Bump axios from 1.15.0 to 1.15.2#1454
Conversation
Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.15.2. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.15.0...v1.15.2) --- updated-dependencies: - dependency-name: axios dependency-version: 1.15.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
Bot
added
javascript
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Dependabot Review
Security: The update resolves known axios advisories present in 1.15.0. An isolated npm audit against [email protected] reports axios as vulnerable, including prototype-pollution/auth-bypass, NO_PROXY/SSRF bypass, header injection, XSRF leakage, multipart CRLF injection, and body/content-length bypass advisories. Isolated audits for both [email protected] and the lockfile-resolved [email protected] report 0 axios vulnerabilities. I did not find a new axios advisory introduced by this PR. A full project yarn npm audit --environment production --recursive --json still reports unrelated pre-existing vulnerabilities in other packages.
Safety: Repository usage is limited to src/utils/apiCallHandler.js (get, post, put, delete with simple headers and withCredentials) plus Jest mocks. The axios changes from 1.15.0 to 1.15.2 are mostly security hardening and bug fixes. However, this PR's lockfile currently resolves axios to 1.16.0, not 1.15.2; 1.16.0 adds extra observable changes around fetch/http/xhr adapter limits, aborts, redirects/proxy headers, URL-decoded basic auth credentials, protocol parsing, and UTF-8 URL encoding. I do not see repo code using the affected advanced options (socketPath, proxy config, maxBodyLength, maxContentLength, URL-embedded basic auth, custom transformRequest, etc.).
Local test results:
yarn install --immutablepassed with existing peer-dependency warnings.yarn lintpassed.CI=true yarn test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporterpassed:92suites,816tests.yarn exec cypress runcould not run locally because the Cypress binary was not cached and the cloud environment could not download it fromdownload.cypress.io(SSL_ERROR_SYSCALL). The webpack dev server did compile successfully before this attempt. GitHub CI had lint/test/deploy green when checked;test-cypresswas still in progress.
Recommendation: Merge with caution once GitHub's Cypress job is green and maintainers are comfortable that the actual installed version is 1.16.0. If the intention is strictly to review/ship 1.15.2, the lockfile should be corrected or the manifest pinned before merge.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
| version: 1.15.0 | ||
| resolution: "axios@npm:1.15.0" | ||
| "axios@npm:^1.15.2": | ||
| version: 1.16.0 |
There was a problem hiding this comment.
This PR is titled as an axios 1.15.0 -> 1.15.2 update, but Yarn resolves the new ^1.15.2 range to [email protected]. 1.16.0 has additional behavioural changes beyond the Dependabot summary for 1.15.2, so this should be intentional before merging.
There was a problem hiding this comment.
Dependabot review: axios
Security: This PR is beneficial. Although the PR title says 1.15.2, the committed yarn.lock resolves [email protected] because package.json uses the caret range ^1.15.2. The effective locked upgrade is therefore [email protected] -> [email protected].
The old locked version 1.15.0 is affected by axios advisories that are fixed by this update:
GHSA-pmwg-cvhr-8vh7/CVE-2026-42043: high severityNO_PROXYloopback bypass inaxios <=1.15.0, patched in>=1.15.1.GHSA-q8qp-cvcw-x6jj/CVE-2026-42264: high severity prototype-pollution read-side gadgets in the Node HTTP adapter, patched in>=1.15.2.
The effective 1.16.0 lockfile also moves axios' follow-redirects dependency range from ^1.15.11 to ^1.16.0. I did not find a current yarn npm audit finding for axios or follow-redirects after the update. The audit still exits non-zero due to pre-existing unrelated advisories elsewhere in the dependency tree.
Safety of merging: Low risk for this repository. Axios usage here is concentrated in src/utils/apiCallHandler.js as simple browser-facing get, post, put, and delete calls with JSON/auth headers and withCredentials on project reads. I did not find repo usage of the options most affected by the 1.15.2/1.16.0 changes: Node proxy/NO_PROXY, socketPath, beforeRedirect, custom Host, URL-embedded basic auth, maxBodyLength, or maxContentLength.
Notable upstream behavior changes in 1.16.0 include fetch-adapter enforcement of maxBodyLength/maxContentLength, stricter protocol parsing, URL-decoded basic auth credentials, preserved user-supplied Host through proxies, and UTF-8 URL encoding cleanup. These do not appear to affect the current app usage.
Local verification:
yarn install --immutablepassed with existing peer warnings.yarn lintpassed.CI=true yarn testpassed: 92 suites, 816 tests.yarn buildpassed with existing webpack asset-size warnings.- The webpack dev server started and compiled successfully on port 3011.
- Cypress e2e could not be run in this cloud runner: the Cypress binary was not present after install, and
download.cypress.iofailed withOpenSSL SSL_connect: SSL_ERROR_SYSCALL, soyarn exec cypress runcould not start.
Recommendation: Merge. The update removes known axios security exposure from the locked dependency tree and the observable behavior changes are unlikely to affect this frontend's current axios usage. The only caveat is that the PR title understates the effective locked version (1.16.0), but I do not see that as a blocker.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
1 participant
Bumps axios from 1.15.0 to 1.15.2.
Release notes
Sourced from axios's releases.
... (truncated)
Changelog
Sourced from axios's changelog.
... (truncated)
Commits
5829343chore(release): prepare release 1.15.2 (#10789)4709a48fix: added fix for memory leak in sockets (#10788)be33360chore: update changelog (#10781)4791514fix: more header pollutions (#10779)6feafcffix: socket issue (#10777)302e273docs: update docs, add a couple actions etc (#10776)ac42446chore(release): prepare release 1.15.1 (#10767)908f220docs: update threatmodel (#10765)f93f815docs: added docs around potential decompressions bomb (#10763)1728aa1fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.