
chore(deps): bump axios to address high-severity advisories blocking security CI #173

@pchuri

Description


Summary

npm audit --audit-level moderate --omit=dev (run by the security job in .github/workflows/ci.yml) currently fails on every push because the pinned axios range ^1.15.0 resolves to 1.15.0/1.15.1, both of which carry recently disclosed high-severity advisories.

This is unrelated to any specific PR — the security check fails on main at the latest commit as well, and was the only blocker on #171 (now merged).

Reproduction

npm ci
npm audit --audit-level moderate --omit=dev
# exits 1 — 1 high severity vulnerability (axios 1.0.0 - 1.15.1)

Also visible in any recent CI run, e.g. https://github.com/pchuri/confluence-cli/actions/runs/25364389501 (main) and https://github.com/pchuri/confluence-cli/actions/runs/25389335951 (PR #171).

Affected advisories (axios 1.0.0 – 1.15.1)

Most are exploitable only when an attacker controls request configuration or response payloads, but several apply to any consumer (CRLF injection, no_proxy bypass, header injection).

Proposed fix

Bump axios to a fixed release and refresh the lockfile:

npm install axios@^1.15.2   # or whichever release contains the cluster of fixes
npm audit --audit-level moderate --omit=dev   # should be clean

Update package.json from "axios": "^1.15.0" to a range that excludes the affected versions. A quick smoke test of the auth/redirect paths (especially extractPageId tiny-link redirect handling and attachment uploads) is worth doing because some of these advisories patched HTTP-adapter behavior that the client relies on.

Tradeoffs / alternatives

  • Pin to latest major: simplest, but axios occasionally lands subtle behavior changes — worth a CHANGELOG note.
  • Suppress via --audit-level high or an .audit-ci allowlist: not recommended; these are real high-severity advisories.
  • Wait for upstream: not applicable, fixes are already published.

Acceptance criteria

  • npm audit --audit-level moderate --omit=dev exits 0 locally and in CI.
  • All existing tests pass on Node 18.x / 20.x / 22.x.
  • Manual smoke test of authenticated GET and a tiny-link redirect resolution.

Labels: bug, released