chore(deps): bump the npm_and_yarn group across 13 directories with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 4 updates in the / directory: hono, axios, inngest and next.
Bumps the npm_and_yarn group with 7 updates in the /docs directory:

Package	From	To
hono	4.7.7	4.12.18
axios	1.11.0	1.16.0
next	15.2.4	15.5.18
fast-xml-parser	4.4.1	5.7.2
langsmith	0.3.33	0.6.3
protobufjs	7.5.0	7.5.6
dompurify	3.2.4	3.4.2

Bumps the npm_and_yarn group with 1 update in the /examples/ai-sdk-useChat directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/ai-sdk-v5 directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/assistant-ui directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/bird-checker-with-nextjs directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/bird-checker-with-nextjs-and-eval directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/crypto-chatbot directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/openapi-spec-writer directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/travel-app directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/voice/interactive-story directory: next.
Bumps the npm_and_yarn group with 1 update in the /examples/voice/voice-memo-app directory: next.
Bumps the npm_and_yarn group with 2 updates in the /scripts/gh-issue-triage directory: hono and protobufjs.

Updates hono from 4.8.12 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

New Contributors

• @​hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

... (truncated)

Commits

• 90d4182 4.12.16
• db05b96 Merge commit from fork
• 614b834 Merge commit from fork
• 027e3df fix(method-override): handle Content-Type with charset parameter (#4894)
• f774f8d 4.12.15
• 18fe604 fix(jwt): support single-line PEM keys (#4889)
• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• Additional commits viewable in compare view

Updates axios from 1.11.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates inngest from 3.40.1 to 3.54.0

Release notes

Sourced from inngest's releases.

inngest@3.52.7

Patch Changes

• #1359 b4d9833f Thanks @​Linell! - fix: use deterministic IDs for correct checkpointed parenting

• #1370 037336dc Thanks @​amh4r! - Fix mishandling drain message (Connect only)

inngest@3.52.6

Patch Changes

• #1350 470fdb98 Thanks @​amh4r! - Fix false NESTING_STEPS error

• #1356 2e961c21 Thanks @​amh4r! - Fix checkpointing maxRuntime causing function run hang

inngest@3.52.5

Patch Changes

• #1340 335703d7 Thanks @​Linell! - fix: fallback to async flow on checkpoint error

inngest@3.52.4

Patch Changes

• #1338 4f45adb7 Thanks @​jakobevangelista! - Fix signing key propagation from serve() options to InngestApi for outgoing API calls

inngest@3.52.3

Patch Changes

• #1329 d079c0be Thanks @​Linell! - fix: flush checkpoint buffer

inngest@3.52.2

Patch Changes

• #1318 d81d29bc Thanks @​amh4r! - Fix undefined step in transformOutput middleware

inngest@3.52.1

Patch Changes

• #1258 e17a148f Thanks @​amh4r! - Connect: add worker thread support

• #1313 bbdab785 Thanks @​tonyhb! - Add step names and IDs to step not found error

• #1306 b74bd1b9 Thanks @​amh4r! - Add a log before the 405 response

inngest@3.52.0

Minor Changes

• #1288 daf858f0 Thanks @​jpwilliams! - Add the ability to create Durable Endpoint Proxies, used to redirect to Inngest run results using a user's own domain.

  import { Inngest, step } from "inngest";

... (truncated)

Changelog

Sourced from inngest's changelog.

inngest

4.3.0

Minor Changes

• #1504 5c8f50e1 Thanks @​scottnuma! - Accept Temporal.Duration, Temporal.Instant, and Temporal.ZonedDateTime (and their *Like variants) wherever a timeout or sleep duration is taken: step.sleep(), step.waitForEvent(), step.waitForSignal(), step.invoke(), and function-level cancelOn timeouts. Durations are treated as relative waits; instants and zoned date-times as absolute deadlines.

Patch Changes

• #1480 60cda73f Thanks @​mar-inngest! - Fix Connect shutdown getting stuck when a late lease-extension ACK recreates a stale in-flight lease entry after request completion or lease loss

4.2.6

Patch Changes

• #1492 68dcd8aa Thanks @​amh4r! - Reduce response info when unauthorized

• #1490 a8027116 Thanks @​amh4r! - Authed introspection returns partial signing key hash

4.2.5

Patch Changes

• #1479 6b9769ca Thanks @​scottnuma! - Fix step.sendSignal() return type to match runtime: Promise<InngestApi.SendSignalResponse> ({ runId: string | undefined }) instead of Promise<null>

• #1483 d0a59629 Thanks @​Linell! - Fix run IDs not URL encoded in Durable Endpoints

• #1481 970ded9b Thanks @​Linell! - Improves HMAC signature verification by using a constant-time comparison, which mitigates a potential timing-based signature-recovery attack against the request signature. Also improves handling of timestamps in signatures, including malformed or future-dated values.

• #1472 9df36dee Thanks @​Linell! - Fix empty body on Vercel serverless Node handlers

• #1482 e34972d3 Thanks @​Linell! - Hash the signing key used when exporting OTel traces

4.2.4

Patch Changes

• #1466 68de9150 Thanks @​amh4r! - Fix checkpointing maxRuntime causing duplicate execution

4.2.3

Patch Changes

• #1460 ce5110de Thanks @​amh4r! - Fix multi-byte UTF-8 chars corrupted when split over chunks

• #1461 d75b59ce Thanks @​amh4r! - Fix CountQueuingStrategy erroring when stubbed in edge runtimes

4.2.2

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by linell_inngest, a new releaser for inngest since your current version.

Updates next from 15.3.4 to 15.5.15

Release notes

Sourced from next's releases.

v15.5.15

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

v15.5.13

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: patch http-proxy to prevent request smuggling in rewrites (See: CVE-2026-29057)

Credits

Huge thanks to @​ztanner for helping!

Commits

• 412eb90 v15.5.15
• cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
• fffef9e Fix CI for glibc linux builds
• d7b012d v15.5.14
• 2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
• f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
• cfd5f53 v15.5.13
• 15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
• d23f41c v15.5.12
• 8e75765 fix unlock in publish-native
• Additional commits viewable in compare view

Updates langsmith from 0.3.33 to 0.3.87

Release notes

Sourced from langsmith's releases.

v0.6.1

What's Changed

• ci: test more bundlers by @​langchain-infra in langchain-ai/langsmith-sdk#2263
• feat(python sdk): Add support for setting commit tags when pushing a prompt by @​bees in langchain-ai/langsmith-sdk#2265
• feat: Pass in Cache, rename by @​langchain-infra in langchain-ai/langsmith-sdk#2264
• chore: bump sdk by @​langchain-infra in langchain-ai/langsmith-sdk#2268

Full Changelog: langchain-ai/langsmith-sdk@v0.6.0...v0.6.1

v0.6.0

What's Changed

• chore(js): bump JS to 0.4.3 by @​dqbd in langchain-ai/langsmith-sdk#2253
• Revert "feat: add js prompt caching" by @​angus-langchain in langchain-ai/langsmith-sdk#2258
• Revert "feat: Replace UUID5 with deterministic UUID7 for replicas" by @​angus-langchain in langchain-ai/langsmith-sdk#2257
• release(js): bump to 0.4.4 by @​dqbd in langchain-ai/langsmith-sdk#2259
• feat: add prompt cache back and setup environment tests by @​langchain-infra in langchain-ai/langsmith-sdk#2260
• feat(python): Bump pydantic to v2 by @​angus-langchain in langchain-ai/langsmith-sdk#2248

Full Changelog: langchain-ai/langsmith-sdk@v0.5.2...v0.6.0

v0.6.0rc0

What's Changed

• feat(js): Add support for tracing AI SDK 6 by @​jacoblee93 in langchain-ai/langsmith-sdk#2237
• fix(js): Remove default Jestlike timeout by @​jacoblee93 in langchain-ai/langsmith-sdk#2243
• feat(js): Add support for tracing tool loop agent by @​jacoblee93 in langchain-ai/langsmith-sdk#2244
• feat: Replace UUID5 with deterministic UUID7 for replicas by @​angus-langchain in langchain-ai/langsmith-sdk#2249
• feat: add prompt caching to python sdk by @​langchain-infra in langchain-ai/langsmith-sdk#2246
• feat: add js prompt caching by @​langchain-infra in langchain-ai/langsmith-sdk#2251
• fix(claude): correctly parse llm and tool inputs in claude agent sdk by @​angus-langchain in langchain-ai/langsmith-sdk#2255
• bump(python): 0.5.2 by @​angus-langchain in langchain-ai/langsmith-sdk#2256

Full Changelog: langchain-ai/langsmith-sdk@v0.5.1...v0.6.0rc0

v0.5.2

What's Changed

• feat(js): Add support for tracing AI SDK 6 by @​jacoblee93 in langchain-ai/langsmith-sdk#2237
• fix(js): Remove default Jestlike timeout by @​jacoblee93 in langchain-ai/langsmith-sdk#2243
• feat(js): Add support for tracing tool loop agent by @​jacoblee93 in langchain-ai/langsmith-sdk#2244
• feat: Replace UUID5 with deterministic UUID7 for replicas by @​angus-langchain in langchain-ai/langsmith-sdk#2249
• feat: add prompt caching to python sdk by @​langchain-infra in langchain-ai/langsmith-sdk#2246
• feat: add js prompt caching by @​langchain-infra in langchain-ai/langsmith-sdk#2251
• fix(claude): correctly parse llm and tool inputs in claude agent sdk by @​angus-langchain in langchain-ai/langsmith-sdk#2255
• bump(python): 0.5.2 by @​angus-langchain in langchain-ai/langsmith-sdk#2256

Full Changelog: langchain-ai/langsmith-sdk@v0.5.1...v0.5.2

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for langsmith since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates hono from 4.7.7 to 4.12.18

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

New Contributors

• @​hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

v4.12.12

Security fixes

This release includes fixes for the following security issues:

... (truncated)

Commits

• 90d4182 4.12.16
• db05b96 Merge commit from fork
• 614b834 Merge commit from fork
• 027e3df fix(method-override): handle Content-Type with charset parameter (#4894)
• f774f8d 4.12.15
• 18fe604 fix(jwt): support single-line PEM keys (#4889)
• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• Additional commits viewable in compare view

Updates axios from 1.11.0 to 1.16.0

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart h...

  Description has been truncated