Bump the minor-and-patch group across 1 directory with 13 updates

[dependabot]

Bumps the minor-and-patch group with 13 updates in the / directory:

Package	From	To
@pixiv/three-vrm	3.5.1	3.5.2
@vitejs/plugin-basic-ssl	2.2.0	2.3.0
axios	1.13.6	1.16.0
gsap	3.14.2	3.15.0
ktx2-encoder	0.5.1	0.5.3
postprocessing	6.38.3	6.39.1
react	19.2.4	19.2.6
react-colorful	5.6.1	5.7.0
react-dom	19.2.4	19.2.6
three	0.183.2	0.184.0
wrangler	4.72.0	4.90.0
sass	1.98.0	1.99.0
vite-plugin-node-polyfills	0.25.0	0.26.0

Updates @pixiv/three-vrm from 3.5.1 to 3.5.2

Release notes

Sourced from @​pixiv/three-vrm's releases.

v3.5.2

pixiv/three-vrm@v3.5.1...v3.5.2 https://github.com/pixiv/three-vrm/tree/v3.5.2

---

📢 NOTE FOR DEVS

• #1829: Development and release workflows have moved from Yarn v1 to pnpm. Contributors should use pnpm going forward.

---

🐛 Bugfixes

• #1833: fix: change version specifier of workspace dependencies to workspace:*

📦 Deps

• #1829: chore: yarn v1 -> pnpm 10.33.0
• #1832: Bump deps (bulk)

Commits

• 9d12558 v3.5.2
• 5fdbe3c fix: change version specifier of workspace dependencies to workspace:*
• 8e572d0 deps: bump typescript from 5.9.3 to 6.0.2
• 9ad8b16 chore: yarn v1 -> pnpm 10.33.0
• See full diff in compare view

Updates @vitejs/plugin-basic-ssl from 2.2.0 to 2.3.0

Release notes

Sourced from @​vitejs/plugin-basic-ssl's releases.

v2.3.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from @​vitejs/plugin-basic-ssl's changelog.

2.3.0 (2026-03-24)

Features

• add optional ttlDays parameter (#98) (eb373f0)

Miscellaneous Chores

• deps: update all non-major dependencies (#100) (34ef8a0)
• deps: update all non-major dependencies (#96) (acb0779)
• deps: update dependency vite to v8 (#99) (987fb1a)
• deps: update pnpm/action-setup action to v5 (#101) (4b9d639)

Build System

• refactor post-build code (#102) (2499cce)

Commits

• ab892e4 release: v2.3.0
• 2499cce build: refactor post-build code (#102)
• eb373f0 feat: add optional ttlDays parameter (#98)
• 4b9d639 chore(deps): update pnpm/action-setup action to v5 (#101)
• 34ef8a0 chore(deps): update all non-major dependencies (#100)
• acb0779 chore(deps): update all non-major dependencies (#96)
• 987fb1a chore(deps): update dependency vite to v8 (#99)
• See full diff in compare view

Updates axios from 1.13.6 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

• Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
• Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
• Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
• parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
• Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
• transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

• QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
• ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
• Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

• HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
• HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
• Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
• XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
• Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
• Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
• UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
• Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

• Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
• Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
• Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
• Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
• Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
• Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​singhankit001 (#10588)
• @​cuiweixie (#7419)
• @​iruizsalinas (#10787)
• @​MarcosNocetti (#10680)
• @​deepview-autofix (#10729)

... (truncated)

Commits

• df53d7d chore(release): prepare release 1.16.0 (#10834)
• 9d92bcd fix: gadgets and smaller issues (#10833)
• 5107ee6 fix: prevent undefined error codes in settle (#7276)
• e573499 fix(fetch): defer global access in fetch adapter (#7260)
• ad68e1a fix(http): honor timeout during connect without redirects (#10819)
• 2a51828 fix(http): decode URL basic auth credentials (#10825)
• 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
• 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
• 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
• cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates gsap from 3.14.2 to 3.15.0

Commits

• 13e2b79 3.15.0
• See full diff in compare view

Updates ktx2-encoder from 0.5.1 to 0.5.3

Release notes

Sourced from ktx2-encoder's releases.

v0.5.3

No significant changes

    View changes on GitHub

Commits

• 5812848 chore: release v0.5.3
• 89f5587 chore: release v0.5.2
• bcdbbf6 fix: release BasisEncoder WASM allocation per encode call (#32)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for ktx2-encoder since your current version.

Updates postprocessing from 6.38.3 to 6.39.1

Release notes

Sourced from postprocessing's releases.

v6.39.1

Requires three ≥ 0.168.0 < 0.185.0

What's Changed

• Resolution: removed resizable property #742, 0933567
• Updated dependencies

Full Changelog: pmndrs/postprocessing@v6.39.0...v6.39.1

Special Thanks

Thanks @​juliangarnier and @​donmccurdy for the continued support! ✨

v6.39.0

Requires three ≥ 0.168.0 < 0.184.0

ℹ️ The minimum version of three was raised to r168

What's Changed

• Fix recursive depth texture binding issues in EffectComposer by @​Ameobea in pmndrs/postprocessing#740
• Change default type of internal depth textures to FloatType 67b277c
• Fix depth texture management #225, 1bcdefa
• EffectComposer: Remove unused constructor param alpha 5477fce
• EffectComposer: Remove createBuffer 3faeb4e, dd2bf69
• Pass: Add needsDepthBlit ab99cd1

New Contributors

• @​Ameobea made their first contribution in pmndrs/postprocessing#740

Full Changelog: pmndrs/postprocessing@v6.38.3...v6.39.0

Special Thanks

Thanks @​juliangarnier and @​donmccurdy for the continued support! ❤️

Commits

• a0dce6d Merge pull request #743 from pmndrs/dev
• 985534e Remove tslib
• 0ee0472 Version 6.39.1
• 10ea9ce Update pnpm-lock.yaml
• 047cb2c Update eslint.config.js
• 9481fd2 Update tsconfig.json
• f42880c Update package.json
• beca990 Remove tiny-glob
• fe06536 Update .gitignore
• 0933567 Remove resizable
• Additional commits viewable in compare view

Updates react from 19.2.4 to 19.2.6

Release notes

Sourced from react's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-colorful from 5.6.1 to 5.7.0

Release notes

Sourced from react-colorful's releases.

v5.7.0 (onChangeEnd)

Added onChangeEnd callback that fires when the user finishes changing a color (on mouse up, touch end, or arrow key up). Useful for undo/redo, saving to a database, or other expensive operations. (via #230)

<HexColorPicker
  color={color}
  onChange={setColor}
  onChangeEnd={(color) => saveToDatabase(color)}
/>

v5.6.2 (React 19 support)

Fix React 19 TypeScript compatibility (via #229)

Commits

• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.6

Release notes

Sourced from react-dom's releases.

19.2.6 (May 6th, 2026)

React Server Components

• Type hardening and performance improvements (#36425 by @​eps1lon and @​unstubbable)

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• eaf3e95 Version 19.2.6
• 23f4f9f 19.2.5
• See full diff in compare view

Updates three from 0.183.2 to 0.184.0

Commits

• See full diff in compare view

Updates wrangler from 4.72.0 to 4.90.0

Release notes

Sourced from wrangler's releases.

wrangler@4.90.0

Minor Changes

• #12279 248bc08 Thanks @​penalosa! - Add deprecation warning for delivery_delay in queue producer bindings

  The delivery_delay setting in [[queues.producers]] was silently having no effect since 2024. This change adds a deprecation warning when the setting is used, informing users that queue-level settings should be configured using wrangler queues update instead. The setting will be removed in a future version.

Patch Changes

• #13853 8852b0c Thanks @​gpanders! - Fix Containers SSH config

• #13858 e414e56 Thanks @​penalosa! - Fix wrangler whoami and account selection failing for Account API Tokens

  The /memberships fallback for Account API Tokens was checking for code 9109, but /memberships actually returns 9106 for that case. Correct the code so the fallback to /accounts triggers as intended.

• Updated dependencies []:

  • miniflare@4.20260507.1

wrangler@4.89.1

Patch Changes

• #13824 dd3baf3 Thanks @​emily-shen! - Fix container deployment being skipped for Workers for Platforms user workers

  Previously, deploying a worker with --dispatch-namespace would early-exit before calling deployContainers(), meaning container-app registration that links the image to the Durable Object namespace was never executed for WfP user workers. Container deployment now runs before the WfP early exit.

• Updated dependencies [5cf6f81]:

  • miniflare@4.20260507.1

wrangler@4.89.0

Minor Changes

• #13055 f3fed88 Thanks @​GregBrimble! - Introducing the cache configuration option for Workers.

  You can now set { cache: { enabled: true } } in your Wrangler configuration file to enable a HTTP cache in front of your Worker's fetch handler. This is also supported in [previews] configuration — previews.cache overrides the top-level cache setting for preview deployments, and falls back to the top-level value when absent. More information can be found in our documentation.

• #13776 1a54ac5 Thanks @​petebacondarwin! - wrangler dev and other Miniflare-backed commands now run the local workerd runtime with TZ=UTC to match production

  Previously, wrangler dev (and other commands that spin up Miniflare, such as wrangler kv, wrangler d1, wrangler r2, wrangler check) inherited the host machine's timezone, so Date and Intl APIs inside a Worker observed the developer's local timezone during local development but UTC in production. This caused subtle, hard-to-debug differences between local and deployed behaviour.

  Local development now matches production. Code that previously relied on the host timezone during wrangler dev will need to either accept UTC (the production behaviour) or explicitly construct dates/formatters with the desired timezone.

Patch Changes

• #13829 2284f20 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260504.1	1.20260506.1

... (truncated)

Commits

• 14d4768 Version Packages (#13856)
• e414e56 [wrangler] Fix Account API Tokens failing on /memberships (#13858)
• 8852b0c Fix Containers SSH config (#13853)
• 1527003 Migrate Workers AI references off deprecated models (#13850)
• e0c97ad Version Packages (#13851)
• dd3baf3 [wrangler] Fix container deployment being skipped for WfP user workers (#13824)
• 553aaa2 Version Packages (#13826)
• cf09891 Revert "Support stream (but keep pipeline backwards compatible) binding for P...
• 18e833d [wrangler] fix: throw clear error when _routes.json contains invalid JSON (#1...
• b6cea17 [wrangler] fix: ensure types --check --env-file does not falsely report stale...
• Additional commits viewable in compare view

Updates sass from 1.98.0 to 1.99.0

Release notes

Sourced from sass's releases.

Dart Sass 1.99.0

To install Sass 1.99.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

See the full changelog for changes in earlier releases.

Changelog

Sourced from sass's changelog.

1.99.0

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

Commits

• 83c39fe Support the top-level parent selector (#2758)
• ec85871 Bump EndBug/add-and-commit from 9 to 10 (#2756)
• a604acd [Function Name] Implement changes (#2731)
• See full diff in compare view

Updates vite-plugin-node-polyfills from 0.25.0 to 0.26.0

Release notes

Sourced from vite-plugin-node-polyfills's releases.

v0.26.0

• Add support for Vite v8 (thanks to @​sapphi-red)

Commits

• bef9c95 Release v0.26.0
• da9a42b feat: add Vite 8 to peer deps range (#151)
• See full diff in compare view