chore(deps): bump the server-deps group across 1 directory with 20 updates #245

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/server-deps-d60ee8f4c4

dependabot[bot] commented on behalf of github on May 20, 2026

Bumps the server-deps group with 20 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| ip-address | 10.1.0 | 10.2.0 |
| @tanstack/react-query | 5.96.2 | 5.100.11 |
| @tiptap/extension-placeholder | 3.22.2 | 3.23.5 |
| @tiptap/react | 3.22.2 | 3.23.5 |
| @tiptap/starter-kit | 3.22.2 | 3.23.5 |
| axios | 1.14.0 | 1.16.1 |
| dompurify | 3.3.3 | 3.4.5 |
| react | 19.2.4 | 19.2.6 |
| @types/react | 19.2.14 | 19.2.15 |
| react-dom | 19.2.4 | 19.2.6 |
| react-router-dom | 7.14.0 | 7.15.1 |
| @prisma/adapter-pg | 7.7.0 | 7.8.0 |
| @prisma/client | 7.7.0 | 7.8.0 |
| dotenv | 17.4.1 | 17.4.2 |
| nodemailer | 8.0.5 | 8.0.7 |
| pg | 8.20.0 | 8.21.0 |
| prisma | 7.7.0 | 7.8.0 |
| puppeteer | 24.40.0 | 25.0.4 |
| sanitize-html | 2.17.2 | 2.17.4 |
| zod | 4.3.6 | 4.4.3 |

Updates ip-address from 10.1.0 to 10.2.0

Commits

Updates @tanstack/react-query from 5.96.2 to 5.100.11

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.11
    • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-next-experimental@​5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.100.11

@​tanstack/react-query-persist-client@​5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.100.11
    • @​tanstack/react-query@​5.100.11

@​tanstack/react-query@​5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.11

@​tanstack/react-query-devtools@​5.100.9

Patch Changes

  • Updated dependencies [3d21cac]:
    • @​tanstack/query-devtools@​5.100.9
    • @​tanstack/react-query@​5.100.9

@​tanstack/react-query-next-experimental@​5.100.9

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.100.9

@​tanstack/react-query-persist-client@​5.100.9

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.100.9
    • @​tanstack/react-query@​5.100.9

@​tanstack/react-query@​5.100.9

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.11

5.100.10

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

  • Updated dependencies [fcee7bd]:
    • @​tanstack/query-core@​5.100.9

5.100.8

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.8

5.100.7

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.7

5.100.6

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.6

5.100.5

Patch Changes

  • Updated dependencies [a53ef97]:
    • @​tanstack/query-core@​5.100.5

5.100.4

... (truncated)

Commits

Updates @tiptap/extension-placeholder from 3.22.2 to 3.23.5

Release notes

Sourced from @​tiptap/extension-placeholder's releases.

v3.23.5

@​tiptap/markdown

Patch Changes

  • 7bf0e73: Fix extra mark tokens after inline atom nodes during Markdown serialization
  • 7bf0e73: Fix adjacent marks of the same type with different attributes being merged during Markdown serialization
  • Updated dependencies [7bf0e73]
  • Updated dependencies [7bf0e73]
    • @​tiptap/core@​3.23.5
    • @​tiptap/pm@​3.23.5

@​tiptap/core

Patch Changes

  • 7bf0e73: Fix $pos() returning correct node for non-text atom nodes instead of doc node
  • 7bf0e73: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().
  • @​tiptap/pm@​3.23.5

@​tiptap/react

Patch Changes

  • 7bf0e73: Respect explicit immediatelyRender: true in client-side Next.js. Previously, when running under Next.js (window.next present), the immediatelyRender option was forced to false even when the user explicitly passed true, breaking client-only Next.js apps that rely on the editor existing on the first render. The hook now only forces false when actual SSR is detected (typeof window === 'undefined'), or when running under Next.js with no explicit value.
  • 7bf0e73: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().
  • Updated dependencies [7bf0e73]
  • Updated dependencies [7bf0e73]
    • @​tiptap/core@​3.23.5
    • @​tiptap/pm@​3.23.5

@​tiptap/vue-2

Patch Changes

  • 7bf0e73: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry.

... (truncated)

Changelog

Sourced from @​tiptap/extension-placeholder's changelog.

3.23.5

Patch Changes

  • @​tiptap/extensions@​3.23.5

3.23.4

Patch Changes

  • Updated dependencies [57e53c1]
    • @​tiptap/extensions@​3.23.4

3.23.3

Patch Changes

  • @​tiptap/extensions@​3.23.3

3.23.2

Patch Changes

  • @​tiptap/extensions@​3.23.2

3.23.1

Patch Changes

  • @​tiptap/extensions@​3.23.1

3.23.0

Patch Changes

  • @​tiptap/extensions@​3.23.0

3.22.5

Patch Changes

  • @​tiptap/extensions@​3.22.5

3.22.4

Patch Changes

  • 27ea931: Fix dependencies installation after packages updates producing peer dependency resolution conflicts
  • Updated dependencies [27ea931]
    • @​tiptap/extensions@​3.22.4

... (truncated)

Commits
  • d9daae0 chore(release): publish a new stable version (#7835)
  • 9d9cc06 chore(release): publish a new stable version (#7822)
  • 0f05ae7 chore(release): publish a new stable version (#7821)
  • 817c490 chore(release): publish a new stable version
  • a48290e chore(release): publish a new stable version (#7808)
  • 0520d9d chore(release): publish a new stable version (#7784)
  • 898a8ed chore(release): publish a new stable version (#7756)
  • dec9735 chore(release): publish a new stable version (#7727)
  • 27ea931 fix: restrict peer dependency ranges to avoid npm resolution conflicts (#7593)
  • 626b052 chore(release): publish a new stable version (#7714)
  • See full diff in compare view

Updates @tiptap/react from 3.22.2 to 3.23.5

Changelog

Sourced from @​tiptap/react's changelog.

3.23.5

Patch Changes

  • b5f34fc: Respect explicit immediatelyRender: true in client-side Next.js. Previously, when running under Next.js (window.next present), the immediatelyRender option was forced to false even when the user explicitly passed true, breaking client-only Next.js apps that rely on the editor existing on the first render. The hook now only forces false when actual SSR is detected (typeof window === 'undefined'), or when running under Next.js with no explicit value.

  • 95e138c: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking

    NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().

  • Updated dependencies [835caf5]

  • Updated dependencies [95e138c]

    • @​tiptap/core@​3.23.5
    • @​tiptap/pm@​3.23.5

3.23.4

Patch Changes

  • @​tiptap/core@​3.23.4
  • @​tiptap/pm@​3.23.4

3.23.3

Patch Changes

  • @​tiptap/core@​3.23.3
  • @​tiptap/pm@​3.23.3

3.23.2

Patch Changes

  • 30e0b58: Default immediatelyRender to false in SSR environments instead of throwing an error

    Previously, omitting immediatelyRender in an SSR environment (e.g. Next.js) would throw an error in development and silently return null in production. This was a common source of crashes, especially when AI-generated code set up the editor without explicitly passing immediatelyRender: false. The hook now defaults immediatelyRender to true, but automatically sets it to false when SSR is detected, logging a warning in development instead of throwing.

  • Updated dependencies [f98eaaf]

    • @​tiptap/core@​3.23.2
    • @​tiptap/pm@​3.23.2

3.23.1

Patch Changes

  • @​tiptap/core@​3.23.1
  • @​tiptap/pm@​3.23.1

... (truncated)

Commits
  • d9daae0 chore(release): publish a new stable version (#7835)
  • 95e138c fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking...
  • b5f34fc fix(react): respect explicit immediatelyRender on client-side Next.js
  • 9d9cc06 chore(release): publish a new stable version (#7822)
  • 0f05ae7 chore(release): publish a new stable version (#7821)
  • 817c490 chore(release): publish a new stable version
  • 30e0b58 fix(react): default immediatelyRender to false in SSR environments (#7761)
  • a48290e chore(release): publish a new stable version (#7808)
  • 0520d9d chore(release): publish a new stable version (#7784)
  • 898a8ed chore(release): publish a new stable version (#7756)
  • Additional commits viewable in compare view

Updates @tiptap/starter-kit from 3.22.2 to 3.23.5

Changelog

Sourced from @​tiptap/starter-kit's changelog.

3.23.5

Patch Changes

  • Updated dependencies [835caf5]
  • Updated dependencies [95e138c]
    • @​tiptap/core@​3.23.5
    • @​tiptap/extension-blockquote@​3.23.5
    • @​tiptap/extension-bold@​3.23.5
    • @​tiptap/extension-code@​3.23.5
    • @​tiptap/extension-code-block@​3.23.5
    • @​tiptap/extension-document@​3.23.5
    • @​tiptap/extension-hard-break@​3.23.5
    • @​tiptap/extension-heading@​3.23.5
    • @​tiptap/extension-horizontal-rule@​3.23.5
    • @​tiptap/extension-italic@​3.23.5
    • @​tiptap/extension-link@​3.23.5
    • @​tiptap/extension-list@​3.23.5
    • @​tiptap/extension-paragraph@​3.23.5
    • @​tiptap/extension-strike@​3.23.5
    • @​tiptap/extension-text@​3.23.5
    • @​tiptap/extension-underline@​3.23.5
    • @​tiptap/extensions@​3.23.5
    • @​tiptap/extension-list-item@​3.23.5
    • @​tiptap/extension-list-keymap@​3.23.5
    • @​tiptap/extension-bullet-list@​3.23.5
    • @​tiptap/extension-ordered-list@​3.23.5
    • @​tiptap/extension-dropcursor@​3.23.5
    • @​tiptap/extension-gapcursor@​3.23.5
    • @​tiptap/pm@​3.23.5

3.23.4

Patch Changes

  • Updated dependencies [57e53c1]
    • @​tiptap/extensions@​3.23.4
    • @​tiptap/extension-dropcursor@​3.23.4
    • @​tiptap/extension-gapcursor@​3.23.4
    • @​tiptap/extension-list-item@​3.23.4
    • @​tiptap/extension-list-keymap@​3.23.4
    • @​tiptap/core@​3.23.4
    • @​tiptap/extension-blockquote@​3.23.4
    • @​tiptap/extension-bold@​3.23.4
    • @​tiptap/extension-bullet-list@​3.23.4
    • @​tiptap/extension-code@​3.23.4
    • @​tiptap/extension-code-block@​3.23.4
    • @​tiptap/extension-document@​3.23.4
    • @​tiptap/extension-hard-break@​3.23.4
    • @​tiptap/extension-heading@​3.23.4

... (truncated)

Commits

Updates axios from 1.14.0 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

  • Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
  • Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
  • CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

  • Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
  • Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
  • XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
  • Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
  • Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
  • URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

  • Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
  • composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
  • AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
  • Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
  • Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
  • Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Commits
  • 1337d6b chore(release): prepare release 1.16.1 (#10877)
  • 858a790 fix: remove all caches (#10882)
  • 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
  • 847d89b fix: support URL object as config.url input (#10866)
  • 4094886 fix(progress): guard malformed XHR upload events (#10868)
  • 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
  • 64e1095 chore: update PR and issue template to use h2 (#10865)
  • 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
  • c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
  • caa00a9 fix: https data in cleartext to proxy (#10858)
  • Additional commits viewable in compare view

Updates dompurify from 3.3.3 to 3.4.5

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

DOMPurify 3.4.4

  • Added the selectedcontent element to default allow-list, thanks @​lukewarlow
  • Added the command and commandfor attributes to default allowed-list, thanks @​lukewarlow
  • Added better template scrubbing for IN_PLACE operations, thanks @​DEMON1A
  • Added stronger checks for cross-realm windows, thanks @​DEMON1A & @​fg0x0
  • Updated demo website and made sure it uses the latest from main
  • Updated existing workflows, fuzzer, dependabot, etc., added more tests
  • Bumped several dependencies where possible

🚨 This release had been flagged as deprecated, please use DOMPurify 3.4.5 instead 🚨

DOMPurify 3.4.3

  • Fixed an issue with handling of nested Shadow DOM trees, thanks @​fishjojo1
  • Fixed the template regexes to be more robust against ReDoS attacks, thanks @​aleung27
  • Updated the node iteration code to catch more Shadow DOM related issues
  • Updated Playwright and added Node 26 to test matrix
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

DOMPurify 3.4.2

  • Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
  • Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

DOMPurify 3.4.1

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

DOMPurify 3.4.0

Most relevant changes:

  • Fixed a problem with FORBID_TAGS not winning over ADD_TAGS, thanks @​kodareef5
  • Fixed several minor problems and typos regarding MathML attributes, thanks @​DavidOliver
  • Fixed ADD_ATTR/ADD_TAGS function leaking into subsequent array-based calls, thanks @​1Jesper1
  • Fixed a missing SAFE_FOR_TEMPLATES scrub in RETURN_DOM path, thanks @​bencalif
  • Fixed a prototype pollution via CUSTOM_ELEMENT_HANDLING, thanks @​trace37labs
  • Fixed an issue with ADD_TAGS function form bypassing FORBID_TAGS, thanks @​eddieran
  • Fixed an issue with ADD_ATTR predicates skipping URI validation, thanks @​christos-eth

... (truncated)

Commits
Install script changes

This version adds a prepare script that runs during installation. Review the package contents before updating.


Updates react from 19.2.4 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

19.2.5 (April 8th, 2026)

React Server Components

Commits

Updates `@types/re...

Description has been truncated
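
The axios 1.16.1 release note quoted above says `formDataToJSON` was hardened by "walking own properties only". The following is an added illustration of that difference, not axios source code and not part of the original PR; the function names and the `injected` key are hypothetical, constructed for this example.

```javascript
// Added illustration, not axios source code. Function names are hypothetical.

// Converts an array-like value into a plain object with for...in.
// for...in also visits enumerable properties inherited through the
// prototype chain, so a polluted Object.prototype leaks into the result
// and becomes an own property of the output.
function toObjectWalkingInherited(source) {
  const out = {};
  for (const key in source) {
    out[key] = source[key];
  }
  return out;
}

// Same conversion restricted to the value's own enumerable properties.
function toObjectWalkingOwn(source) {
  const out = {};
  for (const key of Object.keys(source)) {
    out[key] = source[key];
  }
  return out;
}

// Simulates the precondition named in the release note (an already-polluted
// Object.prototype), runs fn, and always restores the prototype afterwards.
// The key "injected" is a constructed sample value.
function withPollutedPrototype(fn) {
  Object.prototype.injected = 'from-prototype';
  try {
    return fn();
  } finally {
    delete Object.prototype.injected;
  }
}

// Runs both conversions on the same input under the polluted prototype and
// returns what each one would serialize.
function compareWalks() {
  const parsedField = ['a', 'b']; // constructed sample: values of a repeated form field
  return withPollutedPrototype(() => ({
    inherited: JSON.stringify(toObjectWalkingInherited(parsedField)),
    own: JSON.stringify(toObjectWalkingOwn(parsedField)),
  }));
}

console.log(compareWalks());
```

The inherited walk copies the prototype's key into the output as an own property, so it persists in the serialized result even after the prototype is cleaned up; the own-property walk never sees it.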

…dates

Bumps the server-deps group with 20 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.96.2` | `5.100.11` |
| [@tiptap/extension-placeholder](https://github.com/ueberdosis/tiptap/tree/HEAD/packages-deprecated/extension-placeholder) | `3.22.2` | `3.23.5` |
| [@tiptap/react](https://github.com/ueberdosis/tiptap/tree/HEAD/packages/react) | `3.22.2` | `3.23.5` |
| [@tiptap/starter-kit](https://github.com/ueberdosis/tiptap/tree/HEAD/packages/starter-kit) | `3.22.2` | `3.23.5` |
| [axios](https://github.com/axios/axios) | `1.14.0` | `1.16.1` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.5` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.4` | `19.2.6` |
| [@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react) | `19.2.14` | `19.2.15` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.4` | `19.2.6` |
| [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) | `7.14.0` | `7.15.1` |
| [@prisma/adapter-pg](https://github.com/prisma/prisma/tree/HEAD/packages/adapter-pg) | `7.7.0` | `7.8.0` |
| [@prisma/client](https://github.com/prisma/prisma/tree/HEAD/packages/client) | `7.7.0` | `7.8.0` |
| [dotenv](https://github.com/motdotla/dotenv) | `17.4.1` | `17.4.2` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `8.0.5` | `8.0.7` |
| [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) | `8.20.0` | `8.21.0` |
| [prisma](https://github.com/prisma/prisma/tree/HEAD/packages/cli) | `7.7.0` | `7.8.0` |
| [puppeteer](https://github.com/puppeteer/puppeteer) | `24.40.0` | `25.0.4` |
| [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) | `2.17.2` | `2.17.4` |
| [zod](https://github.com/colinhacks/zod) | `4.3.6` | `4.4.3` |



Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `@tanstack/react-query` from 5.96.2 to 5.100.11
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.11/packages/react-query)

Updates `@tiptap/extension-placeholder` from 3.22.2 to 3.23.5
- [Release notes](https://github.com/ueberdosis/tiptap/releases)
- [Changelog](https://github.com/ueberdosis/tiptap/blob/main/packages-deprecated/extension-placeholder/CHANGELOG.md)
- [Commits](https://github.com/ueberdosis/tiptap/commits/v3.23.5/packages-deprecated/extension-placeholder)

Updates `@tiptap/react` from 3.22.2 to 3.23.5
- [Release notes](https://github.com/ueberdosis/tiptap/releases)
- [Changelog](https://github.com/ueberdosis/tiptap/blob/main/packages/react/CHANGELOG.md)
- [Commits](https://github.com/ueberdosis/tiptap/commits/v3.23.5/packages/react)

Updates `@tiptap/starter-kit` from 3.22.2 to 3.23.5
- [Release notes](https://github.com/ueberdosis/tiptap/releases)
- [Changelog](https://github.com/ueberdosis/tiptap/blob/main/packages/starter-kit/CHANGELOG.md)
- [Commits](https://github.com/ueberdosis/tiptap/commits/v3.23.5/packages/starter-kit)

Updates `axios` from 1.14.0 to 1.16.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.14.0...v1.16.1)

Updates `dompurify` from 3.3.3 to 3.4.5
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.5)

Updates `react` from 19.2.4 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

Updates `@types/react` from 19.2.14 to 19.2.15
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `react-dom` from 19.2.4 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom)

Updates `react-router-dom` from 7.14.0 to 7.15.1
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router-dom@7.15.1/packages/react-router-dom)

Updates `@types/react` from 19.2.14 to 19.2.15
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react)

Updates `@prisma/adapter-pg` from 7.7.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/adapter-pg)

Updates `@prisma/client` from 7.7.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/client)

Updates `dotenv` from 17.4.1 to 17.4.2
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v17.4.1...v17.4.2)

Updates `nodemailer` from 8.0.5 to 8.0.7
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.5...v8.0.7)

Updates `pg` from 8.20.0 to 8.21.0
- [Changelog](https://github.com/brianc/node-postgres/blob/master/CHANGELOG.md)
- [Commits](https://github.com/brianc/node-postgres/commits/pg@8.21.0/packages/pg)

Updates `prisma` from 7.7.0 to 7.8.0
- [Release notes](https://github.com/prisma/prisma/releases)
- [Commits](https://github.com/prisma/prisma/commits/7.8.0/packages/cli)

Updates `puppeteer` from 24.40.0 to 25.0.4
- [Release notes](https://github.com/puppeteer/puppeteer/releases)
- [Changelog](https://github.com/puppeteer/puppeteer/blob/main/CHANGELOG.md)
- [Commits](puppeteer/puppeteer@puppeteer-v24.40.0...puppeteer-v25.0.4)

Updates `sanitize-html` from 2.17.2 to 2.17.4
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/HEAD/packages/sanitize-html)

Updates `zod` from 4.3.6 to 4.4.3
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.3)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.11
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@tiptap/extension-placeholder"
  dependency-version: 3.23.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@tiptap/react"
  dependency-version: 3.23.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@tiptap/starter-kit"
  dependency-version: 3.23.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: dompurify
  dependency-version: 3.4.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: "@types/react"
  dependency-version: 19.2.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: react-dom
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: react-router-dom
  dependency-version: 7.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@types/react"
  dependency-version: 19.2.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: "@prisma/adapter-pg"
  dependency-version: 7.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: "@prisma/client"
  dependency-version: 7.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: dotenv
  dependency-version: 17.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: nodemailer
  dependency-version: 8.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: pg
  dependency-version: 8.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: prisma
  dependency-version: 7.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
- dependency-name: puppeteer
  dependency-version: 25.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: server-deps
- dependency-name: sanitize-html
  dependency-version: 2.17.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: server-deps
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: server-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 20, 2026

dependabot Bot commented on behalf of github May 27, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 27, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/server-deps-d60ee8f4c4 branch May 27, 2026 01:57