Bump the all-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the all-dependencies group with 10 updates in the / directory:

Package	From	To
axios	1.13.2	1.13.5
react	19.2.3	19.2.4
react-dom	19.2.3	19.2.4
react-router-dom	7.11.0	7.13.0
recharts	2.15.4	3.7.0
@vitejs/plugin-react	4.7.0	5.1.3
vite	6.4.1	7.3.1
dotenv	17.2.3	17.2.4
pg	8.16.3	8.18.0
sequelize-cli	6.6.3	6.6.5

Updates axios from 1.13.2 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates react from 19.2.3 to 19.2.4

Release notes

Sourced from react's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates react-dom from 19.2.3 to 19.2.4

Release notes

Sourced from react-dom's releases.

19.2.4 (January 26th, 2026)

React Server Components

• Add more DoS mitigations to Server Actions, and harden Server Components (#35632 by @​gnoff, @​lubieowoce, @​sebmarkbage, @​unstubbable)

Commits

• 90ab3f8 Version 19.2.4
• See full diff in compare view

Updates react-router-dom from 7.11.0 to 7.13.0

Release notes

Sourced from react-router-dom's releases.

react-router-dom-v5-compat@6.4.0-pre.15

Patch Changes

• Updated dependencies
  • react-router@6.4.0-pre.15
  • react-router-dom@6.4.0-pre.15

Changelog

Sourced from react-router-dom's changelog.

7.13.0

Patch Changes

• Updated dependencies:
  • react-router@7.13.0

7.12.0

Patch Changes

• Updated dependencies:
  • react-router@7.12.0

Commits

• 5557ba3 chore: Update version for release (#14749)
• 62c6e0e chore: Update version for release (pre) (#14738)
• 26653a6 chore: Update version for release (#14712)
• 7ac2346 chore: Update version for release (pre) (#14709)
• See full diff in compare view

Updates recharts from 2.15.4 to 3.7.0

Release notes

Sourced from recharts's releases.

v3.7.0

What's Changed

📢 Cell is now deprecated and will be removed in the next major version. Please migrate all Cell usage to use the shape prop of respective chart elements. ‼️

Feat

New Hooks

• useIsTooltipActive: returns if the tooltip is active by @​PavelVanecek in recharts/recharts#6880
• useActiveTooltipCoordinate: returns current tooltip coordinate by @​PavelVanecek in recharts/recharts#6880

Other

• Tooltip: allow offset prop to accept Coordinate object by @​bigsaigon333 in recharts/recharts#6868 X/YAxis add new axis type: "auto" by @​PavelVanecek in recharts/recharts#6823
  • sets the type to "category" for categorical axes, and "number" for numeric axis.
• X/YAxis: replace tick: any with explicit type by @​PavelVanecek in recharts/recharts#6911
• Bar/TypeScript: add BarShapeProps type to fix Bar.shape type by @​PavelVanecek in recharts/recharts#6900
• TypeScript: add missing useful type exports for content, shape functions, etc. @​PavelVanecek in recharts/recharts#6852

Fix

• BarChart: fix stackOffset=sign for charts with 3 or more positive values in one series by @​PavelVanecek in recharts/recharts#6807
• BarStack: fix circular dependency when building with vite by @​jkr2255 in recharts/recharts#6777
• BarStack: fix BarStack clipPath in charts with stackOffset=sign by @​PavelVanecek in recharts/recharts#6806
• BarStack: apply bar stack radius to active bars by @​PavelVanecek in recharts/recharts#6906

Chore

• Enabled strict tsconfig by @​PavelVanecek in recharts/recharts#6842

Docs

We've started auto-generating our docs for the most part so you should see large improvements in accuracy of the docs between the code, the website, and the storybook. Huge shoutout to @​PavelVanecek 🚀

• Dark mode 🕶️ by @​cloud-walker in recharts/recharts#6828
  • Thanks @​cloud-walker
• Recharts devtools has been added to all website examples for easier issue debugging

New Contributors

• @​jkr2255 made their first contribution in recharts/recharts#6777
• @​cloud-walker made their first contribution in recharts/recharts#6824
• @​bigsaigon333 made their first contribution in recharts/recharts#6868
• @​huangkevin-apr made their first contribution in recharts/recharts#6872

Full Changelog: recharts/recharts@v3.6.0...v3.7.0

... (truncated)

Commits

• d1bc41c 3.7.0 (#6913)
• 8ea7355 Replace tick: any with explicit type (#6911)
• 5586fb2 Deprecate Cell, move all examples to shape, export ScatterShapeProps (#6904)
• 9644f29 chore(deps-dev): bump typescript-eslint from 8.53.0 to 8.53.1 (#6910)
• 3f9dbd0 chore(deps): bump eventemitter3 from 5.0.1 to 5.0.4 (#6908)
• 6529696 chore(deps-dev): bump @​testing-library/react from 16.3.1 to 16.3.2 (#6909)
• bef3630 Clarify docs (#6907)
• 2548a9f Apply BarStackClipLayer on active bars (#6906)
• 0374d8e Remove duplicate stories (#6901)
• 23a42f4 [Omnidoc] Link examples from each prop (#6899)
• Additional commits viewable in compare view

Updates @vitejs/plugin-react from 4.7.0 to 5.1.3

Release notes

Sourced from @​vitejs/plugin-react's releases.

plugin-react@5.1.3

No release notes provided.

plugin-react@5.1.2

No release notes provided.

plugin-react@5.1.1

Update code to support newer rolldown-vite (#976)

rolldown-vite will remove optimizeDeps.rollupOptions in favor of optimizeDeps.rolldownOptions soon. This plugin now uses optimizeDeps.rolldownOptions to support newer rolldown-vite. Please update rolldown-vite to the latest version if you are using an older version.

plugin-react@5.1.0

Add @vitejs/plugin-react/preamble virtual module for SSR HMR (#890)

SSR applications can now initialize HMR runtime by importing @vitejs/plugin-react/preamble at the top of their client entry instead of manually calling transformIndexHtml. This simplifies SSR setup for applications that don't use the transformIndexHtml API.

Fix raw Rolldown support for Rolldown 1.0.0-beta.44+ (#930)

Rolldown 1.0.0-beta.44+ removed the top-level jsx option in favor of transform.jsx. This plugin now uses the transform.jsx option to support Rolldown 1.0.0-beta.44+.

plugin-react@5.0.4

Perf: use native refresh wrapper plugin in rolldown-vite (#881)

plugin-react@5.0.3

HMR did not work for components imported with queries with rolldown-vite (#872)

Perf: simplify refresh wrapper generation (#835)

plugin-react@5.0.2

Skip transform hook completely in rolldown-vite in dev if possible (#783)

plugin-react@5.0.1

Set optimizeDeps.rollupOptions.transform.jsx instead of optimizeDeps.rollupOptions.jsx for rolldown-vite (#735)

optimizeDeps.rollupOptions.jsx is going to be deprecated in favor of optimizeDeps.rollupOptions.transform.jsx.

Perf: skip babel-plugin-react-compiler if code has no "use memo" when { compilationMode: "annotation" } (#734)

Respect tsconfig jsxImportSource (#726)

Fix reactRefreshHost option on rolldown-vite (#716)

Fix RefreshRuntime being injected twice for class components on rolldown-vite (#708)

Skip babel-plugin-react-compiler on non client environment (689)

plugin-react@5.0.0

(Same content as v5.0.0-beta.0 https://github.com/vitejs/vite-plugin-react/releases/tag/plugin-react%405.0.0-beta.0)

Use Oxc for react refresh transform in rolldown-vite

... (truncated)

Changelog

Sourced from @​vitejs/plugin-react's changelog.

5.1.3 (2026-02-02)

5.1.2 (2025-12-08)

5.1.1 (2025-11-12)

Update code to support newer rolldown-vite (#976)

rolldown-vite will remove optimizeDeps.rollupOptions in favor of optimizeDeps.rolldownOptions soon. This plugin now uses optimizeDeps.rolldownOptions to support newer rolldown-vite. Please update rolldown-vite to the latest version if you are using an older version.

5.1.0 (2025-10-24)

Add @vitejs/plugin-react/preamble virtual module for SSR HMR (#890)

SSR applications can now initialize HMR runtime by importing @vitejs/plugin-react/preamble at the top of their client entry instead of manually calling transformIndexHtml. This simplifies SSR setup for applications that don't use the transformIndexHtml API.

Fix raw Rolldown support for Rolldown 1.0.0-beta.44+ (#930)

Rolldown 1.0.0-beta.44+ removed the top-level jsx option in favor of transform.jsx. This plugin now uses the transform.jsx option to support Rolldown 1.0.0-beta.44+.

5.0.4 (2025-09-27)

Perf: use native refresh wrapper plugin in rolldown-vite (#881)

5.0.3 (2025-09-17)

HMR did not work for components imported with queries with rolldown-vite (#872)

Perf: simplify refresh wrapper generation (#835)

5.0.2 (2025-08-28)

Skip transform hook completely in rolldown-vite in dev if possible (#783)

5.0.1 (2025-08-19)

Set optimizeDeps.rollupOptions.transform.jsx instead of optimizeDeps.rollupOptions.jsx for rolldown-vite (#735)

optimizeDeps.rollupOptions.jsx is going to be deprecated in favor of optimizeDeps.rollupOptions.transform.jsx.

Perf: skip babel-plugin-react-compiler if code has no "use memo" when { compilationMode: "annotation" } (#734)

Respect tsconfig jsxImportSource (#726)

Fix reactRefreshHost option on rolldown-vite (#716)

Fix RefreshRuntime being injected twice for class components on rolldown-vite (#708)

Skip babel-plugin-react-compiler on non client environment (689)

... (truncated)

Commits

• cf0cb8a release: plugin-react@5.1.3
• 99e480c fix(deps): update all non-major dependencies (#1090)
• 77f5e42 fix(deps): update react 19.2.4 (#1084)
• e327da4 fix(deps): update all non-major dependencies (#1083)
• 3d3dbc2 chore: add metadata for vite-plugin-registry (#1078)
• 58dfb9d fix(deps): update all non-major dependencies (#1066)
• fefad3d fix(deps): update all non-major dependencies (#1048)
• 36704df chore: setup oxfmt for formatting (#997)
• 54231d9 docs(plugin-react): add docs for exclude option (#1046)
• 6d203af fix(deps): update all non-major dependencies (#1030)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​vitejs/plugin-react since your current version.

Updates vite from 6.4.1 to 7.3.1

Release notes

Sourced from vite's releases.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.1

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

v7.1.12

Please refer to CHANGELOG.md for details.

v7.1.11

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.3.1 (2026-01-07)

Features

• add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

• deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

• plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

• config: handle shebang properly (#21158) (df5a30d)
• deps: update all non-major dependencies (#21146) (a3cd262)
• deps: update all non-major dependencies (#21175) (72e398a)
• fix external: true merging (#21164) (5ef557a)
• shortcuts not rebound after server restart (#21166) (3765f7b)

Performance Improvements

• deps: replace debug with obug (#21137) (203a551)

Documentation

• clarify manifest.json imports field is JS chunks only (#21136) (46d3077)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#21174) (74559c9)

7.2.4 (2025-11-20)

Bug Fixes

• revert "perf(deps): replace debug with obug (#21107)" (2d66b7b)

7.2.3 (2025-11-20)

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#21103) (5909efd)
• deps: update all non-major dependencies (#21096) (6a34ac3)
• deps: update all non-major dependencies (#21128) (4f8171e)

Performance Improvements

... (truncated)

Commits

• 95e8923 release: v7.3.1
• 9d39d37 feat: add ignoreOutdatedRequests option to optimizeDeps (#21364)
• acf7e05 release: v7.3.0
• cff26ec feat(deps): update esbuild from ^0.25.0 to ^0.27.0 (#21183)
• 317b3b2 release: v7.2.7
• 721f163 fix: plugin shortcut support (#21211)
• bda5dbb release: v7.2.6
• 3aa7527 release: v7.2.5
• 72e398a fix(deps): update all non-major dependencies (#21175)
• 3765f7b fix: shortcuts not rebound after server restart (#21166)
• Additional commits viewable in compare view

Updates dotenv from 17.2.3 to 17.2.4

Changelog

Sourced from dotenv's changelog.

17.2.4 (2026-02-05)

Changed

• Make DotenvPopulateInput accept NodeJS.ProcessEnv type (#915)

• Give back to dotenv by checking out my newest project vestauth. It is auth for agents. Thank you for using my software.

Commits

• See full diff in compare view

Updates pg from 8.16.3 to 8.18.0

Changelog

Sourced from pg's changelog.

pg@8.18.0

• Return the client instance as the result of calling connect (previously it was void).

pg@8.17.0

• Throw correct error if database URL parsing fails.

pg@8.16.0

• Add support for min connection pool size.

pg@8.15.0

• Add support for esm importing. CommonJS importing is still also supported.

pg@8.14.0

• Add support from SCRAM-SAH-256-PLUS i.e. channel binding.

pg@8.13.0

• Add ability to specify query timeout on per-query basis.

pg@8.12.0

• Add queryMode config option to force use of the extended query protocol on queries without any parameters.

pg-pool@8.10.0

• Emit release event when client is returned to the pool.

pg@8.9.0

• Add support for stream factory.
• Better errors for SASL authentication.
• Use native crypto module for SASL authentication.

pg@8.8.0

• Bump minimum required version of native bindings.
• Catch previously uncatchable errors thrown in pool.query.
• Prevent the pool from blocking the event loop if all clients are idle (and allowExitOnIdle is enabled).
• Support lock_timeout in client config.
• Fix errors thrown in callbacks from interfering with cleanup.

pg-pool@3.5.0

• Add connection lifetime limit config option.

... (truncated)

Commits

• fc4de3c Publish
• 0d1541d Always check if activeQuery is null before using it (#3586)
• 57e93b5 Return the client instance in the connect() method (#3564)
• 5b68a11 Publish
• ea06db5 Remove node: prefix from imports (#3584)
• a3a4567 remove unused variable (#3562)
• 4eb7529 Publish
• b94c8e1 Don't use prefix import as it breaks in old nodes. (#3578)
• 6bf475c Improve Deno compatibility: config-first and safe env access (#3547)
• d10e09c Publish
• Additional commits viewable in compare view

Updates sequelize-cli from 6.6.3 to 6.6.5

Release notes

Sourced from sequelize-cli's releases.

v6.6.5

6.6.5 (2026-01-05)

Bug Fixes

• move to trusted publishing (#1551) (d59e20d)
• replace fs.R_OK with fs.constants.R_OK (#1540) (3f63857)

Commits

• 4d8fb6e meta: update version to current version (#1559)
• d6b4da8 ci: fix release command (#1555)
• d59e20d fix: move to trusted publishing (#1551)
• 031ee87 build(deps): lock file maintenance (#1538)
• 3f63857 fix: replace fs.R_OK with fs.constants.R_OK (#1540)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for sequelize-cli since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.