
fix(deps): vuln minor upgrades — 9 packages (minor: 4 · patch: 5) #285

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/0-1776936140

Conversation

@gh-worker-campaigns-3e9aa4

Summary: Security update — 9 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package                  | From    | To      | Type  | Dep Type | Vulnerabilities Fixed |
| @types/node              | 25.4.0  | 25.6.0  | minor | Direct   | -                     |
| axios                    | 1.13.6  | 1.15.1  | minor | Direct   | 2 MODERATE            |
| globals                  | 17.4.0  | 17.5.0  | minor | Direct   | -                     |
| jest                     | 30.2.0  | 30.3.0  | minor | Direct   | -                     |
| @datadog/datadog-ci      | 5.9.0   | 5.9.1   | patch | Direct   | -                     |
| @datadog/datadog-ci-base | 5.9.0   | 5.9.1   | patch | Direct   | -                     |
| eslint-plugin-jest       | 29.15.0 | 29.15.2 | patch | Direct   | -                     |
| prettier                 | 3.8.1   | 3.8.3   | patch | Direct   | -                     |
| typescript-eslint        | 8.57.0  | 8.57.2  | patch | Direct   | -                     |

Packages marked with "-" are updated due to dependency constraints.


Security Details

ℹ️ Other Vulnerabilities (2)
| Package | Advisory (GHSA)     | Severity | Summary                                                                       | Unsafe Version | Fixed In |
| axios   | GHSA-fvcv-3m26-pcqx | MODERATE | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.13.6         | 1.15.0   |
| axios   | GHSA-3p68-rc4w-qgx5 | MODERATE | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF         | 1.13.6         | 1.15.0   |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System
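Before approving, it is worth confirming that no older copy of axios survives in the lockfile: the bot bumps the direct dependency, but yarn can keep a second resolution of the same package for a transitive range, and the advisory table above says anything below 1.15.0 is affected. The script below is an added example, not part of this PR or of the ADMS tooling. It parses a yarn v1 lockfile (the lockfile text is constructed for the example and deliberately includes a stale second axios resolution), collects every resolved version of a package, and reports the ones older than the advisory's Fixed In version. The helper names (parseYarnLock, findVulnerableCopies, compareSemver, packageName) are this example's own.

```javascript
// Added example, not part of the PR or of the ADMS tooling: find every resolved
// copy of a package in a yarn v1 lockfile and flag the ones older than an
// advisory's "Fixed In" version. The lockfile below is constructed for the
// example; the axios versions mirror the Security Details table of the PR.

// A yarn v1 lockfile entry: one or more request specs ("axios@^1.13.6") that
// all resolve to the single version given on the indented "version" line.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, name: packageName(specs[0]), version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// "axios@^1.13.6" -> "axios", "@types/node@^25.4.0" -> "@types/node".
function packageName(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// -1, 0 or 1. A prerelease sorts below its release; prereleases are not
// ordered among themselves (enough for "is this older than the fix?").
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Every resolved copy of `name` whose version is older than `fixedIn`.
function findVulnerableCopies(lockText, name, fixedIn) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === name && e.version !== null)
    .filter((e) => compareSemver(e.version, fixedIn) < 0)
    .map((e) => ({ specs: e.specs, version: e.version }));
}

// Constructed lockfile: the direct dependency was bumped to 1.15.1, but a
// transitive range (^1.6.0) still resolves to the vulnerable 1.13.6.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/node@^25.4.0":
  version "25.6.0"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-25.6.0.tgz"

axios@^1.13.6:
  version "1.15.1"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.1.tgz"
  dependencies:
    follow-redirects "^1.15.6"

axios@^1.6.0:
  version "1.13.6"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.13.6.tgz"
  dependencies:
    follow-redirects "^1.15.6"
`;

// Fixed In version from the PR's Security Details table (both advisories).
const AXIOS_FIXED_IN = '1.15.0';

// Stand-alone run: lists the stale axios resolution(s).
console.log(findVulnerableCopies(SAMPLE_LOCK, 'axios', AXIOS_FIXED_IN));
```

To run it against a real project, replace SAMPLE_LOCK with fs.readFileSync('yarn.lock', 'utf8'). The parser only understands the yarn v1 format; Yarn Berry lockfiles use a different syntax (version: 1.15.1 without quotes) and would need their own parser. A non-empty result means the upgrade PR alone does not remove the vulnerable code from the install and a yarn dedupe or an explicit resolutions entry is still needed.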

@campaigner-prod
Contributor

Release Notes

axios (1.13.6 → 1.15.1) — GitHub Release

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
  • Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

  • FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursi

(truncated)

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regress

(truncated)

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (https://github.com/axios/axios/issues/7510)

🐛 Bug Fixes

🔧 Maintenance & Chores

(truncated)

globals (17.4.0 → 17.5.0) — GitHub Release

v17.5.0


sindresorhus/globals@v17.4.0...v17.5.0

jest (30.2.0 → 30.3.0) — GitHub Release

v30.3.0

Features

  • [jest-config] Add defineConfig and mergeConfig helpers for type-safe Jest config (https://github.com/jestjs/jest/issues/15844)
  • [jest-fake-timers] Add setTimerTickMode to configure how timers advance
  • [*] Reduce token usage when run through LLMs (3f17932)

Fixes

Chore & Maintenance

@datadog/datadog-ci (5.9.0 → 5.9.1) — GitHub Release

What's Changed

datadog-ci

Dependencies

Full Changelog: DataDog/datadog-ci@v5.9.0...v5.9.1

@datadog/datadog-ci-base (5.9.0 → 5.9.1) — GitHub Release

What's Changed

datadog-ci

Dependencies

Full Changelog: DataDog/datadog-ci@v5.9.0...v5.9.1

eslint-plugin-jest (29.15.0 → 29.15.2) — GitHub Release

v29.15.2

29.15.2 (2026-04-09)

Bug Fixes

v29.15.1

29.15.1 (2026-03-24)

Bug Fixes

prettier (3.8.1 → 3.8.3) — GitHub Release

3.8.3

🔗 Changelog

3.8.2

  • Support Angular v21.2

🔗 Changelog

typescript-eslint (8.57.0 → 8.57.2) — GitHub Release

v8.57.2

8.57.2 (2026-03-23)

🩹 Fixes

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.57.1

8.57.1 (2026-03-16)

🩹 Fixes

❤️ Thank You

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.


Generated by ADMS Sources: 8 GitHub Releases, 1 not available.
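The SSRF advisory in this PR is described above as a NO_PROXY hostname normalisation bypass, which is a string check that trusts the spelling of its input. The code below is an added example and is not axios or proxy-from-env code; it writes a NO_PROXY matcher twice, a naive version that compares the raw hostname and treats every entry as a bare suffix, and a hardened version that runs both the request host and every entry through one normaliser and only matches subdomains on a label boundary. The specific axios bypass is not reproduced; the scenario, the NO_PROXY value and the hostnames are constructed, and the two matchers' decisions are returned side by side so the difference is visible. It uses only the WHATWG URL global, so it runs in Node without dependencies.

```javascript
// Added example, not axios or proxy-from-env code: a NO_PROXY matcher written
// twice, naive and hardened, to show why the request host and the exclusion
// list must be normalised the same way and why a suffix match must stop at a
// label boundary. The specific axios bypass is not reproduced; the scenario,
// NO_PROXY value and hostnames below are constructed for the example.

// Canonical form applied to BOTH the request host and every NO_PROXY entry.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // [::1] -> ::1
  while (h.length > 1 && h.endsWith('.')) h = h.slice(0, -1);  // localhost. -> localhost
  return h;
}

function parseNoProxy(noProxy) {
  return String(noProxy || '').split(/[\s,]+/).filter(Boolean);
}

// Naive matcher: compares the hostname exactly as the URL parser hands it
// over, and treats every entry as a bare string suffix.
function naiveShouldBypassProxy(url, noProxy) {
  const host = new URL(url).hostname;
  return parseNoProxy(noProxy).some(
    (entry) => entry === '*' || host === entry || host.endsWith(entry),
  );
}

// Hardened matcher: the same normaliser on both sides; ".example.com" and
// "*.example.com" mean "example.com and any subdomain", and a subdomain match
// requires the dot, so "attacker-localhost" never matches "localhost".
function hardenedShouldBypassProxy(url, noProxy) {
  const host = normalizeHost(new URL(url).hostname);
  return parseNoProxy(noProxy).some((rawEntry) => {
    if (rawEntry === '*') return true;
    const entry = normalizeHost(rawEntry.replace(/^\*?\./, ''));
    return entry !== '' && (host === entry || host.endsWith('.' + entry));
  });
}

// Constructed scenario: the egress proxy is the only sanctioned route out of
// the network and also the SSRF control point; only loopback may skip it.
const NO_PROXY = 'localhost, 127.0.0.1, [::1]';

// Both matchers' decisions for one URL. `true` means "connect directly,
// skipping the proxy", which is the dangerous answer for a non-local host.
function compareDecisions(url, noProxy = NO_PROXY) {
  return {
    url,
    naive: naiveShouldBypassProxy(url, noProxy),
    hardened: hardenedShouldBypassProxy(url, noProxy),
  };
}

const SAMPLES = [
  'http://localhost:8080/health',             // genuinely local
  'http://localhost./health',                 // same host, absolute spelling
  'http://attacker-localhost/',               // attacker DNS name ending in "localhost"
  'http://[::1]/',                            // IPv6 loopback literal
  'http://169.254.169.254/latest/meta-data/', // cloud metadata: must go via the proxy
];

// Stand-alone run: print the decision table.
if (typeof module !== 'undefined' && require.main === module) {
  console.table(SAMPLES.map((u) => compareDecisions(u)));
}
```

Two rows matter. For "attacker-localhost" the naive matcher says "skip the proxy" because the string ends in "localhost", so a name the attacker controls in DNS (resolving to whatever internal address they like) is fetched directly and the proxy never sees it; the hardened matcher sends it through the proxy. For "localhost." the two matchers disagree in the other direction, which is the same defect seen from the other side: any decision that changes with the spelling of a host can be steered by whoever supplies the URL. The same rule applies to any allow or deny list compared against hostnames, not only NO_PROXY.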

@seberm-6

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.

@campaigner-prod (bot) closed this Apr 23, 2026