Update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/checkout	action	major	v4.1.7 → v6.0.2
actions/setup-node	action	major	v4.0.3 → v6.4.0
actions/upload-artifact	action	major	v4.4.0 → v7.0.1
axios (source)	dependencies	minor	1.7.7 → 1.15.2
babel-jest (source)	devDependencies	major	^29.0.0 → ^30.0.0
babel-loader	devDependencies	major	^9.0.0 → ^10.0.0
eslint (source)	devDependencies	major	9.10.0 → 10.2.1
eslint-plugin-jest	devDependencies	major	^28.8.3 → ^29.0.0
github/codeql-action	action	major	v3.26.6 → v4.35.2
jest (source)	devDependencies	major	^29.0.0 → ^30.0.0
jest-environment-jsdom (source)	devDependencies	major	^29.3.1 → ^30.0.0
nock	devDependencies	major	^13.0.0 → ^14.0.0
node	uses-with	major	18.x → 24.x
ossf/scorecard-action	action	patch	v2.4.0 → v2.4.3
step-security/harden-runner	action	minor	v2.9.1 → v2.19.0
webpack-cli (source)	devDependencies	major	^5.0.0 → ^7.0.0

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6-beta

Compare Source

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v6.0.0

Compare Source

v6

Compare Source

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

Compare Source

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in #​2226
• Prepare v5.0.0 release by @​salmanmkc in #​2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v5

Compare Source

v4.3.1

Compare Source

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in #​2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236
• Prepare release v4.3.0 by @​salmanmkc in #​2237

New Contributors

• @​motss made their first contribution in #​1971
• @​mouismail made their first contribution in #​1977
• @​benwells made their first contribution in #​2043
• @​nebuk89 made their first contribution in #​2194
• @​salmanmkc made their first contribution in #​2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in #​1941
• Expand unit test coverage for isGhes by @​jww3 in #​1946

v4.2.1

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in #​1924

v4.2.0

Compare Source

• Add Ref and Commit outputs by @​lucacome in #​1180
• Dependency updates by @​dependabot- #​1777, #​1872

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v6

Compare Source

v5

Compare Source

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

Compare Source

What's Changed

Bug fixes:

• Make eslint-compact matcher compatible with Stylelint by @​FloEdelmann in #​98
• Add support for indented eslint output by @​fregante in #​1245

Enhancement:

• Support private mirrors by @​marco-ippolito in #​1240

Dependency update:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in #​1262

New Contributors

• @​FloEdelmann made their first contribution in #​98
• @​fregante made their first contribution in #​1245
• @​marco-ippolito made their first contribution in #​1240

Full Changelog: actions/setup-node@v4...v4.4.0

v4.3.0

Compare Source

What's Changed

Dependency updates

• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in #​1200
• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​gowridurgad in #​1251
• Upgrade @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​1203
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot in #​1220

New Contributors

• @​gowridurgad made their first contribution in #​1251

Full Changelog: actions/setup-node@v4...v4.3.0

v4.2.0

Compare Source

What's Changed

• Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by @​aparnajyothi-y in #​1174
• Add recommended permissions section to readme by @​benwells in #​1193
• Configure Dependabot settings by @​HarithaVattikuti in #​1192
• Upgrade @actions/cache to ^4.0.0 by @​priyagupta108 in #​1191
• Upgrade pnpm/action-setup from 2 to 4 by @​dependabot in #​1194
• Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot in #​1195
• Upgrade semver from 7.6.0 to 7.6.3 by @​dependabot in #​1196
• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot in #​1201
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot in #​1205

New Contributors

• @​benwells made their first contribution in #​1193

Full Changelog: actions/setup-node@v4...v4.2.0

v4.1.0

Compare Source

What's Changed

• Resolve High Security Alerts by upgrading Dependencies by @​aparnajyothi-y in #​1132
• Upgrade IA Publish by @​Jcambass in #​1134
• Revise isGhes logic by @​jww3 in #​1148
• Add architecture to cache key by @​pengx17 in #​843
  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.
  Note: This change may break previous cache keys as they will no longer be compatible with the new format.

New Contributors

• @​jww3 made their first contribution in #​1148
• @​pengx17 made their first contribution in #​843

Full Changelog: actions/setup-node@v4...v4.1.0

v4.0.4

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​1125
• Enhance Windows ARM64 Setup and Update micromatch Dependency by @​priyagupta108 in #​1126

Documentation changes:

• Documentation update in the README file by @​suyashgaonkar in #​1106
• Correct invalid 'lts' version string reference by @​fulldecent in #​1124

New Contributors

• @​suyashgaonkar made their first contribution in #​1106
• @​priyagupta108 made their first contribution in #​1126
• @​Jcambass made their first contribution in #​1125
• @​fulldecent made their first contribution in #​1124

Full Changelog: actions/setup-node@v4...v4.0.4

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

v6

Compare Source

v6.0.0

Compare Source

v5

Compare Source

v5.0.0

Compare Source

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in #​685

New Contributors

• @​salmanmkc made their first contribution in #​685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in #​673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in #​662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in #​578
• Add new artifact-digest output by @​bdehamer in #​656

New Contributors

• @​hamirmahal made their first contribution in #​578
• @​bdehamer made their first contribution in #​656

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

v4.4.3

Compare Source

What's Changed

• Undo indirect dependency updates from #​627 by @​joshmgross in #​632

Full Changelog: actions/upload-artifact@v4.4.2...v4.4.3

v4.4.2

Compare Source

What's Changed

• Bump @actions/artifact to 2.1.11 by @​robherley in #​627
  • Includes fix for relative symlinks not resolving properly

Full Changelog: actions/upload-artifact@v4.4.1...v4.4.2

v4.4.1

Compare Source

What's Changed

• Add a section about hidden files by @​joshmgross in #​607
• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​621
• Update @​actions/artifact to latest version, includes symlink and timeout fixes by @​robherley in #​625

New Contributors

• @​Jcambass made their first contribution in #​621

Full Changelog: actions/upload-artifact@v4.4.0...v4.4.1

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

v1.15.0

Compare Source

Bug Fixes

• headers: fixed & optimized clear method; (#​5507) (9915635)
• http: add zlib headers if missing (#​5497) (65e8d1e)

Features

• fomdata: added support for spec-compliant FormData & Blob types; (#​5316) (6ac574e)

Contributors to this release

• Dmitriy Mozgovoy
• ItsNotGoodName

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.6 (2023-01-28)

Bug Fixes

• headers: added missed Authorization accessor; (#​5502) (342c0ba)
• types: fixed CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS; (#​5503) (5a3d0a3)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.5 (2023-01-26)

Bug Fixes

• types: fixed AxiosHeaders to handle spread syntax by making all methods non-enumerable; (#​5499) (580f1e8)

Contributors to this release

• Dmitriy Mozgovoy
• Elliot Ford

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.4 (2023-01-22)

Bug Fixes

• types: renamed RawAxiosRequestConfig back to AxiosRequestConfig; (#​5486) (2a71f49)
• types: fix AxiosRequestConfig generic; (#​5478) (9bce81b)

Contributors to this release

• Dmitriy Mozgovoy
• Daniel Hillmann

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.3 (2023-01-10)

Bug Fixes

• types: fixed AxiosRequestConfig header interface by refactoring it to RawAxiosRequestConfig; (#​5420) (0811963)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.2] - 2022-12-29

Fixed

• fix(ci): fix release script inputs #​5392
• fix(ci): prerelease scipts #​5377
• fix(ci): release scripts #​5376
• fix(ci): typescript tests #​5375
• fix: Brotli decompression #​5353
• fix: add missing HttpStatusCode #​5345

Chores

• chore(ci): set conventional-changelog header config #​5406
• chore(ci): fix automatic contributors resolving #​5403
• chore(ci): improved logging for the contributors list generator #​5398
• chore(ci): fix release action #​5397
• chore(ci): fix version bump script by adding bump argument for target version #​5393
• chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 #​5342
• chore(ci): GitHub Actions Release script #​5384
• chore(ci): release scripts #​5364

Contributors to this release

• Dmitriy Mozgovoy
• Winnie

[1.2.1] - 2022-12-05

Changed

• feat(exports): export mergeConfig #​5151

Fixed

• fix(CancelledError): include config #​4922
• fix(general): removing multiple/trailing/leading whitespace #​5022
• fix(headers): decompression for responses without Content-Length header #​5306
• fix(webWorker): exception to sending form data in web worker #​5139

Refactors

• refactor(types): AxiosProgressEvent.event type to any #​5308
• refactor(types): add missing types for static AxiosError.from method #​4956

Chores

• chore(docs): remove README link to non-existent upgrade guide #​5307
• chore(docs): typo in issue template name #​5159

Contributors to this release

• Dmitriy Mozgovoy
• Zachary Lysobey
• Kevin Ennis
• Philipp Loose
• secondl1ght
• wenzheng
• Ivan Barsukov
• Arthur Fiorette

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.0] - 2022-11-10

Changed

• changed: refactored module exports #​5162
• change: re-added support for loading Axios with require('axios').default #​5225

Fixed

• fix: improve AxiosHeaders class #​5224
• fix: TypeScript type definitions for commonjs #​5196
• fix: type definition of use method on AxiosInterceptorManager to match the the README #​5071
• fix: __dirname is not defined in the sandbox #​5269
• fix: AxiosError.toJSON method to avoid circular references #​5247
• fix: Z_BUF_ERROR when content-encoding is set but the response body is empty #​5250

Refactors

• refactor: allowing adapters to be loaded by name #​5277

Chores

• chore: force CI restart #​5243
• chore: update ECOSYSTEM.md #​5077
• chore: update get/index.html #​5116
• chore: update Sandbox UI/UX #​5205
• chore:(actions): remove git credentials after checkout #​5235
• chore(actions): bump actions/dependency-review-action from 2 to 3 #​5266
• chore(packages): bump loader-utils from 1.4.1 to 1.4.2 #​5295
• chore(packages): bump engine.io from 6.2.0 to 6.2.1 #​5294
• chore(packages): bump socket.io-parser from 4.0.4 to 4.0.5 #​5241
• chore(packages): bump loader-utils from 1.4.0 to 1.4.1 #​5245
• chore(docs): update Resources links in README #​5119
• chore(docs): update the link for JSON url #​5265
• chore(docs): fix broken links #​5218
• chore(docs): update

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.