
build(deps): Bump the production group in /services with 15 updates #720

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/services/production-b6f96a4a0f
@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps the production group in /services with 15 updates:

| Package | From | To |
| --- | --- | --- |
| @mean-stream/nestx | 0.14.0 | 0.15.0 |
| @nestjs/common | 11.1.17 | 11.1.19 |
| @nestjs/core | 11.1.18 | 11.1.19 |
| @nestjs/event-emitter | 3.0.1 | 3.1.0 |
| @nestjs/platform-express | 11.1.17 | 11.1.19 |
| @nestjs/schedule | 6.1.1 | 6.1.3 |
| @nestjs/swagger | 11.2.6 | 11.4.2 |
| @nestjs/websockets | 11.1.17 | 11.1.19 |
| @sentry/nestjs | 10.46.0 | 10.51.0 |
| @sentry/node | 10.46.0 | 10.51.0 |
| axios | 1.15.0 | 1.15.2 |
| dockerode | 4.0.10 | 5.0.0 |
| jsdom | 29.0.1 | 29.1.1 |
| mongoose | 9.3.3 | 9.6.1 |
| openai | 6.33.0 | 6.35.0 |

Updates @mean-stream/nestx from 0.14.0 to 0.15.0

Updates @nestjs/common from 11.1.17 to 11.1.19

Release notes

Sourced from @​nestjs/common's releases.

v11.1.19 (2026-04-13)

Bug fixes

Committers: 2

v11.1.18 (2026-04-03)

Bug fixes

Dependencies

Committers: 6

Commits
  • 6730995 chore(release): publish v11.1.19 release
  • 3c1cc5f chore(release): publish v11.1.18 release
  • a39e345 refactor(common): change console logger helpers to protected
  • 34f0f28 chore(deps): bump file-type from 21.3.3 to 21.3.4
  • 0e96b0a chore(deps): bump file-type from 21.3.2 to 21.3.3
  • 5a05f52 chore: update readme
  • See full diff in compare view

Updates @nestjs/core from 11.1.18 to 11.1.19

Release notes

Sourced from @​nestjs/core's releases.

v11.1.19 (2026-04-13)

Bug fixes

Committers: 2

Commits

Updates @nestjs/event-emitter from 3.0.1 to 3.1.0

Release notes

Sourced from @​nestjs/event-emitter's releases.

Release 3.1.0

What's Changed

New Contributors

Full Changelog: nestjs/event-emitter@3.0.1...3.1.0

Commits
  • 35b9313 chore(): release v3.1.0
  • 53d3b82 Merge pull request #1708 from nestjs/renovate/cimg-node-24.x
  • eb7bde2 Merge pull request #1715 from kyungseopk1m/feat/inherit-request-context-id
  • c06defe feat(loader): inherit request context id in request-scoped listeners
  • f711eb5 chore(deps): update dependency @​commitlint/cli to v20.5.2 (#1714)
  • e684d68 chore(deps): update dependency release-it to v20.0.1 (#1713)
  • 85f0265 chore(deps): update dependency vite to v8.0.10 (#1712)
  • 770cc24 chore(deps): update dependency vitest to v4.1.5 (#1711)
  • 85bb425 chore(deps): update dependency oxlint to v1.61.0 (#1710)
  • 6be695c chore(deps): update dependency vite to v8.0.9 (#1709)
  • Additional commits viewable in compare view

Updates @nestjs/platform-express from 11.1.17 to 11.1.19

Release notes

Sourced from @​nestjs/platform-express's releases.

v11.1.19 (2026-04-13)

Bug fixes

Committers: 2

v11.1.18 (2026-04-03)

Bug fixes

Dependencies

Committers: 6

Commits
  • 6730995 chore(release): publish v11.1.19 release
  • 3c1cc5f chore(release): publish v11.1.18 release
  • 0ca5440 Merge pull request #16627 from ankitbelal/refactor/centralize-headers-and-par...
  • 25d4fde fix(deps): update dependency path-to-regexp to v8.4.2
  • 5c0b11e fix(deps): update dependency path-to-regexp to v8.4.1
  • d0a9dc9 fix(deps): update dependency path-to-regexp to v8.4.0
  • 1a14884 refactor(core): centralize headers for streamable file responses
  • 5a05f52 chore: update readme
  • See full diff in compare view

Updates @nestjs/schedule from 6.1.1 to 6.1.3

Release notes

Sourced from @​nestjs/schedule's releases.

6.1.3

What's Changed

Full Changelog: nestjs/schedule@6.1.2...6.1.3

Release 6.1.2

  • Merge pull request #2247 from kyungseopk1m/feat/cron-initial-delay (a57ce2c)
  • chore(deps): update dependency prettier to v3.8.3 (#2248) (bb3490d)
  • feat(cron): add initialDelay option to defer first job execution (1c5677f)
  • Merge pull request #2245 from nestjs/renovate/nest-monorepo (59046bd)
  • Merge pull request #2246 from nestjs/renovate/oxlint-monorepo (be4eee3)
  • chore(deps): update dependency oxlint to v1.60.0 (32a9ce2)
  • chore(deps): update nest monorepo to v11.1.19 (7d3844f)
  • chore: migrate to oxlint, vitest, ts6 (29de71b)
  • chore(deps): update dependency globals to v17.5.0 (#2244) (6c62cca)
  • chore(deps): update dependency sinon to v21.1.2 (#2243) (ee3b31a)
  • chore(deps): update dependency sinon to v21.1.1 (#2241) (eba9799)
  • Merge pull request #2242 from nestjs/renovate/prettier-3.x (c3ad0f7)
  • chore(deps): update dependency prettier to v3.8.2 (798e2a9)
  • Merge pull request #2199 from nestjs/renovate/cimg-node-24.x (a05354a)
  • chore(deps): update dependency typescript-eslint to v8.58.1 (#2240) (0367ac1)
  • chore(deps): update dependency eslint to v10.2.0 (#2239) (fa93e06)
  • chore(deps): update nest monorepo to v11.1.18 (#2238) (8cd4c02)
  • chore(deps): update dependency @​types/node to v24.12.2 (#2237) (01482df)
  • chore(deps): update dependency @​types/sinon to v21.0.1 (#2236) (f05b5bd)
  • chore(deps): update dependency ts-jest to v29.4.9 (#2235) (af545e6)
  • chore(deps): update dependency typescript-eslint to v8.58.0 (#2233) (4dad22a)
  • chore(deps): update node.js to v24.14.1 (28db9bc)
  • chore(deps): update dependency eslint to v10.1.0 (#2232) (413f390)
  • chore(deps): update nest monorepo to v11.1.17 (#2230) (46c2bc5)
  • chore(deps): update dependency typescript-eslint to v8.57.1 (#2231) (8fd063b)
  • chore(deps): update dependency sinon to v21.0.3 (#2229) (1671ad9)
  • chore(deps): update commitlint monorepo to v20.5.0 (#2228) (2ecd2f1)
  • chore(deps): update dependency lint-staged to v16.4.0 (#2227) (aa0de01)
  • chore(deps): update commitlint monorepo to v20.4.4 (#2226) (75034fe)
  • chore(deps): update dependency lint-staged to v16.3.3 (#2225) (f1c7d31)
  • chore(deps): update dependency jest to v30.3.0 (#2224) (1a208d4)
  • chore(deps): update dependency typescript-eslint to v8.57.0 (#2223) (60dd2c9)
  • chore(deps): update dependency eslint to v10.0.3 (#2221) (791b6ba)
  • chore(deps): update dependency @​eslint/eslintrc to v3.3.5 (#2220) (0da1ca7)
  • chore(deps): update dependency @​types/node to v24.12.0 (#2219) (934a93e)
  • chore(deps): update nest monorepo to v11.1.16 (#2218) (5f44e9b)
  • chore(deps): update dependency sinon to v21.0.2 (#2217) (b807746)
  • chore(deps): update dependency lint-staged to v16.3.2 (#2216) (4ca32bd)
  • chore(deps): update commitlint monorepo to v20.4.3 (#2215) (d3ceb76)
  • chore(deps): update nest monorepo to v11.1.15 (#2214) (b084ffc)
  • chore(deps): update dependency lint-staged to v16.3.1 (#2213) (8a201b2)
  • chore(deps): update dependency globals to v17.4.0 (#2212) (6f61793)
  • chore(deps): update dependency lint-staged to v16.3.0 (#2211) (aa9213a)

... (truncated)

Commits
  • 059f196 Merge pull request #2249 from nestjs/renovate/release-it-20.x
  • 557730e Merge pull request #2251 from kyungseopk1m/feat/cron-initial-delay-v2
  • 14f5b80 feat(cron): add initialDelay option to defer first job execution
  • 536367d chore(deps): update dependency release-it to v20
  • 57e2861 Merge pull request #2250 from nestjs/revert-2247-feat/cron-initial-delay
  • e08f457 Revert "feat(cron): add initialDelay option to defer first job execution"
  • 3198abe chore(): release v6.1.2
  • a57ce2c Merge pull request #2247 from kyungseopk1m/feat/cron-initial-delay
  • bb3490d chore(deps): update dependency prettier to v3.8.3 (#2248)
  • 1c5677f feat(cron): add initialDelay option to defer first job execution
  • Additional commits viewable in compare view

Updates @nestjs/swagger from 11.2.6 to 11.4.2

Release notes

Sourced from @​nestjs/swagger's releases.

Release 11.4.2

11.4.2 (2026-04-27)

Bug fixes

  • #3867 fix(plugin): keep auto-inferred default response when only error Api*Response decorators are present (@​PeterTheOne)
  • #3876 fix(plugin): handle IsIn enum inference when type falls back to Object (@​y-hsgw)

Committers: 2

Release 11.4.1

11.4.1 (2026-04-22)

Bug fixes

Committers: 1

Release 11.4.0

11.4.0 (2026-04-22)

Features

Bug fixes

Enhancements

  • #3865 feat(schema-object-factory): include class name chain in circular dependency errors (@​yogeshwaran-c)

Committers: 4

Release 11.3.2

What's Changed

New Contributors

... (truncated)

Commits
  • 3f58449 chore(): release v11.4.2
  • b0a35f3 Merge pull request #3867 from PeterTheOne/fix-error-only-response-decorators-...
  • f01f6aa refactor(plugin): make isSuccessOrRedirectApiResponseArg a private method
  • 7999f78 test: inspect @​ApiResponse status arg and extend fixture with redirect/500 cases
  • 977a139 fix(plugin): keep auto-inferred default response when only error Api*Response...
  • a51cf09 Merge pull request #3876 from y-hsgw/fix/plugin-string-literal-union-type
  • a8acf7a chore(deps): update dependency @​commitlint/cli to v20.5.2 (#3878)
  • e054058 chore(deps): update dependency release-it to v20.0.1 (#3877)
  • 9a3745b fix(plugin): enhance enum handling for literal union types in schema generation
  • 6e1bb8f Merge pull request #3875 from nestjs/renovate/vite-8.x-lockfile
  • Additional commits viewable in compare view

Updates @nestjs/websockets from 11.1.17 to 11.1.19

Release notes

Sourced from @​nestjs/websockets's releases.

v11.1.19 (2026-04-13)

Bug fixes

Committers: 2

v11.1.18 (2026-04-03)

Bug fixes

Dependencies

Committers: 6

Commits

Updates @sentry/nestjs from 10.46.0 to 10.51.0

Release notes

Sourced from @​sentry/nestjs's releases.

10.51.0

Important Changes

  • feat(cloudflare): Add trace propagation for RPC method calls (#20343)

    Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects. This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

    // Worker
    export default Sentry.withSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      handler,
    );
    // Durable Object
    export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      MyDurableObjectBase,
    );

  • feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#20497)

    To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options. Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme):

    // instrument.mjs (or instrument.ts)
    import * as Sentry from '@sentry/hono/node';
    Sentry.init({
      dsn: 'DSN',
      tracesSampleRate: 1.0,
    });

  • feat(nitro): Add @sentry/nitro SDK (#19224)

    A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig. Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

... (truncated)

Changelog

Sourced from @​sentry/nestjs's changelog.

10.51.0

Important Changes

  • feat(cloudflare): Add trace propagation for RPC method calls (#20343)

    Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects. This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

    // Worker
    export default Sentry.withSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      handler,
    );
    // Durable Object
    export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      MyDurableObjectBase,
    );

  • feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#20497)

    To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options. Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme):

    // instrument.mjs (or instrument.ts)
    import * as Sentry from '@sentry/hono/node';
    Sentry.init({
      dsn: 'DSN',
      tracesSampleRate: 1.0,
    });

  • feat(nitro): Add @sentry/nitro SDK (#19224)

    A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig. Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

... (truncated)

Commits
  • dc0b839 release: 10.51.0
  • b3cabee Merge pull request #20599 from getsentry/prepare-release/10.51.0
  • 3be99a9 meta(changelog): Update changelog for 10.51.0
  • bea1aad test(browser): Unflake some more tests (#20591)
  • 50aa085 test(node): Unflake postgres tests (#20593)
  • 1166839 fix(hono): Distinguish .use() middleware in sub-apps from .all() handlers...
  • 217ad4a test(node): Fix flaky ANR test (#20592)
  • 91ffb3f test(node): Fix flaky worker thread integration test (#20588)
  • c4e3902 chore(ci): Do not report flaky test issues if we cannot find a test name (#20...
  • c0005cd test(node): Update timeout for cron integration tests (#20586)
  • Additional commits viewable in compare view

Updates @sentry/node from 10.46.0 to 10.51.0

Release notes

Sourced from @​sentry/node's releases.

10.51.0

Important Changes

  • feat(cloudflare): Add trace propagation for RPC method calls (#20343)

    Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects. This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

    // Worker
    export default Sentry.withSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      handler,
    );
    // Durable Object
    export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      MyDurableObjectBase,
    );

  • feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#20497)

    To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options. Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme):

    // instrument.mjs (or instrument.ts)
    import * as Sentry from '@sentry/hono/node';
    Sentry.init({
      dsn: 'DSN',
      tracesSampleRate: 1.0,
    });

  • feat(nitro): Add @sentry/nitro SDK (#19224)

    A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig. Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.51.0

Important Changes

  • feat(cloudflare): Add trace propagation for RPC method calls (#20343)

    Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects. This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

    // Worker
    export default Sentry.withSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      handler,
    );
    // Durable Object
    export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
      env => ({
        dsn: env.SENTRY_DSN,
        enableRpcTracePropagation: true,
      }),
      MyDurableObjectBase,
    );

  • feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#20497)

    To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options. Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme):

    // instrument.mjs (or instrument.ts)
    import * as Sentry from '@sentry/hono/node';
    Sentry.init({
      dsn: 'DSN',
      tracesSampleRate: 1.0,
    });

  • feat(nitro): Add @sentry/nitro SDK (#19224)

    A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig. Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

... (truncated)

Commits
  • dc0b839 release: 10.51.0
  • b3cabee Merge pull request #20599 from getsentry/prepare-release/10.51.0
  • 3be99a9 meta(changelog): Update changelog for 10.51.0
  • bea1aad test(browser): Unflake some more tests (#20591)
  • 50aa085 test(node): Unflake postgres tests (#20593)
  • 1166839 fix(hono): Distinguish .use() middleware in sub-apps from .all() handlers...
  • 217ad4a test(node): Fix flaky ANR test (#20592)
  • 91ffb3f test(node): Fix flaky worker thread integration test (#20588)
  • c4e3902 chore(ci): Do not report flaky test issues if we cannot find a test name (#20...
  • c0005cd test(node): Update timeout for cron integration tests (#20586)
  • Additional commits viewable in compare view

Updates axios from 1.15.0 to 1.15.2

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
  • Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

  • FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
  • HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
  • Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
  • Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
  • buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
  • AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
  • Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (

Bumps the production group in /services with 15 updates:

| Package | From | To |
| --- | --- | --- |
| @mean-stream/nestx | `0.14.0` | `0.15.0` |
| [@nestjs/common](https://github.com/nestjs/nest/tree/HEAD/packages/common) | `11.1.17` | `11.1.19` |
| [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core) | `11.1.18` | `11.1.19` |
| [@nestjs/event-emitter](https://github.com/nestjs/event-emitter) | `3.0.1` | `3.1.0` |
| [@nestjs/platform-express](https://github.com/nestjs/nest/tree/HEAD/packages/platform-express) | `11.1.17` | `11.1.19` |
| [@nestjs/schedule](https://github.com/nestjs/schedule) | `6.1.1` | `6.1.3` |
| [@nestjs/swagger](https://github.com/nestjs/swagger) | `11.2.6` | `11.4.2` |
| [@nestjs/websockets](https://github.com/nestjs/nest/tree/HEAD/packages/websockets) | `11.1.17` | `11.1.19` |
| [@sentry/nestjs](https://github.com/getsentry/sentry-javascript) | `10.46.0` | `10.51.0` |
| [@sentry/node](https://github.com/getsentry/sentry-javascript) | `10.46.0` | `10.51.0` |
| [axios](https://github.com/axios/axios) | `1.15.0` | `1.15.2` |
| [dockerode](https://github.com/apocas/dockerode) | `4.0.10` | `5.0.0` |
| [jsdom](https://github.com/jsdom/jsdom) | `29.0.1` | `29.1.1` |
| [mongoose](https://github.com/Automattic/mongoose) | `9.3.3` | `9.6.1` |
| [openai](https://github.com/openai/openai-node) | `6.33.0` | `6.35.0` |


Updates `@mean-stream/nestx` from 0.14.0 to 0.15.0

Updates `@nestjs/common` from 11.1.17 to 11.1.19
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.19/packages/common)

Updates `@nestjs/core` from 11.1.18 to 11.1.19
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.19/packages/core)

Updates `@nestjs/event-emitter` from 3.0.1 to 3.1.0
- [Release notes](https://github.com/nestjs/event-emitter/releases)
- [Commits](nestjs/event-emitter@3.0.1...3.1.0)

Updates `@nestjs/platform-express` from 11.1.17 to 11.1.19
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.19/packages/platform-express)

Updates `@nestjs/schedule` from 6.1.1 to 6.1.3
- [Release notes](https://github.com/nestjs/schedule/releases)
- [Commits](nestjs/schedule@6.1.1...6.1.3)

Updates `@nestjs/swagger` from 11.2.6 to 11.4.2
- [Release notes](https://github.com/nestjs/swagger/releases)
- [Commits](nestjs/swagger@11.2.6...11.4.2)

Updates `@nestjs/websockets` from 11.1.17 to 11.1.19
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.19/packages/websockets)

Updates `@sentry/nestjs` from 10.46.0 to 10.51.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.46.0...10.51.0)

Updates `@sentry/node` from 10.46.0 to 10.51.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.46.0...10.51.0)

Updates `axios` from 1.15.0 to 1.15.2
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.15.0...v1.15.2)

Updates `dockerode` from 4.0.10 to 5.0.0
- [Release notes](https://github.com/apocas/dockerode/releases)
- [Commits](apocas/dockerode@v4.0.10...v5.0.0)

Updates `jsdom` from 29.0.1 to 29.1.1
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v29.0.1...v29.1.1)

Updates `mongoose` from 9.3.3 to 9.6.1
- [Release notes](https://github.com/Automattic/mongoose/releases)
- [Changelog](https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md)
- [Commits](Automattic/mongoose@9.3.3...9.6.1)

Updates `openai` from 6.33.0 to 6.35.0
- [Release notes](https://github.com/openai/openai-node/releases)
- [Changelog](https://github.com/openai/openai-node/blob/master/CHANGELOG.md)
- [Commits](openai/openai-node@v6.33.0...v6.35.0)

---
updated-dependencies:
- dependency-name: "@mean-stream/nestx"
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: "@nestjs/common"
  dependency-version: 11.1.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: "@nestjs/event-emitter"
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: "@nestjs/platform-express"
  dependency-version: 11.1.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: "@nestjs/schedule"
  dependency-version: 6.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: "@nestjs/swagger"
  dependency-version: 11.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: "@nestjs/websockets"
  dependency-version: 11.1.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: "@sentry/nestjs"
  dependency-version: 10.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: "@sentry/node"
  dependency-version: 10.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production
- dependency-name: dockerode
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production
- dependency-name: jsdom
  dependency-version: 29.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: mongoose
  dependency-version: 9.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
- dependency-name: openai
  dependency-version: 6.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels May 1, 2026
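
Added example, not part of the pull request and not axios source code: the axios 1.15.1 and 1.15.2 notes quoted above describe reading only own properties into null-prototype config objects, and rejecting non-string or non-allowlisted `socketPath` values. The sketch below shows the difference that makes; `resolveNaive`, `resolveHardened`, `checkSocketPath` and all sample values are hypothetical, and exact-match allowlist comparison is an assumption.

```javascript
// Hypothetical helpers written for this page; they are not axios internals.
const CONFIG_KEYS = ['baseURL', 'auth', 'socketPath'];

// Naive reader: `in` and plain property access walk the prototype chain,
// so a polluted Object.prototype supplies values the caller never set.
function resolveNaive(userConfig) {
  const merged = {};
  for (const key of CONFIG_KEYS) {
    if (key in userConfig) merged[key] = userConfig[key];
  }
  return merged;
}

// Hardened reader: copy own properties only, into a null-prototype object,
// so later lookups on the result cannot fall through to Object.prototype.
function resolveHardened(userConfig) {
  const merged = Object.create(null);
  for (const key of CONFIG_KEYS) {
    if (Object.prototype.hasOwnProperty.call(userConfig, key)) {
      merged[key] = userConfig[key];
    }
  }
  return merged;
}

// Socket path check in the spirit of the release note: non-strings are
// rejected; an unset allowlist keeps the old behaviour (no restriction).
// Exact string comparison is an assumption made for this example.
function checkSocketPath(socketPath, allowedSocketPaths) {
  if (socketPath === undefined) return { ok: true };
  if (typeof socketPath !== 'string') {
    return { ok: false, code: 'ERR_BAD_OPTION_VALUE' };
  }
  if (allowedSocketPaths === undefined) return { ok: true };
  const allowed = Array.isArray(allowedSocketPaths) ? allowedSocketPaths : [];
  return allowed.includes(socketPath)
    ? { ok: true }
    : { ok: false, code: 'ERR_BAD_OPTION_VALUE' };
}

// Runs both readers against the same caller config while Object.prototype
// carries constructed polluted values, then restores the prototype.
function runDemo() {
  Object.prototype.socketPath = '/tmp/constructed-polluted.sock'; // constructed
  Object.prototype.auth = { username: 'constructed', password: 'constructed' };
  try {
    const userConfig = { baseURL: 'https://api.example.test' }; // constructed
    const naive = resolveNaive(userConfig);
    const hardened = resolveHardened(userConfig);
    return {
      naiveKeys: Object.keys(naive),
      naiveSocketPath: naive.socketPath,
      hardenedKeys: Object.keys(hardened),
      hardenedSocketPath: hardened.socketPath,
      hardenedAuth: hardened.auth,
    };
  } finally {
    delete Object.prototype.socketPath;
    delete Object.prototype.auth;
  }
}

console.log(runDemo());
console.log(checkSocketPath('/run/app.sock', ['/run/app.sock']));
console.log(checkSocketPath('/tmp/other.sock', ['/run/app.sock']));
```

The naive reader ends up with `auth` and `socketPath` the caller never supplied, while the hardened reader keeps only `baseURL`.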