chore(deps-dev): bump axios from 1.13.5 to 1.15.0 in /apps/vs-code-designer

[dependabot]

Bumps axios from 1.13.5 to 1.15.0.

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

• Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

• Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
• Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

• Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

• CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
• Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
• Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
• Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
• Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @​raashish1601 (#10573)
• @​Kilros0817 (#10625)
• @​ashstrc (#10624)
• @​Abhi3975 (#10589)
• @​theamodhshetty (#7452)

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes microsoft/TypeScript#33471

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad

... (truncated)

Commits

• 772a4e5 chore(release): prepare release 1.15.0 (#10671)
• 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
• 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
• fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
• 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
• 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
• e66530e ci: require npm-publish environment for releases (#10666)
• 49f23cb chore(sponsor): update sponsor block (#10668)
• 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
• fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

📊 Coverage check completed. See workflow run for details.

[github-actions]

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

✅ PR Title

• Current: chore(deps-dev): bump axios from 1.13.5 to 1.15.0 in /apps/vs-code-designer
• Issue: None — title is clear and follows conventional commit style and indicates the package and path updated.
• Recommendation: You can optionally append a short reason (e.g. security fixes) if you want to signal urgency, but this is not required.

---

❌ Commit Type

• The PR body does not include the repo's required PR template checkboxes for Commit Type. The template expects one of the listed options (feature, fix, refactor, perf, docs, test, chore).
• Note: For a dependency bump like this, choose chore.
• Recommendation: Update the PR body to include the PR template and mark - [x] chore under "Commit Type".

---

❌ Risk Level

• Assessment: Missing. The PR does not include the Risk Level selection in the required template. Also the repository is missing a risk:* label on this PR (current labels: javascript, dependencies).
• Advice / Assessment: Based on the code diff (only a single package.json dependency bump of axios from 1.13.5 -> 1.15.0) and the release notes included in the dependabot description (security fixes for SSRF and header injection, CI changes, compatibility notes), the advised risk level is Medium.
  • Rationale: This is a dependency upgrade that contains security fixes; it's low surface (only packages.json changed) but dependency behavior could impact runtime (proxy/env behavior or adapter changes). Marking as Medium helps ensure appropriate review and testing.
• Recommendation:
  • Add the appropriate risk checkbox to the PR body: - [x] Medium - Moderate changes, some user impact.
  • Add a repo label: risk:medium (or whichever label set your team uses). Ensure the label matches the Risk Level you select in the template.

---

⚠️ What & Why

• Current: The dependabot-generated body contains a long release note and changelog excerpt (Bumps axios...).
• Issue: The repository's PR template expects a short, specific "What & Why" section. While the dependabot body contains the details, it does not follow the required templated section.
• Recommendation: Add a concise "What & Why" to the top of the PR body. Example you can paste:
  "Bumps axios from 1.13.5 to 1.15.0 in /apps/vs-code-designer to pick up security fixes (SSRF and header injection) and other maintenance improvements. No breaking changes identified in upstream changelog, but please validate proxy/env behavior and extension HTTP integrations."

---

❌ Impact of Change

• Issue: The PR body does not include the templated Impact of Change section with Users/Developers/System bullets.
• Recommendation: Add a short Impact section tailored to this change. Example:
  • Users: No UI changes expected. If the extension makes HTTP requests, there is potential behavior improvement/fix (security).
  • Developers: Dependency bump; run CI and integration tests. No API changes expected.
  • System: No infra or runtime changes expected, but validate proxy/env-based behavior (per axios notes).

---

❌ Test Plan

• Assessment: Failing — the PR contains no new/updated unit or E2E tests, and the PR body does not explain why tests were omitted.

• Repo rule: If no unit or E2E tests are added and there's no explanation for why, this check must fail.

• Recommendation: Do one of the following before this PR can pass template validation:

  1. Add or update relevant tests that exercise HTTP calls made by the VS Code extension (unit tests or a small integration test), or
  2. Provide a clear Manual testing section that explains exactly how the change was validated (e.g., steps to run the VS Code extension test harness, commands to reproduce the extension behavior, CI job names that were run). Example manual test steps to include:
     • npm install in /apps/vs-code-designer
     • Run the extension's test suite: npm run test (or the repo's test command) and report results
     • Launch the extension in a test VS Code instance and exercise any flows that perform HTTP requests
  3. If this package is only used at build-time / dev-time, explain that and include CI job output showing green tests.

  Without one of these, the PR must not be auto-approved.

---

⚠️ Contributors

• Assessment: Not provided. This section is optional.
• Recommendation: If other engineers or security reviewers contributed or validated the upgrade, list them here. If nothing to add, you can leave blank.

---

⚠️ Screenshots/Videos

• Assessment: Not applicable (no UI change).
• Recommendation: N/A

---

Summary Table

Section	Status	Recommendation
Title	✅	Title is clear; optional: append security fixes if you want urgency shown.
Commit Type	❌	Mark - [x] chore in the PR template.
Risk Level	❌	Select Medium in the template and add label risk:medium.
What & Why	⚠️	Add a short summary: reason & security fixes.
Impact of Change	❌	Add Users/Developers/System bullets.
Test Plan	❌	Add unit/E2E tests or detailed manual testing steps and CI output.
Contributors	⚠️	Optional: add contributors if applicable.
Screenshots/Videos	⚠️	N/A (no UI change).

---

Final Notes

• This PR currently does not pass the repository PR-body requirements because the template sections for Commit Type, Risk Level, Impact of Change and Test Plan are missing or incomplete. Because there are no tests and no test justification, the check fails.
• Advised risk level: Medium (this is higher than the PR's currently-assigned risk label — the PR has no risk:* label). Please add risk:medium to the PR labels and select Medium in the PR template.

Please update the PR body to include the sections above (Commit Type, Risk Level, What & Why, Impact, Test Plan). Add at minimum the manual testing steps and CI results or a unit/e2e test for the affected area. Once updated, re-request review.

Thank you for keeping dependencies up-to-date — the changelog you included is useful. After you add the template items and test evidence, this should be straightforward to approve.

---

Last updated: Fri, 10 Apr 2026 06:07:32 GMT