You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.
🔒 Security Fixes
Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosErrorERR_BAD_OPTION_VALUE on mismatch. (#10777)
allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)
🐛 Bug Fixes
Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)
🔧 Maintenance & Chores
Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
🔒 Security Fixes
Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)
🚀 New Features
AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)
🐛 Bug Fixes
FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.
🔒 Security Fixes
Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosErrorERR_BAD_OPTION_VALUE on mismatch. (#10777)
allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)
🐛 Bug Fixes
Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)
🔧 Maintenance & Chores
Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
🔒 Security Fixes
Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)
🚀 New Features
AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.
Install script changes
This version modifies prepare script that runs during installation. Review the package contents before updating.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
⚠️ CRITICAL SECURITY WARNING
This PR must NOT be merged. A high-severity security issue has been identified: the version 1.15.2 for axios, along with specified versions for form-data (4.0.5) and proxy-from-env (2.1.0), do not exist on the official npm registry. This pattern is indicative of a supply chain attack targeting the build pipeline.
While Codacy marks this PR as 'up to standards', this automated check does not account for the existence or authenticity of third-party package versions. Additionally, the package-lock.json contains hundreds of lines of unrelated changes to native bindings (@oxc-resolver, @swc/core) that appear to be used for obfuscation. Any further investigation should be handled by the security team immediately.
About this PR
The package-lock.json file includes a high volume of unrelated changes for @oxc-resolver and @swc/core. In the context of a PR referencing non-existent package versions, this obfuscation is a major red flag for a potential malicious contribution.
The package.json manifest was previously targeting ^1.7.4, while the PR metadata claims a jump from 1.13.2. This technical debt makes it easier for malicious dependency changes to go unnoticed during automated reviews.
Test suggestions
Verify application connectivity with axios 1.15.2 via integration tests.
Regression test for requests using socketPath to ensure they are not blocked unless unauthorized.
Verify that withXSRFToken does not leak tokens when provided with truthy non-boolean values.
Automated validation of package version existence in public registries and checksum verification.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify application connectivity with axios 1.15.2 via integration tests.
2. Regression test for requests using `socketPath` to ensure they are not blocked unless unauthorized.
3. Verify that `withXSRFToken` does not leak tokens when provided with truthy non-boolean values.
4. Automated validation of package version existence in public registries and checksum verification.
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
CRITICAL: The version 1.15.2 for axios does not exist in the public npm registry (the current stable release is 1.7.9). Additionally, sub-dependencies like proxy-from-env (2.1.0) and form-data (4.0.5) are also non-existent. This PR appears to be a supply chain attack. Furthermore, the manifest was previously set to ^1.7.4, contradicting the PR title's claim of bumping from 1.13.2.
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
Suggestion: This block introduces unrelated native bindings for @oxc-resolver. These additions are out of scope for an axios version bump and should be reviewed for intentionality or moved to a separate chore.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
0 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
Bumps axios from 1.13.2 to 1.15.2.
Release notes
Sourced from axios's releases.
... (truncated)
Changelog
Sourced from axios's changelog.
... (truncated)
Commits
5829343chore(release): prepare release 1.15.2 (#10789)4709a48fix: added fix for memory leak in sockets (#10788)be33360chore: update changelog (#10781)4791514fix: more header pollutions (#10779)6feafcffix: socket issue (#10777)302e273docs: update docs, add a couple actions etc (#10776)ac42446chore(release): prepare release 1.15.1 (#10767)908f220docs: update threatmodel (#10765)f93f815docs: added docs around potential decompressions bomb (#10763)1728aa1fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.
Install script changes
This version modifies
preparescript that runs during installation. Review the package contents before updating.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.