Skip to content

chore(deps): bump axios from 0.27.2 to 0.32.0#4152

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/axios-1.16.0
Open

chore(deps): bump axios from 0.27.2 to 0.32.0#4152
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/axios-1.16.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 29, 2026
edited by cursor Bot
Loading

Bumps axios from 0.27.2 to 0.32.0.

Release notes

Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

  • Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

  • Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
  • Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
  • Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
  • Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
  • Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
  • URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
  • Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

  • Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

  • Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

  • Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
  • Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
  • FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
  • Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20+) unchanged. (#10737)
  • Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

  • CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.


Note

Medium Risk
axios drives many outbound integration and token flows; consolidating from 1.x to 0.32.x plus null-prototype merged config is a wide dependency change that warrants regression testing on HTTP paths.

Overview
Aligns axios on 0.32.0 across the monorepo by updating direct dependencies in backend/package.json, multiple Temporal workers, and shared libs (@crowd/common_services, database, integrations, nango, opensearch), with matching updates in pnpm-lock.yaml.

Several packages that previously declared axios 1.x now pin 0.32.0, so the install graph converges on a single first-party HTTP client version instead of mixed 0.27.x / 1.6–1.13 ranges. Transitive consumers (e.g. SendGrid, Slack, People Data Labs) may still resolve other axios versions where they bundle their own dependency.

0.32.0 brings security backports (prototype-pollution guards, stricter adapters, default error redaction) and a breaking behavior: merged config/header objects use a null prototype, which can affect code that relies on inherited object methods on axios config.

Reviewed by Cursor Bugbot for commit 1e02ba4. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 29, 2026
@dependabot dependabot Bot mentioned this pull request May 29, 2026
Closed
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented May 29, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 29, 2026

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

  • feat: add user authentication (CM-123)
  • feat: add user authentication (IN-123)

Projects:

  • CM: Community Data Platform
  • IN: Insights

Please add a Jira issue key to your PR title.

@dependabot dependabot Bot changed the title chore(deps): bump axios from 1.13.1 to 1.16.0 chore(deps): bump axios from 0.27.2 to 0.32.0 Jun 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.16.0 branch from 3001ddf to 53cc1df Compare June 3, 2026 17:14
cursor[bot]
cursor Bot reviewed Jun 3, 2026
View reviewed changes
Comment thread pnpm-lock.yaml
needle@https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b:
resolution: {tarball: https://codeload.github.com/clearbit/needle/tar.gz/84d28b5f2c3916db1e7eb84aeaa9d976cc40054b}
needle@git+https://git@github.com:clearbit/needle.git#84d28b5f2c3916db1e7eb84aeaa9d976cc40054b:
resolution: {commit: 84d28b5f2c3916db1e7eb84aeaa9d976cc40054b, repo: git@github.com:clearbit/needle.git, type: git}
Copy link
Copy Markdown

@cursor cursor Bot Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clearbit needle SSH resolution

Medium Severity

Regenerating the lockfile switched clearbit’s needle dependency from an anonymous HTTPS tarball to a git resolution whose metadata points at git@github.com:clearbit/needle.git. That can make pnpm install fail in CI or other environments that previously worked without GitHub SSH keys.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 53cc1df. Configure here.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.16.0 branch 2 times, most recently from db304ae to 1e08701 Compare June 5, 2026 12:30
@dependabot
chore(deps): bump axios from 0.27.2 to 0.32.0
1e02ba4 
Bumps [axios](https://github.com/axios/axios) from 0.27.2 to 0.32.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.27.2...v0.32.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.16.0 branch from 1e08701 to 1e02ba4 Compare June 5, 2026 13:21
cursor[bot]
cursor Bot reviewed Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 1e02ba4. Configure here.

Comment thread services/libs/common_services/package.json
"@octokit/request": "^5.6.3",
"@octokit/rest": "^22.0.0",
"axios": "^1.13.1",
"axios": "^0.32.0",
Copy link
Copy Markdown

@cursor cursor Bot Jun 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Axios semver downgrade from 1.x

Medium Severity

This PR retargets multiple workspaces from axios 1.x ranges to ^0.32.0, which is a semver downgrade because major 1 sorts above 0. The stated goal is 0.27.20.32.0 on the legacy line; services already on 1.x should move to a current 1.x release, not 0.32.0.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 1e02ba4. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CLAassistant