Commit Graph

1880 Commits

Author SHA1 Message Date
Twisha Bansal
0583843555 Merge branch 'main' into binary-npx 2026-04-30 06:22:38 +00:00
Dr. Strangelove
9e8dfd3972 docs(looker): fix search tags (#3150)
## Description

minor change to fix tags

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [X] Make sure you reviewed
  [CONTRIBUTING.md](https://github.com/googleapis/mcp-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a
  [bug/issue](https://github.com/googleapis/mcp-toolbox/issues/new/choose)
  before writing your code! That way we can discuss the change, evaluate
  designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

🛠️
2026-04-29 16:15:14 -07:00
Dr. Strangelove
7132e332e5 docs(looker): Looker OAuth for Claude Desktop (#3148)
## Description

Detailed instructions for configuring Claude Desktop with Looker OAuth.

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [x] Make sure you reviewed
  [CONTRIBUTING.md](https://github.com/googleapis/mcp-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a
  [bug/issue](https://github.com/googleapis/mcp-toolbox/issues/new/choose)
  before writing your code! That way we can discuss the change, evaluate
  designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Averi Kitsch <akitsch@google.com>
2026-04-29 18:47:46 -04:00
Dr. Strangelove
76412a3605 docs(looker): MCP Toolbox for Looker in Google Cloud Run (#3149)
## Description

Detailed sample on setting up MCP Toolbox in Google Cloud Run for use
with Looker.

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [x] Make sure you reviewed
  [CONTRIBUTING.md](https://github.com/googleapis/mcp-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a
  [bug/issue](https://github.com/googleapis/mcp-toolbox/issues/new/choose)
  before writing your code! That way we can discuss the change, evaluate
  designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-04-29 18:44:50 -04:00
Jiahua Huang
b225fc44cc feat(source/cloud-storage): add write/copy/move/delete object tools (#3139)
## Description

Adds four new Cloud Storage object mutation tools:

- `cloud-storage-write-object` - write text content directly to a GCS
object
- `cloud-storage-copy-object` - copy an object within or across buckets
- `cloud-storage-move-object` - atomic rename within a bucket via the
native move API
- `cloud-storage-delete-object` - delete a single object

Coverage:
- Unit tests for each new tool, including YAML parsing and Invoke
validation.
- Integration test config wiring for the new Cloud Storage tools.
- Source and integration docs added for all four new tools.

## PR Checklist

- [x] Make sure to open an issue as a bug/issue before writing your
code!
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

## Issue Reference

Fixes # 🦕

Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-29 14:29:10 -07:00
Yuan Teoh
0ee259d05f docs: update broken links (#3146)
Update broken links in deploy-to/cloud-run
2026-04-29 10:11:01 -07:00
Dr. Strangelove
8ae0266a51 docs: Add info on compiling on Windows (#3145)
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-04-29 11:52:57 -04:00
Twisha Bansal
e785cddd76 add docs 2026-04-29 15:50:29 +05:30
Twisha Bansal
4a81585693 auto update versions with release please 2026-04-29 13:22:11 +05:30
Twisha Bansal
1a02ce0af2 delete files 2026-04-29 12:23:10 +05:30
Twisha Bansal
11c240b6b9 move files 2026-04-29 12:22:45 +05:30
Twisha Bansal
db9230d78a Merge branch 'main' into binary-npx 2026-04-29 06:10:44 +00:00
dependabot[bot]
bc8092e932 chore(deps): bump protobufjs from 7.5.4 to 7.5.5 in /docs/en/documentation/getting-started/quickstart/js/adk (#3105)
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.4
to 7.5.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/releases">protobufjs's
releases</a>.</em></p>
<blockquote>
<h2>v7.5.5</h2>
<p>This release backports two reported security issues to 7.x
branch.</p>
<ul>
<li>fix: do not allow setting <code>__proto__</code> in Message
constructor (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)</li>
<li>fix: filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5">https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md">protobufjs's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v8.0.0...protobufjs-v8.0.1">8.0.1</a>
(2026-03-11)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>bump protobufjs dependency version for cli package (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2128">#2128</a>)
(<a
href="549b05ecd9">549b05e</a>)</li>
<li>correct json syntax in tsconfig.json (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2120">#2120</a>)
(<a
href="80656255c7">8065625</a>)</li>
<li><strong>descriptor:</strong> guard oneof index for non-Type parents
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2122">#2122</a>)
(<a
href="1cac5cf811">1cac5cf</a>)</li>
<li>do not allow setting <code>__proto__</code> in Message constructor
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)
(<a
href="f05e3c3bdd">f05e3c3</a>)</li>
<li>filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)
(<a
href="535df444ac">535df44</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v8.0.0">8.0.0</a>
(2025-12-16)</h2>
<h3>⚠ BREAKING CHANGES</h3>
<ul>
<li>add Edition 2024 Support (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2060">#2060</a>)</li>
</ul>
<h3>Features</h3>
<ul>
<li>add Edition 2024 Support (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2060">#2060</a>)
(<a
href="53e8492cba">53e8492</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b7bdfaf91d"><code>b7bdfaf</code></a>
chore: release 7.5.5</li>
<li><a
href="ff7b2afef8"><code>ff7b2af</code></a>
fix: filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)</li>
<li><a
href="086b19d00d"><code>086b19d</code></a>
fix: do not allow setting <code>__proto__</code> in Message constructor
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)</li>
<li>See full diff in <a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~fenster">fenster</a>, a new releaser for
protobufjs since your current version.</p>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-28 14:48:34 -07:00
Twisha Bansal
0192baef90 Merge branch 'main' into binary-npx 2026-04-28 12:57:49 +00:00
Mend Renovate
0917e5bf75 chore(deps): update module github.com/jackc/pgx/v5 to v5.9.2 [security] (#3133)
This PR contains the following updates:

| Package | Change |
|---|---|
| [github.com/jackc/pgx/v5](https://redirect.github.com/jackc/pgx) | `v5.9.1` → `v5.9.2` |

---

### pgx: SQL Injection via placeholder confusion with dollar quoted string literals

[GHSA-j88v-2chj-qfwx](https://redirect.github.com/advisories/GHSA-j88v-2chj-qfwx)

<details>
<summary>More information</summary>

#### Details
##### Impact

SQL Injection can occur when:

1. The non-default simple protocol is used.
2. A dollar quoted string literal is used in the SQL query.
3. That string literal contains text that would be interpreted
as a placeholder outside of a string literal.
4. The value of that placeholder is controllable by the attacker.

e.g.

```go
attackValue := `$tag$; drop table canary; --`
_, err = tx.Exec(ctx, `select $tag$ $1 $tag$, $1`, pgx.QueryExecModeSimpleProtocol, attackValue)
```

This is unlikely to occur outside of a contrived scenario.

##### Patches

The problem is resolved in v5.9.2.

##### Workarounds

Do not use the simple protocol to execute queries matching all the above
conditions.

#### Severity
- CVSS Score: 2.3 / 10 (Low)
- Vector String:
`CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References
- [https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx](https://redirect.github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx)
- 60644f8491
- [https://github.com/jackc/pgx/releases/tag/v5.9.2](https://redirect.github.com/jackc/pgx/releases/tag/v5.9.2)
- [https://github.com/advisories/GHSA-j88v-2chj-qfwx](https://redirect.github.com/advisories/GHSA-j88v-2chj-qfwx)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-j88v-2chj-qfwx)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>jackc/pgx (github.com/jackc/pgx/v5)</summary>

### [`v5.9.2`](https://redirect.github.com/jackc/pgx/compare/v5.9.1...v5.9.2)

[Compare Source](https://redirect.github.com/jackc/pgx/compare/v5.9.1...v5.9.2)

</details>


Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-28 05:48:43 +00:00
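An audit helper for the pgx advisory in the commit above, added here as an example (it is not code from pgx, Renovate or MCP Toolbox): it flags queries that meet conditions 1 to 3, a placeholder-like token inside a dollar-quoted literal on a simple-protocol call site. The function names are hypothetical, the sample queries are constructed, and it assumes standard-conforming strings (no backslash escapes); condition 4 still needs a manual data-flow review.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholderRe matches positional placeholders such as $1 or $12.
var placeholderRe = regexp.MustCompile(`\$[0-9]+`)

// openTagRe matches a dollar-quote delimiter at the start of its input: $$ or $tag$.
var openTagRe = regexp.MustCompile(`^\$([A-Za-z_][A-Za-z0-9_]*)?\$`)

func isIdentChar(c byte) bool {
	return c == '_' || c == '$' || (c >= '0' && c <= '9') ||
		(c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c >= 0x80
}

// skipQuoted returns the index just past a '...' literal or "..." identifier
// that starts at i; a doubled quote character is an escaped quote.
func skipQuoted(sql string, i int) int {
	q := sql[i]
	for j := i + 1; j < len(sql); j++ {
		if sql[j] == q {
			if j+1 < len(sql) && sql[j+1] == q {
				j++
				continue
			}
			return j + 1
		}
	}
	return len(sql)
}

// skipBlockComment returns the index just past a /* ... */ comment starting
// at i. PostgreSQL block comments nest, so depth is tracked.
func skipBlockComment(sql string, i int) int {
	depth := 0
	for i < len(sql) {
		switch {
		case strings.HasPrefix(sql[i:], "/*"):
			depth++
			i += 2
		case strings.HasPrefix(sql[i:], "*/"):
			depth--
			i += 2
			if depth == 0 {
				return i
			}
		default:
			i++
		}
	}
	return len(sql)
}

// placeholdersInDollarQuotes (hypothetical helper) returns every $N token
// that sits inside a dollar-quoted string literal of sql.
func placeholdersInDollarQuotes(sql string) []string {
	var hits []string
	for i := 0; i < len(sql); {
		switch {
		case strings.HasPrefix(sql[i:], "--"):
			nl := strings.IndexByte(sql[i:], '\n')
			if nl < 0 {
				return hits
			}
			i += nl + 1
		case strings.HasPrefix(sql[i:], "/*"):
			i = skipBlockComment(sql, i)
		case sql[i] == '\'' || sql[i] == '"':
			i = skipQuoted(sql, i)
		case sql[i] == '$' && (i == 0 || !isIdentChar(sql[i-1])):
			tag := openTagRe.FindString(sql[i:])
			if tag == "" { // a bare placeholder such as $1, not a literal
				i++
				continue
			}
			start := i + len(tag)
			body, next := sql[start:], len(sql)
			if end := strings.Index(sql[start:], tag); end >= 0 {
				body, next = sql[start:start+end], start+end+len(tag)
			}
			hits = append(hits, placeholderRe.FindAllString(body, -1)...)
			i = next
		default:
			i++
		}
	}
	return hits
}

// needsReview reports whether a call site meets conditions 1-3 of the advisory.
func needsReview(sql string, simpleProtocol bool) bool {
	return simpleProtocol && len(placeholdersInDollarQuotes(sql)) > 0
}

func main() {
	// Constructed sample queries; the first is the query text from the advisory.
	for _, q := range []string{"select $tag$ $1 $tag$, $1", "select $$ note $$, $1"} {
		fmt.Printf("%-30q review=%v\n", q, needsReview(q, true))
	}
}
```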
Jiahua Huang
8de9bcf1e2 feat(source/cloud-storage): add bucket and object management tools (#3129)
## Description

Adds four native Cloud Storage tools:

- `cloud-storage-list-buckets` for project bucket discovery
- `cloud-storage-get-object-metadata` for object metadata inspection
without reading payloads
- `cloud-storage-download-object` for downloading Cloud Storage objects
to the Toolbox server filesystem
- `cloud-storage-upload-object` for uploading server-local files to
Cloud Storage objects

This also wires the tool registrations, adds path validation and Cloud
Storage error classification for local file operations, expands unit and
integration coverage, and updates the Cloud Storage integration docs for
the new tool surface.

## PR Checklist

- [x] Make sure to open an issue as a bug/issue before writing your
code!
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

---------

Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-27 22:42:31 -07:00
Yuan Teoh
5243c7d400 chore(prebuiltconfigs): update prebuilt file to flat format (#3123)
Migrate prebuilt config to flat format.
2026-04-27 19:55:15 -07:00
Yuan Teoh
4476d7f550 ci: remove old bucket from release pipeline (#3122)
Remove old bucket from release pipeline. Moving forward, we will only
release binary to the new GCS bucket.

The old bucket will remain available, just without new releases.
2026-04-27 23:28:02 +00:00
Yuan Teoh
2280fe871c chore: update docs and logs to be more concise on security risks (#3125)
Update docs and logs to be more clear on security risks.

Related: #3113

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-04-25 05:36:56 +00:00
Yuan Teoh
8bc385d7d6 feat: add support for HTTPS/TLS listener (#3126)
This PR introduces the ability to run the Toolbox server over HTTPS.
While the server still defaults to HTTP for local development, users can
now enable TLS encryption via command-line flags. This is essential for
secure communication when the Toolbox is exposed over a network or used
in production-like environments.

**New Flags:**
* `--tls`: Boolean flag to enable HTTPS.
* `--tls-cert`: String flag specifying the path to the PEM-encoded
certificate file.
* `--tls-key`: String flag specifying the path to the PEM-encoded
private key file.

**Use Case: How the Server Obtains .pem Files**
In a typical deployment, the server does not generate these files
itself; it expects them to be provided by the environment.

1. Local Development: Users can use tools like mkcert to generate a
locally-trusted cert.pem and key.pem.
2. Production (Manual): Users obtain certificates from a Certificate
Authority (CA) like Let's Encrypt via Certbot. Certbot handles the
domain validation and saves the .pem files to a specific directory
(e.g., /etc/letsencrypt/live/).
3. Execution: The user starts the Toolbox and points it to those
specific paths:

    ```
    ./toolbox --tls --tls-cert=cert.pem --tls-key=key.pem
    ```

4. Loading: The server uses tls.LoadX509KeyPair to read these files from
the disk and injects them into the listener before the HTTP server
starts processing requests.

🛠️ Related https://github.com/googleapis/mcp-toolbox/issues/3113
2026-04-24 23:20:23 +00:00
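A pre-flight check an operator could run on the files passed to `--tls-cert` and `--tls-key` in the commit above, added here as an example (it is not the Toolbox's own code). `checkTLSFiles` and `writeSelfSigned` are hypothetical names, the owner-only key mode and TLS 1.2 minimum are assumed policy choices, the permission check is POSIX-only, and the certificate is a constructed self-signed one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

var (
	errKeyPerms     = errors.New("private key is accessible to group or others")
	errCertValidity = errors.New("certificate is not valid at the given time")
)

// checkTLSFiles (hypothetical helper) validates a PEM certificate/key pair
// before a listener is built from it and returns a ready-to-use tls.Config.
func checkTLSFiles(certPath, keyPath string, now time.Time) (*tls.Config, error) {
	info, err := os.Stat(keyPath)
	if err != nil {
		return nil, fmt.Errorf("stat key: %w", err)
	}
	// Assumed policy: the key must be readable by its owner only (e.g. 0600).
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("%w: %s has mode %04o", errKeyPerms, keyPath, uint32(perm))
	}
	// LoadX509KeyPair also fails when the key does not match the certificate.
	pair, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return nil, fmt.Errorf("load key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("parse leaf certificate: %w", err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("%w: valid %s to %s", errCertValidity,
			leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	return &tls.Config{
		Certificates: []tls.Certificate{pair},
		MinVersion:   tls.VersionTLS12, // assumed floor, not taken from the commit
	}, nil
}

// writeSelfSigned writes a constructed self-signed pair (cert.pem, key.pem)
// into dir so the check can be exercised offline.
func writeSelfSigned(dir string, notBefore, notAfter time.Time, keyMode os.FileMode) (string, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath := filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(certPath, certPEM, 0o644); err != nil {
		return "", "", err
	}
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
		return "", "", err
	}
	// Chmod explicitly so the resulting mode does not depend on the umask.
	return certPath, keyPath, os.Chmod(keyPath, keyMode)
}

func main() {
	dir, err := os.MkdirTemp("", "tlscheck")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	now := time.Now()
	cert, key, err := writeSelfSigned(dir, now.Add(-time.Hour), now.Add(24*time.Hour), 0o644)
	if err != nil {
		panic(err)
	}
	_, err = checkTLSFiles(cert, key, now)
	fmt.Println("world-readable key:", err)
}
```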
Jiahua Huang
da27b3754d feat(source/cloud-storage): add Cloud Storage source with list_objects and read_object tools (#3081)
## Description

Adds Google Cloud Storage as a first-class source in MCP Toolbox,
enabling LLM agents to work with objects across buckets in a GCP
project. The source is project-scoped and authenticates via Application
Default Credentials, mirroring Firestore/Bigtable.

This first PR ships the source plus two read-only tools from the
approved design (14 total):

- **`cloud-storage-list-objects`** — prefix filter, delimiter-based
grouping (returns `prefixes`), and pagination via `max_results` /
`page_token`. Passes through whatever metadata the GCS client returns
(`*storage.ObjectAttrs`) so we don't have to plumb new fields later.
- **`cloud-storage-read-object`** — reads an object's bytes, textual
data only, with optional HTTP-style byte ranges (`bytes=0-999`,
`bytes=-500`, `bytes=500-`).

GCS-aware error categorization (per
[DEVELOPER.md](../blob/main/DEVELOPER.md#tool-invocation--error-handling))
is implemented in a new `cloudstoragecommon` helper that maps GCS
sentinels and `*googleapi.Error` codes to Agent errors (missing
bucket/object, bad request, unsatisfiable range) vs. Server errors
(auth, IAM denial, quota, 5xx, context cancellation). This replaces the
coarse `util.ProcessGcpError` for the two new tools.

Remaining 12 tools from the design doc (`list_buckets`, `create_bucket`,
`copy/move/delete_object`, etc.) will land in follow-up PRs.

**CI note:** the `cloud-storage` shard in
`.ci/integration.cloudbuild.yaml` expects
`CLOUD_STORAGE_PROJECT=$PROJECT_ID` and requires the test service
account to have a Cloud Storage admin role in the test project.
Integration test self-manages its own UUID-suffixed bucket with
defer-based cleanup.

## PR Checklist

- [x] Make sure you reviewed
[CONTRIBUTING.md](https://github.com/googleapis/mcp-toolbox/blob/main/CONTRIBUTING.md)
- [x] Make sure to open an issue as a
[bug/issue](https://github.com/googleapis/mcp-toolbox/issues/new/choose)
before writing your code! That way we can discuss the change, evaluate
designs, and agree on the general idea (communicated internally)
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [x] Appropriate docs were updated (if necessary)
- [x] Make sure to add `!` if this involves a breaking change

## What's included

- New source: `internal/sources/cloudstorage/` (+ YAML-parse unit tests)
- Two tools: `internal/tools/cloudstorage/cloudstoragelistobjects/`,
`.../cloudstoragereadobject/` (+ YAML-parse + range-parser unit tests)
- New `cloudstoragecommon` error classifier (+ 17-case unit test
covering sentinels, HTTP statuses,
`context.Canceled`/`DeadlineExceeded`, and fallback)
- Integration test:
`tests/cloudstorage/cloud_storage_integration_test.go` — 12 sub-tests
against a real bucket (self-created, self-cleaned)
- Docs: `docs/en/integrations/cloud-storage/` (source + both tool pages;
passes `.ci/lint-docs-{source,tool}-page.sh`)
- CI shard: `cloud-storage` in `.ci/integration.cloudbuild.yaml`
- Dependency: `cloud.google.com/go/storage v1.62.1`

Opening as **draft** for initial review — happy to split the
error-classifier refactor into a separate commit if reviewers prefer.
2026-04-22 16:07:50 -07:00
dependabot[bot]
746d18f864 chore(deps): bump axios from 1.13.5 to 1.15.1 in /docs/en/documentation/getting-started/quickstart/js/llamaindex (#3104)
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/releases">axios's
releases</a>.</em></p>
<blockquote>
<h2>v1.15.1</h2>
<p>This release ships a coordinated set of security hardening fixes
across headers, body/redirect limits, multipart handling, and
XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes,
test migrations, and threat-model documentation updates.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Header Injection Hardening:</strong> Tightened validation
and sanitisation across request header construction to close the
header-injection attack surface. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10749">#10749</a></strong>)</li>
<li><strong>CRLF Stripping in Multipart Headers:</strong> Correctly
strips CR/LF from multipart header values to prevent injection via field
names and filenames. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10758">#10758</a></strong>)</li>
<li><strong>Prototype Pollution / Auth Bypass:</strong> Replaced unsafe
<code>in</code> checks with <code>hasOwnProperty</code> to prevent
authentication bypass via prototype pollution on config objects, with
additional regression tests. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10761">#10761</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10760">#10760</a></strong>)</li>
<li><strong><code>withXSRFToken</code> Truthy Bypass:</strong>
Short-circuits on any truthy non-boolean value, so an ambiguous config
no longer silently leaks the XSRF token cross-origin. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10762">#10762</a></strong>)</li>
<li><strong><code>maxBodyLength</code> With Zero Redirects:</strong>
Enforces <code>maxBodyLength</code> even when <code>maxRedirects</code>
is set to <code>0</code>, closing a bypass path for oversized request
bodies. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10753">#10753</a></strong>)</li>
<li><strong>Streamed Response <code>maxContentLength</code>
Bypass:</strong> Applies <code>maxContentLength</code> to streamed
responses that previously bypassed the cap. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10754">#10754</a></strong>)</li>
<li><strong>Follow-up CVE Completion:</strong> Completes an earlier
incomplete CVE fix to fully close the regression window. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10755">#10755</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>AI-Based Docs Translations:</strong> Initial scaffold for
AI-assisted translations of the documentation site. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10705">#10705</a></strong>)</li>
<li><strong><code>Location</code> Request Header Type:</strong> Adds
<code>Location</code> to <code>CommonRequestHeadersList</code> for
accurate typing of redirect-aware requests. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7528">#7528</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>FormData Handling:</strong> Removes
<code>Content-Type</code> when no boundary is present on
<code>FormData</code> fetch requests, supports multi-select fields,
cancels <code>request.body</code> instead of the source stream on fetch
abort, and fixes a recursion bug in form-data serialisation. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7314">#7314</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10676">#10676</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10702">#10702</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10726">#10726</a></strong>)</li>
<li><strong>HTTP Adapter:</strong> Handles socket-only request errors
without leaking keep-alive listeners. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10576">#10576</a></strong>)</li>
<li><strong>Progress Events:</strong> Clamps <code>loaded</code> to
<code>total</code> for computable upload/download progress events.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7458">#7458</a></strong>)</li>
<li><strong>Types:</strong> Aligns <code>runWhen</code> type with the
runtime behaviour in <code>InterceptorManager</code> and makes response
header keys case-insensitive. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7529">#7529</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10677">#10677</a></strong>)</li>
<li><strong><code>buildFullPath</code>:</strong> Uses strict equality in
the base/relative URL check. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7252">#7252</a></strong>)</li>
<li><strong><code>AxiosURLSearchParams</code> Regex:</strong> Improves
the regex used for param serialisation to avoid edge-case mismatches.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10736">#10736</a></strong>)</li>
<li><strong>Resilient Value Parsing:</strong> Parses out header/config
values instead of throwing on malformed input. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10687">#10687</a></strong>)</li>
<li><strong>Docs Artefact Cleanup:</strong> Removes the docs content
that was incorrectly committed. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10727">#10727</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>Threat Model &amp; Security Docs:</strong> Ongoing
refinement of <code>THREATMODEL.md</code>, including Hopper security
update, TLS and tag-replay wording, mitigation descriptions,
decompression-bomb guidance, and further cleanup. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10672">#10672</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10715">#10715</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10718">#10718</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10722">#10722</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10763">#10763</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10765">#10765</a></strong>)</li>
<li><strong>Test Coverage &amp; Migration:</strong> Expanded
<code>shouldBypassProxy</code> coverage for wildcard/IPv6/edge cases,
documented and tested <code>AxiosError.status</code>, and migrated
<code>progressEventReducer</code> tests to Vitest. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10723">#10723</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10725">#10725</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10741">#10741</a></strong>)</li>
<li><strong>Type Refactor:</strong> Uses TypeScript utility types to
deduplicate literal unions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7520">#7520</a></strong>)</li>
<li><strong>Repo &amp; CI:</strong> Adds <code>CODEOWNERS</code>,
switches v1.x releases to an ephemeral release branch, and removes
orphaned Bower support. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10739">#10739</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10738">#10738</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10746">#10746</a></strong>)</li>
<li><strong>Changelog Backfill:</strong> Added missing version entries
to the changelog. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10704">#10704</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped <code>follow-redirects</code>
(<code>1.15.11</code> → <code>1.16.0</code>) in root and docs,
<code>axios</code> (<code>1.14.0</code> → <code>1.15.0</code>) in docs,
and a group of 5 development dependencies. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10717">#10717</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10716">#10716</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10684">#10684</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10709">#10709</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/curiouscoder-cmd"><code>@​curiouscoder-cmd</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7252">#7252</a></strong>)</li>
<li><strong><a
href="https://github.com/tryonelove"><code>@​tryonelove</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7520">#7520</a></strong>)</li>
<li><strong><a
href="https://github.com/darwin808"><code>@​darwin808</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7314">#7314</a></strong>)</li>
<li><strong><a
href="https://github.com/zoontek"><code>@​zoontek</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10702">#10702</a></strong>)</li>
<li><strong><a
href="https://github.com/AKIB473"><code>@​AKIB473</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10725">#10725</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.15.0...v1.15.1">Full
Changelog</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v1.15.0 — April 7, 2026</h2>
<p>This release delivers two critical security patches targeting header
injection and SSRF via proxy bypass, adds official runtime support for
Deno and Bun, and includes significant CI security hardening.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li>
<p><strong>Header Injection (CRLF):</strong> Rejects any header value
containing <code>\r</code> or <code>\n</code> characters to block CRLF
injection chains that could be used to exfiltrate cloud metadata (IMDS).
Behavior change: headers with CR/LF now throw <code>&quot;Invalid
character in header content&quot;</code>. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</p>
</li>
<li>
<p><strong>SSRF via <code>no_proxy</code> Bypass:</strong> Introduces a
<code>shouldBypassProxy</code> helper that normalises hostnames (strips
trailing dots, handles bracketed IPv6) before evaluating
<code>no_proxy</code>/<code>NO_PROXY</code> rules, closing a gap that
could cause loopback or internal hosts to be inadvertently proxied.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</p>
</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Deno &amp; Bun Runtime Support:</strong> Added full smoke
test suites for Deno and Bun, with CI workflows that run both runtimes
before any release is cut. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Node.js v22 Compatibility:</strong> Replaced deprecated
<code>url.parse()</code> calls with the WHATWG
<code>URL</code>/<code>URLSearchParams</code> API across examples,
sandbox, and tests, eliminating <code>DEP0169</code> deprecation
warnings on Node.js v22+. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li>
<p><strong>CI Security Hardening:</strong> Added <a
href="https://github.com/zizmorcore/zizmor">zizmor</a> GitHub Actions
security scanner; switched npm publish to OIDC Trusted Publishing
(removing the long-lived <code>NODE_AUTH_TOKEN</code>); pinned all
action references to full commit SHAs; narrowed workflow permissions to
least privilege; gated the publish step behind a dedicated
<code>npm-publish</code> environment; and blocked the sponsor-block
workflow from running on forks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</p>
</li>
<li>
<p><strong>Docs:</strong> Clarified HTTP/2 support and the unsupported
<code>httpVersion</code> option; added documentation for header case
preservation; improved the <code>beforeRedirect</code> example to
prevent accidental credential leakage. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</p>
</li>
<li>
<p><strong>Dependencies:</strong> Bumped <code>picomatch</code>,
<code>handlebars</code>, <code>serialize-javascript</code>,
<code>vite</code> (×3), <code>denoland/setup-deno</code>, and 4
additional dev dependencies to latest versions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10564">#10564</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10565">#10565</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10567">#10567</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>)</p>
</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/Kilros0817"><code>@​Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/shaanmajid"><code>@​shaanmajid</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10617">#10617</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@​ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@​Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/raashish1601"><code>@​raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.14.0...v1.15.0">Full
Changelog</a></p>
<hr />
<h2>v1.14.0 — March 27, 2026</h2>
<p>This release fixes a security vulnerability in the
<code>formidable</code> dependency, resolves a CommonJS compatibility
regression, hardens proxy and HTTP/2 handling, and modernises the build
and test toolchain.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Formidable Vulnerability:</strong> Upgraded
<code>formidable</code> from v2 to v3 to address a reported
arbitrary-file vulnerability. Updated test server and assertions to
align with the v3 API. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7533">#7533</a></strong>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ac42446be5"><code>ac42446</code></a>
chore(release): prepare release 1.15.1 (<a
href="https://redirect.github.com/axios/axios/issues/10767">#10767</a>)</li>
<li><a
href="908f2206b6"><code>908f220</code></a>
docs: update threatmodel (<a
href="https://redirect.github.com/axios/axios/issues/10765">#10765</a>)</li>
<li><a
href="f93f815525"><code>f93f815</code></a>
docs: added docs around potential decompressions bomb (<a
href="https://redirect.github.com/axios/axios/issues/10763">#10763</a>)</li>
<li><a
href="1728aa1b15"><code>1728aa1</code></a>
fix: short-circuits on any truthy non-boolean in withXSRFToken (<a
href="https://redirect.github.com/axios/axios/issues/10762">#10762</a>)</li>
<li><a
href="42eb721eeb"><code>42eb721</code></a>
fix: replace in with has own prop util (<a
href="https://redirect.github.com/axios/axios/issues/10761">#10761</a>)</li>
<li><a
href="75873270a5"><code>7587327</code></a>
fix: strip crlf correctly (<a
href="https://redirect.github.com/axios/axios/issues/10758">#10758</a>)</li>
<li><a
href="f0b98673b3"><code>f0b9867</code></a>
chore: added additional testing for this issue (<a
href="https://redirect.github.com/axios/axios/issues/10760">#10760</a>)</li>
<li><a
href="e033f243a0"><code>e033f24</code></a>
fix: incomplete fix for cve (<a
href="https://redirect.github.com/axios/axios/issues/10755">#10755</a>)</li>
<li><a
href="e8904af033"><code>e8904af</code></a>
fix: stream response bypassed max content length (<a
href="https://redirect.github.com/axios/axios/issues/10754">#10754</a>)</li>
<li><a
href="1c7f6d76e5"><code>1c7f6d7</code></a>
fix: enforce max body length when max redirects is 0 (<a
href="https://redirect.github.com/axios/axios/issues/10753">#10753</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/axios/axios/compare/v1.13.5...v1.15.1">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=1.13.5&new-version=1.15.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/googleapis/mcp-toolbox/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-22 13:05:37 -07:00
Mend Renovate
c604fdcc4c chore(deps): update actions/setup-node digest to 48b55a0 (#3102)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node) ([changelog](53b83947a5..48b55a011b)) | action | digest | `53b8394` → `48b55a0` |

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/mcp-toolbox).

2026-04-22 12:55:15 -07:00
Mend Renovate
2375ffcff1 chore(deps): update module github.com/snowflakedb/gosnowflake to v2 (#2618)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/snowflakedb/gosnowflake](https://redirect.github.com/snowflakedb/gosnowflake) | `v1.18.1` → `v2.0.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsnowflakedb%2fgosnowflake/v2.0.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsnowflakedb%2fgosnowflake/v1.18.1/v2.0.0?slim=true) |

---

### Release Notes

<details>
<summary>snowflakedb/gosnowflake
(github.com/snowflakedb/gosnowflake)</summary>

###
[`v2.0.0`](https://redirect.github.com/snowflakedb/gosnowflake/releases/tag/v2.0.0):
Release

[Compare
Source](https://redirect.github.com/snowflakedb/gosnowflake/compare/v1.19.0...v2.0.0)

- Please check Snowflake [Go Snowflake for release
notes](https://docs.snowflake.com/en/release-notes/clients-drivers/golang).

###
[`v1.19.0`](https://redirect.github.com/snowflakedb/gosnowflake/releases/tag/v1.19.0):
Release

[Compare
Source](https://redirect.github.com/snowflakedb/gosnowflake/compare/v1.18.1...v1.19.0)

- Please check Snowflake [Go Snowflake for release
notes](https://docs.snowflake.com/en/release-notes/clients-drivers/golang).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/genai-toolbox).


Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
2026-04-20 18:32:03 +00:00
Toka Nani
fbe87de05c docs: fix typo in extensions command in README (#3096)
### 🛠️ Fix typo in Gemini CLI section

This pull request fixes a typo in the **Gemini CLI** section of the
README.

* Corrected `/exttensions list` → `/extensions list`

### Why this change?

The incorrect command may confuse users when trying to list extensions
in the CLI.

### 📌 Scope

* Documentation update only
* No code changes

---

Let me know if any changes are needed.

Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
2026-04-20 17:51:10 +00:00
Jack Larch
7ed92c8023 fix(tools/bigquery-execute-sql): avoid surfacing invalid queries as MCP 500s (#3056)
## Description

Route `bigquery-execute-sql` dry-run validation failures through the
shared GCP error processor instead of hardcoding them as internal server
errors.

This keeps normal BigQuery query mistakes in the tool-error path rather
than escalating them into MCP transport failures.

## PR Checklist

- [x] Make sure you reviewed
[CONTRIBUTING.md](https://github.com/googleapis/mcp-toolbox/blob/main/CONTRIBUTING.md)
- [x] Make sure to open an issue as a
[bug/issue](https://github.com/googleapis/mcp-toolbox/issues/new/choose)
before writing your code! That way we can discuss the change, evaluate
designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change

Notes:
- I could not run `go test` locally in this environment because the Go
toolchain is not installed on this machine.
- I added a focused regression test around `ProcessGcpError` so the
intended classification is explicit in CI.

🛠️ Fixes #3055

Made with [Cursor](https://cursor.com)

Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
2026-04-20 17:31:35 +00:00
Steven van Rossum
6b860f4486 fix(sources/postgres): apply URL encoding to query string params (#3020)
## Description

Fixes a URL encoding issue in PostgreSQL connection strings. Keys and
values of query parameter maps are currently not escaped during
encoding, which could result in misconfiguration and poses a minor
security risk if the specification of query parameter maps were to be
restricted by the application or deployment tooling.

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [x] Make sure you reviewed
  [CONTRIBUTING.md](https://github.com/googleapis/mcp-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a
  [bug/issue](https://github.com/googleapis/mcp-toolbox/issues/new/choose)
  before writing your code! That way we can discuss the change, evaluate
  designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change

🛠️ Fixes #<issue_number_goes_here>

---------

Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-17 18:44:29 +00:00
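
The encoding issue described in the commit message above, shown as an added example that is not the project's own code: a connection string built by plain concatenation beside one built with `net/url`. The function names, host, credentials and parameter values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// naiveConnString joins the parameter map with "=" and "&" without escaping.
// It models the unescaped behaviour the commit message describes; it is a
// hypothetical helper, not a copy of the project's code.
func naiveConnString(user, pass, host, db string, params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+params[k])
	}
	return fmt.Sprintf("postgres://%s:%s@%s/%s?%s", user, pass, host, db, strings.Join(parts, "&"))
}

// encodedConnString percent-encodes every key and value via url.Values, so
// reserved characters such as "&" and "=" stay inside the value they came from.
func encodedConnString(user, pass, host, db string, params map[string]string) string {
	q := url.Values{}
	for k, v := range params {
		q.Set(k, v)
	}
	u := url.URL{
		Scheme:   "postgres",
		User:     url.UserPassword(user, pass),
		Host:     host,
		Path:     "/" + db,
		RawQuery: q.Encode(), // Encode sorts by key and escapes keys and values
	}
	return u.String()
}

// parseParams returns the query parameters a URL-style parser sees.
func parseParams(conn string) (url.Values, error) {
	u, err := url.Parse(conn)
	if err != nil {
		return nil, err
	}
	return u.Query(), nil
}

// keysOf returns the parameter names in sorted order.
func keysOf(v url.Values) []string {
	keys := make([]string, 0, len(v))
	for k := range v {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	// Constructed input: one configured parameter whose value contains
	// query-string metacharacters.
	params := map[string]string{"application_name": "reports&sslmode=disable"}

	for _, conn := range []string{
		naiveConnString("app", "s3cret", "db.internal:5432", "appdb", params),
		encodedConnString("app", "s3cret", "db.internal:5432", "appdb", params),
	} {
		got, err := parseParams(conn)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Println(conn)
		fmt.Println("  parameters seen by the parser:", keysOf(got))
	}
}
```

With the unescaped builder the parser sees two parameters where the configuration supplied one, which is how a check that only restricts parameter names can be sidestepped; the encoded form keeps the whole string as the value of `application_name`.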
Yuan Teoh
eb4036f61f chore: avoid silent exit by printing server error (#3095)
Printing server startup error if an error was discovered. Previously it
would just exit silently if there's an unknown flag caught by Cobra.

🛠️ Fixes #3063

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2026-04-17 18:30:26 +00:00
Yuan Teoh
36ab2a98f9 fix: allow converting string literal block with list (#3050)
This PR updates the following: 
* Fix YAML String Block Conversion: Resolved an issue where multiline
strings (like tool descriptions) containing list syntax were being
re-encoded as double-quoted strings with explicit \n characters. They
now correctly use the | literal block style as expected.
```
description: |
  this is the description
  this tool uses the following parameter:
  - param_1
  - param_2

# will turn into 

description: "this is the description\nthis tool uses the following parameter:\n-param_1\n-param_2"
```
* Updated the converter to identify and retain initial comment
lines/license headers at the top of configuration files.
* Updated migration completion status to reflect "ended" state.
* Update to use "v1" -> "nested format" and "v2" -> "flat format"
* Remove "authSources" when checking for keys. We had previously removed
support for "authSources".

Fixes #3023
2026-04-17 18:03:31 +00:00
Wenxin Du
9859f4e10b docs: add read-only configuration guide (#3094) 2026-04-17 13:45:25 -04:00
dependabot[bot]
4a9abe8e40 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docs/en/documentation/getting-started/quickstart/js/adk (#3090)
Bumps
[follow-redirects](https://github.com/follow-redirects/follow-redirects)
from 1.15.11 to 1.16.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0c23a22306"><code>0c23a22</code></a>
Release version 1.16.0 of the npm package.</li>
<li><a
href="844c4d302a"><code>844c4d3</code></a>
Add sensitiveHeaders option.</li>
<li><a
href="5e8b8d024e"><code>5e8b8d0</code></a>
ci: add Node.js 24.x to the CI matrix</li>
<li><a
href="7953e2255a"><code>7953e22</code></a>
ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6</li>
<li><a
href="86dc1f86e4"><code>86dc1f8</code></a>
Sanitizing input.</li>
<li>See full diff in <a
href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=follow-redirects&package-manager=npm_and_yarn&previous-version=1.15.11&new-version=1.16.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-17 00:25:13 +00:00
dependabot[bot]
86c02be649 chore(deps): bump protobufjs from 7.5.4 to 7.5.5 in /docs/en/documentation/configuration/pre-post-processing/js/adk (#3089)
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.4
to 7.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md">protobufjs's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v8.0.0...protobufjs-v8.0.1">8.0.1</a>
(2026-03-11)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>bump protobufjs dependency version for cli package (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2128">#2128</a>)
(<a
href="549b05ecd9">549b05e</a>)</li>
<li>correct json syntax in tsconfig.json (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2120">#2120</a>)
(<a
href="80656255c7">8065625</a>)</li>
<li><strong>descriptor:</strong> guard oneof index for non-Type parents
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2122">#2122</a>)
(<a
href="1cac5cf811">1cac5cf</a>)</li>
<li>do not allow setting <strong>proto</strong> in Message constructor
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)
(<a
href="f05e3c3bdd">f05e3c3</a>)</li>
<li>filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)
(<a
href="535df444ac">535df44</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v8.0.0">8.0.0</a>
(2025-12-16)</h2>
<h3>⚠ BREAKING CHANGES</h3>
<ul>
<li>add Edition 2024 Support (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2060">#2060</a>)</li>
</ul>
<h3>Features</h3>
<ul>
<li>add Edition 2024 Support (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2060">#2060</a>)
(<a
href="53e8492cba">53e8492</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b7bdfaf91d"><code>b7bdfaf</code></a>
chore: release 7.5.5</li>
<li><a
href="ff7b2afef8"><code>ff7b2af</code></a>
fix: filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)</li>
<li><a
href="086b19d00d"><code>086b19d</code></a>
fix: do not allow setting <strong>proto</strong> in Message constructor
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)</li>
<li>See full diff in <a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~fenster">fenster</a>, a new releaser for
protobufjs since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=protobufjs&package-manager=npm_and_yarn&previous-version=7.5.4&new-version=7.5.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 17:24:34 -07:00
dependabot[bot]
f22b66446f chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docs/en/documentation/getting-started/quickstart/js/genkit (#3088)
Bumps
[follow-redirects](https://github.com/follow-redirects/follow-redirects)
from 1.15.11 to 1.16.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0c23a22306"><code>0c23a22</code></a>
Release version 1.16.0 of the npm package.</li>
<li><a
href="844c4d302a"><code>844c4d3</code></a>
Add sensitiveHeaders option.</li>
<li><a
href="5e8b8d024e"><code>5e8b8d0</code></a>
ci: add Node.js 24.x to the CI matrix</li>
<li><a
href="7953e2255a"><code>7953e22</code></a>
ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6</li>
<li><a
href="86dc1f86e4"><code>86dc1f8</code></a>
Sanitizing input.</li>
<li>See full diff in <a
href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=follow-redirects&package-manager=npm_and_yarn&previous-version=1.15.11&new-version=1.16.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-17 00:24:02 +00:00
dependabot[bot]
4711058584 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docs/en/documentation/getting-started/quickstart/js/genAI (#3087)
Bumps
[follow-redirects](https://github.com/follow-redirects/follow-redirects)
from 1.15.11 to 1.16.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0c23a22306"><code>0c23a22</code></a>
Release version 1.16.0 of the npm package.</li>
<li><a
href="844c4d302a"><code>844c4d3</code></a>
Add sensitiveHeaders option.</li>
<li><a
href="5e8b8d024e"><code>5e8b8d0</code></a>
ci: add Node.js 24.x to the CI matrix</li>
<li><a
href="7953e2255a"><code>7953e22</code></a>
ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6</li>
<li><a
href="86dc1f86e4"><code>86dc1f8</code></a>
Sanitizing input.</li>
<li>See full diff in <a
href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=follow-redirects&package-manager=npm_and_yarn&previous-version=1.15.11&new-version=1.16.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-17 00:23:27 +00:00
dependabot[bot]
a078377312 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docs/en/documentation/getting-started/quickstart/js/langchain (#3086)
Bumps
[follow-redirects](https://github.com/follow-redirects/follow-redirects)
from 1.15.11 to 1.16.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0c23a22306"><code>0c23a22</code></a>
Release version 1.16.0 of the npm package.</li>
<li><a
href="844c4d302a"><code>844c4d3</code></a>
Add sensitiveHeaders option.</li>
<li><a
href="5e8b8d024e"><code>5e8b8d0</code></a>
ci: add Node.js 24.x to the CI matrix</li>
<li><a
href="7953e2255a"><code>7953e22</code></a>
ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6</li>
<li><a
href="86dc1f86e4"><code>86dc1f8</code></a>
Sanitizing input.</li>
<li>See full diff in <a
href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=follow-redirects&package-manager=npm_and_yarn&previous-version=1.15.11&new-version=1.16.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 17:23:02 -07:00
dependabot[bot]
98e4ddf0bb chore(deps): bump protobufjs from 7.5.4 to 7.5.5 in /docs/en/documentation/getting-started/quickstart/js/genkit (#3085)
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.5.4
to 7.5.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md">protobufjs's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v8.0.0...protobufjs-v8.0.1">8.0.1</a>
(2026-03-11)</h2>
<h3>Bug Fixes</h3>
<ul>
<li>bump protobufjs dependency version for cli package (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2128">#2128</a>)
(<a
href="549b05ecd9">549b05e</a>)</li>
<li>correct json syntax in tsconfig.json (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2120">#2120</a>)
(<a
href="80656255c7">8065625</a>)</li>
<li><strong>descriptor:</strong> guard oneof index for non-Type parents
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2122">#2122</a>)
(<a
href="1cac5cf811">1cac5cf</a>)</li>
<li>do not allow setting __proto__ in Message constructor
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)
(<a
href="f05e3c3bdd">f05e3c3</a>)</li>
<li>filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)
(<a
href="535df444ac">535df44</a>)</li>
</ul>
<h2><a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v8.0.0">8.0.0</a>
(2025-12-16)</h2>
<h3>⚠ BREAKING CHANGES</h3>
<ul>
<li>add Edition 2024 Support (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2060">#2060</a>)</li>
</ul>
<h3>Features</h3>
<ul>
<li>add Edition 2024 Support (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2060">#2060</a>)
(<a
href="53e8492cba">53e8492</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="b7bdfaf91d"><code>b7bdfaf</code></a>
chore: release 7.5.5</li>
<li><a
href="ff7b2afef8"><code>ff7b2af</code></a>
fix: filter invalid characters from the type name (<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2127">#2127</a>)</li>
<li><a
href="086b19d00d"><code>086b19d</code></a>
fix: do not allow setting __proto__ in Message constructor
(<a
href="https://redirect.github.com/protobufjs/protobuf.js/issues/2126">#2126</a>)</li>
<li>See full diff in <a
href="https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.5.4...protobufjs-v7.5.5">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~fenster">fenster</a>, a new releaser for
protobufjs since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=protobufjs&package-manager=npm_and_yarn&previous-version=7.5.4&new-version=7.5.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 17:22:30 -07:00
dependabot[bot]
5e624b4166 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docs/en/documentation/configuration/pre-post-processing/js/langchain (#3084)
Bumps
[follow-redirects](https://github.com/follow-redirects/follow-redirects)
from 1.15.11 to 1.16.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0c23a22306"><code>0c23a22</code></a>
Release version 1.16.0 of the npm package.</li>
<li><a
href="844c4d302a"><code>844c4d3</code></a>
Add sensitiveHeaders option.</li>
<li><a
href="5e8b8d024e"><code>5e8b8d0</code></a>
ci: add Node.js 24.x to the CI matrix</li>
<li><a
href="7953e2255a"><code>7953e22</code></a>
ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6</li>
<li><a
href="86dc1f86e4"><code>86dc1f8</code></a>
Sanitizing input.</li>
<li>See full diff in <a
href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=follow-redirects&package-manager=npm_and_yarn&previous-version=1.15.11&new-version=1.16.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 17:21:50 -07:00
Mend Renovate
d1c36e8c38 chore(deps): update go (#3015)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | Type | Update | Pending |
|---|---|---|---|---|---|---|
| [cloud.google.com/go/bigtable](https://redirect.github.com/googleapis/google-cloud-go) | `v1.45.0` → `v1.46.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fbigtable/v1.46.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fbigtable/v1.45.0/v1.46.0?slim=true) | require | minor | |
| [cloud.google.com/go/dataplex](https://redirect.github.com/googleapis/google-cloud-go) | `v1.30.0` → `v1.32.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fdataplex/v1.32.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fdataplex/v1.30.0/v1.32.0?slim=true) | require | minor | |
| [cloud.google.com/go/dataproc/v2](https://redirect.github.com/googleapis/google-cloud-go) | `v2.17.0` → `v2.19.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fdataproc%2fv2/v2.19.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fdataproc%2fv2/v2.17.0/v2.19.0?slim=true) | require | minor | |
| [cloud.google.com/go/geminidataanalytics](https://redirect.github.com/googleapis/google-cloud-go) | `v0.9.0` → `v0.11.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fgeminidataanalytics/v0.11.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fgeminidataanalytics/v0.9.0/v0.11.0?slim=true) | require | minor | |
| [cloud.google.com/go/logging](https://redirect.github.com/googleapis/google-cloud-go) | `v1.13.2` → `v1.16.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2flogging/v1.16.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2flogging/v1.13.2/v1.16.0?slim=true) | require | minor | |
| [cloud.google.com/go/longrunning](https://redirect.github.com/googleapis/google-cloud-go) | `v0.9.0` → `v0.11.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2flongrunning/v0.11.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2flongrunning/v0.9.0/v0.11.0?slim=true) | require | minor | |
| [github.com/ClickHouse/clickhouse-go/v2](https://redirect.github.com/ClickHouse/clickhouse-go) | `v2.44.0` → `v2.45.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fClickHouse%2fclickhouse-go%2fv2/v2.45.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fClickHouse%2fclickhouse-go%2fv2/v2.44.0/v2.45.0?slim=true) | require | minor | |
| [github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go) | `v0.55.0` → `v0.56.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fGoogleCloudPlatform%2fopentelemetry-operations-go%2fexporter%2fmetric/v0.56.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fGoogleCloudPlatform%2fopentelemetry-operations-go%2fexporter%2fmetric/v0.55.0/v0.56.0?slim=true) | require | minor | |
| [github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go) | `v1.31.0` → `v1.32.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fGoogleCloudPlatform%2fopentelemetry-operations-go%2fexporter%2ftrace/v1.32.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fGoogleCloudPlatform%2fopentelemetry-operations-go%2fexporter%2ftrace/v1.31.0/v1.32.0?slim=true) | require | minor | |
| [github.com/snowflakedb/gosnowflake](https://redirect.github.com/snowflakedb/gosnowflake) | `v1.19.0` → `v1.19.1` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fsnowflakedb%2fgosnowflake/v1.19.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fsnowflakedb%2fgosnowflake/v1.19.0/v1.19.1?slim=true) | require | patch | |
| [github.com/testcontainers/testcontainers-go](https://redirect.github.com/testcontainers/testcontainers-go) | `v0.41.0` → `v0.42.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2ftestcontainers%2ftestcontainers-go/v0.42.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2ftestcontainers%2ftestcontainers-go/v0.41.0/v0.42.0?slim=true) | require | minor | |
| [github.com/testcontainers/testcontainers-go/modules/cockroachdb](https://redirect.github.com/testcontainers/testcontainers-go) | `v0.41.0` → `v0.42.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2ftestcontainers%2ftestcontainers-go%2fmodules%2fcockroachdb/v0.42.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2ftestcontainers%2ftestcontainers-go%2fmodules%2fcockroachdb/v0.41.0/v0.42.0?slim=true) | require | minor | |
| [github.com/testcontainers/testcontainers-go/modules/couchbase](https://redirect.github.com/testcontainers/testcontainers-go) | `v0.41.0` → `v0.42.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2ftestcontainers%2ftestcontainers-go%2fmodules%2fcouchbase/v0.42.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2ftestcontainers%2ftestcontainers-go%2fmodules%2fcouchbase/v0.41.0/v0.42.0?slim=true) | require | minor | |
| [github.com/valkey-io/valkey-go](https://redirect.github.com/valkey-io/valkey-go) | `v1.0.73` → `v1.0.74` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fvalkey-io%2fvalkey-go/v1.0.74?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fvalkey-io%2fvalkey-go/v1.0.73/v1.0.74?slim=true) | require | patch | |
| [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | `1.26.1` → `1.26.2` | ![age](https://developer.mend.io/api/mc/badges/age/golang-version/go/1.26.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/golang-version/go/1.26.1/1.26.2?slim=true) | toolchain | patch | |
| [go.opentelemetry.io/contrib/propagators/autoprop](https://redirect.github.com/open-telemetry/opentelemetry-go-contrib) | `v0.67.0` → `v0.68.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/go.opentelemetry.io%2fcontrib%2fpropagators%2fautoprop/v0.68.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/go.opentelemetry.io%2fcontrib%2fpropagators%2fautoprop/v0.67.0/v0.68.0?slim=true) | require | minor | |
| [google.golang.org/api](https://redirect.github.com/googleapis/google-api-go-client) | `v0.274.0` → `v0.275.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fapi/v0.275.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fapi/v0.274.0/v0.275.0?slim=true) | require | minor | `v0.276.0` |
| [google.golang.org/genai](https://redirect.github.com/googleapis/go-genai) | `v1.52.1` → `v1.54.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgenai/v1.54.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgenai/v1.52.1/v1.54.0?slim=true) | require | minor | |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `v1.48.1` → `v1.48.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/modernc.org%2fsqlite/v1.48.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/modernc.org%2fsqlite/v1.48.1/v1.48.2?slim=true) | require | patch | |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/363) for more information.

---

### Release Notes

<details>
<summary>googleapis/google-cloud-go
(cloud.google.com/go/geminidataanalytics)</summary>

###
[`v0.11.0`](https://redirect.github.com/googleapis/google-cloud-go/blob/HEAD/CHANGES.md#v0110)

[Compare
Source](https://redirect.github.com/googleapis/google-cloud-go/compare/v0.10.0...v0.11.0)

- Clients for spanner, pubsub and video are now in beta.

- New client for DLP.

- spanner: performance and testing improvements.

- storage: requester-pays buckets are supported.

- storage, profiler, bigtable, bigquery: bug fixes and other minor
improvements.

- pubsub: bug fixes and other minor improvements

###
[`v0.10.0`](https://redirect.github.com/googleapis/google-cloud-go/blob/HEAD/CHANGES.md#v0100)

[Compare
Source](https://redirect.github.com/googleapis/google-cloud-go/compare/v0.9.0...v0.10.0)

- pubsub: Subscription.ModifyPushConfig replaced with
Subscription.Update.

- pubsub: Subscription.Receive now runs concurrently for higher
throughput.

- vision: cloud.google.com/go/vision is deprecated. Use
  cloud.google.com/go/vision/apiv1 instead.

- translation: now stable.

- trace: several changes to the surface. See the link below.

##### Code changes required from v0.9.0

- pubsub: Replace

  ```
  sub.ModifyPushConfig(ctx, pubsub.PushConfig{Endpoint: "https://example.com/push"})
  ```

  with

  ```
  sub.Update(ctx, pubsub.SubscriptionConfigToUpdate{
      PushConfig: &pubsub.PushConfig{Endpoint: "https://example.com/push"},
  })
  ```

- trace: traceGRPCServerInterceptor will be provided from \*trace.Client.
  Given an initialized `*trace.Client` named `tc`, instead of

  ```
  s := grpc.NewServer(grpc.UnaryInterceptor(trace.GRPCServerInterceptor(tc)))
  ```

  write

  ```
  s := grpc.NewServer(grpc.UnaryInterceptor(tc.GRPCServerInterceptor()))
  ```

- trace: trace.GRPCClientInterceptor will also be provided from \*trace.Client.
  Instead of

  ```
  conn, err := grpc.Dial(srv.Addr, grpc.WithUnaryInterceptor(trace.GRPCClientInterceptor()))
  ```

  write

  ```
  conn, err := grpc.Dial(srv.Addr, grpc.WithUnaryInterceptor(tc.GRPCClientInterceptor()))
  ```

- trace: We removed the deprecated `trace.EnableGRPCTracing`. Use the gRPC
  interceptor as a dial option as shown below when initializing Cloud package
  clients:

  ```
  c, err := pubsub.NewClient(ctx, "project-id",
      option.WithGRPCDialOption(grpc.WithUnaryInterceptor(tc.GRPCClientInterceptor())))
  if err != nil {
      ...
  }
  ```

</details>

<details>
<summary>ClickHouse/clickhouse-go
(github.com/ClickHouse/clickhouse-go/v2)</summary>

###
[`v2.45.0`](https://redirect.github.com/ClickHouse/clickhouse-go/blob/HEAD/CHANGELOG.md#v2450-2026-04-13----Release-notes-generated-using-configuration-in-githubreleaseyml-at-main---)

[Compare
Source](https://redirect.github.com/ClickHouse/clickhouse-go/compare/v2.44.0...v2.45.0)

#### What's Changed

##### Bug Fixes 🐛

- fix: set req.Host for Host header in HTTP transport by
[@binger-li-dd](https://redirect.github.com/binger-li-dd) in
[#1826](https://redirect.github.com/ClickHouse/clickhouse-go/pull/1826)

##### Other Changes 🛠

- chore: pass explicity github token for claude review by
[@kavirajk](https://redirect.github.com/kavirajk) in
[#1818](https://redirect.github.com/ClickHouse/clickhouse-go/pull/1818)

#### New Contributors

- [@binger-li-dd](https://redirect.github.com/binger-li-dd) made
their first contribution in
[#1826](https://redirect.github.com/ClickHouse/clickhouse-go/pull/1826)

**Full Changelog**:
<https://github.com/ClickHouse/clickhouse-go/compare/v2.44.0...v2.45.0>

</details>

<details>
<summary>GoogleCloudPlatform/opentelemetry-operations-go
(github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric)</summary>

###
[`v0.56.0`](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/releases/tag/v0.56.0):
v1.32.0/v0.56.0

[Compare
Source](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/compare/v0.55.0...v0.56.0)

#### What's Changed

- Support universe domains in collector exporter client configuration by
[@dashpole](https://redirect.github.com/dashpole) in
[#1097](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1097)
- Don't pass credentials fetched using FindDefaultCredentials by
[@dashpole](https://redirect.github.com/dashpole) in
[#1098](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1098)
- googleclientauthextension: support Proxy-Authorization header by
[@lindeskar](https://redirect.github.com/lindeskar) in
[#1105](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1105)
- Improve unit tests for gcp auth extension by
[@dashpole](https://redirect.github.com/dashpole) in
[#1103](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1103)
- Allow providing a context to create the monitoring client by
[@dashpole](https://redirect.github.com/dashpole) in
[#1096](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1096)
- Add support for go 1.26 by
[@dashpole](https://redirect.github.com/dashpole) in
[#1107](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1107)
- chore(deps): update module golang.org/x/crypto to v0.45.0 \[security]
by [@renovate-bot](https://redirect.github.com/renovate-bot) in
[#1102](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1102)
- Don't allow modifying the default scopes by
[@dashpole](https://redirect.github.com/dashpole) in
[#1109](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1109)
- Ignore versions in the user agent header when comparing fixtures by
[@dashpole](https://redirect.github.com/dashpole) in
[#1115](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1115)
- Bump go version to resolve govulncheck failures by
[@dashpole](https://redirect.github.com/dashpole) in
[#1114](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1114)
- Separate out govulncheck into its own CI job by
[@dashpole](https://redirect.github.com/dashpole) in
[#1113](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1113)
- Normalize user agents in span attributes as well by
[@dashpole](https://redirect.github.com/dashpole) in
[#1117](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1117)
- fix(deps): update module google.golang.org/grpc to v1.79.3 \[security]
by [@jefferbrecht](https://redirect.github.com/jefferbrecht) in
[#1131](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1131)
- Prepare for v1.32.0/v0.56.0 by
[@dashpole](https://redirect.github.com/dashpole) in
[#1132](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1132)

#### New Contributors

- [@lindeskar](https://redirect.github.com/lindeskar) made their
first contribution in
[#1105](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1105)
- [@jefferbrecht](https://redirect.github.com/jefferbrecht) made
their first contribution in
[#1131](https://redirect.github.com/GoogleCloudPlatform/opentelemetry-operations-go/pull/1131)

**Full Changelog**:
<https://github.com/GoogleCloudPlatform/opentelemetry-operations-go/compare/v0.55.0...v0.56.0>

</details>

<details>
<summary>snowflakedb/gosnowflake
(github.com/snowflakedb/gosnowflake)</summary>

###
[`v1.19.1`](https://redirect.github.com/snowflakedb/gosnowflake/releases/tag/v1.19.1):
Release

[Compare
Source](https://redirect.github.com/snowflakedb/gosnowflake/compare/v1.19.0...v1.19.1)

- Please check Snowflake [Go Snowflake for release
notes](https://docs.snowflake.com/en/release-notes/clients-drivers/golang).

</details>

<details>
<summary>testcontainers/testcontainers-go
(github.com/testcontainers/testcontainers-go)</summary>

###
[`v0.42.0`](https://redirect.github.com/testcontainers/testcontainers-go/releases/tag/v0.42.0)

[Compare
Source](https://redirect.github.com/testcontainers/testcontainers-go/compare/v0.41.0...v0.42.0)

### What's Changed

#### ⚠️ Breaking Changes

- chore!: migrate to moby modules
([#3591](https://redirect.github.com/testcontainers/testcontainers-go/issues/3591))
[@thaJeztah](https://redirect.github.com/thaJeztah)

#### 🔒 Security

- chore(deps): bump moby/client v0.4.0, moby/api v1.54.1
([#3634](https://redirect.github.com/testcontainers/testcontainers-go/issues/3634))
[@thaJeztah](https://redirect.github.com/thaJeztah)

#### 🐛 Bug Fixes

- fix: return an error when docker host cannot be retrieved
([#3613](https://redirect.github.com/testcontainers/testcontainers-go/issues/3613))
[@ash2k](https://redirect.github.com/ash2k)

#### 🧹 Housekeeping

- chore: gitignore Gas Town agent artifacts
([#3633](https://redirect.github.com/testcontainers/testcontainers-go/issues/3633))
[@mdelapenya](https://redirect.github.com/mdelapenya)
- fix(usage-metrics): include last release in the legend pop over
([#3630](https://redirect.github.com/testcontainers/testcontainers-go/issues/3630))
[@mdelapenya](https://redirect.github.com/mdelapenya)
- chore: update usage metrics (2026-04)
([#3621](https://redirect.github.com/testcontainers/testcontainers-go/issues/3621))
@[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
- fix(usage-metrics): order of actions matters
([#3623](https://redirect.github.com/testcontainers/testcontainers-go/issues/3623))
[@mdelapenya](https://redirect.github.com/mdelapenya)
- fix(usage-metrics): reduce rate-limit cascade errors
([#3622](https://redirect.github.com/testcontainers/testcontainers-go/issues/3622))
[@mdelapenya](https://redirect.github.com/mdelapenya)
- fix(usage-metrics): replace the per-version inline retry with a
multi-pass approach
([#3620](https://redirect.github.com/testcontainers/testcontainers-go/issues/3620))
[@mdelapenya](https://redirect.github.com/mdelapenya)

#### 📦 Dependency updates

- chore(deps): bump
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from
1.28.0 to 1.43.0 in /modules/grafana-lgtm
([#3639](https://redirect.github.com/testcontainers/testcontainers-go/issues/3639))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from
1.42.0 to 1.43.0 in /modules/compose
([#3641](https://redirect.github.com/testcontainers/testcontainers-go/issues/3641))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from
1.42.0 to 1.43.0 in /modules/compose
([#3645](https://redirect.github.com/testcontainers/testcontainers-go/issues/3645))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump mkdocs-include-markdown-plugin from 7.2.1 to 7.2.2
([#3626](https://redirect.github.com/testcontainers/testcontainers-go/issues/3626))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.2
to 1.97.3 in /modules/localstack
([#3638](https://redirect.github.com/testcontainers/testcontainers-go/issues/3638))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from
1.41.0 to 1.43.0 in /modules/grafana-lgtm
([#3643](https://redirect.github.com/testcontainers/testcontainers-go/issues/3643))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump go.opentelemetry.io/otel/sdk from 1.41.0 to 1.43.0
in /modules/milvus
([#3644](https://redirect.github.com/testcontainers/testcontainers-go/issues/3644))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore: update to Go 1.25.9, 1.26.9
([#3647](https://redirect.github.com/testcontainers/testcontainers-go/issues/3647))
[@thaJeztah](https://redirect.github.com/thaJeztah)
- chore(deps): bump bump github.com/klauspost/compress v1.18.5,
github.com/docker/compose v5.1.2
([#3646](https://redirect.github.com/testcontainers/testcontainers-go/issues/3646))
[@thaJeztah](https://redirect.github.com/thaJeztah)
- chore(deps): bump moby/client v0.4.0, moby/api v1.54.1
([#3634](https://redirect.github.com/testcontainers/testcontainers-go/issues/3634))
[@thaJeztah](https://redirect.github.com/thaJeztah)
- chore(deps): bump golang.org/x/sys from 0.41.0 to 0.42.0
([#3629](https://redirect.github.com/testcontainers/testcontainers-go/issues/3629))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump github.com/moby/patternmatcher from 0.6.0 to 0.6.1
([#3628](https://redirect.github.com/testcontainers/testcontainers-go/issues/3628))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump github.com/shirou/gopsutil/v4 from 4.26.2 to 4.26.3
([#3627](https://redirect.github.com/testcontainers/testcontainers-go/issues/3627))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- fix(localstack): accept community-archive as a valid tag
([#3601](https://redirect.github.com/testcontainers/testcontainers-go/issues/3601))
[@johnduhart](https://redirect.github.com/johnduhart)
- chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in
/modules/gcloud
([#3632](https://redirect.github.com/testcontainers/testcontainers-go/issues/3632))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0
([#3625](https://redirect.github.com/testcontainers/testcontainers-go/issues/3625))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump pygments from 2.19.2 to 2.20.0
([#3615](https://redirect.github.com/testcontainers/testcontainers-go/issues/3615))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in
/modules/milvus
([#3612](https://redirect.github.com/testcontainers/testcontainers-go/issues/3612))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in
/modules/etcd
([#3611](https://redirect.github.com/testcontainers/testcontainers-go/issues/3611))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 in
/modules/ollama
([#3610](https://redirect.github.com/testcontainers/testcontainers-go/issues/3610))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in
/modules/pinecone
([#3609](https://redirect.github.com/testcontainers/testcontainers-go/issues/3609))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in
/modules/couchbase
([#3608](https://redirect.github.com/testcontainers/testcontainers-go/issues/3608))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump requests from 2.32.4 to 2.33.0
([#3604](https://redirect.github.com/testcontainers/testcontainers-go/issues/3604))
@[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 in
/modules/meilisearch
([#&#8203;3607](https://redirect.github.com/testcontainers/testcontainers-go/issues/3607))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 in
/modules/compose
([#&#8203;3605](https://redirect.github.com/testcontainers/testcontainers-go/issues/3605))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in
/modules/qdrant
([#&#8203;3606](https://redirect.github.com/testcontainers/testcontainers-go/issues/3606))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump github.com/modelcontextprotocol/go-sdk from 1.3.1 to
1.4.1 in /modules/dockermcpgateway
([#&#8203;3599](https://redirect.github.com/testcontainers/testcontainers-go/issues/3599))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.69.2 to 1.79.3 in
/modules/dockermodelrunner
([#&#8203;3594](https://redirect.github.com/testcontainers/testcontainers-go/issues/3594))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.71.0 to 1.79.3 in
/modules/toxiproxy
([#&#8203;3595](https://redirect.github.com/testcontainers/testcontainers-go/issues/3595))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.72.0 to 1.79.3 in
/modules/weaviate
([#&#8203;3596](https://redirect.github.com/testcontainers/testcontainers-go/issues/3596))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 in
/modules/compose
([#&#8203;3597](https://redirect.github.com/testcontainers/testcontainers-go/issues/3597))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 in
/modules/grafana-lgtm
([#&#8203;3598](https://redirect.github.com/testcontainers/testcontainers-go/issues/3598))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
- chore(deps): bump google.golang.org/grpc from 1.67.0 to 1.79.3 in
/modules/gcloud
([#&#8203;3593](https://redirect.github.com/testcontainers/testcontainers-go/issues/3593))
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)

</details>

<details>
<summary>valkey-io/valkey-go (github.com/valkey-io/valkey-go)</summary>

### [`v1.0.74`](https://redirect.github.com/valkey-io/valkey-go/releases/tag/v1.0.74): 1.0.74

[Compare Source](https://redirect.github.com/valkey-io/valkey-go/compare/v1.0.73...v1.0.74)

### Changes

- feat: add SetOnInvalidations to DedicatedClient
- feat: make valkeycompat.Pipeliner a Cmdable
- fix: premature recycles in MGet/MSet helpers
- fix: remove incorrect Start/Stop swap in valkeycompat.ZRange Rev
- fix: add expiration key to valkeylimiter script execution

#### Contributors

We'd like to thank all the contributors who worked on this release!

[@Luis729](https://redirect.github.com/Luis729),
[@jinbum-kim](https://redirect.github.com/jinbum-kim),
[@junsred](https://redirect.github.com/junsred),
[@rueian](https://redirect.github.com/rueian) and
[@tmchow](https://redirect.github.com/tmchow)

</details>

<details>
<summary>golang/go (go)</summary>

### [`v1.26.2`](https://redirect.github.com/golang/go/compare/go1.26.1...go1.26.2)

</details>

<details>
<summary>googleapis/google-api-go-client
(google.golang.org/api)</summary>

### [`v0.275.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.275.0)

[Compare Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.274.0...v0.275.0)

##### Features

- **all:** Auto-regenerate discovery clients
([#3557](https://redirect.github.com/googleapis/google-api-go-client/issues/3557))
([2b2ef99](2b2ef99cb9))
- **all:** Auto-regenerate discovery clients
([#3560](https://redirect.github.com/googleapis/google-api-go-client/issues/3560))
([9437d4d](9437d4d741))

</details>

<details>
<summary>googleapis/go-genai (google.golang.org/genai)</summary>

### [`v1.54.0`](https://redirect.github.com/googleapis/go-genai/releases/tag/v1.54.0)

[Compare Source](https://redirect.github.com/googleapis/go-genai/compare/v1.53.0...v1.54.0)

##### Features

- Add "eu" as a supported service location for Vertex AI platform.
([9245aba](9245aba251))
- Add Live Avatar new fields
([2ae252c](2ae252caaf))
- Add webhook\_config to batches.create() and models.generate\_videos()
([4790027](4790027b55))

### [`v1.53.0`](https://redirect.github.com/googleapis/go-genai/releases/tag/v1.53.0)

[Compare Source](https://redirect.github.com/googleapis/go-genai/compare/v1.52.1...v1.53.0)

##### Miscellaneous Chores

- release 1.53.0
([07f38c9](07f38c9267))

</details>

<details>
<summary>cznic/sqlite (modernc.org/sqlite)</summary>

### [`v1.48.2`](https://gitlab.com/cznic/sqlite/compare/v1.48.1...v1.48.2)

[Compare Source](https://gitlab.com/cznic/sqlite/compare/v1.48.1...v1.48.2)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/mcp-toolbox).


Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 17:19:57 -07:00
dependabot[bot]
b1d7d3b33c chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.43.0 in /docs/en/documentation/getting-started/quickstart/go/adkgo (#3019)
Bumps
[go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go)
from 1.39.0 to 1.43.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md">go.opentelemetry.io/otel/sdk's
changelog</a>.</em></p>
<blockquote>
<h2>[1.43.0/0.65.0/0.19.0] 2026-04-02</h2>
<h3>Added</h3>
<ul>
<li>Add <code>IsRandom</code> and <code>WithRandom</code> on
<code>TraceFlags</code>, and <code>IsRandom</code> on
<code>SpanContext</code> in <code>go.opentelemetry.io/otel/trace</code>
for <a
href="https://www.w3.org/TR/trace-context-2/#random-trace-id-flag">W3C
Trace Context Level 2 Random Trace ID Flag</a> support. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8012">#8012</a>)</li>
<li>Add service detection with <code>WithService</code> in
<code>go.opentelemetry.io/otel/sdk/resource</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7642">#7642</a>)</li>
<li>Add <code>DefaultWithContext</code> and
<code>EnvironmentWithContext</code> in
<code>go.opentelemetry.io/otel/sdk/resource</code> to support plumbing
<code>context.Context</code> through default and environment detectors.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8051">#8051</a>)</li>
<li>Support attributes with empty value (<code>attribute.EMPTY</code>)
in
<code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Support attributes with empty value (<code>attribute.EMPTY</code>)
in
<code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Support attributes with empty value (<code>attribute.EMPTY</code>)
in
<code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Support attributes with empty value (<code>attribute.EMPTY</code>)
in
<code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Support attributes with empty value (<code>attribute.EMPTY</code>)
in
<code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Support attributes with empty value (<code>attribute.EMPTY</code>)
in
<code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Support attributes with empty value (<code>attribute.EMPTY</code>)
in
<code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Add support for per-series start time tracking for cumulative
metrics in <code>go.opentelemetry.io/otel/sdk/metric</code>.
Set <code>OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true</code> to enable.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8060">#8060</a>)</li>
<li>Add <code>WithCardinalityLimitSelector</code> for metric reader for
configuring cardinality limits specific to the instrument kind. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7855">#7855</a>)</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Introduce the <code>EMPTY</code> Type in
<code>go.opentelemetry.io/otel/attribute</code> to reflect that an empty
value is now a valid value, with <code>INVALID</code> remaining as a
deprecated alias of <code>EMPTY</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
<li>Improve slice handling in
<code>go.opentelemetry.io/otel/attribute</code> to optimize short slice
values with fixed-size fast paths. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8039">#8039</a>)</li>
<li>Improve performance of span metric recording in
<code>go.opentelemetry.io/otel/sdk/trace</code> by returning early if
self-observability is not enabled. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8067">#8067</a>)</li>
<li>Improve formatting of metric data diffs in
<code>go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest</code>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8073">#8073</a>)</li>
</ul>
<h3>Deprecated</h3>
<ul>
<li>Deprecate <code>INVALID</code> in
<code>go.opentelemetry.io/otel/attribute</code>. Use <code>EMPTY</code>
instead. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038">#8038</a>)</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>Return spec-compliant <code>TraceIdRatioBased</code> description.
This is a breaking behavioral change, but it is necessary to
make the implementation <a
href="https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased">spec-compliant</a>.
(<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8027">#8027</a>)</li>
<li>Fix a race condition in
<code>go.opentelemetry.io/otel/sdk/metric</code> where the lastvalue
aggregation could collect the value 0 even when no zero-value
measurements were recorded. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8056">#8056</a>)</li>
<li>Limit HTTP response body to 4 MiB in
<code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code>
to mitigate excessive memory usage caused by a misconfigured or
malicious server.
Responses exceeding the limit are treated as non-retryable errors. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li>
<li>Limit HTTP response body to 4 MiB in
<code>go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp</code>
to mitigate excessive memory usage caused by a misconfigured or
malicious server.
Responses exceeding the limit are treated as non-retryable errors. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li>
<li>Limit HTTP response body to 4 MiB in
<code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code>
to mitigate excessive memory usage caused by a misconfigured or
malicious server.
Responses exceeding the limit are treated as non-retryable errors. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li>
<li><code>WithHostID</code> detector in
<code>go.opentelemetry.io/otel/sdk/resource</code> to use full path for
<code>kenv</code> command on BSD. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113">#8113</a>)</li>
<li>Fix missing <code>request.GetBody</code> in
<code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp</code>
to correctly handle HTTP2 GOAWAY frame. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096">#8096</a>)</li>
</ul>
<h2>[1.42.0/0.64.0/0.18.0/0.0.16] 2026-03-06</h2>
<h3>Added</h3>
<ul>
<li>Add <code>go.opentelemetry.io/otel/semconv/v1.40.0</code> package.
The package contains semantic conventions from the <code>v1.40.0</code>
version of the OpenTelemetry Semantic Conventions.
See the <a
href="https://github.com/open-telemetry/opentelemetry-go/blob/main/semconv/v1.40.0/MIGRATION.md">migration
documentation</a> for information on how to upgrade from
<code>go.opentelemetry.io/otel/semconv/v1.39.0</code>. (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7985">#7985</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9276201a64"><code>9276201</code></a>
Release v1.43.0 / v0.65.0 / v0.19.0 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8128">#8128</a>)</li>
<li><a
href="61b8c9466c"><code>61b8c94</code></a>
chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8131">#8131</a>)</li>
<li><a
href="97a086e82f"><code>97a086e</code></a>
chore(deps): update github.com/golangci/dupl digest to c99c5cf (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8122">#8122</a>)</li>
<li><a
href="5e363de517"><code>5e363de</code></a>
limit response body size for OTLP HTTP exporters (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108">#8108</a>)</li>
<li><a
href="35214b6013"><code>35214b6</code></a>
Use an absolute path when calling bsd kenv (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113">#8113</a>)</li>
<li><a
href="290024ceaf"><code>290024c</code></a>
fix(deps): update module google.golang.org/grpc to v1.80.0 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8121">#8121</a>)</li>
<li><a
href="e70658e098"><code>e70658e</code></a>
fix: support getBody in otelploghttp (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096">#8096</a>)</li>
<li><a
href="4afe468e3b"><code>4afe468</code></a>
fix(deps): update googleapis to 9d38bb4 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8117">#8117</a>)</li>
<li><a
href="b9ca729776"><code>b9ca729</code></a>
chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8115">#8115</a>)</li>
<li><a
href="69472ec56c"><code>69472ec</code></a>
chore(deps): update fossas/fossa-action action to v1.9.0 (<a
href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8118">#8118</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.43.0">compare
view</a></li>
</ul>
</details>
<br />



Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.


---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/googleapis/mcp-toolbox/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 16:54:05 -07:00
Mend Renovate
7d24dab11d chore(deps): update github actions (#3026)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/cache](https://redirect.github.com/actions/cache) ([changelog](668228422a..27d5ce7f10)) | action | digest | `6682284` → `27d5ce7` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) ([changelog](bbbca2ddaa..043fb46d1a)) | action | digest | `bbbca2d` → `043fb46` |
| [cloudflare/wrangler-action](https://redirect.github.com/cloudflare/wrangler-action) ([changelog](da0e0dfe58..9acf94ace1)) | action | digest | `da0e0df` → `9acf94a` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/363) for more information.

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/mcp-toolbox).


Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 16:17:32 -07:00
Mend Renovate
f6391beb62 chore(deps): update dependency pytest to v9.0.3 [security] (#3047)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pytest](https://redirect.github.com/pytest-dev/pytest) ([changelog](https://docs.pytest.org/en/stable/changelog.html)) | `==9.0.2` → `==9.0.3` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/pytest/9.0.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/pytest/9.0.2/9.0.3?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/363) for more information.

### GitHub Vulnerability Alerts

#### [CVE-2025-71176](https://nvd.nist.gov/vuln/detail/CVE-2025-71176)

pytest through 9.0.2 on UNIX relies on directories with the
`/tmp/pytest-of-{user}` name pattern, which allows local users to cause
a denial of service or possibly gain privileges.

##### Severity
- CVSS Score: 6.8 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L`

---

### Release Notes

<details>
<summary>pytest-dev/pytest (pytest)</summary>

### [`v9.0.3`](https://redirect.github.com/pytest-dev/pytest/releases/tag/9.0.3)

[Compare Source](https://redirect.github.com/pytest-dev/pytest/compare/9.0.2...9.0.3)

### pytest 9.0.3 (2026-04-07)

#### Bug fixes

- [#12444](https://redirect.github.com/pytest-dev/pytest/issues/12444):
  Fixed `pytest.approx` which now correctly takes into account
  `~collections.abc.Mapping` keys order to compare them.

- [#13634](https://redirect.github.com/pytest-dev/pytest/issues/13634):
  Blocking a `conftest.py` file using the `-p no:` option is now
  explicitly disallowed.

  Previously this resulted in an internal assertion failure during plugin
  loading.

  Pytest now raises a clear `UsageError` explaining that conftest files
  are not plugins and cannot be disabled via `-p`.

- [#13734](https://redirect.github.com/pytest-dev/pytest/issues/13734):
  Fixed crash when a test raises an exceptiongroup with
  `__tracebackhide__ = True`.

- [#14195](https://redirect.github.com/pytest-dev/pytest/issues/14195):
  Fixed an issue where non-string messages passed to
  `unittest.TestCase.subTest()` were not printed.

- [#14343](https://redirect.github.com/pytest-dev/pytest/issues/14343):
  Fixed use of insecure temporary directory (CVE-2025-71176).

#### Improved documentation

- [#13388](https://redirect.github.com/pytest-dev/pytest/issues/13388):
  Clarified documentation for `-p` vs `PYTEST_PLUGINS` plugin loading and
  fixed an incorrect `-p` example.
- [#13731](https://redirect.github.com/pytest-dev/pytest/issues/13731):
  Clarified that capture fixtures (e.g. `capsys` and `capfd`) take
  precedence over the `-s` / `--capture=no` command-line options in
  `Accessing captured output from a test function
  <accessing-captured-output>`.
- [#14088](https://redirect.github.com/pytest-dev/pytest/issues/14088):
  Clarified that the default `pytest_collection` hook sets `session.items`
  before it calls `pytest_collection_finish`, not after.
- [#14255](https://redirect.github.com/pytest-dev/pytest/issues/14255):
  TOML integer log levels must be quoted: Updating reference
  documentation.

#### Contributor-facing changes

- [#12689](https://redirect.github.com/pytest-dev/pytest/issues/12689):
  The test reports are now published to Codecov from GitHub Actions.
  The test statistics are visible [on the web
  interface](https://app.codecov.io/gh/pytest-dev/pytest/tests).

  \-- by `aleguy02`

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/mcp-toolbox).


Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 16:15:59 -07:00
dependabot[bot]
a0d0ef9e9b chore(deps): bump axios from 1.13.5 to 1.15.0 in /docs/en/documentation/getting-started/quickstart/js/genkit (#3041)
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/releases">axios's
releases</a>.</em></p>
<blockquote>
<h2>v1.15.0</h2>
<p>This release delivers two critical security patches, adds runtime
support for Deno and Bun, and includes significant CI hardening,
documentation improvements, and routine dependency updates.</p>
<h2>⚠️ Important Changes</h2>
<ul>
<li><strong>Deprecation:</strong> <code>url.parse()</code> usage has
been replaced to address Node.js deprecation warnings. If you are on a
recent version of Node.js, this resolves console warnings you may have
been seeing. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Proxy Handling:</strong> Fixed a <code>no_proxy</code>
hostname normalisation bypass that could lead to Server-Side Request
Forgery (SSRF). (<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</li>
<li><strong>Header Injection:</strong> Fixed an unrestricted cloud
metadata exfiltration vulnerability via a header injection chain.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Runtime Support:</strong> Added compatibility checks and
documentation for Deno and Bun environments. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10653">#10653</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>CI Security:</strong> Hardened workflow permissions to least
privilege, added the <code>zizmor</code> security scanner, pinned action
versions, and gated npm publishing with OIDC and environment protection.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped
<code>serialize-javascript</code>, <code>handlebars</code>,
<code>picomatch</code>, <code>vite</code>, and
<code>denoland/setup-deno</code> to latest versions. Added a 7-day
Dependabot cooldown period. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>)</li>
<li><strong>Documentation:</strong> Unified docs, improved
<code>beforeRedirect</code> credential leakage example, clarified
<code>withCredentials</code>/<code>withXSRFToken</code> behaviour,
HTTP/2 support notes, async/await timeout error handling, header case
preservation, and various typo fixes. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10649">#10649</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7471">#7471</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong>Housekeeping:</strong> Removed stale files, regenerated
lockfile, and updated sponsor scripts and blocks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10584">#10584</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10650">#10650</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10582">#10582</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10640">#10640</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10659">#10659</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10668">#10668</a></strong>)</li>
<li><strong>Tests:</strong> Added regression coverage for urlencoded
<code>Content-Type</code> casing. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve Axios:</p>
<ul>
<li><strong><a
href="https://github.com/raashish1601"><code>@​raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
<li><strong><a
href="https://github.com/Kilros0817"><code>@​Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@​ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@​Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/theamodhshetty"><code>@​theamodhshetty</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>)</li>
</ul>
<h2>v1.14.0</h2>
<p>This release focuses on compatibility fixes, adapter stability
improvements, and test/tooling modernisation.</p>
<h2>⚠️ Important Changes</h2>
<ul>
<li><strong>Breaking Changes:</strong> None identified in this
release.</li>
<li><strong>Action Required:</strong> If you rely on env-based proxy
behaviour or CJS resolution edge-cases, validate your integration after
upgrade (notably <code>proxy-from-env</code> v2 alignment and
<code>main</code> entry compatibility fix).</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Runtime Features:</strong> No new end-user features were
introduced in this release.</li>
<li><strong>Test Coverage Expansion:</strong> Added broader smoke/module
test coverage for CJS and ESM package usage. (<a
href="https://redirect.github.com/axios/axios/pull/7510">#7510</a>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Headers:</strong> Trim trailing CRLF in normalised header
values. (<a
href="https://redirect.github.com/axios/axios/pull/7456">#7456</a>)</li>
<li><strong>HTTP/2:</strong> Close detached HTTP/2 sessions on timeout
to avoid lingering sessions. (<a
href="https://redirect.github.com/axios/axios/pull/7457">#7457</a>)</li>
<li><strong>Fetch Adapter:</strong> Cancel <code>ReadableStream</code>
created during request-stream capability probing to prevent async
resource leaks. (<a
href="https://redirect.github.com/axios/axios/pull/7515">#7515</a>)</li>
<li><strong>Proxy Handling:</strong> Fixed env proxy behavior with
<code>proxy-from-env</code> v2 usage. (<a
href="https://redirect.github.com/axios/axios/pull/7499">#7499</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's
changelog</a>.</em></p>
<blockquote>
<h2>v1.15.0 — April 7, 2026</h2>
<p>This release delivers two critical security patches targeting header
injection and SSRF via proxy bypass, adds official runtime support for
Deno and Bun, and includes significant CI security hardening.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li>
<p><strong>Header Injection (CRLF):</strong> Rejects any header value
containing <code>\r</code> or <code>\n</code> characters to block CRLF
injection chains that could be used to exfiltrate cloud metadata (IMDS).
Behavior change: headers with CR/LF now throw <code>&quot;Invalid
character in header content&quot;</code>. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</p>
</li>
<li>
<p><strong>SSRF via <code>no_proxy</code> Bypass:</strong> Introduces a
<code>shouldBypassProxy</code> helper that normalises hostnames (strips
trailing dots, handles bracketed IPv6) before evaluating
<code>no_proxy</code>/<code>NO_PROXY</code> rules, closing a gap that
could cause loopback or internal hosts to be inadvertently proxied.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</p>
</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Deno &amp; Bun Runtime Support:</strong> Added full smoke
test suites for Deno and Bun, with CI workflows that run both runtimes
before any release is cut. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Node.js v22 Compatibility:</strong> Replaced deprecated
<code>url.parse()</code> calls with the WHATWG
<code>URL</code>/<code>URLSearchParams</code> API across examples,
sandbox, and tests, eliminating <code>DEP0169</code> deprecation
warnings on Node.js v22+. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li>
<p><strong>CI Security Hardening:</strong> Added <a
href="https://github.com/zizmorcore/zizmor">zizmor</a> GitHub Actions
security scanner; switched npm publish to OIDC Trusted Publishing
(removing the long-lived <code>NODE_AUTH_TOKEN</code>); pinned all
action references to full commit SHAs; narrowed workflow permissions to
least privilege; gated the publish step behind a dedicated
<code>npm-publish</code> environment; and blocked the sponsor-block
workflow from running on forks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</p>
</li>
<li>
<p><strong>Docs:</strong> Clarified HTTP/2 support and the unsupported
<code>httpVersion</code> option; added documentation for header case
preservation; improved the <code>beforeRedirect</code> example to
prevent accidental credential leakage. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</p>
</li>
<li>
<p><strong>Dependencies:</strong> Bumped <code>picomatch</code>,
<code>handlebars</code>, <code>serialize-javascript</code>,
<code>vite</code> (×3), <code>denoland/setup-deno</code>, and 4
additional dev dependencies to latest versions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10564">#10564</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10565">#10565</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10567">#10567</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>)</p>
</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/Kilros0817"><code>@​Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/shaanmajid"><code>@​shaanmajid</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10617">#10617</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@​ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@​Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/raashish1601"><code>@​raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.14.0...v1.15.0">Full
Changelog</a></p>
<hr />
<h2>v1.14.0 — March 27, 2026</h2>
<p>This release fixes a security vulnerability in the
<code>formidable</code> dependency, resolves a CommonJS compatibility
regression, hardens proxy and HTTP/2 handling, and modernises the build
and test toolchain.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Formidable Vulnerability:</strong> Upgraded
<code>formidable</code> from v2 to v3 to address a reported
arbitrary-file vulnerability. Updated test server and assertions to
align with the v3 API. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7533">#7533</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="772a4e54ec"><code>772a4e5</code></a>
chore(release): prepare release 1.15.0 (<a
href="https://redirect.github.com/axios/axios/issues/10671">#10671</a>)</li>
<li><a
href="4b071371be"><code>4b07137</code></a>
chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (<a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a>)</li>
<li><a
href="51e57b39db"><code>51e57b3</code></a>
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (<a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a>)</li>
<li><a
href="fba1a77930"><code>fba1a77</code></a>
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (<a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a>)</li>
<li><a
href="0bf6e28eac"><code>0bf6e28</code></a>
chore(deps): bump denoland/setup-deno in the github-actions group (<a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a>)</li>
<li><a
href="8107157c57"><code>8107157</code></a>
chore(deps-dev): bump the development_dependencies group with 4 updates
(<a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a>)</li>
<li><a
href="e66530e330"><code>e66530e</code></a>
ci: require npm-publish environment for releases (<a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a>)</li>
<li><a
href="49f23cbfe4"><code>49f23cb</code></a>
chore(sponsor): update sponsor block (<a
href="https://redirect.github.com/axios/axios/issues/10668">#10668</a>)</li>
<li><a
href="363185461b"><code>3631854</code></a>
fix: unrestricted cloud metadata exfiltration via header injection chain
(<a
href="https://redirect.github.com/axios/axios/issues/10">#10</a>...</li>
<li><a
href="fb3befb6da"><code>fb3befb</code></a>
fix: no_proxy hostname normalization bypass leads to ssrf (<a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/axios/axios/compare/v1.13.5...v1.15.0">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies the <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 16:06:17 -07:00
dependabot[bot]
4dca261cd3 chore(deps): bump langsmith from 0.5.6 to 0.5.20 in /docs/en/documentation/getting-started/quickstart/js/langchain (#3069)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.5.6 to 0.5.20.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/langchain-ai/langsmith-sdk/commits">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies the <code>prepublish</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 23:04:33 +00:00
dependabot[bot]
aabdf5d128 chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docs/en/documentation/getting-started/quickstart/js/llamaindex (#3065)
Bumps
[follow-redirects](https://github.com/follow-redirects/follow-redirects)
from 1.15.11 to 1.16.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0c23a22306"><code>0c23a22</code></a>
Release version 1.16.0 of the npm package.</li>
<li><a
href="844c4d302a"><code>844c4d3</code></a>
Add sensitiveHeaders option.</li>
<li><a
href="5e8b8d024e"><code>5e8b8d0</code></a>
ci: add Node.js 24.x to the CI matrix</li>
<li><a
href="7953e2255a"><code>7953e22</code></a>
ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6</li>
<li><a
href="86dc1f86e4"><code>86dc1f8</code></a>
Sanitizing input.</li>
<li>See full diff in <a
href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 16:03:09 -07:00
Haoyu Wang
d10d2caeb7 fix: prevent test.db from being created during unit tests (#3042)
This PR updates the unit tests to use in-memory SQLite databases
(:memory:) instead of creating physical test.db files on disk.

While using a tmp directory for managing the test.db file is a plausible
approach, it will encounter file-locking conflicts on Windows during
test cleanup, which prevents the clean-up of database files located in
the tmp directory.

---------

Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 22:32:40 +00:00
Mend Renovate
5fdc00a693 chore(deps): update dependency gohugoio/hugo to v0.160.1 (#3031)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [gohugoio/hugo](https://redirect.github.com/gohugoio/hugo) | patch |
`0.160.0` → `0.160.1` |

---

### Release Notes

<details>
<summary>gohugoio/hugo (gohugoio/hugo)</summary>

###
[`v0.160.1`](https://redirect.github.com/gohugoio/hugo/releases/tag/v0.160.1)

[Compare
Source](https://redirect.github.com/gohugoio/hugo/compare/v0.160.0...v0.160.1)

##### What's Changed

- Fix panic when passthrough elements are used in headings
[`8b00030`](https://redirect.github.com/gohugoio/hugo/commit/8b00030b)
[@&#8203;bep](https://redirect.github.com/bep)
[#&#8203;14677](https://redirect.github.com/gohugoio/hugo/issues/14677)
- Fix panic on edit of legacy mapped template names that's also a valid
path in the new setup
[`c485516`](https://redirect.github.com/gohugoio/hugo/commit/c4855167)
[@&#8203;bep](https://redirect.github.com/bep)
[#&#8203;14740](https://redirect.github.com/gohugoio/hugo/issues/14740)
- Fix RenderShortcodes leaking context markers when indented
[`161d0d4`](https://redirect.github.com/gohugoio/hugo/commit/161d0d47)
[@&#8203;bep](https://redirect.github.com/bep)
[#&#8203;12457](https://redirect.github.com/gohugoio/hugo/issues/12457)
- Strip nested page context markers from standalone RenderShortcodes
[`45e4596`](https://redirect.github.com/gohugoio/hugo/commit/45e45966)
[@&#8203;bep](https://redirect.github.com/bep)
[#&#8203;14732](https://redirect.github.com/gohugoio/hugo/issues/14732)
- Rename deprecated cascade.\_target to cascade.target in tests
[`58927aa`](https://redirect.github.com/gohugoio/hugo/commit/58927aa1)
[@&#8203;bep](https://redirect.github.com/bep)
- Fix auto-creation of root sections in multilingual sites
[`ce009e3`](https://redirect.github.com/gohugoio/hugo/commit/ce009e3a)
[@&#8203;bep](https://redirect.github.com/bep)
[#&#8203;14681](https://redirect.github.com/gohugoio/hugo/issues/14681)
- readme: Fix links
[`0755872`](https://redirect.github.com/gohugoio/hugo/commit/07558724)
[@&#8203;chicks-net](https://redirect.github.com/chicks-net)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/googleapis/mcp-toolbox).

Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 15:12:08 -07:00
dependabot[bot]
111c896a0c chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /docs/en/documentation/configuration/pre-post-processing/js/adk (#3066)
Bumps
[follow-redirects](https://github.com/follow-redirects/follow-redirects)
from 1.15.11 to 1.16.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="0c23a22306"><code>0c23a22</code></a>
Release version 1.16.0 of the npm package.</li>
<li><a
href="844c4d302a"><code>844c4d3</code></a>
Add sensitiveHeaders option.</li>
<li><a
href="5e8b8d024e"><code>5e8b8d0</code></a>
ci: add Node.js 24.x to the CI matrix</li>
<li><a
href="7953e2255a"><code>7953e22</code></a>
ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6</li>
<li><a
href="86dc1f86e4"><code>86dc1f8</code></a>
Sanitizing input.</li>
<li>See full diff in <a
href="https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 15:07:01 -07:00
dependabot[bot]
4f87e1ce7c chore(deps): bump langsmith from 0.5.4 to 0.5.20 in /docs/en/documentation/configuration/pre-post-processing/js/langchain (#3070)
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from
0.5.4 to 0.5.20.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/langchain-ai/langsmith-sdk/commits">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies the <code>prepublish</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 15:04:03 -07:00
dependabot[bot]
78abe0612e chore(deps): bump axios from 1.13.5 to 1.15.0 in /docs/en/documentation/configuration/pre-post-processing/js/adk (#3073)
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/releases">axios's
releases</a>.</em></p>
<blockquote>
<h2>v1.15.0</h2>
<p>This release delivers two critical security patches, adds runtime
support for Deno and Bun, and includes significant CI hardening,
documentation improvements, and routine dependency updates.</p>
<h2>⚠️ Important Changes</h2>
<ul>
<li><strong>Deprecation:</strong> <code>url.parse()</code> usage has
been replaced to address Node.js deprecation warnings. If you are on a
recent version of Node.js, this resolves console warnings you may have
been seeing. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Proxy Handling:</strong> Fixed a <code>no_proxy</code>
hostname normalisation bypass that could lead to Server-Side Request
Forgery (SSRF). (<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</li>
<li><strong>Header Injection:</strong> Fixed an unrestricted cloud
metadata exfiltration vulnerability via a header injection chain.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Runtime Support:</strong> Added compatibility checks and
documentation for Deno and Bun environments. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10653">#10653</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>CI Security:</strong> Hardened workflow permissions to least
privilege, added the <code>zizmor</code> security scanner, pinned action
versions, and gated npm publishing with OIDC and environment protection.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped
<code>serialize-javascript</code>, <code>handlebars</code>,
<code>picomatch</code>, <code>vite</code>, and
<code>denoland/setup-deno</code> to latest versions. Added a 7-day
Dependabot cooldown period. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>)</li>
<li><strong>Documentation:</strong> Unified docs, improved
<code>beforeRedirect</code> credential leakage example, clarified
<code>withCredentials</code>/<code>withXSRFToken</code> behaviour,
HTTP/2 support notes, async/await timeout error handling, header case
preservation, and various typo fixes. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10649">#10649</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7471">#7471</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong>Housekeeping:</strong> Removed stale files, regenerated
lockfile, and updated sponsor scripts and blocks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10584">#10584</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10650">#10650</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10582">#10582</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10640">#10640</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10659">#10659</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10668">#10668</a></strong>)</li>
<li><strong>Tests:</strong> Added regression coverage for urlencoded
<code>Content-Type</code> casing. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve Axios:</p>
<ul>
<li><strong><a
href="https://github.com/raashish1601"><code>@​raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
<li><strong><a
href="https://github.com/Kilros0817"><code>@​Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@​ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@​Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/theamodhshetty"><code>@​theamodhshetty</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>)</li>
</ul>
<h2>v1.14.0</h2>
<p>This release focuses on compatibility fixes, adapter stability
improvements, and test/tooling modernisation.</p>
<h2>⚠️ Important Changes</h2>
<ul>
<li><strong>Breaking Changes:</strong> None identified in this
release.</li>
<li><strong>Action Required:</strong> If you rely on env-based proxy
behaviour or CJS resolution edge-cases, validate your integration after
upgrade (notably <code>proxy-from-env</code> v2 alignment and
<code>main</code> entry compatibility fix).</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Runtime Features:</strong> No new end-user features were
introduced in this release.</li>
<li><strong>Test Coverage Expansion:</strong> Added broader smoke/module
test coverage for CJS and ESM package usage. (<a
href="https://redirect.github.com/axios/axios/pull/7510">#7510</a>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Headers:</strong> Trim trailing CRLF in normalised header
values. (<a
href="https://redirect.github.com/axios/axios/pull/7456">#7456</a>)</li>
<li><strong>HTTP/2:</strong> Close detached HTTP/2 sessions on timeout
to avoid lingering sessions. (<a
href="https://redirect.github.com/axios/axios/pull/7457">#7457</a>)</li>
<li><strong>Fetch Adapter:</strong> Cancel <code>ReadableStream</code>
created during request-stream capability probing to prevent async
resource leaks. (<a
href="https://redirect.github.com/axios/axios/pull/7515">#7515</a>)</li>
<li><strong>Proxy Handling:</strong> Fixed env proxy behavior with
<code>proxy-from-env</code> v2 usage. (<a
href="https://redirect.github.com/axios/axios/pull/7499">#7499</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's
changelog</a>.</em></p>
<blockquote>
<h2>v1.15.0 — April 7, 2026</h2>
<p>This release delivers two critical security patches targeting header
injection and SSRF via proxy bypass, adds official runtime support for
Deno and Bun, and includes significant CI security hardening.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li>
<p><strong>Header Injection (CRLF):</strong> Rejects any header value
containing <code>\r</code> or <code>\n</code> characters to block CRLF
injection chains that could be used to exfiltrate cloud metadata (IMDS).
Behavior change: headers with CR/LF now throw <code>&quot;Invalid
character in header content&quot;</code>. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</p>
</li>
<li>
<p><strong>SSRF via <code>no_proxy</code> Bypass:</strong> Introduces a
<code>shouldBypassProxy</code> helper that normalises hostnames (strips
trailing dots, handles bracketed IPv6) before evaluating
<code>no_proxy</code>/<code>NO_PROXY</code> rules, closing a gap that
could cause loopback or internal hosts to be inadvertently proxied.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</p>
</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Deno &amp; Bun Runtime Support:</strong> Added full smoke
test suites for Deno and Bun, with CI workflows that run both runtimes
before any release is cut. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Node.js v22 Compatibility:</strong> Replaced deprecated
<code>url.parse()</code> calls with the WHATWG
<code>URL</code>/<code>URLSearchParams</code> API across examples,
sandbox, and tests, eliminating <code>DEP0169</code> deprecation
warnings on Node.js v22+. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li>
<p><strong>CI Security Hardening:</strong> Added <a
href="https://github.com/zizmorcore/zizmor">zizmor</a> GitHub Actions
security scanner; switched npm publish to OIDC Trusted Publishing
(removing the long-lived <code>NODE_AUTH_TOKEN</code>); pinned all
action references to full commit SHAs; narrowed workflow permissions to
least privilege; gated the publish step behind a dedicated
<code>npm-publish</code> environment; and blocked the sponsor-block
workflow from running on forks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</p>
</li>
<li>
<p><strong>Docs:</strong> Clarified HTTP/2 support and the unsupported
<code>httpVersion</code> option; added documentation for header case
preservation; improved the <code>beforeRedirect</code> example to
prevent accidental credential leakage. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</p>
</li>
<li>
<p><strong>Dependencies:</strong> Bumped <code>picomatch</code>,
<code>handlebars</code>, <code>serialize-javascript</code>,
<code>vite</code> (×3), <code>denoland/setup-deno</code>, and 4
additional dev dependencies to latest versions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10564">#10564</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10565">#10565</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10567">#10567</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>)</p>
</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/Kilros0817"><code>@​Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/shaanmajid"><code>@​shaanmajid</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10617">#10617</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@​ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@​Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/raashish1601"><code>@​raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.14.0...v1.15.0">Full
Changelog</a></p>
<hr />
<h2>v1.14.0 — March 27, 2026</h2>
<p>This release fixes a security vulnerability in the
<code>formidable</code> dependency, resolves a CommonJS compatibility
regression, hardens proxy and HTTP/2 handling, and modernises the build
and test toolchain.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Formidable Vulnerability:</strong> Upgraded
<code>formidable</code> from v2 to v3 to address a reported
arbitrary-file vulnerability. Updated test server and assertions to
align with the v3 API. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7533">#7533</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="772a4e54ec"><code>772a4e5</code></a>
chore(release): prepare release 1.15.0 (<a
href="https://redirect.github.com/axios/axios/issues/10671">#10671</a>)</li>
<li><a
href="4b071371be"><code>4b07137</code></a>
chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (<a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a>)</li>
<li><a
href="51e57b39db"><code>51e57b3</code></a>
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (<a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a>)</li>
<li><a
href="fba1a77930"><code>fba1a77</code></a>
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (<a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a>)</li>
<li><a
href="0bf6e28eac"><code>0bf6e28</code></a>
chore(deps): bump denoland/setup-deno in the github-actions group (<a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a>)</li>
<li><a
href="8107157c57"><code>8107157</code></a>
chore(deps-dev): bump the development_dependencies group with 4 updates
(<a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a>)</li>
<li><a
href="e66530e330"><code>e66530e</code></a>
ci: require npm-publish environment for releases (<a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a>)</li>
<li><a
href="49f23cbfe4"><code>49f23cb</code></a>
chore(sponsor): update sponsor block (<a
href="https://redirect.github.com/axios/axios/issues/10668">#10668</a>)</li>
<li><a
href="363185461b"><code>3631854</code></a>
fix: unrestricted cloud metadata exfiltration via header injection chain
(<a
href="https://redirect.github.com/axios/axios/issues/10">#10</a>...</li>
<li><a
href="fb3befb6da"><code>fb3befb</code></a>
fix: no_proxy hostname normalization bypass leads to ssrf (<a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/axios/axios/compare/v1.13.5...v1.15.0">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies the <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 14:50:27 -07:00
dependabot[bot]
669e1fdc08 chore(deps): bump axios from 1.13.5 to 1.15.0 in /docs/en/documentation/getting-started/quickstart/js/adk (#3074)
Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/releases">axios's
releases</a>.</em></p>
<blockquote>
<h2>v1.15.0</h2>
<p>This release delivers two critical security patches, adds runtime
support for Deno and Bun, and includes significant CI hardening,
documentation improvements, and routine dependency updates.</p>
<h2>⚠️ Important Changes</h2>
<ul>
<li><strong>Deprecation:</strong> <code>url.parse()</code> usage has
been replaced to address Node.js deprecation warnings. If you are on a
recent version of Node.js, this resolves console warnings you may have
been seeing. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Proxy Handling:</strong> Fixed a <code>no_proxy</code>
hostname normalisation bypass that could lead to Server-Side Request
Forgery (SSRF). (<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</li>
<li><strong>Header Injection:</strong> Fixed an unrestricted cloud
metadata exfiltration vulnerability via a header injection chain.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Runtime Support:</strong> Added compatibility checks and
documentation for Deno and Bun environments. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10653">#10653</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li><strong>CI Security:</strong> Hardened workflow permissions to least
privilege, added the <code>zizmor</code> security scanner, pinned action
versions, and gated npm publishing with OIDC and environment protection.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped
<code>serialize-javascript</code>, <code>handlebars</code>,
<code>picomatch</code>, <code>vite</code>, and
<code>denoland/setup-deno</code> to latest versions. Added a 7-day
Dependabot cooldown period. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>)</li>
<li><strong>Documentation:</strong> Unified docs, improved
<code>beforeRedirect</code> credential leakage example, clarified
<code>withCredentials</code>/<code>withXSRFToken</code> behaviour,
HTTP/2 support notes, async/await timeout error handling, header case
preservation, and various typo fixes. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10649">#10649</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/7471">#7471</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong>Housekeeping:</strong> Removed stale files, regenerated
lockfile, and updated sponsor scripts and blocks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10584">#10584</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10650">#10650</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10582">#10582</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10640">#10640</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10659">#10659</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10668">#10668</a></strong>)</li>
<li><strong>Tests:</strong> Added regression coverage for urlencoded
<code>Content-Type</code> casing. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve Axios:</p>
<ul>
<li><strong><a
href="https://github.com/raashish1601"><code>@​raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
<li><strong><a
href="https://github.com/Kilros0817"><code>@​Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@​ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@​Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/theamodhshetty"><code>@​theamodhshetty</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7452">#7452</a></strong>)</li>
</ul>
<h2>v1.14.0</h2>
<p>This release focuses on compatibility fixes, adapter stability
improvements, and test/tooling modernisation.</p>
<h2>⚠️ Important Changes</h2>
<ul>
<li><strong>Breaking Changes:</strong> None identified in this
release.</li>
<li><strong>Action Required:</strong> If you rely on env-based proxy
behaviour or CJS resolution edge-cases, validate your integration after
upgrade (notably <code>proxy-from-env</code> v2 alignment and
<code>main</code> entry compatibility fix).</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Runtime Features:</strong> No new end-user features were
introduced in this release.</li>
<li><strong>Test Coverage Expansion:</strong> Added broader smoke/module
test coverage for CJS and ESM package usage. (<a
href="https://redirect.github.com/axios/axios/pull/7510">#7510</a>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Headers:</strong> Trim trailing CRLF in normalised header
values. (<a
href="https://redirect.github.com/axios/axios/pull/7456">#7456</a>)</li>
<li><strong>HTTP/2:</strong> Close detached HTTP/2 sessions on timeout
to avoid lingering sessions. (<a
href="https://redirect.github.com/axios/axios/pull/7457">#7457</a>)</li>
<li><strong>Fetch Adapter:</strong> Cancel <code>ReadableStream</code>
created during request-stream capability probing to prevent async
resource leaks. (<a
href="https://redirect.github.com/axios/axios/pull/7515">#7515</a>)</li>
<li><strong>Proxy Handling:</strong> Fixed env proxy behavior with
<code>proxy-from-env</code> v2 usage. (<a
href="https://redirect.github.com/axios/axios/pull/7499">#7499</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's
changelog</a>.</em></p>
<blockquote>
<h2>v1.15.0 — April 7, 2026</h2>
<p>This release delivers two critical security patches targeting header
injection and SSRF via proxy bypass, adds official runtime support for
Deno and Bun, and includes significant CI security hardening.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li>
<p><strong>Header Injection (CRLF):</strong> Rejects any header value
containing <code>\r</code> or <code>\n</code> characters to block CRLF
injection chains that could be used to exfiltrate cloud metadata (IMDS).
Behavior change: headers with CR/LF now throw <code>&quot;Invalid
character in header content&quot;</code>. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</p>
</li>
<li>
<p><strong>SSRF via <code>no_proxy</code> Bypass:</strong> Introduces a
<code>shouldBypassProxy</code> helper that normalises hostnames (strips
trailing dots, handles bracketed IPv6) before evaluating
<code>no_proxy</code>/<code>NO_PROXY</code> rules, closing a gap that
could cause loopback or internal hosts to be inadvertently proxied.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</p>
</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Deno &amp; Bun Runtime Support:</strong> Added full smoke
test suites for Deno and Bun, with CI workflows that run both runtimes
before any release is cut. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Node.js v22 Compatibility:</strong> Replaced deprecated
<code>url.parse()</code> calls with the WHATWG
<code>URL</code>/<code>URLSearchParams</code> API across examples,
sandbox, and tests, eliminating <code>DEP0169</code> deprecation
warnings on Node.js v22+. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔧 Maintenance &amp; Chores</h2>
<ul>
<li>
<p><strong>CI Security Hardening:</strong> Added <a
href="https://github.com/zizmorcore/zizmor">zizmor</a> GitHub Actions
security scanner; switched npm publish to OIDC Trusted Publishing
(removing the long-lived <code>NODE_AUTH_TOKEN</code>); pinned all
action references to full commit SHAs; narrowed workflow permissions to
least privilege; gated the publish step behind a dedicated
<code>npm-publish</code> environment; and blocked the sponsor-block
workflow from running on forks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</p>
</li>
<li>
<p><strong>Docs:</strong> Clarified HTTP/2 support and the unsupported
<code>httpVersion</code> option; added documentation for header case
preservation; improved the <code>beforeRedirect</code> example to
prevent accidental credential leakage. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</p>
</li>
<li>
<p><strong>Dependencies:</strong> Bumped <code>picomatch</code>,
<code>handlebars</code>, <code>serialize-javascript</code>,
<code>vite</code> (×3), <code>denoland/setup-deno</code>, and 4
additional dev dependencies to latest versions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10564">#10564</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10565">#10565</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10567">#10567</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>)</p>
</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/Kilros0817"><code>@​Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/shaanmajid"><code>@​shaanmajid</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10617">#10617</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@​ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@​Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/raashish1601"><code>@​raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.14.0...v1.15.0">Full
Changelog</a></p>
<hr />
<h2>v1.14.0 — March 27, 2026</h2>
<p>This release fixes a security vulnerability in the
<code>formidable</code> dependency, resolves a CommonJS compatibility
regression, hardens proxy and HTTP/2 handling, and modernises the build
and test toolchain.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Formidable Vulnerability:</strong> Upgraded
<code>formidable</code> from v2 to v3 to address a reported
arbitrary-file vulnerability. Updated test server and assertions to
align with the v3 API. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7533">#7533</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="772a4e54ec"><code>772a4e5</code></a>
chore(release): prepare release 1.15.0 (<a
href="https://redirect.github.com/axios/axios/issues/10671">#10671</a>)</li>
<li><a
href="4b071371be"><code>4b07137</code></a>
chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (<a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a>)</li>
<li><a
href="51e57b39db"><code>51e57b3</code></a>
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (<a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a>)</li>
<li><a
href="fba1a77930"><code>fba1a77</code></a>
chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (<a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a>)</li>
<li><a
href="0bf6e28eac"><code>0bf6e28</code></a>
chore(deps): bump denoland/setup-deno in the github-actions group (<a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a>)</li>
<li><a
href="8107157c57"><code>8107157</code></a>
chore(deps-dev): bump the development_dependencies group with 4 updates
(<a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a>)</li>
<li><a
href="e66530e330"><code>e66530e</code></a>
ci: require npm-publish environment for releases (<a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a>)</li>
<li><a
href="49f23cbfe4"><code>49f23cb</code></a>
chore(sponsor): update sponsor block (<a
href="https://redirect.github.com/axios/axios/issues/10668">#10668</a>)</li>
<li><a
href="363185461b"><code>3631854</code></a>
fix: unrestricted cloud metadata exfiltration via header injection chain
(<a
href="https://redirect.github.com/axios/axios/issues/10">#10</a>...</li>
<li><a
href="fb3befb6da"><code>fb3befb</code></a>
fix: no_proxy hostname normalization bypass leads to ssrf (<a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/axios/axios/compare/v1.13.5...v1.15.0">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies the <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
2026-04-16 14:43:24 -07:00