build: bump the all-frontend-deps group across 1 directory with 36 updates

[dependabot]

Bumps the all-frontend-deps group with 36 updates in the /src/frontend directory:

Package	From	To
@fluentui/react	8.122.9	8.125.6
@fluentui/react-components	9.58.2	9.74.1
@fluentui/react-file-type-icons	8.12.7	8.18.0
@fluentui/react-icons	2.0.274	2.0.328
@reduxjs/toolkit	2.5.1	2.12.0
@tailwindcss/vite	4.0.3	4.3.0
autoprefixer	10.4.20	10.5.0
axios	1.7.9	1.17.0
lucide-react	0.471.2	1.17.0
postcss	8.5.1	8.5.15
react	18.3.1	19.2.7
@types/react	18.3.18	19.2.16
react-dom	18.3.1	19.2.7
@types/react-dom	18.3.5	19.2.3
react-dropzone	14.3.5	15.0.0
react-icons	5.5.0	5.6.0
react-redux	9.2.0	9.3.0
react-router-dom	7.1.5	7.16.0
react-syntax-highlighter	15.6.1	16.1.1
sql-formatter	15.4.11	15.8.0
tailwind-merge	2.6.0	3.6.0
tailwindcss	3.4.17	4.3.0
uuid	11.0.5	14.0.0
@azure/msal-browser	4.7.0	5.11.0
@azure/msal-react	3.0.6	5.4.2
@eslint/js	9.19.0	10.0.1
@vitejs/plugin-react	4.3.4	6.0.2
eslint	9.19.0	10.4.1
eslint-plugin-react	7.37.4	7.37.5
eslint-plugin-react-hooks	5.1.0	7.1.1
eslint-plugin-react-refresh	0.4.18	0.5.2
globals	15.14.0	17.6.0
rollup	4.34.4	4.61.0
rollup-plugin-dts	6.1.1	6.4.1
vite	6.1.0	8.0.16
vite-plugin-svgr	4.3.0	5.2.0

Updates @fluentui/react from 8.122.9 to 8.125.6

Release notes

Sourced from @​fluentui/react's releases.

@​fluentui/react v8.125.6

Patches

• Bump @​fluentui/foundation-legacy to v8.6.6 (commit)
• Bump @​fluentui/font-icons-mdl2 to v8.5.73 (commit)
• Bump @​fluentui/react-focus to v8.10.6 (commit)
• Bump @​fluentui/style-utilities to v8.15.1 (commit)

Commits

• 6c654e6 release: applying package updates - react v8
• 04bf7a7 release: applying package updates - web-components
• 39041d7 fix: update CDN bundle configurations, enable setTheme on globalThis (#36113)
• db347c7 fix(docs): Card examples reflow at small widths (#36086)
• 7b586d7 Updates for shortcut folders, markdown and other filetype icon fixes. (#35945)
• 094b22f feat(react-storybook-addon): add render-prop slots to FluentDocsPage (#36115)
• 3f57751 fix(react-combobox): use role attribute instead of classname for active desce...
• b9cadd1 release: applying package updates - react-headless
• 6411342 fix(Menu): Highlight expanded menuitem (#36098)
• 4fa64db docs(motion): home pages for motion system & motion components (#35737)
• Additional commits viewable in compare view

Updates @fluentui/react-components from 9.58.2 to 9.74.1

Release notes

Sourced from @​fluentui/react-components's releases.

@​fluentui/react-components v9.74.0

Minor changes

• feat: export contexts for headless (PR #36229 by mainframev)
• feat: export base hooks (PR #36200 by mainframev)
• feat: expose react-menu base hooks (PR #36087 by mainframev)
• feat(react-motion): add replayKey prop to replay motion without remounting (PR #36108 by robertpenner)
• feat: add base hooks and expose them (PR #35812 by dmytrokirpa)
• feat: add OverflowReorderObserver to recompute overflow when items are reordered via React state without a container resize (PR #36231 by layershifter)
• chore: fix after broken release (PR #36037 by layershifter)
• Make Card base hooks tabster-free; expose shouldRestrictTriggerAction on CardBaseProps (PR #36004 by dmytrokirpa)
• feat: re-export motionSlot and presenceMotionSlot from @​fluentui/react-motion (PR #35922 by robertpenner)
• feat: re-export OverflowReorderObserver from @​fluentui/react-overflow (PR #36231 by layershifter)
• feat: expose inline drawer types and base hooks (PR #36042 by dmytrokirpa)

Patches

• chore: bump tabster to ^8.8.0 and keyborg to ^2.14.1 (PR #36082 by layershifter)
• fix: dismiss Tooltip when the document becomes hidden (e.g. tab backgrounded or app switched on mobile) (PR #36023 by Copilot)
• fix(react-tree): support indentation for TreeItem levels greater than 10 via inline CSS variable fallback (PR #36014 by Copilot)
• style: replace deprecated assertion syntax that causes issues to babel tsx (PR #36185 by Hotell)
• fix(Menu): Menu item with expanded submenu should be highlighted (PR #36098 by jurokapsiar)
• fix: update useMenuTriggerBase hook signature (PR #36237 by dmytrokirpa)
• feat: add headless Menu components (PR #36110 by mainframev)
• chore: extract useMenuItemBase_unstable into a separate module (PR #36234 by mainframev)
• fix: close Popover when focus escapes outside while trapFocus is enabled (PR #35995 by petdud)
• revert: revert removal of Griffel dependency from usePortalMount #35994 (PR #36235 by dmytrokirpa)
• fix: avoid pulling griffel in CardHeader and CardPreview base hooks (PR #36194 by dmytrokirpa)
• refactor: move isSafeUrl to chart-utilities package and update imports (PR #36206 by dmytrokirpa)
• safeurl related bug fix (PR #36121 by v-baambati)
• fix(Option): when disabled, hover styles should not show (PR #36077 by smhigley)
• fix: use role attribute instead of classname for active descendant (PR #36109 by dmytrokirpa)

Commits

• 277f63a release: applying package updates - react-components
• 5e0f816 release: applying package updates - web-components
• 1d15557 feat(react-toast): add base hooks/types and re-exports for headless compositi...
• 0aa62de feat: add triage-issues + triage-board skills (+ visual-test hardening) (#36012)
• c70f899 fix(react-tags): decouple useTagGroupBase_unstable from Tabster + export cont...
• 6cdfd51 fix(react-headless-components-preview): update non-modal dialog implementatio...
• 1321fff fix(react-headless-components-preview): descendant clicks no longer trigger d...
• 980c56f release: applying package updates - react v8
• 9317e51 release: applying package updates - react-components
• 116265d fix(ci): install latest 22.x Node to satisfy @​microsoft/fast-build engines (#...
• Additional commits viewable in compare view

Updates @fluentui/react-file-type-icons from 8.12.7 to 8.18.0

Release notes

Sourced from @​fluentui/react-file-type-icons's releases.

@​fluentui/react-file-type-icons v8.18.0

Minor changes

• Support for new markdown, "special folder" filetype icon (default "shortcuts" folder) and other fixes (PR #35945 by bigbadcapers)
• Bump @​fluentui/style-utilities to v8.15.1 (commit)

Commits

• 6c654e6 release: applying package updates - react v8
• 04bf7a7 release: applying package updates - web-components
• 39041d7 fix: update CDN bundle configurations, enable setTheme on globalThis (#36113)
• db347c7 fix(docs): Card examples reflow at small widths (#36086)
• 7b586d7 Updates for shortcut folders, markdown and other filetype icon fixes. (#35945)
• 094b22f feat(react-storybook-addon): add render-prop slots to FluentDocsPage (#36115)
• 3f57751 fix(react-combobox): use role attribute instead of classname for active desce...
• b9cadd1 release: applying package updates - react-headless
• 6411342 fix(Menu): Highlight expanded menuitem (#36098)
• 4fa64db docs(motion): home pages for motion system & motion components (#35737)
• Additional commits viewable in compare view

Updates @fluentui/react-icons from 2.0.274 to 2.0.328

Commits

• See full diff in compare view

Updates @reduxjs/toolkit from 2.5.1 to 2.12.0

Release notes

Sourced from @​reduxjs/toolkit's releases.

v2.12.0

This feature release adds RTK usage skills files (via TanStack Intent) exports the RTK Query hook options types for reusability, fixes issues with infinite query status flags and batching handling, and makes some small TS improvements.

Changelog

Skills Files

We've generated agent skill files that are now included in the RTK package itself in a skills folder. They cover using and migrating to modern RTK, client and server state management, and handling side effects. You can point your agent at these skills yourself, or use TanStack Intent to pick them up.

TypeScript Improvements

The types for our RTK Query hook options are now exported, which lets you stop using Parameters to extract those types for use in your own code.

The types for listener middleware matchers were tweaked to allow interface-based type guards, not just type-based definitions.

The internal IgnorePaths type was renamed to IgnoredPaths for consistency.

We now use the built-in NoInfer util that comes with TS 5.4+.

Fixes

We fixed handling of the isSuccess status flag when switching infinite query cache entries. This should prevent accidental UI flashes that were occurring due to this flag accidentally flipping.

We've added a 100ms timeout fallback to the autoBatch enhancer's requestAnimationFrame timer. We had several reports that rAF didn't work correctly when used in background tabs / opened windows, and that RTK never updated the UI. This should ensure that the updates flush correctly.

What's Changed

• Export hook options types for RTK Query hooks by @​veeceey in reduxjs/redux-toolkit#5218
• Add TanStack Intent skills for Redux Toolkit by @​phryneas in reduxjs/redux-toolkit#5249
• Keep isSuccess: true when switching infinite query cache entries by @​riqts in reduxjs/redux-toolkit#5268
• fix: allow interface-based type guards as listener matcher by @​riqts in reduxjs/redux-toolkit#5269
• fix: add setTimeout fallback to raf autoBatch strategy for background tabs by @​riqts in reduxjs/redux-toolkit#5273
• chore(toolkit): rename IgnorePaths type to IgnoredPaths by @​Ri5ha6h in reduxjs/redux-toolkit#5284
• feat(toolkit)!: switch to native NoInfer utility type by @​aryaemami59 in reduxjs/redux-toolkit#5289

Full Changelog: reduxjs/redux-toolkit@v2.11.2...v2.12.0

v2.11.2

This bugfix release updates the AbortSignal handling to fall back if DOMException isn't available (such as RN environments), and updates the TypedUseInfiniteQueryHookResult type to correctly include fetchNextPage/fetchPreviousPage fields.

Changelog

Bugfixes

The AbortSignal changes in 2.11.1 used DOMException in a couple places to match the expected behavior of AbortSignal, but turns out that's not available in environments like React Native. We've updated the logic to fall back to a plain Error if DOMException isn't available.

The TypedUseInfiniteQueryHookResult type wasn't correctly including the fetchNextPage/fetchPreviousPage fields, and now it does.

What's Changed

... (truncated)

Commits

• 576a02f Release 2.12.0
• de2d55e Merge pull request #5237 from aryaemami59/fix/codegen/generateEndpoints-retur...
• ac807c3 fix(codegen): narrow generateEndpoints return type
• 01ed3ba Merge pull request #5289 from aryaemami59/feat/toolkit/switch-to-native-NoInfer
• 1f16db1 Merge pull request #5290 from aryaemami59/build/toolkit/exclude-test-files-fr...
• 23783c1 build(toolkit): exclude test files from final bundle
• 91b8b0a feat(toolkit)!: switch to native NoInfer utility type
• 0b37f1a Merge pull request #5286 from aryaemami59/docs/toolkit/fix-typos
• 3cd62c8 fix unforwardedActions
• 64853cc chore: fix various typos
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​reduxjs/toolkit since your current version.

Updates @tailwindcss/vite from 4.0.3 to 4.3.0

Release notes

Sourced from @​tailwindcss/vite's releases.

v4.3.0

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

v4.2.4

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

v4.2.3

Fixed

• Canonicalization: improve canonicalizations for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)
• Upgrade: ensure files are not emptied out when killing the upgrade process while it's running (#19846)
• Upgrade: use config.content when migrating from Tailwind CSS v3 to Tailwind CSS v4 (#19846)
• Upgrade: never migrate files that are ignored by git (#19846)

... (truncated)

Changelog

Sourced from @​tailwindcss/vite's changelog.

[4.3.0] - 2026-05-08

Added

• Add @container-size utility (#18901)
• Add scrollbar-{auto,thin,none} utilities for scrollbar-width, and scrollbar-thumb-* / scrollbar-track-* color utilities for scrollbar-color (#19981, #20019)
• Add scrollbar-gutter-* utilities (#20018)
• Add zoom-* utilities (#20020)
• Add tab-* utilities (#20022)
• Allow using @variant with stacked variants (e.g. @variant hover:focus { … }) (#19996)
• Allow using @variant with compound variants (e.g. @variant hover, focus { … }) (#19996)
• Support --default(…) in --value(…) and --modifier(…) for functional @utility definitions (#19989)

Fixed

• Ensure @plugin resolves package JavaScript entries instead of browser CSS entries when using @tailwindcss/vite (#19949)
• Fix relative @import and @plugin paths resolving from the wrong directory when using @tailwindcss/vite (#19965)
• Ensure CSS files containing @variant are processed by @tailwindcss/vite (#19966)
• Resolve imports relative to base when result.opts.from is not provided when using @tailwindcss/postcss (#19980)
• Canonicalization: preserve significant _ whitespace in arbitrary values (#19986)
• Canonicalization: add parentheses when removing whitespace from arbitrary values would hurt readability (e.g. w-[calc(100%---spacing(60))] → w-[calc(100%-(--spacing(60)))]) (#19986)
• Canonicalization: preserve the original unit in arbitrary values instead of normalizing to base units (e.g. -mt-[20in] → mt-[-20in], not mt-[-1920px]) (#19988)
• Canonicalization: migrate arbitrary :has() variants from [&:has(…)] to has-[…] (#19991)
• Upgrade: don’t migrate inline style attributes (e.g. style="flex-grow: 1" → style="flex-grow: 1", not style="grow: 1") (#19918)
• Allow multiple @utility definitions with the same name but different value types (#19777)
• Export missing PluginWithConfig type from tailwindcss/plugin to fix errors when inferring plugin config types (#19707)
• Ensure start and end legacy utilities without values do not generate CSS (#20003)
• Ensure --value(…) is required in functional @utility definitions (#20005)
• Canonicalization: preserve required whitespace around operators in negated arbitrary values (e.g. -left-[(var(--a)+var(--b))]) (#20011)

[4.2.4] - 2026-04-21

Fixed

• Ensure imports in @import and @plugin still resolve correctly when using Vite aliases in @tailwindcss/vite (#19947)

[4.2.3] - 2026-04-20

Fixed

• Canonicalization: improve canonicalization for tracking-* utilities by preferring non-negative utilities (e.g. -tracking-tighter → tracking-wider) (#19827)
• Fix crash due to invalid characters in candidate (exceeding valid unicode code point range) (#19829)
• Ensure query params in imports are considered unique resources when using @tailwindcss/webpack (#19723)
• Canonicalization: collapse arbitrary values into shorthand utilities (e.g. px-[1.2rem] py-[1.2rem] → p-[1.2rem]) (#19837)
• Canonicalization: collapse border-{t,b}-* into border-y-*, border-{l,r}-* into border-x-*, and border-{t,r,b,l}-* into border-* (#19842)
• Canonicalization: collapse scroll-m{t,b}-* into scroll-my-*, scroll-m{l,r}-* into scroll-mx-*, and scroll-m{t,r,b,l}-* into scroll-m-* (#19842)
• Canonicalization: collapse scroll-p{t,b}-* into scroll-py-*, scroll-p{l,r}-* into scroll-px-*, and scroll-p{t,r,b,l}-* into scroll-p-* (#19842)
• Canonicalization: collapse overflow-{x,y}-* into overflow-* (#19842)
• Canonicalization: collapse overscroll-{x,y}-* into overscroll-* (#19842)
• Read from --placeholder-color instead of --background-color for placeholder-* utilities (#19843)

... (truncated)

Commits

• 588bd73 4.3.0 (#20023)
• d194d4c docs: fix various typos in comments and documentation (#19878)
• db27049 fix(@​tailwindcss/vite): include @​variant in feature detection (#19966)
• 5a79990 Always resolve relative files, relative to the current .css file (#19965)
• f3fdda2 fix(vite): avoid resolving JS plugins to browser CSS entries (#19949)
• 69ad7cc 4.2.4 (#19948)
• 685c19e Fix issue around resolving paths in @tailwindcss/vite (#19947)
• 2e3fa49 4.2.3 (#19944)
• 5cb1efd fix(vite): resolve tsconfig paths in CSS and JS resolvers (#19803)
• d596b0c 4.2.2 (#19821)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tailwindcss/vite since your current version.

Updates autoprefixer from 10.4.20 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

10.4.27

• Removed development key from package.json.

10.4.26

• Reduced package size.

10.4.25

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

10.4.24

• Made Autoprefixer a little faster (by @​Cherry).

10.4.23

• Reduced dependencies (by @​hyperz111).

10.4.22

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

10.4.21

• Fixed old -moz- prefix for :placeholder-shown (by @​Marukome0743).

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• 360f2d9 Release 10.4.27 version
• ab5260c Update clean-publish
• 09e9dd1 Release 10.4.26 version
• ec75540 Ignore local patches
• 59601b8 Update c8 and clean-publish
• Additional commits viewable in compare view

Updates axios from 1.7.9 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (