build(deps): bump google-auth-library from 9.15.1 to 10.6.1

[dependabot]

Bumps google-auth-library from 9.15.1 to 10.6.1.

Release notes

Sourced from google-auth-library's releases.

google-auth-library: v10.6.1

10.6.1 (2026-02-20)

Bug Fixes

• DefaultAwsSecurityCredentialSupplier fetches aws-credentials correctly from credential-url (#901) (8c50526)

google-auth-library: v10.6.0

10.6.0 (2025-12-17)

Features

• auth: Use gtoken from internal class instead of dependency (#815) (a38857c)

Changelog

Sourced from google-auth-library's changelog.

10.6.1 (2026-02-20)

Bug Fixes

• DefaultAwsSecurityCredentialSupplier fetches aws-credentials correctly from credential-url (#901) (8c50526)

10.6.0 (2025-12-17)

Features

• auth: Use gtoken from internal class instead of dependency (#815) (a38857c)

10.5.0 (2025-10-30)

Features

• Support scopes from impersonated JSON (#2170) (f50cb67)

10.4.2 (2025-10-23)

Bug Fixes

• Export ExternalAccountAuthorizedUserCredential (#2166) (c128149)

10.4.1 (2025-10-14)

Bug Fixes

• deps: Update dependency @​googleapis/iam to v33 (#2146) (bbee39e)
• deps: Update dependency @​googleapis/iam to v34 (#2159) (0006ae2)
• deps: Update dependency dotenv to v17 (#2150) (5b2c7c5)
• deps: Update dependency gcp-metadata to v8 (#2158) (7e547d4)
• Disable linkinator until 429 issue is fixed. (#2138) (2f54532)
• Link to customCredentialSupplierOktaWorkload (#2149) (3cdef01)

10.4.0 (2025-09-30)

Features

• Add console warnings for mitigating file based credential load … (#2143) (cae596b)

10.3.1 (2025-09-26)

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[SumiyaE]

This PR would also resolve #2935.

Upgrading google-auth-library from v9 to v10 updates gaxios from v6 to v7, which replaces node-fetch@^2 with node-fetch@^3. This eliminates the transitive dependency on whatwg-url@5 → [email protected] → built-in punycode, resolving the [DEP0040] deprecation warning on Node.js 21+.

It also resolves the [DEP0169] (url.parse()) warning, since node-fetch@2 uses the deprecated url.parse() internally.

CI is all green — would love to see this merged!

[SumiyaE]

@lahirumaramba This PR addresses the issue you investigated in #2935. Could you take a look when you get a chance?

[lahirumaramba]

Thanks @SumiyaE! I was hesitant to merge this earlier because it's a major version bump of google-auth-library. I'm assuming the exception we implemented for the fast-xml-parser fix allowed the CI to pass... I think merging this is reasonable.