Skip to content

Bump the minor-and-patch group across 1 directory with 14 updates#1608

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/minor-and-patch-41b62d7d63
Open

Bump the minor-and-patch group across 1 directory with 14 updates#1608
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/minor-and-patch-41b62d7d63

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Bumps the minor-and-patch group with 14 updates in the / directory:

Package From To
axios 1.15.1 1.16.0
dompurify 3.4.0 3.4.2
focus-trap-react 12.0.0 12.0.1
i18next 26.0.7 26.1.0
react 19.2.5 19.2.6
react-dom 19.2.5 19.2.6
react-hotkeys-hook 5.2.4 5.3.2
react-i18next 17.0.4 17.0.7
react-router 7.14.1 7.15.0
react-tooltip 6.0.0 6.0.2
@types/node 25.6.0 25.7.0
typescript-eslint 8.58.2 8.59.3
vite 8.0.9 8.0.12
vitest 4.1.4 4.1.6

Updates axios from 1.15.1 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
  • transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
  • Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
  • transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
  • Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

... (truncated)

Commits
  • df53d7d chore(release): prepare release 1.16.0 (#10834)
  • 9d92bcd fix: gadgets and smaller issues (#10833)
  • 5107ee6 fix: prevent undefined error codes in settle (#7276)
  • e573499 fix(fetch): defer global access in fetch adapter (#7260)
  • ad68e1a fix(http): honor timeout during connect without redirects (#10819)
  • 2a51828 fix(http): decode URL basic auth credentials (#10825)
  • 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
  • 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
  • 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
  • cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
  • Additional commits viewable in compare view

Updates dompurify from 3.4.0 to 3.4.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.2

  • Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
  • Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
  • Updated existing workflows, fuzzer, release signing, etc., added more tests
  • Bumped several dependencies where possible

DOMPurify 3.4.1

  • Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
  • Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
  • Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
  • Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
  • Removed a duplicate slot entry from the default HTML attribute allow-list
  • Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
  • Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
  • Extended CodeQL analysis to run on 3.x and 2.x maintenance branches
Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates focus-trap-react from 12.0.0 to 12.0.1

Release notes

Sourced from focus-trap-react's releases.

v12.0.1

Patch Changes

  • 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).
Changelog

Sourced from focus-trap-react's changelog.

12.0.1

Patch Changes

  • 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).
Commits
  • 95347d3 Version Packages (#1890)
  • 93c93e9 Bump focus-trap to 8.1.0 (#1889)
  • fd3fe32 [DEPENDABOT]: Bump @​typescript-eslint/eslint-plugin from 8.58.2 to 8.59.0 (#1...
  • 591f8af [DEPENDABOT]: Bump @​changesets/cli from 2.30.0 to 2.31.0 (#1883)
  • 2d283a7 [DEPENDABOT]: Bump typescript from 6.0.2 to 6.0.3 (#1885)
  • b6e21d9 [DEPENDABOT]: Bump @​typescript-eslint/parser from 8.58.2 to 8.59.0 (#1886)
  • 912a5cc [DEPENDABOT]: Bump cypress from 15.13.1 to 15.14.1 (#1887)
  • 1ce7b6b [DEPENDABOT]: Bump eslint-plugin-react-hooks from 7.0.1 to 7.1.1 (#1888)
  • b5dcc57 [DEPENDABOT]: Bump eslint-plugin-cypress from 6.2.3 to 6.3.1 (#1874)
  • 65d02f5 [DEPENDABOT]: Bump prettier from 3.8.1 to 3.8.3 (#1876)
  • Additional commits viewable in compare view

Updates i18next from 26.0.7 to 26.1.0

Release notes

Sourced from i18next's releases.

v26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

v26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

v26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

v26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425
Changelog

Sourced from i18next's changelog.

26.1.0

  • feat: enableSelector: 'strict' (TypeOptions + runtime option). Opt-in mode that drops the flattened-primary form from NsResource at the type level — every namespace (primary included) is exposed only under its own key on $, uniformly across single- and multi-ns hooks. At runtime, a leading selector path segment matching the scope's namespace list is always rewritten as a namespace prefix, including the primary. Eliminates the silent-miss surface area where t($ => $.primary.foo) typechecks but doesn't resolve under the default mode (see #2429). Backward-compatible: default enableSelector: false | true | 'optimize' behavior is unchanged. Note: strict mode is incompatible with the #2405 pattern (keys whose names match sibling namespaces) — those users should stay on default mode.

26.0.10

  • feat: getFixedT accepts a fourth optional fixedOpts argument carrying scopeNs — the full namespace list the bound t was created for. The selector API uses scopeNs to detect when a path's first segment is a namespace prefix, without changing resolution scope. Resolution still uses the bound ns (a single primary string in the typical react-i18next setup), so plain t('key') lookups stay isolated to the primary namespace exactly as before — only t($ => $.secondaryNs.foo) selectors now route correctly under useTranslation([nsA, nsB]). Fixes the runtime side of #2429 for the react-i18next default-nsMode case. The 4th argument is opt-in: existing 3-arg getFixedT(lng, ns, keyPrefix) callers see no behavior change.

26.0.9

  • fix(types): unformatted interpolation values are now typed as string | number (was string). i18next stringifies values at runtime, so requiring callers to wrap numbers in String(...) for plain {{var}} placeholders was unnecessary friction — and could mask the real problem when a non-string value was passed alongside multiple interpolation slots (the t() overload resolution would fall through to the 3-arg form and report a confusing "not assignable to string" error against the options object). Typed format specifiers like {{x, number}}, {{x, currency}}, {{x, datetime}}, etc. keep their precise types; this only relaxes the no-format default. The count variable remains number-only

26.0.8

  • fix(types): restore the pre-v25.10.4 ExistsFunction shape so plain arrow functions can again be assigned to ExistsFunction-typed variables (TypeScript cannot infer type predicates through multi-overload assignment). Direct i18next.exists(key) calls still narrow key to SelectorKey — the predicate is now declared inline on i18n.exists. Custom wrappers that want the narrowing can type themselves as typeof i18next.exists 2425
Commits
  • 5af0475 26.1.0
  • 85c0951 feat: enableSelector: 'strict' — explicit-ns selector mode, no flattened prim...
  • 8fec684 docs(types): clarify ExistsFunction note re: narrowing through wrappers
  • 61eaf5b 26.0.10
  • 47fd92f feat: getFixedT 4th-arg scopeNs decouples selector ns-detection from resoluti...
  • caf33f6 26.0.9
  • eed0146 fix(types): relax unformatted interpolation values to string | number
  • 170fb0a Modernize locize.com URLs and refresh UTM tags
  • 3ea438f 26.0.8
  • 5176bbd retry version bump
  • Additional commits viewable in compare view

Updates react from 19.2.5 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Updates react-dom from 19.2.5 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

Commits

Updates react-hotkeys-hook from 5.2.4 to 5.3.2

Release notes

Sourced from react-hotkeys-hook's releases.

v5.3.2

  • The previous release was pointing to a broken entry point

What's Changed

Full Changelog: JohannesKlauss/react-hotkeys-hook@v5.3.0...v5.3.1

v5.3.1

What's Changed

Full Changelog: JohannesKlauss/react-hotkeys-hook@v5.3.0...v5.3.1

v5.3.0

What's Changed

New Contributors

Full Changelog: JohannesKlauss/react-hotkeys-hook@v5.2.4...v5.3.0

Commits
  • d0ea7a8 Release v5.3.1
  • 6c71ffc Merge pull request #1333 from JohannesKlauss/fix/enabled-regression
  • ca452ab fix: dynamic enabled option no longer triggers event listeners in v5.3.0
  • 331799c Merge pull request #1331 from JohannesKlauss/dependabot/npm_and_yarn/svgo-3.3.3
  • d41a76c Merge pull request #1330 from JohannesKlauss/dependabot/npm_and_yarn/follow-r...
  • ede7d2c Bump svgo from 3.3.2 to 3.3.3
  • 780a5d0 Bump follow-redirects from 1.15.11 to 1.16.0
  • 2b7f60c Merge pull request #1328 from JohannesKlauss/dependabot/npm_and_yarn/multi-bf...
  • 6e07397 Merge pull request #1329 from JohannesKlauss/dependabot/npm_and_yarn/path-to-...
  • aa8920b Update doc content
  • Additional commits viewable in compare view

Updates react-i18next from 17.0.4 to 17.0.7

Changelog

Sourced from react-i18next's changelog.

17.0.7

  • feat: useTranslation([nsA, nsB, ...]) now passes its full namespace list to getFixedT via the new scopeNs opt (requires i18next ≥ v26.0.10). This makes selector calls with a secondary-namespace prefix resolve correctly under default nsMode: t($ => $.nsB.foo) previously missed silently because the bound ns was the primary string only and i18next's selector rewrite needed an array. Resolution semantics are unchanged — plain t('key') lookups still stay isolated to the primary namespace by default; use nsMode: 'fallback' to opt into multi-ns fallback resolution as before. Fixes i18next#2429 for useTranslation-based callers.

17.0.6

  • fix: restore the v17 nodesToString output format consumed by i18next-cli's extractor while still rendering 1919 correctly
    • 17.0.5 fixed 1919 by changing what nodesToString produced, which inadvertently changed the extracted translation strings for keep-tags wrapping non-keep React elements
    • The fix now lives in the renderer: indexed <N> placeholders nested inside a keep-tag are scoped to that tag's own original React children (matching kept tags by name and positional occurrence at each level), so the translation string format produced by nodesToString is unchanged

17.0.5

  • fix: <Trans /> no longer breaks child rendering when a kept HTML node (transKeepBasicHtmlNodesFor) wraps a non-keep React element 1919 — superseded by 17.0.6, which keeps the same runtime fix without changing the nodesToString output
Commits
  • 5e892a2 17.0.7
  • c8f4c6b feat: useTranslation([nsA,nsB]) routes selector secondary-ns prefix via getFi...
  • 084f9a6 Modernize locize.com URLs and refresh UTM tags
  • cb20d18 17.0.6
  • b8ad5e4 fix: scope indexed placeholders inside keep-tags at render time #1919
  • 75ce985 17.0.5
  • 9803bb8 fix: <Trans /> no longer breaks child rendering when a kept HTML node (transK...
  • ec37a48 chore: ignore .env*, *.pem, *.key in .gitignore
  • See full diff in compare view

Updates react-router from 7.14.1 to 7.15.0

Release notes

Sourced from react-router's releases.

v7.15.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7150

v7.14.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7142

Changelog

Sourced from react-router's changelog.

v7.15.0

Minor Changes

  • Stabilize unstable_defaultShouldRevalidate as defaultShouldRevalidate on <Link>, <Form>, useLinkClickHandler, useSubmit, fetcher.submit, and setSearchParams (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize the instrumentation APIs. unstable_instrumentations is now instrumentations and unstable_pattern is now pattern (a993f09)

    • The unstable_ServerInstrumentation, unstable_ClientInstrumentation, unstable_InstrumentRequestHandlerFunction, unstable_InstrumentRouterFunction, unstable_InstrumentRouteFunction, and unstable_InstrumentationHandlerResult types have had their unstable_ prefixes removed
    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_mask as mask on <Link>, useLinkClickHandler, and useNavigate, and rename the corresponding Location.unstable_mask field to Location.mask (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize the unstable_normalizePath option on staticHandler.query and staticHandler.queryRoute as normalizePath (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Remove unstable_subResourceIntegrity from the runtime FutureConfig type; the flag is now controlled by the top-level subResourceIntegrity option in react-router.config.ts (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_url as url on loader, action, and middleware function args (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_useTransitions as useTransitions on <BrowserRouter>, <HashRouter>, <HistoryRouter>, <MemoryRouter>, <Router>, <RouterProvider>, <HydratedRouter>, and useLinkClickHandler (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

Patch Changes

  • Add nonce to <Scripts> <link rel="modulepreload"> elements (if provided) (af5d49b)

  • Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#15012)

  • Improve server-side route matching performance by pre-computing flattened/cached route branches (#14967) (af5d49b)

    • Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance

  • Mark mask as an optional field in Location for easier mocking in unit tests (#14999)

  • Cache flattened/ranked route branches to optimize server-side route matching (#14967)

  • Improve route matching performance in Framework/Data Mode (

@dependabot
Bump the minor-and-patch group across 1 directory with 14 updates
9582fd2 
Bumps the minor-and-patch group with 14 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.15.1` | `1.16.0` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.4.0` | `3.4.2` |
| [focus-trap-react](https://github.com/focus-trap/focus-trap-react) | `12.0.0` | `12.0.1` |
| [i18next](https://github.com/i18next/i18next) | `26.0.7` | `26.1.0` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.5` | `19.2.6` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.5` | `19.2.6` |
| [react-hotkeys-hook](https://github.com/JohannesKlauss/react-keymap-hook) | `5.2.4` | `5.3.2` |
| [react-i18next](https://github.com/i18next/react-i18next) | `17.0.4` | `17.0.7` |
| [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) | `7.14.1` | `7.15.0` |
| [react-tooltip](https://github.com/ReactTooltip/react-tooltip) | `6.0.0` | `6.0.2` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.6.0` | `25.7.0` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.58.2` | `8.59.3` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.9` | `8.0.12` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.4` | `4.1.6` |



Updates `axios` from 1.15.1 to 1.16.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.15.1...v1.16.0)

Updates `dompurify` from 3.4.0 to 3.4.2
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.4.0...3.4.2)

Updates `focus-trap-react` from 12.0.0 to 12.0.1
- [Release notes](https://github.com/focus-trap/focus-trap-react/releases)
- [Changelog](https://github.com/focus-trap/focus-trap-react/blob/master/CHANGELOG.md)
- [Commits](focus-trap/focus-trap-react@v12.0.0...v12.0.1)

Updates `i18next` from 26.0.7 to 26.1.0
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v26.0.7...v26.1.0)

Updates `react` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

Updates `react-dom` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom)

Updates `react-hotkeys-hook` from 5.2.4 to 5.3.2
- [Release notes](https://github.com/JohannesKlauss/react-keymap-hook/releases)
- [Changelog](https://github.com/JohannesKlauss/react-hotkeys-hook/blob/main/CHANGELOG.md)
- [Commits](JohannesKlauss/react-hotkeys-hook@v5.2.4...v.5.3.2)

Updates `react-i18next` from 17.0.4 to 17.0.7
- [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/react-i18next@v17.0.4...v17.0.7)

Updates `react-router` from 7.14.1 to 7.15.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@7.15.0/packages/react-router)

Updates `react-tooltip` from 6.0.0 to 6.0.2
- [Release notes](https://github.com/ReactTooltip/react-tooltip/releases)
- [Changelog](https://github.com/ReactTooltip/react-tooltip/blob/master/CHANGELOG.md)
- [Commits](ReactTooltip/react-tooltip@v6.0.0...v6.0.2)

Updates `@types/node` from 25.6.0 to 25.7.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `typescript-eslint` from 8.58.2 to 8.59.3
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.3/packages/typescript-eslint)

Updates `vite` from 8.0.9 to 8.0.12
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.12/packages/vite)

Updates `vitest` from 4.1.4 to 4.1.6
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/vitest)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: dompurify
  dependency-version: 3.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: focus-trap-react
  dependency-version: 12.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: i18next
  dependency-version: 26.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-hotkeys-hook
  dependency-version: 5.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react-i18next
  dependency-version: 17.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-router
  dependency-version: 7.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react-tooltip
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@types/node"
  dependency-version: 25.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: typescript-eslint
  dependency-version: 8.59.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: vite
  dependency-version: 8.0.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the type:dependencies Pull requests that update a dependency file label May 12, 2026
This was referenced May 12, 2026
Closed
Closed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 12, 2026

Use docker or podman to test this pull request locally.

Run test server using develop.opencast.org as backend:

podman run --rm -it -p 127.0.0.1:3000:3000 ghcr.io/opencast/admin-interface:pr-1608

Specify a different backend like stable.opencast.org:

podman run --rm -it -p 127.0.0.1:3000:3000 -e PROXY_TARGET=https://stable.opencast.org ghcr.io/opencast/admin-interface:pr-1608

It may take a few seconds for the interface to spin up.
It will then be available at http://127.0.0.1:3000.
For more options you can pass on to the proxy, take a look at the README.md.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

type:dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants