@zuplo/cli 6.70.71 → 6.71.0

package/node_modules/@zuplo/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zuplo/core",
-  "version": "6.70.71",
+  "version": "6.71.0",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "type": "module",

package/node_modules/@zuplo/graphql/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/graphql",
   "type": "module",
-  "version": "6.70.71",
+  "version": "6.71.0",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/node_modules/@zuplo/openapi-tools/package.json

@@ -2,7 +2,7 @@
   "name": "@zuplo/openapi-tools",
   "type": "module",
   "sideEffects": false,
-  "version": "6.70.71",
+  "version": "6.71.0",
   "description": "Tooling for OpenAPI files",
   "repository": {
     "type": "git",

package/node_modules/@zuplo/otel/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/otel",
   "type": "module",
-  "version": "6.70.71",
+  "version": "6.71.0",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/node_modules/@zuplo/runtime/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zuplo/runtime",
   "type": "module",
-  "version": "6.70.71",
+  "version": "6.71.0",
   "repository": "https://github.com/zuplo/zuplo",
   "author": "Zuplo, Inc.",
   "exports": {

package/node_modules/axios/CHANGELOG.md

@@ -1,5 +1,56 @@
 # Changelog
 
+## v1.17.0 — June 1, 2026
+
+This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
+
+## 🔒 Security Fixes
+
+* **Config Hardening:** Guarded `socketPath`, `params`, and `paramsSerializer` reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (__#10901__, __#10922__)
+* **Release Publishing:** Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (__#10926__)
+
+## 🚀 New Features
+
+* **HTTP Compression:** Added Node HTTP adapter support for zstd response decompression, with `transitional.advertiseZstdAcceptEncoding` controlling whether `zstd` is advertised in `Accept-Encoding`. (__#6792__, __#10920__)
+
+## 🐛 Bug Fixes
+
+* **Authentication Handling:** Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (__#10929__, __#10896__)
+* **Proxy TLS:** Preserved user `httpsAgent` TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (__#10957__)
+* **React Native FormData:** Cleared default `Content-Type` for React Native `FormData` so multipart boundaries can be generated correctly. (__#10898__)
+* **Headers:** Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (__#10875__)
+* **Request Data Merging:** Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (__#10812__)
+* **Bundler Compatibility:** Converted `resolveConfig` from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (__#10891__)
+* **Types:** Corrected `AxiosHeaders.toJSON()` return types and updated CommonJS `isCancel` typings to narrow to `CanceledError<T>`. (__#10956__, __#10952__)
+* **Build Tooling:** Avoided emitting a null `Authorization` header from the GitHub build helper when `GITHUB_TOKEN` is unset. (__#10931__)
+
+## 🔧 Maintenance & Chores
+
+* **HTTP/2 Internals:** Extracted `Http2Sessions` into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (__#10861__)
+* **Package Publishing:** Reduced published package size by switching to a `files` allowlist and dropping unneeded unminified bundle source maps. (__#10939__)
+* **CI and Release Automation:** Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (__#10907__, __#10911__, __#10916__, __#10927__, __#10935__, __#10983__)
+* **Developer Workflow:** Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (__#10925__, __#10914__, __#10958__)
+* **Documentation and Policy:** Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (__#10890__, __#10889__, __#10921__, __#10945__, __#10905__, __#10933__, __#10915__, __#10887__, __#10955__)
+* **Dependencies:** Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, `fs-extra`, `qs`, docs dependencies, and GitHub Actions dependencies including `actions/dependency-review-action` and `zizmorcore/zizmor-action`. (__#10871__, __#10879__, __#10918__, __#10919__, __#10934__, __#10947__, __#10954__, __#10960__)
+
+## 🌟 New Contributors
+
+We are thrilled to welcome our new contributors. Thank you for helping improve axios:
+
+* __@BasixKOR__ (__#6792__)
+* __@carladams1299-lab__ (__#10861__)
+* __@LaplaceYoung__ (__#10812__)
+* __@JamieMagee__ (__#10939__)
+* __@RonGamzu__ (__#10905__)
+* __@sapirbaruch__ (__#10891__)
+* __@nezukoagent__ (__#10901__)
+* __@devareddy05__ (__#10929__)
+* __@Mohammad-Faiz-Cloud-Engineer__ (__#10922__)
+* __@azandabot__ (__#10931__)
+* __@niksy__ (__#10896__)
+
+[Full Changelog](https://github.com/axios/axios/compare/v1.16.1...v1.17.0)
+
 ## v1.16.1 — May 13, 2026
 
 This release ships a defence-in-depth fix for prototype pollution in `formDataToJSON`, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.
@@ -1432,7 +1483,7 @@ This functionality is considered as a fix.
 
 - fix: improve AxiosHeaders class [#5224](https://github.com/axios/axios/pull/5224)
 - fix: TypeScript type definitions for commonjs [#5196](https://github.com/axios/axios/pull/5196)
-- fix: type definition of use method on AxiosInterceptorManager to match the the README [#5071](https://github.com/axios/axios/pull/5071)
+- fix: type definition of use method on AxiosInterceptorManager to match the README [#5071](https://github.com/axios/axios/pull/5071)
 - fix: \_\_dirname is not defined in the sandbox [#5269](https://github.com/axios/axios/pull/5269)
 - fix: AxiosError.toJSON method to avoid circular references [#5247](https://github.com/axios/axios/pull/5247)
 - fix: Z_BUF_ERROR when content-encoding is set but the response body is empty [#5250](https://github.com/axios/axios/pull/5250)

package/node_modules/axios/README.md

@@ -773,6 +773,7 @@ These config options are available for requests. Only `url` is required. Request
   // When no `transformRequest` is set, it must be of one of the following types:
   // - string, plain object, ArrayBuffer, ArrayBufferView, URLSearchParams
   // - Browser only: FormData, File, Blob
+  // - React Native: FormData
   // - Node only: Stream, Buffer, FormData (form-data package)
   data: {
     firstName: 'Fred'
@@ -877,10 +878,12 @@ These config options are available for requests. Only `url` is required. Request
     // Do whatever you want with the Axios progress event
   },
 
-  // `maxContentLength` defines the max size of the http response content in bytes allowed in node.js
+  // `maxContentLength` defines the max size of the response content in bytes.
+  // It is enforced by the Node.js HTTP adapter and the fetch adapter.
   maxContentLength: 2000,
 
-  // `maxBodyLength` (Node only option) defines the max size of the http request content in bytes allowed
+  // `maxBodyLength` defines the max size of the request content in bytes.
+  // It is enforced by the Node.js HTTP adapter and the fetch adapter when the body length can be determined.
   maxBodyLength: 2000,
 
   // `redact` masks matching config keys when AxiosError#toJSON() is called.
@@ -898,6 +901,12 @@ These config options are available for requests. Only `url` is required. Request
   // If set to 0, Axios follows no redirects.
   maxRedirects: 21, // default
 
+  // `sensitiveHeaders` (Node only option) lists custom secret-bearing headers
+  // to remove from cross-origin redirects. Matching is case-insensitive.
+  // Same-origin redirects keep these headers. If `maxRedirects` is 0, this
+  // option is not used.
+  sensitiveHeaders: ['X-API-Key'],
+
   // `beforeRedirect` defines a function that Axios calls before redirect.
   // Use this to adjust the request options upon redirecting,
   // to inspect the latest response headers,
@@ -1640,6 +1649,7 @@ server = app.listen(3000);
 
 To send data as `multipart/form-data`, pass a FormData instance as the payload.
 You do not need to set the `Content-Type` header. Axios detects it from the payload type.
+For browser, web worker, and React Native `FormData`, leave `Content-Type` unset so the runtime can add the multipart boundary.
 
 ```js
 const formData = new FormData();
@@ -2068,6 +2078,8 @@ The `rewrite` argument controls the overwriting behavior:
 
 The option can also accept a user-defined function that determines whether to overwrite the value.
 
+Empty or whitespace-only header names are ignored.
+
 Returns `this`.
 
 ### AxiosHeaders#get(header)
@@ -2243,6 +2255,8 @@ const { data } = fetchAxios.get(url);
 The adapter supports the same features as the `xhr` adapter, including upload and download progress capturing.
 It also supports response types such as `stream` and `formdata` when the environment supports them.
 
+When `auth` is omitted, the fetch adapter can read HTTP Basic auth credentials from the request URL, for example `https://user:pass@example.com`. Percent-encoded URL credentials are decoded before the `Authorization` header is generated, and `auth` takes precedence over URL-embedded credentials.
+
 ### Custom fetch
 
 Since `v1.12.0`, you can configure the fetch adapter to use a custom fetch API instead of environment globals.
@@ -2365,6 +2379,20 @@ try {
 }
 ```
 
+Use `axios.isCancel<T>()` to narrow cancellation errors to `CanceledError<T>`:
+
+```typescript
+const controller = new AbortController();
+
+try {
+  await axios.get<User>('/user?ID=12345', { signal: controller.signal });
+} catch (error) {
+  if (axios.isCancel<User>(error)) {
+    handleCancellation(error);
+  }
+}
+```
+
 Because axios publishes an ESM default export and a CJS `module.exports`, TypeScript has a few caveats.
 The recommended setting is `"moduleResolution": "node16"`, which is implied by `"module": "node16"`. This requires TypeScript 4.7 or greater.
 If you use ESM, your settings should be fine.