🚨 [security] Update axios 1.13.2 → 1.14.0 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ axios (1.13.2 → 1.14.0) · Repo · Changelog

Security Advisories 🚨

🚨 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
2. Object.keys() includes '__proto__' in the iteration
3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

• Axios._request() at lib/core/Axios.js:75
• Axios.getUri() at lib/core/Axios.js:201
• All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";
const maliciousConfig = JSON.parse('{"proto": {"x": 1}}');

await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

1. Clone axios repository or npm install axios
2. Create file poc.mjs with the code above
3. Run: node poc.mjs
4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test	Config	Result
Normal config	{"timeout": 5000}	SUCCESS
Malicious config	JSON.parse('{"__proto__": {"x": 1}}')	CRASH
Nested object	{"headers": {"X-Test": "value"}}	SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

• Node.js servers using axios for HTTP requests
• Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Release Notes

1.14.0

This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably proxy-from-env v2 alignment and main entry compatibility fix).

🚀 New Features

• Runtime Features: No new end-user features were introduced in this release.
• Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (#7510)

🐛 Bug Fixes

• Headers: Trim trailing CRLF in normalised header values. (#7456)
• HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (#7457)
• Fetch Adapter: Cancel ReadableStream created during request-stream capability probing to prevent async resource leaks. (#7515)
• Proxy Handling: Fixed env proxy behavior with proxy-from-env v2 usage. (#7499)
• CommonJS Compatibility: Fixed package main entry regression affecting CJS consumers. (#7532)

🔧 Maintenance & Chores

• Security/Dependencies: Updated formidable and refreshed package set to newer versions. (#7533, #10556)
• Tooling: Continued migration to Vitest and modernised CI/test harnesses. (#7484, #7489, #7498)
• Build/Lint Stack: Rollup, ESLint, TypeScript, and related dev-dependency updates. (#7508, #7509, #7522)
• Documentation: Clarified JSON parsing and adapter-related docs/comments. (#7398, #7460, #7478)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve Axios:

• @aviu16 (#7456)
• @NETIZEN-11 (#7460)
• @fedotov (#7457)
• @nthbotast (#7478)
• @veeceey (#7398)
• @penkzhou (#7515)

Full Changelog: v1.13.6...v1.14.0

1.13.6

This release focuses on platform compatibility, error handling improvements, and code quality maintenance.

⚠️ Important Changes

• Breaking Changes: None identified in this release.
• Action Required: Users targeting React Native should verify their integration, particularly if relying on specific Blob or FormData behaviours, as improvements have been made to support these objects.

🚀 New Features

• React Native Blob Support: Axios now includes support for React Native Blob objects. Thanks to @moh3n9595 for the initial implementation. (#5764)
• Code Quality: Implemented prettier across the codebase and resolved associated formatting issues. (#7385)

🐛 Bug Fixes

• Environment Compatibility:

  • Fixed module exports for React Native and Browserify environments. (#7386)
  • Added safe FormData detection for the WeChat Mini Program environment. (#7324)

• Error Handling:

  • AxiosError.message is now correctly enumerable. (#7392)
  • AxiosError.from now correctly copies the status property from the source error, ensuring better error propagation. (#7403)

🔧 Maintenance & Chores

• Dependencies: Updated the development_dependencies group (5 updates). (#7432)
• Infrastructure: Migrated @rollup/plugin-babel from v5.3.1 to v6.1.0. (#7424)
• Documentation: Added missing JSDoc comments to utilities. (#7427)

🌟 New Contributors

We are thrilled to welcome our new contributors! Thank you for helping improve the project:

• @Gudahtt (#7386)
• @ybbus (#7392)
• @Shiwaangee (#7324)
• @skrtheboss (#7403)
• @Janaka66 (#7427)
• @moh3n9595 (#5764)
• @digital-wizard48 (#7424)

Full Changelog: v1.13.5...v1.13.6

1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @sachin11063 (first contribution — PR #7323)
• @asmitha-16 (first contribution — PR #7326)

Full Changelog: v1.13.4...v1.13.5

1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release
  • Cleaned up interceptor test files
  • Improved workflow configurations

Infrastructure & CI/CD

• refactor: ci and build (#7340) (8ff6c19)

  • Major refactoring of CI/CD workflows
  • Consolidated workflow files for better maintainability
  • Added mise configuration for the development environment
  • Improved sponsor block update automation
  • Enhanced issue and PR templates
  • Added automatic release notes generation
  • Implemented workflow cancellation for concurrent runs

• chore: codegen and some updates to workflows (76cf77b)

  • Code generation improvements
  • Workflow optimisations

Migration Notes

Breaking Changes

None in this release.

Deprecations

None in this release.

Contributors

Thank you to all contributors who made this release possible! Special thanks to:

• jasonsaayman - Release management and CI/CD improvements

1.13.3

Release notes:

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes /github.com/microsoft/TypeScript/issues/33471#issuecomment-1376364329

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad
• JohnTitor
• rohit miryala
• Wilson Mun
• techcodie
• Ved Vadnere
• svihpinc
• SANDESH LENDVE
• Lubos
• Jarred Sumner
• Adam Hines
• Subhan Kumar Rai
• Joseph Frazier
• KT0803
• Albie
• Jake Hayes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

⁉️ dotenv (downgrade, 17.2.3 → 16.6.1) · Repo · Changelog

Release Notes

17.2.3 (from changelog)

Changed

• Fixed typescript error definition (#912)

17.2.2 (from changelog)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (from changelog)

Changed

• Fix clickable tip links by removing parentheses (#897)

17.2.0 (from changelog)

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"

// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)

17.1.0 (from changelog)

Added

• Add additional security and configuration tips to the runtime log (#884)
• Dim the tips text from the main injection information text

const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
  '⚙️  enable debug logging with { debug: true }',
  '⚙️  override existing env vars with { override: true }',
  '⚙️  suppress all logs with { quiet: true }',
  '⚙️  write to custom object with { processEnv: myObject }',
  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
]

17.0.1 (from changelog)

Changed

• Patched injected log to count only populated/set keys to process.env (#879)

17.0.0 (from changelog)

Changed

• Default quiet to false - informational (file and keys count) runtime log message shows by default (#875)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ proxy-from-env (indirect, 1.1.0 → 2.1.0) · Repo

Release Notes

2.1.0

What's Changed

This version is identical to v2.0.0, except it supports more old Node.js versions, as old as Node v10.0.0 (#38).

The most significant change between 1.x and 2.x is the transition from url.parse to the standard URL API. Check out the README to learn more about the difference.

Full Changelog: v2.0.0...v2.1.0

2.0.0

What's Changed

• Remove url.parse usage to avoid DEP0169 DeprecationWarning (#30).

• Use WHATWG URL constructor to parse strings instead of url.parse.
  This may cause getProxyForUrl to return an empty string instead of
  a proxy URL when the input is an invalid URL.

• Switch from CJS to ESM. When import syntax is used, the minimum
  compatible Node.js version is v12.17.0. When require is used, the
  minimum compatible Node.js version is v20.19.0, because that version
  introduced require(esm) support.

• Drop detection of npm_config_-prefixed environment variables, which
  was introduced in 1.1.0. Now the behavior is back to version 1.0.0.
  This should not affect users in practice, because the npn ecosystem
  dropped support for these environment variables many years ago (#13).

Full Changelog: v1.1.0...v2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

• 2.1.0
• Explicitly document expectations for invalid URLs
• Clarify precedence of no_proxy / NO_PROXY in tests
• Restore CJS support for Node versions before 20 (#38)
• 2.0.0
• Update README
• Replace url.parse with WHATWG URL API
• Drop support for npm_config_* prefixes
• Add sideEffects:false to package.json for easier tree shaking
• test: simplify testProxyUrl
• CI: Run tests with all supported Node.js versions
• Add test for difference between url.parse and WHATWG URL
• Migrate from CommonJS to ESM
• Upgrade to eslint 9 with flat config
• Drop support for Node < 20
• Remove obsolete endsWith polyfill
• Fix manual coverage test (test-coverage-as-html)
• CI: Update action versions (#33)
• CI: Report to coveralls only from main repo (#35)
• Add workflow_dispatch trigger to run-tests action
• Replace Travis CI with Github Actions (#24)

🆕 @​types/graceful-fs (added, 4.1.9)

🆕 create-jest (added, 29.7.0)

🆕 diff-sequences (added, 29.6.3)

🆕 exit (added, 0.1.2)

🆕 is-core-module (added, 2.16.1)

🆕 jest-get-type (added, 29.6.3)

🆕 kleur (added, 3.0.3)

🆕 path-parse (added, 1.0.7)

🆕 prompts (added, 2.4.2)

🆕 resolve (added, 1.22.11)

🆕 resolve.exports (added, 2.0.3)

🆕 sisteransi (added, 1.0.5)

🆕 supports-preserve-symlinks-flag (added, 1.0.0)

🆕 @​jest/console (added, 29.7.0)

🆕 @​jest/core (added, 29.7.0)

🆕 @​jest/environment (added, 29.7.0)

🆕 @​jest/expect (added, 29.7.0)

🆕 @​jest/expect-utils (added, 29.7.0)

🆕 @​jest/fake-timers (added, 29.7.0)

🆕 @​jest/globals (added, 29.7.0)

🆕 @​jest/reporters (added, 29.7.0)

🆕 @​jest/schemas (added, 29.6.3)

🆕 @​jest/source-map (added, 29.6.3)

🆕 @​jest/test-result (added, 29.7.0)

🆕 @​jest/test-sequencer (added, 29.7.0)

🆕 @​jest/transform (added, 29.7.0)

🆕 @​jest/types (added, 29.6.3)

🆕 @​sinclair/typebox (added, 0.27.10)

🆕 @​sinonjs/fake-timers (added, 10.3.0)

🆕 babel-jest (added, 29.7.0)

🆕 babel-plugin-istanbul (added, 6.1.1)

🆕 babel-plugin-jest-hoist (added, 29.6.3)

🆕 babel-preset-jest (added, 29.6.3)

🆕 ci-info (added, 3.9.0)

🆕 cjs-module-lexer (added, 1.4.3)

🆕 wrap-ansi (added, 8.1.0)

🆕 expect (added, 29.7.0)

🆕 istanbul-lib-instrument (added, 5.2.1)

🆕 semver (added, 7.7.4)

🆕 istanbul-lib-source-maps (added, 4.0.1)

🆕 jest-changed-files (added, 29.7.0)

🆕 jest-circus (added, 29.7.0)

🆕 jest-config (added, 29.7.0)

🆕 jest-diff (added, 29.7.0)

🆕 jest-docblock (added, 29.7.0)

🆕 jest-each (added, 29.7.0)

🆕 jest-environment-node (added, 29.7.0)

🆕 jest-haste-map (added, 29.7.0)

🆕 jest-leak-detector (added, 29.7.0)

🆕 jest-matcher-utils (added, 29.7.0)

🆕 jest-message-util (added, 29.7.0)

🆕 jest-mock (added, 29.7.0)

🆕 jest-regex-util (added, 29.6.3)

🆕 jest-resolve (added, 29.7.0)

🆕 jest-resolve-dependencies (added, 29.7.0)

🆕 jest-runner (added, 29.7.0)

🆕 jest-runtime (added, 29.7.0)

🆕 jest-snapshot (added, 29.7.0)

🆕 jest-util (added, 29.7.0)

🆕 jest-validate (added, 29.7.0)

🆕 jest-watcher (added, 29.7.0)

🆕 jest-worker (added, 29.7.0)

🆕 pretty-format (added, 29.7.0)

🆕 pure-rand (added, 6.1.0)

🆕 write-file-atomic (added, 5.0.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #68.