chore(deps): bump axios, zwave-js, @alcalzone/release-script, @alcalzone/release-script-plugin-iobroker and @iobroker/adapter-dev

[dependabot]

Bumps axios, zwave-js, @alcalzone/release-script, @alcalzone/release-script-plugin-iobroker and @iobroker/adapter-dev. These dependencies needed to be updated together.
Updates axios from 1.6.3 to 1.13.5

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Updates zwave-js from 10.23.6 to 15.20.1

Release notes

Sourced from zwave-js's releases.

Release v15.20.1

Bugfixes

• Fixed an issue where devices whose device config was previously incorrectly marked as changed after updating to 15.18.0 or 15.19.0 would again be marked as changed after updating to 15.20.0 (#8571)

Config file changes

• Add Zooz Zen57 240V XS Relay (#8561)
• Add MCO Home MH-5900 thermostat (#8553)
• Update Zooz ZEN35 config to firmware 1.10+ (#8560)
• Update Zooz ZEN14 config for firmware 2.20 (#8562)

Release v15.20.0

Features

• Support ranges with gaps and step sizes in config parameter definitions (#8547, #8555)
• Automatically reset toneId to 0 after tone duration elapses (#8546)
• Support connecting ESPHome Z-Wave proxies with API encryption (#8526)
• Try to find Z-Wave QR code strings in longer strings (#8545)
• Add option to include user code and status in notification events (#8541)

Bugfixes

• Avoid false-positive in hasDeviceConfigChanged after upgrading from a version before 15.19.0 (#8554)

Config file changes

• Update Zooz ZEN16 to support 800 series version (#8542)

Release v15.19.0

Features

• Add option to force associations without checking if they are valid/allowed (#8490)
• Devices that failed to include with Security S2 are no longer interviewed (#8162)

Bugfixes

• During the initial interview after inclusion, user codes are now cleared unless queryAllUserCodes driver option is set (#8525)
• The ConfigurationCCDefaultReset command now uses Supervision if supported (#8530)
• Correct log messages for SoundSwitchCCConfigurationSet (#8531)
• Fixed an issue where setValue calls with disableOptimisticValueUpdate would cause the next value updated event to have an incorrect previous value (#8532)
• Fixed an issue where some 500 series controllers could hang during an NVM backup (#8534)

Config file changes

• Add missing parameter for latest VZW31-SN firmware (#8513)
• Correct manual link metadata for Inovelli VZW31-SN and VZW32-SN (#8492)
• Label endpoints of Shelly Wave Shutter (#8521)
• Remove unnecessary firmware version check from Zooz ZEN35 (#8472)
• Add fingerprint for Kwikset HC620 (#8474)
• Add Zooz Zen58 Low Voltage XS Relay (#8444)
• Hide VZW32-SN test parameter from production use (#8512)
• Add Aeotec ZWA050 SmokeShield for Ei Smoke Detectors (#8493)

Changes under the hood

• Support sdkVersion in configuration file conditions (#8529)
• Add support for "hidden" config property to linter (#8533)
• Fix lint:configjson scripts (#8535)

... (truncated)

Changelog

Sourced from zwave-js's changelog.

15.20.1 (2026-01-26)

Bugfixes

• Fixed an issue where devices whose device config was previously incorrectly marked as changed after updating to 15.18.0 or 15.19.0 would again be marked as changed after updating to 15.20.0 (#8571)

Config file changes

• Add Zooz Zen57 240V XS Relay (#8561)
• Add MCO Home MH-5900 thermostat (#8553)
• Update Zooz ZEN35 config to firmware 1.10+ (#8560)
• Update Zooz ZEN14 config for firmware 2.20 (#8562)

15.20.0 (2026-01-15)

Features

• Support ranges with gaps and step sizes in config parameter definitions (#8547, #8555)
• Automatically reset toneId to 0 after tone duration elapses (#8546)
• Support connecting ESPHome Z-Wave proxies with API encryption (#8526)
• Try to find Z-Wave QR code strings in longer strings (#8545)
• Add option to include user code and status in notification events (#8541)

Bugfixes

• Avoid false-positive in hasDeviceConfigChanged after upgrading from a version before 15.19.0 (#8554)

Config file changes

• Update Zooz ZEN16 to support 800 series version (#8542)

15.19.0 (2026-01-06)

Features

• Add option to force associations without checking if they are valid/allowed (#8490)
• Devices that failed to include with Security S2 are no longer interviewed (#8162)

Bugfixes

• During the initial interview after inclusion, user codes are now cleared unless queryAllUserCodes driver option is set (#8525)
• The ConfigurationCCDefaultReset command now uses Supervision if supported (#8530)
• Correct log messages for SoundSwitchCCConfigurationSet (#8531)
• Fixed an issue where setValue calls with disableOptimisticValueUpdate would cause the next value updated event to have an incorrect previous value (#8532)
• Fixed an issue where some 500 series controllers could hang during an NVM backup (#8534)

Config file changes

• Add missing parameter for latest VZW31-SN firmware (#8513)
• Correct manual link metadata for Inovelli VZW31-SN and VZW32-SN (#8492)
• Label endpoints of Shelly Wave Shutter (#8521)
• Remove unnecessary firmware version check from Zooz ZEN35 (#8472)
• Add fingerprint for Kwikset HC620 (#8474)
• Add Zooz Zen58 Low Voltage XS Relay (#8444)
• Hide VZW32-SN test parameter from production use (#8512)
• Add Aeotec ZWA050 SmokeShield for Ei Smoke Detectors (#8493)

Changes under the hood

• Support sdkVersion in configuration file conditions (#8529)
• Add support for "hidden" config property to linter (#8533)
• Fix lint:configjson scripts (#8535)

... (truncated)

Commits

• 208e9a0 chore: release v15.20.1
• 755ffe3 chore: update changelog
• 733335b fix: migrate broken v2 device config hash to a fixed format on load (#8571)
• 4df722d feat(config): add Zooz Zen57 240V XS Relay (#8561)
• 7d4a2dd feat(config): add MCO Home MH-5900 thermostat (#8553)
• 4180973 fix(config): update Zooz ZEN35 config to firmware 1.10+ (#8560)
• 0bcc40c feat(config): update Zooz ZEN14 config for firmware 2.20 (#8562)
• 690452d chore: release v15.20.0
• f5c5662 chore: update changelog
• 05a5dbd fix: handle allowed field in device config hash comparison (#8555)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for zwave-js since your current version.

Updates @alcalzone/release-script from 3.5.9 to 3.8.0

Release notes

Sourced from @​alcalzone/release-script's releases.

Release v3.8.0

• git plugin: allow to skip push stage via noPush option

Release v3.7.3

• package plugin: Support monorepos managed with Yarn v4

Release v3.7.2

• iobroker plugin: Fixed issue in changelog cleanup routine introduced in 3.7.1

Release v3.7.1

• iobroker plugin: Detect more author names and @ mentions in the changelog

Release v3.7.0

• Added -lf option to run the lock file update with the --force flag
• Dependency upgrades

Release v3.6.0

• git plugin: Add the --tagOnly flag to only create a tag without pushing the commit to the release branch.

Changelog

Sourced from @​alcalzone/release-script's changelog.

3.8.0 (2024-07-23)

• git plugin: allow to skip push stage via noPush option

3.7.3 (2024-07-05)

• package plugin: Support monorepos managed with Yarn v4

3.7.2 (2024-06-24)

• iobroker plugin: Fixed issue in changelog cleanup routine introduced in 3.7.1

3.7.1 (2024-06-12)

• iobroker plugin: Detect more author names and @ mentions in the changelog

3.7.0 (2023-11-29)

• Added -lf option to run the lock file update with the --force flag
• Dependency upgrades

3.6.0 (2023-07-03)

• git plugin: Add the --tagOnly flag to only create a tag without pushing the commit to the release branch.

Commits

• 9a14f20 chore: release v3.8.0
• a0c7d17 feat: add option to skip pushing to remote (#172)
• 4da181d chore: release v3.7.3
• a4982dc fix: only set --all flag for Yarn 4
• aff2d0f fix: yarn v4 support for monorepos (#171)
• 0ce8359 chore: release v3.7.2
• 564ae9b fix: set unicode flag for author name regex (#170)
• 74822d4 chore: release v3.7.1
• 3c0c9fd Run workflows with node 20, dropped node 14 and 16 support (#169)
• ee8c4b4 build: bump tar from 6.1.11 to 6.2.1 (#167)
• Additional commits viewable in compare view

Updates @alcalzone/release-script-plugin-iobroker from 3.5.9 to 3.7.2

Release notes

Sourced from @​alcalzone/release-script-plugin-iobroker's releases.

Release v3.7.2

• iobroker plugin: Fixed issue in changelog cleanup routine introduced in 3.7.1

Release v3.7.1

• iobroker plugin: Detect more author names and @ mentions in the changelog

Release v3.7.0

• Added -lf option to run the lock file update with the --force flag
• Dependency upgrades

Release v3.6.0

• git plugin: Add the --tagOnly flag to only create a tag without pushing the commit to the release branch.

Changelog

Sourced from @​alcalzone/release-script-plugin-iobroker's changelog.

3.7.2 (2024-06-24)

• iobroker plugin: Fixed issue in changelog cleanup routine introduced in 3.7.1

3.7.1 (2024-06-12)

• iobroker plugin: Detect more author names and @ mentions in the changelog

3.7.0 (2023-11-29)

• Added -lf option to run the lock file update with the --force flag
• Dependency upgrades

3.6.0 (2023-07-03)

• git plugin: Add the --tagOnly flag to only create a tag without pushing the commit to the release branch.

Commits

• 0ce8359 chore: release v3.7.2
• 564ae9b fix: set unicode flag for author name regex (#170)
• 74822d4 chore: release v3.7.1
• 3c0c9fd Run workflows with node 20, dropped node 14 and 16 support (#169)
• ee8c4b4 build: bump tar from 6.1.11 to 6.2.1 (#167)
• 78a3509 build: bump @​babel/traverse from 7.17.3 to 7.24.1 (#163)
• c5f0fdb build: bump ip from 1.1.5 to 1.1.9 (#164)
• a7afb52 build: bump follow-redirects from 1.15.4 to 1.15.6 (#166)
• 0ad727c build: bump follow-redirects from 1.15.3 to 1.15.4 (#157)
• fe5aa0d fix: match non-ASCII author names and @ (#161)
• Additional commits viewable in compare view

Updates @iobroker/adapter-dev from 1.2.0 to 1.5.0

Release notes

Sourced from @​iobroker/adapter-dev's releases.

Release v1.5.0

• (@Apollon77/@​copilot) Add DeepL API support for higher quality translations. Set DEEPL_API_KEY environment variable to use DeepL as the preferred translation service. DeepL is prioritized over Google Translate when available.
• (@Apollon77/@​copilot) Add remove-translations (rt) and remove-key (rk) commands for translation management. New commands allow removing translation keys from language files efficiently
• (@Apollon77/@​copilot) Enhanced translation error messages for empty string keys with clearer error context and actionable guidance
• (@Apollon77/@​copilot) Add --rebuild option to translate command for complete regeneration of translation files
• (@Apollon77/@​copilot) Detect and preserve original indentation in JSON files during translation. Files using tab indentation or different space amounts are now preserved correctly instead of being converted to 4-space indentation.
• (@Apollon77/@​copilot) Sort JSON keys alphabetically in all generated translation files
• (@Apollon77/@​copilot) ESM support for TypeScript build format option. The --typescriptFormat option now accepts both cjs (CommonJS) and esm (ES modules) formats
• (@Apollon77/@​copilot) Enhanced handling of rate limits for translations and persist as much progress as possible.

Release v1.4.0

• (ticaki) rimraf replaced by by internal tool.
• (hombach) change year to 2025
• (hombach) Fix two vulnerabilities
• (hombach) Bump dev dependencies
• (hombach) add tests for node.js 22, remove node 16 tests
• (@​GermanBluefox) Added convert command to convert old i18n structure to new one
• (@​GermanBluefox) Packages were updated
• (@​UncleSamSwiss) Change default path for translation JSON files to admin/i18n/en.json; the old path is still supported for existing repositories

Release v1.3.0

• (kleinOr/Apollon77) Detects and keeps space indentation of io-package
• (Steiger04) Fix handling of dot keys for esbuild
• (Steiger04) Update esbuild and adjust watch mode
• (Steiger04) process.env.NODE_ENV is now also available server side

Commits

• 794bbcb chore: release v1.5.0
• ee70cbb prepare release
• 21def91 Add DeepL API support for higher quality translations (#367)
• 7b36516 Stop translation attempts when rate-limited by Google Translate API and prese...
• bc33748 changelog
• f664fea Add remove-translations and remove-key commands for translation management (#...
• e7568f6 Enhance translation error messages for empty string keys (#365)
• b16a67f Migrate to ESLint 9 and @​iobroker/eslint-config (#363)
• 6830f1e Add --rebuild option to translate command for complete regeneration of transl...
• 4e80716 Detect and preserve original indentation in JSON files during translation (#356)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.