Bump axios from 0.16.2 to 0.32.0

[dependabot]

Bumps axios from 0.16.2 to 0.32.0.

Release notes

Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

• Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

• Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
• Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
• FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
• Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20 → +) unchanged. (#10737)
• Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

• CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

... (truncated)

Commits

• 8db2d44 chore: bump version to v0.32.0 (#10840)
• 2af6116 chore: backport fixes from the v1x branch (#10838)
• a589dc5 chore: bump version to v0.31.1 (#10766)
• b0c632f fix: backport security issues (#10764)
• b52187f fix: harden config merging (#10752)
• e3ddeb4 fix: header security issues (#10750)
• f4f2d76 chore: stop committing dist/ and remove bower (#10747)
• 1f2f644 chore: add CODEOWNERS (#10740)
• 44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
• 4c4f07f fix: form data recursion (#10728)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[semgrep-code-auth0-samples]

Semgrep found 1 ssc-9f75fd94-e484-4842-ba51-a6da2e792bae finding:

• package-lock.json
  • L1766 - Triage

Risk: Affected versions of bootstrap are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's collapse plugin passes the data-parent HTML attribute value to jQuery's $() constructor without sanitization, allowing an attacker who can influence that attribute to inject and execute arbitrary JavaScript in a victim's browser (XSS).

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1766.

Reference(s): GHSA-3wqf-4x89-9g79, CVE-2018-14040

Semgrep found 1 ssc-11b5542a-cf1c-4aac-809a-ed44a7e0a895 finding:

• package-lock.json
  • L1766 - Triage

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's JavaScript plugins (Alert, Carousel, Collapse, Dropdown, Modal, Tab) pass the data-target attribute value directly to jQuery's $() constructor without sanitization. Because jQuery parses HTML strings as live DOM nodes, an attacker who can control a data-target (or href) attribute on a Bootstrap trigger element can inject arbitrary HTML and execute JavaScript in the victim's browser, leading to session hijacking or sensitive data exposure.

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1766.

Reference(s): GHSA-4p24-vmcr-4gqj, CVE-2016-10735

Semgrep found 1 ssc-14f6c9a3-9712-488d-aa61-02218488adef finding:

• package-lock.json
  • L4966 - Triage

Risk: This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.

Fix: Upgrade this library to at least version 1.2.11 at react-redux-embedded-login/package-lock.json:4966.

Reference(s): https://osv.dev/vulnerability/MAL-2023-462

Semgrep found 1 ssc-7655e34f-47d3-43f6-b687-32e02f3c8005 finding:

• package-lock.json
  • L6359 - Triage

Risk: Affected versions of handlebars are vulnerable to Improper Control of Generation of Code ('Code Injection') / Improper Encoding or Escaping of Output / Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The Handlebars CLI precompiler allows arbitrary JavaScript injection by embedding unescaped template filenames and CLI option values such as --namespace, --commonjs, and --handlebarPath directly into generated output. An attacker who can control these inputs can cause malicious code to execute when the precompiled bundle is loaded in Node.js or a browser.

Manual Review Advice: A vulnerability from this advisory is reachable if you execute templates through the Handlebars CLI precompiler

Fix: Upgrade this library to at least version 4.7.9 at react-redux-embedded-login/package-lock.json:6359.

Reference(s): GHSA-xjpj-3mr7-gcpf, CVE-2026-33941

Semgrep found 1 ssc-2b10eb66-0d71-4a46-ace0-cd5ab36d3141 finding:

• package-lock.json
  • L78 - Triage

Risk: Affected versions of acorn are vulnerable to Uncontrolled Resource Consumption. A regular-expression denial-of-service exists in Acorn's RegExp parser: a pattern like /[x-\ud800]/u (an invalid UTF-16 range) causes the parser to spin in an infinite loop. If an application feeds untrusted code directly into Acorn, an attacker can supply such a regex to trigger a CPU-hogging infinite loop and achieve Denial of Service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using acorn on the CLI

Fix: Upgrade this library to at least version 5.7.4 at react-redux-embedded-login/package-lock.json:78.

Reference(s): GHSA-6chw-6frg-f759

Semgrep found 1 ssc-c5a69759-0cfc-41b4-aa6c-ae584bd301a6 finding:

• package-lock.json
  • L14347 - Triage

Risk: Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack-dev-server with Hot Module Replacement enabled (i.e. using the --hot argument)

Fix: Upgrade this library to at least version 3.1.11 at react-redux-embedded-login/package-lock.json:14347.

Reference(s): GHSA-cf66-xwfp-gvc4, CVE-2018-14732

Semgrep found 1 ssc-783d6282-b329-42de-b9e3-741ae63ddaa7 finding:

• package-lock.json
  • L6815 - Triage

Risk: Affected versions of http-proxy are vulnerable to Incomplete List of Disallowed Inputs / Protection Mechanism Failure. A denial-of-service exists in node-http-proxy when using proxyReq.setHeader: an HTTP request with a body longer than ~1024 bytes triggers an unhandled ERR_HTTP_HEADERS_SENT exception that crashes the proxy server.

Manual Review Advice: A vulnerability from this advisory is reachable if you set headers on the proxy request using the proxyReq.setHeader function in a standalone proxy server implemented using the http-proxy package

Fix: Upgrade this library to at least version 1.18.1 at react-redux-embedded-login/package-lock.json:6815.

Reference(s): GHSA-6x33-pw7p-hmpq

Semgrep found 1 ssc-ae0261cf-6ee1-4026-8199-9d51d98e7718 finding:

• package-lock.json
  • L13779 - Triage

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.24 at react-redux-embedded-login/package-lock.json:13779.

Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292

Semgrep found 1 ssc-00f64d4f-00eb-4fb4-845e-f30d8f6ed59e finding:

• package-lock.json
  • L13779 - Triage

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.22 at react-redux-embedded-login/package-lock.json:13779.

Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733

Semgrep found 1 ssc-dbb9eafa-1a18-4071-96d8-a06789849c96 finding:

• package-lock.json
  • L13779 - Triage

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.23 at react-redux-embedded-login/package-lock.json:13779.

Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793

Semgrep found 1 ssc-6b25e01f-0c74-4dc1-a6c4-3d650baba180 finding:

• package-lock.json
  • L13621 - Triage

Risk: tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string.

Fix: Upgrade this library to at least version 1.0.5 at react-redux-embedded-login/package-lock.json:13621.

Reference(s): GHSA-jgrx-mgxx-jf9v, CVE-2021-3777

Semgrep found 1 ssc-17eda294-146f-4ed3-91f7-5ef1b349d687 finding:

• package-lock.json
  • L1532 - Triage

Risk: Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use Babel to compile untrusted JavaScript

Fix: There are no safe versions of this library available for upgrade. Library included at react-redux-embedded-login/package-lock.json:1532.

Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133

Semgrep found 1 ssc-1606921e-eb4c-4a25-bcec-3cbfbc985ee1 finding:

• package-lock.json
  • L3158 - Triage

Risk: Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.

Fix: Upgrade this library to at least version 0.5.1 at react-redux-embedded-login/package-lock.json:3158.

Reference(s): GHSA-hr2v-3952-633q, CVE-2018-3750

Semgrep found 2 ssc-0df1d23c-17f9-4a9b-956f-dc8a9d741e65 findings:

• package-lock.json
  • L12702 - Triage
  • L13899 - Triage

Risk: Affected versions of set-value and set-value are vulnerable to Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Fix: Upgrade this library to at least version 2.0.1 at react-redux-embedded-login/package-lock.json:12702.

Reference(s): GHSA-4g88-fppr-53pp, CVE-2019-10747