fix(deps): update dependency axios to v1.6.0 [security] #2020

renovate · 2023-11-11T08:00:07Z

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	`1.1.3` -> `1.6.0`

GitHub Vulnerability Alerts

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Release Notes

axios/axios (axios)

`v1.6.0`

Compare Source

Features

adapter: add fetch adapter; (#6371) (a3ff99b)

Contributors to this release

1.6.8 (2024-03-15)

Bug Fixes

AxiosHeaders: fix AxiosHeaders conversion to an object during config merging (#6243) (2656612)
import: use named export for EventEmitter; (7320430)
vulnerability: update follow-redirects to 1.15.6 (#6300) (8786e0f)

Contributors to this release

1.6.7 (2024-01-25)

Bug Fixes

capture async stack only for rejections with native error objects; (#6203) (1a08f90)

Contributors to this release

1.6.6 (2024-01-24)

Bug Fixes

fixed missed dispatchBeforeRedirect argument (#5778) (a1938ff)
wrap errors to improve async stack trace (#5987) (123f354)

Contributors to this release

1.6.5 (2024-01-05)

Bug Fixes

ci: refactor notify action as a job of publish action; (#6176) (0736f95)
dns: fixed lookup error handling; (#6175) (f4f2b03)

Contributors to this release

1.6.4 (2024-01-03)

Bug Fixes

security: fixed formToJSON prototype pollution vulnerability; (#6167) (3c0c11c)
security: fixed security vulnerability in follow-redirects (#6163) (75af1cd)

Contributors to this release

1.6.3 (2023-12-26)

Bug Fixes

Regular Expression Denial of Service (ReDoS) (#6132) (5e7ad38)

Contributors to this release

1.6.2 (2023-11-14)

Features

withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

PRs

feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )


📢 This PR added &#x27;withXSRFToken&#x27; option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

Contributors to this release

1.6.1 (2023-11-08)

Bug Fixes

formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

Contributors to this release

PRs

feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )


📢 This PR added &#x27;withXSRFToken&#x27; option as a replacement for old withCredentials behaviour. 
You should now use withXSRFToken along with withCredential to get the old behavior.
This functionality is considered as a fix.

`v1.5.1`

Compare Source

Bug Fixes

CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
types: fix AxiosHeaders types; (#5931) (a1c8ad0)

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

1.5.1 (2023-09-26)

Bug Fixes

adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
types: removed duplicated code (9e62056)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

`v1.5.0`

Compare Source

Bug Fixes

CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
types: fix AxiosHeaders types; (#5931) (a1c8ad0)

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

Contributors to this release

1.5.1 (2023-09-26)

Bug Fixes

adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
types: removed duplicated code (9e62056)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

`v1.4.0`

Compare Source

Bug Fixes

formdata: add multipart/form-data content type for FormData payload on custom client environments; (#5678) (bbb61e7)
package: export package internals with unsafe path prefix; (#5677) (df38c94)

Features

dns: added support for a custom lookup function; (#5339) (2701911)
types: export AxiosHeaderValue type. (#5525) (726f1c8)

Performance Improvements

merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#5679) (e6f7053)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

types: added transport to RawAxiosRequestConfig (#5445) (6f360a2)
utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#5661) (aa372f7)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

headers: fixed isValidHeaderName to support full list of allowed characters; (#5584) (e7decef)
params: re-added the ability to set the function as paramsSerializer config; (#5633) (a56c866)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

blob: added a check to make sure the Blob class is available in the browser's global scope; (#5548) (3772c8f)
http: fixed regression bug when handling synchronous errors inside the adapter; (#5564) (a3b246c)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

formdata: added a check to make sure the FormData class is available in the browser's global scope; (#5545) (a6dfa72)
formdata: fixed setting NaN as Content-Length for form payload in some cases; (#5535) (c19f7bf)
headers: fixed the filtering logic of the clear method; (#5542) (ea87ebf)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug Fixes

http: treat http://localhost as base URL for relative paths to avoid ERR_INVALID_URL error; (#5528) (128d56f)
http: use explicit import instead of TextEncoder global; (#5530) (6b3c305)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.1 (2023-02-01)

Bug Fixes

formdata: add hotfix to use the asynchronous API to compute the content-length header value; (#5521) (96d336f)
serializer: fixed serialization of array-like objects; (#5518) (08104c0)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

`v1.3.6`

Compare Source

Bug Fixes

formdata: add multipart/form-data content type for FormData payload on custom client environments; (#5678) (bbb61e7)
package: export package internals with unsafe path prefix; (#5677) (df38c94)

Features

dns: added support for a custom lookup function; (#5339) (2701911)
types: export AxiosHeaderValue type. (#5525) (726f1c8)

Performance Improvements

merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#5679) (e6f7053)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

types: added transport to RawAxiosRequestConfig (#5445) (6f360a2)
utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#5661) (aa372f7)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

headers: fixed isValidHeaderName to support full list of allowed characters; (#5584) (e7decef)
params: re-added the ability to set the function as paramsSerializer config; (#5633) (a56c866)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

blob: added a check to make sure the Blob class is available in the browser's global scope; (#5548) (3772c8f)
http: fixed regression bug when handling synchronous errors inside the adapter; (#5564) (a3b246c)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

formdata: added a check to make sure the FormData class is available in the browser's global scope; (#5545) (a6dfa72)
formdata: fixed setting NaN as Content-Length for form payload in some cases; (#5535) (c19f7bf)
headers: fixed the filtering logic of the clear method; (#5542) (ea87ebf)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug Fixes

http: treat http://localhost as base URL for relative paths to avoid ERR_INVALID_URL error; (#5528) (128d56f)
http: use explicit import instead of TextEncoder global; (#5530) (6b3c305)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.1 (2023-02-01)

Bug Fixes

formdata: add hotfix to use the asynchronous API to compute the content-length header value; (#5521) (96d336f)
serializer: fixed serialization of array-like objects; (#5518) (08104c0)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

`v1.3.5`

Compare Source

Bug Fixes

formdata: add multipart/form-data content type for FormData payload on custom client environments; (#5678) (bbb61e7)
package: export package internals with unsafe path prefix; (#5677) (df38c94)

Features

dns: added support for a custom lookup function; (#5339) (2701911)
types: export AxiosHeaderValue type. (#5525) (726f1c8)

Performance Improvements

merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#5679) (e6f7053)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

types: added transport to RawAxiosRequestConfig (#5445) (6f360a2)
utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#5661) (aa372f7)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

headers: fixed isValidHeaderName to support full list of allowed characters; (#5584) (e7decef)
params: re-added the ability to set the function as paramsSerializer config; (#5633) (a56c866)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

blob: added a check to make sure the Blob class is available in the browser's global scope; (#5548) (3772c8f)
http: fixed regression bug when handling synchronous errors inside the adapter; (#5564) (a3b246c)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

formdata: added a check to make sure the FormData class is available in the browser's global scope; (#5545) (a6dfa72)
formdata: fixed setting NaN as Content-Length for form payload in some cases; (#5535) (c19f7bf)
headers: fixed the filtering logic of the clear method; (#5542) (ea87ebf)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug Fixes

http: treat http://localhost as base URL for relative paths to avoid ERR_INVALID_URL error; (#5528) (128d56f)
http: use explicit import instead of TextEncoder global; (#5530) (6b3c305)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.1 (2023-02-01)

Bug Fixes

formdata: add hotfix to use the asynchronous API to compute the content-length header value; (#5521) (96d336f)
serializer: fixed serialization of array-like objects; (#5518) (08104c0)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

`v1.3.4`

Compare Source

Bug Fixes

formdata: add multipart/form-data content type for FormData payload on custom client environments; (#5678) (bbb61e7)
package: export package internals with unsafe path prefix; (#5677) (df38c94)

Features

dns: added support for a custom lookup function; (#5339) (2701911)
types: export AxiosHeaderValue type. (#5525) (726f1c8)

Performance Improvements

merge-config: optimize mergeConfig performance by avoiding duplicate key visits; (#5679) (e6f7053)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.6 (2023-04-19)

Bug Fixes

types: added transport to RawAxiosRequestConfig (#5445) (6f360a2)
utils: make isFormData detection logic stricter to avoid unnecessary calling of the toString method on the target; (#5661) (aa372f7)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.5 (2023-04-05)

Bug Fixes

headers: fixed isValidHeaderName to support full list of allowed characters; (#5584) (e7decef)
params: re-added the ability to set the function as paramsSerializer config; (#5633) (a56c866)

Contributors to this release

Dmitriy Mozgovoy

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.4 (2023-02-22)

Bug Fixes

blob: added a check to make sure the Blob class is available in the browser's global scope; (#5548) (3772c8f)
http: fixed regression bug when handling synchronous errors inside the adapter; (#5564) (a3b246c)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.3 (2023-02-13)

Bug Fixes

formdata: added a check to make sure the FormData class is available in the browser's global scope; (#5545) (a6dfa72)
formdata: fixed setting NaN as Content-Length for form payload in some cases; (#5535) (c19f7bf)
headers: fixed the filtering logic of the clear method; (#5542) (ea87ebf)

Contributors to this release

PRs

CVE 2023 45857 ( #6028 )


⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.3.2 (2023-02-03)

Bug

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov · 2023-11-11T08:04:58Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.37%. Comparing base (f4217b0) to head (2a787d3).

❗ Current head 2a787d3 differs from pull request most recent head 079b151. Consider uploading reports for the commit 079b151 to get more accurate results

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #2020   +/-   ##
========================================
  Coverage    97.37%   97.37%           
========================================
  Files          413      413           
  Lines         9871     9871           
  Branches      1084     1084           
========================================
  Hits          9612     9612           
  Misses         259      259

Flag	Coverage Δ
integration	`97.37% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

renovate bot requested a review from C0ZEN as a code owner November 11, 2023 08:00

renovate bot added the dependencies Alter the dependencies label Nov 11, 2023

renovate bot assigned C0ZEN Nov 11, 2023

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 2a787d3 to 079b151 Compare February 24, 2024 01:33

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 079b151 to 0005d39 Compare March 8, 2025 14:13

renovate bot changed the title ~~fix(deps): update dependency axios to v1.6.0 [security]~~ fix(deps): update dependency axios to v1.8.2 [security] Mar 8, 2025

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 0005d39 to cc2b403 Compare March 28, 2025 19:25

renovate bot changed the title ~~fix(deps): update dependency axios to v1.8.2 [security]~~ fix(deps): update dependency axios to v1.6.0 [security] Mar 28, 2025

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from cc2b403 to de9c742 Compare September 13, 2025 18:58

renovate bot changed the title ~~fix(deps): update dependency axios to v1.6.0 [security]~~ fix(deps): update dependency axios to v1.12.0 [security] Sep 13, 2025

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from de9c742 to 5507e77 Compare September 18, 2025 17:58

renovate bot changed the title ~~fix(deps): update dependency axios to v1.12.0 [security]~~ fix(deps): update dependency axios to v1.6.0 [security] Sep 18, 2025

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 5507e77 to 82fe714 Compare September 30, 2025 05:58

renovate bot changed the title ~~fix(deps): update dependency axios to v1.6.0 [security]~~ fix(deps): update dependency axios to v1.12.0 [security] Sep 30, 2025

fix(deps): update dependency axios to v1.6.0 [security]

933c5fb

renovate bot force-pushed the renovate/npm-axios-vulnerability branch from 82fe714 to 933c5fb Compare September 30, 2025 19:40

renovate bot changed the title ~~fix(deps): update dependency axios to v1.12.0 [security]~~ fix(deps): update dependency axios to v1.6.0 [security] Sep 30, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

fix(deps): update dependency axios to v1.6.0 [security] #2020

fix(deps): update dependency axios to v1.6.0 [security] #2020

Uh oh!

renovate bot commented Nov 11, 2023 •

edited

Loading

Uh oh!

codecov bot commented Nov 11, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

fix(deps): update dependency axios to v1.6.0 [security] #2020

Are you sure you want to change the base?

fix(deps): update dependency axios to v1.6.0 [security] #2020

Uh oh!

Conversation

renovate bot commented Nov 11, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2023-45857

Release Notes

v1.6.0

Features

Contributors to this release

1.6.8 (2024-03-15)

Bug Fixes

Contributors to this release

1.6.7 (2024-01-25)

Bug Fixes

Contributors to this release

1.6.6 (2024-01-24)

Bug Fixes

Contributors to this release

1.6.5 (2024-01-05)

Bug Fixes

Contributors to this release

1.6.4 (2024-01-03)

Bug Fixes

Contributors to this release

1.6.3 (2023-12-26)

Bug Fixes

Contributors to this release

1.6.2 (2023-11-14)

Features

PRs

Contributors to this release

1.6.1 (2023-11-08)

Bug Fixes

Contributors to this release

PRs

v1.5.1

Bug Fixes

PRs

Contributors to this release

1.5.1 (2023-09-26)

Bug Fixes

Contributors to this release

PRs

v1.5.0

Bug Fixes

PRs

Contributors to this release

1.5.1 (2023-09-26)

Bug Fixes

Contributors to this release

PRs

v1.4.0

Bug Fixes

Features

Performance Improvements

Contributors to this release

PRs

1.3.6 (2023-04-19)

Bug Fixes

Contributors to this release

PRs

1.3.5 (2023-04-05)

Bug Fixes

Contributors to this release

PRs

1.3.4 (2023-02-22)

Bug Fixes

Contributors to this release

PRs

1.3.3 (2023-02-13)

Bug Fixes

Contributors to this release

PRs

1.3.2 (2023-02-03)

Bug Fixes

renovate bot commented Nov 11, 2023 •

edited

Loading

`v1.6.0`

`v1.5.1`

`v1.5.0`

`v1.4.0`

`v1.3.6`

`v1.3.5`