Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/setup-node	action	minor	v6.3.0 → v6.4.0
alpine	final	patch	3.23.3 → 3.23.4
axios (source)	resolutions	patch	1.15.0 → 1.15.2
axios (source)	dependencies	patch	1.15.0 → 1.15.2
node-sarif-builder	dependencies	minor	4.0.0 → 4.1.0
nvuillam/github-dependents-info	action	minor	v3.0.0 → v3.1.0

---

Release Notes

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

axios/axios (axios)

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

• Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#​10779)
• SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#​10777)
• Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#​10776)

🚀 New Features

• allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#​10777)

🐛 Bug Fixes

• Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #​10780). (#​10788)

🔧 Maintenance & Chores

• Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#​10781)

Full Changelog

v1.15.1

Compare Source

nvuillam/node-sarif-builder (node-sarif-builder)

v4.1.0

Compare Source

• Upgrade to Typescript v6
• Upgrade NPM dependencies

nvuillam/github-dependents-info (nvuillam/github-dependents-info)

v3.1.0

Compare Source

What's Changed

• Add summary example in README by @​nvuillam in #​779
• Update all non-major dependencies by @​renovate[bot] in #​778
• Update all non-major dependencies by @​renovate[bot] in #​940
• Update docker/setup-qemu-action action to v4 by @​renovate[bot] in #​948
• Update docker/build-push-action action to v7 by @​renovate[bot] in #​945
• Update docker/login-action action to v4 by @​renovate[bot] in #​946
• Update docker/setup-buildx-action action to v4 by @​renovate[bot] in #​947
• Update actions/upload-artifact action to v7 by @​renovate[bot] in #​934
• Update dependency tzdata to v2026 by @​renovate[bot] in #​944
• Update dependency isort to v8 by @​renovate[bot] in #​941
• Update dependency pytz to v2026 by @​renovate[bot] in #​942
• Update dependency rich to v15 by @​renovate[bot] in #​943
• ⬆️ Bump pydantic-core from 2.41.5 to 2.42.0 by @​dependabot[bot] in #​921
• ⬆️ Bump stevedore from 5.6.0 to 5.7.0 by @​dependabot[bot] in #​914
• ⬆️ Bump regex from 2025.11.3 to 2026.2.19 by @​dependabot[bot] in #​912
• ⬆️ Bump platformdirs from 4.5.1 to 4.9.2 by @​dependabot[bot] in #​905
• ⬆️ Bump tenacity from 9.1.2 to 9.1.4 by @​dependabot[bot] in #​882
• ⬆️ Bump astroid from 4.0.2 to 4.0.4 by @​dependabot[bot] in #​879
• ⬆️ Bump tqdm from 4.67.1 to 4.67.3 by @​dependabot[bot] in #​868
• ⬆️ Bump pycparser from 2.23 to 3.0 by @​dependabot[bot] in #​844
• Update dependency certifi to v2026 by @​renovate[bot] in #​791
• ⬆️ Bump packaging from 25.0 to 26.0 by @​dependabot[bot] in #​843
• ⬆️ Bump dill from 0.4.0 to 0.4.1 by @​dependabot[bot] in #​837
• ⬆️ Bump identify from 2.6.15 to 2.6.16 by @​dependabot[bot] in #​819
• ⬆️ Bump tomli from 2.3.0 to 2.4.0 by @​dependabot[bot] in #​820
• ⬆️ Bump tomlkit from 0.13.3 to 0.14.0 by @​dependabot[bot] in #​818
• ⬆️ Bump ruamel-yaml from 0.18.17 to 0.19.1 by @​dependabot[bot] in #​788
• [GitHub Dependents Info] Updated markdown file by @​github-actions[bot] in #​771
• changelog by @​nvuillam in #​950

Full Changelog: nvuillam/github-dependents-info@v3.0.0...v3.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ DOCKERFILE	hadolint	1		0	0	0.04s
✅ GROOVY	npm-groovy-lint	10	3	0	0	24.13s
✅ JAVASCRIPT	prettier	100	100	0	0	3.79s
✅ JSON	jsonlint	9		0	0	0.38s
✅ JSON	npm-package-json-lint	yes		no	no	0.58s
✅ JSON	prettier	9	4	0	0	1.85s
✅ JSON	v8r	9		0	0	10.94s
⚠️ MARKDOWN	markdownlint	8	3	3	0	2.7s
✅ MARKDOWN	markdown-table-formatter	8	6	0	0	0.75s
✅ REPOSITORY	checkov	yes		no	no	17.35s
✅ REPOSITORY	gitleaks	yes		no	no	8.12s
✅ REPOSITORY	git_diff	yes		no	no	0.09s
✅ REPOSITORY	grype	yes		no	no	32.04s
✅ REPOSITORY	secretlint	yes		no	no	0.95s
✅ REPOSITORY	trivy	yes		no	no	6.64s
✅ REPOSITORY	trufflehog	yes		no	no	2.53s
✅ SPELL	cspell	140		0	0	7.62s
⚠️ SPELL	lychee	20		16	0	43.59s
✅ XML	xmllint	1	0	0	0	0.22s
✅ YAML	prettier	3	0	0	0	1.19s
✅ YAML	v8r	3		0	0	6.9s
✅ YAML	yamllint	3		0	0	0.74s

Detailed Issues

⚠️ SPELL / lychee - 16 errors

[WARN ] Error creating request: InvalidPathToUri("/lib/java/logback.xml")
[403] https://www.npmjs.com/package/amplitude | Network error: Forbidden
[403] https://npmjs.org/package/npm-groovy-lint | Network error: Forbidden
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Error (cached)
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/amplitude | Error (cached)
[403] https://npmjs.org/package/npm-groovy-lint | Error (cached)
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/analytics | Network error: Forbidden
[403] https://www.npmjs.com/package/analytics | Error (cached)
[403] https://www.npmjs.com/package/insight | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/insight | Error (cached)
[404] https://github.com/vafgoettlich | Network error: Not Found
[IGNORED] git+https://github.com/nvuillam/npm-groovy-lint.git | Unsupported: Error creating request client: builder error for url (git+https://github.com/nvuillam/npm-groovy-lint.git)
[404] https://github.com/vafgoettlich/checkmk | Network error: Not Found
📝 Summary
---------------------
🔍 Total..........455
✅ Successful.....430
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........8
❓ Unknown..........0
🚫 Errors..........16

Errors in README.md
[403] https://npmjs.org/package/npm-groovy-lint | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://www.npmjs.com/package/amplitude | Network error: Forbidden
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Network error: Forbidden

Errors in CHANGELOG.md
[403] https://www.npmjs.com/package/analytics | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/insight | Network error: Forbidden

Errors in docs/CHANGELOG.md
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/analytics | Error (cached)
[403] https://www.npmjs.com/package/insight | Error (cached)

Errors in docs/github-dependents-info.md
[404] https://github.com/vafgoettlich | Network error: Not Found
[404] https://github.com/vafgoettlich/checkmk | Network error: Not Found

Errors in docs/index.md
[403] https://www.npmjs.com/package/amplitude | Error (cached)
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Error (cached)
[403] https://npmjs.org/package/npm-groovy-lint | Error (cached)
[403] https://www.npmjs.com/package/java-caller | Error (cached)

⚠️ MARKDOWN / markdownlint - 3 errors

docs/github-dependents-info.md:11:3 MD051/link-fragments Link fragments should be valid [Context: "[github.com/nvuillam/npm-groovy-lint](#package-github.comnvuillamnpm-groovy-lint)"]
docs/index.md:39:65 MD059/descriptive-link-text Link text should be descriptive [Context: "[**here**]"]
README.md:39:65 MD059/descriptive-link-text Link text should be descriptive [Context: "[**here**]"]

See detailed reports in MegaLinter artifacts

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	node-sarif-builder@​4.0.0 ⏵ 4.1.0	+1		+1	+3
	axios@​1.15.0 ⏵ 1.15.2	+9

View full report