Skip to content

chore(deps): bump axios from 0.27.2 to 0.32.0#4152

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/axios-1.16.0
Open

chore(deps): bump axios from 0.27.2 to 0.32.0#4152
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/axios-1.16.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 29, 2026
edited by cursor Bot
Loading

Copy link
Copy Markdown
Contributor

Bumps axios from 0.27.2 to 0.32.0.

Release notes

Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

  • Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

  • Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
  • Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
  • Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
  • Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
  • Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
  • URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
  • Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

  • Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

  • Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

  • Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
  • Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
  • FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
  • Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20+) unchanged. (#10737)
  • Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

  • CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.


Note

Medium Risk
Wide HTTP client version change (including 1.x → 0.32.0) touches integrations, enrichment, and API paths with no code updates; 0.32.0’s null-prototype config merge may cause subtle runtime regressions.

Overview
Standardizes axios on ^0.32.0 (resolved 0.32.0) across the monorepo by updating backend/package.json, eight workers, and five shared libs (common_services, database, integrations, nango, opensearch). Several packages that previously pinned axios 1.x are now aligned with the backend’s 0.27.2 → 0.32.0 bump.

pnpm-lock.yaml is regenerated so first-party packages share a single axios@0.32.0 install; older lock entries for multiple axios@1.x builds are removed. Third-party packages (e.g. @sendgrid/client, @slack/web-api, peopledatalabs) still pull axios@1.17.0 transitively. There are no TypeScript/runtime code changes in this diff.

Reviewers should note 0.32.0 brings security hardening and a breaking change: merged config/header objects use a null prototype, which can affect code that assumes normal Object behavior on axios config.

Reviewed by Cursor Bugbot for commit 67066b7. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 29, 2026
@dependabot dependabot Bot mentioned this pull request May 29, 2026
Closed
@CLAassistant

CLAassistant commented May 29, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions

github-actions Bot commented May 29, 2026

Copy link
Copy Markdown
Contributor

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

  • feat: add user authentication (CM-123)
  • feat: add user authentication (IN-123)

Projects:

  • CM: Community Data Platform
  • IN: Insights

Please add a Jira issue key to your PR title.

@dependabot dependabot Bot changed the title chore(deps): bump axios from 1.13.1 to 1.16.0 chore(deps): bump axios from 0.27.2 to 0.32.0 Jun 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.16.0 branch from 3001ddf to 53cc1df Compare June 3, 2026 17:14
cursor[bot]
cursor Bot reviewed Jun 3, 2026
View reviewed changes
Comment thread pnpm-lock.yaml
needle@https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b:
resolution: {tarball: https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b}
needle@git+https://git@github.com:clearbit/needle.git#84d28b5f2c3916db1e7eb84aeaa9d976cc40054b:
resolution: {commit: 84d28b5f2c3916db1e7eb84aeaa9d976cc40054b, repo: git@github.com:clearbit/needle.git, type: git}

@cursor cursor Bot Jun 3, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clearbit needle SSH resolution

Medium Severity

Regenerating the lockfile switched clearbit’s needle dependency from an anonymous HTTPS tarball to a git resolution whose metadata points at git@github.com:clearbit/needle.git. That can make pnpm install fail in CI or other environments that previously worked without GitHub SSH keys.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 53cc1df. Configure here.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.16.0 branch 3 times, most recently from 1e08701 to 1e02ba4 Compare June 5, 2026 13:21
cursor[bot]
cursor Bot reviewed Jun 5, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 1e02ba4. Configure here.

Comment thread services/libs/common_services/package.json
"@octokit/request": "^5.6.3",
"@octokit/rest": "^22.0.0",
"axios": "^1.13.1",
"axios": "^0.32.0",

@cursor cursor Bot Jun 5, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Axios semver downgrade from 1.x

Medium Severity

This PR retargets multiple workspaces from axios 1.x ranges to ^0.32.0, which is a semver downgrade because major 1 sorts above 0. The stated goal is 0.27.20.32.0 on the legacy line; services already on 1.x should move to a current 1.x release, not 0.32.0.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 1e02ba4. Configure here.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.16.0 branch 2 times, most recently from a7eb49c to ba2a968 Compare June 9, 2026 08:49
@dependabot
chore(deps): bump axios from 0.27.2 to 0.32.0
67066b7 
Bumps [axios](https://github.com/axios/axios) from 0.27.2 to 0.32.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.27.2...v0.32.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.16.0 branch from ba2a968 to 67066b7 Compare June 9, 2026 11:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CLAassistant