fix(security): upgrade axios to 1.15.0 for GHSA-3p68-rc4w-qgx5 (#41739)

## Summary
- Upgrade `axios` to `^1.15.0` in `app/client/package.json` and
`app/client/packages/rts/package.json` to remediate GHSA-3p68-rc4w-qgx5
/ CVE-2025-62718.
- Regenerate `app/client/yarn.lock` so all client workspace consumers
(including `wait-on`) resolve to `axios@1.15.0`.
- Add RTS regression coverage in
`app/client/packages/rts/src/__tests__/axiosNoProxyNormalization.test.ts`
to verify loopback host variants are not proxied when `NO_PROXY` is set.

## Test plan
- [x] `yarn install --mode=skip-build` (from `app/client`)
- [x] `yarn why axios` shows `axios@1.15.0` for `appsmith`,
`appsmith-rts`, and `wait-on`
- [x] `yarn test:unit` (from `app/client/packages/rts`)
- [x] `yarn lint` (from `app/client/packages/rts`)
- [x] `yarn build` (from `app/client`)
- [x] `npx prettier --write ./src ./cypress` (from `app/client`)
- [ ] `npx eslint --fix -c ./cypress/.eslintrc.json --cache ./cypress`
(from `app/client`) - command was run multiple times but hangs in this
local environment without producing completion output.
- [ ] `yarn g:jest src/api/__tests__/apiRequestInterceptors.test.ts
src/api/__tests__/apiFailureResponseInterceptors.test.ts
src/api/__tests__/apiSucessResponseInterceptors.test.ts` (from
`app/client`) - fails in this environment due missing `canvas` binary
(`Cannot find module '../build/Release/canvas.node'`).

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->


Fixes
https://linear.app/appsmith/issue/APP-15127/security-critical-dependabot-alert-580-axios-no-proxy-hostname

## Summary by CodeRabbit

* **Chores**
* Updated HTTP client library dependencies across packages to the latest
compatible version for improved stability and performance.

* **Tests**
* Added test coverage for proxy configuration normalization behavior to
ensure reliable network connectivity.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->


## Automation

/ok-to-test tags="@tag.All"

<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/24443669428>
> Commit: ce5b569
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=24443669428&attempt=1"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.All`
> Spec:
> <hr>Wed, 15 Apr 2026 09:39:49 UTC
<!-- end of auto-generated comment: Cypress test results  -->

Author: subrata71

app/client/package.json

@@ -121,7 +121,7 @@
     "assert-never": "^1.2.1",
     "astring": "^1.7.5",
     "async-mutex": "^0.5.0",
-    "axios": "^1.12.0",
+    "axios": "^1.15.0",
     "bfj": "^7.0.2",
     "camelcase": "^6.2.1",
     "classnames": "^2.3.1",
@@ -439,7 +439,7 @@
     "@blueprintjs/icons": "3.22.0",
     "@types/react": "^17.0.2",
     "postcss": "8.4.31",
-    "axios": "^1.12.0",
+    "axios": "^1.15.0",
     "esbuild": "^0.25.1",
     "path-to-regexp@^1.7.0": "1.9.0",
     "prismjs": "1.30.0",

app/client/packages/rts/package.json

@@ -23,7 +23,7 @@
     "@opentelemetry/sdk-trace-node": "^1.27.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
     "@shared/ast": "workspace:^",
-    "axios": "^1.12.0",
+    "axios": "^1.15.0",
     "dotenv": "10.0.0",
     "express": "^4.20.0",
     "express-validator": "^6.14.2",

app/client/packages/rts/src/__tests__/axiosNoProxyNormalization.test.ts

@@ -0,0 +1,54 @@
+import axios from "axios";
+import http from "http";
+
+describe("axios NO_PROXY normalization", () => {
+  const originalHttpProxy = process.env.HTTP_PROXY;
+  const originalNoProxy = process.env.NO_PROXY;
+
+  afterEach(() => {
+    if (originalHttpProxy === undefined) {
+      delete process.env.HTTP_PROXY;
+    } else {
+      process.env.HTTP_PROXY = originalHttpProxy;
+    }
+
+    if (originalNoProxy === undefined) {
+      delete process.env.NO_PROXY;
+    } else {
+      process.env.NO_PROXY = originalNoProxy;
+    }
+  });
+
+  it("does not proxy localhost variants when NO_PROXY includes loopback hosts", async () => {
+    const proxiedRequests: string[] = [];
+    const proxyServer = http.createServer((req, res) => {
+      proxiedRequests.push(`${req.method} ${req.url ?? ""}`);
+      res.statusCode = 200;
+      res.end("proxied");
+    });
+
+    await new Promise<void>((resolve) =>
+      proxyServer.listen(0, "127.0.0.1", resolve),
+    );
+    const address = proxyServer.address();
+
+    if (!address || typeof address === "string") {
+      proxyServer.close();
+      throw new Error("Failed to bind proxy server");
+    }
+
+    process.env.HTTP_PROXY = `http://127.0.0.1:${address.port}`;
+    process.env.NO_PROXY = "localhost,127.0.0.1,::1";
+
+    await axios
+      .get("http://localhost.:65534", { timeout: 300 })
+      .catch(() => null);
+    await axios.get("http://[::1]:65534", { timeout: 300 }).catch(() => null);
+
+    await new Promise<void>((resolve, reject) => {
+      proxyServer.close((error) => (error ? reject(error) : resolve()));
+    });
+
+    expect(proxiedRequests).toHaveLength(0);
+  });
+});

app/client/yarn.lock

@@ -13642,7 +13642,7 @@ __metadata:
     "@types/node": "*"
     "@types/nodemailer": ^6.4.17
     "@types/readline-sync": ^1.4.8
-    axios: ^1.12.0
+    axios: ^1.15.0
     dotenv: 10.0.0
     express: ^4.20.0
     express-validator: ^6.14.2
@@ -13788,7 +13788,7 @@ __metadata:
     assert-never: ^1.2.1
     astring: ^1.7.5
     async-mutex: ^0.5.0
-    axios: ^1.12.0
+    axios: ^1.15.0
     babel-jest: ^27.4.2
     babel-loader: ^8.2.3
     babel-plugin-lodash: ^3.3.4
@@ -14456,14 +14456,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"axios@npm:^1.12.0":
-  version: 1.12.2
-  resolution: "axios@npm:1.12.2"
+"axios@npm:^1.15.0":
+  version: 1.15.0
+  resolution: "axios@npm:1.15.0"
   dependencies:
-    follow-redirects: ^1.15.6
-    form-data: ^4.0.4
-    proxy-from-env: ^1.1.0
-  checksum: f0331594fe053a4bbff04104edb073973a3aabfad2e56b0aa18de82428aa63f6f0839ca3d837258ec739cb4528014121793b1649a21e5115ffb2bf8237eadca3
+    follow-redirects: ^1.15.11
+    form-data: ^4.0.5
+    proxy-from-env: ^2.1.0
+  checksum: 95a8455554867a083ab3772fcadba42a22ec4bb546dccc66011556d837a07e544ae006675a30a5c43453f3e37e7c0982e934cec482c06b75abead2a2c157448a
   languageName: node
   linkType: hard
 
@@ -20131,13 +20131,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"follow-redirects@npm:^1.0.0, follow-redirects@npm:^1.15.6":
-  version: 1.15.6
-  resolution: "follow-redirects@npm:1.15.6"
+"follow-redirects@npm:^1.0.0, follow-redirects@npm:^1.15.11":
+  version: 1.16.0
+  resolution: "follow-redirects@npm:1.16.0"
   peerDependenciesMeta:
     debug:
       optional: true
-  checksum: a62c378dfc8c00f60b9c80cab158ba54e99ba0239a5dd7c81245e5a5b39d10f0c35e249c3379eae719ff0285fff88c365dd446fab19dee771f1d76252df1bbf5
+  checksum: e90dce4607b1f6b8b9883287f912585573c19088209ad82341d550a795b4ba514522b73b1b340cf618279df27975cd46504d09149be60291ba6767384c1fd8f8
   languageName: node
   linkType: hard
 
@@ -29073,10 +29073,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"proxy-from-env@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "proxy-from-env@npm:1.1.0"
-  checksum: ed7fcc2ba0a33404958e34d95d18638249a68c430e30fcb6c478497d72739ba64ce9810a24f53a7d921d0c065e5b78e3822759800698167256b04659366ca4d4
+"proxy-from-env@npm:^2.1.0":
+  version: 2.1.0
+  resolution: "proxy-from-env@npm:2.1.0"
+  checksum: b106ad790f26d47ba4791af3fe8cba5c8d35d85020119c82c05b413eb11b3ab97d2393ecaed51bca97c2788fa256408283dfeb4d970b2ebcae6702310f064e7e
   languageName: node
   linkType: hard