dependabot[bot] opened a new pull request, #13102:
URL: https://github.com/apache/cloudstack/pull/13102

   Bumps [axios](https://github.com/axios/axios) from 0.21.4 to 0.31.1.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/axios/axios/releases">axios's releases</a>.</em></p>
   <blockquote>
   <h2>v0.31.1</h2>
   <p>This release backports a broad set of security hardenings from the v1 
line — covering prototype-pollution defences, stream size enforcement, XSRF 
handling, URL null-byte encoding, and bounded FormData recursion — and drops 
committed <code>dist/</code> artefacts along with Bower support.</p>
   <h2>⚠️ Breaking Changes &amp; Deprecations</h2>
   <ul>
   <li><strong>Bower &amp; Committed <code>dist/</code> Removed:</strong> <code>dist/</code> bundles are no longer committed to the repo, and <code>bower.json</code> plus the Grunt <code>package2bower</code> task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (<strong><a href="https://redirect.github.com/axios/axios/issues/10747">#10747</a></strong>)</li>
   </ul>
   <h2>🔒 Security Fixes</h2>
   <ul>
   <li><strong>Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9):</strong> Tightened <code>isFormData</code> to reject plain/null-prototype objects and require <code>append</code>, and guarded the Node HTTP adapter so <code>data.getHeaders()</code> is only merged when it is not inherited from <code>Object.prototype</code>. Blocks injected headers via polluted <code>getHeaders</code>. (<strong><a href="https://redirect.github.com/axios/axios/issues/10750">#10750</a></strong>)</li>
   <li><strong>Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf):</strong> <code>mergeConfig</code>, defaults resolution, and the HTTP adapter now use own-property checks for <code>transport</code>, <code>env</code>, <code>Blob</code>, <code>formSerializer</code>, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (<strong><a href="https://redirect.github.com/axios/axios/issues/10752">#10752</a></strong>)</li>
   <li><strong>FormData / Params Recursion DoS:</strong> Added a configurable <code>maxDepth</code> (default <code>100</code>, <code>Infinity</code> disables) to <code>toFormData</code> and params serialisation, throwing <code>AxiosError</code> with code <code>ERR_FORM_DATA_DEPTH_EXCEEDED</code> when exceeded. Circular-reference detection is preserved. (<strong><a href="https://redirect.github.com/axios/axios/issues/10728">#10728</a></strong>)</li>
   <li><strong>Null-Byte Injection in Query Strings:</strong> Removed the unsafe <code>%00</code> → null-byte substitution from <code>AxiosURLSearchParams.encode</code> so <code>%00</code> is preserved as-is. Other encoding behaviour (including <code>%20</code> → <code>+</code>) unchanged. (<strong><a href="https://redirect.github.com/axios/axios/issues/10737">#10737</a></strong>)</li>
   <li><strong>Consolidated v1 Security Backport:</strong> Rolls up remaining v1 hardenings into <code>v0.x</code>: <code>maxContentLength</code> enforcement for <code>responseType: 'stream'</code> via a guarded transform with deferred piping, <code>maxBodyLength</code> enforcement for streamed uploads on native <code>http</code>/<code>https</code> with <code>maxRedirects: 0</code>, and stricter <code>withXSRFToken</code> handling so only own boolean <code>true</code> enables cross-origin XSRF headers. (<strong><a href="https://redirect.github.com/axios/axios/issues/10764">#10764</a></strong>)</li>
   </ul>
   <h2>🔧 Maintenance &amp; Chores</h2>
   <ul>
   <li><strong>CODEOWNERS:</strong> Added <code>.github/CODEOWNERS</code> with <code>* @jasonsaayman</code> to set a default reviewer for all paths. (<strong><a href="https://redirect.github.com/axios/axios/issues/10740">#10740</a></strong>)</li>
   </ul>
   <p><a href="https://github.com/axios/axios/compare/v0.31.0...v0.31.1">Full Changelog</a></p>
   <h2>v0.31.0</h2>
   <p>This release backports security fixes from v1.x, hardens the CI/CD supply 
chain with OIDC publishing and <code>zizmor</code> scanning, resolves 
TypeScript typing issues in <code>AxiosInstance</code>, and fixes a performance 
regression in <code>isEmptyObject()</code>.</p>
   <h2>🔒 Security Fixes</h2>
   <ul>
   <li>
   <p><strong>Header Injection &amp; Proxy Bypass:</strong> Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper <code>NO_PROXY</code>/<code>no_proxy</code> enforcement covering wildcards, explicit ports, loopback aliases (<code>localhost</code>, <code>127.0.0.1</code>, <code>::1</code>), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and <code>parsed.host</code> is used for correct port and IPv6 handling. (<strong><a href="https://redirect.github.com/axios/axios/issues/10688">#10688</a></strong>)</p>
   </li>
   <li>
   <p><strong>CI Security:</strong> SHA-pins all actions and disables credential persistence in v0.x CI, introduces <code>zizmor</code> security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required <code>npm-publish</code> GitHub Environment with configurable reviewer protections. (<strong><a href="https://redirect.github.com/axios/axios/issues/10638">#10638</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10639">#10639</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10667">#10667</a></strong>)</p>
   </li>
   </ul>
   <h2>🐛 Bug Fixes</h2>
   <ul>
   <li>
   <p><strong>TypeScript — <code>AxiosInstance</code> Return Types:</strong> Fixes return types in <code>AxiosInstance</code> methods to correctly resolve to <code>Promise&lt;R&gt;</code> (matching <code>AxiosPromise&lt;T&gt;</code> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (<strong><a href="https://redirect.github.com/axios/axios/issues/6253">#6253</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/7328">#7328</a></strong>)</p>
   </li>
   <li>
   <p><strong>Performance:</strong> Fixes a performance regression in <code>isEmptyObject()</code> that caused excessive computation when the argument was a large string. (<strong><a href="https://redirect.github.com/axios/axios/issues/6484">#6484</a></strong>)</p>
   </li>
   </ul>
   <h2>🔧 Maintenance &amp; Chores</h2>
   <ul>
   <li><strong>Versioning &amp; CI Workflow:</strong> Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (<strong><a href="https://redirect.github.com/axios/axios/issues/10690">#10690</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10691">#10691</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10692">#10692</a></strong>)</li>
   </ul>
   <h2>🌟 New Contributors</h2>
   <p>We are thrilled to welcome our new contributors. Thank you for helping 
improve axios:</p>
   <ul>
   <li><strong><a href="https://github.com/nakataki17"><code>@nakataki17</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/6253">#6253</a></strong>)</li>
   <li><strong><a href="https://github.com/gmasclet"><code>@gmasclet</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/6484">#6484</a></strong>)</li>
   <li><strong><a href="https://github.com/shaanmajid"><code>@shaanmajid</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10638">#10638</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10639">#10639</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10667">#10667</a></strong>)</li>
   <li><strong><a href="https://github.com/ivan-churakov"><code>@ivan-churakov</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/7328">#7328</a></strong>)</li>
   </ul>
   <p><a href="https://github.com/axios/axios/compare/v0.30.3...v0.31.0">Full Changelog</a></p>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/axios/axios/commit/a589dc525af12e0fabef7d6e5be028ad433eee31"><code>a589dc5</code></a> chore: bump version to v0.31.1 (<a href="https://redirect.github.com/axios/axios/issues/10766">#10766</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/b0c632f36a5ea2e73c9bdf3a54164a8ede925736"><code>b0c632f</code></a> fix: backport security issues (<a href="https://redirect.github.com/axios/axios/issues/10764">#10764</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/b52187f4571b6b8663fed5904e3082ab30660364"><code>b52187f</code></a> fix: harden config merging (<a href="https://redirect.github.com/axios/axios/issues/10752">#10752</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/e3ddeb40f6a142a234925341151e2ca631a6de64"><code>e3ddeb4</code></a> fix: header security issues (<a href="https://redirect.github.com/axios/axios/issues/10750">#10750</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/f4f2d76e25cc0f777e5416e2d76282ab873ef9dc"><code>f4f2d76</code></a> chore: stop committing dist/ and remove bower (<a href="https://redirect.github.com/axios/axios/issues/10747">#10747</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/1f2f64433e5be205d74471c78c2721909282b9c0"><code>1f2f644</code></a> chore: add CODEOWNERS (<a href="https://redirect.github.com/axios/axios/issues/10740">#10740</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/44bca902e1bdd7dd6490c7b4985b63e729b0e634"><code>44bca90</code></a> fix: improve regex in AxiosURLSearchParams (<a href="https://redirect.github.com/axios/axios/issues/10737">#10737</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/4c4f07fabdb005f5430bab797f12b55e2ed5fb33"><code>4c4f07f</code></a> fix: form data recursion (<a href="https://redirect.github.com/axios/axios/issues/10728">#10728</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/5073eca0edd37b13a0e39dcb48794d779b7dff8d"><code>5073eca</code></a> chore: release v0.31.0 (<a href="https://redirect.github.com/axios/axios/issues/10697">#10697</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/b57eb1a93214c9d6840035add0cc705fa9d6d697"><code>b57eb1a</code></a> ci: update branch name (<a href="https://redirect.github.com/axios/axios/issues/10692">#10692</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/axios/axios/compare/v0.21.4...v0.31.1">compare view</a></li>
   </ul>
   </details>
   <details>
   <summary>Maintainer changes</summary>
   <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for axios since your current version.</p>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=0.21.4&new-version=0.31.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/cloudstack/network/alerts).
   
   </details>
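The two prototype-pollution items in the quoted v0.31.1 notes (GHSA-6chq-wfr3-2hj9 for the header merge and GHSA-pf86-5x62-jrwf for config merging) come down to one defensive rule: read anything that steers a request only as an own property, never through the prototype chain, and hand back merged configs with no prototype at all. The JavaScript below is an added example illustrating that rule; it is not axios code and not part of this PR. The function names (`mergeConfigNaive`, `mergeConfigHardened`, `resolveTransport`, `mergeBodyHeadersNaive`, `mergeBodyHeadersHardened`, `demo`), the `FakeFormData` class and the sample request values are all constructed for the demonstration, and the polluted `Object.prototype` is set up inside `demo` as the precondition and removed again in `finally`, so the script runs stand-alone in Node and leaves the runtime clean.

```javascript
// Added example (not axios's code): own-property checks and null-prototype
// results as a defence against prototype pollution in config/header merging.
// Every function name here is an illustrative stand-in for the behaviour the
// v0.31.1 release notes describe, not an axios internal.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Unguarded merge: for...in walks inherited enumerable keys, and the plain
// result object still inherits from Object.prototype, so a polluted
// `transport` is picked up as if the caller had configured it.
function mergeConfigNaive(defaults, config) {
  const out = {};
  for (const key in defaults) out[key] = defaults[key];
  for (const key in config) out[key] = config[key];
  return out;
}

// Hardened merge: only own keys are copied, and the result has no prototype,
// so nothing can be inherited from a polluted Object.prototype.
function mergeConfigHardened(defaults, config) {
  const out = Object.create(null);
  for (const key of Object.keys(defaults)) out[key] = defaults[key];
  for (const key of Object.keys(config)) out[key] = config[key];
  return out;
}

// Code that picks the request path (transport, env, formSerializer, ...)
// must likewise insist on an own property instead of a chain lookup.
function resolveTransport(config) {
  return hasOwn(config, 'transport') ? config.transport : null;
}

// Unguarded header merge: any callable `getHeaders`, own or inherited, is
// trusted, so a polluted Object.prototype.getHeaders adds headers to every
// request whose body is a plain object.
function mergeBodyHeadersNaive(data, headers) {
  if (typeof data.getHeaders === 'function') {
    Object.assign(headers, data.getHeaders());
  }
  return headers;
}

// Hardened header merge: a getHeaders that is the very function sitting on
// Object.prototype is treated as pollution and ignored; a FormData-style
// object whose class defines getHeaders on its own prototype still works.
function mergeBodyHeadersHardened(data, headers) {
  const getHeaders = data.getHeaders;
  if (typeof getHeaders === 'function' && getHeaders !== Object.prototype.getHeaders) {
    Object.assign(headers, getHeaders.call(data));
  }
  return headers;
}

// Constructed stand-in for a body object that legitimately supplies
// getHeaders through its class (the shape form-data's FormData has).
class FakeFormData {
  getHeaders() { return { 'content-type': 'multipart/form-data; boundary=demo' }; }
}

// Sets up the pollution precondition on Object.prototype, runs both shapes
// side by side, and restores the prototype in `finally`.
function demo() {
  const results = {};
  Object.prototype.getHeaders = () => ({ 'x-injected': '1' });
  Object.prototype.transport = 'polluted-transport';
  try {
    const body = { field: 'value' };           // plain object: no own getHeaders
    results.naiveHeaders = mergeBodyHeadersNaive(body, { accept: 'application/json' });
    results.hardenedHeaders = mergeBodyHeadersHardened(body, { accept: 'application/json' });
    results.formDataHeaders = mergeBodyHeadersHardened(new FakeFormData(), {});

    const naive = mergeConfigNaive({ timeout: 1000 }, { url: '/api' });
    const hardened = mergeConfigHardened({ timeout: 1000 }, { url: '/api' });
    results.naiveTransport = naive.transport;          // 'polluted-transport'
    results.hardenedTransport = resolveTransport(hardened); // null
    results.hardenedUrl = hardened.url;                // '/api'
  } finally {
    delete Object.prototype.getHeaders;
    delete Object.prototype.transport;
  }
  return results;
}

console.log(demo());
```

Running it prints the naive merge carrying the injected header and the polluted transport while the hardened merge carries neither, and the `FakeFormData` case shows the guard does not break bodies that provide `getHeaders` legitimately. The same `hasOwn` discipline is what the release notes describe for `withXSRFToken`: only an own boolean `true` should switch cross-origin XSRF headers on.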


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
