chore(deps): bump the minor-and-patch group with 13 updates

[dependabot]

Bumps the minor-and-patch group with 13 updates:

Package	From	To
@types/node	25.5.2	25.6.0
axios	1.14.0	1.15.0
lucide-react	1.7.0	1.8.0
simple-git	3.33.0	3.36.0
@typescript-eslint/eslint-plugin	8.58.0	8.58.1
@typescript-eslint/parser	8.58.0	8.58.1
globals	17.4.0	17.5.0
@anthropic-ai/sdk	0.82.0	0.88.0
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
jsdom	29.0.1	29.0.2
vite	8.0.5	8.0.8
vitest	4.1.2	4.1.4

Updates @types/node from 25.5.2 to 25.6.0

Commits

• See full diff in compare view

Updates axios from 1.14.0 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 772a4e5 chore(release): prepare release 1.15.0 (#10671)
• 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
• 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
• fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
• 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
• 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
• e66530e ci: require npm-publish environment for releases (#10666)
• 49f23cb chore(sponsor): update sponsor block (#10668)
• 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
• fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
• Additional commits viewable in compare view

Updates lucide-react from 1.7.0 to 1.8.0

Release notes

Sourced from lucide-react's releases.

Version 1.8.0

What's Changed

• docs(packages/angular): add packageDirname for @​lucide/angular by @​rhutchison in lucide-icons/lucide#4211
• chore(icons): Username change knarlix to RajnishKMehta by @​RajnishKMehta in lucide-icons/lucide#4208
• ci(@​lucide/angular): Fix publishing problem by @​ericfennis in lucide-icons/lucide#4213
• docs: fix broken links in pull_request_template.md (got 404 page) by @​whoisBugsbunny in lucide-icons/lucide#4224
• fix(lucide-static): add viewBox to sprite symbol elements by @​TomaTV in lucide-icons/lucide#4223
• docs: Fix link to icon design principles in statement by @​whoisBugsbunny in lucide-icons/lucide#4225
• feat(docs): add Zephyr Cloud to Hero Backers tier by @​karsa-mistmere in lucide-icons/lucide#4226
• fix(icons): fixes gap issues in radio-off.svg by @​karsa-mistmere in lucide-icons/lucide#4227
• fix(icons): renamed text-select to square-dashed-text by @​jguddas in lucide-icons/lucide#3943
• fix(docs): improve mobile layout of v1 banner by @​karsa-mistmere in lucide-icons/lucide#4254
• fix(@​lucide/svelte): aria-hidden="true" was never set by @​blt-r in lucide-icons/lucide#4234
• fix(icons): remove ui/ux tag from heart-minus, add delete instead by @​karsa-mistmere in lucide-icons/lucide#4266
• chore(deps-dev): bump vite from 7.3.1 to 7.3.2 by @​dependabot[bot] in lucide-icons/lucide#4276
• chore(deps): bump lodash-es from 4.17.23 to 4.18.1 by @​dependabot[bot] in lucide-icons/lucide#4251
• chore(deps): bump vite from 5.4.21 to 6.4.2 by @​dependabot[bot] in lucide-icons/lucide#4286
• feat(docs): use initOnMounted: true for useSessionStorage in CarbonAdOverlay by @​karsa-mistmere in lucide-icons/lucide#4275
• feat(icons): added bookmark-off icon by @​ZeenatLawal in lucide-icons/lucide#4283

New Contributors

• @​rhutchison made their first contribution in lucide-icons/lucide#4211
• @​whoisBugsbunny made their first contribution in lucide-icons/lucide#4224
• @​TomaTV made their first contribution in lucide-icons/lucide#4223
• @​blt-r made their first contribution in lucide-icons/lucide#4234
• @​ZeenatLawal made their first contribution in lucide-icons/lucide#4283

Full Changelog: lucide-icons/lucide@1.7.0...1.8.0

Commits

• 7623e23 feat(docs): add Zephyr Cloud to Hero Backers tier & rework updateSponsors scr...
• See full diff in compare view

Updates simple-git from 3.33.0 to 3.36.0

Release notes

Sourced from simple-git's releases.

simple-git@3.36.0

Minor Changes

• 89a2294: Extend known exploitable configuration keys and per-task environment variables.

  Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

  Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

• 1ad57e8: Remove conflicting node:buffer import
• Updated dependencies [89a2294]
• Updated dependencies [675570a]
  • @​simple-git/argv-parser@​1.1.0
  • @​simple-git/args-pathspec@​1.0.3

simple-git@3.35.2

Patch Changes

• 0cf9d8c: Improvements for mono-repo publishing pipeline
• Updated dependencies [0cf9d8c]
  • @​simple-git/args-pathspec@​1.0.2
  • @​simple-git/argv-parser@​1.0.3

simple-git@3.35.1

Patch Changes

• 0de400e: Update monorepo version handling during publish
• Updated dependencies [0de400e]
  • @​simple-git/argv-parser@​1.0.2

Changelog

Sourced from simple-git's changelog.

3.36.0

Minor Changes

• 89a2294: Extend known exploitable configuration keys and per-task environment variables.

  Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

  Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

• 1ad57e8: Remove conflicting node:buffer import
• Updated dependencies [89a2294]
• Updated dependencies [675570a]
  • @​simple-git/argv-parser@​1.1.0
  • @​simple-git/args-pathspec@​1.0.3

3.35.2

Patch Changes

• 0cf9d8c: Improvements for mono-repo publishing pipeline
• Updated dependencies [0cf9d8c]
  • @​simple-git/args-pathspec@​1.0.2
  • @​simple-git/argv-parser@​1.0.3

3.35.1

Patch Changes

• 0de400e: Update monorepo version handling during publish
• Updated dependencies [0de400e]
  • @​simple-git/argv-parser@​1.0.2

3.35.0

Minor Changes

• 3d8708b: Updating publish config

Patch Changes

• Updated dependencies [3d8708b]
  • @​simple-git/args-pathspec@​1.0.1
  • @​simple-git/argv-parser@​1.0.1

3.34.0

... (truncated)

Commits

• 7dc1a53 Version Packages
• 76f5376 Merge pull request #1061 from Vinzent03/fix/buffer-import
• 89a2294 Environment Parsing (#1156)
• 1b91b76 fix: remove explicit node:buffer import
• e390685 Version Packages
• 3c9e4b8 Pin version of @​simple-git/args-pathspec
• 94ee21f Export pathspec types through simple-git for backward compatibility
• 6d7cb51 Version Packages
• 0de400e Switch to semver from workspace revisions
• 2264722 Version Packages
• Additional commits viewable in compare view

Updates @typescript-eslint/eslint-plugin from 8.58.0 to 8.58.1

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.58.1

8.58.1 (2026-04-08)

🩹 Fixes

• eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

• MinJae @​Ju-MINJAE

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.58.1 (2026-04-08)

🩹 Fixes

• eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

• MinJae @​Ju-MINJAE

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 5311ed3 chore(release): publish 8.58.1
• c3f8ed5 fix(eslint-plugin): [no-unused-vars] fix false negative for type predicate pa...
• e372a66 Revert: feat(eslint-plugin): [no-unnecessary-type-arguments] report inferred ...
• See full diff in compare view

Updates @typescript-eslint/parser from 8.58.0 to 8.58.1

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.58.1

8.58.1 (2026-04-08)

🩹 Fixes

• eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (#12004)

❤️ Thank You

• MinJae @​Ju-MINJAE

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.58.1 (2026-04-08)

This was a version bump only for parser to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 5311ed3 chore(release): publish 8.58.1
• See full diff in compare view

Updates globals from 17.4.0 to 17.5.0

Release notes

Sourced from globals's releases.

v17.5.0

• Update globals (2026-04-12) (#342) 5d84602

---

sindresorhus/globals@v17.4.0...v17.5.0

Commits

• b8170c8 17.5.0
• 5d84602 Update globals (2026-04-12) (#342)
• 1b727e5 Fix build script for ES globals (#341)
• See full diff in compare view

Updates @anthropic-ai/sdk from 0.82.0 to 0.88.0

Release notes

Sourced from @​anthropic-ai/sdk's releases.

sdk: v0.88.0

0.88.0 (2026-04-10)

Full Changelog: sdk-v0.87.0...sdk-v0.88.0

Features

• vertex eu region (#882) (1933857)

Documentation

• improve examples (de4f483)
• update examples (454e1c5)

sdk: v0.87.0

0.87.0 (2026-04-09)

Full Changelog: sdk-v0.86.1...sdk-v0.87.0

Features

• api: Add beta advisor tool (1e99a8d)

sdk: v0.86.1

0.86.1 (2026-04-08)

Full Changelog: sdk-v0.86.0...sdk-v0.86.1

Chores

• update @​anthropic-ai/sdk dependency version (#870) (036342b)

sdk: v0.86.0

0.86.0 (2026-04-08)

Full Changelog: sdk-v0.85.0...sdk-v0.86.0

Features

• api: add support for Claude Managed Agents (2ef732a)

Chores

• internal: codegen related update (d644830)

sdk: v0.85.0

0.85.0 (2026-04-07)

... (truncated)

Changelog

Sourced from @​anthropic-ai/sdk's changelog.

0.88.0 (2026-04-10)

Full Changelog: sdk-v0.87.0...sdk-v0.88.0

Features

• vertex eu region (#882) (1933857)

Documentation

• improve examples (de4f483)
• update examples (454e1c5)

0.87.0 (2026-04-09)

Full Changelog: sdk-v0.86.1...sdk-v0.87.0

Features

• api: Add beta advisor tool (1e99a8d)

0.86.1 (2026-04-08)

Full Changelog: sdk-v0.86.0...sdk-v0.86.1

Chores

• update @​anthropic-ai/sdk dependency version (#870) (036342b)

0.86.0 (2026-04-08)

Full Changelog: sdk-v0.85.0...sdk-v0.86.0

Features

• api: add support for Claude Managed Agents (2ef732a)

Chores

• internal: codegen related update (d644830)

0.85.0 (2026-04-07)

Full Changelog: sdk-v0.84.0...sdk-v0.85.0

Features

• client: Create Bedrock Mantle client (#810) (2f1f4a1)

... (truncated)

Commits

• 089fe05 chore: release main (#987)
• 73f128f chore: release main (#985)
• fd6cf54 chore: release main (#983)
• 79d1d73 chore: release main (#982)
• 4ade5b1 chore: release main (#979)
• 4368602 chore: release main (#978)
• 4105fd6 chore: release main (#973)
• 0b536ae chore: release main (#970)
• See full diff in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates jsdom from 29.0.1 to 29.0.2

Release notes

Sourced from jsdom's releases.

v29.0.2

• Significantly improved and sped up getComputedStyle(). Computed value rules are now applied across a broader set of properties, and include fixes related to inheritance, defaulting keywords, custom properties, and color-related values such as currentcolor and system colors. (@​asamuzaK)
• Fixed CSS 'background' and 'border' shorthand parsing. (@​asamuzaK)

Commits

• 2a1e2cd 29.0.2
• 4097d66 Resolve computed CSS values lazily in CSSStyleDeclaration
• cf5523f Add more test cases for nested color-mix with currentColor
• b33b616 Add test that getComputedStyle() works with !important
• 6bf559c Add test for custom property inheritance in computed styles
• 6817657 Fix border shorthand handling
• 470f5c5 Consolidate color helpers
• 3db53cb Fix background shorthand handlers
• 678e840 Remove some longhand property files
• d526a07 Add regression test for getComputedStyle() liveness
• See full diff in compare view

Updates vite from 8.0.5 to 8.0.8

Release notes

Sourced from vite's releases.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.8 (2026-04-09)

Features

• update rolldown to 1.0.0-rc.15 (#22201) (6baf587)

Bug Fixes

• avoid dns.getDefaultResultOrder temporary (#22202) (15f1c15)
• ssr: class property keys hoisting matching imports (#22199) (e137601)

8.0.7 (2026-04-07)

Bug Fixes

• use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

• update rolldown to 1.0.0-rc.13 (#22097) (51d3e48)

Bug Fixes

• css: avoid mutating sass error multiple times (#22115) (d5081c2)
• optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)

Performance Improvements

• early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

• create-vite: remove unnecessary DOM.Iterable (#22168) (bdc53ab)
• replace remaining prettier script (#22179) (af71fb2)

Commits

• 6e585dc release: v8.0.8
• e137601 fix(ssr): class property keys hoisting matching imports (#22199)
• 15f1c15 fix: avoid dns.getDefaultResultOrder temporary (#22202)
• 6baf587 feat: update rolldown to 1.0.0-rc.15 (#22201)
• fdb2e6f release: v8.0.7
• 5c05b04 fix: use sync dns.getDefaultResultOrder instead of dns.promises (#22185)
• 7b3086f release: v8.0.6
• af71fb2 chore: replace remaining prettier script (#22179)
• 51d3e48 feat: update rolldown to 1.0.0-rc.13 (#22097)
• 17a8f9e fix(optimize-deps): hoist CJS interop assignment (#22156)
• Additional commits viewable in compare view

Updates vitest from 4.1.2 to 4.1.4

Release notes

Sourced from vitest's releases.

v4.1.4

   🚀 Experimental Features

• coverage:
  • Default to text reporter skipFull if agent detected  -  by @​hi-ogawa in vitest-dev/vitest#10018 (53757)
• experimental:
  • Expose assertion as a public field  -  by @​sheremet-va in vitest-dev/vitest#10095 (a120e)
  • Support aria snapshot  -  by @​hi-ogawa, Claude Opus 4.6 (1M context), @​AriPerkkio, Codex and @​sheremet-va in vitest-dev/vitest#9668 (d4fbb)
• reporter:
  • Add filterMeta option to json reporter  -  by @​nami8824 and @​sheremet-va in vitest-dev/vitest#10078 (b77de)

   🐞 Bug Fixes

• Use "black" foreground for labeled terminal message to ensure contrast  -  by @​hi-ogawa in vitest-dev/vitest#10076 (203f0)
• Make expect(..., message) consistent as error message prefix  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10068 (a1b5f)
• Do not hoist imports whose names match class properties .  -  by @​SunsetFi in vitest-dev/vitest#10093 and vitest-dev/vitest#10094 (0fc4b)
• browser: Spread user server options into browser Vite server in project  -  by @​GoldStrikeArch in vitest-dev/vitest#10049 (65c9d)

    View changes on GitHub

v4.1.3

   🚀 Experimental Features

• Add experimental.preParse flag  -  by @​sheremet-va in vitest-dev/vitest#10070 (78273)
• Support browser.locators.exact option  -  by @​sheremet-va in vitest-dev/vitest#10013 (48799)
• Add TestAttachment.bodyEncoding  -  by @​hi-ogawa in vitest-dev/vitest#9969 (89ca0)
• Support custom snapshot matcher  -  by @​hi-ogawa, Claude Sonnet 4.6 and Codex in vitest-dev/vitest#9973 (59b0e)

   🐞 Bug Fixes

• Advance fake timers with expect.poll interval  -  by @​hi-ogawa and Claude Sonnet 4.6 in vitest-dev/vitest#10022 (3f5bf)
• Add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional dependency  -  by @​alan-agius4 in vitest-dev/vitest#10025 (146d4)
• Fix defineHelper for webkit async stack trace + update playwright 1.59.0  -  by @​hi-ogawa in vitest-dev/vitest#10036 (5a5fa)
• Fix suite hook throwing errors for unused auto test-scoped fixture  -  by @​hi-ogawa and Claude Sonnet 4.6 in vitest-dev/vitest#10035 (39865)
• expect:
  • Remove JestExtendError.context from verbose error reporting  -  by @​hi-ogawa in vitest-dev/vitest#9983 (66751)
  • Don't leak "runner" types  -  by @​sheremet-va in

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.