fix(security): bump follow-redirects 1.15.x → 1.16.0 in examples/js (ENG-14502)

[andriy-sudo]

Vulnerability Fixed

Package	Old	New	Advisory	CVSS	Status
follow-redirects	1.15.11	1.16.0	GHSA-r4q5-vmmm-2653	MEDIUM	✅ Fixed

Linear: ENG-14502

Root Cause

follow-redirects <=1.15.11 only strips authorization, proxy-authorization, and cookie headers on cross-domain redirects. Custom auth headers (e.g. X-API-Key, X-Auth-Token) are forwarded verbatim to the redirect target. Fix: >=1.16.0.

follow-redirects is a transitive dependency via axios in examples/js/.

Fix

Added "follow-redirects": "^1.16.0" to overrides in examples/js/package.json. Regenerated package-lock.json — resolves to 1.16.0.

Changelog impact summary

Package	Old	New	Classification	Key changes
follow-redirects	1.15.11	1.16.0	Security	Strips all non-standard headers on cross-domain redirect. No breaking changes for standard usage

[coderabbitai]

Warning

Rate limit exceeded

@andriy-sudo has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 4 minutes and 57 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 4 minutes and 57 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cd2acc49-a190-47a5-a2a6-95fc9ddca502

📥 Commits

Reviewing files that changed from the base of the PR and between d33b196 and b6fd4c5.

⛔ Files ignored due to path filters (1)

• examples/js/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• examples/js/package.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch andriy/ENG-14502-fix-follow-redirects-ghsa-r4q5-vmmm-2653

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[andriy-sudo]

@KateZhang98 — SPOC review request. Reviewer assignment API returned empty (team-access-only repo). Please review and approve when ready.