Bump the minor-updates group across 1 directory with 17 updates

[dependabot]

Bumps the minor-updates group with 17 updates in the / directory:

Package	From	To
@tanstack/vue-form	1.28.5	1.29.0
@tanstack/vue-query	5.92.12	5.99.2
chroma-js	3.1.2	3.2.0
focus-trap	8.0.0	8.0.1
parse-duration	2.1.5	2.1.6
reka-ui	2.9.2	2.9.6
@playwright/test	1.58.2	1.59.1
@vitejs/plugin-vue	6.0.5	6.0.6
@vue/tsconfig	0.8.1	0.9.1
autoprefixer	10.4.27	10.5.0
axios	1.13.6	1.15.1
postcss	8.5.8	8.5.10
prettier	3.8.1	3.8.3
typescript-eslint	8.57.1	8.58.2
vite-plugin-checker	0.12.0	0.13.0
vue	3.5.30	3.5.32
vue-tsc	3.2.6	3.2.7

Updates @tanstack/vue-form from 1.28.5 to 1.29.0

Release notes

Sourced from @​tanstack/vue-form's releases.

@​tanstack/vue-form@​1.29.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/form-core@​1.29.0

@​tanstack/vue-form@​1.28.6

Patch Changes

• Updated dependencies [7a1428d]:
  • @​tanstack/form-core@​1.28.6

Changelog

Sourced from @​tanstack/vue-form's changelog.

1.29.0

Patch Changes

• Updated dependencies []:
  • @​tanstack/form-core@​1.29.0

1.28.6

Patch Changes

• Updated dependencies [7a1428d]:
  • @​tanstack/form-core@​1.28.6

Commits

• 254f157 ci: Version Packages (#2105)
• 2d5f557 ci: Version Packages (#2097)
• See full diff in compare view

Updates @tanstack/vue-query from 5.92.12 to 5.99.2

Release notes

Sourced from @​tanstack/vue-query's releases.

@​tanstack/vue-query@​5.99.2

Patch Changes

• fix(vue-query): allow computed ref and other reactive values as enabled property in queryOptions (#10465)

  This fixes a regression introduced in #10452 where queryOptions only accepted getter functions for the enabled property, but not computed refs or other reactive values.

  Now the enabled property in queryOptions correctly accepts:

  • boolean values
  • Ref<boolean>
  • ComputedRef<boolean>
  • () => boolean getter functions
  • (query) => boolean query predicate functions

• Updated dependencies []:

  • @​tanstack/query-core@​5.99.2

@​tanstack/vue-query@​5.99.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.1

@​tanstack/vue-query@​5.99.0

Minor Changes

• feat(vue-query): add 'mutationOptions' (#10381)

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.0

@​tanstack/vue-query@​5.98.0

Minor Changes

• Add usePrefetchQuery and usePrefetchInfiniteQuery to vue-query. (#10372)

Patch Changes

• fix(vue-query): fix type of queryOptions to allow plain properies or getters (#10452)

• Updated dependencies []:

  • @​tanstack/query-core@​5.98.0

@​tanstack/vue-query@​5.97.0

Patch Changes

• Updated dependencies [2bfb12c]:

... (truncated)

Changelog

Sourced from @​tanstack/vue-query's changelog.

5.99.2

Patch Changes

• fix(vue-query): allow computed ref and other reactive values as enabled property in queryOptions (#10465)

  This fixes a regression introduced in #10452 where queryOptions only accepted getter functions for the enabled property, but not computed refs or other reactive values.

  Now the enabled property in queryOptions correctly accepts:

  • boolean values
  • Ref<boolean>
  • ComputedRef<boolean>
  • () => boolean getter functions
  • (query) => boolean query predicate functions

• Updated dependencies []:

  • @​tanstack/query-core@​5.99.2

5.99.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.1

5.99.0

Minor Changes

• feat(vue-query): add 'mutationOptions' (#10381)

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.99.0

5.98.0

Minor Changes

• Add usePrefetchQuery and usePrefetchInfiniteQuery to vue-query. (#10372)

Patch Changes

• fix(vue-query): fix type of queryOptions to allow plain properies or getters (#10452)

• Updated dependencies []:

  • @​tanstack/query-core@​5.98.0

5.97.0

... (truncated)

Commits

• a3ec7b3 ci: Version Packages (#10520)
• c2d0dff fix(vue-query): allow computed ref as enabled property in queryOptions (#10465)
• 69d2757 ci: Version Packages (#10514)
• 8826b43 test(vue-query/mutationOptions): reorder getter tests to group by feature and...
• c9109b6 test(vue-query/mutationOptions): add reactive 'mutationKey' test for getter o...
• 4c489e4 test(vue-query/mutationOptions): add shallow ref test for getter overload (#1...
• c8de088 test(vue-query/mutationOptions): add 'useMutationState' tests for getter over...
• 8fc02cc test(vue-query/mutationOptions): add 'queryClient.isMutating' tests for gette...
• 70a216d test(vue-query/mutationOptions): add 'useIsMutating' tests for getter overloa...
• 7d3b86c test(vue-query/mutationOptions): add identity tests for getter overloads (#10...
• Additional commits viewable in compare view

Updates chroma-js from 3.1.2 to 3.2.0

Release notes

Sourced from chroma-js's releases.

v3.2.0

What's Changed

• Update domain function to return all scaled-positions rather than only [min, max] by @​jo-chemla in gka/chroma.js#380
• fix scale.domain implementation by @​gka in gka/chroma.js#381

New Contributors

• @​jo-chemla made their first contribution in gka/chroma.js#380

Full Changelog: gka/chroma.js@v3.1.4...v3.2.0

v3.1.4

What's Changed

• docs: fix discord link (resolves #373) by @​gka in gka/chroma.js#379
• feat: chroma.random accepts rng as argument by @​gka in gka/chroma.js#378

Full Changelog: gka/chroma.js@v3.1.3...v3.1.4

v3.1.3

What's Changed

• Fix link on chroma.random in gka/chroma.js#372
• Docs UI Improvement: Make Sidebar Fixed & Scrollable by @​abhishek-junghare in gka/chroma.js#374
• chore: bump dependencies by @​gka in gka/chroma.js#375

New Contributors

• @​abhishek-junghare made their first contribution in gka/chroma.js#374

Full Changelog: gka/chroma.js@v3.1.2...v3.1.3

Changelog

Sourced from chroma-js's changelog.

3.2.0

• scale.domain now returns the original domain array when called with no arguments

3.1.3

• updated dependencies

Commits

• 91eee62 release v3.2.0
• 919d003 fix scale.domain implementation (#381)
• 4e4df90 Update domain function to return all scaled-positions rather than only [min, ...
• f50528f release 3.1.4
• b35ee49 3.1.4
• f681455 feat: chroma.random accepts rng as argument (#378)
• b525407 docs: fix discord link (resolves #373) (#379)
• 873a383 docs: changelog
• 36ed86a 3.1.3
• 48854c0 docs: link to package on unpkg instead of cdnjs
• Additional commits viewable in compare view

Updates focus-trap from 8.0.0 to 8.0.1

Release notes

Sourced from focus-trap's releases.

v8.0.1

Patch Changes

• 7d5010e: Loosen checkCanFocusTrap Promise resolution type to unknown to make it easier to use Promise.all() or Promise.allSettled() as the returned Promise (Promise<void> was causing issues because those Promise APIs do not resolve with a void value).

Changelog

Sourced from focus-trap's changelog.

8.0.1

Patch Changes

• 7d5010e: Loosen checkCanFocusTrap Promise resolution type to unknown to make it easier to use Promise.all() or Promise.allSettled() as the returned Promise (Promise<void> was causing issues because those Promise APIs do not resolve with a void value).

Commits

• c2dfa70 Version Packages (#1813)
• 7d5010e #1811 Fix checkCanFocusTrap return type (#1812)
• 41c8ecd [DEPENDABOT]: Bump jest-environment-jsdom from 30.2.0 to 30.3.0 (#1805)
• 2201358 [DEPENDABOT]: Bump @​types/node from 25.4.0 to 25.5.0 (#1809)
• 8b5f5d2 [DEPENDABOT]: Bump @​babel/preset-env from 7.29.0 to 7.29.2 (#1804)
• 6e9c772 [DEPENDABOT]: Bump jest from 30.2.0 to 30.3.0 (#1806)
• d9b80cd [DEPENDABOT]: Bump cypress from 15.11.0 to 15.12.0 (#1808)
• 4b333df [DEPENDABOT]: Bump @​typescript-eslint/eslint-plugin from 8.56.1 to 8.57.1 (#1...
• a7a0deb [DEPENDABOT]: Bump @​rollup/plugin-babel from 6.1.0 to 7.0.0 (#1796)
• 3233eb1 [DEPENDABOT]: Bump babel-jest from 30.2.0 to 30.3.0 (#1800)
• Additional commits viewable in compare view

Updates parse-duration from 2.1.5 to 2.1.6

Commits

• 201bc57 v2.1.6
• b0563da feat: add sideEffects false for tree-shaking
• See full diff in compare view

Updates reka-ui from 2.9.2 to 2.9.6

Release notes

Sourced from reka-ui's releases.

v2.9.6

   🐞 Bug Fixes

• Export missing TimeRange type  -  by @​Bahtya in unovue/reka-ui#2590 (70e72)
• MonthPicker, YearPicker: Preserve day/month when selecting  -  by @​zernonia and Claude Opus 4.6 (1M context) in unovue/reka-ui#2594 (836f2)
• TimeField: Change focus after pressing 0 more than once on hour segment with 12 hour locales  -  by @​zomakus in unovue/reka-ui#2581 (1d772)

    View changes on GitHub

v2.9.5

   🐞 Bug Fixes

• core: Prevent /#PURE/ annotation inside function declarations  -  by @​zernonia and Claude Sonnet 4.6 in unovue/reka-ui#2585 (d7349)

    View changes on GitHub

v2.9.4

   🐞 Bug Fixes

• Automate namespaced components generation on build  -  by @​mateusznarowski in unovue/reka-ui#2571 (07951)
• Improve production tree-shaking  -  by @​zernonia and Claude Opus 4.6 (1M context) in unovue/reka-ui#2577 (6ff20)
• DateField: Fixed direct incorrect passing of date values to input element  -  by @​rastuhacode in unovue/reka-ui#2549 (9c098)
• ListboxVirtualizer: Ignore non-element VNodes in slot children  -  by @​zernonia and Claude Opus 4.6 (1M context) in unovue/reka-ui#2578 (06042)
• Select: Normalize hidden control  -  by @​CTOJoe in unovue/reka-ui#2572 and unovue/reka-ui#2573 (172ea)
• TimeField,DateField: Avoid changing focus prematurely with previous segment value of 0  -  by @​zomakus in unovue/reka-ui#2568 (c04be)

    View changes on GitHub

v2.9.3

   🐞 Bug Fixes

• Autocomplete: Add IME composition input handling  -  by @​kricsleo in unovue/reka-ui#2541 (987ca)
• ColorField/ColorArea: Forward custom attributes in ColorFieldRoot  -  by @​zernonia and Claude Sonnet 4.6 in unovue/reka-ui#2559 (700c8)
• Combobox: Prevent addOnBlur from adding raw input when selecting item  -  by @​kricsleo in unovue/reka-ui#2514 (bc1db)
• FocusScope: Don't move focus if DOM mutation occurred before any nodes had focus  -  by @​romansp in unovue/reka-ui#2546 (91023)
• Listbox: Restore highlightOnHover behavior  -  by @​zernonia and Claude Sonnet 4.6 in unovue/reka-ui#2558 (ffde5)
• PinInput: Paste only numeric text in numeric mode  -  by @​kricsleo in unovue/reka-ui#2516 (bf719)
• Select: Export SelectItemEmits type  -  by @​CTOJoe in unovue/reka-ui#2526 and unovue/reka-ui#2527 (49d1d)
• tooltip,hovercard: Close when scrollable ancestor is scrolled  -  by @​zernonia and Claude Sonnet 4.6 in unovue/reka-ui#2557 (a987a)
• useForwardProps: Return Partial to correctly type optional boolean props  -  by @​zernonia and Claude Sonnet 4.6 in unovue/reka-ui#2561 (c22a4)
• useGraceArea: Add nil guard for hover target in grace area creation  -  by @​kricsleo in unovue/reka-ui#2553 (67fb1)

    View changes on GitHub

Commits

• e5667c2 chore: release v2.9.6
• 836f2e9 fix(MonthPicker, YearPicker): preserve day/month when selecting (#2594)
• 1d77296 fix(TimeField): change focus after pressing 0 more than once on hour segment ...
• fbd9f04 chore(deps): update dependency vite to ^8.0.8 (#2592)
• 70e7286 fix: export missing TimeRange type (#2590)
• 68a490b Revert "chore(deps): bump vite from 5.4.21 to 8.0.5 (#2584)"
• e655d29 chore: release v2.9.5
• ef016f2 chore(deps): bump vite from 5.4.21 to 8.0.5 (#2584)
• d7349e7 fix(core): prevent /#PURE/ annotation inside function declarations (#2585)
• 5cc56e0 chore(deps-dev): bump vite from 8.0.3 to 8.0.5 (#2582)
• Additional commits viewable in compare view

Updates @playwright/test from 1.58.2 to 1.59.1

Release notes

Sourced from @​playwright/test's releases.

v1.59.1

Bug Fixes

• [Windows] Reverted hiding console window when spawning browser processes, which caused regressions including broken codegen, --ui and show commands (#39990)

v1.59.0

🎬 Screencast

New page.screencast API provides a unified interface for capturing page content with:

• Screencast recordings
• Action annotations
• Visual overlays
• Real-time frame capture
• Agentic video receipts

Screencast recording — record video with precise start/stop control, as an alternative to the recordVideo option:

await page.screencast.start({ path: 'video.webm' });
// ... perform actions ...
await page.screencast.stop();

Action annotations — enable built-in visual annotations that highlight interacted elements and display action titles during recording:

await page.screencast.showActions({ position: 'top-right' });

screencast.showActions() accepts position ('top-left', 'top', 'top-right', 'bottom-left', 'bottom', 'bottom-right'), duration (ms per annotation), and fontSize (px). Returns a disposable to stop showing actions.

Action annotations can also be enabled in test fixtures via the video option:

// playwright.config.ts
export default defineConfig({
  use: {
    video: {
      mode: 'on',
      show: {
        actions: { position: 'top-left' },
        test: { position: 'top-right' },
      },
</tr></table> 

... (truncated)

Commits

• d466ac5 chore: mark v1.59.1 (#40005)
• 530e7e5 cherry-pick(#4004): fix(cli): kill-all should kill dashboard
• 9aa216c cherry-pick(#39994): Revert "fix(windows): hide console window when spawning ...
• 01b2b15 cherry-pick(#39980): chore: more release notes fixes
• a5cb6c9 cherry-pick(#39972): chore: expose browser.bind and browser.unbind APIs
• 99a17b5 cherry-pick(#39975): chore: support opening .trace files via .link indirection
• 43607c3 cherry-pick(#39974): chore(webkit): update Safari user-agent version to 26.4
• 62cabe1 cherry-pick(#39969): chore(npm): include all *.md from lib (#39970)
• 0c65a75 cherry-pick(#39968): chore: screencast.showActions api
• f04155b cherry-pick(#39958): chore: release notes for langs v1.59
• Additional commits viewable in compare view

Updates @vitejs/plugin-vue from 6.0.5 to 6.0.6

Release notes

Sourced from @​vitejs/plugin-vue's releases.

plugin-vue@6.0.6

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​vitejs/plugin-vue's changelog.

6.0.6 (2026-04-13)

Features

• plugin-vue: propagate multiRoot for template-only vapor components (#745) (9e07ae9)

Bug Fixes

• deps: update all non-major dependencies (#738) (050c996)

Miscellaneous Chores

• deps: update dependency rollup to ^4.59.0 (#749) (a0e1ef8)
• remove unused deps (#760) (6d834d8)

Commits

• 51dbf4b release: plugin-vue@6.0.6
• 9e07ae9 feat(plugin-vue): propagate multiRoot for template-only vapor components (#745)
• 050c996 fix(deps): update all non-major dependencies (#738)
• 6d834d8 chore: remove unused deps (#760)
• a0e1ef8 chore(deps): update dependency rollup to ^4.59.0 (#749)
• See full diff in compare view

Updates @vue/tsconfig from 0.8.1 to 0.9.1

Release notes

Sourced from @​vue/tsconfig's releases.

v0.9.1

Notable Changes

• Align the TypeScript peer dependency requirement with the documentation (>= 5.8, including TypeScript 6)

Full Changelog: vuejs/tsconfig@v0.9.0...v0.9.1

v0.9.0

Noticeable Changes

• feat: update lib to ES2022 by @​Slessi in vuejs/tsconfig#41
• chore: move noUncheckedIndexedAccess from base config to the lib config [fa4423b]
  • This is because noUncheckedIndexedAccess may have false positives, making it hard for existing codebases to upgrade.
  • But for new codebases, it’s still recommended to enable this flag from the beginning.

New Contributors

• @​Slessi made their first contribution in vuejs/tsconfig#41

Full Changelog: vuejs/tsconfig@v0.8.1...v0.9.0

Commits

• dc7af0b 0.9.1
• e73ef3c fix: align typescript peer dependency with documentation
• 3569685 0.9.0
• fa4423b chore: move noUncheckedIndexedAccess from base config to the lib config
• 051d720 docs: update TypeScript version requirement
• 3db886a feat: update lib to ES2022 (#41)
• df9d3d4 docs: note the default value of types in TS 6+ has been changed to []
• 0e39087 docs: note that strict mode is on by default in TS 6
• ae3b1dc chore: make GitHub render tsconfig.*.json as JSONC
• See full diff in compare view

Updates autoprefixer from 10.4.27 to 10.5.0

Release notes

Sourced from autoprefixer's releases.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

Changelog

Sourced from autoprefixer's changelog.

10.5.0 “Each Endeavouring, All Achieving”

• Added mask-position-x and mask-position-y support (by @​toporek).

Commits

• faf456a Release 10.5 version
• b841fc5 Update dependencies
• 47d6e68 Update email
• 45cfc08 Replace ESLint and Prettier to oxlint and oxfmt
• 7e3ec7d Add prefixing support for mask-position-x and mask-position-y (#1548)
• See full diff in compare view

Updates axios from 1.13.6 to 1.15.1

Release notes

Sourced from axios's releases.

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)
• Docs Artefact Cleanup: Removes the docs content that was incorrectly committed. (#10727)

🔧 Maintenance & Chores

• Threat Model & Security Docs: Ongoing refinement of THREATMODEL.md, including Hopper security update, TLS and tag-replay wording, mitigation descriptions, decompression-bomb guidance, and further cleanup. (#10672, #10715, #10718, #10722, #10763, #10765)
• Test Coverage & Migration: Expanded shouldBypassProxy coverage for wildcard/IPv6/edge cases, documented and tested AxiosError.status, and migrated progressEventReducer tests to Vitest. (#10723, #10725, #10741)
• Type Refactor: Uses TypeScript utility types to deduplicate literal unions. (#7520)
• Repo & CI: Adds CODEOWNERS, switches v1.x releases to an ephemeral release branch, and removes orphaned Bower support. (#10739, #10738, #10746)
• Changelog Backfill: Added missing version entries to the changelog. (#10704)
• Dependencies: Bumped follow-redirects (1.15.11 → 1.16.0) in root and docs, axios (1.14.0 → 1.15.0) in docs, and a group of 5 development dependencies. (#10717, #10716, #10684, #10709)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​curiouscoder-cmd (#7252)
• @​tryonelove (#7520)
• @​darwin808 (#7314)
• @​zoontek (#10702)
• @​AKIB473 (#10725)

Full Changelog

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

• Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

• SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

• Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

• Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

• CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

• Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

• Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​Kilros0817 (#10625)
• @​shaanmajid (#10616, #10617, #10618, #10619, #10637, #10641, #10666)
• @​ashstrc (#10624, #10644)
• @​Abhi3975 (#10589)
• @​raashish1601 (#10573)

Full Changelog

---

v1.14.0 — March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

• Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

... (truncated)

Commits

• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (