Update docs npm deps non-major

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@easyops-cn/docusaurus-search-local (source)	0.55.1 → 0.55.2
@types/react (source)	19.2.15 → 19.2.16
axios (source)	1.16.1 → 1.17.0
concurrently	10.0.0 → 10.0.3
fuse.js (source)	7.4.0 → 7.4.1
pnpm (source)	11.5.0 → 11.5.1
react (source)	19.2.6 → 19.2.7
react-dom (source)	19.2.6 → 19.2.7

---

Release Notes

easyops-cn/docusaurus-search-local (@​easyops-cn/docusaurus-search-local)

v0.55.2

Compare Source

Bug Fixes

• some languages need lunr wordcut (1e60641)
• some languages need lunr wordcut (d871555), closes #​438

axios/axios (axios)

v1.17.0

Compare Source

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

• Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#​10901, #​10922)
• Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#​10926)

🚀 New Features

• HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#​6792, #​10920)

🐛 Bug Fixes

• Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#​10929, #​10896)
• Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#​10957)
• React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#​10898)
• Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#​10875)
• Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#​10812)
• Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#​10891)
• Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#​10956, #​10952)
• Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#​10931)

🔧 Maintenance & Chores

• HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#​10861)
• Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#​10939)
• CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#​10907, #​10911, #​10916, #​10927, #​10935, #​10983)
• Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#​10925, #​10914, #​10958)
• Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#​10890, #​10889, #​10921, #​10945, #​10905, #​10933, #​10915, #​10887, #​10955)
• Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#​10871, #​10879, #​10918, #​10919, #​10934, #​10947, #​10954, #​10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​BasixKOR (#​6792)
• @​carladams1299-lab (#​10861)
• @​LaplaceYoung (#​10812)
• @​JamieMagee (#​10939)
• @​RonGamzu (#​10905)
• @​sapirbaruch (#​10891)
• @​nezukoagent (#​10901)
• @​devareddy05 (#​10929)
• @​Mohammad-Faiz-Cloud-Engineer (#​10922)
• @​azandabot (#​10931)
• @​niksy (#​10896)

Full Changelog

open-cli-tools/concurrently (concurrently)

v10.0.3

Compare Source

Republish of https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.1 with Trusted Publishing enabled (see #​595)

Full Changelog: open-cli-tools/concurrently@v10.0.2...v10.0.3

v10.0.1

Compare Source

• Ensure FlowController type is exported - #​594

Full Changelog: open-cli-tools/concurrently@v10.0.0...v10.0.1

krisk/Fuse (fuse.js)

v7.4.1

Compare Source

pnpm/pnpm (pnpm)

v11.5.1

Compare Source

Patch Changes

• Improve pnpm audit performance by pruning non-vulnerable lockfile subtrees and stopping path enumeration once vulnerable findings reach the path cap.
• Avoid crashing when the workspace state cache is partially written or malformed.
• Set npm_config_user_agent for root lifecycle scripts during headless installs.
• Preserve the integrity field of a remote (non-registry) tarball dependency when its lockfile entry is rebuilt. Re-resolving such a dependency without re-fetching it (for example via pnpm update, or when another dependency changes) produced a resolution with no integrity — URL/tarball resolvers only learn the integrity after the tarball is downloaded — so the previously recorded integrity was dropped, making later installs fail with ERR_PNPM_MISSING_TARBALL_INTEGRITY #​12067.
• Normalize a string repository field into the { type, url } object form when creating the publish manifest, matching npm's behavior. Some registries (e.g. Gitea/Codeberg) reject a string repository with a 500 Internal Server Error during pnpm publish #​12099.
• Preserve compatible optional peer versions already present in the lockfile when resolving dependencies.
• Fixed inconsistent resolution of a peer dependency that is shared through a diamond. When a package peer-depends on both another package and one of that package's own peer dependencies (for example @typescript-eslint/eslint-plugin peer-depends on both @typescript-eslint/parser and typescript, and @typescript-eslint/parser peer-depends on typescript), pnpm no longer reuses a hoisted instance of the shared peer that was resolved against a different version #​12079.

facebook/react (react)

v19.2.7

Compare Source

facebook/react (react-dom)

v19.2.7

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[woodpecker-bot]

Surge PR preview deployment was removed