
chore(deps): bump axios from ^0.21.1 to ^1.9.0 #2393

Open
ZLeventer wants to merge 1 commit into googleanalytics:main from ZLeventer:deps/bump-axios-0.21-to-1.9

Conversation

@ZLeventer

Summary

Bumps axios (devDependency) from ^0.21.1 to ^1.9.0.

Motivation

The 0.x axios line has two known CVEs that affect code using axios with redirect-following:

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2023-45857 | High (CVSS 8.8) | Credential exposure via cross-origin redirect — axios forwards the Authorization header to redirect targets on different origins |
| CVE-2024-39338 | High | SSRF bypass via protocol-relative redirect URLs |

Both are fixed in the 1.x series. The 0.x line is no longer maintained upstream.

Change

- "axios": "^0.21.1",
+ "axios": "^1.9.0",
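Review bot: the hunk changes only the semver range in package.json, so if the repository tracks a lockfile (package-lock.json or yarn.lock) the resolved axios version stays at whatever that file pins until it is regenerated, and `npm ci` would keep installing the 0.21.x build the description says is vulnerable; include the lockfile update in the same commit so the bump actually takes effect. The caret range `^1.9.0` floats to any later 1.x minor, which is acceptable for a devDependency but is another reason the lockfile should carry the exact resolved version. Separately, the commit message describes CVE-2023-45857 as the SSRF issue and CVE-2024-39338 as the cross-origin redirect issue, which is the reverse of the table in the PR body; align the two so the audit trail for this bump is accurate.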

axios is a devDependency used in the test/tooling layer only — it is not included in the production bundle. No application source changes are required.

Migration notes

axios 1.x has minor breaking changes around config merging and error shape. Since this package uses axios only as a devDependency (not imported in src/), no application code changes are needed alongside this bump.

Addresses CVE-2023-45857 (SSRF via forged server-side requests when
axios follows redirects with credentials) and CVE-2024-39338 (SSRF
bypass via cross-origin redirect). The 0.x line is unsupported;
1.x is the current stable series.