From 5c2f7058bc22dbef2298a5f1f539126bcfa38523 Mon Sep 17 00:00:00 2001
From: Steve Smith
Date: Tue, 28 Apr 2026 09:42:23 +0100
Subject: [PATCH] =?UTF-8?q?Bump=20axios=201.13=E2=86=921.15.2=20and=20over?=
 =?UTF-8?q?ride=20follow-redirects=20to=201.16.0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes Dependabot alerts #63, #64, #65:

- GHSA-3p68-rc4w-qgx5: axios NO_PROXY hostname normalization SSRF
- GHSA-jr5f-v2jv-69x6: axios cloud metadata exfiltration via headers
- GHSA-r4q5-vmmm-2653: follow-redirects auth header leak on redirect

axios's semver range still resolves follow-redirects to 1.15.11, so an override is needed to pull in 1.16.0. npm audit now reports 0 vulns.
---
 package-lock.json | 25 ++++++++++++++-----------
 package.json | 3 ++-
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 9e4c3ea..7260747 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1800,14 +1800,14 @@
 "license": "MIT"
 },
 "node_modules/axios": {
- "version": "1.13.6",
- "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.6.tgz",
- "integrity": "sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ==",
+ "version": "1.15.2",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.2.tgz",
+ "integrity": "sha512-wLrXxPtcrPTsNlJmKjkPnNPK2Ihe0hn0wGSaTEiHRPxwjvJwT3hKmXF4dpqxmPO9SoNb2FsYXj/xEo0gHN+D5A==",
 "license": "MIT",
 "dependencies": {
 "follow-redirects": "^1.15.11",
 "form-data": "^4.0.5",
- "proxy-from-env": "^1.1.0"
+ "proxy-from-env": "^2.1.0"
 }
 },
 "node_modules/babel-jest": {
@@ -2856,9 +2856,9 @@
 "license": "ISC"
 },
 "node_modules/follow-redirects": {
- "version": "1.15.11",
- "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz",
- "integrity": "sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==",
+ "version": "1.16.0",
+ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+ "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
 "funding": [
 {
 "type": "individual",
@@ -4848,10 +4848,13 @@
 }
 },
 "node_modules/proxy-from-env": {
- "version": "1.1.0",
- "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
- "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
- "license": "MIT"
+ "version": "2.1.0",
+ "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz",
+ "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=10"
+ }
 },
 "node_modules/punycode": {
 "version": "2.3.1",
diff --git a/package.json b/package.json
index 33eefe5..59498ef 100644
--- a/package.json
+++ b/package.json
@@ -57,6 +57,7 @@
 "preset": "ts-jest"
 },
 "overrides": {
- "minimatch": "^9.0.7"
+ "minimatch": "^9.0.7",
+ "follow-redirects": "^1.16.0"
 }
 }
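Review bot: The new `"follow-redirects": "^1.16.0"` override is not what pulls in 1.16.0 — axios's own range, still visible as `"follow-redirects": "^1.15.11"` in the lockfile hunk for node_modules/axios, already admits any 1.x at or above 1.15.11, so it was the lockfile and not the semver range that pinned 1.15.11, and `npm update follow-redirects` alone would have moved it. If the override is intended as a deliberate tree-wide floor so that no other dependent can ever resolve below the patched version, keep it but state that in the commit message, because package.json cannot carry a comment and `overrides` silently rewrites resolution for every package that depends on follow-redirects. Otherwise drop the added line and let the lockfile bump carry the fix, so the override does not later mask an upstream floor change or a major-version move of the package. Keeping the override list limited to cases where the transitive range genuinely excludes the fixed version keeps audit-driven bumps like this one easy to review and retire.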