chore(deps): update npm - website - website/package.json

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@docusaurus/core (source)	^3.10.0 → ^3.10.1
@docusaurus/plugin-google-gtag (source)	^3.10.0 → ^3.10.1
@docusaurus/preset-classic (source)	^3.10.0 → ^3.10.1
ajv (source)	^8.17.1 → ^8.20.0
axios (source)	^1.13.4 → ^1.16.0
eslint (source)	^9.39.2 → ^9.39.4
react (source)	^19.2.4 → ^19.2.5
react-dom (source)	^19.2.4 → ^19.2.5
webpack	~5.105.0 → ~5.106.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

axios/axios (axios)

v1.16.0

Compare Source

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
• transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
• Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#​10588)
• @​cuiweixie (#​7419)
• @​iruizsalinas (#​10787)
• @​MarcosNocetti (#​10680)
• @​deepview-autofix (#​10729)
• @​atharvasingh7007 (#​10745)
• @​OfekDanny (#​10772)
• @​mnahkies (#​7414)
• @​tboyila (#​10759)
• @​Kingo64 (#​6897)
• @​ramram1048 (#​6389)
• @​FLNacif (#​6460)
• @​zozo123 (#​10806)
• @​pierluigilenoci (#​10802)
• @​afurm (#​10708)
• @​karan-lrn (#​7378)
• @​ebeigarts (#​7149)
• @​Raymondo97 (#​10782)
• @​mixelburg (#​10821)
• @​ashishkr96 (#​10822)
• @​cyphercodes (#​10819)
• @​Jye10032 (#​7260)
• @​VeerShah41 (#​7276)

Full Changelog

webpack/webpack (webpack)

v5.106.2

Compare Source

Patch Changes

• CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #​20838)

• Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #​20801)

• Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #​20821)

• Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #​20823)

• Migrate from mime-types to mime-db. (by @​alexander-akait in #​20812)

• Handle @charset at-rules in CSS modules. (by @​alexander-akait in #​20831)

• Marked all experimental options in types. (by @​alexander-akait in #​20814)

v5.106.1

Compare Source

Patch Changes

• Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #​20796)

• Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #​20798)

• Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #​20799)

v5.106.0

Compare Source

Minor Changes

• Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #​20579)

• Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #​20449)

  • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
  • Support custom context path for resolving relative imports in virtual modules
  • Add examples demonstrating context usage and filename customization

• Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #​20590)

• Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #​20694)
  Additionally, the localIdentName option can now be a function.

• Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #​20548)

• Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #​20275)

• Added source support for async WASM modules. (by @​magic-akari in #​20364)

Patch Changes

• Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #​20614)

• Included fragment groups in the conflicting order warning for CSS. (by @​aryanraj45 in #​20660)

• Avoid rendering unused top-level __webpack_exports__ declaration when output ECMA module library. (by @​hai-x in #​20669)

• Fixed resolving in CSS modules. (by @​alexander-akait in #​20771)

• Allow external modules place in async chunks when output ECMA module. (by @​hai-x in #​20662)

• Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @​bjohansebas in #​20432)

• Set .name to "default" for anonymous default export functions and classes per ES spec (by @​xiaoxiaojx in #​20773)

• Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @​xiaoxiaojx in #​20724)

• Fix multiple bugs and optimizations in CSS modules: correct third code point position in walkCssTokens number detection, fix multiline CSS comment regex, fix swapped :import/:export error message, fix comma callback incorrectly popping balanced stack, fix cache comparison missing array length check, fix match.index mutation side effect, move publicPathAutoRegex to module scope, precompute merged callbacks in consumeUntil, simplify redundant ternary in CssGenerator, fix typo GRID_TEMPLATE_ARES, remove duplicate grid-column-start, and merge duplicate getCompilationHooks calls. (by @​xiaoxiaojx in #​20648)

• Correct url() path resolution and preserve source maps for non-link CSS export types (style, text, css-style-sheet) (by @​xiaoxiaojx in #​20717)

• Emit error when proxy server returns non-200 status code in HttpUriPlugin instead of silently failing. (by @​xiaoxiaojx in #​20646)

• import.meta as standalone expression now returns a complete object with known properties (url, webpack, main, env) instead of an empty object ({}), and hoists it as a module-level variable to ensure import.meta === import.meta identity. In preserve-unknown mode (ESM output), the hoisted object merges runtime import.meta properties via Object.assign. (by @​xiaoxiaojx in #​20658)

• Fix incorrect condition in FileSystemInfo that always evaluated to false, preventing trailing slash removal from directory paths during build dependency resolution. (by @​xiaoxiaojx in #​20649)

• fix: VirtualUrlPlugin absolute path virtual module IDs getting concatenated with compiler context (by @​xiaoxiaojx in #​20656)

  When a virtual module ID is an absolute path (e.g. virtual:C:/project/user.js), the auto-derived context was incorrectly joined with compiler.context, producing a concatenated path like C:\cwd\C:\project. Now absolute-path contexts are used directly.

• All deprecated methods and options now have @deprecated flag in types. (by @​alexander-akait in #​20707)

• Fix CompatibilityPlugin to correctly rename __webpack_require__ when it appears as an arrow function parameter (e.g. (__webpack_module, __webpack_exports, __webpack_require__) => { ... }). (by @​hai-x in #​20661)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 ready!

Name	Link
🔨 Latest commit	fc8dba8
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/69fb2cde952b2400083cdb05
😎 Deploy Preview	https://deploy-preview-1428.git-proxy.preview.finos.org
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 7 package(s) with unknown licenses.

See the Details below.

License Issues

website/package.json

Package	Version	License	Issue Type
@docusaurus/core	^3.10.1	Null	Unknown License
@docusaurus/plugin-google-gtag	^3.10.1	Null	Unknown License
@docusaurus/preset-classic	^3.10.1	Null	Unknown License
ajv	^8.20.0	Null	Unknown License
eslint	^9.39.4	Null	Unknown License
react	^19.2.5	Null	Unknown License
react-dom	^19.2.5	Null	Unknown License

Allowed Licenses:

MIT, MIT-0, Apache-2.0, BSD-3-Clause, BSD-3-Clause-Clear, ISC, BSD-2-Clause, Unlicense, CC0-1.0, 0BSD, X11, MPL-2.0, MPL-1.0, MPL-1.1, MPL-2.0, OFL-1.1, Zlib, BlueOak-1.0.0, Ubuntu-font-1.0, Artistic-2.0, Python-2.0

Excluded from license check:

pkg:npm/caniuse-lite, pkg:npm/path-is-inside, pkg:npm/unicode-match-property-value-ecmascript, pkg:npm/unicode-property-aliases-ecmascript, pkg:npm/uri-js

OpenSSF Scorecard

Package	Version	Score	Details
npm/axios	1.16.0	🟢 8.1	Details Check Score Reason Code-Review 🟢 7 Found 19/27 approved changesets -- score normalized to 7 Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits
npm/webpack	5.106.2	🟢 5.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 3 Found 6/20 approved changesets -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Binary-Artifacts ⚠️ 0 binaries present in source code Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 7 SAST tool is not run on all commits -- score normalized to 7
npm/@docusaurus/core	^3.10.1	Unknown	Unknown
npm/@docusaurus/plugin-google-gtag	^3.10.1	Unknown	Unknown
npm/@docusaurus/preset-classic	^3.10.1	Unknown	Unknown
npm/ajv	^8.20.0	Unknown	Unknown
npm/eslint	^9.39.4	Unknown	Unknown
npm/react	^19.2.5	Unknown	Unknown
npm/react-dom	^19.2.5	Unknown	Unknown

Scanned Files

• website/package-lock.json
• website/package.json

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.21%. Comparing base (b6d72fc) to head (fc8dba8).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1428   +/-   ##
=======================================
  Coverage   90.21%   90.21%           
=======================================
  Files          69       69           
  Lines        5511     5511           
  Branches      944      944           
=======================================
  Hits         4972     4972           
  Misses        521      521           
  Partials       18       18           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.