Skip to content

deps: bump axios to 1.16.0+ (fixes multiple CVEs)#53

Merged
adrienpessu merged 3 commits into
mainfrom
copilot/bump-axios-dependency
Jul 2, 2026
Merged

deps: bump axios to 1.16.0+ (fixes multiple CVEs)#53
adrienpessu merged 3 commits into
mainfrom
copilot/bump-axios-dependency

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

The issue requested bumping axios from 1.13.6 to 1.15.1, but 1.15.1 itself contains multiple unpatched security vulnerabilities — all fixed in 1.16.0.

Changes

  • package.json: Updated axios from ^1.15.1^1.16.0
  • package-lock.json: Lock file updated; npm resolves ^1.16.0 to 1.18.1 (latest, also clean)
  • CHANGELOG.md: Added ### Security entry documenting the fixes

Vulnerabilities addressed (all patched in 1.16.0)

Issue Affected range
ReDoS via Cookie Name Injection >= 1.0.0, < 1.16.0
Prototype Pollution → credential theft / request hijacking >= 1.0.0, < 1.16.0
Proxy-Authorization header leak across HTTP→HTTPS redirects >= 1.0.0, < 1.16.0
MITM via config.proxy prototype pollution >= 1.0.0, < 1.16.0
IPv4-mapped IPv6 NO_PROXY bypass >= 1.0.0, < 1.16.0

Copilot AI changed the title [WIP] Update axios from 1.13.6 to 1.15.1 in production-dependencies deps: bump axios to 1.16.0+ (fixes multiple CVEs) Jul 2, 2026
@adrienpessu adrienpessu marked this pull request as ready for review July 2, 2026 13:26
@adrienpessu adrienpessu requested a review from a team as a code owner July 2, 2026 13:26

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the extension’s axios dependency to a version range that includes the security fixes introduced in axios@1.16.0, and refreshes the npm lockfile accordingly, while documenting the security-related change in the changelog.

Changes:

  • Bump axios in package.json from ^1.15.1 to ^1.16.0
  • Update package-lock.json (npm resolves the range to axios@1.18.1) and adjust transitive deps
  • Add a Security note to CHANGELOG.md describing the upgrade and vulnerability class coverage
Show a summary per file
File Description
package.json Updates the declared axios semver range to include patched versions.
package-lock.json Updates the resolved dependency tree to match the new axios range (now resolving to 1.18.1).
CHANGELOG.md Adds an Unreleased Security entry describing the axios security upgrade (needs a small correction).

Review details

  • Files reviewed: 2/3 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread CHANGELOG.md Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@adrienpessu adrienpessu merged commit 8dae6f0 into main Jul 2, 2026
5 checks passed
@adrienpessu adrienpessu deleted the copilot/bump-axios-dependency branch July 2, 2026 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants