
chore(deps): bump axios from 1.15.0 to 1.15.2 #9152

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/axios-1.15.2


Conversation


@dependabot dependabot Bot commented on behalf of github May 8, 2026

Bumps axios from 1.15.0 to 1.15.2.

Release notes

Sourced from axios's releases.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)
  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)
  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)
  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)
  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)
  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)
  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)
  • Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

  • FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)
  • HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)
  • Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)
  • Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)
  • buildFullPath: Uses strict equality in the base/relative URL check. (#7252)
  • AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)
  • Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

  • Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)
  • SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)
  • Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

  • allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

  • Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

  • Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog


v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

  • Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

  • CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

  • Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

  • withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

  • maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

  • Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

  • Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

  • AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits
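
The v1.15.2 security entries above describe two mechanisms: reading only own properties into null-prototype config objects, so a polluted Object.prototype cannot supply auth, baseURL or socketPath, and an opt-in allowedSocketPaths allowlist that rejects non-string or unlisted socketPath values with ERR_BAD_OPTION_VALUE. The JavaScript below is an added example, not code from axios or from this PR; it sketches both behaviours in one small resolver. The function names, the REQUEST_KEYS list, the ConfigError class and all socket paths are assumptions constructed for the illustration.

```javascript
// Added example (not axios's own code): a small request-config resolver that
// mirrors two v1.15.2 behaviours from the release notes above:
//   1. read only *own* properties into a null-prototype object, so a polluted
//      Object.prototype cannot supply auth, baseURL, socketPath, etc.;
//   2. reject a non-string socketPath and enforce the opt-in allowedSocketPaths
//      allowlist, failing with the code ERR_BAD_OPTION_VALUE.
// Function names, REQUEST_KEYS and ConfigError are assumptions made for this
// illustration; only the option names and the error code come from the notes.

const REQUEST_KEYS = [
  'url', 'baseURL', 'auth', 'socketPath', 'allowedSocketPaths',
  'beforeRedirect', 'insecureHTTPParser',
];

// Stand-in for the library's error type (assumption): carries a `code` field.
class ConfigError extends Error {
  constructor(message, code) {
    super(message);
    this.name = 'ConfigError';
    this.code = code;
  }
}

// Naive resolver: `key in obj` walks the prototype chain, so a property that
// exists only on Object.prototype is treated as if the caller had set it.
function resolveConfigNaive(userConfig) {
  const resolved = {};
  for (const key of REQUEST_KEYS) {
    if (key in userConfig) resolved[key] = userConfig[key];
  }
  return resolved;
}

// Hardened resolver: copies own properties only, into an object with no
// prototype, so neither the lookup nor the result can be influenced by
// Object.prototype.
function resolveConfigHardened(userConfig) {
  const resolved = Object.create(null);
  for (const key of REQUEST_KEYS) {
    if (Object.prototype.hasOwnProperty.call(userConfig, key)) {
      resolved[key] = userConfig[key];
    }
  }
  return resolved;
}

// Socket-path policy: non-string values are rejected outright; when the caller
// has opted in with allowedSocketPaths, the path must be in that list. An
// unset allowlist keeps the previous behaviour (backwards compatible).
function validateSocketPath(resolved) {
  const { socketPath, allowedSocketPaths } = resolved;
  if (socketPath === undefined) return;
  if (typeof socketPath !== 'string') {
    throw new ConfigError('socketPath must be a string', 'ERR_BAD_OPTION_VALUE');
  }
  if (allowedSocketPaths === undefined) return;
  if (!Array.isArray(allowedSocketPaths) || !allowedSocketPaths.includes(socketPath)) {
    throw new ConfigError(`socketPath "${socketPath}" is not in allowedSocketPaths`,
      'ERR_BAD_OPTION_VALUE');
  }
}

// Resolve + validate, reporting the outcome as 'ok' or the error code.
function checkSocketPath(userConfig) {
  try {
    validateSocketPath(resolveConfigHardened(userConfig));
    return 'ok';
  } catch (err) {
    if (err instanceof ConfigError) return err.code;
    throw err;
  }
}

// Simulated pollution for the demo: a constructed socketPath is placed on
// Object.prototype, a caller config that never mentions socketPath is resolved
// both ways, and the property is removed again in `finally`.
function demoPollution() {
  const userConfig = { url: '/api/health' }; // constructed caller input
  Object.defineProperty(Object.prototype, 'socketPath', {
    value: '/tmp/injected.sock', configurable: true, writable: true, enumerable: false,
  });
  try {
    return {
      naive: resolveConfigNaive(userConfig).socketPath,       // '/tmp/injected.sock'
      hardened: resolveConfigHardened(userConfig).socketPath, // undefined
    };
  } finally {
    delete Object.prototype.socketPath;
  }
}

console.log(demoPollution());
console.log(checkSocketPath({ socketPath: '/run/app.sock', allowedSocketPaths: ['/run/app.sock'] }));
console.log(checkSocketPath({ socketPath: '/run/other.sock', allowedSocketPaths: ['/run/app.sock'] }));
```

Run it with node: the naive resolver reports the constructed '/tmp/injected.sock' while the hardened one leaves socketPath unset, and the allowlist check rejects the unlisted path. As in the release notes the allowlist is opt-in, so a config that sets socketPath without allowedSocketPaths still passes; the non-string rejection applies regardless.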

Copilot AI review requested due to automatic review settings May 8, 2026 01:01
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 8, 2026
@dependabot dependabot Bot review requested due to automatic review settings May 8, 2026 01:01

github-actions Bot commented May 8, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump axios from 1.15.0 to 1.15.2
  • Issue: None — title is clear, conventional, and correctly describes the change.
  • Recommendation: Keep as-is. Good job following the conventional commit format.

Commit Type

  • No Commit Type checklist from the repository template is present in the PR body.
  • Note: The PR description should include the Commit Type selection from the template. For this dependency bump use chore.
  • Recommendation: Add the Commit Type section and check exactly one of the boxes, e.g.
    • - [x] chore - Maintenance/tooling

Risk Level

  • Assessment: No Risk Level selected in the PR body and there is no risk:low / risk:medium / risk:high label on the PR.
  • Advised Risk: Low — reasoning: this is a patch-level upgrade of axios (1.15.0 → 1.15.2) that primarily contains security hardenings and bug fixes (prototype-pollution hardening, SSRF mitigation via socketPath, keep-alive socket memory leak fix). These are important but expected to be low-risk from an API-compatibility standpoint. However, please run a full CI and any integration tests that exercise HTTP behavior.
  • Recommendation: Add a Risk Level selection in the PR body and apply the matching label (e.g. risk:low). Example PR body line:
    • - [x] Low - Minor changes, limited scope

What & Why

  • Current: The PR body contains auto-generated axios release notes / changelog.
  • Issue: The repository template expects a short, explicit "What & Why" section. The current body has useful info but not the concise template item.
  • Recommendation: Add a brief paragraph (1–3 sentences) like:
    • Bump axios from 1.15.0 to 1.15.2 to pick up security hardening (prototype-pollution fixes), an SSRF mitigation for socketPath, and a keep-alive socket memory leak fix. No API changes are expected in our usage.

Impact of Change

  • Issue: The PR does not include the required Impact section from the template. The changelog suggests security fixes and a change to follow-redirects; impact needs to be stated.
  • Recommendation: Add a short Impact section. Example:
    • Users: No visible UI changes. End-users benefit from security fixes and stability improvements.
    • Developers: Verify any code that relies on unusual socketPath values or relies on follow-redirects behavior. No API changes expected, but run unit and integration tests.
    • System: The follow-redirects and follow-up axios upgrade may alter transitive dependency behavior; run CI and smoke tests for network interactions.

Test Plan

  • Assessment: The code diff updates package.json and the lockfile only. No unit tests or E2E tests were added. The PR body does not state how the change was validated.
  • Recommendation: For dependency upgrades, provide one of the following in the Test Plan:
    • Run full CI (unit + integration + e2e) and report green status and any relevant logs.
    • If CI is blocked, provide manual validation steps performed (e.g., local smoke tests hitting endpoints, verifying no regressions in important flows). Example steps to add:
      • - [x] Manual smoke tests: ran the app and exercised X, Y, Z flows locally.
      • - [x] CI: All pipeline jobs passed (link to pipeline).
        If you have automated tests that exercise network code, explicitly mention they passed.

⚠️ Contributors

  • Assessment: The PR body does not include a Contributors section. This is optional but recommended.
  • Recommendation: Add a small contributors note (e.g., Contributors: dependabot[bot]) or leave blank; not required to pass.

Screenshots/Videos

  • Not applicable for a dependency bump. No action required.

Summary Table

| Section | Status | Recommendation |
|---|---|---|
| Title | | Keep the title as-is. |
| Commit Type | | Add the Commit Type checklist and select chore. |
| Risk Level | ❌ | Add risk:low in body and apply risk:low label. |
| What & Why | ❌ | Add a short 1–3 sentence "What & Why" explaining the bump and reason. |
| Impact of Change | ❌ | Add Users/Developers/System bullets describing impact and any caveats. |
| Test Plan | ❌ | State CI results or manual test steps; run full suite and link CI. |
| Contributors | ⚠️ | Optional: mention dependabot[bot] or relevant reviewers. |
| Screenshots/Videos | ✅ | Not applicable. |

Final message
Please update the PR body to include the missing template sections (Commit Type, Risk Level, What & Why, Impact of Change, and Test Plan). Add the matching risk label (recommended risk:low) and include CI links or test steps that show verification. After updating, remove the needs-pr-update label if present. Once those fields are added and CI is green, this dependency bump should be acceptable to merge.

If you'd like, I can suggest exact copy to paste for each missing section based on this diff.


Last updated: Wed, 13 May 2026 22:51:11 GMT


github-actions Bot commented May 8, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump axios from 1.15.0 to 1.15.2
  • Issue: None — the title is clear and follows conventional commit style for a dependency bump. It includes the package and versions.
  • Recommendation: Keep as-is.

⚠️ Commit Type

  • The PR title indicates this is a chore (dependency bump), which is correct for this change.
  • Note: The repository PR body template requires selecting a Commit Type checkbox. The PR body does not use the required template checkboxes. Please update the PR body to include the template and select only one commit type (e.g., - [x] chore).

Risk Level

  • Assessment: Missing/Not selected.
  • Issue: The PR does not include a risk-level selection in the PR body (Low/Medium/High). The repository requires a risk label (e.g. risk:low, risk:medium, or risk:high) that must match the selection in the PR body.
  • Recommendation: Based on the code diff (axios 1.15.0 → 1.15.2 across multiple package.json files + lockfile updates), this is a dependency patch update with security hardening and bug fixes. I advise selecting Low and adding the repo label risk:low. If you believe the bump has larger impact in your environment, choose the appropriate higher risk but document why.

What & Why

  • Current: (Missing — PR body is Dependabot release notes but does not follow the required PR template What & Why section.)
  • Issue: The PR body does not contain the short required "What & Why" summary in the template format.
  • Recommendation: Add a short, focused description. Example to paste into the template's What & Why block:
    • What: Bump axios from 1.15.0 to 1.15.2 across Standalone, vs-code-designer, logic-apps-shared, and vscode-extension packages.
    • Why: Upgrade to 1.15.2 to pick up security hardening (prototype pollution and SSRF mitigations), fix a keep-alive socket memory leak, and supply-chain hardening improvements.

Impact of Change

  • Issue: The PR body is missing the template Impact of Change section.
  • Recommendation: Provide short bullet points describing impact. Suggested text:
    • Users: No direct UI changes. Indirectly reduces security risk for HTTP requests made by server-side Node code.
    • Developers: axios minor patch — may affect Node HTTP adapter behavior; verify any custom axios config usage (socketPath, baseURL, auth) still behaves as expected.
    • System: Fixes a memory leak in keep-alive sockets and adds prototype-pollution hardening; recommended to monitor long-running services that use axios.

Test Plan

  • Assessment: Missing assertion of tests. The diff only updates dependencies and the lockfile; no unit or E2E tests were added/updated.

  • Issue: The PR body does not include the required Test Plan template checkboxes and does not explain how this dependency upgrade was validated. Per the repo guidance, if no unit/E2E tests are added, you must provide a clear explanation of how you tested the change (CI results, manual smoke tests, or why tests are not applicable).

  • Recommendation: Update the Test Plan section with at least one of the following checked and documented:

    • - [x] Unit tests added/updated (if you added or updated any tests)
    • - [x] E2E tests added/updated (if applicable)
    • - [x] Manual testing completed with details such as: Ran CI (link to job), verified unit test suite passes, performed smoke tests for HTTP flows, verified no runtime errors in builds, and ran a short long-running keep-alive scenario to monitor for leaks.

    Minimal acceptable Test Plan for this dependency bump (example):

    • Manual testing completed:
      • CI (all pipelines) passed — link to CI run.
      • Ran local dev build and smoke-tested flows that call outbound HTTP endpoints using axios.
      • Validated that Node HTTP adapter options like socketPath and baseURL still behave as expected.

    If you cannot run CI or tests, explain why and when the verification will happen.


⚠️ Contributors

  • Assessment: The Dependabot bot is the author and no additional contributors are listed.
  • Recommendation: Add a Contributors section to the PR body to credit any humans who reviewed or validated the change (PMs/Designers typically not required here). If none, you can add a short reminder line: Contributors: dependabot[bot] (upgrade), <your-team/person> (validation).

⚠️ Screenshots/Videos

  • Assessment: Not applicable for this non-UI change.
  • Recommendation: Leave blank — not required.

Summary Table

| Section | Status | Recommendation |
|---|---|---|
| Title | | Keep the current title. |
| Commit Type | ⚠️ | Add the template checkboxes and mark chore. |
| Risk Level | | Add risk:low label and select Low in body. |
| What & Why | | Add a short summary explaining the bump & reason. |
| Impact of Change | | Add Users/Developers/System bullets. |
| Test Plan | | Document CI/pass, or add unit/E2E tests, or detail manual testing. |
| Contributors | ⚠️ | Add who validated the change (even if just Dependabot + reviewer). |
| Screenshots/Videos | | Not applicable. |

Final message
This PR cannot be approved as-is because the repository's PR template fields are not filled out and there is no risk label. Please update the PR body to use the repository template and include the following minimum changes:

  1. Add the Commit Type section and check the appropriate box: - [x] chore.
  2. Add the Risk Level and check exactly one: - [x] Low and add the repository label risk:low to the PR (or select a higher level only with justification).
  3. Fill the What & Why section with a brief summary (see recommendation above).
  4. Fill Impact of Change (Users / Developers / System) as recommended.
  5. Complete the Test Plan: either add/update unit or E2E tests or mark Manual testing completed and include CI run link and verification steps.
  6. Add a Contributors line (e.g., dependabot[bot], @your-username (validation)).

Why: the code diff shows only dependency bumps for axios (1.15.0 -> 1.15.2) across multiple packages and lockfile updates. This is a low-risk security/bugfix patch but the PR needs the required metadata (risk label and test verification) so reviewers and release managers can quickly assess and merge safely. Once you update the PR body and add the risk:low label and a Test Plan entry (or tests), re-request review and this check should pass.

Thanks — please update the PR with the suggested template entries and I'll re-check.


Last updated: Fri, 08 May 2026 01:02:28 GMT


github-actions Bot commented May 8, 2026

📊 Coverage Check

No source files changed in this PR.

Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.15.0...v1.15.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI review requested due to automatic review settings May 13, 2026 22:49
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-1.15.2 branch from 3afb7b8 to 100c1c1 Compare May 13, 2026 22:49

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.


Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code needs-pr-update
