Skip to content

build(deps): bump axios, stream-chat and stream-chat-react#4

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-6778fea3ff
Open

build(deps): bump axios, stream-chat and stream-chat-react#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-6778fea3ff

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 5, 2026

Copy link
Copy Markdown

Bumps axios to 1.17.0 and updates ancestor dependencies axios, stream-chat and stream-chat-react. These dependencies need to be updated together.

Updates axios from 0.22.0 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

... (truncated)

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates stream-chat from 6.3.0 to 9.45.1

Release notes

Sourced from stream-chat's releases.

v9.45.1

9.45.1 (2026-06-05)

Bug Fixes

  • only run husky in a git checkout so npm consumers don't break (#1764) (88dbdb6)

v9.45.0

9.45.0 (2026-06-04)

Features

Chores

  • deps: bump fast-uri from 3.0.6 to 3.1.2 (#1753) (d4e74de)
  • deps: bump handlebars from 4.7.7 to 4.7.9 (#1757) (9dc1fb6)
  • deps: bump lodash from 4.17.21 to 4.18.1 (#1751) (05495fe)
  • deps: bump lodash-es from 4.17.21 to 4.18.1 (#1756) (fa95e18)

v9.44.2

9.44.2 (2026-05-15)

Bug Fixes

  • channels sorting with predefined filters (#1747) (5ee79f7)

v9.44.1

9.44.1 (2026-05-14)

Bug Fixes

v9.44.0

9.44.0 (2026-05-13)

Bug Fixes

  • ignore draft WS events while editing messages (#1739) (31e66f3)
  • prevent deleteUserMessages crash when hard-deleting a self-quoting message (#1741) (b2a00bb), closes #1736
  • prevent dispatchEvent crash on uninitialized channels via muteStatus (#1740) (eea0a47), closes #1732

Features

  • webhooks: verifyAndParse* API for compressed payloads (CHA-3071) (#1735) (288a34c)

... (truncated)

Changelog

Sourced from stream-chat's changelog.

9.45.1 (2026-06-05)

Bug Fixes

  • only run husky in a git checkout so npm consumers don't break (#1764) (88dbdb6)

9.45.0 (2026-06-04)

Features

Chores

  • deps: bump fast-uri from 3.0.6 to 3.1.2 (#1753) (d4e74de)
  • deps: bump handlebars from 4.7.7 to 4.7.9 (#1757) (9dc1fb6)
  • deps: bump lodash from 4.17.21 to 4.18.1 (#1751) (05495fe)
  • deps: bump lodash-es from 4.17.21 to 4.18.1 (#1756) (fa95e18)

9.44.2 (2026-05-15)

Bug Fixes

  • channels sorting with predefined filters (#1747) (5ee79f7)

9.44.1 (2026-05-14)

Bug Fixes

9.44.0 (2026-05-13)

Bug Fixes

  • ignore draft WS events while editing messages (#1739) (31e66f3)
  • prevent deleteUserMessages crash when hard-deleting a self-quoting message (#1741) (b2a00bb), closes #1736
  • prevent dispatchEvent crash on uninitialized channels via muteStatus (#1740) (eea0a47), closes #1732

Features

  • webhooks: verifyAndParse* API for compressed payloads (CHA-3071) (#1735) (288a34c)

9.43.2 (2026-05-08)

Bug Fixes

... (truncated)

Commits
  • 3f5438b chore(release): 9.45.1 [skip ci]
  • 88dbdb6 fix: only run husky in a git checkout so npm consumers don't break (#1764)
  • 90abda5 chore(release): 9.45.0 [skip ci]
  • 4892d10 feat: add enhanced mentions (#1743)
  • e39e8d6 chore: fix size check action (#1762)
  • 79d3af8 feat(MessageComposer): control command sendability (#1746)
  • da02271 feat: [CHA-3267] before_message_send_hook_attempt_timeout_ms (#1755)
  • 05495fe chore(deps): bump lodash from 4.17.21 to 4.18.1 (#1751)
  • d4e74de chore(deps): bump fast-uri from 3.0.6 to 3.1.2 (#1753)
  • fa95e18 chore(deps): bump lodash-es from 4.17.21 to 4.18.1 (#1756)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for stream-chat since your current version.

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.


Updates stream-chat-react from 8.0.0 to 14.4.1

Release notes

Sourced from stream-chat-react's releases.

v14.4.1

14.4.1 (2026-06-05)

Bug Fixes

  • only run husky in a git checkout so npm consumers don't break (#3211) (640bf4b)

v14.4.0

14.4.0 (2026-06-05)

Bug Fixes

  • compat: restore React 17/18 compatibility in certain components (#3197) (b513b69)
  • general performance and bug fixes (#3201) (57c5795)
  • interop: unwrap CJS default exports (react-player, @​emoji-mart/react) (#3199) (4cddb02)
  • maintain topmost modal non-inert (#3206) (7ad98fa)

Features

  • allow to stack modals on top of each other (#3203) (4c934ae)
  • display notifications above modals (#3200) (0433090)
  • Reactions: send emoji_code with reactions for push notification rendering (#3209) (2faa620)

Performance Improvements

  • Message: hoist regex compilation in message text rendering (#3202) (8c018a4)
  • VideoPlayer: lazy-load react-player to keep it out of the main bundle (#3204) (18dc966)

v14.3.0

14.3.0 (2026-05-26)

Bug Fixes

  • ContextMenu: show focus outline for auto-focused context menu items (#3193) (237b139)
  • extended reactions button visibility adjustments in MessageReactionsDetail (#3186) (52b0b59), closes #3172

Features

  • Notifications: swap snackbar notifications after minDisplayMs dwell (#3196) (dec271f)
  • reflect predefined filters in the channel list ordering (#3194) (a422d4b)

v14.2.0

14.2.0 (2026-05-11)

Bug Fixes

  • allow content overflow in generic Button (#3167) (6735fa1)
  • Avatar: fall back to initials when imageUrl is an empty string (#3168) (541eef8)
  • Channel: respect false shouldGenerateVideoThumbnail prop (#3184) (340af2b)
  • decouple modern-normalize from the SDK (#3180) (bcaf1f6), closes #3134

... (truncated)

Changelog

Sourced from stream-chat-react's changelog.

14.4.1 (2026-06-05)

Bug Fixes

  • only run husky in a git checkout so npm consumers don't break (#3211) (640bf4b)

14.4.0 (2026-06-05)

Bug Fixes

  • compat: restore React 17/18 compatibility in certain components (#3197) (b513b69)
  • general performance and bug fixes (#3201) (57c5795)
  • interop: unwrap CJS default exports (react-player, @​emoji-mart/react) (#3199) (4cddb02)
  • maintain topmost modal non-inert (#3206) (7ad98fa)

Features

  • allow to stack modals on top of each other (#3203) (4c934ae)
  • display notifications above modals (#3200) (0433090)
  • Reactions: send emoji_code with reactions for push notification rendering (#3209) (2faa620)

Performance Improvements

  • Message: hoist regex compilation in message text rendering (#3202) (8c018a4)
  • VideoPlayer: lazy-load react-player to keep it out of the main bundle (#3204) (18dc966)

14.3.0 (2026-05-26)

Bug Fixes

  • ContextMenu: show focus outline for auto-focused context menu items (#3193) (237b139)
  • extended reactions button visibility adjustments in MessageReactionsDetail (#3186) (52b0b59), closes #3172

Features

  • Notifications: swap snackbar notifications after minDisplayMs dwell (#3196) (dec271f)
  • reflect predefined filters in the channel list ordering (#3194) (a422d4b)

14.2.0 (2026-05-11)

Bug Fixes

  • allow content overflow in generic Button (#3167) (6735fa1)
  • Avatar: fall back to initials when imageUrl is an empty string (#3168) (541eef8)
  • Channel: respect false shouldGenerateVideoThumbnail prop (#3184) (340af2b)
  • decouple modern-normalize from the SDK (#3180) (bcaf1f6), closes #3134
  • extended reactions button adjustments (#3172) (5259c17)
  • prevent messages being squashed in narrow message lists (#3153) (a1cc63f)
  • prevent overriding active channel UI on ChannelList pagination error (#3164) (0c0d65c)
  • remove visual glitches in ModalGallery, placeholder color, borders (#3178) (32dcace)

... (truncated)

Commits
  • 2418025 chore(release): 14.4.1 [skip ci]
  • 640bf4b fix: only run husky in a git checkout so npm consumers don't break (#3211)
  • e2c53c2 chore(release): 14.4.0 [skip ci]
  • 2faa620 feat(Reactions): send emoji_code with reactions for push notification renderi...
  • f7cfa8a chore(demo): support api_key query param in vite example (#3210)
  • 7ad98fa fix: maintain topmost modal non-inert (#3206)
  • 4c057bb docs(examples/tutorial): update theming tokens to --str-chat__ prefix (#3207)
  • 4c934ae feat: allow to stack modals on top of each other (#3203)
  • 32ed33e chore(demo): support local reference to stream-chat-js (#3205)
  • 0433090 feat: display notifications above modals (#3200)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for stream-chat-react since your current version.

Install script changes

This version adds postinstall script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump axios, stream-chat and stream-chat-react
fedd121 
Bumps [axios](https://github.com/axios/axios) to 1.17.0 and updates ancestor dependencies [axios](https://github.com/axios/axios), [stream-chat](https://github.com/GetStream/stream-chat-js) and [stream-chat-react](https://github.com/GetStream/stream-chat-react). These dependencies need to be updated together.


Updates `axios` from 0.22.0 to 1.17.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.22.0...v1.17.0)

Updates `stream-chat` from 6.3.0 to 9.45.1
- [Release notes](https://github.com/GetStream/stream-chat-js/releases)
- [Changelog](https://github.com/GetStream/stream-chat-js/blob/master/CHANGELOG.md)
- [Commits](GetStream/stream-chat-js@v6.3.0...v9.45.1)

Updates `stream-chat-react` from 8.0.0 to 14.4.1
- [Release notes](https://github.com/GetStream/stream-chat-react/releases)
- [Changelog](https://github.com/GetStream/stream-chat-react/blob/master/CHANGELOG.md)
- [Commits](GetStream/stream-chat-react@v8.0.0...v14.4.1)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: indirect
- dependency-name: stream-chat
  dependency-version: 9.45.1
  dependency-type: direct:production
- dependency-name: stream-chat-react
  dependency-version: 14.4.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 5, 2026
@dependabot dependabot Bot mentioned this pull request Jun 5, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants