fix: clear stale header on redirect when target is no-proxy #10794
@cubic-dev-ai review again on the latest PR
@jasonsaayman I have started the AI code review. It will take a few minutes to complete.
1 issue found across 2 files
Confidence score: 2/5
- There is a high-confidence, high-severity risk in `lib/adapters/http.js`: case-sensitive header stripping can leave `proxy-authorization` variants in place across redirects.
- This can cause credential leakage behavior in redirect flows, so the current change is not yet low-risk to merge despite the small file scope.
- Pay close attention to `lib/adapters/http.js` - make header removal case-insensitive so proxy auth headers are reliably cleared on redirects.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/adapters/http.js">
<violation number="1" location="lib/adapters/http.js:211">
P1: Header removal is case-sensitive, so stale `proxy-authorization` variants can survive redirects.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
@cubic-dev-ai review this again, check that we have no regressions or potential blind spots here
@jasonsaayman I have started the AI code review. It will take a few minutes to complete.
1 issue found across 2 files
Confidence score: 4/5
- This PR is likely safe to merge, with minimal risk: the only issue is a test gap in `tests/unit/adapters/http.test.js`, not a confirmed runtime defect in production code.
- The NO_PROXY redirect test currently doesn’t validate the HTTPS bypass path as intended because `https_proxy` is not kept set; this could let a proxy-bypass regression slip through undetected.
- Given the moderate-low severity (4/10) and high confidence, this is a quality/coverage concern rather than a merge-blocking behavior break.
- Pay close attention to `tests/unit/adapters/http.test.js` - ensure the NO_PROXY case keeps `https_proxy` configured so the test truly proves bypass behavior.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="tests/unit/adapters/http.test.js">
<violation number="1" location="tests/unit/adapters/http.test.js:2351">
P2: The NO_PROXY redirect test doesn't actually exercise the bypass path for HTTPS targets. Keep `https_proxy` set so the redirect uses a proxy URL and NO_PROXY is what clears it.</violation>
</file>
@cubic-dev-ai review this one last time
@jasonsaayman I have started the AI code review. It will take a few minutes to complete.
1 issue found across 2 files
Confidence score: 3/5
- There is a concrete regression risk in `lib/adapters/http.js`: `Proxy-Authorization` is being stripped on initial requests, not just during redirects, which can break proxy-authenticated requests.
- Given the issue is medium severity (6/10) with fairly strong confidence (7/10), this introduces some user-facing risk and makes the merge less predictable without a fix.
- Pay close attention to `lib/adapters/http.js` - header-stripping behavior should be limited to redirect handling so initial request credentials are preserved.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/adapters/http.js">
<violation number="1" location="lib/adapters/http.js:211">
P2: The new header-stripping logic runs on initial requests, so it removes user-supplied `Proxy-Authorization` even when not handling a redirect.</violation>
</file>
@cubic-dev-ai please check one last time
@jasonsaayman I have started the AI code review. It will take a few minutes to complete.
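The three review findings above describe one behaviour: on a redirect hop whose target bypasses the proxy, drop `Proxy-Authorization` whatever its casing, and leave the initial request alone. The sketch below is an added example, not axios code; the function names, the simplified NO_PROXY matcher and the sample hosts and values are assumptions constructed for illustration.

```javascript
// Added example (not axios source). Every function name here is hypothetical.

// Simplified NO_PROXY check (assumption): comma-separated hostnames, "*" matches
// everything, an entry matches the host itself or any subdomain of it.
// Ports and CIDR ranges are not handled.
function bypassesProxy(hostname, noProxy) {
  const host = hostname.toLowerCase();
  return String(noProxy || '')
    .split(',')
    .map((entry) => entry.trim().toLowerCase().replace(/^\*?\./, ''))
    .filter(Boolean)
    .some((entry) => entry === '*' || host === entry || host.endsWith('.' + entry));
}

// Header names are case-insensitive on the wire, but a plain object keeps the
// caller's casing, so keys are compared lowercased.
function withoutHeader(headers, name) {
  const wanted = name.toLowerCase();
  return Object.fromEntries(
    Object.entries(headers).filter(([key]) => key.toLowerCase() !== wanted)
  );
}

// The case-sensitive removal the first finding warns about: an exact-key delete
// misses "PROXY-Authorization", "proxy-authorization", and so on.
function withoutHeaderExact(headers, name) {
  const copy = { ...headers };
  delete copy[name];
  return copy;
}

// Pick the proxy for a URL from the environment, or null when the request goes direct.
function proxyFor(url, env) {
  const target = new URL(url);
  const proxy = target.protocol === 'https:' ? env.https_proxy : env.http_proxy;
  return proxy && !bypassesProxy(target.hostname, env.no_proxy) ? proxy : null;
}

// Decide routing and headers for one hop. Stripping happens only on a redirect
// hop that goes direct; an initial request keeps what the caller supplied.
function prepareHop(hop, env) {
  const proxy = proxyFor(hop.url, env);
  const stale = hop.isRedirect && proxy === null;
  return {
    proxy,
    headers: stale ? withoutHeader(hop.headers, 'proxy-authorization') : { ...hop.headers },
  };
}

// Constructed sample input. https_proxy stays set, so NO_PROXY is the only thing
// that sends the redirect target direct (the point of the second finding).
const SAMPLE_ENV = {
  https_proxy: 'http://proxy.corp.example:3128',
  no_proxy: '.internal.example',
};
const SAMPLE_HEADERS = {
  Accept: 'application/json',
  'PROXY-Authorization': 'Basic <placeholder>',
};

function demo() {
  const initial = prepareHop(
    { url: 'https://api.partner.example/v1', headers: SAMPLE_HEADERS, isRedirect: false },
    SAMPLE_ENV
  );
  const redirect = prepareHop(
    { url: 'https://files.internal.example/v1', headers: initial.headers, isRedirect: true },
    SAMPLE_ENV
  );
  const directInitial = prepareHop(
    { url: 'https://files.internal.example/v1', headers: SAMPLE_HEADERS, isRedirect: false },
    SAMPLE_ENV
  );
  const exactDelete = withoutHeaderExact(SAMPLE_HEADERS, 'Proxy-Authorization');
  return { initial, redirect, directInitial, exactDelete };
}

console.log(demo());
```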
 <h3>Snyk has created this PR to upgrade axios from 1.15.2 to 1.16.0.</h3> :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project. <hr/> - The recommended version is **1 version** ahead of your current version. - The recommended version was released **21 days ago**. #### Breaking Change Risk  > **Notice:** This assessment is enhanced by AI. <details> <summary><b>Release notes</b></summary> <br/> <details> <summary>Package name: <b>axios</b></summary> <ul> <li> <b>1.16.0</b> - <a href="https://redirect.github.com/axios/axios/releases/tag/v1.16.0">2026-05-02</a></br><h2>v1.16.0 — May 2, 2026</h2> <p>This release adds support for the QUERY HTTP method and a new <code>ECONNREFUSED</code> error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.</p> <h2><g-emoji class="g-emoji" alias="warning">⚠️ </g-emoji> Notable Changes</h2> <p>A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:</p> <ul> <li><strong>Fetch adapter now enforces <code>maxBodyLength</code> and <code>maxContentLength</code>.</strong> These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310518523" data-permission-text="Title is private" data-url="axios/axios#10795" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10795/hovercard" href="https://redirect.github.com/axios/axios/pull/10795">#10795</a></strong>)</li> <li><strong>Proxy requests now preserve user-supplied <code>Host</code> headers.</strong> Previously, the proxy path could overwrite a custom <code>Host</code>. Virtual-host-style routing through a proxy will now behave correctly. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4347021851" data-permission-text="Title is private" data-url="axios/axios#10822" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10822/hovercard" href="https://redirect.github.com/axios/axios/pull/10822">#10822</a></strong>)</li> <li><strong>Basic auth credentials embedded in URLs are now URL-decoded.</strong> If you have percent-encoded credentials in a URL (e.g. <code>https://user:p%40ss@host</code>), the decoded value is what now goes on the wire. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4351589744" data-permission-text="Title is private" data-url="axios/axios#10825" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10825/hovercard" href="https://redirect.github.com/axios/axios/pull/10825">#10825</a></strong>)</li> <li><strong><code>parseProtocol</code> now strictly requires a colon in the protocol separator.</strong> Strings that loosely parsed as protocols before may no longer match. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4271998290" data-permission-text="Title is private" data-url="axios/axios#10729" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10729/hovercard" href="https://redirect.github.com/axios/axios/pull/10729">#10729</a></strong>)</li> <li><strong>Deprecated <code>unescape()</code> replaced with modern UTF-8 encoding.</strong> Non-ASCII URL handling is now spec-correct; consumers depending on legacy <code>unescape()</code> quirks may see different output bytes. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3912225221" data-permission-text="Title is private" data-url="axios/axios#7378" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7378/hovercard" href="https://redirect.github.com/axios/axios/pull/7378">#7378</a></strong>)</li> <li><strong><code>transformRequest</code> input typing change was reverted.</strong> The typing change introduced in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a> was reverted in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336537376" data-permission-text="Title is private" data-url="axios/axios#10810" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10810/hovercard" href="https://redirect.github.com/axios/axios/pull/10810">#10810</a> after follow-up review — net behavior is unchanged from 1.15.2. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336537376" data-permission-text="Title is private" data-url="axios/axios#10810" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10810/hovercard" href="https://redirect.github.com/axios/axios/pull/10810">#10810</a></strong>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li><strong>QUERY HTTP Method:</strong> Added support for the QUERY HTTP method across adapters and type definitions. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4323864507" data-permission-text="Title is private" data-url="axios/axios#10802" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10802/hovercard" href="https://redirect.github.com/axios/axios/pull/10802">#10802</a></strong>)</li> <li><strong>ECONNREFUSED Error Constant:</strong> Exposed <code>ECONNREFUSED</code> as a constant on <code>AxiosError</code> so callers can match connection-refused failures without comparing string literals (closes <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2398798239" data-permission-text="Title is private" data-url="axios/axios#6485" data-hovercard-type="issue" data-hovercard-url="/axios/axios/issues/6485/hovercard" href="https://redirect.github.com/axios/axios/issues/6485">#6485</a>). 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4235938363" data-permission-text="Title is private" data-url="axios/axios#10680" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10680/hovercard" href="https://redirect.github.com/axios/axios/pull/10680">#10680</a></strong>)</li> <li><strong>Encode Helper Export:</strong> Exported the internal <code>encode</code> helper from <code>buildURL</code> so userland param serializers can reuse the same encoding logic that axios uses internally. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3023608053" data-permission-text="Title is private" data-url="axios/axios#6897" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6897/hovercard" href="https://redirect.github.com/axios/axios/pull/6897">#6897</a></strong>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li><strong>HTTP Adapter — Redirects & Headers:</strong> Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing <code>requestDetails</code> argument on <code>beforeRedirect</code>, preserved user-supplied <code>Host</code> headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310371730" data-permission-text="Title is private" data-url="axios/axios#10794" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10794/hovercard" href="https://redirect.github.com/axios/axios/pull/10794">#10794</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4323346513" data-permission-text="Title is private" data-url="axios/axios#10800" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10800/hovercard" href="https://redirect.github.com/axios/axios/pull/10800">#10800</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2141603120" data-permission-text="Title is private" data-url="axios/axios#6241" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6241/hovercard" href="https://redirect.github.com/axios/axios/pull/6241">#6241</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4347021851" data-permission-text="Title is private" data-url="axios/axios#10822" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10822/hovercard" href="https://redirect.github.com/axios/axios/pull/10822">#10822</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4351589744" data-permission-text="Title is private" data-url="axios/axios#10825" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10825/hovercard" href="https://redirect.github.com/axios/axios/pull/10825">#10825</a></strong>)</li> <li><strong>HTTP Adapter — Streams & Timeouts:</strong> Preserved the partial response object on <code>AxiosError</code> when a stream is aborted after headers arrive, honoured the <code>timeout</code> option during the connect phase when redirects are disabled, and resolved an 
unsettled-promise hang when an aborted request was combined with compression and <code>maxRedirects: 0</code>. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4260994859" data-permission-text="Title is private" data-url="axios/axios#10708" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10708/hovercard" href="https://redirect.github.com/axios/axios/pull/10708">#10708</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4344944445" data-permission-text="Title is private" data-url="axios/axios#10819" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10819/hovercard" href="https://redirect.github.com/axios/axios/pull/10819">#10819</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3509777101" data-permission-text="Title is private" data-url="axios/axios#7149" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7149/hovercard" href="https://redirect.github.com/axios/axios/pull/7149">#7149</a></strong>)</li> <li><strong>Fetch Adapter:</strong> Enforced <code>maxBodyLength</code> / <code>maxContentLength</code> in the fetch adapter, set the <code>User-Agent</code> header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a <code>TypeError</code> in restricted environments. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310518523" data-permission-text="Title is private" data-url="axios/axios#10795" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10795/hovercard" href="https://redirect.github.com/axios/axios/pull/10795">#10795</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4294198336" data-permission-text="Title is private" data-url="axios/axios#10772" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10772/hovercard" href="https://redirect.github.com/axios/axios/pull/10772">#10772</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336242387" data-permission-text="Title is private" data-url="axios/axios#10806" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10806/hovercard" href="https://redirect.github.com/axios/axios/pull/10806">#10806</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3662226069" data-permission-text="Title is private" data-url="axios/axios#7260" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7260/hovercard" href="https://redirect.github.com/axios/axios/pull/7260">#7260</a></strong>)</li> <li><strong>XHR Adapter:</strong> Unsubscribed the <code>cancelToken</code> and <code>AbortSignal</code> listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4303641135" data-permission-text="Title is private" data-url="axios/axios#10787" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10787/hovercard" href="https://redirect.github.com/axios/axios/pull/10787">#10787</a></strong>)</li> <li><strong>Error Handling:</strong> Attached the parsed response to <code>AxiosError</code> when <code>JSON.parse</code> fails inside <code>dispatchRequest</code>, prevented <code>settle</code> from emitting <code>undefined</code> error codes, and tightened the <code>parseProtocol</code> regex to require a colon in the protocol separator. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4270604544" data-permission-text="Title is private" data-url="axios/axios#10724" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10724/hovercard" href="https://redirect.github.com/axios/axios/pull/10724">#10724</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3678162351" data-permission-text="Title is private" data-url="axios/axios#7276" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7276/hovercard" href="https://redirect.github.com/axios/axios/pull/7276">#7276</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4271998290" data-permission-text="Title is private" data-url="axios/axios#10729" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10729/hovercard" href="https://redirect.github.com/axios/axios/pull/10729">#10729</a></strong>)</li> <li><strong>Types & Exports:</strong> Aligned the CommonJS <code>CancelToken</code> typings with the ESM build, fixed a compiler error caused by <code>RawAxiosHeaders</code>, and re-exported <code>create</code> from the package index. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3959718695" data-permission-text="Title is private" data-url="axios/axios#7414" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7414/hovercard" href="https://redirect.github.com/axios/axios/pull/7414">#7414</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2291674940" data-permission-text="Title is private" data-url="axios/axios#6389" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6389/hovercard" href="https://redirect.github.com/axios/axios/pull/6389">#6389</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2365076865" data-permission-text="Title is private" data-url="axios/axios#6460" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6460/hovercard" href="https://redirect.github.com/axios/axios/pull/6460">#6460</a></strong>)</li> <li><strong>UTF-8 Encoding:</strong> Replaced the deprecated <code>unescape()</code> call with a modern UTF-8 encoding implementation. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3912225221" data-permission-text="Title is private" data-url="axios/axios#7378" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7378/hovercard" href="https://redirect.github.com/axios/axios/pull/7378">#7378</a></strong>)</li> <li><strong>Misc Cleanup:</strong> Resolved a batch of small inconsistencies and gadget-level issues across the codebase. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4365717510" data-permission-text="Title is private" data-url="axios/axios#10833" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10833/hovercard" href="https://redirect.github.com/axios/axios/pull/10833">#10833</a></strong>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li><strong>Refactor — ES6 Modernisation:</strong> Modernised the <code>utils</code> module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4173424907" data-permission-text="Title is private" data-url="axios/axios#10588" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10588/hovercard" href="https://redirect.github.com/axios/axios/pull/10588">#10588</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3967256044" data-permission-text="Title is private" data-url="axios/axios#7419" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7419/hovercard" href="https://redirect.github.com/axios/axios/pull/7419">#7419</a></strong>)</li> <li><strong>Tests:</strong> Hardened the HTTP test server lifecycle to fix flaky <code>FormData</code> EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4345005129" data-permission-text="Title is private" data-url="axios/axios#10820" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10820/hovercard" href="https://redirect.github.com/axios/axios/pull/10820">#10820</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4305591702" data-permission-text="Title is private" data-url="axios/axios#10791" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10791/hovercard" href="https://redirect.github.com/axios/axios/pull/10791">#10791</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4310668356" data-permission-text="Title is private" data-url="axios/axios#10796" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10796/hovercard" href="https://redirect.github.com/axios/axios/pull/10796">#10796</a></strong>)</li> <li><strong>Docs:</strong> Documented <code>paramsSerializer.encode</code> for strict RFC 3986 query encoding, updated the <code>parseReviver</code> TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4346633084" data-permission-text="Title is private" data-url="axios/axios#10821" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10821/hovercard" href="https://redirect.github.com/axios/axios/pull/10821">#10821</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298576114" data-permission-text="Title is private" data-url="axios/axios#10782" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10782/hovercard" href="https://redirect.github.com/axios/axios/pull/10782">#10782</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4290932663" data-permission-text="Title is private" data-url="axios/axios#10759" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10759/hovercard" href="https://redirect.github.com/axios/axios/pull/10759">#10759</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4335735712" data-permission-text="Title is private" data-url="axios/axios#10804" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10804/hovercard" href="https://redirect.github.com/axios/axios/pull/10804">#10804</a></strong>)</li> <li><strong>Reverted:</strong> Reverted the <code>transformRequest</code> input typing change from <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a> after follow-up review. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336537376" data-permission-text="Title is private" data-url="axios/axios#10810" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10810/hovercard" href="https://redirect.github.com/axios/axios/pull/10810">#10810</a></strong>)</li> <li><strong>Dependencies:</strong> Bumped <code>actions/setup-node</code>, the <code>github-actions</code> group, and <code>postcss</code> (in <code>/docs</code>) to their latest versions. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4301894928" data-permission-text="Title is private" data-url="axios/axios#10785" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10785/hovercard" href="https://redirect.github.com/axios/axios/pull/10785">#10785</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4342327794" data-permission-text="Title is private" data-url="axios/axios#10813" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10813/hovercard" href="https://redirect.github.com/axios/axios/pull/10813">#10813</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4342985432" data-permission-text="Title is private" data-url="axios/axios#10814" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10814/hovercard" href="https://redirect.github.com/axios/axios/pull/10814">#10814</a></strong>)</li> <li><strong>Release:</strong> Updated changelog and packages, and prepared the 1.16.0 
release. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4304455485" data-permission-text="Title is private" data-url="axios/axios#10790" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10790/hovercard" href="https://redirect.github.com/axios/axios/pull/10790">#10790</a></strong>, <strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4368693595" data-permission-text="Title is private" data-url="axios/axios#10834" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10834/hovercard" href="https://redirect.github.com/axios/axios/pull/10834">#10834</a></strong>)</li> </ul> <h2>🌟 New Contributors</h2> <p>We are thrilled to welcome our new contributors. Thank you for helping improve axios:</p> <ul> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/singhankit001/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/singhankit001">@ singhankit001</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4173424907" data-permission-text="Title is private" data-url="axios/axios#10588" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10588/hovercard" href="https://redirect.github.com/axios/axios/pull/10588">#10588</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/cuiweixie/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/cuiweixie">@ cuiweixie</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3967256044" data-permission-text="Title is private" data-url="axios/axios#7419" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7419/hovercard" 
href="https://redirect.github.com/axios/axios/pull/7419">#7419</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/iruizsalinas/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/iruizsalinas">@ iruizsalinas</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4303641135" data-permission-text="Title is private" data-url="axios/axios#10787" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10787/hovercard" href="https://redirect.github.com/axios/axios/pull/10787">#10787</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/MarcosNocetti/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/MarcosNocetti">@ MarcosNocetti</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4235938363" data-permission-text="Title is private" data-url="axios/axios#10680" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10680/hovercard" href="https://redirect.github.com/axios/axios/pull/10680">#10680</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/deepview-autofix/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/deepview-autofix">@ deepview-autofix</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4271998290" data-permission-text="Title is private" data-url="axios/axios#10729" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10729/hovercard" href="https://redirect.github.com/axios/axios/pull/10729">#10729</a></strong>)</li> <li><strong><a 
class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/atharvasingh7007/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/atharvasingh7007">@ atharvasingh7007</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4284929830" data-permission-text="Title is private" data-url="axios/axios#10745" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10745/hovercard" href="https://redirect.github.com/axios/axios/pull/10745">#10745</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/OfekDanny/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/OfekDanny">@ OfekDanny</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4294198336" data-permission-text="Title is private" data-url="axios/axios#10772" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10772/hovercard" href="https://redirect.github.com/axios/axios/pull/10772">#10772</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mnahkies/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/mnahkies">@ mnahkies</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3959718695" data-permission-text="Title is private" data-url="axios/axios#7414" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7414/hovercard" href="https://redirect.github.com/axios/axios/pull/7414">#7414</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/tboyila/hovercard" 
data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/tboyila">@ tboyila</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4290932663" data-permission-text="Title is private" data-url="axios/axios#10759" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10759/hovercard" href="https://redirect.github.com/axios/axios/pull/10759">#10759</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Kingo64/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Kingo64">@ Kingo64</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3023608053" data-permission-text="Title is private" data-url="axios/axios#6897" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6897/hovercard" href="https://redirect.github.com/axios/axios/pull/6897">#6897</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ramram1048/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/ramram1048">@ ramram1048</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2291674940" data-permission-text="Title is private" data-url="axios/axios#6389" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6389/hovercard" href="https://redirect.github.com/axios/axios/pull/6389">#6389</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/FLNacif/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/FLNacif">@ FLNacif</a></strong> (<strong><a 
class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2365076865" data-permission-text="Title is private" data-url="axios/axios#6460" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/6460/hovercard" href="https://redirect.github.com/axios/axios/pull/6460">#6460</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/zozo123/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/zozo123">@ zozo123</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4336242387" data-permission-text="Title is private" data-url="axios/axios#10806" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10806/hovercard" href="https://redirect.github.com/axios/axios/pull/10806">#10806</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/pierluigilenoci/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/pierluigilenoci">@ pierluigilenoci</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4323864507" data-permission-text="Title is private" data-url="axios/axios#10802" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10802/hovercard" href="https://redirect.github.com/axios/axios/pull/10802">#10802</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/afurm/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/afurm">@ afurm</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4260994859" data-permission-text="Title is private" 
data-url="axios/axios#10708" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10708/hovercard" href="https://redirect.github.com/axios/axios/pull/10708">#10708</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/karan-lrn/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/karan-lrn">@ karan-lrn</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3912225221" data-permission-text="Title is private" data-url="axios/axios#7378" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7378/hovercard" href="https://redirect.github.com/axios/axios/pull/7378">#7378</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ebeigarts/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/ebeigarts">@ ebeigarts</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3509777101" data-permission-text="Title is private" data-url="axios/axios#7149" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7149/hovercard" href="https://redirect.github.com/axios/axios/pull/7149">#7149</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/Raymondo97/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Raymondo97">@ Raymondo97</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298576114" data-permission-text="Title is private" data-url="axios/axios#10782" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10782/hovercard" 
href="https://redirect.github.com/axios/axios/pull/10782">#10782</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mixelburg/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/mixelburg">@ mixelburg</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4346633084" data-permission-text="Title is private" data-url="axios/axios#10821" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10821/hovercard" href="https://redirect.github.com/axios/axios/pull/10821">#10821</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/ashishkr96/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/ashishkr96">@ ashishkr96</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4347021851" data-permission-text="Title is private" data-url="axios/axios#10822" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10822/hovercard" href="https://redirect.github.com/axios/axios/pull/10822">#10822</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/cyphercodes/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/cyphercodes">@ cyphercodes</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4344944445" data-permission-text="Title is private" data-url="axios/axios#10819" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10819/hovercard" href="https://redirect.github.com/axios/axios/pull/10819">#10819</a></strong>)</li> <li><strong><a class="user-mention notranslate" 
data-hovercard-type="user" data-hovercard-url="/users/Jye10032/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/Jye10032">@ Jye10032</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3662226069" data-permission-text="Title is private" data-url="axios/axios#7260" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7260/hovercard" href="https://redirect.github.com/axios/axios/pull/7260">#7260</a></strong>)</li> <li><strong><a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/VeerShah41/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://redirect.github.com/VeerShah41">@ VeerShah41</a></strong> (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="3678162351" data-permission-text="Title is private" data-url="axios/axios#7276" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/7276/hovercard" href="https://redirect.github.com/axios/axios/pull/7276">#7276</a></strong>)</li> </ul> <p><a href="https://redirect.github.com/axios/axios/compare/v1.15.2...v1.16.0">Full Changelog</a></p> </li> <li> <b>1.15.2</b> - <a href="https://redirect.github.com/axios/axios/releases/tag/v1.15.2">2026-04-21</a></br><p>This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in <code>allowedSocketPaths</code> allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.</p> <h2>🔒 Security Fixes</h2> <ul> <li><strong>Prototype Pollution Hardening (HTTP Adapter):</strong> Hardened the Node HTTP adapter and <code>resolveConfig</code>/<code>mergeConfig</code>/validator paths to read only own properties and use null-prototype config objects, preventing polluted <code>auth</code>, 
<code>baseURL</code>, <code>socketPath</code>, <code>beforeRedirect</code>, and <code>insecureHTTPParser</code> from influencing requests. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297881989" data-permission-text="Title is private" data-url="axios/axios#10779" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10779/hovercard" href="https://redirect.github.com/axios/axios/pull/10779">#10779</a></strong>)</li> <li><strong>SSRF via <code>socketPath</code>:</strong> Rejects non-string <code>socketPath</code> values and adds an opt-in <code>allowedSocketPaths</code> config option to restrict permitted Unix domain socket paths, returning <code>AxiosError</code> <code>ERR_BAD_OPTION_VALUE</code> on mismatch. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297772207" data-permission-text="Title is private" data-url="axios/axios#10777" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10777/hovercard" href="https://redirect.github.com/axios/axios/pull/10777">#10777</a></strong>)</li> <li><strong>Supply-chain Hardening:</strong> Added <code>.npmrc</code> with <code>ignore-scripts=true</code>, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded <code>SECURITY.md</code>/<code>THREATMODEL.md</code> with provenance verification (<code>npm audit signatures</code>), 60-day resolution policy, and maintainer incident-response runbook. 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297522478" data-permission-text="Title is private" data-url="axios/axios#10776" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10776/hovercard" href="https://redirect.github.com/axios/axios/pull/10776">#10776</a></strong>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li><strong><code>allowedSocketPaths</code> Config Option:</strong> New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4297772207" data-permission-text="Title is private" data-url="axios/axios#10777" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10777/hovercard" href="https://redirect.github.com/axios/axios/pull/10777">#10777</a></strong>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li><strong>Keep-alive Socket Memory Leak:</strong> Installs a single per-socket <code>error</code> listener tracking the active request via <code>kAxiosSocketListener</code>/<code>kAxiosCurrentReq</code>, eliminating per-request listener accumulation, <code>MaxListenersExceededWarning</code>, and linear heap growth under concurrent or long-running keep-alive workloads (fixes <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298011964" data-permission-text="Title is private" data-url="axios/axios#10780" data-hovercard-type="issue" data-hovercard-url="/axios/axios/issues/10780/hovercard" href="https://redirect.github.com/axios/axios/issues/10780">#10780</a>). 
(<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4304224147" data-permission-text="Title is private" data-url="axios/axios#10788" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10788/hovercard" href="https://redirect.github.com/axios/axios/pull/10788">#10788</a></strong>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li><strong>Changelog:</strong> Updated <code>CHANGELOG.md</code> with v1.15.1 release notes. (<strong><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="4298245836" data-permission-text="Title is private" data-url="axios/axios#10781" data-hovercard-type="pull_request" data-hovercard-url="/axios/axios/pull/10781/hovercard" href="https://redirect.github.com/axios/axios/pull/10781">#10781</a></strong>)</li> </ul> <p><a href="https://redirect.github.com/axios/axios/compare/v1.15.1...v1.15.2">Full Changelog</a></p> </li> </ul> from <a href="https://redirect.github.com/axios/axios/releases">axios GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. 
Co-authored-by: snyk-bot <[email protected]>
Summary by cubic
Stops leaking `Proxy-Authorization` across redirects by stripping it on redirected requests, then re-adding it only if the final proxy needs credentials. Covers no-proxy targets, different proxies, env-derived proxies, `NO_PROXY` bypasses, and case-insensitive header keys. Addresses AXI-197 and GHSA-j5f8-grm9-p9fc.
Description
- `Proxy-Authorization` in `setProxy` only on redirect; preserve user-supplied header on the initial request.
- `NO_PROXY` bypass.
- `/docs/` proxy section to note the header is not carried across redirects; add a short security note.
Testing
- `NO_PROXY` bypass, redirect to a different proxy without credentials, hook with `configProxy=false`, preserving user-supplied header on the initial request, and case-insensitive stripping.
- `Authorization` nor `authorization` leak attacker values.
Written for commit d78e4ca. Summary will update on new commits.
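The behaviour the summary describes, as an added sketch that is not axios's own code: an exact-key delete leaves a lower-case `proxy-authorization` behind, while a case-insensitive strip followed by a conditional re-add does not. The function names, the `proxy` object shape, the simplified `NO_PROXY` suffix matching and the sample headers are assumptions made for this example.

```javascript
// Constructed sample: headers carried over from the hop that went through a proxy.
const SAMPLE_HEADERS = {
  Accept: 'application/json',
  'proxy-authorization': 'Basic c3RhbGU=', // stale credential, lower-case key
};

// True if any key equals `name` ignoring case.
function hasHeader(headers, name) {
  const wanted = name.toLowerCase();
  return Object.keys(headers).some((key) => key.toLowerCase() === wanted);
}

// The flawed form: removes only a key with exactly this spelling.
function stripExact(headers, name) {
  const out = { ...headers };
  delete out[name];
  return out;
}

// The hardened form: removes every spelling of the header name.
function stripHeader(headers, name) {
  const wanted = name.toLowerCase();
  const out = {};
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== wanted) out[key] = value;
  }
  return out;
}

// Simplified NO_PROXY check (assumption): "*", exact host, or domain suffix.
function bypassesProxy(hostname, noProxy) {
  const host = hostname.toLowerCase();
  return noProxy
    .split(',')
    .map((entry) => entry.trim().toLowerCase())
    .filter(Boolean)
    .some((entry) => {
      if (entry === '*') return true;
      const bare = entry.startsWith('.') ? entry.slice(1) : entry;
      return host === bare || host.endsWith('.' + bare);
    });
}

// Headers for a redirected hop: always drop the old credential first, then
// re-add one only when this hop uses a proxy that has credentials of its own.
function headersForRedirect(prevHeaders, targetUrl, proxy, noProxy = '') {
  const headers = stripHeader(prevHeaders, 'proxy-authorization');
  const { hostname } = new URL(targetUrl);
  if (!proxy || bypassesProxy(hostname, noProxy)) return headers; // direct hop
  if (proxy.auth) {
    const pair = `${proxy.auth.username}:${proxy.auth.password}`;
    headers['Proxy-Authorization'] = 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
  }
  return headers;
}
```
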