Open renovate[bot] opened 8 months ago
This PR contains the following updates:

- axios: `1.4.0` -> `1.7.4`
## GitHub Vulnerability Alerts

### CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host, allowing attackers to view sensitive information.

### CVE-2024-39338

axios 1.7.2 allows SSRF via unexpected behavior where requests for path-relative URLs get processed as protocol-relative URLs.
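As an added illustration (not axios's own code and not part of this PR), the following JavaScript models the two advisories above: a protocol-relative path (`//host/path`) escapes `baseURL` unless the client treats only scheme-prefixed URLs as absolute, and the XSRF cookie value is copied into the `X-XSRF-TOKEN` header only for same-origin requests or an explicit `withXSRFToken` opt-in. The regexes, `combineURLs`, `buildFullPath` and `xsrfHeaderAllowed` are assumptions modelled on the changelog descriptions, not the library's source.

```javascript
// Added illustration of the two advisories above; not axios's own code.
// Assumption: the client resolves `url` against `baseURL` the way modelled here.

// Reading that treats a protocol-relative URL ("//host/path") as absolute: with a
// baseURL configured, such a path escapes the intended host (the CVE-2024-39338 pattern).
const ABSOLUTE_OR_PROTOCOL_RELATIVE = /^([a-z][a-z\d+\-.]*:)?\/\//i;
// Hardened reading: only a URL with an explicit scheme is absolute; "//host/path" is
// combined with baseURL like any other relative path.
const ABSOLUTE_ONLY = /^[a-z][a-z\d+\-.]*:\/\//i;

// Join baseURL and a relative path, collapsing the slashes at the seam.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Full request URL under the vulnerable (hardened=false) or hardened reading.
function buildFullPath(baseURL, requestedURL, hardened = true) {
  const isAbsolute = hardened ? ABSOLUTE_ONLY : ABSOLUTE_OR_PROTOCOL_RELATIVE;
  if (baseURL && !isAbsolute.test(requestedURL)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Whether the XSRF cookie value may be copied into the X-XSRF-TOKEN header.
// Pre-fix reading (CVE-2023-45857): withCredentials alone was enough, so the token
// went to every host. Hardened reading: same-origin only, unless withXSRFToken opts in.
function xsrfHeaderAllowed(fullPath, pageOrigin, options = {}, hardened = true) {
  const { withCredentials = false, withXSRFToken } = options;
  const sameOrigin = new URL(fullPath, pageOrigin).origin === new URL(pageOrigin).origin;
  if (!hardened) return withCredentials || sameOrigin;
  if (withXSRFToken === true) return true;   // explicit opt-in (the 1.6.2 option)
  if (withXSRFToken === false) return false; // explicit opt-out
  return sameOrigin;
}

// Constructed sample values for a stand-alone run.
const base = 'https://api.example.com';
const page = 'https://app.example.com';
console.log(buildFullPath(base, '//other.example/path', false)); // "//other.example/path" (escapes baseURL)
console.log(buildFullPath(base, '//other.example/path'));        // "https://api.example.com/other.example/path"
console.log(xsrfHeaderAllowed('https://other.example/x', page, { withCredentials: true }, false)); // true (token leaks)
console.log(xsrfHeaderAllowed('https://other.example/x', page, { withCredentials: true }));        // false
```

The same checks are a useful unit test against any HTTP-client wrapper you maintain: a request path starting with `//` must stay on `baseURL`, and the token header must never be attached to a cross-origin target without an explicit opt-in.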
## Release Notes

**axios/axios (axios)**
### [`v1.7.4`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#174-2024-08-13)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.3...v1.7.4)

##### Bug Fixes

- **sec:** CVE-2024-39338 ([#6539](https://redirect.github.com/axios/axios/issues/6539)) ([#6543](https://redirect.github.com/axios/axios/issues/6543)) ([6b6b605](https://redirect.github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a))
- **sec:** disregard protocol-relative URL to remediate SSRF ([#6539](https://redirect.github.com/axios/axios/issues/6539)) ([07a661a](https://redirect.github.com/axios/axios/commit/07a661a2a6b9092c4aa640dcc7f724ec5e65bdda))

##### Contributors to this release

- [Lev Pachmanov](https://redirect.github.com/levpachmanov "+47/-11 (#6543 )")
- [Đỗ Trọng Hải](https://redirect.github.com/hainenber "+49/-4 (#6539 )")

### [`v1.7.3`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#173-2024-08-01)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.2...v1.7.3)

##### Bug Fixes

- **adapter:** fix progress event emitting; ([#6518](https://redirect.github.com/axios/axios/issues/6518)) ([e3c76fc](https://redirect.github.com/axios/axios/commit/e3c76fc9bdd03aa4d98afaf211df943e2031453f))
- **fetch:** fix withCredentials request config ([#6505](https://redirect.github.com/axios/axios/issues/6505)) ([85d4d0e](https://redirect.github.com/axios/axios/commit/85d4d0ea0aae91082f04e303dec46510d1b4e787))
- **xhr:** return original config on errors from XHR adapter ([#6515](https://redirect.github.com/axios/axios/issues/6515)) ([8966ee7](https://redirect.github.com/axios/axios/commit/8966ee7ea62ecbd6cfb39a905939bcdab5cf6388))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+211/-159 (#6518 #6519 )")
- [Valerii Sidorenko](https://redirect.github.com/ValeraS "+3/-3 (#6515 )")
- [prianYu](https://redirect.github.com/prianyu "+2/-2 (#6505 )")

### [`v1.7.2`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#172-2024-05-21)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.1...v1.7.2)

##### Bug Fixes

- **fetch:** enhance fetch API detection; ([#6413](https://redirect.github.com/axios/axios/issues/6413)) ([4f79aef](https://redirect.github.com/axios/axios/commit/4f79aef81b7c4644328365bfc33acf0a9ef595bc))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+3/-3 (#6413 )")

### [`v1.7.1`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#171-2024-05-20)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.7.0...v1.7.1)

##### Bug Fixes

- **fetch:** fixed ReferenceError issue when TextEncoder is not available in the environment; ([#6410](https://redirect.github.com/axios/axios/issues/6410)) ([733f15f](https://redirect.github.com/axios/axios/commit/733f15fe5bd2d67e1fadaee82e7913b70d45dc5e))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+14/-9 (#6410 )")

### [`v1.7.0`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#170-2024-05-19)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.8...v1.7.0)

##### Features

- **adapter:** add fetch adapter; ([#6371](https://redirect.github.com/axios/axios/issues/6371)) ([a3ff99b](https://redirect.github.com/axios/axios/commit/a3ff99b59d8ec2ab5dd049e68c043617a4072e42))

##### Bug Fixes

- **core/axios:** handle un-writable error stack ([#6362](https://redirect.github.com/axios/axios/issues/6362)) ([81e0455](https://redirect.github.com/axios/axios/commit/81e0455b7b57fbaf2be16a73ebe0e6591cc6d8f9))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+1015/-127 (#6371 )")
- [Jay](https://redirect.github.com/jasonsaayman "+30/-14 ()")
- [Alexandre ABRIOUX](https://redirect.github.com/alexandre-abrioux "+56/-6 (#6362 )")

### [`v1.6.8`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#168-2024-03-15)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.7...v1.6.8)

##### Bug Fixes

- **AxiosHeaders:** fix AxiosHeaders conversion to an object during config merging ([#6243](https://redirect.github.com/axios/axios/issues/6243)) ([2656612](https://redirect.github.com/axios/axios/commit/2656612bc10fe2757e9832b708ed773ab340b5cb))
- **import:** use named export for EventEmitter; ([7320430](https://redirect.github.com/axios/axios/commit/7320430aef2e1ba2b89488a0eaf42681165498b1))
- **vulnerability:** update follow-redirects to 1.15.6 ([#6300](https://redirect.github.com/axios/axios/issues/6300)) ([8786e0f](https://redirect.github.com/axios/axios/commit/8786e0ff55a8c68d4ca989801ad26df924042e27))

##### Contributors to this release

- [Jay](https://redirect.github.com/jasonsaayman "+4572/-3446 (#6238 )")
- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+30/-0 (#6231 )")
- [Mitchell](https://redirect.github.com/Creaous "+9/-9 (#6300 )")
- [Emmanuel](https://redirect.github.com/mannoeu "+2/-2 (#6196 )")
- [Lucas Keller](https://redirect.github.com/ljkeller "+3/-0 (#6194 )")
- [Aditya Mogili](https://redirect.github.com/ADITYA-176 "+1/-1 ()")
- [Miroslav Petrov](https://redirect.github.com/petrovmiroslav "+1/-1 (#6243 )")

### [`v1.6.7`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#167-2024-01-25)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.6...v1.6.7)

##### Bug Fixes

- capture async stack only for rejections with native error objects; ([#6203](https://redirect.github.com/axios/axios/issues/6203)) ([1a08f90](https://redirect.github.com/axios/axios/commit/1a08f90f402336e4d00e9ee82f211c6adb1640b0))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+30/-26 (#6203 )")
- [zhoulixiang](https://redirect.github.com/zh-lx "+0/-3 (#6186 )")

### [`v1.6.6`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#166-2024-01-24)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.5...v1.6.6)

##### Bug Fixes

- fixed missed dispatchBeforeRedirect argument ([#5778](https://redirect.github.com/axios/axios/issues/5778)) ([a1938ff](https://redirect.github.com/axios/axios/commit/a1938ff073fcb0f89011f001dfbc1fa1dc995e39))
- wrap errors to improve async stack trace ([#5987](https://redirect.github.com/axios/axios/issues/5987)) ([123f354](https://redirect.github.com/axios/axios/commit/123f354b920f154a209ea99f76b7b2ef3d9ebbab))

##### Contributors to this release

- [Ilya Priven](https://redirect.github.com/ikonst "+91/-8 (#5987 )")
- [Zao Soula](https://redirect.github.com/zaosoula "+6/-6 (#5778 )")

### [`v1.6.5`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#165-2024-01-05)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.4...v1.6.5)

##### Bug Fixes

- **ci:** refactor notify action as a job of publish action; ([#6176](https://redirect.github.com/axios/axios/issues/6176)) ([0736f95](https://redirect.github.com/axios/axios/commit/0736f95ce8776366dc9ca569f49ba505feb6373c))
- **dns:** fixed lookup error handling; ([#6175](https://redirect.github.com/axios/axios/issues/6175)) ([f4f2b03](https://redirect.github.com/axios/axios/commit/f4f2b039dd38eb4829e8583caede4ed6d2dd59be))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+41/-6 (#6176 #6175 )")
- [Jay](https://redirect.github.com/jasonsaayman "+6/-1 ()")

### [`v1.6.4`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#164-2024-01-03)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.3...v1.6.4)

##### Bug Fixes

- **security:** fixed formToJSON prototype pollution vulnerability; ([#6167](https://redirect.github.com/axios/axios/issues/6167)) ([3c0c11c](https://redirect.github.com/axios/axios/commit/3c0c11cade045c4412c242b5727308cff9897a0e))
- **security:** fixed security vulnerability in follow-redirects ([#6163](https://redirect.github.com/axios/axios/issues/6163)) ([75af1cd](https://redirect.github.com/axios/axios/commit/75af1cdff5b3a6ca3766d3d3afbc3115bb0811b8))

##### Contributors to this release

- [Jay](https://redirect.github.com/jasonsaayman "+34/-6 ()")
- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+34/-3 (#6172 #6167 )")
- [Guy Nesher](https://redirect.github.com/gnesher "+10/-10 (#6163 )")

### [`v1.6.3`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#163-2023-12-26)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.2...v1.6.3)

##### Bug Fixes

- Regular Expression Denial of Service (ReDoS) ([#6132](https://redirect.github.com/axios/axios/issues/6132)) ([5e7ad38](https://redirect.github.com/axios/axios/commit/5e7ad38fb0f819fceb19fb2ee5d5d38f56aa837d))

##### Contributors to this release

- [Jay](https://redirect.github.com/jasonsaayman "+15/-6 (#6145 )")
- [Willian Agostini](https://redirect.github.com/WillianAgostini "+17/-2 (#6132 )")
- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+3/-0 (#6084 )")

### [`v1.6.2`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#162-2023-11-14)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.1...v1.6.2)

##### Features

- **withXSRFToken:** added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ([#6046](https://redirect.github.com/axios/axios/issues/6046)) ([cff9967](https://redirect.github.com/axios/axios/commit/cff996779b272a5e94c2b52f5503ccf668bc42dc))

##### PRs

- feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ([#6046](https://api.github.com/repos/axios/axios/pulls/6046))

```
📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. You should now use withXSRFToken along with withCredential to get the old behavior. This functionality is considered as a fix.
```

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+271/-146 (#6081 #6080 #6079 #6078 #6046 #6064 #6063 )")
- [Ng Choon Khon (CK)](https://redirect.github.com/ckng0221 "+4/-4 (#6073 )")
- [Muhammad Noman](https://redirect.github.com/mnomanmemon "+2/-2 (#6048 )")

### [`v1.6.1`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#161-2023-11-08)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.6.0...v1.6.1)

##### Bug Fixes

- **formdata:** fixed content-type header normalization for non-standard browser environments; ([#6056](https://redirect.github.com/axios/axios/issues/6056)) ([dd465ab](https://redirect.github.com/axios/axios/commit/dd465ab22bbfa262c6567be6574bf46a057d5288))
- **platform:** fixed emulated browser detection in node.js environment; ([#6055](https://redirect.github.com/axios/axios/issues/6055)) ([3dc8369](https://redirect.github.com/axios/axios/commit/3dc8369e505e32a4e12c22f154c55fd63ac67fbb))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+432/-65 (#6059 #6056 #6055 )")
- [Fabian Meyer](https://redirect.github.com/meyfa "+5/-2 (#5835 )")

### [`v1.6.0`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#160-2023-10-26)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.5.1...v1.6.0)

##### Bug Fixes

- **CSRF:** fixed CSRF vulnerability CVE-2023-45857 ([#6028](https://redirect.github.com/axios/axios/issues/6028)) ([96ee232](https://redirect.github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0))
- **dns:** fixed lookup function decorator to work properly in node v20; ([#6011](https://redirect.github.com/axios/axios/issues/6011)) ([5aaff53](https://redirect.github.com/axios/axios/commit/5aaff532a6b820bb9ab6a8cd0f77131b47e2adb8))
- **types:** fix AxiosHeaders types; ([#5931](https://redirect.github.com/axios/axios/issues/5931)) ([a1c8ad0](https://redirect.github.com/axios/axios/commit/a1c8ad008b3c13d53e135bbd0862587fb9d3fc09))

##### PRs

- CVE 2023 45857 ([#6028](https://api.github.com/repos/axios/axios/pulls/6028))

```
⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
```

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+449/-114 (#6032 #6021 #6011 #5932 #5931 )")
- [Valentin Panov](https://redirect.github.com/valentin-panov "+4/-4 (#6028 )")
- [Rinku Chaudhari](https://redirect.github.com/therealrinku "+1/-1 (#5889 )")

### [`v1.5.1`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#151-2023-09-26)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.5.0...v1.5.1)

##### Bug Fixes

- **adapters:** improved adapters loading logic to have clear error messages; ([#5919](https://redirect.github.com/axios/axios/issues/5919)) ([e410779](https://redirect.github.com/axios/axios/commit/e4107797a7a1376f6209fbecfbbce73d3faa7859))
- **formdata:** fixed automatic addition of the `Content-Type` header for FormData in non-browser environments; ([#5917](https://redirect.github.com/axios/axios/issues/5917)) ([bc9af51](https://redirect.github.com/axios/axios/commit/bc9af51b1886d1b3529617702f2a21a6c0ed5d92))
- **headers:** allow `content-encoding` header to handle case-insensitive values ([#5890](https://redirect.github.com/axios/axios/issues/5890)) ([#5892](https://redirect.github.com/axios/axios/issues/5892)) ([4c89f25](https://redirect.github.com/axios/axios/commit/4c89f25196525e90a6e75eda9cb31ae0a2e18acd))
- **types:** removed duplicated code ([9e62056](https://redirect.github.com/axios/axios/commit/9e6205630e1c9cf863adf141c0edb9e6d8d4b149))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+89/-18 (#5919 #5917 )")
- [David Dallas](https://redirect.github.com/DavidJDallas "+11/-5 ()")
- [Sean Sattler](https://redirect.github.com/fb-sean "+2/-8 ()")
- [Mustafa Ateş Uzun](https://redirect.github.com/0o001 "+4/-4 ()")
- [Przemyslaw Motacki](https://redirect.github.com/sfc-gh-pmotacki "+2/-1 (#5892 )")
- [Michael Di Prisco](https://redirect.github.com/Cadienvan "+1/-1 ()")

### [`v1.5.0`](https://redirect.github.com/axios/axios/blob/HEAD/CHANGELOG.md#150-2023-08-26)

[Compare Source](https://redirect.github.com/axios/axios/compare/v1.4.0...v1.5.0)

##### Bug Fixes

- **adapter:** make adapter loading error more clear by using platform-specific adapters explicitly ([#5837](https://redirect.github.com/axios/axios/issues/5837)) ([9a414bb](https://redirect.github.com/axios/axios/commit/9a414bb6c81796a95c6c7fe668637825458e8b6d))
- **dns:** fixed `cacheable-lookup` integration; ([#5836](https://redirect.github.com/axios/axios/issues/5836)) ([b3e327d](https://redirect.github.com/axios/axios/commit/b3e327dcc9277bdce34c7ef57beedf644b00d628))
- **headers:** added support for setting header names that overlap with class methods; ([#5831](https://redirect.github.com/axios/axios/issues/5831)) ([d8b4ca0](https://redirect.github.com/axios/axios/commit/d8b4ca0ea5f2f05efa4edfe1e7684593f9f68273))
- **headers:** fixed common Content-Type header merging; ([#5832](https://redirect.github.com/axios/axios/issues/5832)) ([8fda276](https://redirect.github.com/axios/axios/commit/8fda2766b1e6bcb72c3fabc146223083ef13ce17))

##### Features

- export getAdapter function ([#5324](https://redirect.github.com/axios/axios/issues/5324)) ([ca73eb8](https://redirect.github.com/axios/axios/commit/ca73eb878df0ae2dace81fe3a7f1fb5986231bf1))
- **export:** export adapters without `unsafe` prefix ([#5839](https://redirect.github.com/axios/axios/issues/5839)) ([1601f4a](https://redirect.github.com/axios/axios/commit/1601f4a27a81ab47fea228f1e244b2c4e3ce28bf))

##### Contributors to this release

- [Dmitriy Mozgovoy](https://redirect.github.com/DigitalBrainJS "+66/-29 (#5839 #5837 #5836 #5832 #5831 )")
- [夜葬](https://redirect.github.com/geekact "+42/-0 (#5324 )")
- [Jonathan Budiman](https://redirect.github.com/JBudiman00 "+30/-0 (#5788 )")
- [Michael Di Prisco](https://redirect.github.com/Cadienvan "+3/-5 (#5791 )")

## Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.