fix(deps): vuln axios (major → 1.16.0) [opentelemetry/node-microservice]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• opentelemetry/node-microservice (npm)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
axios	0.21.0	1.16.0	major	Direct	9 HIGH, 12 MODERATE, 1 LOW

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (9 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
axios	GHSA-pmwg-cvhr-8vh7	HIGH	Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0	0.21.0	1.15.1
axios	GHSA-cph5-m8f7-6c5x	HIGH	axios Inefficient Regular Expression Complexity vulnerability	0.21.0	0.21.2
axios	CVE-2021-3749	HIGH	-	0.21.0	-
axios	GHSA-pf86-5x62-jrwf	HIGH	Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking	0.21.0	1.15.1
axios	GHSA-6chq-wfr3-2hj9	HIGH	Axios: Header Injection via Prototype Pollution	0.21.0	1.15.1
axios	CVE-2026-25639	HIGH	Axios affected by Denial of Service via proto Key in mergeConfig	0.21.0	-
axios	GHSA-43fc-jf86-j433	HIGH	Axios is Vulnerable to Denial of Service via proto Key in mergeConfig	0.21.0	1.13.5
axios	CVE-2025-27152	HIGH	Possible SSRF and Credential Leakage via Absolute URL in axios Requests	0.21.0	-
axios	GHSA-jr5f-v2jv-69x6	HIGH	axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL	0.21.0	1.8.2

ℹ️ Other Vulnerabilities (13)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
axios	GHSA-m7pr-hjqh-92cm	MODERATE	Axios: no_proxy bypass via IP alias allows SSRF	0.21.0	1.15.1
axios	GHSA-3p68-rc4w-qgx5	MODERATE	Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF	0.21.0	1.15.0
axios	GHSA-5c9x-8gcm-mpgx	MODERATE	Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0	0.21.0	1.15.1
axios	GHSA-w9j2-pvgh-6h63	MODERATE	Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy	0.21.0	1.15.1
axios	GHSA-62hf-57xw-28j9	MODERATE	Axios: unbounded recursion in toFormData causes DoS via deeply nested request data	0.21.0	1.15.1
axios	GHSA-4w2v-q235-vp99	MODERATE	Axios vulnerable to Server-Side Request Forgery	0.21.0	0.21.1
axios	CVE-2020-28168	MODERATE	-	0.21.0	-
axios	GHSA-fvcv-3m26-pcqx	MODERATE	Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain	0.21.0	1.15.0
axios	GHSA-vf2m-468p-8v99	MODERATE	Axios: HTTP adapter streamed responses bypass maxContentLength	0.21.0	1.15.1
axios	GHSA-xx6v-rp6x-q39c	MODERATE	Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion	0.21.0	1.15.1
axios	CVE-2023-45857	MODERATE	-	0.21.0	-
axios	GHSA-wf5p-g6vw-rhxx	MODERATE	Axios Cross-Site Request Forgery Vulnerability	0.21.0	1.6.0
axios	GHSA-xhjh-pmcv-23jw	LOW	Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams	0.21.0	1.15.1

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System