fix: bump axios to ^1.16.0 in typescript SDK#693

Open
ParakhJaggi wants to merge 3 commits into
coinbase:mainfrom
ParakhJaggi:fix/axios-1.16.0-bump

Conversation

@ParakhJaggi

Description

Loosens the exact axios pin in typescript/src/package.json from 1.13.6 to ^1.16.0 so consumers of @coinbase/cdp-sdk can pick up axios security patches via npm update / npm audit fix.

The exact pin was added in #631 to block the compromised axios@1.14.1 release. Since then, two advisories have been published affecting 1.13.6:

| GHSA | CVE | Severity | Description | Fixed in |
|---|---|---|---|---|
| GHSA-fvcv-3m26-pcqx | CVE-2026-40175 | Moderate | Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | 1.15.0 |
| GHSA-3p68-rc4w-qgx5 | CVE-2025-62718 | Moderate | NO_PROXY Hostname Normalization Bypass leading to SSRF | 1.15.0 |

Because the dependency is an exact pin, downstream consumers can't deduplicate or update it. They have to add an overrides entry, which many internal-policy frameworks (including Tavily's) disallow.

^1.16.0 excludes the compromised 1.14.x line (1.14.0/1.14.1) and allows future patch releases.

Closes #681.

Tests

  • pnpm install (in both typescript/ and examples/typescript/) regenerated the lockfiles cleanly. axios resolves to 1.16.0.
  • pnpm test (typescript): 473 passed (42 files).
  • pnpm build (typescript): clean — build:cjs, build:esm, build:types all succeed.

Checklist

  • Updated the typescript README if relevant — n/a, dep-only change
  • Updated the python README if relevant — n/a
  • Added a changelog entry (typescript/.changeset/loosen-axios-pin.md, patch bump)
  • Added e2e tests if introducing new functionality — n/a, no new functionality

Note: my git config doesn't have commit signing set up. If signing is enforced by CI on this repo, happy to re-push with a signed commit — just flag it.
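Added example, not code from the cdp-sdk repository or from this PR: a TypeScript check of what a `^1.16.0` range actually admits, followed by a scan of a constructed pnpm-lock excerpt for resolved axios versions that fall outside the range or on a blocklist. The caret semantics are hand-rolled (major version greater than 0 only) so the script runs offline without the `semver` package; `BLOCKED_AXIOS`, the verdict labels and the lockfile text are assumptions built from the versions named in the description above. One caveat worth making explicit: a caret range admits later minor releases as well as patches (1.17.2 satisfies `^1.16.0`), so the range by itself cannot keep out a future compromised minor; the lockfile scan with an explicit blocklist is the check that does.

```typescript
// Added example (not the cdp-sdk project's code). Hand-rolled caret-range
// check plus a lockfile scan, so it runs without the `semver` package.

type Version = { major: number; minor: number; patch: number };

function parseVersion(s: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(s.trim());
  if (!m) throw new Error(`not a plain release version: ${s}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a: Version, b: Version): number {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// "^X.Y.Z" with X > 0 means >= X.Y.Z and < (X+1).0.0: it admits every later
// minor and patch release of that major, not only patch releases.
function satisfiesCaret(range: string, version: string): boolean {
  if (!range.startsWith("^")) throw new Error(`only caret ranges are handled: ${range}`);
  const floor = parseVersion(range.slice(1));
  if (floor.major === 0) throw new Error("0.x caret semantics are not implemented here");
  const v = parseVersion(version);
  const ceiling: Version = { major: floor.major + 1, minor: 0, patch: 0 };
  return compareVersions(v, floor) >= 0 && compareVersions(v, ceiling) < 0;
}

// Versions the PR description names as compromised. The blocklist shape is
// an assumption for this example, not a published data source.
const BLOCKED_AXIOS = new Set<string>(["1.14.0", "1.14.1"]);

type Verdict = "blocked" | "allowed" | "excluded";

// Blocklist wins over the range: a compromised version must never be reported
// as "allowed" even if the range would admit it.
function classify(range: string, version: string): Verdict {
  if (BLOCKED_AXIOS.has(version)) return "blocked";
  return satisfiesCaret(range, version) ? "allowed" : "excluded";
}

// Scan lockfile text for every resolved axios version and report anything
// outside the declared range or on the blocklist. The regex matches both the
// older "/axios@1.16.0:" and the newer "axios@1.16.0:" pnpm-lock key styles.
function auditLockfile(lockText: string, range: string): string[] {
  const findings: string[] = [];
  const seen = new Set<string>();
  const re = /\baxios@(\d+\.\d+\.\d+)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(lockText)) !== null) {
    const v = m[1];
    if (seen.has(v)) continue;
    seen.add(v);
    const verdict = classify(range, v);
    if (verdict !== "allowed") findings.push(`axios@${v}: ${verdict} by ${range}`);
  }
  return findings;
}

// Constructed lockfile excerpt (not a real pnpm-lock.yaml): one clean
// resolution plus a stale transitive copy that the range should flag.
const SAMPLE_LOCK = `
packages:
  axios@1.16.0:
    resolution: {integrity: sha512-constructed}
  axios@1.13.6:
    resolution: {integrity: sha512-constructed}
`;

for (const v of ["1.13.6", "1.14.1", "1.15.0", "1.16.0", "1.17.2", "2.0.0"]) {
  console.log(`^1.16.0 vs ${v}: ${classify("^1.16.0", v)}`);
}
console.log(auditLockfile(SAMPLE_LOCK, "^1.16.0"));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file contents; a non-empty result from `auditLockfile` is the condition a CI step would fail on, which is cheaper than a policy-forbidden `overrides` entry and still catches a transitive copy that the direct range cannot see.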

@cb-heimdall

cb-heimdall commented May 8, 2026

🟡 Heimdall Review Status

| Requirement | Status | More Info |
|---|---|---|
| Reviews | 🟡 0/1 | |

Denominator calculation:
  1 if user is bot: 0
  1 if user is external: 0
  2 if repo is sensitive: 0
  From .codeflow.yml: 1
  Additional review requirements (max): 0
    From CODEOWNERS: 0
    Global minimum: 0
  Max: 1
  1 if commit is unverified: 0
  Sum: 1

Loosens the exact `1.13.6` pin (originally added in coinbase#631 to block the
compromised `1.14.1` release) so consumers can pick up axios security
patches via `npm update` / `npm audit fix`.

Picks up:
- GHSA-fvcv-3m26-pcqx (CVE-2026-40175): Cloud Metadata Exfiltration
  via Header Injection — patched in 1.15.0
- GHSA-3p68-rc4w-qgx5 (CVE-2025-62718): NO_PROXY Hostname
  Normalization Bypass leading to SSRF — patched in 1.15.0

Both advisories were published after `1.13.6` was pinned. The
`^1.16.0` range excludes the compromised `1.14.x` line and allows
future patch releases.

Closes coinbase#681
@ParakhJaggi force-pushed the fix/axios-1.16.0-bump branch from 2832a05 to b668e92 on May 8, 2026 15:22

Labels

None yet

Development

Successfully merging this pull request may close these issues.

Security: axios pin 1.13.6 is outdated — please update to 1.16.0

2 participants