Bump the minor-and-patch group with 9 updates

[dependabot]

Bumps the minor-and-patch group with 9 updates:

Package	From	To
axios	1.15.1	1.15.2
dompurify	3.4.0	3.4.2
focus-trap-react	12.0.0	12.0.1
i18next-http-backend	3.0.5	3.0.6
react-hotkeys-hook	5.2.4	5.3.0
react-router	7.14.1	7.14.2
typescript-eslint	8.58.2	8.59.1
vite	8.0.9	8.0.10
vitest	4.1.4	4.1.5

Updates axios from 1.15.1 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

---

Commits

• 5829343 chore(release): prepare release 1.15.2 (#10789)
• 4709a48 fix: added fix for memory leak in sockets (#10788)
• be33360 chore: update changelog (#10781)
• 4791514 fix: more header pollutions (#10779)
• 6feafcf fix: socket issue (#10777)
• 302e273 docs: update docs, add a couple actions etc (#10776)
• See full diff in compare view

Updates dompurify from 3.4.0 to 3.4.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitization
• Fixed the IN_PLACE root-node check to explicitly guard against non-string nodeName (DOM-clobbering robustness)
• Removed a duplicate slot entry from the default HTML attribute allow-list
• Strengthened the fast-check fuzz harness with explicit XSS invariants, an expanded seed-payload corpus, an additional idempotence property for SANITIZE_NAMED_PROPS, and a negative-control assertion ensuring the invariants actually fire
• Added regression and pinning tests covering the above fixes and two accepted-behavior contracts (SAFE_FOR_TEMPLATES greedy scrub, hook-added attribute handling)
• Extended CodeQL analysis to run on 3.x and 2.x maintenance branches

Commits

• 6f67fd3 Sync/3.4.2 (#1322)
• 5b0cdbb chore: merge main into 3.x for 3.4.1 release (#1301)
• 09f5911 test: added three more browsers to test setup (OSX, mobile)
• See full diff in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates focus-trap-react from 12.0.0 to 12.0.1

Release notes

Sourced from focus-trap-react's releases.

v12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

Changelog

Sourced from focus-trap-react's changelog.

12.0.1

Patch Changes

• 93c93e9: Update focus-trap dependency to 8.1.0 for new lifecycle hook improvements (onActivate, etc).

Commits

• 95347d3 Version Packages (#1890)
• 93c93e9 Bump focus-trap to 8.1.0 (#1889)
• fd3fe32 [DEPENDABOT]: Bump @​typescript-eslint/eslint-plugin from 8.58.2 to 8.59.0 (#1...
• 591f8af [DEPENDABOT]: Bump @​changesets/cli from 2.30.0 to 2.31.0 (#1883)
• 2d283a7 [DEPENDABOT]: Bump typescript from 6.0.2 to 6.0.3 (#1885)
• b6e21d9 [DEPENDABOT]: Bump @​typescript-eslint/parser from 8.58.2 to 8.59.0 (#1886)
• 912a5cc [DEPENDABOT]: Bump cypress from 15.13.1 to 15.14.1 (#1887)
• 1ce7b6b [DEPENDABOT]: Bump eslint-plugin-react-hooks from 7.0.1 to 7.1.1 (#1888)
• b5dcc57 [DEPENDABOT]: Bump eslint-plugin-cypress from 6.2.3 to 6.3.1 (#1874)
• 65d02f5 [DEPENDABOT]: Bump prettier from 3.8.1 to 3.8.3 (#1876)
• Additional commits viewable in compare view

Updates i18next-http-backend from 3.0.5 to 3.0.6

Changelog

Sourced from i18next-http-backend's changelog.

3.0.6

• fix: allow forward slashes in ns values so nested namespace names (mapping to URL layouts such as /locales/en/a/b.json) fetch correctly again. 3.0.5's security fix applied the same strict URL-segment check to both lng and ns, which was correct for lng (no BCP-47 shape contains /) but over-strict for ns — nested namespaces containing / were never officially supported, but the behaviour fell out of the implicit string-substitution semantics of loadPath and is common enough in the wild to be worth accommodating. isSafeUrlSegment is now split into isSafeLangUrlSegment (strict — still rejects /) and isSafeNsUrlSegment (loose — allows / but still rejects .., \, URL-structure characters, control chars, prototype keys, and oversized inputs). isSafeUrlSegment is kept as a backwards-compatible alias for the strict check. The 3.0.5 security fix remains in force for every concrete attack pattern from the original advisory.

Commits

• ddf1048 3.0.6
• d73cfdc fix: allow forward slashes in ns values
• 9abbdee Bump i18next-http-backend from 1.4.0 to 3.0.5 in /example/i18next-vue (#184)
• b4ca8bb Bump i18next-http-backend from 3.0.1 to 3.0.5 in /example/fallback (#183)
• dffddd4 Bump i18next-http-backend from 3.0.2 to 3.0.5 in /example/next (#182)
• fd29b40 Bump i18next-http-backend from 1.3.2 to 3.0.5 in /example/vue (#181)
• dc68dbe docs: link published GHSA advisory in v3.0.5 notes
• See full diff in compare view

Updates react-hotkeys-hook from 5.2.4 to 5.3.0

Release notes

Sourced from react-hotkeys-hook's releases.

v5.3.0

What's Changed

• chore(deps): update dependency vite to v7.3.2 [security] by @​renovate[bot] in JohannesKlauss/react-hotkeys-hook#1321
• fix: prevent mod hotkey from triggering on Super/Windows key on non-macOS platforms by @​samhoseinkhani in JohannesKlauss/react-hotkeys-hook#1325
• Update all non-major dependencies by @​renovate[bot] in JohannesKlauss/react-hotkeys-hook#1326
• #1313 Fixed missing ref re-assignment for conditionally rendered elements by @​oleksandr-danylchenko in JohannesKlauss/react-hotkeys-hook#1314
• Add Key Blacklist Support to useRecordHotkeys by @​vedmakk in JohannesKlauss/react-hotkeys-hook#1268
• Update dependency @​eslint/js to v10 by @​renovate[bot] in JohannesKlauss/react-hotkeys-hook#1327

New Contributors

• @​samhoseinkhani made their first contribution in JohannesKlauss/react-hotkeys-hook#1325
• @​oleksandr-danylchenko made their first contribution in JohannesKlauss/react-hotkeys-hook#1314
• @​vedmakk made their first contribution in JohannesKlauss/react-hotkeys-hook#1268

Full Changelog: JohannesKlauss/react-hotkeys-hook@v5.2.4...v5.3.0

Commits

• c026fec Improve docs, fixes #1181
• 9c0e979 Fix #1226
• 8e3928b Fix #1035 and #1015
• b404d47 Merge remote-tracking branch 'origin/main'
• b3579a2 Add regression tests for #1231
• 6f592bb Merge remote-tracking branch 'origin/main' into chor-upgrade-docs
• 2e6f494 Update docs
• e3ed1f0 Declare exports field in package.json
• 61dda85 Tell the agent to use gh for github related work
• 14d568e Merge remote-tracking branch 'origin/main'
• Additional commits viewable in compare view

Updates react-router from 7.14.1 to 7.14.2

Release notes

Sourced from react-router's releases.

v7.14.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7142

Changelog

Sourced from react-router's changelog.

v7.14.2

Patch Changes

• Remove the un-documented custom error serialization logic from the internal turbo-stream implementation. React Router only automatically handles serialization of Error and it's standard subtypes (SyntaxError, TypeError, etc.). ([aabf4a1)

• Properly handle parent middleware redirects during fetcher.load ([aabf4a1)

• Remove redundant Omit<RouterProviderProps, "flushSync"> from react-router/dom RouterProvider ([aabf4a1)

• Improved types for generatePath's param arg ([aabf4a1)

  Type errors when required params are omitted:

  // Before
  // Passes type checks, but throws at runtime 💥
  generatePath(":required", { required: null });
  // After
  generatePath(":required", { required: null });
  //                          ^^^^^^^^ Type 'null' is not assignable to type 'string'.ts(2322)

  Allow omission of optional params:

  // Before
  generatePath(":optional?", {});
  //                         ^^ Property 'optional' is missing in type '{}' but required in type '{ optional: string | null | undefined; }'.ts(2741)
  // After
  generatePath(":optional?", {});

  Allows extra keys:

  // Before
  generatePath(":a", { a: "1", b: "2" });
  //                           ^ Object literal may only specify known properties, and 'b' does not exist in type '{ a: string; }'.ts(2353)
  // After
  generatePath(":a", { a: "1", b: "2" });

Commits

• cf1d250 Release v7.14.2 (#14993)
• bc77b32 Adjust internal error serialization logic (#14992)
• 184bebe chore: format
• 9248834 Add hasOwnProperty to build-time env check
• 5981192 remove the un-documented custom error serialization logic (#14986)
• 8b9a55c chore: format
• 29b28e0 Improved types for generatePaths params arg (#14984)
• 142c703 Fix fetcher loader redirects from parent middleware (#14974)
• bb9433b fix: RouterProviderProps already omits flushSync (#14874)
• See full diff in compare view

Updates typescript-eslint from 8.58.2 to 8.59.1

Release notes

Sourced from typescript-eslint's releases.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (#11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.59.1 (2026-04-27)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

• 5245793 chore(release): publish 8.59.1
• ea9ae4f chore(release): publish 8.59.0
• See full diff in compare view

Updates vite from 8.0.9 to 8.0.10

Release notes

Sourced from vite's releases.

v8.0.10

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.10 (2026-04-23)

Features

• update rolldown to 1.0.0-rc.17 (#22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#22278) (9437518)
• typecheck client directory (#22284) (40a0847)

Commits

• 32c2978 release: v8.0.10
• a4d06d9 feat: update rolldown to 1.0.0-rc.17 (#22299)
• a4d828f fix: hmrClient.logger.debug and hmrClient.logger.error looked different f...
• 83f0a78 fix(css): show filename in CSS minification warnings for .css?inline (#22292)
• b8a21cc fix: remove format sniffing module resolution from JS resolver (#22297)
• 40a0847 refactor: typecheck client directory (#22284)
• 5c7cec6 fix(optimizer): allow user transform.target to override default in optimizeDe...
• 9437518 refactor: enable some typecheck rules (#22278)
• See full diff in compare view

Updates vitest from 4.1.4 to 4.1.5

Release notes

Sourced from vitest's releases.

v4.1.5

   🚀 Experimental Features

• coverage: Istanbul to support instrumenter option  -  by @​BartWaardenburg and @​AriPerkkio in vitest-dev/vitest#10119 (0e0ff)

   🐞 Bug Fixes

• --project negation excludes browser instances  -  by @​felamaslen in vitest-dev/vitest#10131 (9423d)
• Project color label on html reporter  -  by @​hi-ogawa in vitest-dev/vitest#10142 (596f7)
• Fix vi.defineHelper called as object method  -  by @​hi-ogawa in vitest-dev/vitest#10163 (122c2)
• Alias agent reporter to minimal  -  by @​sheremet-va in vitest-dev/vitest#10157 (663b9)
• Respect diff config options in soft assertions  -  by @​Copilot, sheremet-va and @​sheremet-va in vitest-dev/vitest#8696 (9787d)
• Respect diff config options in soft assertions "  -  by @​sheremet-va in vitest-dev/vitest#8696 (7dc6d)
• ast-collect: Recognize _vi_import prefix in static test discovery  -  by @​Yejneshwar in vitest-dev/vitest#10129 (32546)
• coverage: Descriptive error message when reports directory is removed during test run  -  by @​DaveT1991 and @​AriPerkkio in vitest-dev/vitest#10117 (14133)
• snapshot: Increase default snapshot max output length  -  by @​hi-ogawa and Codex in vitest-dev/vitest#10150 (21e66)
• ui: Fix jsx/tsx syntax highlight  -  by @​hi-ogawa in vitest-dev/vitest#10152 (f1b1f)
• web-worker: Support MessagePort objects referenced inside postMessage data  -  by @​whitphx and Claude Opus 4.6 (1M context) in vitest-dev/vitest#9927 and vitest-dev/vitest#10124 (7ad7d)
• api: Make test-specification options writable  -  by @​sheremet-va in vitest-dev/vitest#10154 (6abd5)

    View changes on GitHub

Commits

• e399846 chore: release v4.1.5
• 7dc6d54 Revert "fix: respect diff config options in soft assertions (#8696)"
• 9787ded fix: respect diff config options in soft assertions (#8696)
• 325463a fix(ast-collect): recognize _vi_import prefix in static test discovery (#10...
• 0e0ff41 feat(coverage): istanbul to support instrumenter option (#10119)
• 663b99f fix: alias agent reporter to minimal (#10157)
• 122c25b fix: fix vi.defineHelper called as object method (#10163)
• 6abd557 feat(api): make test-specification options writable (#10154)
• 596f739 fix: project color label on html reporter (#10142)
• 9423dc0 fix: --project negation excludes browser instances (#10131)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Use docker or podman to test this pull request locally.

Run test server using develop.opencast.org as backend:

podman run --rm -it -p 127.0.0.1:3000:3000 ghcr.io/opencast/admin-interface:pr-1592

Specify a different backend like stable.opencast.org:

podman run --rm -it -p 127.0.0.1:3000:3000 -e PROXY_TARGET=https://stable.opencast.org ghcr.io/opencast/admin-interface:pr-1592

It may take a few seconds for the interface to spin up.
It will then be available at http://127.0.0.1:3000.
For more options you can pass on to the proxy, take a look at the README.md.