Skip to content

[Snyk] Upgrade axios from 1.17.0 to 1.18.0#217

Closed
mladenba wants to merge 1 commit into
mainfrom
snyk-upgrade-97cd040d13c58592be79114cd9fb897b
Closed

[Snyk] Upgrade axios from 1.17.0 to 1.18.0#217
mladenba wants to merge 1 commit into
mainfrom
snyk-upgrade-97cd040d13c58592be79114cd9fb897b

Conversation

@mladenba

@mladenba mladenba commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to upgrade axios from 1.17.0 to 1.18.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 1 version ahead of your current version.

  • The recommended version was released 21 days ago.

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.

Release notes
Package name: axios
  • 1.18.0 - 2026-06-14

    v1.18.0 — June 13, 2026

    This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.

    🔒 Security Fixes

    • Redirect Header Safety: Added Node HTTP adapter support for stripping caller-specified sensitive headers on cross-origin redirects, helping prevent custom auth headers such as API keys from leaking to another origin. (#10892)

    • URL And Request Hardening: Rejects malformed http: and https: URLs that omit // with ERR_INVALID_URL, while tightening prototype-pollution-safe config reads, stream size limits, FormData depth handling, data URL sizing, and local NO_PROXY matching. (#11000)

    🐛 Bug Fixes

    • Status Validation: Added transitional.validateStatusUndefinedResolves so applications can opt in to treating validateStatus: undefined like the option was omitted, while validateStatus: null remains the explicit way to accept every status. (#10899)

    🔧 Maintenance & Chores

    • Documentation: Published the v1.17.0 release notes, fixed a changelog typo, clarified the package update PR policy, and marked the proxy request config as Node.js-only in the advanced docs. (#10984, #10988, #10992, #10995)

    • Dependencies: Bumped @ babel/core, @ babel/preset-env, @ commitlint/cli, @ commitlint/config-conventional, @ rollup/plugin-babel, @ rollup/plugin-commonjs, @ vitest/browser, @ vitest/browser-playwright, eslint, lint-staged, rollup, vitest, and actions/checkout. (#10989, #10996, #10997)

    • Release Metadata: Prepared the 1.18.0 release by updating package metadata and the runtime VERSION value. (#11003)

    🌟 New Contributors

    We are thrilled to welcome our new contributors. Thank you for helping improve axios:

    Full Changelog

  • 1.17.0 - 2026-06-03

    v1.17.0 — June 1, 2026

    This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.

    🔒 Security Fixes

    • Config Hardening: Guarded socketPath, params, and paramsSerializer reads with own-property checks to prevent inherited prototype values from affecting request behavior, including SSRF-sensitive paths. (#10901, #10922)
    • Release Publishing: Switched the publish workflow to npm staged publishing for safer, auditable package releases with provenance. (#10926)

    🚀 New Features

    • HTTP Compression: Added Node HTTP adapter support for zstd response decompression, with transitional.advertiseZstdAcceptEncoding controlling whether zstd is advertised in Accept-Encoding. (#6792, #10920)

    🐛 Bug Fixes

    • Authentication Handling: Restored Basic auth on same-origin Node redirects while continuing to strip credentials cross-origin, and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic auth. (#10929, #10896)
    • Proxy TLS: Preserved user httpsAgent TLS options when tunneling HTTPS requests through HTTP CONNECT proxies. (#10957)
    • React Native FormData: Cleared default Content-Type for React Native FormData so multipart boundaries can be generated correctly. (#10898)
    • Headers: Silently skipped empty or whitespace-only header names instead of throwing, matching parsed-header behavior and avoiding React Native response crashes. (#10875)
    • Request Data Merging: Preserved enumerable symbol keys when cloning plain request data through axios merge logic. (#10812)
    • Bundler Compatibility: Converted resolveConfig from an arrow default export to a named function export to avoid webpack and Babel transform interop failures. (#10891)
    • Types: Corrected AxiosHeaders.toJSON() return types and updated CommonJS isCancel typings to narrow to CanceledError<T>. (#10956, #10952)
    • Build Tooling: Avoided emitting a null Authorization header from the GitHub build helper when GITHUB_TOKEN is unset. (#10931)

    🔧 Maintenance & Chores

    • HTTP/2 Internals: Extracted Http2Sessions into its own helper module and added direct unit coverage for session pooling, timeout, and cleanup behavior. (#10861)
    • Package Publishing: Reduced published package size by switching to a files allowlist and dropping unneeded unminified bundle source maps. (#10939)
    • CI and Release Automation: Added bundle-size reporting, moved reports to the job summary, fixed bundle-size comparison coverage, added Node 26 to the matrix, pinned npm for staged publishing, and prepared the 1.17.0 release. (#10907, #10911, #10916, #10927, #10935, #10983)
    • Developer Workflow: Added a dev container and iterated on OpenSpec workflow files before removing them from the release branch. (#10925, #10914, #10958)
    • Documentation and Policy: Updated disclosure, contributor, collaboration, threat-model, advanced docs, README badges, release notes, moderator configuration, and project metadata. (#10890, #10889, #10921, #10945, #10905, #10933, #10915, #10887, #10955)
    • Dependencies: Bumped Babel tooling, Commitlint, ESLint, Rollup, Globals, Vitest, Playwright, fs-extra, qs, docs dependencies, and GitHub Actions dependencies including actions/dependency-review-action and zizmorcore/zizmor-action. (#10871, #10879, #10918, #10919, #10934, #10947, #10954, #10960)

    🌟 New Contributors

    We are thrilled to welcome our new contributors. Thank you for helping improve axios:

    Full Changelog

from axios GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

Snyk has created this PR to upgrade axios from 1.17.0 to 1.18.0.

See this package in npm:
axios

See this project in Snyk:
https://app.snyk.io/org/devrev/project/58ce53c3-7bbd-4cc5-bc81-52dc7ce644c2?utm_source=github&utm_medium=referral&page=upgrade-pr
@mladenba

mladenba commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

Merge Risk: Medium

This minor version upgrade for axios introduces security hardening measures that change behavior and could impact specific use cases.

Key Changes:

  • Stricter URL Validation: The library now rejects malformed http: and https: URLs that omit // (e.g., http:example.com) by throwing an ERR_INVALID_URL error. Applications using such URLs will see their requests fail. [1, 4]
  • Redirect Header Stripping: In Node.js, sensitive headers (like custom authorization headers) are now automatically stripped during cross-origin redirects to prevent security leaks. If your application relies on forwarding these headers to a different origin during a redirect, that behavior will no longer work. [1, 4]
  • Status Validation: A new transitional option, validateStatusUndefinedResolves, has been added for more flexible status code validation, but this is an opt-in feature. [1]

Recommendation:
Verify that your application is not using malformed URLs and does not depend on forwarding sensitive headers during cross-origin redirects. Testing redirect and error-handling logic is recommended after this upgrade.

Source: GitHub Release Notes v1.18.0

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants