Update dependency axios to v1.11.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.10.0 -> 1.11.0

GitHub Vulnerability Alerts

GHSA-rm8p-cx58-hcvx

Summary

A critical vulnerability exists in the form-data package used by [email protected]. The issue allows an attacker to predict multipart boundary values generated using Math.random(), opening the door to HTTP parameter pollution or injection attacks.

This was submitted in issue #​6969 and addressed in pull request #​6970.

Details

The vulnerable package [email protected] is used by [email protected] as a transitive dependency. It uses non-secure, deterministic randomness (Math.random()) to generate multipart boundary strings.

This flaw is tracked under Snyk Advisory SNYK-JS-FORMDATA-10841150 and CVE-2025-7783.

Affected form-data versions:

• <2.5.4

• =3.0.0 <3.0.4

• =4.0.0 <4.0.4

Since [email protected] pulls in [email protected], it is exposed to this issue.

PoC

1. Install Axios: - npm install [email protected]
   2.Run snyk test:

Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.

✗ Predictable Value Range from Previous Values [Critical Severity]
in [email protected] via [email protected] > [email protected]

3. Trigger a multipart/form-data request. Observe the boundary header uses predictable random values, which could be exploited in a targeted environment.

Impact

• Vulnerability Type: Predictable Value / HTTP Parameter Pollution
• Risk: Critical (CVSS 9.4)
• Impacted Users: Any application using [email protected] to submit multipart form-data

This could potentially allow attackers to:

• Interfere with multipart request parsing
• Inject unintended parameters
• Exploit backend deserialization logic depending on content boundaries

Related Links

GitHub Issue #​6969

Pull Request #xxxx (replace with actual link)

Snyk Advisory

form-data on npm

---

Release Notes

axios/axios (axios)

v1.11.0

Compare Source

Bug Fixes

• form-data npm pakcage (#​6970) (e72c193)
• prevent RangeError when using large Buffers (#​6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#​6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Updated the Axios HTTP client dependency from version 1.10.0 to 1.11.0 across both the PR review and PR summary modules. This ensures any patches, performance tweaks, or security fixes included in the newer Axios release are now available without altering existing functionality.

Walkthrough

• Chore: Bumped axios from 1.10.0 to 1.11.0 in pr-review/package.json
• Chore: Bumped axios from 1.10.0 to 1.11.0 in pr-summary/package.json

_{Model: o4-mini | Prompt Tokens: 438 | Completion Tokens: 454}

[github-actions]

I’ve taken a friendly look at your code with some AI-powered suggestions. These ideas are meant to spark improvements, not dictate rules, so feel free to use what resonates with you. You’re in charge of how it evolves, and AI is here as a supportive companion.
_{Model: o4-mini | Prompt Tokens: 880 | Completion Tokens: 1854}

[github-actions]

You have updated axios from a fixed version to another fixed version. Pinning to an exact version can make it harder to receive backward-compatible patches. Consider using a semver range (e.g., ^1.11.0) to automatically pull in non-breaking updates and security fixes:

{
  "dependencies": {
    "axios": "^1.11.0"
  }
}

[github-actions]

Same here as in the other package. Rather than pinning axios exactly, use a caret range to allow non-breaking patch updates:

{
  "dependencies": {
    "axios": "^1.11.0"
  }
}