y-young / f1music

校园音乐征集投票系统 A system for electing annual school music
MIT License
9 stars 3 forks source link

chore(deps): update dependency axios to v1.7.4 [security] #85

Open renovate[bot] opened 8 months ago

renovate[bot] commented 8 months ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
axios (source) 1.4.0 -> 1.7.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2024-39338

axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.


Release Notes

axios/axios (axios) ### [`v1.7.4`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#174-2024-08-13) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.3...v1.7.4) ##### Bug Fixes - **sec:** CVE-2024-39338 ([#​6539](https://redirect.github.com/axios/axios/issues/6539)) ([#​6543](https://redirect.github.com/axios/axios/issues/6543)) ([6b6b605](https://redirect.github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a)) - **sec:** disregard protocol-relative URL to remediate SSRF ([#​6539](https://redirect.github.com/axios/axios/issues/6539)) ([07a661a](https://redirect.github.com/axios/axios/commit/07a661a2a6b9092c4aa640dcc7f724ec5e65bdda)) ##### Contributors to this release - avatar [Lev Pachmanov](https://redirect.github.com/levpachmanov "+47/-11 (#​6543 )") - avatar [Đỗ Trọng Hải](https://redirect.github.com/hainenber "+49/-4 (#​6539 )") ### [`v1.7.3`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#173-2024-08-01) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.2...v1.7.3) ##### Bug Fixes - **adapter:** fix progress event emitting; ([#​6518](https://redirect.github.com/axios/axios/issues/6518)) ([e3c76fc](https://redirect.github.com/axios/axios/commit/e3c76fc9bdd03aa4d98afaf211df943e2031453f)) - **fetch:** fix withCredentials request config ([#​6505](https://redirect.github.com/axios/axios/issues/6505)) ([85d4d0e](https://redirect.github.com/axios/axios/commit/85d4d0ea0aae91082f04e303dec46510d1b4e787)) - **xhr:** return original config on errors from XHR adapter ([#​6515](https://redirect.github.com/axios/axios/issues/6515)) ([8966ee7](https://redirect.github.com/axios/axios/commit/8966ee7ea62ecbd6cfb39a905939bcdab5cf6388)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+211/-159 (#​6518 #​6519 )") - avatar [Valerii Sidorenko](https://redirect.github.com/ValeraS "+3/-3 (#​6515 )") - avatar [prianYu](https://redirect.github.com/prianyu "+2/-2 (#​6505 )") ### [`v1.7.2`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#172-2024-05-21) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.1...v1.7.2) ##### Bug Fixes - **fetch:** enhance fetch API detection; ([#​6413](https://redirect.github.com/axios/axios/issues/6413)) ([4f79aef](https://redirect.github.com/axios/axios/commit/4f79aef81b7c4644328365bfc33acf0a9ef595bc)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+3/-3 (#​6413 )") ### [`v1.7.1`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#171-2024-05-20) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.0...v1.7.1) ##### Bug Fixes - **fetch:** fixed ReferenceError issue when TextEncoder is not available in the environment; ([#​6410](https://redirect.github.com/axios/axios/issues/6410)) ([733f15f](https://redirect.github.com/axios/axios/commit/733f15fe5bd2d67e1fadaee82e7913b70d45dc5e)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+14/-9 (#​6410 )") ### [`v1.7.0`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#170-2024-05-19) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.8...v1.7.0) ##### Features - **adapter:** add fetch adapter; ([#​6371](https://redirect.github.com/axios/axios/issues/6371)) ([a3ff99b](https://redirect.github.com/axios/axios/commit/a3ff99b59d8ec2ab5dd049e68c043617a4072e42)) ##### Bug Fixes - **core/axios:** handle un-writable error stack ([#​6362](https://redirect.github.com/axios/axios/issues/6362)) ([81e0455](https://redirect.github.com/axios/axios/commit/81e0455b7b57fbaf2be16a73ebe0e6591cc6d8f9)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+1015/-127 (#​6371 )") - avatar [Jay](https://redirect.github.com/jasonsaayman "+30/-14 ()") - avatar [Alexandre ABRIOUX](https://redirect.github.com/alexandre-abrioux "+56/-6 (#​6362 )") ### [`v1.6.8`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#168-2024-03-15) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.7...v1.6.8) ##### Bug Fixes - **AxiosHeaders:** fix AxiosHeaders conversion to an object during config merging ([#​6243](https://redirect.github.com/axios/axios/issues/6243)) ([2656612](https://redirect.github.com/axios/axios/commit/2656612bc10fe2757e9832b708ed773ab340b5cb)) - **import:** use named export for EventEmitter; ([7320430](https://redirect.github.com/axios/axios/commit/7320430aef2e1ba2b89488a0eaf42681165498b1)) - **vulnerability:** update follow-redirects to 1.15.6 ([#​6300](https://redirect.github.com/axios/axios/issues/6300)) ([8786e0f](https://redirect.github.com/axios/axios/commit/8786e0ff55a8c68d4ca989801ad26df924042e27)) ##### Contributors to this release - avatar [Jay](https://redirect.github.com/jasonsaayman "+4572/-3446 (#​6238 )") - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+30/-0 (#​6231 )") - avatar [Mitchell](https://redirect.github.com/Creaous "+9/-9 (#​6300 )") - avatar [Emmanuel](https://redirect.github.com/mannoeu "+2/-2 (#​6196 )") - avatar [Lucas Keller](https://redirect.github.com/ljkeller "+3/-0 (#​6194 )") - avatar [Aditya Mogili](https://redirect.github.com/ADITYA-176 "+1/-1 ()") - avatar [Miroslav Petrov](https://redirect.github.com/petrovmiroslav "+1/-1 (#​6243 )") ### [`v1.6.7`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#167-2024-01-25) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.6...v1.6.7) ##### Bug Fixes - capture async stack only for rejections with native error objects; ([#​6203](https://redirect.github.com/axios/axios/issues/6203)) ([1a08f90](https://redirect.github.com/axios/axios/commit/1a08f90f402336e4d00e9ee82f211c6adb1640b0)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+30/-26 (#​6203 )") - avatar [zhoulixiang](https://redirect.github.com/zh-lx "+0/-3 (#​6186 )") ### [`v1.6.6`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#166-2024-01-24) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.5...v1.6.6) ##### Bug Fixes - fixed missed dispatchBeforeRedirect argument ([#​5778](https://redirect.github.com/axios/axios/issues/5778)) ([a1938ff](https://redirect.github.com/axios/axios/commit/a1938ff073fcb0f89011f001dfbc1fa1dc995e39)) - wrap errors to improve async stack trace ([#​5987](https://redirect.github.com/axios/axios/issues/5987)) ([123f354](https://redirect.github.com/axios/axios/commit/123f354b920f154a209ea99f76b7b2ef3d9ebbab)) ##### Contributors to this release - avatar [Ilya Priven](https://redirect.github.com/ikonst "+91/-8 (#​5987 )") - avatar [Zao Soula](https://redirect.github.com/zaosoula "+6/-6 (#​5778 )") ### [`v1.6.5`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#165-2024-01-05) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.4...v1.6.5) ##### Bug Fixes - **ci:** refactor notify action as a job of publish action; ([#​6176](https://redirect.github.com/axios/axios/issues/6176)) ([0736f95](https://redirect.github.com/axios/axios/commit/0736f95ce8776366dc9ca569f49ba505feb6373c)) - **dns:** fixed lookup error handling; ([#​6175](https://redirect.github.com/axios/axios/issues/6175)) ([f4f2b03](https://redirect.github.com/axios/axios/commit/f4f2b039dd38eb4829e8583caede4ed6d2dd59be)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+41/-6 (#​6176 #​6175 )") - avatar [Jay](https://redirect.github.com/jasonsaayman "+6/-1 ()") ### [`v1.6.4`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#164-2024-01-03) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.3...v1.6.4) ##### Bug Fixes - **security:** fixed formToJSON prototype pollution vulnerability; ([#​6167](https://redirect.github.com/axios/axios/issues/6167)) ([3c0c11c](https://redirect.github.com/axios/axios/commit/3c0c11cade045c4412c242b5727308cff9897a0e)) - **security:** fixed security vulnerability in follow-redirects ([#​6163](https://redirect.github.com/axios/axios/issues/6163)) ([75af1cd](https://redirect.github.com/axios/axios/commit/75af1cdff5b3a6ca3766d3d3afbc3115bb0811b8)) ##### Contributors to this release - avatar [Jay](https://redirect.github.com/jasonsaayman "+34/-6 ()") - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+34/-3 (#​6172 #​6167 )") - avatar [Guy Nesher](https://redirect.github.com/gnesher "+10/-10 (#​6163 )") ### [`v1.6.3`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#163-2023-12-26) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.2...v1.6.3) ##### Bug Fixes - Regular Expression Denial of Service (ReDoS) ([#​6132](https://redirect.github.com/axios/axios/issues/6132)) ([5e7ad38](https://redirect.github.com/axios/axios/commit/5e7ad38fb0f819fceb19fb2ee5d5d38f56aa837d)) ##### Contributors to this release - avatar [Jay](https://redirect.github.com/jasonsaayman "+15/-6 (#​6145 )") - avatar [Willian Agostini](https://redirect.github.com/WillianAgostini "+17/-2 (#​6132 )") - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+3/-0 (#​6084 )") ### [`v1.6.2`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#162-2023-11-14) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.1...v1.6.2) ##### Features - **withXSRFToken:** added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ([#​6046](https://redirect.github.com/axios/axios/issues/6046)) ([cff9967](https://redirect.github.com/axios/axios/commit/cff996779b272a5e94c2b52f5503ccf668bc42dc)) ##### PRs - feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old \`withCredentials\` behavior; ( [#​6046](https://api.github.com/repos/axios/axios/pulls/6046) ) ``` 📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. You should now use withXSRFToken along with withCredential to get the old behavior. This functionality is considered as a fix. ``` ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+271/-146 (#​6081 #​6080 #​6079 #​6078 #​6046 #​6064 #​6063 )") - avatar [Ng Choon Khon (CK)](https://redirect.github.com/ckng0221 "+4/-4 (#​6073 )") - avatar [Muhammad Noman](https://redirect.github.com/mnomanmemon "+2/-2 (#​6048 )") ### [`v1.6.1`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#161-2023-11-08) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.0...v1.6.1) ##### Bug Fixes - **formdata:** fixed content-type header normalization for non-standard browser environments; ([#​6056](https://redirect.github.com/axios/axios/issues/6056)) ([dd465ab](https://redirect.github.com/axios/axios/commit/dd465ab22bbfa262c6567be6574bf46a057d5288)) - **platform:** fixed emulated browser detection in node.js environment; ([#​6055](https://redirect.github.com/axios/axios/issues/6055)) ([3dc8369](https://redirect.github.com/axios/axios/commit/3dc8369e505e32a4e12c22f154c55fd63ac67fbb)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+432/-65 (#​6059 #​6056 #​6055 )") - avatar [Fabian Meyer](https://redirect.github.com/meyfa "+5/-2 (#​5835 )") ### [`v1.6.0`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#160-2023-10-26) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.5.1...v1.6.0) ##### Bug Fixes - **CSRF:** fixed CSRF vulnerability CVE-2023-45857 ([#​6028](https://redirect.github.com/axios/axios/issues/6028)) ([96ee232](https://redirect.github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0)) - **dns:** fixed lookup function decorator to work properly in node v20; ([#​6011](https://redirect.github.com/axios/axios/issues/6011)) ([5aaff53](https://redirect.github.com/axios/axios/commit/5aaff532a6b820bb9ab6a8cd0f77131b47e2adb8)) - **types:** fix AxiosHeaders types; ([#​5931](https://redirect.github.com/axios/axios/issues/5931)) ([a1c8ad0](https://redirect.github.com/axios/axios/commit/a1c8ad008b3c13d53e135bbd0862587fb9d3fc09)) ##### PRs - CVE 2023 45857 ( [#​6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+449/-114 (#​6032 #​6021 #​6011 #​5932 #​5931 )") - avatar [Valentin Panov](https://redirect.github.com/valentin-panov "+4/-4 (#​6028 )") - avatar [Rinku Chaudhari](https://redirect.github.com/therealrinku "+1/-1 (#​5889 )") #### [1.5.1](https://redirect.github.com/axios/axios/compare/v1.5.0...v1.5.1) (2023-09-26) ##### Bug Fixes - **adapters:** improved adapters loading logic to have clear error messages; ([#​5919](https://redirect.github.com/axios/axios/issues/5919)) ([e410779](https://redirect.github.com/axios/axios/commit/e4107797a7a1376f6209fbecfbbce73d3faa7859)) - **formdata:** fixed automatic addition of the `Content-Type` header for FormData in non-browser environments; ([#​5917](https://redirect.github.com/axios/axios/issues/5917)) ([bc9af51](https://redirect.github.com/axios/axios/commit/bc9af51b1886d1b3529617702f2a21a6c0ed5d92)) - **headers:** allow `content-encoding` header to handle case-insensitive values ([#​5890](https://redirect.github.com/axios/axios/issues/5890)) ([#​5892](https://redirect.github.com/axios/axios/issues/5892)) ([4c89f25](https://redirect.github.com/axios/axios/commit/4c89f25196525e90a6e75eda9cb31ae0a2e18acd)) - **types:** removed duplicated code ([9e62056](https://redirect.github.com/axios/axios/commit/9e6205630e1c9cf863adf141c0edb9e6d8d4b149)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+89/-18 (#​5919 #​5917 )") - avatar [David Dallas](https://redirect.github.com/DavidJDallas "+11/-5 ()") - avatar [Sean Sattler](https://redirect.github.com/fb-sean "+2/-8 ()") - avatar [Mustafa Ateş Uzun](https://redirect.github.com/0o001 "+4/-4 ()") - avatar [Przemyslaw Motacki](https://redirect.github.com/sfc-gh-pmotacki "+2/-1 (#​5892 )") - avatar [Michael Di Prisco](https://redirect.github.com/Cadienvan "+1/-1 ()") ##### PRs - CVE 2023 45857 ( [#​6028](https://api.github.com/repos/axios/axios/pulls/6028) ) ``` ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459 ``` ### [`v1.5.1`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#151-2023-09-26) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.5.0...v1.5.1) ##### Bug Fixes - **adapters:** improved adapters loading logic to have clear error messages; ([#​5919](https://redirect.github.com/axios/axios/issues/5919)) ([e410779](https://redirect.github.com/axios/axios/commit/e4107797a7a1376f6209fbecfbbce73d3faa7859)) - **formdata:** fixed automatic addition of the `Content-Type` header for FormData in non-browser environments; ([#​5917](https://redirect.github.com/axios/axios/issues/5917)) ([bc9af51](https://redirect.github.com/axios/axios/commit/bc9af51b1886d1b3529617702f2a21a6c0ed5d92)) - **headers:** allow `content-encoding` header to handle case-insensitive values ([#​5890](https://redirect.github.com/axios/axios/issues/5890)) ([#​5892](https://redirect.github.com/axios/axios/issues/5892)) ([4c89f25](https://redirect.github.com/axios/axios/commit/4c89f25196525e90a6e75eda9cb31ae0a2e18acd)) - **types:** removed duplicated code ([9e62056](https://redirect.github.com/axios/axios/commit/9e6205630e1c9cf863adf141c0edb9e6d8d4b149)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+89/-18 (#​5919 #​5917 )") - avatar [David Dallas](https://redirect.github.com/DavidJDallas "+11/-5 ()") - avatar [Sean Sattler](https://redirect.github.com/fb-sean "+2/-8 ()") - avatar [Mustafa Ateş Uzun](https://redirect.github.com/0o001 "+4/-4 ()") - avatar [Przemyslaw Motacki](https://redirect.github.com/sfc-gh-pmotacki "+2/-1 (#​5892 )") - avatar [Michael Di Prisco](https://redirect.github.com/Cadienvan "+1/-1 ()") ### [`v1.5.0`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#150-2023-08-26) [Compare Source](https://redirect.github.com/axios/axios/compare/v1.4.0...v1.5.0) ##### Bug Fixes - **adapter:** make adapter loading error more clear by using platform-specific adapters explicitly ([#​5837](https://redirect.github.com/axios/axios/issues/5837)) ([9a414bb](https://redirect.github.com/axios/axios/commit/9a414bb6c81796a95c6c7fe668637825458e8b6d)) - **dns:** fixed `cacheable-lookup` integration; ([#​5836](https://redirect.github.com/axios/axios/issues/5836)) ([b3e327d](https://redirect.github.com/axios/axios/commit/b3e327dcc9277bdce34c7ef57beedf644b00d628)) - **headers:** added support for setting header names that overlap with class methods; ([#​5831](https://redirect.github.com/axios/axios/issues/5831)) ([d8b4ca0](https://redirect.github.com/axios/axios/commit/d8b4ca0ea5f2f05efa4edfe1e7684593f9f68273)) - **headers:** fixed common Content-Type header merging; ([#​5832](https://redirect.github.com/axios/axios/issues/5832)) ([8fda276](https://redirect.github.com/axios/axios/commit/8fda2766b1e6bcb72c3fabc146223083ef13ce17)) ##### Features - export getAdapter function ([#​5324](https://redirect.github.com/axios/axios/issues/5324)) ([ca73eb8](https://redirect.github.com/axios/axios/commit/ca73eb878df0ae2dace81fe3a7f1fb5986231bf1)) - **export:** export adapters without `unsafe` prefix ([#​5839](https://redirect.github.com/axios/axios/issues/5839)) ([1601f4a](https://redirect.github.com/axios/axios/commit/1601f4a27a81ab47fea228f1e244b2c4e3ce28bf)) ##### Contributors to this release - avatar [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+66/-29 (#​5839 #​5837 #​5836 #​5832 #​5831 )") - avatar [夜葬](https://redirect.github.com/geekact "+42/-0 (#​5324 )") - avatar [Jonathan Budiman](https://redirect.github.com/JBudiman00 "+30/-0 (#​5788 )") - avatar [Michael Di Prisco](https://redirect.github.com/Cadienvan "+3/-5 (#​5791 )")

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.