Bump axios from 1.13.6 to 1.15.2#74
Conversation
Bumps [axios](https://github.com/axios/axios) from 1.13.6 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.6...v1.15.2)
---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
rtibblesbot
left a comment
Dependency Update Review
Package: axios 1.13.6 → 1.15.2
Semver risk: Minor (two releases)
Dependency type: Production
CI status: Passing ✓
Changelog Analysis
Sources consulted:
- Dependabot-sourced release notes for v1.15.1 and v1.15.2 (PR body)
Breaking changes: None within the 1.x range.
Security fixes (v1.15.1):
- Header injection hardening (#10749)
- CRLF stripping in multipart headers (#10758)
- Prototype pollution / auth bypass: `in` → `hasOwnProperty` for config objects (#10761, #10760)
- `withXSRFToken` truthy bypass — prevented cross-origin XSRF token leaking (#10762)
- `maxBodyLength` enforcement when `maxRedirects: 0` (#10753)
- Streamed response `maxContentLength` bypass fix (#10754)
- Follow-up CVE completion (#10755)
Security fixes (v1.15.2):
- Prototype pollution hardening in HTTP adapter, `resolveConfig`, `mergeConfig` — null-prototype config objects (#10779)
- SSRF via `socketPath`: rejects non-string values, adds `allowedSocketPaths` allowlist (#10777)
- Supply-chain hardening: `.npmrc` `ignore-scripts=true`, lockfile lint CI, scoped CODEOWNERS (#10776)
Bug fixes: Keep-alive socket memory leak (#10788), FormData handling, progress event clamping.
On the "Install script changes" flag: Dependabot notes that this version modifies axios's own prepare script. This is the supply-chain hardening in #10776 — axios updated their own CI scripts and added ignore-scripts=true to their .npmrc. Positive signal, not a concern.
Transitive dependency: proxy-from-env bumped ^1.1.0 → ^2.1.0 (major bump of a transitive dep; CI validates no breakage).
Compatibility Assessment
- Project uses affected APIs: No direct usage found — `axios` is not `require()`'d anywhere in `scripts/*.js`. All HTTP calls go through `github.rest.*` from the GitHub Actions toolkit. Security fixes are unlikely to affect runtime behavior either way.
- Code changes required: No — no breaking API changes in 1.x.
- Prior failed attempts: None found in PR comments or history.
Recommendation
Safe to merge. Two releases of significant security fixes (prototype pollution, SSRF, header injection, XSRF token leak) with no breaking API changes and passing CI. See inline suggestion.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Reviewed the pull request diff checking for:
- Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
- Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
- Architecture: duplicated concerns, minimal interfaces, composition over inheritance
- Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
- Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
- Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
- Checked CI status and linked issue acceptance criteria
- For UI changes: inspected screenshots for layout, visual completeness, and consistency
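As an added illustration (not axios's own code, and not part of the review above), the following shows why reading config keys through the prototype chain is exposed to prototype pollution, and how own-property checks on a null-prototype result, the shape of the `in` → `hasOwnProperty` and null-prototype hardening listed in the changelog analysis, close that path. The `mergeConfig*`/`hasOption*` names and the polluted key value are assumptions.

```javascript
// Added illustration (not axios's code); function names and values are assumptions.

// Naive merge: result is a plain {} (inherits from Object.prototype), and the
// presence check uses "in", which also matches inherited keys.
function mergeConfigNaive(defaults, overrides) {
  const out = {};
  for (const key of Object.keys(defaults)) out[key] = defaults[key];
  for (const key of Object.keys(overrides)) out[key] = overrides[key];
  return out;
}
function hasOptionNaive(config, name) {
  return name in config;
}

// Hardened: copy only own keys, never accept "__proto__" as a config key, and
// return an object with no prototype chain so polluted globals cannot leak in.
function mergeConfigHardened(defaults, overrides) {
  const out = Object.create(null);
  for (const src of [defaults, overrides]) {
    for (const key of Object.keys(src)) {
      if (key === '__proto__') continue;
      out[key] = src[key];
    }
  }
  return out;
}
function hasOptionHardened(config, name) {
  return Object.prototype.hasOwnProperty.call(config, name);
}

// Demonstration: simulate a prototype already polluted by an unrelated bug
// (constructed value), then compare what each merge exposes as "config".
function demo() {
  Object.prototype.socketPath = '/tmp/polluted.sock';
  try {
    const naive = mergeConfigNaive({ timeout: 1000 }, {});
    const hard = mergeConfigHardened({ timeout: 1000 }, {});
    return {
      naiveSees: hasOptionNaive(naive, 'socketPath'),  // true, inherited
      naiveValue: naive.socketPath,                     // the polluted value
      hardSees: hasOptionHardened(hard, 'socketPath'),  // false
      hardValue: hard.socketPath,                       // undefined
    };
  } finally {
    delete Object.prototype.socketPath; // restore the global prototype
  }
}
```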
| }, | ||
| "dependencies": { | ||
| "axios": "^1.13.6", | ||
| "axios": "^1.15.2", |
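Review bot: the `"axios": "^1.15.2"` line only raises the caret floor in package.json; with a committed lockfile, the version CI actually installs is whatever the lockfile records, and the lockfile change is not part of this hunk, so confirm the lockfile entry moved to 1.15.2 in the same PR before reading the passing CI run as evidence that 1.15.2 was exercised.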
suggestion: axios is a production dependency but doesn't appear to be require()'d anywhere in scripts/*.js — all HTTP calls go through github.rest.*. If it's genuinely unused, removing it would eliminate a recurring security-update burden and reduce the dependency footprint. Worth verifying before the next update cycle.
Commits
- 5829343 chore(release): prepare release 1.15.2 (#10789)
- 4709a48 fix: added fix for memory leak in sockets (#10788)
- be33360 chore: update changelog (#10781)
- 4791514 fix: more header pollutions (#10779)
- 6feafcf fix: socket issue (#10777)
- 302e273 docs: update docs, add a couple actions etc (#10776)
- ac42446 chore(release): prepare release 1.15.1 (#10767)
- 908f220 docs: update threatmodel (#10765)
- f93f815 docs: added docs around potential decompressions bomb (#10763)
- 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
Install script changes
This version modifies `prepare` script that runs during installation. Review the package contents before updating.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.