chore(deps): bump the server-deps group across 1 directory with 21 updates

[dependabot]

Bumps the server-deps group with 21 updates in the / directory:

Package	From	To
ip-address	10.1.0	10.2.0
@tanstack/react-query	5.96.2	5.101.0
@tiptap/extension-placeholder	3.22.2	3.25.0
@tiptap/react	3.22.2	3.25.0
@tiptap/starter-kit	3.22.2	3.25.0
axios	1.14.0	1.17.0
dompurify	3.3.3	3.4.8
react	19.2.4	19.2.7
@types/react	19.2.14	19.2.16
react-dom	19.2.4	19.2.7
react-router-dom	7.14.0	7.16.0
@prisma/adapter-pg	7.7.0	7.8.0
@prisma/client	7.7.0	7.8.0
dotenv	17.4.1	17.4.2
helmet	8.1.0	8.2.0
nodemailer	8.0.5	8.0.10
pg	8.20.0	8.21.0
prisma	7.7.0	7.8.0
puppeteer	24.40.0	25.1.0
sanitize-html	2.17.2	2.17.4
zod	4.3.6	4.4.3

Updates ip-address from 10.1.0 to 10.2.0

Commits

• 80fccaa 10.2.0
• abaeb4d Type Address4.addressMinusSuffix as non-nilable (closes #143)
• 2878c29 Preserve subnet prefix through Address6.to4() (closes #123) (#203)
• 586666e Reject trailing junk in Address6.fromURL (closes #158) (#202)
• 80bc76e Validate static factories instead of silently overflowing (#201)
• 98927be Clarify isValid() accepts CIDRs with host bits set (#81)
• a0eb073 Fix getScope() and broaden getType() classification (closes #122) (#200)
• ec52105 Add networkForm() for CIDR network-address strings (#199)
• a9443a7 Add isMapped4() predicate for IPv4-mapped IPv6 addresses (closes #62) (#198)
• f01d742 Add address-property predicates (private, ULA, loopback, link-local, etc.) (#...
• Additional commits viewable in compare view

Updates @tanstack/react-query from 5.96.2 to 5.101.0

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

• Updated dependencies [3042860, e631dc3]:
  • @​tanstack/query-devtools@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-next-experimental@​5.101.0

Patch Changes

• #10857 7cf5923 - fix(react-query-next-experimental): replace deprecated 'isServer' with 'environmentManager.isServer()'

• Updated dependencies []:

  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query-persist-client@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.101.0
  • @​tanstack/react-query@​5.101.0

@​tanstack/react-query@​5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-devtools@​5.100.14

@​tanstack/react-query-next-experimental@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14

@​tanstack/react-query-persist-client@​5.100.14

Patch Changes

• Updated dependencies [ed20b6d]:
  • @​tanstack/react-query@​5.100.14
  • @​tanstack/query-persist-client-core@​5.100.14

@​tanstack/react-query@​5.100.14

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.101.0

5.100.14

Patch Changes

• fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

• Updated dependencies []:

  • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

• Updated dependencies [d423168]:
  • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.11

5.100.10

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

• Updated dependencies [fcee7bd]:
  • @​tanstack/query-core@​5.100.9

... (truncated)

Commits

• f3d8d2a ci: Version Packages (#10774)
• 532bb29 fix(tests): disable local coverage instrumentation (#10776)
• ba6e7be ci: Version Packages (#10767)
• ed20b6d fix(react): do not go into optimistic fetching state when not subscribed (#10...
• 05cf2bc ci: Version Packages (#10758)
• d423168 fix(query-core): use built-in NoInfer for generic indexed-access types (#10593)
• 5ff4f69 ci: Version Packages (#10755)
• 3e85350 ci: Version Packages (#10706)
• 9d2692c ci: Version Packages (#10695)
• 74fa05e chore(tsconfig.json): narrow 'include' pattern to prevent TS6053 race conditi...
• Additional commits viewable in compare view

Updates @tiptap/extension-placeholder from 3.22.2 to 3.25.0

Release notes

Sourced from @​tiptap/extension-placeholder's releases.

v3.25.0

@​tiptap/core

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• 711c2e3: Add clearable mark option (default true). unsetAllMarks now skips marks with clearable: false, so semantic marks like comments are not removed by "clear formatting".

• 711c2e3: Add attrsEqual and marksEqual utility functions to @tiptap/core. attrsEqual compares two attribute objects for equality regardless of key ordering. marksEqual compares two arrays of mark objects by type and attributes using attrsEqual.

• 711c2e3: Fix plain-text copy of table cell selections including content from unselected cells in between. Each selected range is now serialized independently and joined in document order, so dragging upward (reverse selection) also produces output in document order.

• Updated dependencies [711c2e3]

  • @​tiptap/pm@​3.25.0

@​tiptap/extension-file-handler

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

  • @​tiptap/core@​3.25.0
  • @​tiptap/pm@​3.25.0
  • @​tiptap/extension-text-style@​3.25.0

@​tiptap/extension-image

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• 711c2e3: Fix HTMLAttributes not being applied to the editor DOM when resize is enabled. The addNodeView path was using only the resolved node attributes and skipping the user-configured HTMLAttributes option. Now it merges them consistently with how renderHTML already works.

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

  • @​tiptap/core@​3.25.0

@​tiptap/extension-list

Minor Changes

• 711c2e3: ListKeymap's Backspace handler now lifts the current list item before merging. At the start of a non-first list item, the item is lifted out of its wrapping list (splitting the list around it) instead of immediately joining its content into the previous item. A second Backspace then hits the existing "paragraph after a list" branch and merges the lifted textblock's content into the previous list's last item. Mirrors the two-step behavior introduced for blockquote in #7891.

... (truncated)

Changelog

Sourced from @​tiptap/extension-placeholder's changelog.

3.25.0

Patch Changes

• Updated dependencies
  • @​tiptap/extensions@​3.25.0

3.24.0

Patch Changes

• Updated dependencies [2d05614]
  • @​tiptap/extensions@​3.24.0

3.23.6

Patch Changes

• Updated dependencies [937ff2e]
  • @​tiptap/extensions@​3.23.6

3.23.5

Patch Changes

• @​tiptap/extensions@​3.23.5

3.23.4

Patch Changes

• Updated dependencies [57e53c1]
  • @​tiptap/extensions@​3.23.4

3.23.3

Patch Changes

• @​tiptap/extensions@​3.23.3

3.23.2

Patch Changes

• @​tiptap/extensions@​3.23.2

3.23.1

Patch Changes

... (truncated)

Commits

• 5d50336 chore(release): publish a new stable version
• 6817d14 chore(release): publish a new stable version
• a42a8d6 chore: migrate linting and formatting from ESLint/Prettier to oxlint/oxfmt (o...
• 195b13f chore(release): publish a new stable version (#7854)
• d9daae0 chore(release): publish a new stable version (#7835)
• 9d9cc06 chore(release): publish a new stable version (#7822)
• 0f05ae7 chore(release): publish a new stable version (#7821)
• 817c490 chore(release): publish a new stable version
• a48290e chore(release): publish a new stable version (#7808)
• 0520d9d chore(release): publish a new stable version (#7784)
• Additional commits viewable in compare view

Updates @tiptap/react from 3.22.2 to 3.25.0

Release notes

Sourced from @​tiptap/react's releases.

v3.25.0

@​tiptap/core

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• 711c2e3: Add clearable mark option (default true). unsetAllMarks now skips marks with clearable: false, so semantic marks like comments are not removed by "clear formatting".

• 711c2e3: Add attrsEqual and marksEqual utility functions to @tiptap/core. attrsEqual compares two attribute objects for equality regardless of key ordering. marksEqual compares two arrays of mark objects by type and attributes using attrsEqual.

• 711c2e3: Fix plain-text copy of table cell selections including content from unselected cells in between. Each selected range is now serialized independently and joined in document order, so dragging upward (reverse selection) also produces output in document order.

• Updated dependencies [711c2e3]

  • @​tiptap/pm@​3.25.0

@​tiptap/extension-file-handler

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

  • @​tiptap/core@​3.25.0
  • @​tiptap/pm@​3.25.0
  • @​tiptap/extension-text-style@​3.25.0

@​tiptap/extension-image

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• 711c2e3: Fix HTMLAttributes not being applied to the editor DOM when resize is enabled. The addNodeView path was using only the resolved node attributes and skipping the user-configured HTMLAttributes option. Now it merges them consistently with how renderHTML already works.

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

  • @​tiptap/core@​3.25.0

@​tiptap/extension-list

Minor Changes

• 711c2e3: ListKeymap's Backspace handler now lifts the current list item before merging. At the start of a non-first list item, the item is lifted out of its wrapping list (splitting the list around it) instead of immediately joining its content into the previous item. A second Backspace then hits the existing "paragraph after a list" branch and merges the lifted textblock's content into the previous list's last item. Mirrors the two-step behavior introduced for blockquote in #7891.

... (truncated)

Changelog

Sourced from @​tiptap/react's changelog.

3.25.0

Patch Changes

• Updated dependencies [ec291dd]
• Updated dependencies [454e9b8]
• Updated dependencies [9cf8db0]
• Updated dependencies [c1a2ce8]
• Updated dependencies [3d4f94c]
  • @​tiptap/core@​3.25.0
  • @​tiptap/pm@​3.25.0

3.24.0

Patch Changes

• Updated dependencies [7c0499b]
  • @​tiptap/pm@​3.24.0
  • @​tiptap/core@​3.24.0

3.23.6

Patch Changes

• Updated dependencies [d168376]
  • @​tiptap/core@​3.23.6
  • @​tiptap/pm@​3.23.6

3.23.5

Patch Changes

• b5f34fc: Respect explicit immediatelyRender: true in client-side Next.js. Previously, when running under Next.js (window.next present), the immediatelyRender option was forced to false even when the user explicitly passed true, breaking client-only Next.js apps that rely on the editor existing on the first render. The hook now only forces false when actual SSR is detected (typeof window === 'undefined'), or when running under Next.js with no explicit value.

• 95e138c: fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking

  NodeViews no longer re-render when decorations or position change without content changes. Added trackNodeViewPosition option — when enabled, the component re-renders on every position shift so calls to getPos() stay current in render output. Removed the internal nodeViewPositionRegistry. Added shallow prop comparison in ReactRenderer.updateProps().

• Updated dependencies [835caf5]

• Updated dependencies [95e138c]

  • @​tiptap/core@​3.23.5
  • @​tiptap/pm@​3.23.5

3.23.4

Patch Changes

... (truncated)

Commits

• 5d50336 chore(release): publish a new stable version
• 6817d14 chore(release): publish a new stable version
• a42a8d6 chore: migrate linting and formatting from ESLint/Prettier to oxlint/oxfmt (o...
• 195b13f chore(release): publish a new stable version (#7854)
• d9daae0 chore(release): publish a new stable version (#7835)
• 95e138c fix(nodeview): eliminate unnecessary re-renders, add opt-in position tracking...
• b5f34fc fix(react): respect explicit immediatelyRender on client-side Next.js
• 9d9cc06 chore(release): publish a new stable version (#7822)
• 0f05ae7 chore(release): publish a new stable version (#7821)
• 817c490 chore(release): publish a new stable version
• Additional commits viewable in compare view

Updates @tiptap/starter-kit from 3.22.2 to 3.25.0

Release notes

Sourced from @​tiptap/starter-kit's releases.

v3.25.0

@​tiptap/core

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• 711c2e3: Add clearable mark option (default true). unsetAllMarks now skips marks with clearable: false, so semantic marks like comments are not removed by "clear formatting".

• 711c2e3: Add attrsEqual and marksEqual utility functions to @tiptap/core. attrsEqual compares two attribute objects for equality regardless of key ordering. marksEqual compares two arrays of mark objects by type and attributes using attrsEqual.

• 711c2e3: Fix plain-text copy of table cell selections including content from unselected cells in between. Each selected range is now serialized independently and joined in document order, so dragging upward (reverse selection) also produces output in document order.

• Updated dependencies [711c2e3]

  • @​tiptap/pm@​3.25.0

@​tiptap/extension-file-handler

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

  • @​tiptap/core@​3.25.0
  • @​tiptap/pm@​3.25.0
  • @​tiptap/extension-text-style@​3.25.0

@​tiptap/extension-image

Patch Changes

• 711c2e3: Fix: dragging an inline/resizable image within the editor no longer creates a duplicate

  When the Image extension was configured with inline: true or resize enabled, dragging an image within the editor could insert a duplicate at the drop position instead of moving it. This happened because the browser's native image drag behavior could populate dataTransfer.files, causing the FileHandler extension to intercept the drop before ProseMirror's internal move logic could run.

• 711c2e3: Fix HTMLAttributes not being applied to the editor DOM when resize is enabled. The addNodeView path was using only the resolved node attributes and skipping the user-configured HTMLAttributes option. Now it merges them consistently with how renderHTML already works.

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

• Updated dependencies [711c2e3]

  • @​tiptap/core@​3.25.0

@​tiptap/extension-list

Minor Changes

• 711c2e3: ListKeymap's Backspace handler now lifts the current list item before merging. At the start of a non-first list item, the item is lifted out of its wrapping list (splitting the list around it) instead of immediately joining its content into the previous item. A second Backspace then hits the existing "paragraph after a list" branch and merges the lifted textblock's content into the previous list's last item. Mirrors the two-step behavior introduced for blockquote in #7891.

... (truncated)

Changelog

Sourced from @​tiptap/starter-kit's changelog.

3.25.0

Patch Changes

• Updated dependencies [ec291dd]
• Updated dependencies [8dc5694]
• Updated dependencies [45237e7]
• Updated dependencies [454e9b8]
• Updated dependencies
• Updated dependencies [9cf8db0]
• Updated dependencies [c1a2ce8]
• Updated dependencies [3d4f94c]
• Updated dependencies [7d0ce2a]
  • @​tiptap/core@​3.25.0
  • @​tiptap/extension-list@​3.25.0
  • @​tiptap/extensions@​3.25.0
  • @​tiptap/pm@​3.25.0
  • @​tiptap/extension-code@​3.25.0
  • @​tiptap/extension-blockquote@​3.25.0
  • @​tiptap/extension-bold@​3.25.0
  • @​tiptap/extension-code-block@​3.25.0
  • @​tiptap/extension-document@​3.25.0
  • @​tiptap/extension-hard-break@​3.25.0
  • @​tiptap/extension-heading@​3.25.0
  • @​tiptap/extension-horizontal-rule@​3.25.0
  • @​tiptap/extension-italic@​3.25.0
  • @​tiptap/extension-link@​3.25.0
  • @​tiptap/extension-paragraph@​3.25.0
  • @​tiptap/extension-strike@​3.25.0
  • @​tiptap/extension-text@​3.25.0
  • @​tiptap/extension-underline@​3.25.0
  • @​tiptap/extension-list-item@​3.25.0
  • @​tiptap/extension-list-keymap@​3.25.0
  • @​tiptap/extension-bullet-list@​3.25.0
  • @​tiptap/extension-ordered-list@​3.25.0
  • @​tiptap/extension-dropcursor@​3.25.0
  • @​tiptap/extension-gapcursor@​3.25.0

3.24.0

Patch Changes

• Updated dependencies [7c0499b]
• Updated dependencies [2d05614]
  • @​tiptap/pm@​3.24.0
  • @​tiptap/extensions@​3.24.0
  • @​tiptap/core@​3.24.0
  • @​tiptap/extension-code-block@​3.24.0
  • @​tiptap/extension-horizontal-rule@​3.24.0
  • @​tiptap/extension-link@​3.24.0

... (truncated)

Commits

• 5d50336 chore(release): publish a new stable version
• 6817d14 chore(release): publish a new stable version
• a42a8d6 chore: migrate linting and formatting from ESLint/Prettier to oxlint/oxfmt (o...
• 195b13f chore(release): publish a new stable version (#7854)
• d9daae0 chore(release): publish a new stable version (#7835)
• 9d9cc06 chore(release): publish a new stable version (#7822)
• 0f05ae7 chore(release): publish a new stable version (#7821)
• 817c490 chore(release): publish a new stable version
• a48290e chore(release): publish a new stable version (#7808)
• 0520d9d chore(release): publish a new stable version (#7784)
• Additional commits viewable in compare view

Updates axios from 1.14.0 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

... (truncated)

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10...

  Description has been truncated