
chore(deps): bump axios from 1.13.5 to 1.15.0 #9053

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/axios-1.15.0

Conversation


@dependabot dependabot bot commented on behalf of github Apr 13, 2026

Bumps axios from 1.13.5 to 1.15.0.

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

v1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

  • Breaking Changes: None identified in this release.
  • Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

  • Runtime Features: No new end-user features were introduced in this release.
  • Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

  • Headers: Trim trailing CRLF in normalised header values. (#7456)
  • HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
  • Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
  • Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.0 — April 7, 2026

This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening.

🔒 Security Fixes

  • Header Injection (CRLF): Rejects any header value containing \r or \n characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw "Invalid character in header content". (#10660)

  • SSRF via no_proxy Bypass: Introduces a shouldBypassProxy helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating no_proxy/NO_PROXY rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (#10661)

🚀 New Features

  • Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (#10652)

🐛 Bug Fixes

  • Node.js v22 Compatibility: Replaced deprecated url.parse() calls with the WHATWG URL/URLSearchParams API across examples, sandbox, and tests, eliminating DEP0169 deprecation warnings on Node.js v22+. (#10625)

🔧 Maintenance & Chores

  • CI Security Hardening: Added zizmor GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived NODE_AUTH_TOKEN); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated npm-publish environment; and blocked the sponsor-block workflow from running on forks. (#10618, #10619, #10627, #10637, #10641, #10666)

  • Docs: Clarified HTTP/2 support and the unsupported httpVersion option; added documentation for header case preservation; improved the beforeRedirect example to prevent accidental credential leakage. (#10644, #10654, #10624)

  • Dependencies: Bumped picomatch, handlebars, serialize-javascript, vite (×3), denoland/setup-deno, and 4 additional dev dependencies to latest versions. (#10564, #10565, #10567, #10568, #10572, #10574, #10663, #10664, #10665, #10669, #10670)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog


v1.14.0 — March 27, 2026

This release fixes a security vulnerability in the formidable dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain.

🔒 Security Fixes

  • Formidable Vulnerability: Upgraded formidable from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (#7533)

🐛 Bug Fixes

... (truncated)

Commits
  • 772a4e5 chore(release): prepare release 1.15.0 (#10671)
  • 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
  • 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
  • fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
  • 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
  • 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
  • e66530e ci: require npm-publish environment for releases (#10666)
  • 49f23cb chore(sponsor): update sponsor block (#10668)
  • 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
  • fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [axios](https://github.com/axios/axios) from 1.13.5 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 13, 2026

github-actions bot commented Apr 13, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump axios from 1.13.5 to 1.15.0
  • Issue: None — title is clear, follows conventional commit style, and accurately describes the change.
  • Recommendation: Keep as-is.

Commit Type

  • The PR body does not follow the repository PR template (the explicit Commit Type checkbox selections are missing). I can infer from the title that this is a chore, but the template requires the author to explicitly mark a Commit Type block.
  • Recommendation: add the Commit Type section to the PR body and check only one of the boxes. Example to paste into the PR body under the template header:
    • chore - Maintenance/tooling

Risk Level

  • The PR has no risk:* label and the PR body did not select a Risk Level. Every PR must include one of: risk:low, risk:medium, or risk:high as a GitHub label and the same selection in the PR template.
  • Assessment: Based on the code diff (axios bumped 1.13.5 -> 1.15.0, follow-redirects and proxy-from-env updated in lockfile), I advise Medium risk. Reason: while axios 1.15.0 includes security fixes (SSRF and header injection) and statements of no breaking changes, behavior changes (headers with CR/LF now throw, proxy/no_proxy hostname normalization changes, and proxy-from-env bump) can cause runtime errors in code that relied on prior behavior. Please add the risk:medium label and mark Medium in the Risk Level section of the PR body. If you believe the impact is lower, justify it in the PR body (for example: "we validated our usage of axios headers/proxy and are not using header values with CR/LF or env-based proxy behavior").

What & Why

  • Current: (Not provided in the required template format — the PR body contains Dependabot release notes instead of the repository template fields.)
  • Issue: The PR body does not include the repository's required "What & Why" short summary in the requested template fields. The long release notes are fine to keep, but the template requires a concise "What & Why" section.
  • Recommendation: Add a short, 1–2 sentence summary at the top following the template. Example:
    • What & Why:
      "Bumps axios from 1.13.5 to 1.15.0 to pick up recent security fixes (header injection and SSRF fixes) and dependency updates. This reduces the risk of metadata exfiltration and normalizes proxy hostname handling."

Impact of Change

  • Issue: The PR does not include the Impact section in the required template format.
  • Recommendation: Add a short impact list. Example:
    • Users: No direct UI changes expected. Potential runtime errors only if code passes CR/LF characters in headers or depends on previous proxy/no_proxy behavior.
    • Developers: Validate code paths that set request headers or configure proxies; check any internal HTTP client utilities that modify headers.
    • System: Minor dependency upgrades; CI should run after upgrade to validate behavior.

Test Plan

  • Assessment: No unit or E2E tests were added in this PR (diff shows package.json and lockfile updates only). For a dependency bump that includes security fixes and behavior changes, the PR should at minimum describe how the change was validated and list required checks.
  • Recommendation: Update the Test Plan section in the PR body. At minimum include:
    • Run full CI (unit + e2e) and paste CI link(s)
    • Run local smoke tests for the webapp and VS Code extension flows that make HTTP requests via axios
    • Validate any code that programmatically sets header values — ensure none rely on CR/LF in header content (headers with CR or LF now throw)
    • Validate proxy/no_proxy-related integrations (the bump normalizes hostnames and may change bypass behavior)
    • If you cannot run E2E tests here, explain why and include a rationale for manual testing coverage performed.

⚠️ Contributors

  • Assessment: Optional. PR body currently does not include a Contributors section. This is not required to pass but it is good practice to credit people/teams who helped.
  • Recommendation: If others helped validate the upgrade, add them here (e.g., QA, platform owners).

⚠️ Screenshots/Videos

  • Assessment: Not applicable for this non-visual change. No action needed.

Summary Table

Section Status Recommendation
Title Title is good; keep as-is.
Commit Type Add the template Commit Type selection (check only chore).
Risk Level Add label risk:medium and mark Medium in the template; explain reasons.
What & Why Add a concise What & Why summary (1-2 sentences).
Impact of Change Add Users/Developers/System bullet list describing impact.
Test Plan Add CI run + smoke tests + validation steps; run them.
Contributors ⚠️ Optional: list contributors if any.
Screenshots/Videos ⚠️ Not applicable.

Final message:
Please update the PR body to use the repository PR template. Specifically:

  • Add the Commit Type section and mark chore.
  • Add the Risk Level selection and apply the GitHub label risk:medium (advised: Medium — see reasoning above). If you disagree, explain why and provide validation evidence.
  • Add a concise "What & Why" summary at the top (one or two sentences).
  • Fill the Impact of Change section with Users/Developers/System bullets.
  • Update the Test Plan: run CI, run local smoke tests that exercise axios requests (including header-setting paths and proxy/no_proxy usage), and include results/links.
  • Optionally add Contributors if relevant.

Because the PR body currently does not follow the required template and is missing a risk label and test plan, this review cannot pass. After you update the PR body and add the risk:medium label and the test plan / validation results, please re-request review.

Notes on technical risk (why Medium):

  • axios 1.15.0 includes security fixes (header injection/SSRF) and behavior changes: values containing CR/LF now throw an error and proxy/no_proxy hostname normalization changed. These can cause runtime failures if any code relied on the previous behavior. The lockfile also upgrades proxy-from-env to 2.x — review any proxy-related assumptions.

If you want, here's a minimal block you can paste at the top of the PR body to satisfy the template quickly:

Commit Type

  • chore - Maintenance/tooling

Risk Level

  • Medium - Moderate changes, some user impact

What & Why

Bumps axios from 1.13.5 to 1.15.0 to pull in security fixes (header injection and SSRF fixes) and dependency updates. This reduces risk of metadata exfiltration and improves proxy hostname normalization.

Impact of Change

  • Users: No UI changes expected; possible runtime errors if any code sets headers containing CR/LF.
  • Developers: Validate HTTP client utilities and any header-setting code. Validate proxy/no_proxy behavior.
  • System: Lockfile and dependency updates; run CI to ensure no regressions.

Test Plan

  • Unit tests: run pnpm -w test (or repo equivalent) and ensure all tests pass.
  • E2E tests: run smoke/e2e pipelines that exercise network requests.
  • Manual/CI checks: run local smoke scenarios that set headers and use proxies; confirm no unexpected errors.

Thank you — once you update the PR body and add the requested label and test results I will re-review.


Last updated: Mon, 13 Apr 2026 18:07:17 GMT

@github-actions

📊 Coverage Check

No source files changed in this PR.


Labels

  • dependencies (Pull requests that update a dependency file)
  • javascript (Pull requests that update javascript code)
  • needs-pr-update
