dependabot[bot] opened a new pull request, #13290:
URL: https://github.com/apache/cloudstack/pull/13290

   Bumps [axios](https://github.com/axios/axios) from 0.21.4 to 0.32.0.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/axios/axios/releases">axios's releases</a>.</em></p>
   <blockquote>
   <h2>v0.32.0 — May 4, 2026</h2>
   <p>This release backports a comprehensive set of security and hardening 
fixes from the v1.x branch into v0.x, covering prototype-pollution protections, 
default error redaction, stricter proxy/cookie/socket handling, and one 
breaking change to merged config and header object prototypes.</p>
   <h2>⚠️ Breaking Changes &amp; Deprecations</h2>
   <ul>
   <li>Null-prototype merged objects: mergeConfig and header merging now return 
objects with a null prototype to block prototype-pollution gadgets. Consumers 
must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit 
string coercion against merged config or header objects. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   </ul>
   <h2>🔒 Security Fixes</h2>
   <ul>
   <li>Default error redaction: AxiosError.toJSON() now redacts sensitive keys 
by default to prevent credential leaks in logs. The behavior is configurable 
via config.redact, with defaults exposed on defaults.redact. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   <li>Cookie &amp; XSRF handling: Cookie names are read literally rather than 
via regex, and only own properties are respected when evaluating withXSRFToken. 
(<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   <li>Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical 
IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   <li>Node http adapter hardening: Strips Proxy-Authorization when no proxy is 
in use and gates socketPath behind a new allowedSocketPaths allowlist (string 
or array, normalized) to reduce accidental Unix socket exposure. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   <li>Browser xhr adapter: Stricter own-property checks when reading config 
and headers. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   <li>URL parameters: AxiosURLSearchParams keeps %00 encoded and applies 
consistent encoding throughout. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   <li>Public type surface: Adds formDataHeaderPolicy, redact, and 
allowedSocketPaths to the TypeScript declarations alongside their runtime 
defaults. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   </ul>
   <h2>🔧 Maintenance &amp; Chores</h2>
   <ul>
   <li>Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and 
refreshes the issue and PR templates. (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   </ul>
   <p><a href="https://github.com/axios/axios/compare/v0.31.1...v0.32.0"><strong>Full Changelog</strong></a></p>
   <h2>v0.31.1</h2>
   <p>This release backports a broad set of security hardenings from the v1 
line — covering prototype-pollution defences, stream size enforcement, XSRF 
handling, URL null-byte encoding, and bounded FormData recursion — and drops 
committed <code>dist/</code> artefacts along with Bower support.</p>
   <h2>⚠️ Breaking Changes &amp; Deprecations</h2>
   <ul>
   <li><strong>Bower &amp; Committed <code>dist/</code> Removed:</strong> 
<code>dist/</code> bundles are no longer committed to the repo, and 
<code>bower.json</code> plus the Grunt <code>package2bower</code> task have 
been removed. CI still builds bundles before publish, so npm/yarn/pnpm 
consumers are unaffected; installs via Bower or directly from the git tree must 
migrate to npm or a CDN. (<strong><a href="https://redirect.github.com/axios/axios/issues/10747">#10747</a></strong>)</li>
   </ul>
   <h2>🔒 Security Fixes</h2>
   <ul>
   <li><strong>Prototype Pollution in Header Merge 
(GHSA-6chq-wfr3-2hj9):</strong> Tightened <code>isFormData</code> to reject 
plain/null-prototype objects and require <code>append</code>, and guarded the 
Node HTTP adapter so <code>data.getHeaders()</code> is only merged when it is 
not inherited from <code>Object.prototype</code>. Blocks injected headers via 
polluted <code>getHeaders</code>. (<strong><a href="https://redirect.github.com/axios/axios/issues/10750">#10750</a></strong>)</li>
   <li><strong>Prototype Pollution in Config Merging 
(GHSA-pf86-5x62-jrwf):</strong> <code>mergeConfig</code>, defaults resolution, 
and the HTTP adapter now use own-property checks for <code>transport</code>, 
<code>env</code>, <code>Blob</code>, <code>formSerializer</code>, and 
transforms arrays, and merged configs are returned as null-prototype objects. 
Prevents hijacking of the request flow through polluted prototypes. (<strong><a href="https://redirect.github.com/axios/axios/issues/10752">#10752</a></strong>)</li>
   <li><strong>FormData / Params Recursion DoS:</strong> Added a configurable 
<code>maxDepth</code> (default <code>100</code>, <code>Infinity</code> 
disables) to <code>toFormData</code> and params serialisation, throwing 
<code>AxiosError</code> with code <code>ERR_FORM_DATA_DEPTH_EXCEEDED</code> 
when exceeded. Circular-reference detection is preserved. (<strong><a href="https://redirect.github.com/axios/axios/issues/10728">#10728</a></strong>)</li>
   <li><strong>Null-Byte Injection in Query Strings:</strong> Removed the 
unsafe <code>%00</code> → null-byte substitution from 
<code>AxiosURLSearchParams.encode</code> so <code>%00</code> is preserved 
as-is. Other encoding behaviour (including <code>%20</code> → <code>+</code>) 
unchanged. (<strong><a href="https://redirect.github.com/axios/axios/issues/10737">#10737</a></strong>)</li>
   <li><strong>Consolidated v1 Security Backport:</strong> Rolls up remaining 
v1 hardenings into <code>v0.x</code>: <code>maxContentLength</code> enforcement 
for <code>responseType: 'stream'</code> via a guarded transform with deferred 
piping, <code>maxBodyLength</code> enforcement for streamed uploads on native 
<code>http</code>/<code>https</code> with <code>maxRedirects: 0</code>, and 
stricter <code>withXSRFToken</code> handling so only own boolean 
<code>true</code> enables cross-origin XSRF headers. (<strong><a href="https://redirect.github.com/axios/axios/issues/10764">#10764</a></strong>)</li>
   </ul>
   <h2>🔧 Maintenance &amp; Chores</h2>
   <ul>
   <li><strong>CODEOWNERS:</strong> Added <code>.github/CODEOWNERS</code> with 
<code>* @jasonsaayman</code> to set a default reviewer for all paths. 
(<strong><a href="https://redirect.github.com/axios/axios/issues/10740">#10740</a></strong>)</li>
   </ul>
   <p><a href="https://github.com/axios/axios/compare/v0.31.0...v0.31.1">Full Changelog</a></p>
   <h2>v0.31.0</h2>
   <p>This release backports security fixes from v1.x, hardens the CI/CD supply 
chain with OIDC publishing and <code>zizmor</code> scanning, resolves 
TypeScript typing issues in <code>AxiosInstance</code>, and fixes a performance 
regression in <code>isEmptyObject()</code>.</p>
   <h2>🔒 Security Fixes</h2>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/axios/axios/commit/8db2d44896849a21ed9721185b1034df24e1ba7b"><code>8db2d44</code></a> chore: bump version to v0.32.0 (<a href="https://redirect.github.com/axios/axios/issues/10840">#10840</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/2af6116a957b1dd1b32056181326da8a5540d3bc"><code>2af6116</code></a> chore: backport fixes from the v1x branch (<a href="https://redirect.github.com/axios/axios/issues/10838">#10838</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/a589dc525af12e0fabef7d6e5be028ad433eee31"><code>a589dc5</code></a> chore: bump version to v0.31.1 (<a href="https://redirect.github.com/axios/axios/issues/10766">#10766</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/b0c632f36a5ea2e73c9bdf3a54164a8ede925736"><code>b0c632f</code></a> fix: backport security issues (<a href="https://redirect.github.com/axios/axios/issues/10764">#10764</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/b52187f4571b6b8663fed5904e3082ab30660364"><code>b52187f</code></a> fix: harden config merging (<a href="https://redirect.github.com/axios/axios/issues/10752">#10752</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/e3ddeb40f6a142a234925341151e2ca631a6de64"><code>e3ddeb4</code></a> fix: header security issues (<a href="https://redirect.github.com/axios/axios/issues/10750">#10750</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/f4f2d76e25cc0f777e5416e2d76282ab873ef9dc"><code>f4f2d76</code></a> chore: stop committing dist/ and remove bower (<a href="https://redirect.github.com/axios/axios/issues/10747">#10747</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/1f2f64433e5be205d74471c78c2721909282b9c0"><code>1f2f644</code></a> chore: add CODEOWNERS (<a href="https://redirect.github.com/axios/axios/issues/10740">#10740</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/44bca902e1bdd7dd6490c7b4985b63e729b0e634"><code>44bca90</code></a> fix: improve regex in AxiosURLSearchParams (<a href="https://redirect.github.com/axios/axios/issues/10737">#10737</a>)</li>
   <li><a href="https://github.com/axios/axios/commit/4c4f07fabdb005f5430bab797f12b55e2ed5fb33"><code>4c4f07f</code></a> fix: form data recursion (<a href="https://redirect.github.com/axios/axios/issues/10728">#10728</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/axios/axios/compare/v0.21.4...v0.32.0">compare view</a></li>
   </ul>
   </details>
   <details>
   <summary>Maintainer changes</summary>
   <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new 
releaser for axios since your current version.</p>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=0.21.4&new-version=0.32.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/cloudstack/network/alerts).
   
   </details>
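Added illustration, not part of the Dependabot PR and not axios's own code: a simplified model of the "null-prototype merged objects" breaking change in v0.32.0 and of the own-property checks that the v0.31.1 config-merging advisory (GHSA-pf86-5x62-jrwf) describes. It shows why a merge result with a null prototype neutralises a key that has been polluted onto Object.prototype, and what breaks on the consumer side once the merged object no longer inherits hasOwnProperty or toString. The functions mergeConfigNullProto, mergeConfigPlain, resolveTransport and resolveTransportNaive are hypothetical stand-ins for axios internals, and the polluted value is a constructed marker string.

```javascript
// Added example (not axios code, not part of this PR). mergeConfigNullProto,
// mergeConfigPlain, resolveTransport and resolveTransportNaive are hypothetical
// simplifications of axios internals, written here only to illustrate the change.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened merge: copies only the own enumerable keys of each source into an
// object that has no prototype at all, so nothing can be inherited from
// Object.prototype no matter what some other code has written there.
function mergeConfigNullProto(...sources) {
  const out = Object.create(null);
  for (const src of sources) {
    if (src === null || typeof src !== 'object') continue;
    for (const key of Object.keys(src)) out[key] = src[key];
  }
  return out;
}

// Pre-hardening style for contrast: the result is a plain object whose prototype
// chain ends in Object.prototype, so any key polluted there is visible through it.
function mergeConfigPlain(...sources) {
  return Object.assign({}, ...sources);
}

// Adapter-side lookup of a config key. The hardened variant only honours an
// *own* property; the naive variant accepts whatever the prototype chain yields.
function resolveTransport(config, fallback) {
  return hasOwn(config, 'transport') ? config.transport : fallback;
}
function resolveTransportNaive(config, fallback) {
  return config.transport !== undefined ? config.transport : fallback;
}

// Simulate the precondition of the advisory: some other vulnerable code has
// already written a key onto Object.prototype. The value is a constructed marker.
function demoPollution() {
  const fallback = 'native-http';
  Object.prototype.transport = 'polluted-transport';
  try {
    const plain = mergeConfigPlain({ url: '/api' }, { timeout: 1000 });
    const safe = mergeConfigNullProto({ url: '/api' }, { timeout: 1000 });
    return {
      naiveOnPlain: resolveTransportNaive(plain, fallback),  // inherits the polluted key
      hardenedOnPlain: resolveTransport(plain, fallback),    // own-property check ignores it
      naiveOnSafe: resolveTransportNaive(safe, fallback),    // nothing to inherit from
      hardenedOnSafe: resolveTransport(safe, fallback),
      safeHasNullProto: Object.getPrototypeOf(safe) === null,
    };
  } finally {
    delete Object.prototype.transport; // remove the simulated pollution again
  }
}

// Consumer side of the breaking change: a null-prototype object has no
// hasOwnProperty method and no toString/valueOf, so two common idioms break
// while JSON serialisation keeps working.
function consumerChecks(merged) {
  let coercionThrows = false;
  try { String(merged); } catch (e) { coercionThrows = true; }
  return {
    hasOwnMethodAvailable: typeof merged.hasOwnProperty === 'function', // false now
    hasTimeout: hasOwn(merged, 'timeout'),   // the idiom the release notes ask for
    coercionThrows,                          // `'' + merged` and `${merged}` throw too
    jsonStillWorks: JSON.stringify(merged) === '{"timeout":5}',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoPollution());
  console.log(consumerChecks(mergeConfigNullProto({ timeout: 5 })));
}
```

The practical reviewer check for a bump like this one is the consumer side: any code that calls `config.hasOwnProperty(...)` directly, or that concatenates or template-interpolates an axios config or header object into a string, now throws a TypeError at runtime rather than at compile time, so it is worth searching the importing code base for those idioms before merging.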


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
