
Update non-major dependencies #117

Open

renovate[bot] wants to merge 1 commit into main from renovate/non-major-dependencies

Conversation


@renovate renovate Bot commented Apr 25, 2026

This PR contains the following updates:

| Package | Change | Type | Update |
| --- | --- | --- | --- |
| @actions/core (source) | 3.0.0 → 3.0.1 | dependencies | patch |
| actions/setup-node | v6.3.0 → v6.4.0 | action | minor |
| axios (source) | 1.15.1 → 1.16.0 | dependencies | minor |
| typescript-eslint (source) | 8.58.2 → 8.59.1 | devDependencies | minor |
| yaml (source) | 2.8.3 → 2.8.4 | devDependencies | patch |
| zod (source) | 4.3.6 → 4.4.2 | dependencies | minor |

Release Notes

actions/toolkit (@actions/core)

v3.0.1

  • Bump undici from 6.23.0 to 6.24.1 #2348

actions/setup-node (actions/setup-node)

v6.4.0

axios/axios (axios)

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#​10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#​10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#​10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#​10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#​7378)
  • transformRequest input typing change was reverted. The typing change introduced in #​10745 was reverted in #​10810 after follow-up review — net behavior is unchanged from 1.15.2. (#​10745, #​10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#​10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #​6485). (#​10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#​6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#​10794, #​10800, #​6241, #​10822, #​10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#​10708, #​10819, #​7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#​10795, #​10772, #​10806, #​7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#​10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#​10724, #​7276, #​10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#​7414, #​6389, #​6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#​7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#​10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#​10588, #​7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#​10820, #​10791, #​10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#​10821, #​10782, #​10759, #​10804)
  • Reverted: Reverted the transformRequest input typing change from #​10745 after follow-up review. (#​10745, #​10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#​10785, #​10813, #​10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#​10790, #​10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:


v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

typescript-eslint/typescript-eslint (typescript-eslint)

v8.59.1

This was a version bump only for typescript-eslint to align it with other projects; there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

This was a version bump only for typescript-eslint to align it with other projects; there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

eemeli/yaml (yaml)

v2.8.4

  • Disable alias resolution with maxAliasCount:0 (#677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#676)

colinhacks/zod (zod)

v4.4.2

v4.4.1

v4.4.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the renovate label Apr 25, 2026
@renovate renovate Bot enabled auto-merge (squash) April 25, 2026 00:47
@github-actions

This update refreshes CI workflows by upgrading the Node setup action to v6.4.0 and bumps several core dependencies in both pr-review and pr-summary packages to their latest patch versions. These chore-based changes improve build stability, security, and align the project with the newest bug fixes.

Walkthrough

  • Chore: Upgraded actions/setup-node from v6.3.0 to v6.4.0 in CI workflows (build.yaml, code-quality.yaml).
  • Chore: Updated dependencies in pr-review and pr-summary packages:
    • @actions/core 3.0.0 → 3.0.1
    • axios 1.15.1 → 1.15.2
    • typescript-eslint 8.58.2 → 8.59.0

Model: o4-mini-2025-04-16 | Prompt Tokens: 1371 | Completion Tokens: 643

@github-actions github-actions Bot left a comment


Here is a friendly overview of your code enhanced by AI. Some suggestions are educated guesses rather than definitive answers, so feel free to pick what fits your style. You guide the process—AI is here to offer support and encouragement.
Model: o4-mini-2025-04-16 | Prompt Tokens: 2092 | Completion Tokens: 2776


- name: Setup Node (PR Summary)
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
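Review bot: Keep the full-SHA pin with the trailing `# v6.4.0` comment rather than moving to a floating tag: the comment is what Renovate uses to track the pinned version, and a commit SHA cannot be retargeted after the fact the way `@v6` can. Before merging, confirm that `48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e` is the commit the v6.4.0 tag of actions/setup-node points to, since the workflow runner does not verify the version comment against the SHA.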

Consider using a floating version tag (e.g., @v6) or a setup-node release name rather than pinning to a specific SHA. This will make it easier to pick up non-breaking updates without continually updating your workflow. For example:

- name: Setup Node (PR Summary)
  uses: actions/setup-node@v6
  with:
    node-version-file: source-folder/.tool-versions
    cache: npm

If you need strict reproducibility, you can still pin a major version to balance stability and convenience.

Comment on lines 32 to 36
- name: Setup Node (PR Summary)
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: source-folder/.tool-versions
cache: npm

You have nearly identical "Setup Node" steps for PR Summary and PR Review. To DRY this up, you can use YAML anchors or a reusable workflow. Here’s an example with anchors:

# Anchor the first "Setup Node" step itself (a step mapping is a valid anchor
# host; a top-level "defaults:" key cannot carry "uses:" or "with:")
jobs:
  pr_summary:
    steps:
      - &setup-node-defaults
        name: Setup Node (PR Summary)
        uses: actions/setup-node@v6
        with:
          node-version-file: source-folder/.tool-versions
          cache: npm

  pr_review:
    steps:
      - <<: *setup-node-defaults
        name: Setup Node (PR Review)   # merge the shared keys, override only the name

This reduces duplication and centralizes configuration.

Comment on lines 24 to 28
- name: Setup Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .tool-versions
cache: npm

You’re repeating the same checkout and Node setup steps multiple times. Consider extracting them into a reusable workflow or using YAML anchors. This makes maintenance easier and ensures consistency. For example:

# Anchors attach to a single node, so each shared step gets its own anchor
# (a merge key cannot splice one sequence into another)
jobs:
  lint:
    steps:
      - &checkout
        name: Checkout source branch
        uses: actions/checkout@v6
      - &setup-node
        name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version-file: .tool-versions
          cache: npm
      - name: Run linter
        run: npm run lint

  test:
    steps:
      # Reuse the anchored steps
      - *checkout
      - *setup-node
      - name: Run tests
        run: npm test

Comment on lines 47 to 53
- name: Checkout source branch
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Node
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .tool-versions
cache: npm

By reusing the same anchor (or calling a reusable workflow), you avoid duplication in both sections. This approach also ensures that if you need to update the checkout or setup logic, you only do it once.

Comment thread pr-review/package.json
Comment on lines -17 to 20
"@actions/core": "3.0.0",
"@actions/core": "3.0.1",
"@actions/github": "7.0.0",
"@octokit/action": "7.0.2",
"@octokit/plugin-retry": "6.1.0",
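Review bot: The @actions/core 3.0.0 to 3.0.1 bump is, per the release notes in this PR, only a bump of undici from 6.23.0 to 6.24.1; check that the lockfile diff moves undici as well, otherwise the patch changes nothing in the installed tree. The exact pin on that line matches the rest of the file, and with a committed lockfile it is the more reproducible choice, so I would not loosen it to a caret range.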

Your dependencies are pinned to exact patch versions. To get non-breaking updates automatically while still respecting semver, consider using caret ranges (^). It simplifies version maintenance and ensures you get important patches:

"dependencies": {
  "@actions/core": "^3.0.1",
  "@actions/github": "^7.0.0",
  "axios": "^1.15.2",
  "typescript-eslint": "^8.59.0",
  // …
}

You can lock down critical dependencies manually if needed, but for most packages, caret ranges are a good balance between stability and automatic patch updates.
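
As an added example (not code from this PR, the project, or the commenter), here is a small pin-policy check for the two suggestions made above: SHA-pinned `uses:` refs with a version comment in workflows, and exact versions in package.json. The sample workflow and package.json inputs and all function names are constructed for this example.

```javascript
// Added example, not code from this PR or the project it targets. It checks the
// two pinning policies discussed in the review comments: workflow "uses:" refs
// pinned to a full commit SHA with a version comment, and exact versions in
// package.json. All inputs below are constructed; function names are my own.

const FULL_SHA = /^[0-9a-f]{40}$/;
// Exact semver: MAJOR.MINOR.PATCH with optional pre-release/build suffix, no range operator.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Scan workflow text line by line for "uses:" entries. A ref passes only when it
// is pinned to a 40-hex commit SHA and carries a "# vX.Y.Z" comment, the form
// Renovate keeps up to date; tags like @v6 can be moved after the fact.
function checkWorkflowPins(workflowText) {
  const findings = [];
  workflowText.split('\n').forEach((line, index) => {
    const match = line.match(/^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?/);
    if (!match) return;
    const [, ref, versionComment] = match;
    // Local actions and docker:// refs are not tag/SHA pinned; skip them.
    if (ref.startsWith('./') || ref.startsWith('docker://')) return;
    const at = ref.lastIndexOf('@');
    const pinned = at === -1 ? '' : ref.slice(at + 1);
    if (!FULL_SHA.test(pinned)) {
      findings.push({ line: index + 1, ref, reason: 'not pinned to a full commit SHA' });
    } else if (!versionComment || !/^v?\d/.test(versionComment)) {
      findings.push({ line: index + 1, ref, reason: 'SHA pin has no version comment' });
    }
  });
  return findings;
}

// Report every dependency whose version string is not an exact semver.
function checkPackagePins(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(range)) {
        findings.push({ section, name, range, reason: 'not an exact version' });
      }
    }
  }
  return findings;
}

// Constructed sample workflow: one SHA-pinned step, one floating tag, one local action.
const SAMPLE_WORKFLOW = [
  'steps:',
  '  - name: Checkout source branch',
  '    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2',
  '  - name: Setup Node',
  '    uses: actions/setup-node@v6',
  '    with:',
  '      node-version-file: .tool-versions',
  '  - name: Build',
  '    uses: ./.github/actions/build',
].join('\n');

// Constructed sample package.json mixing exact pins with caret/tilde ranges.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { '@actions/core': '3.0.1', axios: '^1.16.0' },
  devDependencies: { 'typescript-eslint': '8.59.1', yaml: '~2.8.4' },
});

// Run both checks over the constructed inputs and return the findings.
function runChecks() {
  return {
    workflow: checkWorkflowPins(SAMPLE_WORKFLOW),
    packageJson: checkPackagePins(SAMPLE_PACKAGE_JSON),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Run against real files by reading `.github/workflows/*.yaml` and each package.json into the two functions; a non-empty result is a policy violation to review, not an automatic failure.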

Comment thread pr-summary/package.json
Comment on lines -17 to 27
"@actions/core": "3.0.0",
"@actions/core": "3.0.1",
"@actions/github": "7.0.0",
"@octokit/plugin-retry": "6.1.0",
"@octokit/plugin-throttling": "8.2.0",
"@octokit/webhooks": "13.9.1",
"@sap-ai-sdk/ai-api": "2.10.0",
"@sap-ai-sdk/orchestration": "2.10.0",
"axios": "1.15.1",
"axios": "1.15.2",
"minimatch": "10.2.5",
"mollitia": "0.2.0",
"octokit": "5.0.5",
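Review bot: The axios 1.15.1 to 1.15.2 line is a security update, not a routine patch: the release notes in this PR list prototype-pollution hardening for the Node HTTP adapter and a `socketPath` type check with an opt-in `allowedSocketPaths` allowlist. It merits merging ahead of the other bumps. No config change is needed for it, since `allowedSocketPaths` is documented as backwards compatible when unset.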

Similar to the pr-review package, switching to caret ranges (^) for dependencies reduces the overhead of manual upgrades and ensures you receive backward-compatible fixes automatically. For example:

"dependencies": {
  "@actions/core": "^3.0.1",
  "axios": "^1.15.2",
  "typescript-eslint": "^8.59.0",
  // …
}

If a breaking change appears, you can still pin that specific package at the next major version.

@renovate renovate Bot force-pushed the renovate/non-major-dependencies branch from fb70ea2 to 1f93dd5 on April 27, 2026 18:33
@github-actions

This update bumps the Node setup action in CI workflows to v6.4.0 and upgrades key dependencies across both PR review and PR summary packages for improved compatibility and maintenance.

Walkthrough

  • Chore: Updated actions/setup-node to v6.4.0 in build and code-quality workflows.
  • Chore: Upgraded @actions/core to 3.0.1 in both pr-review and pr-summary.
  • Chore: Bumped axios to 1.15.2 and typescript-eslint to 8.59.1 in both packages.

Model: o4-mini-2025-04-16 | Prompt Tokens: 1371 | Completion Tokens: 596 | Diff Range: fb70ea2...1f93dd5

@github-actions github-actions Bot left a comment


Thank you for letting me review your code. I’ve included AI-supported suggestions to help you sharpen your work. These are gentle pointers, not hard rules, so use what resonates with your approach. You know your project best—AI is here to support your vision, while you remain in the driver’s seat.
Model: o4-mini-2025-04-16 | Prompt Tokens: 816 | Completion Tokens: 1735 | Diff Range: fb70ea2...1f93dd5

Comment thread pr-review/package.json
"tsx": "4.21.0",
"typescript": "5.9.3",
"typescript-eslint": "8.58.2",
"typescript-eslint": "8.59.1",
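Review bot: The typescript-eslint 8.58.2 to 8.59.1 bump is low risk; the release notes in this PR state that both 8.59.0 and 8.59.1 were version-only releases with no code changes, so no lint-rule behaviour should shift. The same line appears in pr-summary/package.json; keep the two in step so the linters agree across packages.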

It’s generally a best practice to use a semver range operator (caret ^ or tilde ~) rather than pinning to an exact patch version. This allows you to automatically pick up backward-compatible bug fixes and minor improvements without manual bumps. For example:

{
  "typescript-eslint": "^8.59.1"
}

You can still control breaking changes by sticking to major versions, while safely receiving patches.

Comment thread pr-summary/package.json
"tsx": "4.21.0",
"typescript": "5.9.3",
"typescript-eslint": "8.58.2",
"typescript-eslint": "8.59.1",

Similar to the above, consider switching to a semver range operator (e.g., ^8.59.1) instead of an exact match. This helps avoid frequent manual updates for non-breaking fixes:

{
  "typescript-eslint": "^8.59.1"
}

Also, keep your devDependencies consistent across packages to prevent drift and simplify maintenance.

@renovate renovate Bot force-pushed the renovate/non-major-dependencies branch from 1f93dd5 to b548348 on April 30, 2026 06:39
@github-actions

This update improves CI consistency and security by bumping the GitHub Actions Node setup to v6.4.0 and upgrading several package dependencies across the PR review and summary tools.

Walkthrough

  • Chore: Upgraded actions/setup-node in build and code-quality workflows to v6.4.0 for better caching and compatibility.
  • Chore: Bumped @actions/core, axios, zod, typescript-eslint, and other libraries in pr-review to their latest patch versions.
  • Chore: Mirrored the same dependency upgrades in pr-summary for alignment and stability.

Model: o4-mini-2025-04-16 | Prompt Tokens: 1489 | Completion Tokens: 663 | Diff Range: 1f93dd5...b548348

@github-actions github-actions Bot left a comment


Provide a gentle code review with AI support. Suggestions are just options, not absolute truths. Pick what fits your style. You’re in the driver’s seat—AI is here to help.
Model: o4-mini-2025-04-16 | Prompt Tokens: 1170 | Completion Tokens: 3776 | Diff Range: 1f93dd5...b548348

Comment thread pr-review/package.json Outdated
"@sap-ai-sdk/ai-api": "2.10.0",
"@sap-ai-sdk/orchestration": "2.10.0",
"axios": "1.15.1",
"axios": "1.15.2",

You’re pinning axios to an exact patch version. To allow compatible patch and minor fixes automatically while avoiding unexpected breaking changes, consider using a caret (^) range instead of a fixed version. For example:

"dependencies": {
  "axios": "^1.15.2",
  // …other deps
}

This reduces maintenance overhead for routine updates and works well with tooling like Dependabot.

Comment thread pr-review/package.json Outdated
"octokit": "5.0.5",
"parse-diff": "0.12.0",
"zod": "4.3.6"
"zod": "4.4.1"

Similar to axios, zod is pinned exactly to 4.4.1. Switching to a caret range will let you pick up patch releases (bug fixes) automatically:

"dependencies": {
  "zod": "^4.4.1",
  // …other deps
}

Also, double-check the changelog for any potential breaking changes between 4.3.6 and 4.4.1 before rolling this out.

Comment thread pr-summary/package.json
},
"dependencies": {
"@actions/core": "3.0.0",
"@actions/core": "3.0.1",

@actions/core has been bumped to 3.0.1. Pinning exact versions can lead to duplication across multiple packages. Consider using:

"dependencies": {
  "@actions/core": "^3.0.1",
  // …other deps
}

This approach lets you get non-breaking updates automatically. If this is a monorepo, you can further hoist this dependency into the root package.json using workspaces.

Comment thread pr-summary/package.json Outdated
"@sap-ai-sdk/ai-api": "2.10.0",
"@sap-ai-sdk/orchestration": "2.10.0",
"axios": "1.15.1",
"axios": "1.15.2",

You’ve applied the same axios bump here. To avoid drift and duplication, you can switch to a caret range:

"dependencies": {
  "axios": "^1.15.2",
  // …other deps
}

Or, if you maintain both packages together, consider defining shared dependencies in a root-level package.json and enabling npm/Yarn workspaces to hoist them.

Comment thread pr-summary/package.json Outdated
"octokit": "5.0.5",
"parse-diff": "0.12.0",
"zod": "4.3.6"
"zod": "4.4.1"

zod is also updated here. Align it with a caret range so that patch updates flow through both packages without manual bumps:

"dependencies": {
  "zod": "^4.4.1",
  // …other deps
}

This keeps your versions consistent and lowers the friction of upgrades.

@renovate renovate Bot force-pushed the renovate/non-major-dependencies branch from b548348 to dfa60d2 on May 2, 2026 01:10
@github-actions

github-actions Bot commented May 2, 2026

This update refreshes CI workflows and package dependencies to their latest patch releases, ensuring consistency across build, code-quality, PR summary, and PR review processes without altering user-facing features.

Walkthrough

  • Chore: Upgraded actions/setup-node in build and code-quality workflows from v6.3.0 to v6.4.0
  • Chore: Bumped @actions/core to 3.0.1 in both pr-summary and pr-review packages
  • Chore: Updated axios to 1.15.2, zod to 4.4.2, and typescript-eslint to 8.59.1
  • Chore: General dependency refresh to align minor/patch versions across projects

Model: o4-mini-2025-04-16 | Prompt Tokens: 1489 | Completion Tokens: 617 | Diff Range: b548348...dfa60d2

@github-actions github-actions Bot left a comment


Welcome to your AI-supported code review. These insights are based on predictions and may not apply in every situation, so choose what resonates with your goals. Your expertise guides the way, and the AI is here to help you explore ideas and improve your code.
Model: o4-mini-2025-04-16 | Prompt Tokens: 1170 | Completion Tokens: 2172 | Diff Range: b548348...dfa60d2

Comment thread pr-review/package.json
Comment on lines -25 to +30
"axios": "1.15.1",
"axios": "1.15.2",
"minimatch": "10.2.5",
"mollitia": "0.2.0",
"octokit": "5.0.5",
"parse-diff": "0.12.0",
"zod": "4.3.6"
"zod": "4.4.2"

I recommend switching from exact version pins to caret (^) ranges for axios and zod. This allows you to pick up non-breaking patches and minor updates automatically without manual bumps. For example:

{
  "dependencies": {
    "axios": "^1.15.2",
    "zod": "^4.4.2",
    // other deps...
  }
}

This change improves maintainability by ensuring you receive backwards-compatible updates while avoiding unexpected breaking changes.

Comment thread pr-summary/package.json Outdated
Comment on lines +17 to +24
"@actions/core": "3.0.0",
"@actions/core": "3.0.1",
"@actions/github": "7.0.0",
"@octokit/plugin-retry": "6.1.0",
"@octokit/plugin-throttling": "8.2.0",
"@octokit/webhooks": "13.9.1",
"@sap-ai-sdk/ai-api": "2.10.0",
"@sap-ai-sdk/orchestration": "2.10.0",
"axios": "1.15.1",
"axios": "1.15.2",

Since pr-summary and pr-review share many of the same dependencies (like axios, zod, etc.), you could consolidate them in your monorepo’s root package.json using npm workspaces. This prevents version drift and keeps everything in sync.

Root package.json:

{
  "workspaces": ["pr-review", "pr-summary"],
  "dependencies": {
    "axios": "^1.15.2",
    "zod": "^4.4.2"
  }
}

Then in each package you can reference the workspace versions:

{
  "dependencies": {
    "axios": "workspace:^",
    "zod": "workspace:^"
  }
}

This setup centralizes version management, ensures consistency across packages, and simplifies upgrades.

@renovate renovate Bot force-pushed the renovate/non-major-dependencies branch from dfa60d2 to ac2e470 on May 2, 2026 09:28
@github-actions

github-actions Bot commented May 2, 2026

Updated the CI workflows to use the latest setup-node action and bumped several dependencies in the PR review and PR summary packages for maintenance and patch fixes.

Walkthrough

  • Chore: Upgraded actions/setup-node in build and code-quality workflows to v6.4.0 for consistent Node setup.
  • Chore: Bumped @actions/core to 3.0.1, axios to 1.15.2, zod to 4.4.2, typescript-eslint to 8.59.1, and yaml to 2.8.4 in both pr-review and pr-summary packages for minor improvements and patches.

Model: o4-mini-2025-04-16 | Prompt Tokens: 1515 | Completion Tokens: 536 | Diff Range: dfa60d2...ac2e470

@github-actions github-actions Bot left a comment


I’m here to help review your code with AI support by offering suggestions that you’re welcome to adopt or adapt as needed. Some insights are predictive and may not always apply, so trust your own judgment. In the end, your choices guide the process—AI is here to assist, not to decide.
Model: o4-mini-2025-04-16 | Prompt Tokens: 850 | Completion Tokens: 1803 | Diff Range: dfa60d2...ac2e470

Comment thread pr-review/package.json
Comment on lines -43 to +44
"typescript-eslint": "8.58.2",
"yaml": "2.8.3"
"typescript-eslint": "8.59.1",
"yaml": "2.8.4"
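Review bot: The yaml 2.8.3 to 2.8.4 line carries a behaviour change recorded in the release notes above: `maxAliasCount: 0` now disables alias resolution, and invalid unicode escapes are now handled instead of passed through. If either package parses YAML it did not author (workflow files or PR content), grep for call sites that pass `maxAliasCount` and re-run the parser tests before merging. The typescript-eslint line in the same hunk is a version-only release per the notes.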

These dependency bumps are fine, but to reduce future churn and allow non-breaking updates you can switch to caret ranges instead of pinning exact versions. This will let you pick up patch and minor updates without needing another change. Also consider centralizing shared devDependencies in the root if this is a monorepo. For example:

"devDependencies": {
  "typescript-eslint": "^8.59.1",
  "yaml": "^2.8.4"
}

Don’t forget to regenerate your lockfile (npm install or yarn install) after making these changes to keep everyone in sync.

Comment thread pr-summary/package.json
Comment on lines -42 to +43
"typescript-eslint": "8.58.2",
"yaml": "2.8.3"
"typescript-eslint": "8.59.1",
"yaml": "2.8.4"

Same suggestion here: use caret ranges to automatically accept compatible updates and avoid manual bumps for every patch. If you’re managing multiple packages in a monorepo, you could also hoist these shared devDependencies to the root package.json to DRY up your configuration. For example:

"devDependencies": {
  "typescript-eslint": "^8.59.1",
  "yaml": "^2.8.4"
}

Run your install command afterwards to update the lockfile and ensure consistency across environments.

@renovate renovate Bot force-pushed the renovate/non-major-dependencies branch from ac2e470 to 82649ba on May 2, 2026 18:05
@github-actions

github-actions Bot commented May 2, 2026

This update refreshes CI workflows to use the latest setup-node action and bumps several dependencies in the PR summary and review packages. The changes ensure you’re on the newest patch releases for core GitHub Actions, HTTP utilities, validation schemas, and dev tooling. These upgrades improve build reliability, security, and compatibility without altering any end-user deliverables.

Walkthrough

  • Chore: Upgraded GitHub Action setup-node to v6.4.0 for consistent Node.js environments.
  • Chore: Bumped core Action SDK and HTTP client (@actions/core, axios) to latest patches.
  • Chore: Updated validation library (zod) to 4.4.2 to include recent fixes and improvements.
  • Chore: Refreshed dev tools (typescript-eslint, yaml) for improved linting and parsing stability.

Model: o4-mini-2025-04-16 | Prompt Tokens: 1515 | Completion Tokens: 1028 | Diff Range: ac2e470...82649ba

@github-actions github-actions Bot left a comment


We’ve reviewed your code and provided AI-backed suggestions. While these insights aim to guide you, they aren’t guaranteed facts, so choose what suits you best. You remain in charge of your decisions—AI is here simply to support your process.
Model: o4-mini-2025-04-16 | Prompt Tokens: 1170 | Completion Tokens: 2719 | Diff Range: ac2e470...82649ba

Comment thread pr-review/package.json
Comment on lines -25 to +30
"axios": "1.15.1",
"axios": "1.16.0",
"minimatch": "10.2.5",
"mollitia": "0.2.0",
"octokit": "5.0.5",
"parse-diff": "0.12.0",
"zod": "4.3.6"
"zod": "4.4.2"
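Review bot: The axios line now goes from 1.15.1 to 1.16.0, a minor bump, and the 1.16.0 notes in this PR flag observable changes: the fetch adapter now enforces `maxBodyLength`/`maxContentLength`, percent-encoded basic-auth credentials in URLs are decoded before going on the wire, `parseProtocol` requires a colon, and a user-supplied `Host` header is kept on proxy requests. Check whether either package sets those limits or embeds credentials in request URLs before approving. The zod 4.3.6 to 4.4.2 line has no release-note content on this page, so review the upstream compare for that one as well.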

You’ve pinned dependencies (axios and zod) to exact versions, which means every non-breaking patch or minor release will require a manual bump. Consider using caret (^) ranges to automatically receive compatible updates:

"dependencies": {
  "axios": "^1.16.0",
  "zod": "^4.4.2"
}

Comment thread pr-summary/package.json
Comment on lines -24 to +29
"axios": "1.15.1",
"axios": "1.16.0",
"minimatch": "10.2.5",
"mollitia": "0.2.0",
"octokit": "5.0.5",
"parse-diff": "0.12.0",
"zod": "4.3.6"
"zod": "4.4.2"

Similarly here, switching from exact versions to caret ranges lets you pull in non-breaking updates without manual intervention. For example:

"dependencies": {
  "axios": "^1.16.0",
  "zod": "^4.4.2"
}

Comment thread pr-review/package.json
Comment on lines 31 to 32
},
"devDependencies": {

After bumping dependencies, remember to run your package manager so the lockfile is updated, then commit it (package-lock.json or yarn.lock). This ensures everyone installs the exact same dependency tree:

npm install
git add package-lock.json
