Skip to content

chore(deps): Bump axios, @xboxreplay/xboxlive-auth, minecraft-protocol and prismarine-auth#105

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-e0f4c4adb1
Open

chore(deps): Bump axios, @xboxreplay/xboxlive-auth, minecraft-protocol and prismarine-auth#105
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-e0f4c4adb1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 19, 2026
edited by cubic-dev-ai Bot
Loading

Bumps axios to 1.16.1 and updates ancestor dependencies axios, @xboxreplay/xboxlive-auth, minecraft-protocol and prismarine-auth. These dependencies need to be updated together.

Updates axios from 1.8.4 to 1.16.1

Release notes

Sourced from axios's releases.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

  • Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
  • Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
  • CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

  • Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
  • Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
  • XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
  • Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
  • Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
  • URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

  • Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
  • composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
  • AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
  • Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
  • Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
  • Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Changelog

Sourced from axios's changelog.

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

  • Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#7413)
  • Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#10858)
  • CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#10882)

🐛 Bug Fixes

  • Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#10829)
  • Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#10850)
  • XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#10868)
  • Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#10864)
  • Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#10837)
  • URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#10874)

🔧 Maintenance & Chores

  • Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#10832)
  • composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#10844)
  • AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#10835, #10841)
  • Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#10836, #10853, #10856)
  • Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#10843, #10859, #10869)
  • Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

... (truncated)

Commits
  • 1337d6b chore(release): prepare release 1.16.1 (#10877)
  • 858a790 fix: remove all caches (#10882)
  • 34adfd9 revert: "fix: support URL object as config.url input (#10866)" (#10874)
  • 847d89b fix: support URL object as config.url input (#10866)
  • 4094886 fix(progress): guard malformed XHR upload events (#10868)
  • 44f0c5b chore: change sponsorship link and add Twicsy advertisement (#10869)
  • 64e1095 chore: update PR and issue template to use h2 (#10865)
  • 3e6b4e1 fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...
  • c4453ba fix: add the ability to add additional sponsors to the process sponsors scrip...
  • caa00a9 fix: https data in cleartext to proxy (#10858)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @xboxreplay/xboxlive-auth from 4.1.0 to 5.1.0

Release notes

Sourced from @​xboxreplay/xboxlive-auth's releases.

5.1.0

5.0.2

5.0.1

  • [fix]: Wrong exported type

5.0.0

https://github.com/XboxReplay/xboxlive-auth/blob/master/docs/90-Migration_From_v4.md

Commits

Updates minecraft-protocol from 1.57.0 to 1.66.2

Release notes

Sourced from minecraft-protocol's releases.

Release 1.66.2

1.66.2

Release 1.66.1

1.66.1

Release 1.66.0

1.66.0

Release 1.65.0

1.65.0

Release 1.64.1

1.64.1

Release 1.64.0

1.64.0

Release 1.63.0

1.63.0

Release 1.62.0

1.62.0

Release 1.61.0

1.61.0

Release 1.60.1

1.60.1

Release 1.60.0

1.60.0

Release 1.59.0

1.59.0

Release 1.58.0

1.58.0

Changelog

Sourced from minecraft-protocol's changelog.

1.66.2

1.66.1

1.66.0

1.65.0

1.64.1

1.64.0

1.63.0

1.62.0

1.61.0

1.60.1

1.60.0

1.59.0

1.58.0

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for minecraft-protocol since your current version.


Updates prismarine-auth from 2.7.0 to 3.1.1

Release notes

Sourced from prismarine-auth's releases.

Release 3.1.1

3.1.1

Release 3.1.0

3.1.0

Release 3.0.0

3.0.0

Changelog

Sourced from prismarine-auth's changelog.

3.1.1

3.1.0

3.0.0

Commits
  • b795199 Release 3.1.1 (#166)
  • 91264e3 bedrock: Fix attainment of new multiplayer session token (#165)
  • 43b676d Release 3.1.0 (#164)
  • 6ad5670 Update CI to Node 24 (#163)
  • 2d62147 Rename workflow back to publish.yml to match npm trusted publisher config (#162)
  • d3edb32 Update Node.js version to 24 in workflow
  • df10ea7 Rename publish.yml to npm-publish.yml
  • 59d9e7e Release 3.0.0 (#161)
  • c14f3f1 bedrock: Return new Minecraft session token in .getMinecraftBedrockToken() (#...
  • b7b4408 Fix publish condition for npm-publish v4 (#159)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for prismarine-auth since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade networking and Minecraft auth/protocol dependencies to pick up security fixes and current protocol support. Major bumps to @xboxreplay/xboxlive-auth and prismarine-auth.

  • Dependencies

    • Backend: axios 1.16.1; @xboxreplay/xboxlive-auth 5.1.0; prismarine-auth 3.1.1.
    • Indirect: minecraft-protocol 1.66.2 (lockfile update).
    • Frontend: next changed to ^9.3.3; socket.io 4.5.4; socket.io-client ^4.2.0.

  • Migration

    • @xboxreplay/xboxlive-auth v5: follow upstream v4→v5 notes; requires Node ≥16.
    • prismarine-auth v3: verify Bedrock session token handling.
    • Frontend: confirm the next 9.x change; it conflicts with React 19 and eslint-config-next 16.x.

Written for commit 81b67e1. Summary will update on new commits. Review in cubic

@dependabot
chore(deps): Bump axios, @xboxreplay/xboxlive-auth, minecraft-protoco…
81b67e1 
…l and prismarine-auth

Bumps [axios](https://github.com/axios/axios) to 1.16.1 and updates ancestor dependencies [axios](https://github.com/axios/axios), [@xboxreplay/xboxlive-auth](https://github.com/XboxReplay/xboxlive-auth), [minecraft-protocol](https://github.com/PrismarineJS/node-minecraft-protocol) and [prismarine-auth](https://github.com/PrismarineJS/prismarine-auth). These dependencies need to be updated together.


Updates `axios` from 1.8.4 to 1.16.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.8.4...v1.16.1)

Updates `@xboxreplay/xboxlive-auth` from 4.1.0 to 5.1.0
- [Release notes](https://github.com/XboxReplay/xboxlive-auth/releases)
- [Commits](XboxReplay/xboxlive-auth@4.1.0...5.1.0)

Updates `minecraft-protocol` from 1.57.0 to 1.66.2
- [Release notes](https://github.com/PrismarineJS/node-minecraft-protocol/releases)
- [Changelog](https://github.com/PrismarineJS/node-minecraft-protocol/blob/master/docs/HISTORY.md)
- [Commits](PrismarineJS/node-minecraft-protocol@1.57.0...1.66.2)

Updates `prismarine-auth` from 2.7.0 to 3.1.1
- [Release notes](https://github.com/PrismarineJS/prismarine-auth/releases)
- [Changelog](https://github.com/PrismarineJS/prismarine-auth/blob/master/HISTORY.md)
- [Commits](PrismarineJS/prismarine-auth@2.7.0...3.1.1)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: direct:production
- dependency-name: "@xboxreplay/xboxlive-auth"
  dependency-version: 5.1.0
  dependency-type: direct:production
- dependency-name: minecraft-protocol
  dependency-version: 1.66.2
  dependency-type: indirect
- dependency-name: prismarine-auth
  dependency-version: 3.1.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 19, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 4 files

Prompt for AI agents (unresolved issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="frontend/package.json">

<violation number="1" location="frontend/package.json:41">
P0: Next.js was downgraded from ^16.2.6 to ^9.3.3, which is incompatible with React 19 (^19.2.6) used elsewhere in this package.json. Next.js 9 was released in 2020 and supports at most React 16.x, not React 19's APIs or rendering model. This will break the build and the project's `next dev`/`next build` scripts. The PR title indicates a dependency bump for axios and related packages — this appears to be an accidental change and should be reverted back to ^16.2.6.</violation>
</file>

Tip: cubic can generate docs of your entire codebase and keep them up to date. Try it here.

Re-trigger cubic

Comment thread frontend/package.json
"ldrs": "^1.0.1",
"lucide-react": "^1.16.0",
"next": "^16.2.6",
"next": "^9.3.3",
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P0: Next.js was downgraded from ^16.2.6 to ^9.3.3, which is incompatible with React 19 (^19.2.6) used elsewhere in this package.json. Next.js 9 was released in 2020 and supports at most React 16.x, not React 19's APIs or rendering model. This will break the build and the project's next dev/next build scripts. The PR title indicates a dependency bump for axios and related packages — this appears to be an accidental change and should be reverted back to ^16.2.6.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At frontend/package.json, line 41:

<comment>Next.js was downgraded from ^16.2.6 to ^9.3.3, which is incompatible with React 19 (^19.2.6) used elsewhere in this package.json. Next.js 9 was released in 2020 and supports at most React 16.x, not React 19's APIs or rendering model. This will break the build and the project's `next dev`/`next build` scripts. The PR title indicates a dependency bump for axios and related packages — this appears to be an accidental change and should be reverted back to ^16.2.6.</comment>

<file context>
@@ -38,7 +38,7 @@
     "ldrs": "^1.0.1",
     "lucide-react": "^1.16.0",
-    "next": "^16.2.6",
+    "next": "^9.3.3",
     "next-themes": "^0.4.6",
     "react": "^19.2.6",
</file context>
Suggested change
"next": "^9.3.3",
"next": "^16.2.6",

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants