chore(deps): bump the npm-non-major group across 2 directories with 28 updates

[dependabot]

Bumps the npm-non-major group with 24 updates in the / directory:

Package	From	To
@aws-sdk/credential-providers	3.992.0	3.1064.0
@fontsource/roboto	5.2.9	5.2.10
@primer/octicons-react	19.21.2	19.28.1
axios	1.16.1	1.17.0
express-rate-limit	8.5.1	8.5.2
isomorphic-git	1.36.3	1.38.4
openid-client	6.8.1	6.8.4
parse-diff	0.11.1	0.12.0
validator	13.15.26	13.15.35
@babel/core	7.29.0	7.29.7
@babel/preset-react	7.28.5	7.29.7
@eslint/compat	2.0.2	2.1.0
@types/express-session	1.18.2	1.19.0
@types/lodash	4.17.23	4.17.24
cypress	15.9.0	15.16.0
fast-check	4.5.3	4.8.0
lint-staged	17.0.5	17.0.7
prettier	3.8.1	3.8.3
tsx	4.21.0	4.22.4
typescript-eslint	8.56.0	8.61.0
@esbuild/darwin-arm64	0.27.2	0.28.0
@esbuild/darwin-x64	0.27.2	0.28.0
@esbuild/linux-x64	0.27.2	0.28.0
@esbuild/win32-x64	0.27.2	0.28.0

Bumps the npm-non-major group with 5 updates in the /website directory:

Package	From	To
axios	1.15.2	1.17.0
react	19.2.5	19.2.7
react-dom	19.2.5	19.2.7
eslint	10.3.0	10.4.1
@mermaid-js/layout-elk	0.1.9	0.2.1

Updates @aws-sdk/credential-providers from 3.992.0 to 3.1064.0

Release notes

Sourced from @​aws-sdk/credential-providers's releases.

v3.1064.0

3.1064.0(2026-06-08)

Chores

• scripts: update pkg json linting (#8082) (86792c5e)

New Features

• client-cost-optimization-hub: Adds new Idle Recommendation types in the Cost Optimization Hub API (872710e9)
• client-deadline: Added optional identityCenterRegion parameter to AssociateMember APIs to allow managing memberships for users and groups in other regions. (5f03ea0e)
• client-devops-agent: Add Asset APIs for managing versioned assets and asset files in AWS DevOps Agent agent spaces. (bcef9614)
• client-mgn: AWS Transform discovery tool now supported as network migration input source. You can now use the AWS Transform Discovery tool as a source for network migration alongside modelizeIT, enabling hybrid network migrations for environments running both VMware and non-VMware workloads. (2cff08e6)
• client-mediapackagev2: Adds support for DASH Audio Timeline Patternization. This enables your DASH manifests to templatize the repeating patterns that emerge in audio segment timelines. This compacts the total timeline length, utilizing the repeat notation, such that manifests don't grow indefinitely long. (5aad0234)
• client-observabilityadmin: CloudWatch Observability Admin extends CentralizationRuleForOrganization APIs to support metrics, enabling centralization of metrics across accounts and Regions alongside logs. (823cc1d6)
• client-compute-optimizer: Adds new Idle Recommendation Resource types in the AWS Compute Optimizer API (503a9b0a)
• client-omics: StartRunBatch API - Add EngineSettings (0df4009f)
• client-taxsettings: Adds support for additional tax information fields for Philippines, Belgium, Chile, France, Poland, and Italy in the Tax Settings API. (f4ab1b2b)
• lib-transfer-manager: add @​aws-sdk/lib-transfer-manager as private package (#8074) (3d051b5d)

---

For list of updated packages, view updated-packages.md in assets-3.1064.0.zip

v3.1063.0

3.1063.0(2026-06-05)

Chores

• update author URL in package.json (#8080) (9bd1a86b)
• crt-loader: update to latest aws-crt (#8079) (8c2bdabd)

New Features

• clients: update client endpoints as of 2026-06-05 (fe9a398f)
• client-sagemaker: This release adds support for MLflow experiment tracking in SageMaker inference optimization. CreateAIRecommendationJob and CreateAIBenchmarkJob now accept an optional OutputConfig.MlflowConfig (MLflow App ARN, experiment, run name) to stream benchmark metrics and artifacts to your own MLflow App. (39430442)
• client-emr-serverless: Adds support for updating max capacity and custom fields while application is started (6c9cce08)
• client-dynamodb: Adding new BDD representation of endpoint ruleset (416005d4)
• client-mediaconvert: Adds support for configurable number of Clear Lead segments at the beginning of encrypted output. Adds support for multiple trickplay variants. (40eb4c6b)
• client-payment-cryptography: Adds CloudFormation support for resource-based policies on AWS Payment Cryptography keys. (c32019a8)
• client-quicksight: Adds support for Knowledge Base APIs and Index Capacity API (8205152f)

Bug Fixes

• core/httpAuthSchemes: fix concurrent skew correction (#8078) (83e48928)

Tests

• middleware-endpoint-discovery: remove integration tests (#8077) (02363831)

... (truncated)

Changelog

Sourced from @​aws-sdk/credential-providers's changelog.

3.1064.0 (2026-06-08)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1063.0 (2026-06-05)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1062.0 (2026-06-04)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1061.0 (2026-06-03)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1060.0 (2026-06-03)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1059.0 (2026-06-02)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1058.0 (2026-06-01)

... (truncated)

Commits

• bac7175 Publish v3.1064.0
• 86792c5 chore(scripts): update pkg json linting (#8082)
• 85dabf4 Publish v3.1063.0
• 9bd1a86 chore: update author URL in package.json (#8080)
• f5235bb Publish v3.1062.0
• 71df2cc Publish v3.1061.0
• 8aeb92d Publish v3.1060.0
• 75bb4fc Publish v3.1059.0
• 6b082a6 chore(codegen): sync for adaptive retry fix, EAI_AGAIN transient error (#8067)
• d7602d4 Publish v3.1058.0
• Additional commits viewable in compare view

Updates @fontsource/roboto from 5.2.9 to 5.2.10

Commits

• See full diff in compare view

Updates @primer/octicons-react from 19.21.2 to 19.28.1

Release notes

Sourced from @​primer/octicons-react's releases.

v19.28.1

Patch Changes

• #1215 378d7af0 Thanks @​ktravers! - Remove fill from StackRemove and StackCheck icons

• #1221 9d7b366a Thanks @​CameronFoxly! - Add stack-add-16.svg

v19.28.0

Minor Changes

• #1208 eddab3ff Thanks @​dylanatsmith! - Fix vscode icon: update 16px, add 24px, remove 32px and 48px

v19.27.0

Minor Changes

• #1203 a69618e4 Thanks @​ericwbailey! - Add flag icon

Patch Changes

• #1212 02bd1ef8 Thanks @​ericwbailey! - remove hardcoded fill from flag icon

v19.26.0

Minor Changes

• #1197 b45f1d35 Thanks @​lukasoppermann! - Add repo-forked-locked icon

Patch Changes

• #1209 9a7e2146 Thanks @​siddharthkp! - fix: remove hardcoded fill from sandbox icon

v19.25.0

Minor Changes

• #1193 b6efea4a Thanks @​kylewaynebenson! - Added StackRemove & StackCheck icons

• #1194 7d7ca421 Thanks @​kylewaynebenson! - Added Sandbox icon

v19.24.1

Patch Changes

• #1190 38dfb0d4 Thanks @​francinelucca! - Allow data-component attribute to be overridden by consumers

v19.24.0

Minor Changes

• #1185 25e257ff Thanks @​francinelucca! - Add data-component="Octicon" attribute to all SVG elements for easier identification and styling

v19.23.1

... (truncated)

Changelog

Sourced from @​primer/octicons-react's changelog.

19.28.1

Patch Changes

• #1215 378d7af0 Thanks @​ktravers! - Remove fill from StackRemove and StackCheck icons

• #1221 9d7b366a Thanks @​CameronFoxly! - Add stack-add-16.svg

19.28.0

Minor Changes

• #1208 eddab3ff Thanks @​dylanatsmith! - Fix vscode icon: update 16px, add 24px, remove 32px and 48px

19.27.0

Minor Changes

• #1203 a69618e4 Thanks @​ericwbailey! - Add flag icon

Patch Changes

• #1212 02bd1ef8 Thanks @​ericwbailey! - remove hardcoded fill from flag icon

19.26.0

Minor Changes

• #1197 b45f1d35 Thanks @​lukasoppermann! - Add repo-forked-locked icon

Patch Changes

• #1209 9a7e2146 Thanks @​siddharthkp! - fix: remove hardcoded fill from sandbox icon

19.25.0

Minor Changes

• #1193 b6efea4a Thanks @​kylewaynebenson! - Added StackRemove & StackCheck icons

• #1194 7d7ca421 Thanks @​kylewaynebenson! - Added Sandbox icon

19.24.1

Patch Changes

• #1190 38dfb0d4 Thanks @​francinelucca! - Allow data-component attribute to be overridden by consumers

19.24.0

... (truncated)

Commits

• 6d9dcd9 Version Packages (#1216)
• 9d7b366 Save stack-add-16.svg (#1221)
• 4e8731c Fix optimize pathspec to match icons in root directory (#1220)
• c6a8229 Scope SVG optimize workflow to only changed icons (#1218)
• 378d7af Remove hard-coded fill from StackRemove and StackCheck icons (#1215)
• f17b0be Bump @​tootallnate/once from 2.0.0 to 2.0.1 in /lib/octicons_react (#1213)
• fef9ded Version Packages (#1214)
• eddab3f Fix VSCode icon and remove unnecessary size variants (#1208)
• 067ee62 Bump lodash from 4.17.23 to 4.18.1 in /lib/octicons_react (#1201)
• 7ee4aaf Version Packages (#1210)
• Additional commits viewable in compare view

Updates axios from 1.16.1 to 1.17.0

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

Full Changelog

Commits

• 4306df2 chore: add fun 88 sponsorship
• 931cc8f chore(release): prepare release 1.17.0 (#10983)
• 38ba1b3 fix(fetch): support basic auth from URL (#10896)
• 32e2515 fix: replace ternary side effect in script (#10931)
• 030e722 chore(deps): bump axios from 1.15.2 to 1.16.1 in /docs (#10960)
• ec63164 chore: remove openspec (#10958)
• 3dec28f fix(http): preserve TLS options for proxy tunnels (#10957)
• a2390a5 fix: correct isCancel type to narrow to CanceledError<T> (#10952)
• fa01b92 chore(deps-dev): bump tmp from 0.2.5 to 0.2.7 in /docs (#10954)
• 2d2314a fix: AxiosHeaders toJSON() return types (#10956)
• Additional commits viewable in compare view

Updates express-rate-limit from 8.5.1 to 8.5.2

Release notes

Sourced from express-rate-limit's releases.

v8.5.2

You can view the changelog here.

Commits

• 9774693 8.5.2
• 0e94cc0 v8.5.2 changelog
• 9a583c5 feat: simplify IPv6 key generation (#633)
• 4f4b3fb chore(deps-dev): bump lint-staged from 16.4.0 to 17.0.4 (#632)
• 3c1d6c5 chore(deps-dev): bump the development-dependencies group with 7 updates (#631)
• 18884b6 chore(deps): bump basic-ftp from 5.2.0 to 5.3.1 (#630)
• dacc980 chore(deps): bump handlebars from 4.7.8 to 4.7.9 (#629)
• 486d0c6 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#627)
• See full diff in compare view

Updates isomorphic-git from 1.36.3 to 1.38.4

Release notes

Sourced from isomorphic-git's releases.

v1.38.4

1.38.4 (2026-06-02)

Bug Fixes

• pass credential config username to auth callbacks (#2346) (d9920c5)

v1.38.3

1.38.3 (2026-05-26)

Bug Fixes

• Improve internal error reporting guidance (#2345) (955acf3)

v1.38.2

1.38.2 (2026-05-25)

Bug Fixes

• add bot authoring to release commit (#2329) (328b1ba)
• add Clever Cloud logo to Acknowledgments in README (#2334) (89f441d)

v1.38.1

1.38.1 (2026-05-18)

Bug Fixes

• add cloudflare logo (#2316) (a71a835)

v1.38.0

1.38.0 (2026-05-15)

Bug Fixes

• Fix images in README (#2315) (007951f)

Features

• add refresh option to status and statusMatrix (#2313) (a7420b7)

v1.37.9

1.37.9 (2026-05-15)

... (truncated)

Commits

• d9920c5 fix: pass credential config username to auth callbacks (#2346)
• 955acf3 fix: Improve internal error reporting guidance (#2345)
• 89f441d fix: add Clever Cloud logo to Acknowledgments in README (#2334)
• 328b1ba fix: add bot authoring to release commit (#2329)
• a71a835 fix: add cloudflare logo (#2316)
• a7420b7 feat: add refresh option to status and statusMatrix (#2313)
• 007951f fix: Fix images in README (#2315)
• 6e99054 fix: point "jsdelivr" field to minified browser build (#2312)
• 6972b1e fix: remove duplicated contriobutors (#2311)
• 199714a fix: browser entrypoint not being used in some non-node build contexts (#2309)
• Additional commits viewable in compare view

Updates openid-client from 6.8.1 to 6.8.4

Release notes

Sourced from openid-client's releases.

v6.8.4

Fixes

• apply optional non-repudiation on generic grant ID Tokens (6202888)
• filter jwe decryption keys by algorithm (34e2ffd)
• preserve poll abort signals on requests (96a2d17)
• retry dpop nonce errors for generic grants (498c4d9)

v6.8.3

Documentation

• note a workaround for redirect_uri with query string or bare origin (e9689de), closes #868

Fixes

• passport: delete one-time state on callback (1e7dd2e)

v6.8.2

Fixes

• use duplex: half for fetchProtectedResource with ReadableStream body input (f6f84e2)

Changelog

Sourced from openid-client's changelog.

6.8.4 (2026-04-27)

Fixes

• apply optional non-repudiation on generic grant ID Tokens (6202888)
• filter jwe decryption keys by algorithm (34e2ffd)
• preserve poll abort signals on requests (96a2d17)
• retry dpop nonce errors for generic grants (498c4d9)

6.8.3 (2026-04-13)

Documentation

• note a workaround for redirect_uri with query string or bare origin (e9689de), closes #868

Fixes

• passport: delete one-time state on callback (1e7dd2e)

6.8.2 (2026-02-07)

Fixes

• use duplex: half for fetchProtectedResource with ReadableStream body input (f6f84e2)

Commits

• c645695 chore(release): 6.8.4
• ee60464 chore: update CHANGELOG.md header
• 96a2d17 fix: preserve poll abort signals on requests
• 34e2ffd fix: filter jwe decryption keys by algorithm
• 6202888 fix: apply optional non-repudiation on generic grant ID Tokens
• 498c4d9 fix: retry dpop nonce errors for generic grants
• 35042cf chore: cleanup after release
• 66e4082 chore(release): 6.8.3
• fa292f2 test: fix typings build issues
• 0600c91 test: deflake pollBackchannelAuthenticationGrant
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for openid-client since your current version.

Updates parse-diff from 0.11.1 to 0.12.0

Commits

• f0828af Release 0.12.0
• 5a66fd9 chore: build with esbuild
• a3b0c75 feat: use esbuild
• 07dbcd6 chore: biome auto fixes
• 4e60b97 feat(devx): try biome
• 8231f95 chore: up eslint v10
• c032d55 chore: up deps
• e563b14 chore: use node v24
• 251d359 Merge pull request #51 from andyfeller/af/handle-empty-lines
• a3180a5 fix: handle empty context lines in unified diffs
• Additional commits viewable in compare view

Updates validator from 13.15.26 to 13.15.35

Release notes

Sourced from validator's releases.

13.15.35

Fixes, New Locales and Enhancements

• #2663 isISO31661Alpha2/isISO31661Alpha3: add support for Kosovo (XK / XXK) @​johanpoirier-d4
• #2661 isHexColor: ignore non-object options @​yuna0831
• isTaxID

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	cd7653e
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a2b9f5ae8253400088217c1

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ❌ 1 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.
• ⚠️ 1 packages with OpenSSF Scorecard issues.

View full job summary

[06kellyjac]

Only blocker is bowser@2.14.1 – License: MIT AND MITNFA

https://spdx.org/licenses/MITNFA.html

Bowser has always listed itself as MIT but it includes this block:

Distributions of all or part of the Software intended to be used
by the recipients as they would use the unmodified Software,
containing modifications that substantially alter, remove, or
disable functionality of the Software, outside of the documented
configuration mechanisms provided by the Software, shall be
modified such that the Original Author's bug reporting email
addresses and urls are either replaced with the contact information
of the parties responsible for the changes, or removed entirely.

Which is only in the MIT +no-false-attribs License edition.

cc @TheJuanAndOnly99
Can you check MITNFA is approved within FINOS? :)

[TheJuanAndOnly99]

Hi @06kellyjac MITNFA is unfortunately not OSI approved as it includes additional clauses to the MIT license. I will follow up with the LF legal team about this and see what they have to say.

If I understand correctly, the dependency chain looks like this:

Optional Feature: @aws-sdk/credential-provider (which pulls in bowser) is imported in Git Proxy as a MongoDB database helper specifically to support optional AWS IAM authentication.

Non-Default Path: This code path is tied strictly to the MongoDB persistence option, not the default setup.

Disabled by Default: Git Proxy’s default persistence backend is fs. While MongoDB is documented as the production-oriented option, it is disabled by default in the shipped proxy.config.json.

[06kellyjac]

Yes, it's an optional feature.
To make the distinction more solid we could do a dynamic import so it's only imported when opted-in, not just un-used.
It could also go in optionalDependencies

[dependabot]

Superseded by #1592.

[TheJuanAndOnly99]

@06kellyjac Doing both would improve the git-proxy compliance posture while we wait on legal, however it doesn't get us out of the problem if legal comes back saying MITNFA is not approved (which I suspect they might).

Would it be possible to make this a peerDependency? You could then also add a clear note in the README or documentation right next to the MongoDB/AWS setup instructions calling out that utilizing AWS IAM authentication for MongoDB requires explicitly installing @aws-sdk/credential-provider as a peer dependency and that the dependency includes components licensed under MITNFA.