Bump the minor-and-patch group across 1 directory with 3 updates

[dependabot]

Bumps the minor-and-patch group with 3 updates in the / directory: axios, i18next-http-backend and vite.

Updates axios from 1.15.0 to 1.15.1

Release notes

Sourced from axios's releases.

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

• Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
• CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
• Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
• withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
• maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
• Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
• Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

• AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
• Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

• FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
• HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
• Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
• Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
• buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
• AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
• Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)
• Docs Artefact Cleanup: Removes the docs content that was incorrectly committed. (#10727)

🔧 Maintenance & Chores

• Threat Model & Security Docs: Ongoing refinement of THREATMODEL.md, including Hopper security update, TLS and tag-replay wording, mitigation descriptions, decompression-bomb guidance, and further cleanup. (#10672, #10715, #10718, #10722, #10763, #10765)
• Test Coverage & Migration: Expanded shouldBypassProxy coverage for wildcard/IPv6/edge cases, documented and tested AxiosError.status, and migrated progressEventReducer tests to Vitest. (#10723, #10725, #10741)
• Type Refactor: Uses TypeScript utility types to deduplicate literal unions. (#7520)
• Repo & CI: Adds CODEOWNERS, switches v1.x releases to an ephemeral release branch, and removes orphaned Bower support. (#10739, #10738, #10746)
• Changelog Backfill: Added missing version entries to the changelog. (#10704)
• Dependencies: Bumped follow-redirects (1.15.11 → 1.16.0) in root and docs, axios (1.14.0 → 1.15.0) in docs, and a group of 5 development dependencies. (#10717, #10716, #10684, #10709)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​curiouscoder-cmd (#7252)
• @​tryonelove (#7520)
• @​darwin808 (#7314)
• @​zoontek (#10702)
• @​AKIB473 (#10725)

Full Changelog

Changelog

Sourced from axios's changelog.

Changelog

Commits

• ac42446 chore(release): prepare release 1.15.1 (#10767)
• 908f220 docs: update threatmodel (#10765)
• f93f815 docs: added docs around potential decompressions bomb (#10763)
• 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
• 42eb721 fix: replace in with has own prop util (#10761)
• 7587327 fix: strip crlf correctly (#10758)
• f0b9867 chore: added additional testing for this issue (#10760)
• e033f24 fix: incomplete fix for cve (#10755)
• e8904af fix: stream response bypassed max content length (#10754)
• 1c7f6d7 fix: enforce max body length when max redirects is 0 (#10753)
• Additional commits viewable in compare view

Updates i18next-http-backend from 3.0.4 to 3.0.5

Changelog

Sourced from i18next-http-backend's changelog.

3.0.5

Security release — all issues found via an internal audit. See published advisory GHSA-q89c-q3h5-w34g.

• security: refuse to build request URLs when lng or ns values contain path-traversal, URL-structure (?, #, %, @, whitespace), path separators, control characters, prototype keys, or exceed 128 chars. Prevents path traversal / SSRF / URL injection via attacker-controlled language-code values. isSafeUrlSegment is permissive for legitimate i18next language codes (any BCP-47-like shape, underscores, hyphens, dots, +-joined multi-language requests) (GHSA-q89c-q3h5-w34g)
• security: per-instance omitFetchOptions — the fetch-options-stripping fallback is now scoped to a single backend instance via options._omitFetchOptions instead of a module-level boolean. One instance hitting a "not implemented" fetch error no longer permanently strips requestOptions (including credentials, mode, cache) from every other backend instance in the same process
• security: strip CR/LF/NUL and other C0/C1 control characters from lng/ns / URL values before they appear in error-callback strings (CWE-117 log forging)
• security: redact user:password credentials from URLs before including them in error-callback strings — prevents leaking basic-auth credentials embedded in loadPath / addPath
• security: iterate own enumerable keys only (Object.keys + prototype-key guard) in addQueryString and in the customHeaders loop in XHR mode — prevents prototype-pollution amplification into the URL and request headers
• chore: ignore .env* and *.pem/*.key files in .gitignore

Commits

• 5757fa3 3.0.5
• 4cee84f security: hardening for 3.0.5
• 4cbc487 Bump next from 16.2.1 to 16.2.3 in /example/next (#180)
• 0d7dcbb make last change more clear
• c740e01 year
• e1dc72b changelog fix
• See full diff in compare view

Updates vite from 8.0.8 to 8.0.9

Release notes

Sourced from vite's releases.

v8.0.9

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.9 (2026-04-20)

Features

• update rolldown to 1.0.0-rc.16 (#22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#22039) (374bb5d)
• deps: update all non-major dependencies (#22219) (4cd0d67)
• deps: update all non-major dependencies (#22268) (c28e9c1)
• detect Deno workspace root (fix #22237) (#22238) (1b793c0)
• dev: handle errors in watchChange hook (#22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#22231) (44c42b9)
• fix reuses wording in dev environment comment (#22173) (9163412)
• fix wording in sass error comment (#22214) (bc5c6a7)
• update build CLI defaults (#22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#22271) (0a3887d)

Commits

• ce729f5 release: v8.0.9
• 605bb97 docs: update build CLI defaults (#22261)
• c28e9c1 fix(deps): update all non-major dependencies (#22268)
• 0a3887d chore(deps): update dependency dotenv-expand to v13 (#22271)
• 868f141 fix(bundled-dev): reject requests to HMR patch files in non potentially trust...
• 3ec9cda fix: skip fallback sourcemap generation for ?raw imports (#22148)
• 3f24533 fix(optimizer): handle more chars that will be sanitized (#22208)
• 1b793c0 fix: detect Deno workspace root (fix #22237) (#22238)
• fc08bda fix(dev): handle errors in watchChange hook (#22188)
• 374bb5d fix(css): use unique key for cssEntriesMap to prevent same-basename collision...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Use docker or podman to test this pull request locally.

Run test server using develop.opencast.org as backend:

podman run --rm -it -p 127.0.0.1:3000:3000 ghcr.io/opencast/admin-interface:pr-1582

Specify a different backend like stable.opencast.org:

podman run --rm -it -p 127.0.0.1:3000:3000 -e PROXY_TARGET=https://stable.opencast.org ghcr.io/opencast/admin-interface:pr-1582

It may take a few seconds for the interface to spin up.
It will then be available at http://127.0.0.1:3000.
For more options you can pass on to the proxy, take a look at the README.md.