fix(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@aws-sdk/client-s3 (source)	3.1045.0 → 3.1062.0			dependencies	minor	3.1067.0 (+4)
@aws-sdk/lib-storage (source)	3.1045.0 → 3.1062.0			dependencies	minor	3.1067.0 (+4)
@typescript-eslint/parser (source)	8.59.2 → 8.60.1			devDependencies	minor	8.61.0
actions/checkout	v6.0.2 → v6.0.3			action	patch
actions/create-github-app-token	v3.1.1 → v3.2.0			action	minor
amaro	1.1.9 → 1.1.10			dependencies	patch
axios (source)	1.16.0 → 1.17.0			devDependencies	minor
docker/build-push-action	v7.1.0 → v7.2.0			action	minor
docker/login-action	v4.1.0 → v4.2.0			action	minor
docker/metadata-action	v6.0.0 → v6.1.0			action	minor
docker/setup-buildx-action	v4.0.0 → v4.1.0			action	minor
easy-ocsp (source)	1.3.1 → 1.3.2			dependencies	patch
graphql	16.14.0 → 16.14.1			dependencies	patch	16.14.2
mocha (source)	11.7.5 → 11.7.6			devDependencies	patch
node (source)	24.15.0 → 24.16.0				minor
oxlint (source)	1.63.0 → 1.68.0			devDependencies	minor	1.69.0
semver	7.8.0 → 7.8.2			dependencies	patch	7.8.4 (+1)
sinon (source)	21.0.3 → 21.1.2			devDependencies	minor
systeminformation (source)	5.31.6 → 5.31.7			dependencies	patch
tsx (source)	4.21.0 → 4.22.4			devDependencies	minor
typescript-eslint (source)	8.59.2 → 8.60.1			devDependencies	minor	8.61.0
undici (source)	7.25.0 → 7.27.1			devDependencies	minor	7.27.2
ws	8.20.0 → 8.21.0			dependencies	minor

---

Release Notes

aws/aws-sdk-js-v3 (@​aws-sdk/client-s3)

v3.1062.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1061.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1060.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1059.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1058.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1057.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1056.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1055.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1054.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1053.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1052.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1051.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1050.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1049.0

Compare Source

Bug Fixes

• client-sts: update imports to new module locations (#​8025) (be183b6)

v3.1048.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1047.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

v3.1046.0

Compare Source

Note: Version bump only for package @​aws-sdk/client-s3

aws/aws-sdk-js-v3 (@​aws-sdk/lib-storage)

v3.1062.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1061.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1060.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1059.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1058.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1057.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1056.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1055.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1054.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1053.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1052.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1051.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1050.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1049.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1048.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1047.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

v3.1046.0

Compare Source

Note: Version bump only for package @​aws-sdk/lib-storage

typescript-eslint/typescript-eslint (@​typescript-eslint/parser)

v8.60.1

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.60.0

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.4

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.3

Compare Source

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

nodejs/amaro (amaro)

v1.1.10

Compare Source

Miscellaneous

• build wasm from swc v1.15.33 (626debc)
• build wasm from swc v1.15.40 (04c080d)
• declare workflow-level contents: read on ci and build-swc (a147e52)
• deps: bump docker/setup-buildx-action from 4.0.0 to 4.1.0 (e51115b)
• deps: bump EmbarkStudios/cargo-deny-action from 2.0.15 to 2.0.19 (80a7332)
• deps: bump github/codeql-action from 4.35.2 to 4.35.4 (7f1ee48)
• deps: bump github/codeql-action from 4.35.4 to 4.36.0 (5eb6bc7)
• deps: bump googleapis/release-please-action from 4.4.1 to 5.0.0 (5b35ea8)
• deps: bump step-security/harden-runner from 2.18.0 to 2.19.1 (5d24781)
• deps: bump step-security/harden-runner from 2.19.1 to 2.19.4 (271d785)
• update swc to v1.15.33 (0b909f8)
• update swc to v1.15.40 (f5a64f3)

axios/axios (axios)

v1.17.0

Compare Source

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#​10901, #​10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#​10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#​6792, #​10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#​10929, #​10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#​10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#​10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#​10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#​10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#​10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#​10956, #​10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#​10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#​10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#​10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#​10907, #​10911, #​10916, #​10927, #​10935, #​10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#​10925, #​10914, #​10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#​10890, #​10889, #​10921, #​10945, #​10905, #​10933, #​10915, #​10887, #​10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#​10871, #​10879, #​10918, #​10919, #​10934, #​10947, #​10954, #​10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#​6792)
• @​carladams1299-lab (#​10861)
• @​LaplaceYoung (#​10812)
• @​JamieMagee (#​10939)
• @​RonGamzu (#​10905)
• @​sapirbaruch (#​10891)
• @​nezukoagent (#​10901)
• @​devareddy05 (#​10929)
• @​Mohammad-Faiz-Cloud-Engineer (#​10922)
• @​azandabot (#​10931)
• @​niksy (#​10896)

Full Changelog

v1.16.1

Compare Source

docker/build-push-action (docker/build-push-action)

v7.2.0

Compare Source

docker/login-action (docker/login-action)

v4.2.0

Compare Source

• Bump @​actions/core from 3.0.0 to 3.0.1 in #​976
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1050.0 in #​960
• Bump @​docker/actions-toolkit from 0.86.0 to 0.90.0 in #​970
• Bump brace-expansion from 2.0.1 to 5.0.6 in #​993
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in #​985
• Bump fast-xml-parser from 5.3.6 to 5.8.0 in #​963
• Bump http-proxy-agent and https-proxy-agent to 9.0.0 in #​961
• Bump postcss from 8.5.6 to 8.5.10 in #​979
• Bump tar from 6.2.1 to 7.5.15 in #​991
• Bump vite from 7.3.1 to 7.3.3 in #​986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

docker/metadata-action (docker/metadata-action)

v6.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​613
• Bump brace-expansion from 1.1.12 to 5.0.6 in #​658 #​630
• Bump csv-parse from 6.1.0 to 6.2.1 in #​617
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​620
• Bump flatted from 3.3.3 to 3.4.2 in #​623
• Bump glob from 10.3.15 to 10.5.0 in #​621
• Bump handlebars from 4.7.8 to 4.7.9 in #​629
• Bump lodash from 4.17.23 to 4.18.1 in #​639
• Bump moment-timezone from 0.6.0 to 0.6.1 in #​619
• Bump picomatch from 4.0.3 to 4.0.4 in #​626
• Bump postcss from 8.5.6 to 8.5.10 in #​649
• Bump tar from 6.2.1 to 7.5.15 in #​657
• Bump undici from 6.23.0 to 6.25.0 in #​614
• Bump vite from 7.3.1 to 7.3.2 in #​637

Full Changelog: docker/metadata-action@v6.0.0...v6.1.0

docker/setup-buildx-action (docker/setup-buildx-action)

v4.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​489
• Bump brace-expansion from 1.1.12 to 5.0.6 in #​547 #​508
• Bump fast-xml-builder from 1.0.0 to 1.2.0 in #​540
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​496
• Bump flatted from 3.3.3 to 3.4.2 in #​499
• Bump glob from 10.3.12 to 13.0.6 in #​495
• Bump handlebars from 4.7.8 to 4.7.9 in #​504
• Bump lodash from 4.17.23 to 4.18.1 in #​523
• Bump picomatch from 4.0.3 to 4.0.4 in #​503
• Bump postcss from 8.5.6 to 8.5.10 in #​537
• Bump tar from 6.2.1 to 7.5.15 in #​545
• Bump undici from 6.23.0 to 6.25.0 in #​492
• Bump vite from 7.3.1 to 7.3.2 in #​520

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

timokoessler/easy-ocsp (easy-ocsp)

v1.3.2

Compare Source

Changed

• Use npm staged publishing to enhance security
• Harden GitHub Actions and add additional security scanning
• Update dependencies & switch formatter to oxfmt

graphql/graphql-js (graphql)

v16.14.1

Compare Source

v16.14.1 (2026-06-02)

Docs 📝

9 PRs were merged

• #​4737 docs: refresh upgrade guide and v17 topics (@​yaacovCR)
• #​4741 docs: add v16 API docs lint coverage (@​yaacovCR)
• #​4748 docs: update banner (@​yaacovCR)
• #​4750 docs: use api docs generated from inline jsdoc comments (@​yaacovCR)
• #​4754 docs: update website caniuse-lite data (@​yaacovCR)
• #​4755 docs: hide internal type member __validationErrors (@​yaacovCR)
• #​4757 docs: fix inline examples, deprecation descriptions, type category (@​yaacovCR)
• #​4759 docs: fix static export redirect config (@​yaacovCR)
• #​4767 docs: fix Post_body example variable (@​fallintoplace)

Polish 💅

• #​4738 chore(tests): add test for directive extensions without flag enabled (@​yaacovCR)

Internal 🏠

• #​4778 fix: generated version documentation (@​yaacovCR)

Committers: 2

• Minh Vu(@​fallintoplace)
• Yaacov Rydzinski (@​yaacovCR)

mochajs/mocha (mocha)

v11.7.6

Compare Source

🩹 Fixes

• make describe().timeout() work (aafe6fd)
• test: replace wmic usage with native Windows API (#​5694) (73ebdfa)

🧹 Chores

• format all code (#​5629) (0696784)
• remove Netlify (#​5630) (8d01d33)

nodejs/node (node)

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
• [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
• [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
• [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
• [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556

Commits

• [dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #​62509
• [add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #​62888
• [1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #​62667
• [8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #​62902
• [341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #​62974
• [28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #​62863
• [16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #​62839
• [eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #​62875
• [9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #​59051
• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #​62474
• [4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #​63013
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #​63375
• [ec8c6b939a] - deps: V8: cherry-pick 657d8de (Guy Bedford) #​62784
• [722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #​61187
• [5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #​60046
• [e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #​59249
• [1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #​59249
• [8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #​63090
• [62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #​63045
• [137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #​62810
• [14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #​62962
• [3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #​62898
• [01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #​62881
• [6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #​62699
• [f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #​62698
• [b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #​62594
• [fa46c90c5d] - deps: update googletest to d72f9c8 (Node.js GitHub Bot) #​62593
• [099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • "before 9am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​typescript-eslint/​parser@​8.59.2 ⏵ 8.60.1
	typescript-eslint@​8.59.2 ⏵ 8.60.1			+1
	systeminformation@​5.31.6 ⏵ 5.31.7
	tsx@​4.21.0 ⏵ 4.22.4	+1		+1
	easy-ocsp@​1.3.2
	@​aws-sdk/​lib-storage@​3.1045.0 ⏵ 3.1062.0	+1			+1
	sinon@​21.0.3 ⏵ 21.1.2	+1		+1
	oxlint@​1.63.0 ⏵ 1.68.0			+1
	amaro@​1.1.9 ⏵ 1.1.10
	axios@​1.16.0 ⏵ 1.17.0	-1
	ws@​8.20.0 ⏵ 8.21.0	+1	+2
	mocha@​11.7.5 ⏵ 11.7.6	+1		+1
	semver@​7.8.0 ⏵ 7.8.2	+1		+1
	undici@​7.25.0 ⏵ 7.27.1			+1
	@​aws-sdk/​client-s3@​3.1045.0 ⏵ 3.1062.0	+2
	graphql@​16.14.0 ⏵ 16.14.1	+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/typescript-eslint@8.60.1 → npm/@typescript-eslint/eslint-plugin@8.60.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.60.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report