Skip to content

Bump axios from 1.14.0 to 1.15.0#1381

Merged
Ryang-21 merged 1 commit intomasterfrom
dependabot/npm_and_yarn/axios-1.15.0
Apr 14, 2026
Merged

Bump axios from 1.14.0 to 1.15.0#1381
Ryang-21 merged 1 commit intomasterfrom
dependabot/npm_and_yarn/axios-1.15.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 12, 2026

Bumps axios from 1.14.0 to 1.15.0.

Release notes

Sourced from axios's releases.

v1.15.0

This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates.

⚠️ Important Changes

  • Deprecation: url.parse() usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (#10625)

🔒 Security Fixes

  • Proxy Handling: Fixed a no_proxy hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (#10661)
  • Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (#10660)

🚀 New Features

  • Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (#10652, #10653)

🔧 Maintenance & Chores

  • CI Security: Hardened workflow permissions to least privilege, added the zizmor security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (#10618, #10619, #10627, #10637, #10666)
  • Dependencies: Bumped serialize-javascript, handlebars, picomatch, vite, and denoland/setup-deno to latest versions. Added a 7-day Dependabot cooldown period. (#10574, #10572, #10568, #10663, #10664, #10665, #10669, #10670, #10616)
  • Documentation: Unified docs, improved beforeRedirect credential leakage example, clarified withCredentials/withXSRFToken behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (#10649, #10624, #7452, #7471, #10654, #10644, #10589)
  • Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (#10584, #10650, #10582, #10640, #10659, #10668)
  • Tests: Added regression coverage for urlencoded Content-Type casing. (#10573)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

Changelog

Sourced from axios's changelog.

Changelog

1.13.3 (2026-01-20)

Bug Fixes

  • http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
  • interceptor: handle the error in the same interceptor (#6269) (5945e40)
  • main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
  • package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
  • silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
  • turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
  • types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
  • types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
  • unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

Reverts

  • Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
  • deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

... (truncated)

Commits
  • 772a4e5 chore(release): prepare release 1.15.0 (#10671)
  • 4b07137 chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)
  • 51e57b3 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)
  • fba1a77 chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)
  • 0bf6e28 chore(deps): bump denoland/setup-deno in the github-actions group (#10669)
  • 8107157 chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)
  • e66530e ci: require npm-publish environment for releases (#10666)
  • 49f23cb chore(sponsor): update sponsor block (#10668)
  • 3631854 fix: unrestricted cloud metadata exfiltration via header injection chain (#10...
  • fb3befb fix: no_proxy hostname normalization bypass leads to ssrf (#10661)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump axios from 1.14.0 to 1.15.0
b9ba30b 
Bumps [axios](https://github.com/axios/axios) from 1.14.0 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.14.0...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 12, 2026
@dependabot dependabot Bot requested review from Copilot and removed request for Copilot April 12, 2026 11:54
@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX Apr 12, 2026
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Apr 12, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedaxios@​1.14.0 ⏵ 1.15.091 +1100 +7510095100

View full report

@aacsspkt
Copy link
Copy Markdown

aacsspkt commented Apr 13, 2026

Can someone please review this and merge it?

AshFrancis added a commit to CTX-com/Cards402 that referenced this pull request Apr 13, 2026
@AshFrancis
feat(sdk): resumable purchase flow + soroban retry hardening
3c6532b 
submitSorobanTx now retries TRY_AGAIN_LATER and transient network
errors up to 5x with 1.5s spacing. The finalization deadline is
extended to 120s so mainnet RPC backpressure doesn't bail out
prematurely. DUPLICATE status is treated as "already in flight" and
falls through to polling instead of erroring. On a polling timeout
we still throw, but the tx hash is attached to the error so the
caller can recover.

purchaseCardOWS wraps every post-createOrder failure in a new
ResumableError carrying the orderId and phase (unpaid / paid). When
submitSorobanTx throws with a txHash, purchaseCardOWS swallows the
error and proceeds to waitForCard — the cards402 backend watcher
will credit the order when the tx eventually lands, even if the SDK
gave up polling. Auth / validation errors propagate unchanged.

The CLI's new `--resume <order-id>` flag skips createOrder and
reattaches to an existing order via waitForCard. On any resumable
error the CLI saves the order id to ~/.cards402/last-order and
prints a one-line resume hint so agents never lose track of
in-flight purchases.

Documents a known upstream axios vulnerability in the README —
@stellar/stellar-sdk pins axios 1.14.0, consumers can silence
`npm audit` with a one-line overrides block in their package.json.
Upstream fix is tracked at stellar/js-stellar-sdk#1381.
@mootz12 mootz12 requested a review from Ryang-21 April 14, 2026 20:14
@Ryang-21 Ryang-21 merged commit da2f95b into master Apr 14, 2026
10 checks passed
@Ryang-21 Ryang-21 deleted the dependabot/npm_and_yarn/axios-1.15.0 branch April 14, 2026 20:15
@github-project-automation github-project-automation Bot moved this from Backlog (Not Ready) to Done in DevX Apr 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ryang-21 Ryang-21 Ryang-21 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

DevX
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aacsspkt @Ryang-21