🚨 [security] Update axios 1.4.0 → 1.6.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ axios (1.4.0 → 1.6.2) · Repo · Changelog

Security Advisories 🚨

🚨 Axios Cross-Site Request Forgery Vulnerability

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Release Notes

1.6.2

Release notes:

Features

• withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

PRs

• feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )

📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

• Dmitriy Mozgovoy
• Ng Choon Khon (CK)
• Muhammad Noman

1.6.1

Release notes:

Bug Fixes

• formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
• platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

Contributors to this release

• Dmitriy Mozgovoy
• Fabian Meyer

1.6.0

Release notes:

Bug Fixes

• CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
• dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
• types: fix AxiosHeaders types; (#5931) (a1c8ad0)

PRs

• CVE 2023 45857 ( #6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

• Dmitriy Mozgovoy
• Valentin Panov
• Rinku Chaudhari

1.5.1

Release notes:

Bug Fixes

• adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
• formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
• headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
• types: removed duplicated code (9e62056)

Contributors to this release

• Dmitriy Mozgovoy
• David Dallas
• Sean Sattler
• Mustafa Ateş Uzun
• Przemyslaw Motacki
• Michael Di Prisco

1.5.0

Release notes:

Bug Fixes

• adapter: make adapter loading error more clear by using platform-specific adapters explicitly (#5837) (9a414bb)
• dns: fixed cacheable-lookup integration; (#5836) (b3e327d)
• headers: added support for setting header names that overlap with class methods; (#5831) (d8b4ca0)
• headers: fixed common Content-Type header merging; (#5832) (8fda276)

Features

• export getAdapter function (#5324) (ca73eb8)
• export: export adapters without unsafe prefix (#5839) (1601f4a)

Contributors to this release

• Dmitriy Mozgovoy
• 夜葬
• Jonathan Budiman
• Michael Di Prisco

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 41 commits:

• chore(release): v1.6.2 (#6082)
• chore(ci): removed redundant release action; (#6081)
• chore(docs): fix outdated grunt to npm scripts (#6073)
• chore(docs): update README.md (#6048)
• chore(ci): removed paths-ignore filter; (#6080)
• chore(ci): reworked ignoring files logic; (#6079)
• chore(ci): add paths-ignore config to testing action; (#6078)
• feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; (#6046)
• chore(ci): fixed release notification action; (#6064)
• chore(ci): fixed release notification action; (#6063)
• chore(ci): fix publish action content permission; (#6061)
• chore(release): v1.6.1 (#6060)
• chore(ci): Publish to NPM with provenance (#5835)
• chore(ci): added labeling and notification for published PRs; (#6059)
• fix(formdata): fixed content-type header normalization for non-standard browser environments; (#6056)
• fix(platform): fixed emulated browser detection in node.js environment; (#6055)
• chore(release): v1.6.0 (#6031)
• chore(ci): fix release-it arg; (#6032)
• fix(CSRF): fixed CSRF vulnerability CVE-2023-45857 (#6028)
• chore(tests): fixed tests to pass in node v19 and v20 with `keep-alive` enabled; (#6021)
• fix(dns): fixed lookup function decorator to work properly in node v20; (#6011)
• chore(docs): added AxiosHeaders docs; (#5932)
• fix(types): fix AxiosHeaders types; (#5931)
• chore(docs): update readme.md (#5889)
• chore(release): v1.5.1 (#5920)
• fix(adapters): improved adapters loading logic to have clear error messages; (#5919)
• fix(formdata): fixed automatic addition of the `Content-Type` header for FormData in non-browser environments; (#5917)
• fix(headers): allow `content-encoding` header to handle case-insensitive values (#5890) (#5892)
• docs(paramsSerializer config within request config): update documentation for paramsSerializer
• Change isNaN to Number.isNaN
• docs: fix CommonJS usage note
• fix(types): removed duplicated code
• chore(release): v1.5.0 (#5838)
• feat(export): export adapters without `unsafe` prefix (#5839)
• docs: linting documentation notes (#5791)
• feat: export getAdapter function (#5324)
• fix(adapter): make adapter loading error more clear by using platform-specific adapters explicitly (#5837)
• fix(dns): fixed `cacheable-lookup` integration; (#5836)
• fix(headers): fixed common Content-Type header merging; (#5832)
• fix(headers): added support for setting header names that overlap with class methods; (#5831)
• docs: Add axios error type definitions in README.MD (#5788)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
genius-ai	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 16, 2023 3:01am