[Snyk] Upgrade axios from 1.17.0 to 1.18.0#217
Closed
mladenba wants to merge 1 commit into
Closed
Conversation
Snyk has created this PR to upgrade axios from 1.17.0 to 1.18.0. See this package in npm: axios See this project in Snyk: https://app.snyk.io/org/devrev/project/58ce53c3-7bbd-4cc5-bc81-52dc7ce644c2?utm_source=github&utm_medium=referral&page=upgrade-pr
Contributor
Author
|
This minor version upgrade for Key Changes:
Recommendation: Source: GitHub Release Notes v1.18.0
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade axios from 1.17.0 to 1.18.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 1 version ahead of your current version.
The recommended version was released 21 days ago.
Breaking Change Risk
Release notes
Package name: axios
-
1.18.0 - 2026-06-14
-
-
- Status Validation: Added
-
-
-
- @ drori12 (#10984)
- @ eyupcanakman (#10899)
- @ Adi-Beker (#10995)
-
1.17.0 - 2026-06-03
- Config Hardening: Guarded
- Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)
- HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with
- Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
- Proxy TLS: Preserved user
- React Native FormData: Cleared default
- Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
- Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
- Bundler Compatibility: Converted
- Types: Corrected
- Build Tooling: Avoided emitting a null
- HTTP/2 Internals: Extracted
- Package Publishing: Reduced published package size by switching to a
- CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
- Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
- Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
- Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright,
- @ BasixKOR (#6792)
- @ carladams1299-lab (#10861)
- @ LaplaceYoung (#10812)
- @ JamieMagee (#10939)
- @ RonGamzu (#10905)
- @ sapirbaruch (#10891)
- @ nezukoagent (#10901)
- @ devareddy05 (#10929)
- @ Mohammad-Faiz-Cloud-Engineer (#10922)
- @ azandabot (#10931)
- @ niksy (#10896)
from axios GitHub release notesv1.18.0 — June 13, 2026
This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.
🔒 Security Fixes
Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)
URL And Request Hardening: Rejects malformed
http:andhttps:URLs that omit//withERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and localNO_PROXYmatching. (#11000)🐛 Bug Fixes
transitional.validateStatusUndefinedResolvesso applications can opt in to treatingvalidateStatus: undefinedlike the option was omitted, whilevalidateStatus: nullremains the explicit way to accept every status. (#10899)🔧 Maintenance & Chores
Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the
proxyrequest config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)Dependencies: Bumped
@ babel/core,@ babel/preset-env,@ commitlint/cli,@ commitlint/config-conventional,@ rollup/plugin-babel,@ rollup/plugin-commonjs,@ vitest/browser,@ vitest/browser-playwright,eslint,lint-staged,rollup,vitest, andactions/checkout. (#10989, #10996, #10997)Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime
VERSIONvalue. (#11003)🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
v1.17.0 — June 1, 2026
This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
🔒 Security Fixes
socketPath,params, andparamsSerializerreads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)🚀 New Features
transitional.advertiseZstdAcceptEncodingcontrolling whetherzstdis advertised inAccept-Encoding. (#6792, #10920)🐛 Bug Fixes
httpsAgentTLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)Content-Typefor React NativeFormDataso multipart boundaries can be generated correctly. (#10898)resolveConfigfrom an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)AxiosHeaders.toJSON()return types and updated CommonJSisCanceltypings to narrow toCanceledError<T>. (#10956, #10952)Authorizationheader from the GitHub build helper whenGITHUB_TOKENis unset. (#10931)🔧 Maintenance & Chores
Http2Sessionsinto its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)filesallowlist and dropping unneeded unminified bundle source maps. (#10939)fs-extra,qs, docs dependencies, and GitHub Actions dependencies includingactions/dependency-review-actionandzizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information: