Commit 7ddffe5
chore: bump axios from 1.13.6 to 1.15.1 (#11515)
Bumps [axios](https://github.com/axios/axios) from 1.13.6 to 1.15.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/releases">axios's
releases</a>.</em></p>
<blockquote>
<h2>v1.15.1</h2>
<p>This release ships a coordinated set of security hardening fixes
across headers, body/redirect limits, multipart handling, and
XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes,
test migrations, and threat-model documentation updates.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Header Injection Hardening:</strong> Tightened validation
and sanitisation across request header construction to close the
header-injection attack surface. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10749">#10749</a></strong>)</li>
<li><strong>CRLF Stripping in Multipart Headers:</strong> Correctly
strips CR/LF from multipart header values to prevent injection via field
names and filenames. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10758">#10758</a></strong>)</li>
<li><strong>Prototype Pollution / Auth Bypass:</strong> Replaced unsafe
<code>in</code> checks with <code>hasOwnProperty</code> to prevent
authentication bypass via prototype pollution on config objects, with
additional regression tests. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10761">#10761</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10760">#10760</a></strong>)</li>
<li><strong><code>withXSRFToken</code> Truthy Bypass:</strong>
Short-circuits on any truthy non-boolean value, so an ambiguous config
no longer silently leaks the XSRF token cross-origin. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10762">#10762</a></strong>)</li>
<li><strong><code>maxBodyLength</code> With Zero Redirects:</strong>
Enforces <code>maxBodyLength</code> even when <code>maxRedirects</code>
is set to <code>0</code>, closing a bypass path for oversized request
bodies. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10753">#10753</a></strong>)</li>
<li><strong>Streamed Response <code>maxContentLength</code>
Bypass:</strong> Applies <code>maxContentLength</code> to streamed
responses that previously bypassed the cap. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10754">#10754</a></strong>)</li>
<li><strong>Follow-up CVE Completion:</strong> Completes an earlier
incomplete CVE fix to fully close the regression window. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10755">#10755</a></strong>)</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>AI-Based Docs Translations:</strong> Initial scaffold for
AI-assisted translations of the documentation site. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10705">#10705</a></strong>)</li>
<li><strong><code>Location</code> Request Header Type:</strong> Adds
<code>Location</code> to <code>CommonRequestHeadersList</code> for
accurate typing of redirect-aware requests. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7528">#7528</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>FormData Handling:</strong> Removes
<code>Content-Type</code> when no boundary is present on
<code>FormData</code> fetch requests, supports multi-select fields,
cancels <code>request.body</code> instead of the source stream on fetch
abort, and fixes a recursion bug in form-data serialisation. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7314">#7314</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10676">#10676</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10702">#10702</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10726">#10726</a></strong>)</li>
<li><strong>HTTP Adapter:</strong> Handles socket-only request errors
without leaking keep-alive listeners. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10576">#10576</a></strong>)</li>
<li><strong>Progress Events:</strong> Clamps <code>loaded</code> to
<code>total</code> for computable upload/download progress events.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7458">#7458</a></strong>)</li>
<li><strong>Types:</strong> Aligns <code>runWhen</code> type with the
runtime behaviour in <code>InterceptorManager</code> and makes response
header keys case-insensitive. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7529">#7529</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10677">#10677</a></strong>)</li>
<li><strong><code>buildFullPath</code>:</strong> Uses strict equality in
the base/relative URL check. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7252">#7252</a></strong>)</li>
<li><strong><code>AxiosURLSearchParams</code> Regex:</strong> Improves
the regex used for param serialisation to avoid edge-case mismatches.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10736">#10736</a></strong>)</li>
<li><strong>Resilient Value Parsing:</strong> Parses out header/config
values instead of throwing on malformed input. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10687">#10687</a></strong>)</li>
<li><strong>Docs Artefact Cleanup:</strong> Removes the docs content
that was incorrectly committed. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10727">#10727</a></strong>)</li>
</ul>
<h2>🔧 Maintenance & Chores</h2>
<ul>
<li><strong>Threat Model & Security Docs:</strong> Ongoing
refinement of <code>THREATMODEL.md</code>, including Hopper security
update, TLS and tag-replay wording, mitigation descriptions,
decompression-bomb guidance, and further cleanup. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10672">#10672</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10715">#10715</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10718">#10718</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10722">#10722</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10763">#10763</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10765">#10765</a></strong>)</li>
<li><strong>Test Coverage & Migration:</strong> Expanded
<code>shouldBypassProxy</code> coverage for wildcard/IPv6/edge cases,
documented and tested <code>AxiosError.status</code>, and migrated
<code>progressEventReducer</code> tests to Vitest. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10723">#10723</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10725">#10725</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10741">#10741</a></strong>)</li>
<li><strong>Type Refactor:</strong> Uses TypeScript utility types to
deduplicate literal unions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7520">#7520</a></strong>)</li>
<li><strong>Repo & CI:</strong> Adds <code>CODEOWNERS</code>,
switches v1.x releases to an ephemeral release branch, and removes
orphaned Bower support. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10739">#10739</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10738">#10738</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10746">#10746</a></strong>)</li>
<li><strong>Changelog Backfill:</strong> Added missing version entries
to the changelog. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10704">#10704</a></strong>)</li>
<li><strong>Dependencies:</strong> Bumped <code>follow-redirects</code>
(<code>1.15.11</code> → <code>1.16.0</code>) in root and docs,
<code>axios</code> (<code>1.14.0</code> → <code>1.15.0</code>) in docs,
and a group of 5 development dependencies. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10717">#10717</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10716">#10716</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10684">#10684</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10709">#10709</a></strong>)</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/curiouscoder-cmd"><code>@curiouscoder-cmd</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7252">#7252</a></strong>)</li>
<li><strong><a
href="https://github.com/tryonelove"><code>@tryonelove</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7520">#7520</a></strong>)</li>
<li><strong><a
href="https://github.com/darwin808"><code>@darwin808</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/7314">#7314</a></strong>)</li>
<li><strong><a
href="https://github.com/zoontek"><code>@zoontek</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10702">#10702</a></strong>)</li>
<li><strong><a
href="https://github.com/AKIB473"><code>@AKIB473</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10725">#10725</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.15.0...v1.15.1">Full
Changelog</a></p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v1.15.0 — April 7, 2026</h2>
<p>This release delivers two critical security patches targeting header
injection and SSRF via proxy bypass, adds official runtime support for
Deno and Bun, and includes significant CI security hardening.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li>
<p><strong>Header Injection (CRLF):</strong> Rejects any header value
containing <code>\r</code> or <code>\n</code> characters to block CRLF
injection chains that could be used to exfiltrate cloud metadata (IMDS).
Behavior change: headers with CR/LF now throw <code>"Invalid
character in header content"</code>. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10660">#10660</a></strong>)</p>
</li>
<li>
<p><strong>SSRF via <code>no_proxy</code> Bypass:</strong> Introduces a
<code>shouldBypassProxy</code> helper that normalises hostnames (strips
trailing dots, handles bracketed IPv6) before evaluating
<code>no_proxy</code>/<code>NO_PROXY</code> rules, closing a gap that
could cause loopback or internal hosts to be inadvertently proxied.
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10661">#10661</a></strong>)</p>
</li>
</ul>
<h2>🚀 New Features</h2>
<ul>
<li><strong>Deno & Bun Runtime Support:</strong> Added full smoke
test suites for Deno and Bun, with CI workflows that run both runtimes
before any release is cut. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10652">#10652</a></strong>)</li>
</ul>
<h2>🐛 Bug Fixes</h2>
<ul>
<li><strong>Node.js v22 Compatibility:</strong> Replaced deprecated
<code>url.parse()</code> calls with the WHATWG
<code>URL</code>/<code>URLSearchParams</code> API across examples,
sandbox, and tests, eliminating <code>DEP0169</code> deprecation
warnings on Node.js v22+. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
</ul>
<h2>🔧 Maintenance & Chores</h2>
<ul>
<li>
<p><strong>CI Security Hardening:</strong> Added <a
href="https://github.com/zizmorcore/zizmor">zizmor</a> GitHub Actions
security scanner; switched npm publish to OIDC Trusted Publishing
(removing the long-lived <code>NODE_AUTH_TOKEN</code>); pinned all
action references to full commit SHAs; narrowed workflow permissions to
least privilege; gated the publish step behind a dedicated
<code>npm-publish</code> environment; and blocked the sponsor-block
workflow from running on forks. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10627">#10627</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</p>
</li>
<li>
<p><strong>Docs:</strong> Clarified HTTP/2 support and the unsupported
<code>httpVersion</code> option; added documentation for header case
preservation; improved the <code>beforeRedirect</code> example to
prevent accidental credential leakage. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10654">#10654</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>)</p>
</li>
<li>
<p><strong>Dependencies:</strong> Bumped <code>picomatch</code>,
<code>handlebars</code>, <code>serialize-javascript</code>,
<code>vite</code> (×3), <code>denoland/setup-deno</code>, and 4
additional dev dependencies to latest versions. (<strong><a
href="https://redirect.github.com/axios/axios/issues/10564">#10564</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10565">#10565</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10567">#10567</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10568">#10568</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10572">#10572</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10574">#10574</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10663">#10663</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10664">#10664</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10665">#10665</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10669">#10669</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10670">#10670</a></strong>)</p>
</li>
</ul>
<h2>🌟 New Contributors</h2>
<p>We are thrilled to welcome our new contributors. Thank you for
helping improve axios:</p>
<ul>
<li><strong><a
href="https://github.com/Kilros0817"><code>@Kilros0817</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10625">#10625</a></strong>)</li>
<li><strong><a
href="https://github.com/shaanmajid"><code>@shaanmajid</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10616">#10616</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10617">#10617</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10618">#10618</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10619">#10619</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10637">#10637</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10641">#10641</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10666">#10666</a></strong>)</li>
<li><strong><a
href="https://github.com/ashstrc"><code>@ashstrc</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10624">#10624</a></strong>,
<strong><a
href="https://redirect.github.com/axios/axios/issues/10644">#10644</a></strong>)</li>
<li><strong><a
href="https://github.com/Abhi3975"><code>@Abhi3975</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10589">#10589</a></strong>)</li>
<li><strong><a
href="https://github.com/raashish1601"><code>@raashish1601</code></a></strong>
(<strong><a
href="https://redirect.github.com/axios/axios/issues/10573">#10573</a></strong>)</li>
</ul>
<p><a
href="https://github.com/axios/axios/compare/v1.14.0...v1.15.0">Full
Changelog</a></p>
<hr />
<h2>v1.14.0 — March 27, 2026</h2>
<p>This release fixes a security vulnerability in the
<code>formidable</code> dependency, resolves a CommonJS compatibility
regression, hardens proxy and HTTP/2 handling, and modernises the build
and test toolchain.</p>
<h2>🔒 Security Fixes</h2>
<ul>
<li><strong>Formidable Vulnerability:</strong> Upgraded
<code>formidable</code> from v2 to v3 to address a reported
arbitrary-file vulnerability. Updated test server and assertions to
align with the v3 API. (<strong><a
href="https://redirect.github.com/axios/axios/issues/7533">#7533</a></strong>)</li>
</ul>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/axios/axios/commit/ac42446be51300fe214ba3c6e40cc95f34fd6871"><code>ac42446</code></a>
chore(release): prepare release 1.15.1 (<a
href="https://redirect.github.com/axios/axios/issues/10767">#10767</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/908f2206b6bfeff67236784abce85935698ac1d9"><code>908f220</code></a>
docs: update threatmodel (<a
href="https://redirect.github.com/axios/axios/issues/10765">#10765</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/f93f8155250c2e066205521eda05ae22983a1f6d"><code>f93f815</code></a>
docs: added docs around potential decompressions bomb (<a
href="https://redirect.github.com/axios/axios/issues/10763">#10763</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/1728aa1b15b8857f970611fd8983c06b423fc486"><code>1728aa1</code></a>
fix: short-circuits on any truthy non-boolean in withXSRFToken (<a
href="https://redirect.github.com/axios/axios/issues/10762">#10762</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/42eb721eebc95cfded8d6c70cf62f3fbe83f3246"><code>42eb721</code></a>
fix: replace in with has own prop util (<a
href="https://redirect.github.com/axios/axios/issues/10761">#10761</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/75873270a59bd5d895322eee145738e95fb89258"><code>7587327</code></a>
fix: strip crlf correctly (<a
href="https://redirect.github.com/axios/axios/issues/10758">#10758</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/f0b98673b32677643a3b608431270d36e997473c"><code>f0b9867</code></a>
chore: added additional testing for this issue (<a
href="https://redirect.github.com/axios/axios/issues/10760">#10760</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/e033f243a08e3514c03e510f76658da1e0fac3bd"><code>e033f24</code></a>
fix: incomplete fix for cve (<a
href="https://redirect.github.com/axios/axios/issues/10755">#10755</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/e8904af03385b040e53f1263a444e825db4335d9"><code>e8904af</code></a>
fix: stream response bypassed max content length (<a
href="https://redirect.github.com/axios/axios/issues/10754">#10754</a>)</li>
<li><a
href="https://github.com/axios/axios/commit/1c7f6d76e58359daddf38a6e636dd801ffd9c61b"><code>1c7f6d7</code></a>
fix: enforce max body length when max redirects is 0 (<a
href="https://redirect.github.com/axios/axios/issues/10753">#10753</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/axios/axios/compare/v1.13.6...v1.15.1">compare
view</a></li>
</ul>
</details>
<details>
<summary>Install script changes</summary>
<p>This version modifies <code>prepare</code> script that runs during
installation. Review the package contents before updating.</p>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/vaadin/web-components/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 4eebbbe commit 7ddffe5
1 file changed
Lines changed: 9 additions & 4 deletions
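The prototype-pollution hardening listed in the v1.15.1 release notes above (replacing `in` checks on config objects with an own-property check) is easy to get wrong, so here is an added example that is not axios's own code: the function names, the simulated pollution helper and the sample config are constructed for illustration, and the null-prototype copy at the end is an extra mitigation the notes do not describe.

```javascript
'use strict';

// Added example, not axios's code. Own-property check that ignores the
// prototype chain entirely.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable form: `in` walks the prototype chain, so if Object.prototype has
// been polluted (for example through an unsafe deep merge of user input),
// every config object suddenly appears to carry credentials.
function resolveAuthUnsafe(config) {
  if ('auth' in config) return config.auth;
  return null;
}

// Hardened form: only a property the caller actually set on this object counts.
function resolveAuthSafe(config) {
  if (hasOwn(config, 'auth')) return config.auth;
  return null;
}

// Further mitigation: copy the caller's own keys onto a null-prototype object,
// so later lookups cannot pick up inherited values no matter which operator
// the downstream code uses.
function ownConfig(config) {
  const out = Object.create(null);
  for (const key of Object.keys(config)) out[key] = config[key];
  return out;
}

// Regression-test helper (constructed for this example): installs one polluted
// key on Object.prototype, runs fn, and always removes the key again.
function withPollutedPrototype(key, value, fn) {
  Object.defineProperty(Object.prototype, key, {
    value, configurable: true, writable: true, enumerable: false,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Usage: a config that never had `auth` set must resolve to null, even while
// the prototype is polluted.
const sampleConfig = { url: 'https://api.example.test/', withCredentials: true }; // constructed
const polluted = { username: 'injected', password: 'injected' };               // constructed
const seenByUnsafe = withPollutedPrototype('auth', polluted, () => resolveAuthUnsafe(sampleConfig));
const seenBySafe = withPollutedPrototype('auth', polluted, () => resolveAuthSafe(sampleConfig));
console.log('unsafe sees:', seenByUnsafe, '| safe sees:', seenBySafe);
```

The test for this should run both resolvers inside the polluted window and also confirm the prototype is clean afterwards; a regression test that forgets the cleanup will poison every test that runs after it.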
Diff (the page rendered only line numbers; the changed lines themselves were not captured): one hunk at original lines 2931–2943, where lines 2934–2936 and 2940 are replaced (4 deletions, 4 additions), and one hunk at original lines 8958–8963, where 5 lines are added as new lines 8961–8965.