#29390)
  • 33667c3 fix(adapter-pg): handle both quoted/unquoted column names in ColumnNotFound e...
  • e97b3e0 feat(adapter-pg): accept connection string URL in PrismaPg constructor (#29287)
  • See full diff in compare view

Updates @vercel/functions from 3.4.3 to 3.7.2

Release notes

Sourced from @​vercel/functions's releases.

@​vercel/functions@​3.7.2

Patch Changes

  • 071569d: Add a maxPayload option to experimental_upgradeWebSocket(), defaulting to 256 KiB.
    • @​vercel/oidc@​3.6.2

@​vercel/functions@​3.7.1

Patch Changes

  • a7f1f7c: Make ws an optional peer dependency
Changelog

Sourced from @​vercel/functions's changelog.

3.7.2

Patch Changes

  • 071569d: Add a maxPayload option to experimental_upgradeWebSocket(), defaulting to 256 KiB.
    • @​vercel/oidc@​3.6.2

3.7.1

Patch Changes

  • a7f1f7c: Make ws an optional peer dependency

3.7.0

Minor Changes

  • 3f3ef14: Add experimental_upgradeWebSocket() API

3.6.3

Patch Changes

  • Updated dependencies [01cf6c2]
    • @​vercel/oidc@​3.6.1

3.6.2

Patch Changes

  • Updated dependencies [fddeb55]
    • @​vercel/oidc@​3.6.0

3.6.1

Patch Changes

  • Updated dependencies [5a700dc]
    • @​vercel/oidc@​3.5.0

3.6.0

Minor Changes

  • 102f82b: getCache().set() now defaults options.name to the provided key when omitted, so cache entries get a human-readable label in o11y by default. Pass name: '' to suppress this behavior and use the hashed key.

3.5.1

Patch Changes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​vercel/functions since your current version.


Updates axios from 1.13.6 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Commits
  • 2d06f96 chore(release): prepare release 1.18.0 (#11003)
  • 32fc489 fix: malformed http urls (#11000)
  • b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
  • fe964f9 docs: mark proxy config as Node.js only (#10995)
  • 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
  • fae9d4e docs: clarify package update PR policy (#10992)
  • 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
  • a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
  • 614f455 docs: publish v1.17.0 release notes (#10988)
  • 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates canvas from 3.2.1 to 3.2.3

Release notes

Sourced from canvas's releases.

v3.2.3

Fixed

  • Fix building with gcc (#2559)

v3.2.2

Fixed

  • Fix dangling env pointer in image MIME data cleanup (#2550)
  • Fix ctx.direction not affected by ctx.save and ctx.restore
  • Preserve rest of PDF pages when changing width and height (#2538)
  • Several security fixes for untrusted inputs to getImageData and putImageData. Thanks to Ethan Kim for the report.
Changelog

Sourced from canvas's changelog.

3.2.3

Fixed

  • Fix building with gcc (#2559)

3.2.2

Fixed

  • Fix dangling env pointer in image MIME data cleanup (#2550)
  • Fix ctx.direction not affected by ctx.save and ctx.restore
  • Preserve rest of PDF pages when changing width and height (#2538)
  • Several security fixes for untrusted inputs to getImageData and putImageData. Thanks to Ethan Kim for the report.
Commits
  • f91598e v3.2.3
  • 1541544 PAGE_SIZE shouldn't be unsigned
  • ac82fa7 v3.2.2
  • 103a620 add the last flurry of commits to CHANGELOG
  • 7304c7a avoid integer overflow in getImageData
  • f9fcc5f avoid inte...

    Description has been truncated

…rectory with 17 updates

Bumps the production-dependencies group with 17 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@aws-sdk/client-s3](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-s3) | `3.1009.0` | `3.1073.0` |
| [@aws-sdk/client-ses](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/clients/client-ses) | `3.1009.0` | `3.1073.0` |
| [@aws-sdk/s3-request-presigner](https://github.com/aws/aws-sdk-js-v3/tree/HEAD/packages/s3-request-presigner) | `3.1014.0` | `3.1073.0` |
| [@prisma/adapter-pg](https://github.com/prisma/prisma/tree/HEAD/packages/adapter-pg) | `7.5.0` | `7.8.0` |
| [@vercel/functions](https://github.com/vercel/vercel/tree/HEAD/packages/functions) | `3.4.3` | `3.7.2` |
| [axios](https://github.com/axios/axios) | `1.13.6` | `1.18.0` |
| [canvas](https://github.com/Automattic/node-canvas) | `3.2.1` | `3.2.3` |
| [dotenv](https://github.com/motdotla/dotenv) | `17.3.1` | `17.4.2` |
| [jose](https://github.com/panva/jose) | `6.2.1` | `6.2.3` |
| [next](https://github.com/vercel/next.js) | `16.1.6` | `16.2.9` |
| [papaparse](https://github.com/mholt/PapaParse) | `5.5.3` | `5.5.4` |
| [proj4](https://github.com/proj4js/proj4js) | `2.20.4` | `2.20.9` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.7` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.7` |
| [react-leaflet-cluster](https://github.com/akursat/react-leaflet-cluster) | `4.0.0` | `4.1.3` |
| [sharp](https://github.com/lovell/sharp) | `0.34.5` | `0.35.2` |
| [zod](https://github.com/colinhacks/zod) | `4.3.6` | `4.4.3` |



Updates `@aws-sdk/client-s3` from 3.1009.0 to 3.1073.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1073.0/clients/client-s3)

Updates `@aws-sdk/client-ses` from 3.1009.0 to 3.1073.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/clients/client-ses/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1073.0/clients/client-ses)

Updates `@aws-sdk/s3-request-presigner` from 3.1014.0 to 3.1073.0
- [Release notes](https://github.com/aws/aws-sdk-js-v3/releases)
- [Changelog](https://github.com/aws/aws-sdk-js-v3/blob/main/packages/s3-request-presigner/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-js-v3/commits/v3.1073.0/packages/s3-request-presigner)

Updates `@prisma/adapter-pg` from 7.5.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/adapter-pg)

Updates `@vercel/functions` from 3.4.3 to 3.7.2
- [Release notes](https://github.com/vercel/vercel/releases)
- [Changelog](https://github.com/vercel/vercel/blob/main/packages/functions/CHANGELOG.md)
- [Commits](https://github.com/vercel/vercel/commits/@vercel/functions@3.7.2/packages/functions)

Updates `axios` from 1.13.6 to 1.18.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.6...v1.18.0)

Updates `canvas` from 3.2.1 to 3.2.3
- [Release notes](https://github.com/Automattic/node-canvas/releases)
- [Changelog](https://github.com/Automattic/node-canvas/blob/master/CHANGELOG.md)
- [Commits](Automattic/node-canvas@v3.2.1...v3.2.3)

Updates `dotenv` from 17.3.1 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v17.3.1...v17.4.2)

Updates `jose` from 6.2.1 to 6.2.3
- [Release notes](https://github.com/panva/jose/releases)
- [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md)
- [Commits](panva/jose@v6.2.1...v6.2.3)

Updates `next` from 16.1.6 to 16.2.9
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v16.1.6...v16.2.9)

Updates `papaparse` from 5.5.3 to 5.5.4
- [Release notes](https://github.com/mholt/PapaParse/releases)
- [Changelog](https://github.com/mholt/PapaParse/blob/master/CHANGELOG.md)
- [Commits](mholt/PapaParse@5.5.3...5.5.4)

Updates `proj4` from 2.20.4 to 2.20.9
- [Release notes](https://github.com/proj4js/proj4js/releases)
- [Changelog](https://github.com/proj4js/proj4js/blob/main/changelog.md)
- [Commits](proj4js/proj4js@v2.20.4...v2.20.9)

Updates `react` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react)

Updates `react-dom` from 19.2.4 to 19.2.7
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

Updates `react-leaflet-cluster` from 4.0.0 to 4.1.3
- [Release notes](https://github.com/akursat/react-leaflet-cluster/releases)
- [Commits](akursat/react-leaflet-cluster@v4.0.0...v4.1.3)

Updates `sharp` from 0.34.5 to 0.35.2
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.5...v0.35.2)

Updates `zod` from 4.3.6 to 4.4.3
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.3)

---
updated-dependencies:
- dependency-name: "@aws-sdk/client-s3"
  dependency-version: 3.1073.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@aws-sdk/client-ses"
  dependency-version: 3.1073.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@aws-sdk/s3-request-presigner"
  dependency-version: 3.1073.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@prisma/adapter-pg"
  dependency-version: 7.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: "@vercel/functions"
  dependency-version: 3.7.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: axios
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: canvas
  dependency-version: 3.2.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: jose
  dependency-version: 6.2.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: next
  dependency-version: 16.2.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: papaparse
  dependency-version: 5.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: proj4
  dependency-version: 2.20.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: react-leaflet-cluster
  dependency-version: 4.1.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: sharp
  dependency-version: 0.35.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added automated dependencies Pull requests that update a dependency file labels Jun 22, 2026
@vercel

vercel Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
dea-map Error Error Jun 22, 2026 7:11am

Request Review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants