[FEEDS-1217] Upgrade axios and other dependencies to fix security vulnerabilities (#636)

- Upgraded axios from 0.x (0.27.2) to ^1.13.5
- Upgraded form-data from ^4.0.0 to ^4.0.4
- Upgraded qs from ^6.10.2 to ^6.14.2
- Upgraded @babel/runtime from ^7.23.2 to ^7.26.10
- Added yarn resolution for jws ^3.2.3 to fix jsonwebtoken dependency

Fixed security vulnerabilities:
- axios: CSRF, SSRF/credential leakage, DoS via __proto__
- form-data: unsafe random function
- qs: DoS vulnerabilities
- jws: HMAC signature verification

Updated TypeScript imports for axios 1.x compatibility in:
- src/client.ts
- src/files.ts
- src/images.ts

Result: 9 vulnerabilities → 0 vulnerabilities in production dependencies

Author: itsmeadi

package.json

@@ -109,20 +109,23 @@
     "webpack-cli": "^5.1.1"
   },
   "dependencies": {
-    "@babel/runtime": "^7.23.2",
+    "@babel/runtime": "^7.26.10",
     "@types/jsonwebtoken": "^9.0.5",
     "@types/qs": "^6.9.10",
-    "axios": "0.x",
+    "axios": "^1.13.5",
     "faye": "^1.4.0",
     "follow-redirects": "1.15.6",
-    "form-data": "^4.0.0",
+    "form-data": "^4.0.4",
     "jsonwebtoken": "^9.0.2",
     "jwt-decode": "^4.0.0",
-    "qs": "^6.10.2"
+    "qs": "^6.14.2"
   },
   "peerDependencies": {
     "@types/node": ">=10"
   },
+  "resolutions": {
+    "jws": "^3.2.3"
+  },
   "repository": {
     "type": "git",
     "url": "git://github.com/GetStream/stream-js.git"

src/client.ts

@@ -5,7 +5,7 @@ import * as https from 'https';
 import * as axios from 'axios';
 import * as Faye from 'faye';
 import { jwtDecode } from 'jwt-decode';
-import AxiosProgressEvent from 'axios';
+import type { AxiosProgressEvent } from 'axios';
 
 import { Personalization } from './personalization';
 import { Collections } from './collections';
@@ -703,7 +703,7 @@ export class StreamClient<StreamFeedGenerics extends DefaultGenerics = DefaultGe
     uri: string | File | Buffer | NodeJS.ReadStream,
     name?: string,
     contentType?: string,
-    onUploadProgress?: (progressEvent: typeof AxiosProgressEvent) => void,
+    onUploadProgress?: (progressEvent: AxiosProgressEvent) => void,
   ) {
     const fd = utils.addFileToFormData(uri, name, contentType);
     return this.doAxiosRequest<FileUploadAPIResponse>('POST', {

src/files.ts

@@ -1,4 +1,4 @@
-import AxiosProgressEvent from 'axios';
+import type { AxiosProgressEvent } from 'axios';
 import { StreamClient } from './client';
 
 export class StreamFileStore {
@@ -25,7 +25,7 @@ export class StreamFileStore {
     uri: string | File | Buffer | NodeJS.ReadStream,
     name?: string,
     contentType?: string,
-    onUploadProgress?: (progressEvent: typeof AxiosProgressEvent) => void,
+    onUploadProgress?: (progressEvent: AxiosProgressEvent) => void,
   ) {
     return this.client.upload('files/', uri, name, contentType, onUploadProgress);
   }

src/images.ts

@@ -1,4 +1,4 @@
-import AxiosProgressEvent from 'axios';
+import type { AxiosProgressEvent } from 'axios';
 import { StreamClient, FileUploadAPIResponse } from './client';
 
 export type ImageProcessOptions = {
@@ -33,7 +33,7 @@ export class StreamImageStore {
     uri: string | File | Buffer | NodeJS.ReadStream,
     name?: string,
     contentType?: string,
-    onUploadProgress?: (progressEvent: typeof AxiosProgressEvent) => void,
+    onUploadProgress?: (progressEvent: AxiosProgressEvent) => void,
   ) {
     return this.client.upload('images/', uri, name, contentType, onUploadProgress);
   }