fix(deps): update non-major dependencies #4923

Open
renovate[bot] wants to merge 1 commit into main from renovate/all-minor-patch

@renovate renovate Bot commented Apr 18, 2026

This PR contains the following updates:

| Package | Change | Type | Update |
| --- | --- | --- | --- |
| @actions/github (source) | 9.1.0 → 9.1.1 | dependencies | patch |
| @dotenvx/dotenvx | 1.61.0 → 1.61.5 | dependencies | patch |
| @kong/spec-renderer | 1.107.12 → 1.107.14 | dependencies | patch |
| algoliasearch (source) | 5.50.2 → 5.51.0 | dependencies | minor |
| axios (source) | 1.15.0 → 1.15.2 | dependencies | patch |
| instantsearch.css | 8.13.0 → 8.14.0 | dependencies | minor |
| liquid-c (source) | 4.0.1 → 4.2.0 | | minor |
| node (source) | 24.14.0 → 24.15.0 | | minor |
| ruby (source) | 3.4.4 → 3.4.9 | | patch |
| snowflake-sdk | 2.3.4 → 2.4.0 | dependencies | minor |
| step-security/harden-runner | v2.18.0 → v2.19.0 | action | minor |
| vue (source) | 3.5.32 → 3.5.33 | dependencies | patch |
| vue-instantsearch | 4.24.4 → 4.25.0 | dependencies | minor |
| yarn (source) | 4.9.2 → 4.14.1 | packageManager | minor |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

actions/toolkit (@actions/github)

v9.1.1

  • Bump undici from 6.23.0 to 6.24.0 #​2346

dotenvx/dotenvx (@dotenvx/dotenvx)

v1.61.5

Compare Source

Changed
  • Support --hostname flag to dotenvx-ops.login (#​801)

v1.61.4

Compare Source

Changed
  • Respect SIGINT handler completion (#​798)

v1.61.3

Compare Source

Changed
  • Tighten up ext precommit --install message (#​797)

v1.61.2

Compare Source

Changed
  • For Ops ⛨ users surface stderr (#​796)

v1.61.1

Compare Source

  • Faster coldstarts! (#​781)
  • Patch dotenvx precommit|prebuild shorthand (#​793)

Kong/spec-renderer (@kong/spec-renderer)

v1.107.14

Compare Source

Bug Fixes
  • deps: update all non-major dependencies with stable versions (#​840) (fabda00)

v1.107.13

Compare Source

Bug Fixes
  • example-generation: do not generate sample values for optional params [TDX-7895] (#​850) (e54ebeb)

algolia/algoliasearch-client-javascript (algoliasearch)

v5.51.0

Compare Source

BREAKING CHANGES: this minor version includes breaking changes in the Composition API. See below for more details.

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

algolia/instantsearch (instantsearch.css)

v8.14.0

Compare Source

Features

nodejs/node (node)

v24.15.0

Compare Source

v24.14.1

Compare Source

snowflakedb/snowflake-connector-nodejs (snowflake-sdk)

v2.4.0

Compare Source

New features:

  • Added browserRedirectPort connection option to customize the port of the local server that receives the EXTERNALBROWSER authentication callback (#​1004)

Changes:

  • Bumped @aws-sdk/* dependencies to address fast-xml-parser vulnerability (#​1355)
  • Improved keep-alive HTTP agents with a 30-second idle socket timeout that proactively discards stale connections before the server closes them, preventing socket hang up and ECONNRESET errors (#​1352)

Bugfixes:

  • Fixed connection pools re-prompting browser authentication for every pooled connection when using EXTERNALBROWSER or OAUTH_AUTHORIZATION_CODE authenticators; the first connection now completes auth and caches tokens before subsequent pool connections start (#​1359)
  • Fixed session token renewal failing due to a malformed request, which caused long-running connections to disconnect instead of refreshing their expired session token (#​1357)
  • Fixed query context cache not being updated on failed queries, which could cause stale cache when subsequent queries land on a different GS node (#​1375)

Internal:

  • Included spcs_token when driver runs inside SPCS (#​1372)

v2.3.6

Compare Source

New features:

  • connect() now supports every authenticator type (including external browser and Okta), matching connectAsync() (#​1342)

Changes:

  • Removed @google-cloud/storage dependency, GCS transfers now use the JSON API directly; the forceGCPUseDownscopedCredential connection option has been removed as it is no longer needed (#​1341)
  • Updated default jsonColumnVariantParser to fall back to eval-based parsing for non-JSON-compliant variant values (e.g. undefined, NaN, Infinity), restoring pre-2.3.5 behavior while keeping JSON.parse as the primary parser (#​1351)

Bugfixes:

  • Fixed OAUTH_AUTHORIZATION_CODE authenticator not honoring openExternalBrowserCallback connection option (#​1353)
  • Fixed createConnection() and createPool() types to accept no arguments, matching runtime behavior of loading configuration from connections.toml (#​1347)
  • Fixed account field in ConnectionOptions type to be optional, since it can be derived from accessUrl or host (#​1347)
  • Fixed external browser SSO authentication crashing when the SSO URL request returns a server-side error (#​1350)

v2.3.5

Compare Source

  • Added ability to skip token file permission checks using SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION env variable (#​1314)
  • Added Node 18+ to engines, which is our minimum officially supported version since the 2.x release (#​1268)
  • Added PLATFORM field to login-request telemetry (#​1269)
  • Added request retries to previously uncovered query execution paths (#​1280)
  • Added rowStreamHighWaterMark connection option to control how many rows are buffered when streaming query results via statement.streamRows() (#​1289)
  • Added a warning when converting query result to JavaScript numbers with precision loss (#​1295, #​1296)
  • Added snake_case key support when loading connections.toml via createConnection() with no arguments (#​1304)
  • Exported normalizeConnectionOptions() utility to convert snake_case connection keys to camelCase, with key aliases and acronym overrides (#​1304)
  • Added LIBC_FAMILY and LIBC_VERSION fields to login-request telemetry (#​1310)
  • Added crlDownloadMaxSize config option to enforce a maximum response size limit when downloading CRL files (#​1321)
  • Added RSASSA-PSS signature verification support to CRL validation (#​1325)
  • Improved error details when OAuth fails (#​1302)
  • Changed default jsonColumnVariantParser to JSON.parse (#​1300)
  • Updated Linux GNU minicore binaries to target glibc 2.18 for broader compatibility with older Linux distributions (#​1332)
  • Fixed OAuth crashing when using bundlers (#​1266)
  • Fixed Binds typing to allow readonly arrays (#​1270)
  • Fixed connectAsync() method resolving before connection is completed (#​1276)
  • Fixed incorrect handling of callback argument that should be optional in connect() and connectAsync() (#​1276)
  • Fixed a bug where invalid JWT was generated if user accidentally set both the account and the host in the config (#​1283)
  • Fixed a bug where parsing the JSON media type failed when it included an optional parameter from Microsoft Identity Platform v2.0 tokens, failing OAuth Client Credentials flow (#​1301)
  • Fixed disableSamlUrlCheck typing to use correct casing: disableSamlURLCheck (#​1304)
  • Fixed getDefaultCacheDir() crashing in environments where no user home directory is configured by falling back to os.tmpdir() (#​1312)
  • Fixed SF_OCSP_RESPONSE_CACHE_DIR not being used directly as the OCSP cache directory (#​1313)
  • Fixed bugs in noProxy and NO_PROXY handling:
    • .domain.com wildcard format was not correctly matching the destination host (#​1309)
    • . was incorrectly matching as any character instead of a literal dot (#​1315)
    • Partial strings were incorrectly matching instead of requiring full destination match (#​1315)
  • Fixed CRL ADVISORY mode to log failures at warn level instead of debug (#​1321)
  • Fixed OAuth Authorization Code reauthentication not using the refreshed access token when the cached access token is expired (#​1318)
  • Fixed OAuth Authorization Code refresh token being removed from cache when the IDP does not return a new one (#​1319)
  • Fixed unhandled promise rejection when server returns malformed query responses (#​1329)
  • Replaced ESLint with oxlint for better performance and out-of-the-box TypeScript support (#​1254)
  • Bumped fast-xml-parser requirement to latest 5.4.1 to address CVE-2026-26278 and CVE-2026-27942 (#​1281 and #​1311)
  • Removed bn.js dependency (#​1294)

step-security/harden-runner (step-security/harden-runner)

v2.19.0

Compare Source

What's Changed
New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks
  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).
Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

vuejs/core (vue)

v3.5.33

Compare Source

Bug Fixes

yarnpkg/berry (yarn)

v4.14.1

Compare Source

v4.14.0

Compare Source

v4.13.0

Compare Source

v4.12.0

Compare Source

v4.11.0

Compare Source

v4.10.3

Compare Source

v4.10.2

Compare Source

v4.10.1

Compare Source

v4.10.0

Compare Source

v4.9.4

Compare Source

v4.9.3

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the review:tech label Apr 18, 2026
@renovate renovate Bot requested a review from a team as a code owner April 18, 2026 00:31

netlify Bot commented Apr 18, 2026

Deploy Preview for kongdeveloper ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 5756dd6 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/kongdeveloper/deploys/69e94c493969f0000a80db29 |
| 😎 Deploy Preview | https://deploy-preview-4923--kongdeveloper.netlify.app |

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 27 times, most recently from 796804d to c0b4ad4 Compare April 21, 2026 20:28
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch 13 times, most recently from 2f1a6a9 to 27a24dd Compare April 22, 2026 21:46
@renovate renovate Bot force-pushed the renovate/all-minor-patch branch from 27a24dd to 5756dd6 Compare April 22, 2026 22:31