Update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	^0.31.0 → ^0.32.0
cheerio (source)	1.0.0-rc.12 → 1.2.0

---

Release Notes

axios/axios (axios)

v0.32.0

Compare Source

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#​10838)

🔒 Security Fixes

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#​10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#​10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#​10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#​10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#​10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#​10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#​10838)

🔧 Maintenance & Chores

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#​10838)

Full Changelog

cheeriojs/cheerio (cheerio)

v1.2.0

Compare Source

What's Changed

• .val() now supports button values by @​kaioduarte in #​4175
• .find() now properly scopes :scope selectors by @​T0nd0Tara in #​4967
• The isHtml utility now runtime-validates input types by @​Mallikarjun-0 in #​4523

New Contributors

• @​noritaka1166 made their first contribution in #​4740
• @​kaioduarte made their first contribution in #​4175
• @​Mallikarjun-0 made their first contribution in #​4523
• @​T0nd0Tara made their first contribution in #​4967

Full Changelog: cheeriojs/cheerio@v1.1.2...v1.2.0

v1.1.2

Compare Source

What's Changed

• Fix fromURL baseURI issues by @​fb55 in #​4696

Full Changelog: cheeriojs/cheerio@v1.1.1...v1.1.2

v1.1.1

Compare Source

• Fix Undici issues (#​4689) 91a2b3d

---

v1.1.0

Compare Source

What's Changed

• fix(attributes): support .prop on document nodes by @​fb55 in #​4320
• fix(types): fix ExtractedValue type by @​ben-tilden in #​4334
• Add a field browser to package.json root by @​UNIDY2002 in #​4033
• Upgraded dependencies

Doc Improvements

• docs(blog): fix loading documents url by @​TonyRL in #​4002
• docs: fix function load() link by @​ya-luotao in #​4013
• docs: correct loadBuffer() name in example by @​arichardsmith in #​4270
• Update attr setter jsdoc by @​thyming in #​4469
• docs: use code block for install, mention yarn and bun by @​Electroid in #​4454
• docs: Replace .html with .prop for outerHTML by @​fb55 in #​4321

New Contributors

• @​TonyRL made their first contribution in #​4002
• @​ya-luotao made their first contribution in #​4013
• @​arichardsmith made their first contribution in #​4270
• @​UNIDY2002 made their first contribution in #​4033
• @​AzeemSup made their first contribution in #​4189
• @​ben-tilden made their first contribution in #​4334
• @​Electroid made their first contribution in #​4454
• @​thyming made their first contribution in #​4469

Full Changelog: cheeriojs/cheerio@v1.0.0...v1.1.0

v1.0.0

Compare Source

Cheerio 1.0 is here! 🎉

Announcement Blog Post

Breaking Changes

• The minimum NodeJS version is now 18.17 or higher #​3959

• Import paths were simplified. For example, use cheerio/slim instead of
  cheerio/lib/slim. #​3970

• The deprecated default Cheerio instance and static methods were removed. #​3974

  Before, it was possible to write code like this:

  import cheerio, { html } from 'cheerio';
  
  html(cheerio('<test></test>')); // ~ '<test></test>' -- NO LONGER WORKS

  Make sure to always load documents first:

  import * as cheerio from 'cheerio';
  
  cheerio.load('<test></test>').html();

• Node types previously re-exported by Cheerio must now be imported directly
  from (domhandler)(https://github.com/fb55/domhandler). #​3969

• htmlparser2 options now reside exclusively under the xml key (#​2916):

  const $ = cheerio.load('<html>', {
    xml: {
      withStartIndices: true,
    },
  });

New Features

• Add functions to load buffers, streams & URLs in NodeJS by @​fb55 in #​2857
• Add extract method by @​fb55 in #​2750

Fixes

• Allow imports of cheerio/utils by @​blixt in #​2601
• Allow empty string in data, and simplify by @​fb55 in #​2818
• Make closest be able to start from text nodes by @​Qualtagh in #​2811
• Fix potential github action smells by @​ceddy4395 in #​3826

Other

• Cheerio has a new website, featuring updated API docs and guides! #​2950

Full Changelog: cheeriojs/cheerio@v1.0.0-rc.12...v1.0.0

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.