Skip to content

chore(deps): Bump axios, @xboxreplay/xboxlive-auth, minecraft-protocol and prismarine-auth#116

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-146b3b257f
Open

chore(deps): Bump axios, @xboxreplay/xboxlive-auth, minecraft-protocol and prismarine-auth#116
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-146b3b257f

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Copy link
Copy Markdown
Contributor

Bumps axios to 1.18.0 and updates ancestor dependencies axios, @xboxreplay/xboxlive-auth, minecraft-protocol and prismarine-auth. These dependencies need to be updated together.

Updates axios from 1.8.4 to 1.18.0

Release notes

Sourced from axios's releases.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.18.0 — June 13, 2026

This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

🔒 Security Fixes

  • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

  • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

🐛 Bug Fixes

  • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

🔧 Maintenance & Chores

  • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

  • Dependencies: Bumped @babel/core, @babel/preset-env, @commitlint/cli, @commitlint/config-conventional, @rollup/plugin-babel, @rollup/plugin-commonjs, @vitest/browser, @vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

  • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)

... (truncated)

Commits
  • 2d06f96 chore(release): prepare release 1.18.0 (#11003)
  • 32fc489 fix: malformed http urls (#11000)
  • b40ce49 chore(deps-dev): bump the development_dependencies group with 10 updates (#10...
  • fe964f9 docs: mark proxy config as Node.js only (#10995)
  • 5f229d2 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions ...
  • fae9d4e docs: clarify package update PR policy (#10992)
  • 28ab2ce chore(deps-dev): bump the development_dependencies group with 2 updates (#10989)
  • a8e4f13 fix(core): keep default validateStatus when request passes undefined (#10899)
  • 614f455 docs: publish v1.17.0 release notes (#10988)
  • 6bb12c1 fix: custom auth headers not stripped on cross-origin redirects (#10892)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @xboxreplay/xboxlive-auth from 4.1.0 to 5.1.0

Release notes

Sourced from @​xboxreplay/xboxlive-auth's releases.

5.1.0

5.0.2

5.0.1

  • [fix]: Wrong exported type

5.0.0

https://github.com/XboxReplay/xboxlive-auth/blob/master/docs/90-Migration_From_v4.md

Commits

Updates minecraft-protocol from 1.57.0 to 1.66.2

Release notes

Sourced from minecraft-protocol's releases.

Release 1.66.2

1.66.2

Release 1.66.1

1.66.1

Release 1.66.0

1.66.0

Release 1.65.0

1.65.0

Release 1.64.1

1.64.1

Release 1.64.0

1.64.0

Release 1.63.0

1.63.0

Release 1.62.0

1.62.0

Release 1.61.0

1.61.0

Release 1.60.1

1.60.1

Release 1.60.0

1.60.0

Release 1.59.0

1.59.0

Release 1.58.0

1.58.0

Changelog

Sourced from minecraft-protocol's changelog.

1.66.2

1.66.1

1.66.0

1.65.0

1.64.1

1.64.0

1.63.0

1.62.0

1.61.0

1.60.1

1.60.0

1.59.0

1.58.0

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for minecraft-protocol since your current version.


Updates prismarine-auth from 2.7.0 to 3.1.1

Release notes

Sourced from prismarine-auth's releases.

Release 3.1.1

3.1.1

Release 3.1.0

3.1.0

Release 3.0.0

3.0.0

Changelog

Sourced from prismarine-auth's changelog.

3.1.1

3.1.0

3.0.0

Commits
  • b795199 Release 3.1.1 (#166)
  • 91264e3 bedrock: Fix attainment of new multiplayer session token (#165)
  • 43b676d Release 3.1.0 (#164)
  • 6ad5670 Update CI to Node 24 (#163)
  • 2d62147 Rename workflow back to publish.yml to match npm trusted publisher config (#162)
  • d3edb32 Update Node.js version to 24 in workflow
  • df10ea7 Rename publish.yml to npm-publish.yml
  • 59d9e7e Release 3.0.0 (#161)
  • c14f3f1 bedrock: Return new Minecraft session token in .getMinecraftBedrockToken() (#...
  • b7b4408 Fix publish condition for npm-publish v4 (#159)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for prismarine-auth since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade networking and auth dependencies for security hardening and protocol compatibility. Bumps axios to 1.18.0 and aligns @xboxreplay/xboxlive-auth v5 and prismarine-auth v3; pulls newer minecraft-protocol.

  • Dependencies

    • axios: 1.18.0 in frontend and backend (stricter redirect/URL handling).
    • @xboxreplay/xboxlive-auth: 5.1.0 (major).
    • prismarine-auth: 3.1.1 (major, updated Bedrock token flow).
    • Indirect: minecraft-protocol to 1.66.x. These upgrades must ship together.
  • Migration

    • Node 16+ required.
    • Check any usage of @xboxreplay/xboxlive-auth v4 APIs and update to v5.
    • If relying on custom headers surviving cross-origin redirects in axios, update callers (headers are now stripped).
    • Reinstall packages to update lockfiles.

Written for commit 820f901. Summary will update on new commits.

Review in cubic

…l and prismarine-auth

Bumps [axios](https://github.com/axios/axios) to 1.18.0 and updates ancestor dependencies [axios](https://github.com/axios/axios), [@xboxreplay/xboxlive-auth](https://github.com/XboxReplay/xboxlive-auth), [minecraft-protocol](https://github.com/PrismarineJS/node-minecraft-protocol) and [prismarine-auth](https://github.com/PrismarineJS/prismarine-auth). These dependencies need to be updated together.


Updates `axios` from 1.8.4 to 1.18.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.8.4...v1.18.0)

Updates `@xboxreplay/xboxlive-auth` from 4.1.0 to 5.1.0
- [Release notes](https://github.com/XboxReplay/xboxlive-auth/releases)
- [Commits](XboxReplay/xboxlive-auth@4.1.0...5.1.0)

Updates `minecraft-protocol` from 1.57.0 to 1.66.2
- [Release notes](https://github.com/PrismarineJS/node-minecraft-protocol/releases)
- [Changelog](https://github.com/PrismarineJS/node-minecraft-protocol/blob/master/docs/HISTORY.md)
- [Commits](PrismarineJS/node-minecraft-protocol@1.57.0...1.66.2)

Updates `prismarine-auth` from 2.7.0 to 3.1.1
- [Release notes](https://github.com/PrismarineJS/prismarine-auth/releases)
- [Changelog](https://github.com/PrismarineJS/prismarine-auth/blob/master/HISTORY.md)
- [Commits](PrismarineJS/prismarine-auth@2.7.0...3.1.1)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.18.0
  dependency-type: direct:production
- dependency-name: "@xboxreplay/xboxlive-auth"
  dependency-version: 5.1.0
  dependency-type: direct:production
- dependency-name: minecraft-protocol
  dependency-version: 1.66.2
  dependency-type: indirect
- dependency-name: prismarine-auth
  dependency-version: 3.1.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants