Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@sentry/vue (source)	10.49.0 → 10.50.0
axios (source)	1.15.0 → 1.15.2
geojs	1.19.0 → 1.19.1
ipython	==9.12.0 → ==9.13.0
maplibre-gl (source)	5.23.0 → 5.24.0
pydantic (changelog)	==2.13.2 → ==2.13.3
vue (source)	3.5.32 → 3.5.33
vue-router (source)	5.0.4 → 5.0.6

---

Release Notes

getsentry/sentry-javascript (@​sentry/vue)

v10.50.0

Compare Source

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

OpenGeoscience/geojs (geojs)

v1.19.1

Compare Source

Bug Fixes

• webgl: add osm layer context lost test (626c8d4)
• webgl: context dirty management and restoration (7016bc9)
• webgl: handle dirty context for textures/quads (e5c3cc8)
• webgl: restore renderer setup call on contextrestored (bf54180)
• webgl: webgl context lost/restore test (37052c7)
• webgl: webgl force context reload (a301b84)

ipython/ipython (ipython)

v9.13.0

Compare Source

maplibre/maplibre-gl-js (maplibre-gl)

v5.24.0

Compare Source

✨ Features and improvements

• GPU performance optimization: Render halo and glyph in a single pass (-40% Time Reduction) (#​7436) (by @​xavierjs)
• Optimize matrix inversions and reduce GPU stalls (#​7367) (by @​xavierjs)
• Add example showing how to measure map performance using built-in events (load, idle, render) (#​7077) (by @​CommanderStorm)

🐞 Bug fixes

• Fix Popup not updating its position when switching between terrain/globe projections (#​7468) (by @​CommanderStorm)
• Skip fog computation when fog opacity is zero (#​7476) (by @​CommanderStorm)

pydantic/pydantic (pydantic)

v2.13.3

Compare Source

GitHub release

What's Changed

Fixes

• Handle AttributeError subclasses with from_attributes by @​Viicos in #​13096

vuejs/core (vue)

v3.5.33

Compare Source

Bug Fixes

• compiler-sfc: handle nested :deep in selector pseudos (#​14725) (bb9d265), closes #​14724
• reactivity: unlink effect scopes on out-of-order off (#​14734) (e7659be), closes #​14733
• runtime-dom: preserve textarea resize dimensions (#​14747) (11fb2fd), closes #​14741
• teleport: don't move teleport children if not mounted (#​14702) (6a61f44), closes #​14701
• transition: preserve placeholder for conditional explicit default slots (#​14748) (45990ce), closes #​14727

vuejs/router (vue-router)

v5.0.6

Compare Source

   🐞 Bug Fixes

• Missing closing quote in generated import  -  by @​zjy040525 and @​posva in #​2688 (32f78)

    View changes on GitHub

v5.0.5

Compare Source

   🚀 Features

• Enable standard schema param parsers  -  by @​posva (ea8e3)
• Normalize param parsers once  -  by @​posva (48087)

   🐞 Bug Fixes

• Track definePage imports per-file to fix named view race condition  -  by @​posva (11191)
• Avoid double decoding hash on string location  -  by @​posva (1578c)

    View changes on GitHub

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying bats-ai with    Cloudflare Pages

Latest commit:	39d2a92
Status:	✅  Deploy successful!
Preview URL:	https://6c0c8bae.bats-ai.pages.dev
Branch Preview URL:	https://renovate-all-minor-patch.bats-ai.pages.dev

View logs