Title: build(deps-dev): bump axios from 0.30.3 to 0.32.0 in /js by dependabot[bot] · Pull Request #371 · hyperblast/beefweb · GitHub
Open Graph Title: build(deps-dev): bump axios from 0.30.3 to 0.32.0 in /js by dependabot[bot] · Pull Request #371 · hyperblast/beefweb
X Title: build(deps-dev): bump axios from 0.30.3 to 0.32.0 in /js by dependabot[bot] · Pull Request #371 · hyperblast/beefweb
Description: Bumps axios from 0.30.3 to 0.32.0.
Release notes
Sourced from axios's releases.
v0.32.0 — May 4, 2026
This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.
⚠️ Breaking Changes & Deprecations
Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)
🔒 Security Fixes
Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
URL parameters: AxiosURLSearchParams keeps encoded and applies consistent encoding throughout. (#10838)
Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)
🔧 Maintenance & Chores
Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)
Full Changelog
v0.31.1
This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.
⚠️ Breaking Changes & Deprecations
Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)
🔒 Security Fixes
Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
Null-Byte Injection in Query Strings: Removed the unsafe → null-byte substitution from AxiosURLSearchParams.encode so is preserved as-is. Other encoding behaviour (including → +) unchanged. (#10737)
Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)
🔧 Maintenance & Chores
CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)
Full Changelog
v0.31.0
This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().
🔒 Security Fixes
... (truncated)
Commits
8db2d44 chore: bump version to v0.32.0 (#10840)
2af6116 chore: backport fixes from the v1x branch (#10838)
a589dc5 chore: bump version to v0.31.1 (#10766)
b0c632f fix: backport security issues (#10764)
b52187f fix: harden config merging (#10752)
e3ddeb4 fix: header security issues (#10750)
f4f2d76 chore: stop committing dist/ and remove bower (#10747)
1f2f644 chore: add CODEOWNERS (#10740)
44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
4c4f07f fix: form data recursion (#10728)
Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show
Open Graph Description: Bumps axios from 0.30.3 to 0.32.0. Release notes Sourced from axios's releases. v0.32.0 — May 4, 2026 This release backports a comprehensive set of security and hardening fixes from the v1.x ...
X Description: Bumps axios from 0.30.3 to 0.32.0. Release notes Sourced from axios's releases. v0.32.0 — May 4, 2026 This release backports a comprehensive set of security and hardening fixes from the v...
Opengraph URL: https://github.com/hyperblast/beefweb/pull/371
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:4609cb47-ceae-9bfe-a246-4012682f2584 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | E860:2ED9BA:B66A34:FFBCDB:6A4BE253 |
| html-safe-nonce | fbdf37374f04f038f47cc44a8b75fccb9a30244656b02d36cfce4aab61212987 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFODYwOjJFRDlCQTpCNjZBMzQ6RkZCQ0RCOjZBNEJFMjUzIiwidmlzaXRvcl9pZCI6IjU2MDM5MDA3NjY0MDgxMzkzNDciLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | c08155e9bbb3e3abd1d2bdc0b28876ac9aa58dc8369e5540d344b39b289914f4 |
| hovercard-subject-tag | pull_request:3773097000 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/hyperblast/beefweb/pull/371/files |
| twitter:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/29110?s=400&v=4 |
| og:image:alt | Bumps axios from 0.30.3 to 0.32.0. Release notes Sourced from axios's releases. v0.32.0 — May 4, 2026 This release backports a comprehensive set of security and hardening fixes from the v1.x ... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 0f5d3ba365b3985d75c32a5957c8635488d58dcf027ae6ae958eee7edaa306a2 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/hyperblast/beefweb git https://github.com/hyperblast/beefweb.git |
| octolytics-dimension-user_id | 19171756 |
| octolytics-dimension-user_login | hyperblast |
| octolytics-dimension-repository_id | 100525135 |
| octolytics-dimension-repository_nwo | hyperblast/beefweb |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 100525135 |
| octolytics-dimension-repository_network_root_nwo | hyperblast/beefweb |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 253920ac2dc35b0849cca4633895f1f2e5f03051 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width