Skip to content
This repository was archived by the owner on Aug 20, 2025. It is now read-only.

defender-client-deps: bump axios from 1.7.2 to 1.9.0 #647

Closed
dependabot wants to merge 1 commit into from
Closed

defender-client-deps: bump axios from 1.7.2 to 1.9.0 #647

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 1, 2025

Bumps axios from 1.7.2 to 1.9.0.

Release notes

Sourced from axios's releases.

Release v1.9.0

Release notes:

Bug Fixes

  • core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
  • fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
  • headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
  • headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)
  • headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)
  • http: send minimal end multipart boundary (#6661) (987d2e2)
  • types: fix autocomplete for adapter config (#6855) (e61a893)

Features

  • AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#5707) (80ea756)

Contributors to this release

Release v1.8.4

Release notes:

Bug Fixes

  • buildFullPath: handle allowAbsoluteUrls: false without baseURL (#6833) (f10c2e0)

Contributors to this release

Release v1.8.3

Release notes:

Bug Fixes

  • add missing type for allowAbsoluteUrls (#6818) (10fa70e)
  • xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#6814) (ec159e5)

Contributors to this release

Release v1.8.2

... (truncated)

Changelog

Sourced from axios's changelog.

1.9.0 (2025-04-24)

Bug Fixes

  • core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
  • fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
  • headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
  • headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)
  • headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)
  • http: send minimal end multipart boundary (#6661) (987d2e2)
  • types: fix autocomplete for adapter config (#6855) (e61a893)

Features

  • AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#5707) (80ea756)

Contributors to this release

1.8.4 (2025-03-19)

Bug Fixes

  • buildFullPath: handle allowAbsoluteUrls: false without baseURL (#6833) (f10c2e0)

Contributors to this release

1.8.3 (2025-03-10)

Bug Fixes

  • add missing type for allowAbsoluteUrls (#6818) (10fa70e)
  • xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#6814) (ec159e5)

Contributors to this release

... (truncated)

Commits
  • cdcfd21 chore(release): v1.9.0 (#6891)
  • 987d2e2 fix(http): send minimal end multipart boundary (#6661)
  • f112edf chore(ci): add PR files guard action; (#6890)
  • 61de4c0 chore(ci): update github actions; (#6889)
  • c3aba3d chore(ci): add labeler github action; (#6888)
  • f7a3b5e fix(headers): fixed support for setting multiple header values from an iterat...
  • e61a893 fix(types): fix autocomplete for adapter config (#6855)
  • 6c5d4cd fix(core): fix the Axios constructor implementation to treat the config argum...
  • dfe8411 fix(fetch): fixed ERR_NETWORK mapping for Safari browsers; (#6767)
  • d4f7df4 fix(headers): fix getSetCookie by using 'get' method for caseless access; (...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
defender-client-deps: bump axios from 1.7.2 to 1.9.0
1886739 
Bumps [axios](https://github.com/axios/axios) from 1.7.2 to 1.9.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.7.2...v1.9.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github May 1, 2025

Labels

The following labels could not be found: vulnerabilites. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot added dependabot dependencies Pull requests that update a dependency file labels May 1, 2025
@dependabot dependabot bot mentioned this pull request May 1, 2025
Closed
@socket-security
Copy link

socket-security bot commented May 1, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedelliptic@​6.5.41002510080100
Addedisarray@​1.0.0671008351100
Addedtr46@​0.0.31001006390100
Added@​aws-sdk/​util-utf8-browser@​3.259.01001006679100
Added@​openzeppelin/​defender-base-client@​1.48.0991006886100
Added@​ethersproject/​keccak256@​5.7.01001006977100
Added@​aws-crypto/​util@​1.2.21001007083100
Added@​aws-sdk/​types@​3.418.01001007089100
Added@​openzeppelin/​defender-sentinel-client@​1.48.0731009986100
Added@​ethersproject/​base64@​5.7.01001007577100
Addedhmac-drbg@​1.0.11001008476100
Added@​ethersproject/​rlp@​5.7.01001007677100
Addedisomorphic-unfetch@​3.1.01001007776100
Addedhash.js@​1.1.71001008576100
Updatedaxios@​1.7.2 ⏵ 1.6.199 +17710096100
Added@​ethersproject/​constants@​5.7.01001007777100
Added@​ethersproject/​logger@​5.7.01001007977100
Added@​ethersproject/​address@​5.7.01001007877100
Added@​ethersproject/​strings@​5.7.01001008477100
Added@​ethersproject/​signing-key@​5.7.01001007977100
See 19 more rows in the dashboard

View full report

@socket-security
Copy link

socket-security bot commented May 1, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert (click for details)
Block Critical
elliptic@6.5.4 has a Critical CVE.

CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL)

Affected versions: <= 6.6.0

Patched version: 6.6.1

Source: examples/create-sentinel/package-lock.json

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
elliptic@6.5.4 has a Low CVE.

CVE: GHSA-f7q4-pwc6-w24p Elliptic's EDDSA missing signature length check (LOW)

Affected versions: >= 4.0.0, <= 6.5.6

Patched version: 6.5.7

Source: examples/create-sentinel/package-lock.json

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
elliptic@6.5.4 has a Low CVE.

CVE: GHSA-49q7-c7j4-3p7m Elliptic allows BER-encoded signatures (LOW)

Affected versions: >= 5.2.1, <= 6.5.6

Patched version: 6.5.7

Source: examples/create-sentinel/package-lock.json

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
elliptic@6.5.4 has a Low CVE.

CVE: GHSA-fc9h-whq2-v747 Valid ECDSA signatures erroneously rejected in Elliptic (LOW)

Affected versions: < 6.6.0

Patched version: 6.6.0

Source: examples/create-sentinel/package-lock.json

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
elliptic@6.5.4 has a Low CVE.

CVE: GHSA-434g-2637-qmqr Elliptic's verify function omits uniqueness validation (LOW)

Affected versions: < 6.5.6

Patched version: 6.5.6

Source: examples/create-sentinel/package-lock.json

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
elliptic@6.5.4 has a Low CVE.

CVE: GHSA-977x-g7h5-7qgw Elliptic's ECDSA missing check for whether leading bit of r and s is zero (LOW)

Affected versions: >= 2.0.0, <= 6.5.6

Patched version: 6.5.7

Source: examples/create-sentinel/package-lock.json

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jul 1, 2025

Superseded by #662.

@dependabot dependabot bot closed this Jul 1, 2025
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/axios-1.9.0 branch July 1, 2025 16:53
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependabot dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants