fix(deps): update dependency axios to v1.7.4 [security] #62

renovate · 2025-02-11T20:02:42Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
axios (source)	`1.6.0` -> `1.7.4`

GitHub Vulnerability Alerts

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2024-39338

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Release Notes

axios/axios (axios)

`v1.7.4`

Compare Source

Bug Fixes

sec: CVE-2024-39338 (#6539) (#6543) (6b6b605)
sec: disregard protocol-relative URL to remediate SSRF (#6539) (07a661a)

Contributors to this release

`v1.7.3`

Compare Source

Bug Fixes

adapter: fix progress event emitting; (#6518) (e3c76fc)
fetch: fix withCredentials request config (#6505) (85d4d0e)
xhr: return original config on errors from XHR adapter (#6515) (8966ee7)

Contributors to this release

`v1.7.2`

Compare Source

Bug Fixes

fetch: enhance fetch API detection; (#6413) (4f79aef)

Contributors to this release

Dmitriy Mozgovoy

`v1.7.1`

Compare Source

Bug Fixes

fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#6410) (733f15f)

Contributors to this release

Dmitriy Mozgovoy

`v1.7.0`

Compare Source

Features

adapter: add fetch adapter; (#6371) (a3ff99b)

Bug Fixes

core/axios: handle un-writable error stack (#6362) (81e0455)

Contributors to this release

`v1.6.8`

Compare Source

Bug Fixes

AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#6243) (2656612)
import: use named export for EventEmitter; (7320430)
vulnerability: update follow-redirects to 1.15.6 (#6300) (8786e0f)

Contributors to this release

`v1.6.7`

Compare Source

Bug Fixes

capture async stack only for rejections with native error objects; (#6203) (1a08f90)

Contributors to this release

`v1.6.6`

Compare Source

Bug Fixes

fixed missed dispatchBeforeRedirect argument (#5778) (a1938ff)
wrap errors to improve async stack trace (#5987) (123f354)

Contributors to this release

`v1.6.5`

Compare Source

Bug Fixes

ci: refactor notify action as a job of publish action; (#6176) (0736f95)
dns: fixed lookup error handling; (#6175) (f4f2b03)

Contributors to this release

`v1.6.4`

Compare Source

Bug Fixes

security: fixed formToJSON prototype pollution vulnerability; (#6167) (3c0c11c)
security: fixed security vulnerability in follow-redirects (#6163) (75af1cd)

Contributors to this release

`v1.6.3`

Compare Source

Bug Fixes

Regular Expression Denial of Service (ReDoS) (#6132) (5e7ad38)

Contributors to this release

`v1.6.2`

Compare Source

Features

withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

PRs

feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )


📢 This PR added &#x27;withXSRFToken&#x27; option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

`v1.6.1`

Compare Source

Bug Fixes

formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

Contributors to this release

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 9f2f77e to 69d38f2 Compare February 11, 2025 20:04

fix(deps): update dependency axios to v1.7.4 [security]

182e0b6

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 69d38f2 to 182e0b6 Compare February 11, 2025 20:11

relekang merged commit 29cb85e into main Feb 11, 2025
2 checks passed

relekang deleted the renovate/npm-axios-vulnerability branch February 11, 2025 20:15

relekang added this to the v4 milestone Feb 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency axios to v1.7.4 [security] #62

fix(deps): update dependency axios to v1.7.4 [security] #62

Uh oh!

renovate bot commented Feb 11, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

fix(deps): update dependency axios to v1.7.4 [security] #62

fix(deps): update dependency axios to v1.7.4 [security] #62

Uh oh!

Conversation

renovate bot commented Feb 11, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Release Notes

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Features

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Bug Fixes

Contributors to this release

Features

PRs

Contributors to this release

Bug Fixes

Contributors to this release

Configuration

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

renovate bot commented Feb 11, 2025 •

edited

Loading