build(deps): bump the dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the dependencies group with 6 updates in the / directory:

Package	From	To
@sentry/node	10.47.0	10.48.0
axios	1.14.0	1.15.0
better-sqlite3	12.8.0	12.9.0
dotenv	17.4.0	17.4.2
knex	3.2.8	3.2.9
redis	5.11.0	5.12.1

Updates @sentry/node from 10.47.0 to 10.48.0

Release notes

Sourced from @​sentry/node's releases.

10.48.0

Important Changes

• feat(aws-serverless): Ship Lambda extension in npm package for container image Lambdas (#20133)

  The Sentry Lambda extension is now included in the npm package, enabling container image-based Lambda functions to use it. Copy the extension files into your Docker image and set the tunnel option:

  RUN mkdir -p /opt/sentry-extension
  COPY node_modules/@sentry/aws-serverless/build/lambda-extension/sentry-extension /opt/extensions/sentry-extension
  COPY node_modules/@sentry/aws-serverless/build/lambda-extension/index.mjs /opt/sentry-extension/index.mjs
  RUN chmod +x /opt/extensions/sentry-extension /opt/sentry-extension/index.mjs

  Sentry.init({
    dsn: '__DSN__',
    tunnel: 'http://localhost:9000/envelope',
  });

  This works with any Sentry SDK (@sentry/aws-serverless, @sentry/sveltekit, @sentry/node, etc.).

• feat(cloudflare): Support basic WorkerEntrypoint (#19884)

  withSentry now supports instrumenting classes extending Cloudflare's WorkerEntrypoint. This instruments fetch, scheduled, queue, and tail handlers.

  import * as Sentry from '@sentry/cloudflare';
  import { WorkerEntrypoint } from 'cloudflare:workers';
  class MyWorker extends WorkerEntrypoint {
  async fetch(request: Request): Promise<Response> {
  return new Response('Hello World!');
  }
  }
  export default Sentry.withSentry(env => ({ dsn: env.SENTRY_DSN, tracesSampleRate: 1.0 }), MyWorker);

• ref(core): Unify .do* span ops to gen_ai.generate_content (#20074)

  All Vercel AI do* spans (ai.generateText.doGenerate, ai.streamText.doStream, ai.generateObject.doGenerate, ai.streamObject.doStream) now use a single unified span op gen_ai.generate_content instead of separate ops like gen_ai.generate_text, gen_ai.stream_text, gen_ai.generate_object, and gen_ai.stream_object.

• ref(core): Remove provider-specific AI span attributes in favor of gen_ai attributes in sentry conventions (#20011)

  The following provider-specific span attributes have been removed from the OpenAI and Anthropic AI integrations. Use the standardized gen_ai.* equivalents instead:

  Removed attribute	Replacement

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.48.0

Important Changes

• feat(aws-serverless): Ship Lambda extension in npm package for container image Lambdas (#20133)

  The Sentry Lambda extension is now included in the npm package, enabling container image-based Lambda functions to use it. Copy the extension files into your Docker image and set the tunnel option:

  RUN mkdir -p /opt/sentry-extension
  COPY node_modules/@sentry/aws-serverless/build/lambda-extension/sentry-extension /opt/extensions/sentry-extension
  COPY node_modules/@sentry/aws-serverless/build/lambda-extension/index.mjs /opt/sentry-extension/index.mjs
  RUN chmod +x /opt/extensions/sentry-extension /opt/sentry-extension/index.mjs

  Sentry.init({
    dsn: '__DSN__',
    tunnel: 'http://localhost:9000/envelope',
  });

  This works with any Sentry SDK (@sentry/aws-serverless, @sentry/sveltekit, @sentry/node, etc.).

• feat(cloudflare): Support basic WorkerEntrypoint (#19884)

  withSentry now supports instrumenting classes extending Cloudflare's WorkerEntrypoint. This instruments fetch, scheduled, queue, and tail handlers.

  import * as Sentry from '@sentry/cloudflare';
  import { WorkerEntrypoint } from 'cloudflare:workers';
  class MyWorker extends WorkerEntrypoint {
  async fetch(request: Request): Promise<Response> {
  return new Response('Hello World!');
  }
  }
  export default Sentry.withSentry(env => ({ dsn: env.SENTRY_DSN, tracesSampleRate: 1.0 }), MyWorker);

• ref(core): Unify .do* span ops to gen_ai.generate_content (#20074)

  All Vercel AI do* spans (ai.generateText.doGenerate, ai.streamText.doStream, ai.generateObject.doGenerate, ai.streamObject.doStream) now use a single unified span op gen_ai.generate_content instead of separate ops like gen_ai.generate_text, gen_ai.stream_text, gen_ai.generate_object, and gen_ai.stream_object.

• ref(core): Remove provider-specific AI span attributes in favor of gen_ai attributes in sentry conventions (#20011)

  The following provider-specific span attributes have been removed from the OpenAI and Anthropic AI integrations. Use the standardized gen_ai.* equivalents instead:

  | Removed attribute | Replacement |

... (truncated)

Commits

• a67df4d release: 10.48.0
• e0732ff Merge pull request #20172 from getsentry/prepare-release/10.48.0
• d1ee40f meta(changelog): Update changelog for 10.48.0
• 2897297 feat(nuxt): Exclude tracing meta tags on cached pages in Nuxt 5 (#20168)
• 1cc3dd0 chore(deps-dev): Bump effect from 3.20.0 to 3.21.0 (#19999)
• c273167 fix(core): Fix withStreamedSpan typing error add missing exports (#20124)
• b6f7b86 feat(core): Apply ignoreSpans to streamed spans (#19934)
• 7bd8449 test(node,node-core): Add span streaming integration tests (#19806)
• 51fc6d1 feat(node-core): Add POtel server-side span streaming implementation (#19741)
• 77357c7 fix(core): Replace global interval with trace-specific interval based flushin...
• Additional commits viewable in compare view

Updates axios from 1.14.0 to 1.15.0

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

Changelog

Sourced from axios's changelog.

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

• Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

• SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

• Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

• Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

• CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

• Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

• Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​Kilros0817 (#10625)
• @​shaanmajid (#10616, #10617, #10618, #10619, #10637, #10641, #10666)
• @​ashstrc (#10624, #10644)
• @​Abhi3975 (#10589)
• @​raashish1601 (#10573)

Full Changelog

---

Commits

• 772a4e5 chore(release): prepare release 1.15.0 (#10671)
• 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
• 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
• fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
• 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
• 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
• e66530e ci: require npm-publish environment for releases (#10666)
• 49f23cb chore(sponsor): update sponsor block (#10668)
• 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
• fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
• Additional commits viewable in compare view

Updates better-sqlite3 from 12.8.0 to 12.9.0

Release notes

Sourced from better-sqlite3's releases.

v12.9.0

What's Changed

• Update SQLite to version 3.53.0 in WiseLibs/better-sqlite3#1464

Full Changelog: WiseLibs/better-sqlite3@v12.8.0...v12.9.0

Commits

• 4058d24 12.9.0
• f653513 Update SQLite to version 3.53.0 (#1464)
• See full diff in compare view

Updates dotenv from 17.4.0 to 17.4.2

Changelog

Sourced from dotenv's changelog.

17.4.2 (2026-04-12)

Changed

• Improved skill files - tightened up details (#1009)

17.4.1 (2026-04-05)

Changed

• Change text injecting to injected (#1005)

Commits

• f116f70 17.4.2
• 3a81612 fix visual order of faq
• 13f55a8 Merge branch 'skill'
• 4bbbf73 reorganize faq
• c3da64b Merge pull request #1009 from motdotla/skill
• 6f743b1 update source
• fc2c624 update skill
• 972315b Tighten up skill
• 2795fce reorganize faq
• d5495d4 adjust skill
• Additional commits viewable in compare view

Updates knex from 3.2.8 to 3.2.9

Release notes

Sourced from knex's releases.

3.2.9

What's Changed

• fix(sqlite): append RETURNING statement when insert empty row by @​ylc395 in knex/knex#5471
• fix(postgres): escape double quotes in searchPath to prevent SQL injection by @​OlivierCavadenti in knex/knex#6411
• fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't by @​erulabs in knex/knex#6429
• fix: add type support for Array which is supported in code but not in types. Add test to cover as well by @​erulabs in knex/knex#6428

New Contributors

• @​ylc395 made their first contribution in knex/knex#5471
• @​erulabs made their first contribution in knex/knex#6429

Full Changelog: knex/knex@3.2.8...3.2.9

Changelog

Sourced from knex's changelog.

3.2.9 - 3 April, 2026

Bug fixes

• fix: support DELETE... LIMIT in dialects that support it (mysql), but continue to disallow ones that don't #6429
• fix(postgres): escape double quotes in searchPath to prevent SQL injection #6411
• fix(sqlite): append RETURNING statement when insert empty row #5471
• fix: add type support for Array #6428

Commits

• b3847cd release 3.2.9
• 59c8f5f fix: add type support for Array<Buffer> (#6428)
• d40095c fix: support DELETE... LIMIT in dialects that support it (mysql), but continu...
• 7ae8857 fix(postgres): escape double quotes in searchPath to prevent SQL injection (#...
• f44f75a fix(sqlite): append RETURNING statement when insert empty row (#5471)
• See full diff in compare view

Updates redis from 5.11.0 to 5.12.1

Release notes

Sourced from redis's releases.

redis@5.12.0

✨ What's Changed

🚀 Features

• feat: expose sendCommand on multi for all clients by @​nkaradzhov in redis/node-redis#3181
• feat(sentinel): add sSubscribe/sUnsubscribe methods to Sentinel client by @​nkaradzhov in redis/node-redis#3178

🐛 Fixes

• fix(search): correct INDEXMISSING placement by @​nkaradzhov in redis/node-redis#3179
• Pool fixes by @​nkaradzhov in redis/node-redis#3182
• fix(search): use @redis/client dist imports in CREATE command by @​PavelPashov in redis/node-redis#3187
• fix(sentinel): preserve root seeds for outage recovery by @​nkaradzhov in redis/node-redis#3188
• fix: fallthrough bug in transformDoubleReply by @​rhymincymon in redis/node-redis#3213

🔭 Observability (OTEL + Diagnostics)

Node Redis now ships with first-class observability via OpenTelemetry metrics and Node.js diagnostics_channel. Initialize OpenTelemetry before creating clients (OpenTelemetry.init({ metrics: { enabled: true } })) and you can plug Redis client telemetry into your existing OTel SDK/exporter pipeline.

This enables visibility into command latency, connection lifecycle, resiliency/errors, Pub/Sub traffic, streaming behavior, and client-side caching activity. On top of metrics, diagnostics channels provide a more abstract, higher-level way to track runtime behavior through low-overhead event streams (commands, batches, connection events, maintenance notifications, pub/sub, cache, and pool wait timing), so APM tools or custom subscribers can observe the system without changing application code.

• add OpenTelemetry metrics instrumentation by @​PavelPashov in redis/node-redis#3110
• feat: implement diagnostic channels for observability by @​logaretm in redis/node-redis#3195

🧪 Tests & CI

• test(scho oss): add smigrating checks for new connections by @​nkaradzhov in redis/node-redis#3186
• Add self-report metrics step to CI workflow by @​bobymicroby in redis/node-redis#3199
• Add run tests action by @​dariaguy in redis/node-redis#3221

📚 Docs

• improve sentinel docs by @​cutiepoka in redis/node-redis#3189
• docs: clarify DUMP/RESTORE binary payload usage by @​nkaradzhov in redis/node-redis#3201
• fix(docs): configure typedoc entry points for monorepo by @​nkaradzhov in redis/node-redis#3220

🙌 New Contributors

• @​cutiepoka made their first contribution in redis/node-redis#3189
• @​rhymincymon made their first contribution in redis/node-redis#3213
• @​logaretm made their first contribution in redis/node-redis#3195
• @​dariaguy made their first contribution in redis/node-redis#3221

Full Changelog: https://github.com/redis/node-redis/compare/redis@5.11.0...redis@5.12.0

Commits

• 5cdad1b Release redis@5.12.1
• 6a44726 Release entraid@5.12.1
• 9f930f9 Release time-series@5.12.1
• de70920 Release search@5.12.1
• 9e7767c Release json@5.12.1
• 02cfd5a Release bloom@5.12.1
• 838c28d Release client@5.12.1
• 789d6d5 fix: decouple OTel public types from @​opentelemetry/api (#3228)
• 07aff33 Release redis@5.12.0
• b91d88f Release entraid@5.12.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions