Bump the legacy-ui-package-updates group across 1 directory with 23 updates

[dependabot]

Bumps the legacy-ui-package-updates group with 22 updates in the /airflow/www directory:

Package	From	To
axios	1.13.6	1.15.0
lodash	4.17.23	4.18.1
moment-timezone	0.6.0	0.6.1
react	19.2.4	19.2.5
react-dom	19.2.4	19.2.5
react-router-dom	7.13.1	7.14.0
swagger-ui-dist	5.32.0	5.32.2
type-fest	5.4.4	5.5.0
validator	13.15.26	13.15.35
@babel/preset-env	7.29.0	7.29.2
@types/color	4.2.0	4.2.1
@typescript-eslint/parser	8.56.1	8.58.1
babel-jest	30.2.0	30.3.0
babel-loader	10.0.0	10.1.1
globals	17.4.0	17.5.0
jest	30.2.0	30.3.0
jest-environment-jsdom	30.2.0	30.3.0
mini-css-extract-plugin	2.10.0	2.10.2
prettier	3.8.1	3.8.2
stylelint	17.4.0	17.7.0
terser-webpack-plugin	5.3.17	5.4.0
webpack	5.105.4	5.106.1

Updates axios from 1.13.6 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

• Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

• SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

• Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

• Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

• CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

• Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

• Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​Kilros0817 (#10625)
• @​shaanmajid (#10616, #10617, #10618, #10619, #10637, #10641, #10666)
• @​ashstrc (#10624, #10644)
• @​Abhi3975 (#10589)
• @​raashish1601 (#10573)

Full Changelog

---

v1.14.0 — March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

• Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

🐛 Bug Fixes

... (truncated)

Commits

• 772a4e5 chore(release): prepare release 1.15.0 (#10671)
• 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
• 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
• fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
• 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
• 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
• e66530e ci: require npm-publish environment for releases (#10666)
• 49f23cb chore(sponsor): update sponsor block (#10668)
• 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
• fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates chakra-react-select from 4.0.3 to 4.10.1

Release notes

Sourced from chakra-react-select's releases.

4.10.1

What's Changed

• fix: Reduce selected menu option styles specificity by @​csandman in csandman/chakra-react-select#338

Full Changelog: csandman/chakra-react-select@v4.10.0...v4.10.1

4.10.0

What's Changed

• fix: Switch peer dependencies to depend on @chakra-ui/react instead of sub-packages by @​csandman in csandman/chakra-react-select#336

Full Changelog: csandman/chakra-react-select@v4.9.2...v4.10.0

4.9.2

What's Changed

• fix: Change package type back to default of "commonjs" by @​csandman in csandman/chakra-react-select#331
  • This was to fix #329, which was being caused by Jest importing the wrong build of the package.

Full Changelog: csandman/chakra-react-select@v4.9.1...v4.9.2

4.9.1

What's Changed

• fix: Fix react-select core Props type export by @​csandman in csandman/chakra-react-select#324

Full Changelog: csandman/chakra-react-select@v4.9.0...v4.9.1

4.9.0

What's Changed

• chore: Switch to tsup for building and update dependencies by @​csandman in csandman/chakra-react-select#298
  • This change should finally make this package fully support ESM, where as before it didn't really which was causing some issues. It should fix an issue with the ID prop not matching mentioned in #260, without the need for a workaround. Check the PR description for full details!

I tested this change in a few different environments with different module resolution setups but it's possible I missed a case. If it ends up not working for your particular setup, please open a bug report with as much specific information as you can give me, such as:

• Chakra Package Versions
• React Version
• TypeScript or Vanilla
• Yarn or NPM (and which version of the package manager you're on)
• Your jsconfig/tsconfig setup

I'm not likely to figure out what's going on if I can't replicate the environment locally, so the more information you can provide the better!

Full Changelog: csandman/chakra-react-select@v4.8.0...v4.9.0

4.8.0

What's Changed

• chore: Update all dependencies by @​csandman in csandman/chakra-react-select#315

... (truncated)

Commits

• b49461f 4.10.1
• 2269b85 Merge pull request #338 from csandman/fix/selected-menu-option-styles
• 61bfe64 Generalize the dependency version of react-select
• f806801 Reduce selected menu option styles specificity
• 9b9ddcc 4.10.0
• 12d7cc6 Merge pull request #336 from csandman/fix/switch-to-chakra-ui-react-imports
• f9822c4 Remove CodeSandbox CI
• b495516 Update TSConfig once more
• cef98ce Switch to using the single package import approach for @​chakra-ui/react
• c68d4a7 4.9.2
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates lodash from 4.17.23 to 4.18.1

Release notes

Sourced from lodash's releases.

4.18.1

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See lodash/lodash#6167

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

4.18.0

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#6099)
• Document lower > upper behavior in _.random (#6115)
• Fix quotes in _.compact jsdoc (#6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

Commits

• cb0b9b9 release(patch): bump main to 4.18.1 (#6177)
• 75535f5 chore: prune stale advisory refs (#6170)
• 62e91bc docs: remove n_ Node.js < 6 REPL note from README (#6165)
• 59be2de release(minor): bump to 4.18.0 (#6161)
• af63457 fix: broken tests for _.template 879aaa9
• 1073a76 fix: linting issues
• 879aaa9 fix: validate imports keys in _.template
• fe8d32e fix: block prototype pollution in baseUnset via constructor/prototype traversal
• 18ba0a3 refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)
• b819080 ci: add dist sync validation workflow (#6137)
• Additional commits viewable in compare view

Updates moment-timezone from 0.6.0 to 0.6.1

Release notes

Sourced from moment-timezone's releases.

Release 0.6.1

• Updated data to IANA TZDB 2026a. #1140

NOTE: This release does not include recently-announced DST changes for British Columbia, Canada. Those changes will likely be in 2026b.

Changelog

Sourced from moment-timezone's changelog.

0.6.1 2026-03-18

• Updated data to IANA TZDB 2026a. #1140

Commits

• 13e724c Build moment-timezone 0.6.1
• 22070ff Bump version to 0.6.1
• b4ebddb Merge pull request #1140 from moment/automated/data-update
• cb47a65 data: Add 2026a
• 026466a build(deps): bump lodash from 4.17.21 to 4.17.23 (#1137)
• 6dc5413 Update Antarctica guess tests for 2026
• 0efed48 build(deps): bump js-yaml from 3.14.1 to 3.14.2 (#1136)
• See full diff in compare view

Updates react from 19.2.4 to 19.2.5

Release notes

Sourced from react's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-dom from 19.2.4 to 19.2.5

Release notes

Sourced from react-dom's releases.

19.2.5 (April 8th, 2026)

React Server Components

• Add more cycle protections (#36236 by @​eps1lon and @​unstubbable)

Commits

• 23f4f9f 19.2.5
• See full diff in compare view

Updates react-router-dom from 7.13.1 to 7.14.0

Changelog

Sourced from react-router-dom's changelog.

7.14.0

Patch Changes

• Updated dependencies:
  • react-router@7.14.0

7.13.2

Patch Changes

• Updated dependencies:
  • react-router@7.13.2

Commits

• e31077b chore: Update version for release (#14945)
• 6683e85 chore: Update version for release (pre) (#14943)
• aadb56f chore: Update version for release (#14908)
• c68a9b3 chore: Update version for release (pre) (#14893)
• See full diff in compare view

Updates swagger-ui-dist from 5.32.0 to 5.32.2

Release notes

Sourced from swagger-ui-dist's releases.

v5.32.2

5.32.2 (2026-04-07)

Bug Fixes

• docker: bump libpng and zlib versions to fix CVE-2026-33416, CVE-2026-33636 and CVE-2026-22184 (#10802) (c200a69)

v5.32.1

5.32.1 (2026-03-17)

Bug Fixes

• invalidate models components cache based on location (#10764) (fb78dd2)
• style: use container queries for responsive design (#10763) (e35000e)

Commits

• d02a2df chore(release): cut the 5.32.2 release
• c200a69 fix(docker): bump libpng and zlib versions to fix CVE-2026-33416, CVE-2026-33...
• eff82c1 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#10801)
• 860ade2 chore(deps): bump defu from 6.1.4 to 6.1.6 (#10797)
• 749ec50 chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 (#10777)
• b339e55 chore(deps): bump node-forge from 1.3.3 to 1.4.0 (#10781)
• 692e0ac chore(deps-dev): bump serialize-javascript from 7.0.4 to 7.0.5 (#10782)
• 14cc424 chore(deps-dev): bump brace-expansion from 1.1.12 to 1.1.13 (#10783)
• 076c188 chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#10778)
• f251747 chore(deps-dev): bump flatted from 3.3.3 to 3.4.2 (#10774)
• Additional commits viewable in compare view

Updates type-fest from 5.4.4 to 5.5.0

Release notes

Sourced from type-fest's releases.

v5.5.0

New types

• Optional (#1374) 9b52980
• ExcludeExactly (#1349) 0f923d0
• ArrayLength (#1344) 59bd056
• UnionMember (#1368) 878b6df
• SomeExtend (#1380) bbce298
• AndAll (#1383) 94aa3f8
• OrAll (#1378) 4c42d89

Improvements

• Add function parameter constraint examples to numeric comparison types (#1357) 24be93d
• UnionToTuple: Fix behavior when a union member is a supertype of another (#1349) 0f923d0
• ConditionalPickDeep: Fix returning {} instead of never when no keys match (#1360) 6af847a
• ConditionalPick: Fix returning {} instead of never when no keys match (#1359) 3995003
• GreaterThan / LessThan / GreaterThanOrEqual / LessThanOrEqual: Fix behavior with the number type (#1363) cfea505

---

sindresorhus/type-fest@v5.4.4...v5.5.0

Commits

• 0329b2b 5.5.0
• 0f923d0 UnionToTuple: Fix behavior when a union member is a supertype of another; A...
• 94aa3f8 Add AndAll type (#1383)
• 4c42d89 Add OrAll type (#1378)
• 878b6df Add UnionMember type (#1368)
• bbce298 Add SomeExtend type (#1380)
• d3302ce Validate twoslash types against different verbosity levels (#1364)
• 9b52980 Add Optional type (#1374)
• b0a606b Merge: Improve documentation (#1375)
• 76bd9cd Fix typos
• Additional commits viewable in compare view

Updates validator from 13.15.26 to 13.15.35

Release notes

Sourced from validator's releases.

13.15.35

Fixes, New Locales and Enhancements

• #2663 isISO31661Alpha2/isISO31661Alpha3: add support for Kosovo (XK / XXK) @​johanpoirier-d4
• #2661 isHexColor: ignore non-object options @​yuna0831
• isTaxID
  • #2644 improve pt-BR locale by adding support for alphanumeric CNPJ format @​easedu
  • #2675 improve pt-BR locale by adding support for formatted CPF values @​easedu
• #2643 isPassportNumber: improve MX locale @​jesroffrouk
• #2676 isMobilePhone: add fr-DJ locale @​Kartikeya-guthub
• #2682 isPostalCode: add MC locale @​moogblob
• #2690 isJSON: allow any valid JSON value to pass @​relu91
• #2693 isSlug: restrict allowed characters to valid slug charset @​Shrawak
• Doc fixes and others:
  • #2658 @​Manaskarthik28
  • #2592 @​noritaka1166
  • #2591 @​noritaka1166

New Contributors

• @​Manaskarthik28 made their first contribution in validatorjs/validator.js#2658
• @​johanpoirier-d4 made their first contribution in validatorjs/validator.js#2663
• @​yuna0831 made their first contribution in validatorjs/validator.js#2661
• @​easedu made their first contribution in validatorjs/validator.js#2644
• @​jesroffrouk made their first contribution in validatorjs/validator.js#2643
• @​Kartikeya-guthub made their first contribution in validatorjs/validator.js#2676
• @​moogblob made their first contribution in validatorjs/validator.js#2682
• @​noritaka1166 made their first contribution in validatorjs/validator.js#2592
• @​relu91 made their first contribution in validatorjs/validator.js#2690
• @​Shrawak made their first contribution in validatorjs/validator.js#2693

Full Changelog: validatorjs/validator.js@13.15.26...13.15.35

Changelog

Sourced from validator's changelog.

13.15.35

Fixes, New Locales and Enhancements

• #2663 isISO31661Alpha2/isISO31661Alpha3: add support for Kosovo (XK / XXK) @​johanpoirier-d4
• #2661 isHexColor: ignore non-object options @​yuna0831
• isTaxID
  • #2644 improve pt-BR locale by adding support for alphanumeric CNPJ format @​easedu
  • #2675 improve pt-BR locale by adding support for formatted CPF values @​easedu
• #2643 isPassportNumber: improve MX locale @​jesroffrouk
• #2676 isMobilePhone: add fr-DJ locale @​Kartikeya-guthub
• #2682 isPostalCode: add MC locale @​moogblob
• #2690 isJSON: allow any valid JSON value to pass @​relu91
• #2693 isSlug: restrict allowed characters to valid slug charset @​Shrawak
• Doc fixes and others:
  • #2658 @​Manaskarthik28
  • #2592 @​noritaka1166
  • #2591 @​noritaka1166

Commits

• 7a80797 maintenance: 2604 release (#2695)
• 941db7f fix(isSlug): restrict allowed characters to valid slug charset (#2693)
• 2758f70 chore: fix typo in comment (#2591)
• fcfbff5 feat(isJson): allow any valid JSON value to pass (#2690)
• f06caee refactor: replace if-then-else flow by a single return statement (#2592)
• 9fa1e3a feat(isPostalCode): Add postal code for Monaco (#2682)
• b1aea75 feat(isMobilePhone): add Djibouti (fr-DJ) mobile phone validation (#2676)
• f715cdd fix(isPassportNumber): improve MX locale (#2643)
• e8c6914 fix(isTaxID): add formatted CPF support and additional test cases for pt-BR l...
• 90b0a9a fix(isTaxID): improve pt-BR locale by adding support for alphanumeric CNPJ ...
• Additional commits viewable in compare view

Updates @babel/preset-env from 7.29.0 to 7.29.2

Release notes

Sourced from @​babel/preset-env's releases.

v7.29.2 (2026-03-16)

👓 Spec Compliance

• babel-parser
  • #17840 [7.x backport] async x => {} must be in leading pos (@​JLHwung)

🐛 Bug Fix

• babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • #17805 [7.x backport] fix: Properly handle await in finally (@​liuxingbaoyu)
• babel-preset-env
  • #17789 [7.x backport] preset-env include/exclude should accept bugfix plugins (@​JLHwung)

🏠 Internal

• #17813 chore: update eslint peer deps (@​JLHwung)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

v7.29.1 (2026-02-04)

🐛 Bug Fix

• babel-standalone
  • #17771 [7.x backport] fix: ensure targets.esmodules is validated (@​JLHwung)
• babel-generator
  • #17776 [7.x backport] Fix undefined when 64 indents (@​liuxingbaoyu)

Committers: 2

• Huáng Jùnliàng (@​JLHwung)
• @​liuxingbaoyu

Commits

• 37d5595 v7.29.2