Bump the npm_and_yarn group across 1 directory with 9 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
axios	1.7.6	1.13.5
happy-dom	17.1.0	20.7.0
vite	5.4.14	5.4.21
vite-plugin-static-copy	1.0.1	2.3.2
esbuild	0.21.5	0.27.3
glob	10.3.12	10.5.0

Updates axios from 1.7.6 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates happy-dom from 17.1.0 to 20.7.0

Release notes

Sourced from happy-dom's releases.

v20.7.0

🎨 Features

• Adds support for Window.getScreenDetails() - By @​TrevorBurnham in task #1923
• Extends Screen from EventTarget - By @​TrevorBurnham in task #1923

v20.6.5

👷‍♂️ Patch fixes

• Add clearImmediate to Jest environment global scope - By @​TrevorBurnham in task #1927

v20.6.4

👷‍♂️ Patch fixes

• Normalize invalid input type attribute to "text" per HTML spec - By @​atzzCokeK in task #2053

v20.6.3

👷‍♂️ Patch fixes

• Refactors query selector parser to be able to handle complex rules - By @​capricorn86 in task #1910
• Fixes issue related to using query selector for attribute in XML document - By @​capricorn86 in task #1912
• Fixes issue with using quotes within quotes for attribute query selector (e.g. [data-value="it's a test"]) - By @​capricorn86 in task #2034

v20.6.2

👷‍♂️ Patch fixes

• Update entities package version to resolve missing export for vue and vue-compat v3.5 - By @​acollins1991 in task #2066

v20.6.1

👷‍♂️ Patch fixes

• Support CSS gradients with rgba() - By @​atzzCokeK in task #2042
• Support unicode characters in selectors per CSS spec - By @​kaigritun in task #2057

v20.6.0

🎨 Features

• Adds support for register on import to the @happy-dom/global-registrator package - By @​capricorn86 in task #2060

v20.5.5

👷‍♂️ Patch fixes

• Correct caption element content model to allow flow content - By @​atzzCokeK in task #2052

v20.5.4

👷‍♂️ Patch fixes

• Implement Text.wholeText property - By @​aki05162525 in task #1959

v20.5.3

👷‍♂️ Patch fixes

• Node.replaceWith does not throw w/o parent - By @​lukeed

v20.5.2

👷‍♂️ Patch fixes

• Use entities package for HTML/XML encoding and decoding - By @​TrevorBurnham in task #1947

v20.5.1

👷‍♂️ Patch fixes

... (truncated)

Commits

• 4e0d1e3 feat: #1923 Adds support for getScreenDetails() (#2041)
• 78a2ff4 chore: #1867 Add regression test for TreeWalker sibling traversal (#2026)
• 46bab67 fix: #1927 Add clearImmediate to Jest environment global scope (#2029)
• ee81583 fix: #2053 Normalize invalid input type attribute to "text" per HTML spec (...
• e6a64da fix: #1910 Fixes issue when parsing complex query selector with has express...
• b869287 fix: #2066 Update entities package version to resolve missing export for vu...
• f8d8cad fix: #2042 Support CSS gradients with rgba() colors (#2059)
• d0fdf23 fix: #2057 Support Unicode characters in selectors per CSS spec (#2062)
• 48e675f feat: #2060 Adds support for register on import in global-registrator (#2061)
• fbef5d9 fix: #2052 Correct caption element content model to allow flow content (#2058)
• Additional commits viewable in compare view

Updates vite from 5.4.14 to 5.4.21

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Updates vite-plugin-static-copy from 1.0.1 to 2.3.2

Release notes

Sourced from vite-plugin-static-copy's releases.

vite-plugin-static-copy@2.3.2

Patch Changes

• 4627afb Thanks @​sapphi-red! - Files not included in src was possible to acess with a crafted request. See GHSA-pp7p-q8fx-2968 for more details.

vite-plugin-static-copy@2.3.1

Patch Changes

• #152 6aee6a3 Thanks @​sapphi-red! - improve performance of internal isSubdirectoryOrEqual function

vite-plugin-static-copy@2.3.0

Minor Changes

• 281f5b2 Thanks @​sapphi-red! - improve performance by coping files concurrently when possible

Patch Changes

• #149 a9f35c9 Thanks @​sapphi-red! - ensure .[cm]?[tj]sx? static assets are JS mime to align with Vite. vitejs/vite#19453

vite-plugin-static-copy@2.2.0

Minor Changes

• #141 88e513d Thanks @​sapphi-red! - add Vite 6 to peer dep

vite-plugin-static-copy@2.1.0

Minor Changes

• #133 b9c09bd Thanks @​rschristian! - Allows user to optionally configure when the plugin is ran by passing in a Rollup hook name

vite-plugin-static-copy@2.0.0

Major Changes

• #127 21304df Thanks @​tassioFront! - feat: throw an error when does not find file

vite-plugin-static-copy@1.0.6

Patch Changes

• #121 d68aec9 Thanks @​tobz1000! - The value of Content-Type header was inferred and set from the src file extension. It is now infered from the dest file extension.

vite-plugin-static-copy@1.0.5

Patch Changes

• 311ce4d Thanks @​sapphi-red! - generate provenance statements for the package

vite-plugin-static-copy@1.0.4

Patch Changes

• #107 5206534 Thanks @​sverben! - send headers set by server.headers in dev

vite-plugin-static-copy@1.0.3

... (truncated)

Changelog

Sourced from vite-plugin-static-copy's changelog.

2.3.2

Patch Changes

• 4627afb Thanks @​sapphi-red! - Files not included in src was possible to acess with a crafted request. See GHSA-pp7p-q8fx-2968 for more details.

2.3.1

Patch Changes

• #152 6aee6a3 Thanks @​sapphi-red! - improve performance of internal isSubdirectoryOrEqual function

2.3.0

Minor Changes

• 281f5b2 Thanks @​sapphi-red! - improve performance by coping files concurrently when possible

Patch Changes

• #149 a9f35c9 Thanks @​sapphi-red! - ensure .[cm]?[tj]sx? static assets are JS mime to align with Vite. vitejs/vite#19453

2.2.0

Minor Changes

• #141 88e513d Thanks @​sapphi-red! - add Vite 6 to peer dep

2.1.0

Minor Changes

• #133 b9c09bd Thanks @​rschristian! - Allows user to optionally configure when the plugin is ran by passing in a Rollup hook name

2.0.0

Major Changes

• #127 21304df Thanks @​tassioFront! - feat: throw an error when does not find file

1.0.6

Patch Changes

• #121 d68aec9 Thanks @​tobz1000! - The value of Content-Type header was inferred and set from the src file extension. It is now infered from the dest file extension.

1.0.5

Patch Changes

... (truncated)

Commits

• 326a79f chore: update versions (#197)
• 0f39cad ci: run release against v* branches
• 4627afb fix: only serve files under src (#195)
• 08cafec chore: update versions (#154)
• 6aee6a3 perf: improve isSubdirectoryOrEqual performance (#152)
• 5f707b6 chore: update versions (#147)
• 26cbffe chore: update pnpm to v10
• a9f35c9 fix: ensure .[cm]?[tj]sx? static assets are JS mime (#149)
• 94b04d5 chore: update packages (#148)
• 281f5b2 chore: add changeset for #146
• Additional commits viewable in compare view

Updates esbuild from 0.21.5 to 0.27.3

Release notes

Sourced from esbuild's releases.

v0.27.3

• Preserve URL fragments in data URLs (#4370)

  Consider the following HTML, CSS, and SVG:

  • index.html:

    <!DOCTYPE html>
    <html>
      <head><link rel="stylesheet" href="icons.css"></head>
      <body><div class="triangle"></div></body>
    </html>

  • icons.css:

    .triangle {
      width: 10px;
      height: 10px;
      background: currentColor;
      clip-path: url(./triangle.svg#x);
    }

  • triangle.svg:

    <svg xmlns="http://www.w3.org/2000/svg">
      <defs>
        <clipPath id="x">
          <path d="M0 0H10V10Z"/>
        </clipPath>
      </defs>
    </svg>

  The CSS uses a URL fragment (the #x) to reference the clipPath element in the SVG file. Previously esbuild's CSS bundler didn't preserve the URL fragment when bundling the SVG using the dataurl loader, which broke the bundled CSS. With this release, esbuild will now preserve the URL fragment in the bundled CSS:

  /* icons.css */
  .triangle {
    width: 10px;
    height: 10px;
    background: currentColor;
    clip-path: url('data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg"><defs><clipPath id="x"><path d="M0 0H10V10Z"/></clipPath></defs></svg>#x');
  }

... (truncated)

Changelog

Sourced from esbuild's changelog.

Changelog: 2024

This changelog documents all esbuild versions published in the year 2024 (versions 0.19.12 through 0.24.2).

0.24.2

• Fix regression with --define and import.meta (#4010, #4012, #4013)

  The previous change in version 0.24.1 to use a more expression-like parser for define values to allow quoted property names introduced a regression that removed the ability to use --define:import.meta=.... Even though import is normally a keyword that can't be used as an identifier, ES modules special-case the import.meta expression to behave like an identifier anyway. This change fixes the regression.

  This fix was contributed by @​sapphi-red.

0.24.1

• Allow es2024 as a target in tsconfig.json (#4004)

  TypeScript recently added es2024 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2024"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

  This fix was contributed by @​billyjanitsch.

• Allow automatic semicolon insertion after get/set

  This change fixes a grammar bug in the parser that incorrectly treated the following code as a syntax error:

  class Foo {
    get
    *x() {}
    set
    *y() {}
  }

  The above code will be considered valid starting with this release. This change to esbuild follows a similar change to TypeScript which will allow this syntax starting with TypeScript 5.7.

• Allow quoted property names in --define and --pure (#4008)

  The define and pure API options now accept identifier expressions containing quoted property names. Previously all identifiers in the identifier expression had to be bare identifiers. This change now makes --define and --pure consistent with --global-name, which already supported quoted property names. For example, the following is now possible:

... (truncated)

Commits

• 9129e00 publish 0.27.3 to npm
• e20e411 small fix to release notes
• 0dc0f2d fix #4322: parse and print CSS @scope rules
• 55fe391 update firefox css gradient support
• 2c35297 update gradient lowering transform
• 9209e44 Update Go to 1.25.7 (#4388)
• e8d861b close #4374: compat table for the using feature
• 19b8887 no longer need williamkapke/node-compat-table
• 7e44218 the kangax/compat-table repo moved to a new url
• 23b9338 run make update-compat-table
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for esbuild since your current version.

Updates glob from 10.3.12 to 10.5.0

Changelog

Sourced from glob's changelog.

changeglob

13

• Move the CLI program out to a separate package, glob-bin. Install that if you'd like to continue using glob from the command line.

12

• Remove the unsafe --shell option. The --shell option is now ONLY supported on known shells where the behavior can be implemented safely.

11.1

GHSA-5j98-mcp5-4vw2

• Add the --shell option for the command line, with a warning that this is unsafe. (It will be removed in v12.)
• Add the --cmd-arg/-g as a way to safely add positional arguments to the command provided to the CLI tool.
• Detect commands with space or quote characters on known shells, and pass positional arguments to them safely, avoiding shell:true execution.

11.0

• Drop support for node before v20

10.4

• Add includeChildMatches: false option
• Export the Ignore class

10.3

• Add --default -p flag to provide a default pattern
• exclude symbolic links to directories when follow and nodir are both set

10.2

• Add glob cli

10.1

• Return '.' instead of the empty string '' when the current working directory is returned as a match.
• Add posix: true option to return / delimited paths, even on

... (truncated)

Commits

• 56774ef 10.5.0
• 1e4e297 bin: Do not expose filenames to shell expansion
• 1f0c1ca 10.4.5
• eaf31dc whatever, just allow any engines
• 7827516 10.4.4
• d06c8f8 restore support for node 14.latest and 16.latest
• c14b787 10.4.3
• 8a69def node 14 no longer supported
• eef7ea3 10.4.2
• c76a7d2 use package-json-from-dist to look up package.json
• Additional commits viewable in compare view

Updates form-data from 4.0.0 to 4.0.5

Release notes

Sourced from form-data's releases.

v4.0.4

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)
• fix (npmignore): ignore temporary build files [#532](https://github.com/form-data/form-data/issues/532)

Fixed

• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available (#573) [#396](https://github.com/form-data/form-data/issues/396)
• [Fix] set Symbol.toStringTag when available [#396](https://github.com/form-data/form-data/issues/396)

Commits

... (truncated)

Changelog

Sourced from form-data's changelog.

v4.0.5 - 2025-11-17

Commits

• [Tests] Switch to newer v8 prediction library; enable node 24 testing 16e0076
• [Dev Deps] update @ljharb/eslint-config, eslint 5822467
• [Fix] set Symbol.toStringTag in the proper place 76d0dee

v4.0.4 - 2025-07-16

Commits

• [meta] add auto-changelog 811f682
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23 1d11a76
• [Fix] Switch to using crypto random for boundary values 3d17230
• [Tests] fix linting errors 5e34080
• [meta] actually ensure the readme backup isn’t published 316c82b
• [Dev Deps] update @ljharb/eslint-config 58c25d7
• [meta] fix readme capitalization 2300ca1

v4.0.3 - 2025-06-05

Fixed

• [Fix] append: avoid a crash on nullish values [#577](https://github.com/form-data/form-data/issues/577)

Commits

• [eslint] use a shared config 426ba9a
• [eslint] fix some spacing issues 2094191
• [Refactor] use hasown 81ab41b
• [Fix] validate boundary type in setBoundary() method 8d8e469
• [Tests] add tests to check the behavior of getBoundary with non-strings 837b8a1
• [Dev Deps] remove unused deps 870e4e6
• [meta] remove local commit hooks e6e83cc
• [Dev Deps] update eslint 4066fd6
• [meta] fix scripts to use prepublishOnly c4bbb13

v4.0.2 - 2025-02-14

Merged

• [Fix] set Symbol.toStringTag when available [#573](https://github.com/form-data/form-data/issues/573)
• [Fix] set Sym...

  Description has been truncated