Skip to content

chore(deps): bump axios from 1.16.1 to 1.17.0#6653

Merged
github-actions[bot] merged 2 commits into
mainfrom
dependabot/npm_and_yarn/main/axios-1.17.0
Jun 7, 2026
Merged

chore(deps): bump axios from 1.16.1 to 1.17.0#6653
github-actions[bot] merged 2 commits into
mainfrom
dependabot/npm_and_yarn/main/axios-1.17.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 7, 2026

Copy link
Copy Markdown
Contributor

Bumps axios from 1.16.1 to 1.17.0.

Release notes

Sourced from axios's releases.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Changelog

Sourced from axios's changelog.

v1.17.0 — June 1, 2026

This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

🔒 Security Fixes

  • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
  • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

🚀 New Features

  • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

🐛 Bug Fixes

  • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
  • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
  • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
  • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
  • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
  • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
  • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
  • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

🔧 Maintenance & Chores

  • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
  • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
  • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
  • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
  • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
  • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump axios from 1.16.1 to 1.17.0
1b47459 
Bumps [axios](https://github.com/axios/axios) from 1.16.1 to 1.17.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.16.1...v1.17.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 7, 2026
@github-actions github-actions Bot merged commit af03a15 into main Jun 7, 2026
18 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/main/axios-1.17.0 branch June 7, 2026 23:12
davidkna-sap added a commit that referenced this pull request Jun 8, 2026
@davidkna-sap
Merge remote-tracking branch 'origin/main' into dependabot/npm_and_ya…
6bbcf57 
…rn/main/typescript-6.0.2

* origin/main: (93 commits)
  chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#6649)
  chore(deps): bump @typescript-eslint/parser from 8.60.0 to 8.60.1 (#6654)
  chore(deps): bump typescript-eslint from 8.60.0 to 8.60.1 (#6651)
  chore(deps): bump memfs from 4.57.3 to 4.57.6 (#6655)
  chore(deps): bump axios from 1.16.1 to 1.17.0 (#6653)
  chore(deps): bump eslint-plugin-jsdoc from 63.0.0 to 63.0.1 (#6652)
  chore(deps): bump eslint-import-resolver-typescript from 4.4.4 to 4.4.5 (#6650)
  chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 (#6648)
  chore(deps): bump js-yaml from 4.1.1 to 4.2.0 (#6647)
  chore(deps): bump eslint-plugin-jsdoc from 62.9.0 to 63.0.0 (#6628)
  chore(deps): bump bignumber.js from 11.1.1 to 11.1.2 (#6644)
  chore: Set explicit workflow permissions (#6629)
  chore(deps-dev): bump turbo from 2.9.15 to 2.9.16 (#6645)
  chore(deps): bump memfs from 4.57.2 to 4.57.3 (#6643)
  chore(deps): bump eslint-plugin-prettier from 5.5.5 to 5.5.6 (#6641)
  chore(deps-dev): bump eslint from 10.4.0 to 10.4.1 (#6642)
  chore(deps-dev): bump @sap/cds-dk from 9.9.1 to 9.9.2 (#6640)
  chore: Support changeset type shorthands via shared source of truth (#6617)
  chore(deps): bump @typescript-eslint/parser from 8.59.4 to 8.60.0 (#6636)
  chore(deps-dev): bump turbo from 2.9.14 to 2.9.15 (#6637)
  ...
davidkna-sap added a commit that referenced this pull request Jun 10, 2026
@davidkna-sap
Merge remote-tracking branch 'origin/main' into davidkna-sap_rm-pup
86d9e24 
* origin/main:
  chore: Remove node 20 from build matrix (#6662)
  chore(deps-dev): bump @types/node from 22.19.19 to 22.19.20 (#6660)
  chore(deps): bump bignumber.js from 11.1.2 to 11.1.3 (#6659)
  chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (#6658)
  chore(deps): bump rtCamp/action-slack-notify from 2.3.3 to 2.4.0 (#6657)
  Update dependabot.yml
  chore(deps): bump semver from 7.8.1 to 7.8.2 (#6656)
  chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#6649)
  chore(deps): bump @typescript-eslint/parser from 8.60.0 to 8.60.1 (#6654)
  chore(deps): bump typescript-eslint from 8.60.0 to 8.60.1 (#6651)
  chore(deps): bump memfs from 4.57.3 to 4.57.6 (#6655)
  chore(deps): bump axios from 1.16.1 to 1.17.0 (#6653)
  chore(deps): bump eslint-plugin-jsdoc from 63.0.0 to 63.0.1 (#6652)
  chore(deps): bump eslint-import-resolver-typescript from 4.4.4 to 4.4.5 (#6650)
  chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 (#6648)
  chore(deps): bump js-yaml from 4.1.1 to 4.2.0 (#6647)
  chore(deps): bump eslint-plugin-jsdoc from 62.9.0 to 63.0.0 (#6628)
davidkna-sap added a commit that referenced this pull request Jun 10, 2026
@davidkna-sap
Merge remote-tracking branch 'origin/main' into davidkna-sap_internal…
1b1de18 
…-ts-shim

* origin/main:
  chore: Remove node 20 from build matrix (#6662)
  chore(deps-dev): bump @types/node from 22.19.19 to 22.19.20 (#6660)
  chore(deps): bump bignumber.js from 11.1.2 to 11.1.3 (#6659)
  chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (#6658)
  chore(deps): bump rtCamp/action-slack-notify from 2.3.3 to 2.4.0 (#6657)
  Update dependabot.yml
  chore(deps): bump semver from 7.8.1 to 7.8.2 (#6656)
  chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#6649)
  chore(deps): bump @typescript-eslint/parser from 8.60.0 to 8.60.1 (#6654)
  chore(deps): bump typescript-eslint from 8.60.0 to 8.60.1 (#6651)
  chore(deps): bump memfs from 4.57.3 to 4.57.6 (#6655)
  chore(deps): bump axios from 1.16.1 to 1.17.0 (#6653)
  chore(deps): bump eslint-plugin-jsdoc from 63.0.0 to 63.0.1 (#6652)
  chore(deps): bump eslint-import-resolver-typescript from 4.4.4 to 4.4.5 (#6650)
  chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 (#6648)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants