Title: build(deps): bump axios from 0.21.1 to 0.31.1 in /AdguardExtension/SafariWebExtension/extension by dependabot[bot] · Pull Request #3 · https-github-com-PAVDSSVD/AdguardForiOS · GitHub
Open Graph Title: build(deps): bump axios from 0.21.1 to 0.31.1 in /AdguardExtension/SafariWebExtension/extension by dependabot[bot] · Pull Request #3 · https-github-com-PAVDSSVD/AdguardForiOS
X Title: build(deps): bump axios from 0.21.1 to 0.31.1 in /AdguardExtension/SafariWebExtension/extension by dependabot[bot] · Pull Request #3 · https-github-com-PAVDSSVD/AdguardForiOS
Description: Bumps axios from 0.21.1 to 0.31.1.
Release notes
Sourced from axios's releases.
v0.31.1
This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.
⚠️ Breaking Changes & Deprecations
Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)
🔒 Security Fixes
Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
Null-Byte Injection in Query Strings: Removed the unsafe → null-byte substitution from AxiosURLSearchParams.encode so is preserved as-is. Other encoding behaviour (including → +) unchanged. (#10737)
Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)
🔧 Maintenance & Chores
CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)
Full Changelog
v0.31.0
This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().
🔒 Security Fixes
Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)
CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)
🐛 Bug Fixes
TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise
Open Graph Description: Bumps axios from 0.21.1 to 0.31.1. Release notes Sourced from axios's releases. v0.31.1 This release backports a broad set of security hardenings from the v1 line — covering prototype-polluti...
X Description: Bumps axios from 0.21.1 to 0.31.1. Release notes Sourced from axios's releases. v0.31.1 This release backports a broad set of security hardenings from the v1 line — covering prototype-pol...
Opengraph URL: https://github.com/https-github-com-PAVDSSVD/AdguardForiOS/pull/3
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:ffe08939-c4ed-a128-6d4d-db0aecb20332 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | A5CE:1F19:7D4765B:B1C402F:6A50ED15 |
| html-safe-nonce | 9f5faa8c1959e9077ed58bd15ea611851987ab8d5db6f5d5420daaa166c9a8ac |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBNUNFOjFGMTk6N0Q0NzY1QjpCMUM0MDJGOjZBNTBFRDE1IiwidmlzaXRvcl9pZCI6IjU0NDI4MzQxMjgzOTQzMTcwNzciLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 6570b54eb765c0263ca7cea46124b046d00046d8769ea3a8013fec8691b4dbf1 |
| hovercard-subject-tag | pull_request:3633935880 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/https-github-com-PAVDSSVD/AdguardForiOS/pull/3/files |
| twitter:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| og:image:alt | Bumps axios from 0.21.1 to 0.31.1. Release notes Sourced from axios's releases. v0.31.1 This release backports a broad set of security hardenings from the v1 line — covering prototype-polluti... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5266e58c17a510c403505cc811606465e90a881d2007ee7df1c4800d5c659838 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/https-github-com-PAVDSSVD/AdguardForiOS git https://github.com/https-github-com-PAVDSSVD/AdguardForiOS.git |
| octolytics-dimension-user_id | 148691212 |
| octolytics-dimension-user_login | https-github-com-PAVDSSVD |
| octolytics-dimension-repository_id | 1208523990 |
| octolytics-dimension-repository_nwo | https-github-com-PAVDSSVD/AdguardForiOS |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | true |
| octolytics-dimension-repository_parent_id | 43807802 |
| octolytics-dimension-repository_parent_nwo | AdguardTeam/AdguardForiOS |
| octolytics-dimension-repository_network_root_id | 43807802 |
| octolytics-dimension-repository_network_root_nwo | AdguardTeam/AdguardForiOS |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 5ec60191a48933536a90c8a19f47142fcd0d4739 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width