chore(deps): bump the npm_and_yarn group across 5 directories with 5 updates by dependabot[bot] · Pull Request #18 · JohnDaWalka/x402

dependabot · 2026-03-04T20:15:25Z

Bumps the npm_and_yarn group with 2 updates in the /e2e directory: axios and hono.
Bumps the npm_and_yarn group with 4 updates in the /examples/typescript directory: axios, hono, next and @modelcontextprotocol/sdk.
Bumps the npm_and_yarn group with 2 updates in the /examples/typescript/mcp-embedded-wallet directory: axios and @modelcontextprotocol/sdk.
Bumps the npm_and_yarn group with 3 updates in the /typescript directory: axios, hono and next.
Bumps the npm_and_yarn group with 1 update in the /typescript/site directory: next.

Updates axios from 1.10.0 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

Fix/5657. (PR #7313)

Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

Add input validation to isAbsoluteURL. (PR #7326)

Refactor: bump minor package versions. (PR #7356)

Documentation

Clarify object-check comment. (PR #7323)

Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

Chore: fix issues with YAML. (PR #7355)

CI: update workflow YAMLs. (PR #7372)

CI: fix run condition. (PR #7373)

Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)

Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

@sachin11063 (first contribution — PR #7323)

@asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

fix: issues with version 1.13.3 (#7352) (ee90dfc)

Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)

interceptor: handle the error in the same interceptor (#6269) (5945e40)

main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)

package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)

silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)

turn AxiosError into a native error (#5394) (#5558) (1c6a86d)

types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)

types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)

unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

add undefined as a value in AxiosRequestConfig (#5560) (095033c)

add automatic minor and patch upgrades to dependabot (#6053) (65a7584)

add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)

added copilot instructions (3f83143)

compatibility with frozen prototypes (#6265) (860e033)

enhance pipeFileToResponse with error handling (#7169) (88d7884)

types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298

deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

Ashvin Tiwari

Nikunj Mochi

Anchal Singh

jasonsaayman

Julian Dax

Akash Dhar Dubey

Madhumita

Tackoil

Justin Dhillon

Rudransh

WuMingDao

codenomnom

Nandan Acharya

Eric Dubé

Tibor Pilz

Gabriel Quaresma

Turadg Aleahmad

... (truncated)

Commits

29f7542 chore(release): prepare release 1.13.5 (#7379)
431c3a3 ci: fix run condition (#7373)
9ff3a78 ci: update ymls (#7372)
265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
475e75a feat: add input validation to isAbsoluteURL (#7326)
28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
04cf019 docs: clarify object check comment (#7323)
696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
569f028 fix: added a option to choose between legacy and the new request/response int...
44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates hono from 4.8.3 to 4.12.4

Release notes

Sourced from hono's releases.

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

Other changes

fix(client): preserve route schema in ApplyGlobalResponse by @agumy in honojs/hono#4777

fix(utils/url): specify the return type of tryDecodeURI by @yusukebe in honojs/hono#4779

New Contributors

@agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

What's Changed

fix(validator): prevent type diff bug in form data parsing by @EdamAme-x in honojs/hono#4753

fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @EdamAme-x in honojs/hono#4754

fix(jwt): fix JwtVariables for ContextVariableMap by @yusukebe in honojs/hono#4764

fix(types): remove DOM type dependencies from ClientResponse and request method by @YevheniiKotyrlo in honojs/hono#4768

fix(types): correct middleware types by @hmnd in honojs/hono#4774

fix(jwt): prevent memory leak by avoiding mutation of options object by @EdamAme-x in honojs/hono#4759

New Contributors

@YevheniiKotyrlo made their first contribution in honojs/hono#4768

@hmnd made their first contribution in honojs/hono#4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

... (truncated)

Commits

19d20d2 4.12.4
44ae0c8 Merge commit from fork
f4123ed Merge commit from fork
80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
6a0607a Merge commit from fork
0768232 fix(client): preserve route schema in ApplyGlobalResponse (#4777)
790c57b 4.12.3
bda46ac fix(jwt): prevent memory leak by avoiding mutation of options object (#4759)
0f505f4 fix(types): correct middleware types (#4774)
eb9c112 fix(types): remove DOM type dependencies from ClientResponse and request meth...
Additional commits viewable in compare view

Updates next from 15.4.0-canary.113 to 16.2.0-canary.78

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472

https://vercel.com/changelog/summary-of-cve-2026-23864

Commits

60a2aa9 v15.5.10
e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
bf9f084 Sync DoS mitigations for React Flight
c5de33e v15.5.9
dd23399 Backport facebook/react#35351 for 15.5.8 (#87086)
7526cd6 v15.5.8
1e9ec41 Update React Version (#41)
16141e5 Update React Version (#30)
e01e589 Backport Next.js changes to v15.5.8 (#23)
Additional commits viewable in compare view

Updates axios from 1.11.0 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

Fix/5657. (PR #7313)

Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

Add input validation to isAbsoluteURL. (PR #7326)

Refactor: bump minor package versions. (PR #7356)

Documentation

Clarify object-check comment. (PR #7323)

Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

Chore: fix issues with YAML. (PR #7355)

CI: update workflow YAMLs. (PR #7372)

CI: fix run condition. (PR #7373)

Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)

Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

@sachin11063 (first contribution — PR #7323)

@asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

fix: issues with version 1.13.3 (#7352) (ee90dfc)

Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)

interceptor: handle the error in the same interceptor (#6269) (5945e40)

main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)

package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)

silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)

turn AxiosError into a native error (#5394) (#5558) (1c6a86d)

types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)

types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)

unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

add undefined as a value in AxiosRequestConfig (#5560) (095033c)

add automatic minor and patch upgrades to dependabot (#6053) (65a7584)

add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)

added copilot instructions (3f83143)

compatibility with frozen prototypes (#6265) (860e033)

enhance pipeFileToResponse with error handling (#7169) (88d7884)

types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298

deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

Ashvin Tiwari

Nikunj Mochi

Anchal Singh

jasonsaayman

Julian Dax

Akash Dhar Dubey

Madhumita

Tackoil

Justin Dhillon

Rudransh

WuMingDao

codenomnom

Nandan Acharya

Eric Dubé

Tibor Pilz

Gabriel Quaresma

Turadg Aleahmad

... (truncated)

Commits

29f7542 chore(release): prepare release 1.13.5 (#7379)
431c3a3 ci: fix run condition (#7373)
9ff3a78 ci: update ymls (#7372)
265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
475e75a feat: add input validation to isAbsoluteURL (#7326)
28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
04cf019 docs: clarify object check comment (#7323)
696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
569f028 fix: added a option to choose between legacy and the new request/response int...
44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates hono from 4.9.2 to 4.12.4

Release notes

Sourced from hono's releases.

v4.12.4

Security fixes

This release includes fixes for the following security issues:

SSE Control Field Injection

Affects: streamSSE() in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in event, id, and retry. GHSA-p6xx-57qc-3wxr

Cookie Attribute Injection in setCookie()

Affects: setCookie() from hono/cookie. Fixes cookie attribute manipulation by rejecting ;, \r, and \n in domain and path options. GHSA-5pq2-9x2x-5p6w

Middleware Bypass in Serve Static

Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. GHSA-q5qw-h33p-qvwr

Users who uses Strreaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.

Other changes

fix(client): preserve route schema in ApplyGlobalResponse by @agumy in honojs/hono#4777

fix(utils/url): specify the return type of tryDecodeURI by @yusukebe in honojs/hono#4779

New Contributors

@agumy made their first contribution in honojs/hono#4777

Full Changelog: honojs/hono@v4.12.3...v4.12.4

v4.12.3

What's Changed

fix(validator): prevent type diff bug in form data parsing by @EdamAme-x in honojs/hono#4753

fix(jwt): use Math.floor instead of bitwise OR for safe timestamp by @EdamAme-x in honojs/hono#4754

fix(jwt): fix JwtVariables for ContextVariableMap by @yusukebe in honojs/hono#4764

fix(types): remove DOM type dependencies from ClientResponse and request method by @YevheniiKotyrlo in honojs/hono#4768

fix(types): correct middleware types by @hmnd in honojs/hono#4774

fix(jwt): prevent memory leak by avoiding mutation of options object by @EdamAme-x in honojs/hono#4759

New Contributors

@YevheniiKotyrlo made their first contribution in honojs/hono#4768

@hmnd made their first contribution in honojs/hono#4774

Full Changelog: honojs/hono@v4.12.2...v4.12.3

v4.12.2

Security fix

Fixed incorrect handling of X-Forwarded-For in the AWS Lambda adapter behind ALB that could allow IP-based access control bypass. The detail: GHSA-xh87-mx6m-69f3

... (truncated)

Commits

19d20d2 4.12.4
44ae0c8 Merge commit from fork
f4123ed Merge commit from fork
80a9837 fix(utils/url): specify the return type of tryDecodeURI (#4779)
6a0607a Merge commit from fork
0768232 fix(client): preserve route schema in ApplyGlobalResponse (#4777)
790c57b 4.12.3
bda46ac fix(jwt): prevent memory leak by avoiding mutation of options object (#4759)
0f505f4 fix(types): correct middleware types (#4774)
eb9c112 fix(types): remove DOM type dependencies from ClientResponse and request meth...
Additional commits viewable in compare view

Updates next from 15.5.0 to 15.5.10

Release notes

Sourced from next's releases.

v15.5.10

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472

https://vercel.com/changelog/summary-of-cve-2026-23864

Commits

60a2aa9 v15.5.10
e5b834d fetch(next/image): reduce maximumResponseBody from 300MB to 50MB (#88588)
39a2f6a feat(next/image)!: add images.maximumResponseBody config (#88183)
bf9f084 Sync DoS mitigations for React Flight
c5de33e v15.5.9
dd23399 Backport facebook/react#35351 for 15.5.8 (#87086)
7526cd6 v15.5.8
1e9ec41 Update React Version (#41)
16141e5 Update React Version (#30)
e01e589 Backport Next.js changes to v15.5.8 (#23)
Additional commits viewable in compare view

Updates bn.js from 4.12.2 to 4.12.3

Commits

39fe438 4.12.3
67ecb35 backport(4.x): fix imaskn state (#317)
See full diff in compare view

Updates @modelcontextprotocol/sdk from 1.17.3 to 1.26.0

Release notes

Sourced from @modelcontextprotocol/sdk's releases.

v1.26.0

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

chore: bump v1.25.3 for backport fixes by @pcarleton in modelcontextprotocol/typescript-sdk#1412

fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x backport) by @samuv in modelcontextprotocol/typescript-sdk#1382

Fix #1430: Client Credentials providers scopes support (backported) by @NSeydoux in modelcontextprotocol/typescript-sdk#1442

chore: bump version to 1.26.0 by @pcarleton in modelcontextprotocol/typescript-sdk#1479

New Contributors

@samuv made their first contribution in modelcontextprotocol/typescript-sdk#1382

@NSeydoux made their first contribution in modelcontextprotocol/typescript-sdk#1442

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

v1.25.3

What's Changed

[v1.x backport] Use correct schema for client sampling validation when tools are present by @olaservo in modelcontextprotocol/typescript-sdk#1407

fix: prevent Hono from overriding global Response object (v1.x) by @mattzcarey in modelcontextprotocol/typescript-sdk#1411

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.2...v1.25.3

v1.25.2

What's Changed

ci: trigger workflow on v1.x branch by @felixweinberger in modelcontextprotocol/typescript-sdk#1319

fix: README badges links destinations by @antonpk1 in modelcontextprotocol/typescript-sdk#907

fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @pcarleton in modelcontextprotocol/typescript-sdk#1365

New Contributors

@antonpk1 made their first contribution in modelcontextprotocol/typescript-sdk#907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

1.25.1

What's Changed

spec types - backwards compatibility changes by @KKonstantinov in modelcontextprotocol/typescript-sdk#1306

chore: bump version for patch fix by @felixweinberger in modelcontextprotocol/typescript-sdk#1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

1.25.0

What's Changed

list changed handlers on client constructor by @mattzcarey in modelcontextprotocol/typescript-sdk#1206

Role - moved from inline to reusable type by @KKonstantinov in modelcontextprotocol/typescript-sdk#1221

fix: use versioned npm tag for non-main branch releases by @pcarleton in modelcontextprotocol/typescript-sdk#1236

No automatic completion support unless needed - Revisited yet again by @cliffhall in modelcontextprotocol/typescript-sdk#1237

fix: Support updating output schema by @vincent0426 in modelcontextprotocol/typescript-sdk#1048

... (truncated)

Commits

fe9c07b chore: bump version to 1.26.0 (#1479)
4f01e7e fix: add non-null assertions for optional setupServer fields in stateful test
a05be17 Merge commit from fork
50d9fa3 Fix #1430: Client Credentials providers scopes support (backported) (#1442)
aa81a66 fix(deps): resolve npm audit vulnerabilities and bump dependencies (v1.x back...
6aba065 chore: bump v1.25.3 for backport fixes (#1412)
6e8f7e1 fix: prevent Hono from overriding global Response object (v1.x) (#1411)
12ae856 [v1.x backport] Use correct schema for client sampling validation when tools ...
b392f02 fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) (#1365)
a0c9b13 fix: README badges links destinations (#907)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by pcarleton, a new releaser for @modelcontextprotocol/sdk since your current version.

Updates axios from 1.10.0 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)

Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

Fix/5657. (PR #7313)

Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

Add input validation to isAbsoluteURL. (PR #7326)

Refactor: bump minor package versions. (PR #7356)

Documentation

Clarify object-check comment. (PR #7323)

Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

Chore: fix issues with YAML. (PR #7355)

CI: update workflow YAMLs. (PR #7372)

CI: fix run condition. (PR #7373)

Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)

Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

@sachin11063 (first contribution — PR #7323)

@asmitha-16 (first contribution — PR #7326)

...
Description has been truncated

…updates Bumps the npm_and_yarn group with 2 updates in the /e2e directory: [axios](https://github.com/axios/axios) and [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 4 updates in the /examples/typescript directory: [axios](https://github.com/axios/axios), [hono](https://github.com/honojs/hono), [next](https://github.com/vercel/next.js) and [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk). Bumps the npm_and_yarn group with 2 updates in the /examples/typescript/mcp-embedded-wallet directory: [axios](https://github.com/axios/axios) and [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk). Bumps the npm_and_yarn group with 3 updates in the /typescript directory: [axios](https://github.com/axios/axios), [hono](https://github.com/honojs/hono) and [next](https://github.com/vercel/next.js). Bumps the npm_and_yarn group with 1 update in the /typescript/site directory: [next](https://github.com/vercel/next.js). Updates `axios` from 1.10.0 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.10.0...v1.13.5) Updates `hono` from 4.8.3 to 4.12.4 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.8.3...v4.12.4) Updates `next` from 15.4.0-canary.113 to 16.2.0-canary.78 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.0...v15.5.10) Updates `axios` from 1.11.0 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.10.0...v1.13.5) Updates `hono` from 4.9.2 to 4.12.4 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.8.3...v4.12.4) Updates `next` from 15.5.0 to 15.5.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.0...v15.5.10) Updates `bn.js` from 4.12.2 to 4.12.3 - [Release notes](https://github.com/indutny/bn.js/releases) - [Changelog](https://github.com/indutny/bn.js/blob/master/CHANGELOG.md) - [Commits](indutny/bn.js@v4.12.2...v4.12.3) Updates `@modelcontextprotocol/sdk` from 1.17.3 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.17.3...v1.26.0) Updates `axios` from 1.10.0 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.10.0...v1.13.5) Updates `@modelcontextprotocol/sdk` from 1.16.0 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@1.17.3...v1.26.0) Updates `axios` from 1.11.0 to 1.13.5 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.10.0...v1.13.5) Updates `hono` from 4.9.6 to 4.12.4 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.8.3...v4.12.4) Updates `next` from 15.5.0 to 15.5.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.0...v15.5.10) Updates `next` from 15.5.0 to 15.5.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.0...v15.5.10) --- updated-dependencies: - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.4 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 16.2.0-canary.78 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.4 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: bn.js dependency-version: 4.12.3 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: axios dependency-version: 1.13.5 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.4 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.10 dependency-type: direct:production dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 4, 2026

This was referenced Mar 4, 2026

chore(deps): bump the npm_and_yarn group across 4 directories with 5 updates #16

Closed

chore(deps): bump the npm_and_yarn group across 4 directories with 4 updates #17

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the npm_and_yarn group across 5 directories with 5 updates#18

chore(deps): bump the npm_and_yarn group across 5 directories with 5 updates#18
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/e2e/npm_and_yarn-480815137d

dependabot Bot commented on behalf of github Mar 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 4, 2026

v1.13.5

Release 1.13.5

Highlights

Changes

Security

Fixes

Features / Improvements

Documentation

CI / Maintenance

New Contributors

v1.13.4

Overview

What's New in v1.13.4

Bug Fixes

Changelog

1.13.3 (2026-01-20)

Bug Fixes

Features

Reverts

Contributors to this release

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

Middleware Bypass in Serve Static

Other changes

New Contributors

v4.12.3

What's Changed

New Contributors

v4.12.2

Security fix

v15.5.10

v1.13.5

Release 1.13.5

Highlights

Changes

Security

Fixes

Features / Improvements

Documentation

CI / Maintenance

New Contributors

v1.13.4

Overview

What's New in v1.13.4

Bug Fixes

Changelog

1.13.3 (2026-01-20)

Bug Fixes

Features

Reverts

Contributors to this release

v4.12.4

Security fixes

SSE Control Field Injection

Cookie Attribute Injection in setCookie()

Middleware Bypass in Serve Static

Other changes

New Contributors

v4.12.3

What's Changed

New Contributors

v4.12.2

Security fix

v15.5.10

v1.26.0

What's Changed

New Contributors

v1.25.3

What's Changed

v1.25.2

What's Changed

New Contributors

1.25.1

What's Changed

1.25.0

What's Changed

Cookie Attribute Injection in `setCookie()`

Cookie Attribute Injection in `setCookie()`