fix: bump the version-updates group across 1 directory with 10 updates

[dependabot]

Bumps the version-updates group with 10 updates in the / directory:

Package	From	To
@reduxjs/toolkit	2.9.0	2.9.2
axios	1.12.2	1.13.1
dompurify	3.2.7	3.3.0
@testing-library/jest-dom	6.8.0	6.9.1
commander	14.0.1	14.0.2
esbuild	0.25.10	0.25.12
eslint-plugin-react-refresh	0.4.22	0.4.24
rollup	4.52.3	4.52.5
typescript	5.9.2	5.9.3
typescript-eslint	8.45.0	8.46.2

Updates @reduxjs/toolkit from 2.9.0 to 2.9.2

Release notes

Sourced from @​reduxjs/toolkit's releases.

v2.9.2

This bugfix release fixes a potential internal data leak in SSR environments, improves handling of headers in fetchBaseQuery, improves retry handling for unexpected errors and request aborts, and fixes a longstanding issue with prefetch leaving an unused subscription. We've also shipped a new graphqlRequestBaseQuery release with updated dependencies and better error handling.

Changelog

Internal Subscription Handling

We had a report that a Redux SSR app had internal subscription data showing up across different requests. After investigation, this was a bug introduced by the recent RTKQ perf optimizations, where the internal subscription fields were hoisted outside of the middleware setup and into createApi itself. This meant they existed outside of the per-store-instance lifecycle. We've reworked the logic to ensure the data is per-store again. We also fixed another issue that miscalculated when there was an active request while checking for cache entry cleanup.

Note that no actual app data was leaked in this case, just the internal subscription IDs that RTKQ uses in its own middleware to track the existence of subscriptions per cache entry.

fetchBaseQuery Headers

We've updated fetchBaseQuery to avoid setting content-type in cases where a non-JSONifiable value like FormData is being passed as the request body, so that the browser can set that content type itself. It also now sets the accept header based on the selected responseHandler (JSON or text).

retry Behavior and Cleanup

The retry util now respects the maxRetries option when catching unknown errors in addition to the existing known errors logic. It also now checks the request's AbortSignal and will stop retrying if aborted.

In conjunction with that, dispatching resetApiState will now abort all in-flight requests.

The prefetch util and usePrefetch hook had a long-standing issue where they would create a subscription for a cache entry, but there was no way to clean up that subscription. This meant that the cache entry was effectively permanent. They now initiate the request without adding a subscription. This will fetch the cache entry and leave it in the store for the keepUnusedDataFor period as intended, giving your app time to actually subscribe to the value (such as prefetching the cache entry in a route handler, and then subscribing in a component).

graphqlRequestBaseQuery

We've published @rtk-query/graphql-request-base-query v2.3.2, which updates the graphql-request dep to ^7. We also fixed an issue where the error handling rethrew unknown errors - it now returns {error} as a base query is supposed to.

What's Changed

• Fix potential subscription leakage in SSR environments by @​markerikson in reduxjs/redux-toolkit#5111
• Improve fetchBaseQuery default headers handling by @​markerikson in reduxjs/redux-toolkit#5112
• Respect maxRetries for unexpected errors by @​markerikson in reduxjs/redux-toolkit#5113
• fix: update graphql-request dependency to include version ^7.0.0 by @​eyesfocus in reduxjs/redux-toolkit#4987
• Add retry abort handling and abort on resetApiState by @​markerikson in reduxjs/redux-toolkit#5114
• Don't create subscriptions for prefetch calls by @​markerikson in reduxjs/redux-toolkit#5116

Full Changelog: reduxjs/redux-toolkit@v2.9.1...v2.9.2

v2.9.1

This bugfix release fixes how sorted entity adapters handle duplicate IDs, tweaks the TS types for RTKQ query state cache entries to improve how the data field is handled, and adds better cleanup for long-running listener middleware effects.

What's Changed

• fix(entityAdapter): ensure sorted addMany keeps first occurrence of duplicate ids by @​demyanm in reduxjs/redux-toolkit#5097
• fix(entityAdapter): ensure sorted setMany keeps just unique IDs in state.ids by @​demyanm in reduxjs/redux-toolkit#5107
• fix(types): ensure non-undefined data on isSuccess with exactOptionalPropertyTypes by @​CO0Ki3 in reduxjs/redux-toolkit#5088
• Allow executing effects that have become unsubscribed to be canceled by listenerMiddleware.clearListeners by @​chris-chambers in reduxjs/redux-toolkit#5102

Full Changelog: reduxjs/redux-toolkit@v2.9.0...v2.9.1

Commits

• 32887d7 Release 2.9.2
• 4432629 Don't create subscriptions for prefetch calls (#5116)
• c86d948 Add retry abort handling and abort on resetApiState (#5114)
• 02630d2 fix: update graphql-request dependency to include version ^7.0.0 (#4987)
• 1b95037 Respect maxRetries for unexpected errors (#5113)
• c490b19 Improve fetchBaseQuery default headers handling (#5112)
• 7b7faea Fix potential subscription leakage in SSR environments (#5111)
• fde0be7 Release 2.9.1
• 47e7d81 Release @​rtk-query/codegen-openapi 2.1.0
• b4b7d17 Allow executing effects that have become unsubscribed to be canceled by `list...
• Additional commits viewable in compare view

Updates axios from 1.12.2 to 1.13.1

Release notes

Sourced from axios's releases.

Release v1.13.1

Release notes:

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

Release v1.13.0

Release notes:

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
• resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

• http: add HTTP2 support; (#7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge
• Anchal Singh
• Rahul Kumar
• Amit Verma
• Abhishek3880
• Dhvani Maktuporia
• Usama Ayoub
• ikuy1203
• Nikhil Simon Toppo
• Jane Wangari
• Supakorn Ieamgomol
• Kian-Meng Ang
• UTSUMI Keiji

Changelog

Sourced from axios's changelog.

1.13.1 (2025-10-28)

Bug Fixes

• http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

Contributors to this release

• Anchal Singh
• Dmitriy Mozgovoy

1.13.0 (2025-10-27)

Bug Fixes

• fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
• resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

Features

• http: add HTTP2 support; (#7150) (d676df7)

Contributors to this release

• Dmitriy Mozgovoy
• Noritaka Kobayashi
• Aviraj2929
• prasoon patel
• Samyak Dandge
• Anchal Singh
• Rahul Kumar
• Amit Verma
• Abhishek3880
• Dhvani Maktuporia
• Usama Ayoub
• ikuy1203
• Nikhil Simon Toppo
• Jane Wangari
• Supakorn Ieamgomol
• Kian-Meng Ang
• UTSUMI Keiji

Commits

• 1ef8e72 chore(release): v1.13.1 (#7194)
• bcd5581 fix(http): fixed a regression that caused the data stream to be interrupted f...
• c9b3371 chore: enhance styling and responsiveness in client.html (#7173)
• 9ead04d [Release] v1.13.0 (#7189)
• d000fbf fix(http2): fix possible race condition when handling http2 stream on almost ...
• 08db960 docs: added example for improved network error handling (with Wrapper/Middlew...
• 46e1981 refactor: form data handling in index.html (#7170)
• 889f8ef docs: fix mismatched return type (#7172)
• 7b197ef fix: sandbox ui updated (#7175)
• 6dff629 chore: fix typos in examples (#7166)
• Additional commits viewable in compare view

Updates dompurify from 3.2.7 to 3.3.0

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.0

• Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
• Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
• Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

Commits

• 36d1fbc Getting 3.x branch ready for 3.3.0 release (#1157)
• See full diff in compare view

Updates @testing-library/jest-dom from 6.8.0 to 6.9.1

Release notes

Sourced from @​testing-library/jest-dom's releases.

v6.9.1

6.9.1 (2025-10-01)

Bug Fixes

• Fix undefined Node error (nodejs) (#707) (0ff8904)

v6.9.0

6.9.0 (2025-09-30)

Features

• Add .toAppearBefore/.toAppearAfter matcher (#702) (95f870a)

Commits

• 0ff8904 fix: Fix undefined Node error (nodejs) (#707)
• 95f870a feat: Add .toAppearBefore/.toAppearAfter matcher (#702)
• d6663f5 docs: add nossbigg as a contributor for code, and test (#703)
• See full diff in compare view

Updates commander from 14.0.1 to 14.0.2

Release notes

Sourced from commander's releases.

v14.0.2

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

Changelog

Sourced from commander's changelog.

[14.0.2] (2025-10-25)

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

Commits

• 0692be5 Prepare for 14.0.2 (#2437)
• 88a348e Bump actions/setup-node from 5 to 6 (#2438)
• 3fe83d6 Bump github/codeql-action from 3 to 4 (#2435)
• 0b7988e Bump globals from 16.3.0 to 16.4.0 (#2429)
• 8005253 Bump typescript-eslint from 8.42.0 to 8.45.0 (#2430)
• 213e679 Bump ts-jest from 29.4.1 to 29.4.4 (#2431)
• 7ede91b Bump jest from 30.1.3 to 30.2.0 (#2432)
• 8c91f34 Bump typescript from 5.9.2 to 5.9.3 (#2433)
• ff1d2ce Improve negative test (#2428)
• 1a6dba5 Clarify deprecated routine (#2427)
• See full diff in compare view

Updates esbuild from 0.25.10 to 0.25.12

Release notes

Sourced from esbuild's releases.

v0.25.12

• Fix a minification regression with CSS media queries (#4315)

  The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

• Update the list of known JavaScript globals (#4310)

  This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

  From ES2017:

  • Atomics
  • SharedArrayBuffer

  From ES2020:

  • BigInt64Array
  • BigUint64Array

  From ES2021:

  • FinalizationRegistry
  • WeakRef

  From ES2025:

  • Float16Array
  • Iterator

  Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

  // This can now be tree-shaken by esbuild:
  class ExampleIterator extends Iterator {}

• Add support for the new @view-transition CSS rule (#4313)

  With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

  /* Original code */
  @view-transition {
    navigation: auto;
    types: check;
  }
  /* Old output */
  @​view-transition { navigation: auto; types: check; }
  /* New output */
  @​view-transition {
  navigation: auto;
  types: check;

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.25.12

• Fix a minification regression with CSS media queries (#4315)

  The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.

• Update the list of known JavaScript globals (#4310)

  This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

  From ES2017:

  • Atomics
  • SharedArrayBuffer

  From ES2020:

  • BigInt64Array
  • BigUint64Array

  From ES2021:

  • FinalizationRegistry
  • WeakRef

  From ES2025:

  • Float16Array
  • Iterator

  Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:

  // This can now be tree-shaken by esbuild:
  class ExampleIterator extends Iterator {}

• Add support for the new @view-transition CSS rule (#4313)

  With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):

  /* Original code */
  @view-transition {
    navigation: auto;
    types: check;
  }
  /* Old output */
  @​view-transition { navigation: auto; types: check; }
  /* New output */
  @​view-transition {
  navigation: auto;

... (truncated)

Commits

• 208f539 publish 0.25.12 to npm
• 5f03afd update release notes
• 6b2ee78 minify: remove css rules containing empty :is()
• f361deb add some additional known static methods
• 07aa646 automatically mark "RegExp.escape()" calls as pure
• 9039c46 simplify some call expression checks
• 188944d add some additional known static methods
• d3c67f9 fix #4310: add Iterator and other known globals
• 4a51f0b fix: escape dev server breadcrumb hrefs properly (#4316)
• 26b29ed fix #4315: @media deduplication bug edge case
• Additional commits viewable in compare view

Updates eslint-plugin-react-refresh from 0.4.22 to 0.4.24

Release notes

Sourced from eslint-plugin-react-refresh's releases.

v0.4.24

• Add "generateImageMetadata", "generateSitemaps" & "generateStaticParams" to allowExportNames in Next config

v0.4.23

• Add "metadata", "generateMetadata" & "generateViewport" to allowExportNames in Next config

Changelog

Sourced from eslint-plugin-react-refresh's changelog.

0.4.24

• Add "generateImageMetadata", "generateSitemaps" & "generateStaticParams" to allowExportNames in Next config

0.4.23

• Add "metadata", "generateMetadata" & "generateViewport" to allowExportNames in Next config

Commits

• 6368815 Add generate{ImageMetadata,Sitemaps,StaticParams} to Next config [publish] (#92)
• 1d436ff More allowExportNames in Next config (fixes #90) [publish]
• See full diff in compare view

Updates rollup from 4.52.3 to 4.52.5

Release notes

Sourced from rollup's releases.

v4.52.5

4.52.5

2025-10-18

Bug Fixes

• Always produce valid UUIDs as debugIds in sourcemaps (#6144)

Pull Requests

• #6135: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6140: chore(deps): update peter-evans/create-or-update-comment action to v5 (@​renovate[bot])
• #6141: chore(deps): update peter-evans/find-comment action to v4 (@​renovate[bot])
• #6142: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6143: chore: eslint enable concurrency option (@​btea)
• #6144: fix: generation of debugIDs with invalid length (@​pablomatiasgomez, @​lukastaegert)
• #6146: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6147: chore(deps): update actions/setup-node action to v6 (@​renovate[bot])

v4.52.4

4.52.4

2025-10-03

Bug Fixes

• Fix an issue where the wrong branch of nullish coalescing was picked (#6133)

Pull Requests

• #6128: Enable npm OIDC publishing (@​lukastaegert)
• #6133: Correct nullish coalescing branch resolution for symbol left value (@​TrickyPi)
• #6134: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

Changelog

Sourced from rollup's changelog.

4.52.5

2025-10-18

Bug Fixes

• Always produce valid UUIDs as debugIds in sourcemaps (#6144)

Pull Requests

• #6135: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6140: chore(deps): update peter-evans/create-or-update-comment action to v5 (@​renovate[bot])
• #6141: chore(deps): update peter-evans/find-comment action to v4 (@​renovate[bot])
• #6142: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6143: chore: eslint enable concurrency option (@​btea)
• #6144: fix: generation of debugIDs with invalid length (@​pablomatiasgomez, @​lukastaegert)
• #6146: chore(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6147: chore(deps): update actions/setup-node action to v6 (@​renovate[bot])

4.52.4

2025-10-03

Bug Fixes

• Fix an issue where the wrong branch of nullish coalescing was picked (#6133)

Pull Requests

• #6128: Enable npm OIDC publishing (@​lukastaegert)
• #6133: Correct nullish coalescing branch resolution for symbol left value (@​TrickyPi)
• #6134: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

Commits

• 55a8fd5 4.52.5
• 58f5a7b fix: generation of debugIDs with invalid length (#6144)
• 0b816b0 chore(deps): lock file maintenance minor/patch updates (#6146)
• a973ed8 chore: eslint enable concurrency option (#6143)
• bfa9e9f chore(deps): update actions/setup-node action to v6 (#6147)
• 69a9336 fix(deps): lock file maintenance minor/patch updates (#6142)
• 88b18b9 chore(deps): update peter-evans/create-or-update-comment action to v5 (#6140)
• c9ab522 chore(deps): update peter-evans/find-comment action to v4 (#6141)
• 01f02bd chore(deps): lock file maintenance minor/patch updates (#6135)
• cd81da7 4.52.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Updates typescript from 5.9.2 to 5.9.3

Release notes

Sourced from typescript's releases.

TypeScript 5.9.3

Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.

For release notes, check out the release announcement

• fixed issues query for Typescript 5.9.0 (Beta).
• fixed issues query for Typescript 5.9.1 (RC).
• No specific changes for TypeScript 5.9.2 (Stable)
• fixed issues query for Typescript 5.9.3 (Stable).

Downloads are available on:

• npm

Commits

• c63de15 Bump version to 5.9.3 and LKG
• 8428ca4 🤖 Pick PR #62438 (Fix incorrectly ignored dts file fr...) into release-5.9 (#...
• a131cac 🤖 Pick PR #62351 (Add missing Float16Array constructo...) into release-5.9 (#...
• 0424333 🤖 Pick PR #62423 (Revert PR 61928) into release-5.9 (#62425)
• bdb641a 🤖 Pick PR #62311 (Fix parenthesizer rules for manuall...) into release-5.9 (#...
• 0d9b9b9 🤖 Pick PR #61978 (Restructure CI to prepare for requi...) into release-5.9 (#...
• 2dce0c5 Intentionally regress one buggy declaration output to an older version (#62163)
• See full diff in compare view

Updates typescript-eslint from 8.45.0 to 8.46.2

Release notes

Sourced from typescript-eslint's releases.

v8.46.2

8.46.2 (2025-10-20)

🩹 Fixes

• eslint-plugin: [prefer-optional-chain] skip optional chaining when it could change the result (#11702)
• typescript-estree: forbid invalid modifiers in object methods (#11689)

❤️ Thank You

• fisker Cheung @​fisker
• mdm317

You can read about our versioning strategy and releases on our website.

v8.46.1

8.46.1 (2025-10-13)

🩹 Fixes

• ast-spec: cleanup TSLiteralType (#11624)
• eslint-plugin: [prefer-optional-chain] include mixed "nullish comparison style" chains in checks (#11533)
• eslint-plugin: [no-misused-promises] special-case .finally not to report when a promise returning function is provided as an argument (#11667)

❤️ Thank You

• Abraham Guo
• mdm317
• Ronen Amiel

You can read about our versioning strategy and releases on our website.

v8.46.0

8.46.0 (2025-10-06)

🚀 Features

• eslint-plugin: [no-unsafe-member-access] add allowOptionalChaining option (#11659)
• eslint-plugin-internal: [no-dynamic-tests] new internal Lint rule to ban dynamic syntax in generating tests (#11323)
• rule-schema-to-typescript-types: clean up and make public (#11633)
• typescript-eslint: export util types (#10848, #10849)
• typescript-estree: mention file specifics in project service allowDefaultProject error (#11635)
• typescript-estree: private identifiers can only appear on LHS of in expressions (#9232)

🩹 Fixes

• eslint-plugin: [no-floating-promises] remove excess parentheses in suggestions (#11487)
• eslint-plugin: [unbound-method] improve wording around this: void and binding (#11634)
• eslint-plugin: [no-deprecated] ignore deprecated export imports (#11603)
• eslint-plugin: removed error type previously deprecated (#11674)

... (truncated)

Changelog

Sourced from typescript-eslint's changelog.

8.46.2 (2025-10-20)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.46.1 (2025-10-13)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.46.0 (2025-10-06)

🚀 Features

• typescript-eslint: export util types (#10848, #10849)

❤️ Thank You

• Mister-Hope @​Mister-Hope

You can read about our versioning strategy and releases on our website.

Commits

• 55ca033 chore(release): publish 8.46.2
• 3f5fbf6 chore(release): publish 8.46.1
• aec785e chore(release): publish 8.46.0
• 5c1a159 feat(typescript-eslint): export util types (close #10848) (#10849)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.