chore(deps-dev): bump the npm-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the npm-dependencies group with 10 updates in the / directory:

Package	From	To
@apidevtools/json-schema-ref-parser	15.3.5	15.4.0
@redocly/cli	2.31.6	2.35.1
@types/glob	7.2.0	9.0.0
@types/node	25.9.1	26.0.1
axios	1.17.0	1.18.1
js-yaml	4.2.0	5.2.0
openapi-to-postmanv2	6.0.1	6.1.0
prettier	3.8.3	3.9.1
query-string	9.4.0	9.4.1
tar	7.5.16	7.5.19

Updates @apidevtools/json-schema-ref-parser from 15.3.5 to 15.4.0

Release notes

Sourced from @​apidevtools/json-schema-ref-parser's releases.

v15.4.0

15.4.0 (2026-06-19)

Features

• preserve compound schema refs when bundling (fa3cccb)

v15.3.6

15.3.6 (2026-06-11)

Bug Fixes

• block unsafe pointer set tokens (a786bc6)
• harden safe URL resolver (dea50b0)

Commits

• fa3cccb feat: preserve compound schema refs when bundling
• 53d0c1e Remove Claude config
• 5b1aee5 chore: migrate to pnpm
• dea50b0 fix: harden safe URL resolver
• a786bc6 fix: block unsafe pointer set tokens
• See full diff in compare view

Updates @redocly/cli from 2.31.6 to 2.35.1

Release notes

Sourced from @​redocly/cli's releases.

@​redocly/cli@​2.35.1

Patch Changes

• Updated undici to the 6.27.0 version.

@​redocly/cli@​2.35.0

Minor Changes

• Added support for validating Arazzo 1.1.0 descriptions syntax in the lint command.
• Added the spec-step-mutually-exclusive-fields Arazzo rule to flag steps that use more than one mutually exclusive operation field (operationId, operationPath, workflowId, channelPath, or x-operation).

@​redocly/cli@​2.34.0

Minor Changes

• Improved CLI install speed by bundling the CLI into a dependency-free package.

  Warning: The published package no longer ships runtime dependencies in node_modules. Plugins that relied on importing packages hoisted from the CLI (such as @redocly/openapi-core) must now declare those packages as their own dependencies.

@​redocly/cli@​2.33.2

Patch Changes

• Fixed a path traversal in the split command that might have written files outside the chosen --outDir.
• Updated @​redocly/openapi-core to v2.33.2.

@​redocly/cli@​2.33.1

Patch Changes

• Updated @​redocly/openapi-core to v2.33.1.

@​redocly/cli@​2.33.0

Minor Changes

• Added the --component-names-strategy option to the bundle command. This option allows a choice of how inline Schema components are named: basename (default) or title (from each schema's title field).

Patch Changes

• Updated @​redocly/openapi-core to v2.33.0.

@​redocly/cli@​2.32.2

Patch Changes

• Updated @​redocly/respect-core to v2.32.2.

@​redocly/cli@​2.32.1

Patch Changes

• Updated @​redocly/openapi-core to v2.32.1.

... (truncated)

Commits

• 9ae950e chore: 🔖 release new versions (#2916)
• 2c5679b fix: bump undici to 6.27.0 and use caret version (#2909)
• 926bfa7 chore: 🔖 release new versions (#2915)
• c24be70 feat: add support for validating Arazzo 1.1.0 (#2877)
• 57ee822 docs: add yaml parsing changes to the v2 migration guide (#2913)
• c6601f5 chore: update the formatting config and improve the contributing guide (#2910)
• bd0d0e0 chore: change cafe api domain (#2903)
• 5351433 chore: comment performance benchmark inline on same-repo PRs (#2900)
• 90e53cf chore: refactor specVersion binding for config and entities (#2876)
• 9df1224 chore: 🔖 release new versions (#2899)
• Additional commits viewable in compare view

Updates @types/glob from 7.2.0 to 9.0.0

Commits

• See full diff in compare view

Updates @types/node from 25.9.1 to 26.0.1

Commits

• See full diff in compare view

Updates axios from 1.17.0 to 1.18.1

Release notes

Sourced from axios's releases.

v1.18.1 — June 21, 2026

This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.

🐛 Bug Fixes

• AxiosError Serialisation: Made AxiosError#cause non-enumerable to prevent circular JSON serialisation failures when errors include nested causes. (#10913)
• Node HTTP Adapter: Guarded socket.setKeepAlive for proxy agent streams, accepted path-only URLs when socketPath is configured, deferred environment proxy handling to Node, and explicitly passed maxBodyLength through to follow-redirects. (#10917, #10930, #10942, #10993)
• Runtime and Type Correctness: Fixed several runtime crashes, type definition mismatches, and incorrect error handling paths. (#10959, #11021)
• AxiosURLSearchParams: Switched the encoder callback to an arrow function so encoder.call(this) receives the AxiosURLSearchParams instance correctly. (#11019)

🔧 Maintenance & Chores

• Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)

• Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​webdevelopersrinu (#10913)
• @​sijie-Z (#10993)
• @​bartlomieju (#11023)
• @​JSap0914 (#11019)

Full Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

Commits

• a209bfb chore(release): prepare release 1.18.1 (#11027)
• fa6a55e chore(deps-dev): bump multer from 2.1.1 to 2.2.0 (#11026)
• 40e7be8 docs: clarifies that request data is request-specific in axios (#11025)
• a446b39 fix(AxiosURLSearchParams): use arrow function so encoder.call(this) receives ...
• cf1306a docs: add Deno to install instructions (#11023)
• b32880a fix: incorrect use of error (#11021)
• 1792eda fix: ensure maxBodyLength is explicitly passed to follow-redirects (#10993)
• 30499d6 fix: various runtime crashes and type definition mismatches (#10959)
• 20ce9c4 fix(http): defer env proxy handling to Node (#10942)
• e64bcf9 chore(deps): merge branch 'v1.x' into tests/module/cjs (#11014)
• Additional commits viewable in compare view

Updates js-yaml from 4.2.0 to 5.2.0

Changelog

Sourced from js-yaml's changelog.

[5.2.0] - 2026-06-26

Added

• Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
• Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

• maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

• Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

• Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

• [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

• Added named exports for schemas, tags, parser events and AST utilities.
• Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
• Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
• Added dump() transform option for changing the generated AST before rendering.
• Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
• Added formal data layers (events and AST) for modular data pipelines.
  • Added low-level parser (to events), presenter and visitor APIs.
• Added the YAML Test Suite to the test set.

Changed

• See the migration guide for upgrade notes.
• Rewritten in TypeScript and reorganized the public API around flat named exports.
• Reduced the set of exported schemas:
  • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
  • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").

... (truncated)

Commits

• c28ed5e 5.2.0 released
• 125cd5a Add maxAliases option
• 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
• 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
• eb5cb5b fix: round-trip integers that stringify in exponential notation (#771)
• 89024c4 Update migration info, close #770
• f1e45cd 5.1.0 released
• 53b22be Fix constructor coverage
• a1eaa2b Fix quote style options and restore forceQuotes
• 0532e7d Add finalizers for immutable collection tags
• Additional commits viewable in compare view

Updates openapi-to-postmanv2 from 6.0.1 to 6.1.0

Changelog

Sourced from openapi-to-postmanv2's changelog.

[v6.1.0] - 2026-06-09

Commits

• f447553 Merge pull request #948 from postmanlabs/release/v6.1.0
• 960bf68 Prepare release v6.1.0
• db6bf14 feat: [AB-2326] add OpenAPI 3.2 support
• 1f84328 test(32X): add OAS 3.2 fixtures and unit tests mirroring 3.1 coverage
• 841712e feat(version): detect and dispatch OAS 3.2 documents
• 2163b55 feat(32X): add OAS 3.2 schema utils, input validation and bundle rules
• 70c1da6 Merge pull request #941 from postmanlabs/release/v6.0.1
• See full diff in compare view

Updates prettier from 3.8.3 to 3.9.1

Release notes

Sourced from prettier's releases.

3.9.1

• CLI: Fix ignored file has been cached incorrectly (#19483 by @​kovsu)

🔗 Changelog

3.9.0

diff

🔗 Prettier 3.9: Major parser upgrades and Formatting improvements

3.8.5

• Fix Flow variance annotation print (#19022 by @​marcoww6)

🔗 Changelog

3.8.4

• Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (prettier/prettier#17746 by @​byplayer)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.9.1

diff

CLI: Fix ignored file has been cached incorrectly (#19483 by @​kovsu)

Bug details prettier/prettier#18016

3.9.0

diff

🔗 Release Notes

3.8.5

diff

Flow: Support readonly as a variance annotation (#19022 by @​marcoww6)

Flow now accepts readonly as a property variance annotation, equivalent to + (covariant/read-only).

// Input
type T = {
  readonly foo: string,
};
// Prettier 3.8.4
SyntaxError
// Prettier 3.8.5
type T = {
readonly foo: string,
};

3.8.4

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a
</tr></table> 

... (truncated)

Commits

• c47654c Release 3.9.1
• 06159aa Fix bug in release script
• 4bc5ab4 Update file-entry-cache to 11.1.5 (#19483)
• b7fd58b Release @prettier/plugin-oxc@0.2.0 and @prettier/plugin-hermes@0.2.0
• 3006400 Revert changes in release script
• 7bef7db Git blame ignore 3.9.0
• bb817b1 Bump Prettier dependency to 3.9.0
• 05cf896 Clean changelog_unreleased
• 79f6cdf Disable finished steps
• 3613b1e Add blog post for v3.9 (#19414)
• Additional commits viewable in compare view

Updates query-string from 9.4.0 to 9.4.1

Release notes

Sourced from query-string's releases.

v9.4.1

• Fix relative URLs with fragments 872fb6f

---

sindresorhus/query-string@v9.4.0...v9.4.1

Commits

• c69443c 9.4.1
• 872fb6f Fix relative URLs with fragments
• f5daa07 Create security.md
• See full diff in compare view

Updates tar from 7.5.16 to 7.5.19

Commits

• be440da 7.5.19
• 2812e93 add maxDecompressionRatio guard against explosive decompression
• 9ecd4d2 7.5.18
• 9e78bf0 refuse to let header size be less than 0
• e02a4e9 pax: parse values according to known types
• 9cbdb31 7.5.17
• 7a635c2 terminate pax strings on nul bytes
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions