chore(deps): bump the minor-and-patch group across 1 directory with 9 updates

[dependabot]

Bumps the minor-and-patch group with 6 updates in the / directory:

Package	From	To
@quantcdn/quant-client	4.12.0	4.19.0
@types/node	24.12.0	24.13.2
@vercel/ncc	0.38.4	0.44.0
axios	1.14.0	1.18.0
es-object-atoms	1.1.1	1.1.2
form-data	4.0.5	4.0.6

Updates @quantcdn/quant-client from 4.12.0 to 4.19.0

Release notes

Sourced from @​quantcdn/quant-client's releases.

Release v4.19.0

Quant TypeScript SDK v4.19.0

Auto-generated from unified API specification.

Install:

npm install @quantcdn/quant-client@4.19.0

Changes: See commit history

Release v4.15.4

Quant TypeScript SDK v4.15.4

Auto-generated from unified API specification.

Install:

npm install @quantcdn/quant-client@4.15.4

Changes: See commit history

Release v4.12.2

Quant TypeScript SDK v4.12.2

Auto-generated from unified API specification.

Install:

npm install @quantcdn/quant-client@4.12.2

Changes: See commit history

Release v4.12.1

Quant TypeScript SDK v4.12.1

Auto-generated from unified API specification.

Install:

npm install @quantcdn/quant-client@4.12.1

Changes: See commit history

Commits

• 0690786 Merge pull request #171 from quantcdn/sdk/auto-update-v4.19.0
• f1f49a6 feat(sdk): v4.19.0 - Auto-generated from unified API spec
• 0b9ad92 Merge pull request #141 from quantcdn/sdk/auto-update-v4.15.4
• 5a5f39a feat(sdk): v4.15.4 - Auto-generated from unified API spec
• a0af94e chore: bump version to v4.12.2 [dependabot]
• 09304b1 Merge pull request #124 from quantcdn/dependabot/npm_and_yarn/v4/jest-30.3.0
• fdfb96f chore(deps-dev): bump jest from 30.2.0 to 30.3.0
• aa08813 chore: bump version to v4.12.1 [dependabot]
• b0bd7cf Merge pull request #131 from quantcdn/dependabot/npm_and_yarn/v4/axios-1.14.0
• af0446a chore(deps): bump axios from 1.13.6 to 1.14.0
• See full diff in compare view

Updates @types/node from 24.12.0 to 24.13.2

Commits

• See full diff in compare view

Updates @vercel/ncc from 0.38.4 to 0.44.0

Release notes

Sourced from @​vercel/ncc's releases.

0.44.0

0.44.0 (2026-06-09)

Features

• read permissions pr.yml (#1323) (5ea625e)

0.43.0

0.43.0 (2026-06-09)

Changes

• BREAKING CHANGE: add Node 24 and 26 support, remove 20 (#1318) (#1305)
• switch npm releases to trusted publishing (OIDC) (#1325) (#1327) (#1328) (#1329) (#1330) (#1331) (#1332)
• switch package management to pnpm (#1321)
• fix predictable global cache directory in /tmp enables symlink/hijack risks (#1314)
• reorder extension resolution to prioritise TypeScript over JSON (#1315)
• support TypeScript 6 transpile builds (#1316)

Commits

• 88be21f chore(deps): Bump actions/checkout from 5 to 6 (#1300)
• 5ea625e feat: read permissions pr.yml (#1323)
• a1ff315 feat: remove npm devDependency (#1332)
• 9e077ab feat: add publishConfig to package.json (#1331)
• 7290aa7 feat(ci): upgrade python and remove LLVM LTO flags from MSVC build to fix Nod...
• a428a10 feat: publish using node@24 (#1329)
• 3192116 feat: use canonical package repository metadata (#1328)
• 4461a52 feat: lock semantic-release publish dependencies (#1327)
• e00b2de feat: switch npm releases to trusted publishing (OIDC) (#1325)
• 5f8f509 feat: delete .github/CODEOWNERS (#1324)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​vercel/ncc since your current version.

Updates axios from 1.14.0 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#6792)
• @​carladams1299-lab (#10861)
• @​LaplaceYoung (#10812)
• @​JamieMagee (#10939)
• @​RonGamzu (#10905)
• @​sapirbaruch (#10891)
• @​nezukoagent (#10901)
• @​devareddy05 (#10929)
• @​Mohammad-Faiz-Cloud-Engineer (#10922)
• @​azandabot (#10931)
• @​niksy (#10896)

... (truncated)

Commits

• 2d06f96 chore(release): prepare release 1.18.0 (#11003)
• 32fc489 fix: malformed http urls (#11000)
• b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
• fe964f9 docs: mark proxy config as Node.js only (#10995)
• 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
• fae9d4e docs: clarify package update PR policy (#10992)
• 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
• a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
• 614f455 docs: publish v1.17.0 release notes (#10988)
• 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
• Additional commits viewable in compare view

Updates es-object-atoms from 1.1.1 to 1.1.2

Changelog

Sourced from es-object-atoms's changelog.

v1.1.2 - 2026-05-22

Commits

• [Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, auto-changelog, eslint, npmignore 41e3d94
• [types] improve isObject type 758edc2

Commits

• 9e62644 v1.1.2
• 41e3d94 [Dev Deps] update @ljharb/eslint-config, @ljharb/tsconfig, `auto-changelo...
• 758edc2 [types] improve isObject type
• See full diff in compare view

Updates follow-redirects from 1.15.11 to 1.16.0

Commits

• 0c23a22 Release version 1.16.0 of the npm package.
• 844c4d3 Add sensitiveHeaders option.
• 5e8b8d0 ci: add Node.js 24.x to the CI matrix
• 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
• 86dc1f8 Sanitizing input.
• See full diff in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

• [Fix] escape CR, LF, and " in field names and filenames 8dff42c
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
• [Deps] update hasown, mime-types 92ae0eb
• [Dev Deps] update js-randomness-predictor 67b0f65

Commits

• 64190db v4.0.6
• 92ae0eb [Deps] update hasown, mime-types
• f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
• 8dff42c [Fix] escape CR, LF, and " in field names and filenames
• 67b0f65 [Dev Deps] update js-randomness-predictor
• See full diff in compare view

Updates hasown from 2.0.2 to 2.0.4

Changelog

Sourced from hasown's changelog.

v2.0.4 - 2026-05-28

Commits

• [types] drop the dead key-narrowing overload fdab00e
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint 91f6247

v2.0.3 - 2026-04-17

Commits

• [actions] update workflows fb837b8
• [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, @ljharb/tsconfig, @types/tape, auto-changelog, eslint, mock-property, npmignore, tape f4b279b
• [Dev Deps] update eslint, @ljharb/eslint-config; migrate to flat config 7e415ce
• [Dev Deps] update eslint ef313da
• [meta] use npm audit instead of aud d5c6d4d
• [types] add overload that narrows the key cc03a09

Commits

• 97f3a85 v2.0.4
• fdab00e [types] drop the dead key-narrowing overload
• 91f6247 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint
• 27ebd40 v2.0.3
• fb837b8 [actions] update workflows
• cc03a09 [types] add overload that narrows the key
• f4b279b [Dev Deps] update @arethetypeswrong/cli, @ljharb/eslint-config, `@ljharb/...
• ef313da [Dev Deps] update eslint
• 7e415ce [Dev Deps] update eslint, @ljharb/eslint-config; migrate to flat config
• d5c6d4d [meta] use npm audit instead of aud
• See full diff in compare view

Updates undici-types from 7.16.0 to 7.18.2

Release notes

Sourced from undici-types's releases.

v7.18.2

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

What's Changed

• fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @​mcollina in nodejs/undici#4729

Full Changelog: nodejs/undici@v7.18.1...v7.18.2

v7.18.1

What's Changed

• Test and Fix running without SSL by @​mcollina in nodejs/undici#4727
• docs: add security warning for strictContentLength option by @​mcollina in nodejs/undici#4726
• build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 by @​dependabot[bot] in nodejs/undici#4718
• build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in nodejs/undici#4719

Full Changelog: nodejs/undici@v7.18.0...v7.18.1

v7.18.0

What's Changed

Full Changelog: nodejs/undici@v7.17.0...v7.18.0

v7.17.0

What's Changed

• chore: extract infra and encoding methods by @​Uzlopak in nodejs/undici#4523
• ci: remove h2 by @​Uzlopak in nodejs/undici#4534
• ci: make nodejs-shared wf reusable, install binaryen for wasm-opt, test on node-nightly by @​Uzlopak in nodejs/undici#4535
• ci: fix nightly shared library case by @​Uzlopak in nodejs/undici#4543
• test: consume bodies of fetch responses to fix failing macos 20 ci by @​Uzlopak in nodejs/undici#4528
• docs: add Cache Interceptor example to README by @​tawseefnabi in nodejs/undici#4393
• test: remove node20 version check by @​Uzlopak in nodejs/undici#4544
• types: use MessagePort instance type in MessageEvent by @​Renegade334 in nodejs/undici#4546
• ci: set write permissions on job level by @​Uzlopak in nodejs/undici#4537
• lint: activate n/no-process-exit by @​Uzlopak in nodejs/undici#4548
• ci: run benchmarks on pull_requests and by pushing on specific branches only by @​Uzlopak in nodejs/undici#4536
• chore: activate n/prefer-node-protocol to enforce 'node:' prefix for requiring node built-ins by @​Uzlopak in nodejs/undici#4547
• feat(H2): correct CONNECT behaviour by @​metcoder95 in nodejs/undici#4541
• test: fix plans by @​Uzlopak in nodejs/undici#4550
• feat: add runtime feature "detection" by @​Uzlopak in nodejs/undici#4545
• perf: use less promises in extractBody by @​Uzlopak in nodejs/undici#4458
• fix(proxy-agent): add missing return after callback-call by @​Uzlopak in nodejs/undici#4553
• fix: remove redundant line in retry-handler by @​Uzlopak in nodejs/undici#4554
• ci: add no-wasm-simd option by @​Uzlopak in nodejs/undici#4533
• fix: use lazyloaders for runtime feature detection by @​Uzlopak in nodejs/undici#4557
• fix: minor changes in dispatcher-base.js and types for Dispatcher by @​Uzlopak in nodejs/undici#4556

... (truncated)

Commits

• 7e5cb2d Bumped v7.18.2 (#4730)
• b04e3cb fix(decompress): limit Content-Encoding chain to 5 to prevent resource exhaus...
• 2bcb77b Bumped v7.18.1 (#4728)
• 58a12b7 build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#4719)
• 5fa2930 build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 (#4718)
• fbbe283 docs: add security warning for strictContentLength option (#4726)
• ce12d9e fix: do not crash if Node.js is compiled without SSL (#4727)
• ebe3e33 Bumped v7.18.0 (#4725)
• 4e9b88b fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
• d560767 Bumped v7.17.0 (#4724)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Assignees

The following users could not be added as assignees: @stevenworley. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: dependencies, javascript. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.