fix(deps): vuln axios (minor → 1.17.0) [example]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

• example (yarn)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
axios	1.15.0	1.17.0	minor	Direct	11 HIGH, 9 MEDIUM, 1 LOW

---

Security Details

🚨 Critical & High Severity (11 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
axios	GHSA-hfxv-24rg-xrqf	HIGH	Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection	1.15.0	1.16.0
axios	GHSA-777c-7fjr-54vf	HIGH	Allocation of Resources Without Limits or Throttling in Axios	1.15.0	1.16.0
axios	GHSA-q8qp-cvcw-x6jj	HIGH	Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking	1.15.0	1.15.2
axios	GHSA-pjwm-pj3p-43mv	HIGH	axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)	1.15.0	1.16.0
axios	GHSA-35jp-ww65-95wh	HIGH	axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy	1.15.0	1.16.0
axios	GHSA-j5f8-grm9-p9fc	HIGH	Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection	1.15.0	1.16.0
axios	GHSA-6chq-wfr3-2hj9	HIGH	Axios: Header Injection via Prototype Pollution	1.15.0	1.15.1
axios	GHSA-pf86-5x62-jrwf	HIGH	Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking	1.15.0	1.15.1
axios	GHSA-pmwg-cvhr-8vh7	HIGH	Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0	1.15.0	1.15.1
axios	GHSA-3g43-6gmg-66jw	HIGH	axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge	1.15.0	1.15.2
axios	GHSA-p92q-9vqr-4j8v	HIGH	Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter	1.15.0	1.16.0

ℹ️ Other Vulnerabilities (10)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
axios	GHSA-w9j2-pvgh-6h63	MODERATE	Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy	1.15.0	1.15.1
axios	GHSA-xx6v-rp6x-q39c	MODERATE	Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion	1.15.0	1.15.1
axios	GHSA-62hf-57xw-28j9	MODERATE	Axios: unbounded recursion in toFormData causes DoS via deeply nested request data	1.15.0	1.15.1
axios	GHSA-5c9x-8gcm-mpgx	MODERATE	Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0	1.15.0	1.15.1
axios	GHSA-445q-vr5w-6q77	MODERATE	Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream	1.15.0	1.15.1
axios	GHSA-3w6x-2g7m-8v23	MODERATE	Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver	1.15.0	1.15.2
axios	GHSA-898c-q2cr-xwhg	MODERATE	axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions	1.15.0	1.16.0
axios	GHSA-vf2m-468p-8v99	MODERATE	Axios: HTTP adapter streamed responses bypass maxContentLength	1.15.0	1.15.1
axios	GHSA-m7pr-hjqh-92cm	MODERATE	Axios: no_proxy bypass via IP alias allows SSRF	1.15.0	1.15.1
axios	GHSA-xhjh-pmcv-23jw	LOW	Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams	1.15.0	1.15.1

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

[datadog-prod-us1-6]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/dd-sdk-reactnative | test:native-ios-newarch     

ℹ️ Info

No other issues found (see more)

🧪 All tests passed
❄️ No new flaky tests detected

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 28d795d | Docs | Datadog PR Page | Give us feedback!}