chore(deps-dev): bump the npm-dependencies group across 1 directory with 8 updates

[dependabot]

Bumps the npm-dependencies group with 8 updates in the / directory:

Package	From	To
@apidevtools/json-schema-ref-parser	15.3.5	15.4.0
@redocly/cli	2.31.6	2.34.0
@types/glob	7.2.0	9.0.0
@types/node	25.9.1	26.0.0
axios	1.17.0	1.18.0
js-yaml	4.2.0	5.0.0
openapi-to-postmanv2	6.0.1	6.1.0
prettier	3.8.3	3.8.4

Updates @apidevtools/json-schema-ref-parser from 15.3.5 to 15.4.0

Release notes

Sourced from @​apidevtools/json-schema-ref-parser's releases.

v15.4.0

15.4.0 (2026-06-19)

Features

• preserve compound schema refs when bundling (fa3cccb)

v15.3.6

15.3.6 (2026-06-11)

Bug Fixes

• block unsafe pointer set tokens (a786bc6)
• harden safe URL resolver (dea50b0)

Commits

• fa3cccb feat: preserve compound schema refs when bundling
• 53d0c1e Remove Claude config
• 5b1aee5 chore: migrate to pnpm
• dea50b0 fix: harden safe URL resolver
• a786bc6 fix: block unsafe pointer set tokens
• See full diff in compare view

Updates @redocly/cli from 2.31.6 to 2.34.0

Release notes

Sourced from @​redocly/cli's releases.

@​redocly/cli@​2.34.0

Minor Changes

• Improved CLI install speed by bundling the CLI into a dependency-free package.

  Warning: The published package no longer ships runtime dependencies in node_modules. Plugins that relied on importing packages hoisted from the CLI (such as @redocly/openapi-core) must now declare those packages as their own dependencies.

@​redocly/cli@​2.33.2

Patch Changes

• Fixed a path traversal in the split command that might have written files outside the chosen --outDir.
• Updated @​redocly/openapi-core to v2.33.2.

@​redocly/cli@​2.33.1

Patch Changes

• Updated @​redocly/openapi-core to v2.33.1.

@​redocly/cli@​2.33.0

Minor Changes

• Added the --component-names-strategy option to the bundle command. This option allows a choice of how inline Schema components are named: basename (default) or title (from each schema's title field).

Patch Changes

• Updated @​redocly/openapi-core to v2.33.0.

@​redocly/cli@​2.32.2

Patch Changes

• Updated @​redocly/respect-core to v2.32.2.

@​redocly/cli@​2.32.1

Patch Changes

• Updated @​redocly/openapi-core to v2.32.1.

@​redocly/cli@​2.32.0

Minor Changes

• Added support for junit output in the lint command.

Patch Changes

• Updated @​redocly/openapi-core to v2.32.0.

Commits

• 9df1224 chore: 🔖 release new versions (#2899)
• c6304a4 chore!: bundle CLI with esbuild (#2866)
• 7027460 chore: refactor file extension detection and export spec types (#2897)
• fb7c148 chore: 🔖 release new versions (#2896)
• 26a0f29 fix: path traversal in the split command (#2891)
• d32cd86 chore: 🔖 release new versions (#2892)
• 57ccaf9 chore: update opentelemetry dependencies (#2895)
• 2e7f3ff chore: bump js-yaml to v4.2.0 (#2893)
• 4dfc176 chore: add comment of perf benchmark results to the external PR's (#2871)
• 44887ee chore: refactor async3 types (#2880)
• Additional commits viewable in compare view

Updates @types/glob from 7.2.0 to 9.0.0

Commits

• See full diff in compare view

Updates @types/node from 25.9.1 to 26.0.0

Commits

• See full diff in compare view

Updates axios from 1.17.0 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

• Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

• URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

• Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

• Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

• Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

• Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​drori12 (#10984)
• @​eyupcanakman (#10899)
• @​Adi-Beker (#10995)

Full Changelog

Commits

• 2d06f96 chore(release): prepare release 1.18.0 (#11003)
• 32fc489 fix: malformed http urls (#11000)
• b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
• fe964f9 docs: mark proxy config as Node.js only (#10995)
• 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
• fae9d4e docs: clarify package update PR policy (#10992)
• 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
• a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
• 614f455 docs: publish v1.17.0 release notes (#10988)
• 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
• Additional commits viewable in compare view

Updates js-yaml from 4.2.0 to 5.0.0

Changelog

Sourced from js-yaml's changelog.

[5.0.0] - 2026-06-20

Added

• Added named exports for schemas, tags, parser events and AST utilities.
• Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
• Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
• Added dump() transform option for changing the generated AST before rendering.
• Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
• Added formal data layers (events and AST) for modular data pipelines.
  • Added low-level parser (to events), presenter and visitor APIs.
• Added the YAML Test Suite to the test set.

Changed

• See the migration guide for upgrade notes.
• Rewritten in TypeScript and reorganized the public API around flat named exports.
• Reduced the set of exported schemas:
  • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
  • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").
• load/dump default behaviour is now specified exactly via schemas:
  • load uses CORE_SCHEMA, without !!merge by default.
  • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to guarantee backward compatibility by default.
• !!set is now loaded as a JavaScript Set.
• Replaced the Type API with a tags API. Similar, but more precise and simpler. See examples for details. Tags can be defined via defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a spread + override of an existing tag.
• Renamed Schema.extend() to Schema.withTags().
• Expanded YAML 1.2 conformance and improved handling of directives, document markers, block keys, multiline scalars, tag syntax and other things.
• load() now throws on empty input instead of returning undefined.
• Moved browser builds to the js-yaml/browser export.
• Deprecated the loadAll signature with an iterator (still works, but is a candidate for removal).

Removed

• Removed deprecated safeLoad(), safeLoadAll() and safeDump() exports.
• Removed DEFAULT_SCHEMA and the nested types export.
• Removed loader options onWarning, legacy and listener.
• Removed dumper options styles, replacer, noCompatMode, condenseFlow, quotingType and forceQuotes. Renamed noArrayIndent to seqNoIndent. Formatting and representation are now configured through presenter options,

... (truncated)

Commits

• 75148bc 5.0.0 released
• 704b25d Quote document markers followed by whitespace
• 42dea28 Support complex !!pairs keys with realMapTag
• 6cf374e Fix dumping strings that collide with YAML markers
• 65b8d94 Clarify !!omap/!!pairs support
• 33e3640 Move tagname helpers to common/ and remove unused exports
• 4dd582b Cleanup export types
• 39b3792 Add types export
• 0cd01e9 docs: update for v5
• c5a61a4 Fix presenter coverage
• Additional commits viewable in compare view

Updates openapi-to-postmanv2 from 6.0.1 to 6.1.0

Changelog

Sourced from openapi-to-postmanv2's changelog.

[v6.1.0] - 2026-06-09

Commits

• f447553 Merge pull request #948 from postmanlabs/release/v6.1.0
• 960bf68 Prepare release v6.1.0
• db6bf14 feat: [AB-2326] add OpenAPI 3.2 support
• 1f84328 test(32X): add OAS 3.2 fixtures and unit tests mirroring 3.1 coverage
• 841712e feat(version): detect and dispatch OAS 3.2 documents
• 2163b55 feat(32X): add OAS 3.2 schema utils, input validation and bundle rules
• 70c1da6 Merge pull request #941 from postmanlabs/release/v6.0.1
• See full diff in compare view

Updates prettier from 3.8.3 to 3.8.4

Release notes

Sourced from prettier's releases.

3.8.4

• Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (prettier/prettier#17746 by @​byplayer)

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.4

diff

Markdown: Fix blank lines between list items and nested sub-lists being removed in Markdown/MDX (#17746 by @​byplayer)

Prettier was removing blank lines between list items and their nested sub-lists, converting loose lists into tight lists and changing their semantic meaning.

<!-- Input -->
- a


b


c

d



<!-- Prettier 3.8.3 -->

a

b


c

d



<!-- Prettier 3.8.4 -->


a

b



c

d

Commits

• 1c6ba55 Release 3.8.4
• 4a673dc Fix blank lines between list items and nested sub-lists being removed in Mark...
• 074aaed Replace main branch in changelog link with tags (#19054)
• c22a003 Bump Prettier dependency to 3.8.3
• 07bad1f Clean changelog_unreleased
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions