chore(deps): Bump the npm_and_yarn group across 2 directories with 25 updates

[dependabot]

Bumps the npm_and_yarn group with 24 updates in the / directory:

Package	From	To
react-router	6.30.1	6.30.2
@backstage/backend-defaults	0.13.0	0.16.0
@backstage/plugin-auth-backend	0.25.5	0.27.1
@backstage/plugin-scaffolder-backend	3.0.0	3.1.5
@backstage/cli-common	0.1.15	0.1.18
@backstage/integration	1.18.1	1.20.1
@backstage/plugin-techdocs-node	1.13.8	1.14.4
@smithy/config-resolver	4.1.4	4.4.13
@xmldom/xmldom	0.8.10	0.8.12
axios	1.10.0	1.14.0
basic-ftp	5.0.5	5.2.0
diff	4.0.2	4.0.4
fast-xml-parser	4.5.3	4.5.5
handlebars	4.7.8	4.7.9
immutable	3.8.2	3.8.3
js-yaml	3.14.1	3.14.2
jsonpath	1.1.1	1.3.0
jws	3.2.2	3.2.3
multer	2.0.2	2.1.1
node-forge	1.3.1	1.4.0
picomatch	2.3.1	2.3.2
rollup	4.45.1	4.60.1
svgo	2.8.0	2.8.2
yauzl	3.2.0	3.3.0

Bumps the npm_and_yarn group with 2 updates in the /packages/backend directory: @backstage/backend-defaults and @backstage/plugin-auth-backend.

Updates react-router from 6.30.1 to 6.30.2

Release notes

Sourced from react-router's releases.

v6.30.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

Changelog

Sourced from react-router's changelog.

v6.30.2

Date: 2025-11-13

Security Notice

This release addresses 1 security vulnerability:

• Unexpected external redirect via untrusted paths

Patch Changes

• Normalize double-slashes in resolvePath (#14537)

Full Changelog: v6.30.1...v6.30.2

Commits

• 26b5d45 chore: Update version for release (#14541)
• 919f8a8 chore: Update version for release (pre-v6) (#14540)
• 69bf705 Normalize double slashes in resolvePath (#14537)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for react-router since your current version.

Updates @backstage/backend-defaults from 0.13.0 to 0.16.0

Changelog

Sourced from @​backstage/backend-defaults's changelog.

0.16.0

Minor Changes

• 42960f1: The actions registry invoke endpoint now accepts direct user credentials in addition to service principals, enabling CLI and other direct user clients to invoke actions.
• 0e7d8f9: The scheduler service now uses the metrics service to create metrics, providing plugin-scoped attribution.
• 527cf88: BREAKING Removed deprecated BitbucketUrlReader. Use the BitbucketCloudUrlReader or the BitbucketServerUrlReader instead.

Patch Changes

• cc8348e: Added permissions integration to the actions registry. Actions registered with a visibilityPermission field are now checked against the permissions framework when listing and invoking. Denied actions are filtered from list results, and invoking a denied action returns a 404 Not Found as if the action does not exist. Permissions are automatically registered with the PermissionsRegistryService so they appear in the permission policy system.
• dee4283: Added pluginId field to ActionsServiceAction type, populated from the registering plugin's metadata.
• 015668c: Added cancelTask method to the SchedulerService interface and implementation, allowing cancellation of currently running scheduled tasks. For global tasks, the database lock is released and a periodic liveness check aborts the running task function. For local tasks, the task's abort signal is triggered directly. A new POST /.backstage/scheduler/v1/tasks/:id/cancel endpoint is also available.
• 638e6c7: chore(deps): bump yauzl from 3.2.0 to 3.2.1
• 6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1
• 62f0a53: Fixed error forwarding in the actions registry so that known errors like InputError and NotFoundError thrown by actions preserve their original status codes and messages instead of being wrapped in ForwardedError and coerced to 500.
• d933f62: Add configurable throttling and retry mechanism for GitLab integration.
• b99158a: Fixed yarn backstage-cli config:check --strict --config app-config.yaml config validation error by adding an optional default type discriminator to PostgreSQL connection configuration, allowing config:check to properly validate default connection configurations.
• 1ee5b28: Adds an alpha MetricsService to provide a unified interface for metrics instrumentation across Backstage plugins.
• 5fcbef2: Updated dependency express-rate-limit to ^8.0.0.
• a49a40d: Updated dependency zod to ^3.25.76 || ^4.0.0 & migrated to /v3 or /v4 imports.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0
  • @​backstage/cli-node@​0.3.0
  • @​backstage/integration@​2.0.0
  • @​backstage/config-loader@​1.10.9
  • @​backstage/plugin-permission-common@​0.9.7
  • @​backstage/plugin-permission-node@​0.10.11
  • @​backstage/plugin-auth-node@​0.6.14
  • @​backstage/backend-app-api@​1.6.0
  • @​backstage/plugin-events-node@​0.4.20

0.16.0-next.2

Patch Changes

• 015668c: Added cancelTask method to the SchedulerService interface and implementation, allowing cancellation of currently running scheduled tasks. For global tasks, the database lock is released and a periodic liveness check aborts the running task function. For local tasks, the task's abort signal is triggered directly. A new POST /.backstage/scheduler/v1/tasks/:id/cancel endpoint is also available.
• 5fcbef2: Updated dependency express-rate-limit to ^8.0.0.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0-next.1
  • @​backstage/integration@​2.0.0-next.2
  • @​backstage/backend-app-api@​1.6.0-next.1
  • @​backstage/plugin-auth-node@​0.6.14-next.2
  • @​backstage/plugin-events-node@​0.4.20-next.1
  • @​backstage/plugin-permission-node@​0.10.11-next.1

0.16.0-next.1

... (truncated)

Commits

• See full diff in compare view

Updates @backstage/plugin-auth-backend from 0.25.5 to 0.27.1

Changelog

Sourced from @​backstage/plugin-auth-backend's changelog.

@​backstage/plugin-auth-backend

0.28.0-next.1

Patch Changes

• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0-next.1
  • @​backstage/plugin-auth-node@​0.7.0-next.1
  • @​backstage/plugin-catalog-node@​2.1.1-next.1

0.28.0-next.0

Minor Changes

• d7c67cd: BREAKING: The setting auth.omitIdentityTokenOwnershipClaim has had its default value switched to true.

  With this setting Backstage user tokens issued by the auth backend will no longer contain an ent claim - the one with the user's ownership entity refs. This means that tokens issued in large orgs no longer risk hitting HTTP header size limits.

  To get ownership info for the current user, code should use the userInfo core service. In practice code will typically already conform to this since the ent claim has not been readily exposed in any other way for quite some time. But code which explicitly decodes Backstage tokens - which is strongly discouraged - may be affected by this change.

  The setting will remain for some time to allow it to be set back to false if need be, but it will be removed entirely in a future release.

Patch Changes

• dc87ac1: Fixed CIMD redirect URI matching to allow any port for localhost addresses per RFC 8252 Section 7.3. Native CLI clients use ephemeral ports for OAuth callbacks, which are now accepted when the registered redirect URI uses a localhost address.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.1-next.0
  • @​backstage/plugin-auth-node@​0.6.15-next.0
  • @​backstage/plugin-catalog-node@​2.1.1-next.0
  • @​backstage/catalog-model@​1.7.7
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/types@​1.2.2

0.27.2

Patch Changes

• 1ccad86: Added who-am-i action to the auth backend actions registry. Returns the catalog entity and user info for the currently authenticated user.
• d0f4cd2: Added optional client metadata document endpoint at /.well-known/oauth-client/cli.json relative to the auth backend base URL for CLI authentication. Enabled when auth.experimentalClientIdMetadataDocuments.enabled is set to true.
• 6738cf0: build(deps): bump minimatch from 9.0.5 to 10.2.1
• e9b6e97: Fixed a security vulnerability where the CIMD metadata fetch could follow HTTP redirects to internal hosts, bypassing SSRF protections.
• 0f9d673: Improved redirect URI validation in the experimental OIDC provider to match against normalized URLs rather than raw strings.
• a49a40d: Updated dependency zod to ^3.25.76 || ^4.0.0 & migrated to /v3 or /v4 imports.
• 634eded: Fixed a foreign key constraint violation when issuing refresh tokens for CIMD clients, and prevented a failed refresh token issuance from failing the entire token exchange. Fixed AWS ALB auth provider incorrectly returning HTTP 500 instead of 401 for JWT validation failures, which caused retry loops and memory pressure under load.
• 619be54: Update migrations to be reversible

... (truncated)

Commits

• See full diff in compare view

Updates @backstage/plugin-scaffolder-backend from 3.0.0 to 3.1.5

Changelog

Sourced from @​backstage/plugin-scaffolder-backend's changelog.

@​backstage/plugin-scaffolder-backend

3.3.0-next.1

Minor Changes

• 309b712: Added a new execute-template actions registry action that executes a scaffolder template with provided input values and returns a task ID for tracking progress.

Patch Changes

• 4559806: Removed unnecessary empty examples array from actions bridged via the actions registry.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.9.0-next.1
  • @​backstage/backend-openapi-utils@​0.6.8-next.1
  • @​backstage/plugin-catalog-node@​2.1.1-next.1
  • @​backstage/plugin-events-node@​0.4.21-next.1
  • @​backstage/plugin-permission-node@​0.10.12-next.1
  • @​backstage/plugin-scaffolder-node@​0.13.1-next.1

3.2.1-next.0

Patch Changes

• 79453c0: Updated dependency wait-for-expect to ^4.0.0.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.1-next.0
  • @​backstage/plugin-permission-node@​0.10.12-next.0
  • @​backstage/backend-openapi-utils@​0.6.8-next.0
  • @​backstage/plugin-catalog-node@​2.1.1-next.0
  • @​backstage/plugin-events-node@​0.4.21-next.0
  • @​backstage/plugin-scaffolder-node@​0.13.1-next.0
  • @​backstage/catalog-model@​1.7.7
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/integration@​2.0.0
  • @​backstage/types@​1.2.2
  • @​backstage/plugin-permission-common@​0.9.7
  • @​backstage/plugin-scaffolder-common@​2.0.0

3.2.0

Minor Changes

• c9b11eb: Added a new list-scaffolder-tasks action that allows querying scaffolder tasks with optional ownership filtering and pagination support
• 1b42218: Adds a new get-scaffolder-task-logs action to @backstage/plugin-scaffolder-backend that retrieves log events for a given scaffolder task, with optional support for retrieving only new events after a given event ID.
• 0fbcf23: Migrated OpenAPI schemas to 3.1.
• 7695dd2: Added a new list-scaffolder-actions action that returns all installed scaffolder actions with their schemas and examples
• e8736ea: Added secrets schema validation for task creation, retry, and dry-run endpoints. When a template defines spec.secrets.schema, the API validates provided secrets against the schema and returns a 400 error if validation fails.

Patch Changes

... (truncated)

Commits

• See full diff in compare view

Updates @backstage/cli-common from 0.1.15 to 0.1.18

Changelog

Sourced from @​backstage/cli-common's changelog.

0.1.18

Patch Changes

• 7455dae: Use node prefix on native imports

0.1.18-next.0

Patch Changes

• 7455dae: Use node prefix on native imports
• Updated dependencies
  • @​backstage/errors@​1.2.7

0.1.17

Patch Changes

• ae4dd5d: Move some of the symlink resolution to isChildPath

0.1.16

Patch Changes

• 5cfb2a4: Added new run, runOutput, and runCheck utilities to help run child processes in a safe and portable way.
• c8c2329: Add proxy configuration from env-vars to create-app tasks
• 2bae83a: Bumped dev dependencies @types/node

0.1.16-next.2

Patch Changes

• 2bae83a: Bumped dev dependencies @types/node
• Updated dependencies
  • @​backstage/errors@​1.2.7

0.1.16-next.1

Patch Changes

• 5cfb2a4: Added new run, runOutput, and runCheck utilities to help run child processes in a safe and portable way.

0.1.16-next.0

Patch Changes

• c8c2329: Add proxy configuration from env-vars to create-app tasks

Commits

• See full diff in compare view

Updates @backstage/integration from 1.18.1 to 1.20.1

Changelog

Sourced from @​backstage/integration's changelog.

@​backstage/integration

2.0.0

Major Changes

• 527cf88: BREAKING Removed deprecated Azure DevOps, Bitbucket, Gerrit and GitHub code:

  • For Azure DevOps, the long deprecated token string and credential object have been removed from the config.d.ts. Use the credentials array object instead.
  • For Bitbucket, the long deprecated bitbucket object has been removed from the config.d.ts. Use the bitbucketCloud or bitbucketServer objects instead.
  • For Gerrit, the parseGerritGitilesUrl function has been removed, use parseGitilesUrlRef instead. The buildGerritGitilesArchiveUrl function has also been removed, use buildGerritGitilesArchiveUrlFromLocation instead.
  • For GitHub, the getGitHubRequestOptions function has been removed.

Minor Changes

• d933f62: Add configurable throttling and retry mechanism for GitLab integration.

Patch Changes

• 1513a0b: Fixed a security vulnerability where path traversal sequences in SCM URLs could be used to access unintended API endpoints using server-side integration credentials.
• 993a598: Fixed Azure integration config schema visibility annotations to use per-field @visibility secret instead of @deepVisibility secret on parent objects, so that non-secret fields like clientId, tenantId, organizations, and managedIdentityClientId are no longer incorrectly marked as secret.

2.0.0-next.2

Patch Changes

• 1513a0b: Fixed a security vulnerability where path traversal sequences in SCM URLs could be used to access unintended API endpoints using server-side integration credentials.

2.0.0-next.1

Major Changes

• 527cf88: BREAKING Removed deprecated Azure DevOps, Bitbucket, Gerrit and GitHub code:

  • For Azure DevOps, the long deprecated token string and credential object have been removed from the config.d.ts. Use the credentials array object instead.
  • For Bitbucket, the long deprecated bitbucket object has been removed from the config.d.ts. Use the bitbucketCloud or bitbucketServer objects instead.
  • For Gerrit, the parseGerritGitilesUrl function has been removed, use parseGitilesUrlRef instead. The buildGerritGitilesArchiveUrl function has also been removed, use buildGerritGitilesArchiveUrlFromLocation instead.
  • For GitHub, the getGitHubRequestOptions function has been removed.

Patch Changes

• 993a598: Fixed Azure integration config schema visibility annotations to use per-field @visibility secret instead of @deepVisibility secret on parent objects, so that non-secret fields like clientId, tenantId, organizations, and managedIdentityClientId are no longer incorrectly marked as secret.
• Updated dependencies
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7

1.21.0-next.0

Minor Changes

... (truncated)

Commits

• c8a8aac Version Packages
• 4aa43f6 chore(deps): update dependency cross-fetch to v4
• f577e11 Version Packages (next)
• 11153a0 Merge remote-tracking branch 'upstream/master' into entra-rename
• ad7d38c fix tests
• 243c655 Updated Azure Active Directory to Entra ID
• 8cdb8c2 Version Packages
• e43d3eb Version Packages (next)
• 0b55f77 Removed some unused dependencies
• bea3617 Version Packages (next)
• Additional commits viewable in compare view

Updates @backstage/plugin-techdocs-node from 1.13.8 to 1.14.4

Changelog

Sourced from @​backstage/plugin-techdocs-node's changelog.

1.14.4

Patch Changes

• cb7c6b1: Added techdocs.generator.mkdocs.dangerouslyAllowAdditionalKeys configuration option to explicitly bypass MkDocs configuration key restrictions. This enables support for additional MkDocs configuration keys beyond the default safe allow list, such as the hooks key which some MkDocs plugins require.
• e96f6d9: Removed INHERIT from the ALLOWED_MKDOCS_KEYS set to address a security concern with MkDocs configuration inheritance.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0
  • @​backstage/integration@​2.0.0
  • @​backstage/catalog-model@​1.7.7

1.14.4-next.2

Patch Changes

• e96f6d9: Removed INHERIT from the ALLOWED_MKDOCS_KEYS set to address a security concern with MkDocs configuration inheritance.
• Updated dependencies
  • @​backstage/backend-plugin-api@​1.8.0-next.1
  • @​backstage/integration@​2.0.0-next.2

1.14.3-next.1

Patch Changes

• cb7c6b1: Added techdocs.generator.mkdocs.dangerouslyAllowAdditionalKeys configuration option to explicitly bypass MkDocs configuration key restrictions. This enables support for additional MkDocs configuration keys beyond the default safe allow list, such as the hooks key which some MkDocs plugins require.
• Updated dependencies
  • @​backstage/integration@​2.0.0-next.1
  • @​backstage/backend-plugin-api@​1.7.1-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/integration-aws-node@​0.1.20
  • @​backstage/plugin-search-common@​1.2.22
  • @​backstage/plugin-techdocs-common@​0.1.1

1.14.3-next.0

Patch Changes

• Updated dependencies
  • @​backstage/integration@​1.21.0-next.0
  • @​backstage/backend-plugin-api@​1.7.1-next.0
  • @​backstage/catalog-model@​1.7.6
  • @​backstage/config@​1.3.6
  • @​backstage/errors@​1.2.7
  • @​backstage/integration-aws-node@​0.1.20
  • @​backstage/plugin-search-common@​1.2.22
  • @​backstage/plugin-techdocs-common@​0.1.1

1.14.2

... (truncated)

Commits

• See full diff in compare view

Updates @smithy/config-resolver from 4.1.4 to 4.4.13

Release notes

Sourced from @​smithy/config-resolver's releases.

@​smithy/config-resolver@​4.4.13

Patch Changes

• b1f0dba: fix(middleware-endpoint): update type of useDualStackEndpoint/useFipsEndpoint input config fix(config-resolver): add alternate values for NODE_USE_DUALSTACK_ENDPOINT_CONFIG_OPTIONS and NODE_USE_FIPS_ENDPOINT_CONFIG_OPTIONS

@​smithy/config-resolver@​4.4.12

Patch Changes

• 4b5602d: fix: update default value to undefined for dualstack/fips config

Changelog

Sourced from @​smithy/config-resolver's changelog.

4.4.13

Patch Changes

• b1f0dba: fix(middleware-endpoint): update type of useDualStackEndpoint/useFipsEndpoint input config fix(config-resolver): add alternate values for NODE_USE_DUALSTACK_ENDPOINT_CONFIG_OPTIONS and NODE_USE_FIPS_ENDPOINT_CONFIG_OPTIONS

4.4.12

Patch Changes

• 4b5602d: fix: update default value to undefined for dualstack/fips config

4.4.11

Patch Changes

• Updated dependencies [5340b11]
  • @​smithy/types@​4.13.1
  • @​smithy/node-config-provider@​4.3.12
  • @​smithy/util-endpoints@​3.3.3
  • @​smithy/util-middleware@​4.2.12

4.4.10

Patch Changes

• a4d95e6: Set downlevel types to be used in typescript@'<4.5'
• Updated dependencies [a4d95e6]
  • @​smithy/node-config-provider@​4.3.11
  • @​smithy/util-config-provider@​4.2.2
  • @​smithy/util-middleware@​4.2.11
  • @​smithy/util-endpoints@​3.3.2

4.4.9

Patch Changes

• Updated dependencies [d0954cc]
  • @​smithy/types@​4.13.0
  • @​smithy/node-config-provider@​4.3.10
  • @​smithy/util-endpoints@​3.3.1
  • @​smithy/util-middleware@​4.2.10

4.4.8

Patch Changes

• Updated dependencies [2bf677c]
  • @​smithy/util-endpoints@​3.3.0

... (truncated)

Commits

• 9328be2 Version NPM packages
• b1f0dba fix(config-resolver): add new config selectors (#1927)
• e3a0f6f Version NPM packages
• 4b5602d fix(config-resolver): update default value to undefined for dualstack/FIPS co...
• 0bdca15 Version NPM packages
• 5eab7ea Version NPM packages
• a4d95e6 fix: set downlevel types to be used in typescript@'<4.5' (#1906)
• 2acebec Version NPM packages
• 06793cc Version NPM packages
• 1f51a0c Version NPM packages
• Additional commits viewable in compare view

Updates @xmldom/xmldom from 0.8.10 to 0.8.12

Release notes

Sourced from @​xmldom/xmldom's releases.

0.8.12

Commits

Fixed

• preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)
• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @​thesmartshadow, @​stevenobiajulu, for your contributions

xmldom/xmldom#357

0.8.11

0.8.11

Fixed

• update ownerDocument when moving nodes between documents [#933](https://github.com/xmldom/xmldom/issues/933) / [#932](https://github.com/xmldom/xmldom/issues/932)

Thank you, @​shunkica, for your contributions

Changelog

Sourced from @​xmldom/xmldom's changelog.

0.8.12

Fixed

• preserve trailing whitespace in ProcessingInstruction data [#962](https://github.com/xmldom/xmldom/issues/962) / [#42](https://github.com/xmldom/xmldom/issues/42)
• Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
• Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

Thank you, @​thesmartshadow, @​stevenobiajulu, for your contributions

0.8.11

Fixed

• update ownerDocument when moving nodes between documents [#933](https://github.com/xmldom/xmldom/issues/933) / [#932](https://github.com/xmldom/xmldom/issues/932)

Thank you, @​shunkica, for your contributions

0.9.8

Fixed

• fix: replace \u2029 as part of normalizeLineEndings [#839](https://github.com/xmldom/xmldom/issues/839) / [#838](https://github.com/xmldom/xmldom/issues/838)
• perf: speed up line detection [#847](https://github.com/xmldom/xmldom/issues/847) / [#838](https://github.com/xmldom/xmldom/issues/838)

Chore

• updated dependencies
• drop jazzer and rxjs devDependencies [#845](https://github.com/xmldom/xmldom/issues/845)

Thank you, @​kboshold, @​Ponynjaa, for your contributions.

0.9.7

Added

• Implementation of hasAttributes [#804](https://github.com/xmldom/xmldom/issues/804)

Fixed

• locator is now true even when other options are being used for the DOMParser [#802](https://github.com/xmldom/xmldom/issues/802) / [#803](https://github.com/xmldom/xmldom/issues/803)

... (truncated)

Commits

• 189cb78 0.8.12
• ed08df7 fix: XML injection via unsafe CDATA serialization (GHSA-wh4c-j3r5-mjhp) (#968)
• a5b929b chore: clean up generated test artefacts before running ci-local
• 4e37a20 ci: run format:check in lint job
• ac0ac77 chore: ignore generated files when checking formatting
• 968c893 chore: add local CI script and format:check script
• ac40424 fix: preserve trailing whitespace in ProcessingInstruction data (#962)
• cece752 chore: add .nvmrc pointing to node version 18
• cbf44d9 docs: improve links to changes in most recent release
• c0f1401 0.8.11
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by karfau, a new releaser for @​xmldom/xmldom since your current version.

Updates axios from 1.10.0 to 1.14.0

Release notes

Sourced from axios's releases.

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)
• CommonJS Compatibility: Fixed package main entry regression affecting CJS consumers. (#7532)

🔧 Maintenance & Chores

• Security/Dependencies: Updated formidable and refreshed package set to newer versions. (#7533, #10556)
• Tooling: Continued migration to Vitest and modernised CI/test harnesses. (#7484, #7489, #7498)
• Build/Lint Stack: Rollup, ESLint, TypeScript, and related dev-dependency updates. (#7508, #7509, #7522)
• Documentation: Clarified JSON parsing and adapter-related docs/comments. (#7398, #7460, #7478)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​aviu16 (#7456)
• @​NETIZEN-11 (#7460)
• @​fedotov (#7457)
• @​nthbotast (#7478)
• @​veeceey (#7398)
• @​penkzhou (#7515)

Full Changelog: v1.13.6...v1.14.0

v1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @​moh3n9595 for the initial implementation. (#5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

• Environment Compatibility:
  • Fixed module exports for React Native and Browserify environments. (#7386)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 46bee3d chore(release): prepare release 1.14.0 (#10563)
• 518aff5 chore: add AI Moderator workflow for spam detection (#10551)
• b7dfda3 chore(sponsor): update sponsor block (#10557)
• 9aa34d5 fix: updated release flow to match the current flows (#10562)
• e9e5ebe Update packages to latest version (#10556)
• 4d8931c fix: formidable dependency vulnerable to arbitrary (#7533)
• 3a6f5c1 chore(deps-dev): bump @​babel/preset-env (#7531)
• bcfd299 fix: bug axios breaks commonjs compatibility main entry (#7532)
• d6dcbfd fix: dependabot uses the correct labels (#7530)
• 5dd7ba7 chore: upgrade to latest ts (#7522)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates basic-ftp from 5.0.5 to 5.2.0

Release notes

Sourced from basic-ftp's releases.

5.2.0

• Changed: Skip files with invalid name in downloadToDir.

5.1.0

• Added: Add the option to prevent the use of separate transfer host IPs when using PASV. (