From aa26f52959f08ac83e858d4deeab9bf5538dfcf1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 2 Jul 2026 13:18:11 +0000 Subject: [PATCH 1/3] Initial plan From 25a2afd87765750891998f8c988cdef61de34cc3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 2 Jul 2026 13:26:30 +0000 Subject: [PATCH 2/3] deps: bump axios from 1.13.6 to 1.16.0+ (security fix) --- CHANGELOG.md | 3 +++ package-lock.json | 21 +++++++++------------ package.json | 2 +- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1cc6299..865fde7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added explicit `types: ["node", "vscode"]` to `tsconfig.json` for TypeScript 6 compatibility (TypeScript 6 no longer implicitly includes `@types/node`) - Migrated ESLint configuration from `.eslintrc.json` to `eslint.config.js` (flat config) for ESLint 10 compatibility +### Security +- Bumped `axios` from 1.13.6 to 1.16.0+ to address multiple security vulnerabilities including ReDoS via cookie name injection, prototype pollution gadgets enabling credential theft and request hijacking, and proxy-authorization header leaks across HTTP-to-HTTPS redirects + ## [0.1.0] - 2025-06-26 ### Added diff --git a/package-lock.json b/package-lock.json index fb7d774..d0581f0 100644 --- a/package-lock.json +++ b/package-lock.json @@ -10,7 +10,7 @@ "dependencies": { "@octokit/rest": "^22.0.1", "@types/js-yaml": "^4.0.9", - "axios": "^1.15.1", + "axios": "^1.16.0", "js-yaml": "^4.1.1" }, "devDependencies": { @@ -919,7 +919,6 @@ "version": "6.0.2", "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz", "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==", - "dev": true, "license": "MIT", "dependencies": { "debug": "4" @@ -994,13 +993,14 @@ "license": "MIT" }, "node_modules/axios": { - "version": "1.15.1", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.1.tgz", - "integrity": "sha512-WOG+Jj8ZOvR0a3rAn+Tuf1UQJRxw5venr6DgdbJzngJE3qG7X0kL83CZGpdHMxEm+ZK3seAbvFsw4FfOfP9vxg==", + "version": "1.18.1", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.18.1.tgz", + "integrity": "sha512-3nTvFlvpn9Zu/RkHUqtc7/+al4UpRW5az71ap5zccp6e8RAYEzhMTecX8Dz1wWDYrPpUoB1HAQEGEAEvUr7S9g==", "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.11", + "follow-redirects": "^1.16.0", "form-data": "^4.0.5", + "https-proxy-agent": "^5.0.1", "proxy-from-env": "^2.1.0" } }, @@ -1316,7 +1316,6 @@ "version": "4.4.3", "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", - "dev": true, "license": "MIT", "dependencies": { "ms": "^2.1.3" @@ -1819,9 +1818,9 @@ "license": "ISC" }, "node_modules/follow-redirects": { - "version": "1.15.11", - "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz", - "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==", + "version": "1.16.0", + "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz", + "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==", "funding": [ { "type": "individual", @@ -2142,7 +2141,6 @@ "version": "5.0.1", "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz", "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==", - "dev": true, "license": "MIT", "dependencies": { "agent-base": "6", @@ -2540,7 +2538,6 @@ "version": "2.1.3", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", - "dev": true, "license": "MIT" }, "node_modules/natural-compare": { diff --git a/package.json b/package.json index 0376c34..a842d3c 100644 --- a/package.json +++ b/package.json @@ -304,7 +304,7 @@ "dependencies": { "@octokit/rest": "^22.0.1", "@types/js-yaml": "^4.0.9", - "axios": "^1.15.1", + "axios": "^1.16.0", "js-yaml": "^4.1.1" } } From 168b7adbe1e8df40b796e76e7a52f643ab123c87 Mon Sep 17 00:00:00 2001 From: Adrien Pessu <7055334+adrienpessu@users.noreply.github.com> Date: Thu, 2 Jul 2026 15:33:02 +0200 Subject: [PATCH 3/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 865fde7..eb87e5a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Migrated ESLint configuration from `.eslintrc.json` to `eslint.config.js` (flat config) for ESLint 10 compatibility ### Security -- Bumped `axios` from 1.13.6 to 1.16.0+ to address multiple security vulnerabilities including ReDoS via cookie name injection, prototype pollution gadgets enabling credential theft and request hijacking, and proxy-authorization header leaks across HTTP-to-HTTPS redirects +- Bumped `axios` from 1.15.1 to 1.16.0+ to address multiple security vulnerabilities including ReDoS via cookie name injection, prototype pollution gadgets enabling credential theft and request hijacking, and proxy-authorization header leaks across HTTP-to-HTTPS redirects ## [0.1.0] - 2025-06-26