Skip to content

Bump axios from 0.21.4 to 0.31.0#75

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/axios-0.31.0
Closed

Bump axios from 0.21.4 to 0.31.0#75
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/axios-0.31.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 30, 2026
edited
Loading

Bumps axios from 0.21.4 to 0.31.0.

Release notes

Sourced from axios's releases.

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

  • Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

  • CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

  • TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

  • Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

  • Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

  • Backport: Fix DoS via proto key in merge config
    • Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @​FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

  • CI Infrastructure Update

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

@dependabot
Bump axios from 0.30.0 to 0.31.0
b37b5a3 
Bumps [axios](https://github.com/axios/axios) from 0.30.0 to 0.31.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.30.0...v0.31.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 0.31.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 30, 2026
@dependabot dependabot Bot changed the title Bump axios from 0.30.0 to 0.31.0 Bump axios from 0.21.1 to 0.31.0 Apr 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-0.31.0 branch from a39f151 to 9f19b7e Compare April 30, 2026 15:41
@dependabot dependabot Bot changed the title Bump axios from 0.21.1 to 0.31.0 Bump axios from 0.21.2 to 0.31.0 Apr 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-0.31.0 branch from 9f19b7e to 5d15741 Compare April 30, 2026 16:40
@dependabot dependabot Bot changed the title Bump axios from 0.21.2 to 0.31.0 Bump axios from 0.21.4 to 0.31.0 Apr 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-0.31.0 branch 2 times, most recently from 9d95759 to 9f43491 Compare April 30, 2026 16:47
@pathnirvana pathnirvana force-pushed the dependabot/npm_and_yarn/axios-0.31.0 branch from 9f43491 to 928364d Compare April 30, 2026 18:10
@pathnirvana pathnirvana force-pushed the dependabot/npm_and_yarn/axios-0.31.0 branch from 928364d to b37b5a3 Compare May 1, 2026 06:52
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 8, 2026

Superseded by #88.

@dependabot dependabot Bot closed this May 8, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/axios-0.31.0 branch May 8, 2026 00:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants