chore(deps): bump the ui-security-updates group across 1 directory with 3 updates by dependabot[bot] · Pull Request #977 · Azure-Samples/holiday-peak-hub

dependabot · 2026-05-08T05:21:03Z

Bumps the ui-security-updates group with 3 updates in the /apps/ui directory: axios, postcss and follow-redirects.

Updates axios from 1.15.0 to 1.15.2

Release notes

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

Location Request Header Type: Adds Location to CommonRequestHeadersList for accurate typing of redirect-aware requests. (#7528)

🐛 Bug Fixes

FormData Handling: Removes Content-Type when no boundary is present on FormData fetch requests, supports multi-select fields, cancels request.body instead of the source stream on fetch abort, and fixes a recursion bug in form-data serialisation. (#7314, #10676, #10702, #10726)

HTTP Adapter: Handles socket-only request errors without leaking keep-alive listeners. (#10576)

Progress Events: Clamps loaded to total for computable upload/download progress events. (#7458)

Types: Aligns runWhen type with the runtime behaviour in InterceptorManager and makes response header keys case-insensitive. (#7529, #10677)

buildFullPath: Uses strict equality in the base/relative URL check. (#7252)

AxiosURLSearchParams Regex: Improves the regex used for param serialisation to avoid edge-case mismatches. (#10736)

Resilient Value Parsing: Parses out header/config values instead of throwing on malformed input. (#10687)

... (truncated)

Changelog

Sourced from axios's changelog.

v1.15.2 - April 21, 2026

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

🔒 Security Fixes

Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing polluted auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser from influencing requests. (#10779)

SSRF via socketPath: Rejects non-string socketPath values and adds an opt-in allowedSocketPaths config option to restrict permitted Unix domain socket paths, returning AxiosError ERR_BAD_OPTION_VALUE on mismatch. (#10777)

Supply-chain Hardening: Added .npmrc with ignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expanded SECURITY.md/THREATMODEL.md with provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)

🚀 New Features

allowedSocketPaths Config Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)

🐛 Bug Fixes

Keep-alive Socket Memory Leak: Installs a single per-socket error listener tracking the active request via kAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation, MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)

🔧 Maintenance & Chores

Changelog: Updated CHANGELOG.md with v1.15.1 release notes. (#10781)

Full Changelog

v1.15.1 - April 19, 2026

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

🔒 Security Fixes

Header Injection Hardening: Tightened validation and sanitisation across request header construction to close the header-injection attack surface. (#10749)

CRLF Stripping in Multipart Headers: Correctly strips CR/LF from multipart header values to prevent injection via field names and filenames. (#10758)

Prototype Pollution / Auth Bypass: Replaced unsafe in checks with hasOwnProperty to prevent authentication bypass via prototype pollution on config objects, with additional regression tests. (#10761, #10760)

withXSRFToken Truthy Bypass: Short-circuits on any truthy non-boolean value, so an ambiguous config no longer silently leaks the XSRF token cross-origin. (#10762)

maxBodyLength With Zero Redirects: Enforces maxBodyLength even when maxRedirects is set to 0, closing a bypass path for oversized request bodies. (#10753)

Streamed Response maxContentLength Bypass: Applies maxContentLength to streamed responses that previously bypassed the cap. (#10754)

Follow-up CVE Completion: Completes an earlier incomplete CVE fix to fully close the regression window. (#10755)

🚀 New Features

AI-Based Docs Translations: Initial scaffold for AI-assisted translations of the documentation site. (#10705)

... (truncated)

Commits

5829343 chore(release): prepare release 1.15.2 (#10789)
4709a48 fix: added fix for memory leak in sockets (#10788)
be33360 chore: update changelog (#10781)
4791514 fix: more header pollutions (#10779)
6feafcf fix: socket issue (#10777)
302e273 docs: update docs, add a couple actions etc (#10776)
ac42446 chore(release): prepare release 1.15.1 (#10767)
908f220 docs: update threatmodel (#10765)
f93f815 docs: added docs around potential decompressions bomb (#10763)
1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)
Additional commits viewable in compare view

Updates postcss from 8.5.9 to 8.5.10

Release notes

Sourced from postcss's releases.

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

Changelog

Sourced from postcss's changelog.

8.5.10

Fixed XSS via unescaped </style> in non-bundler cases (by @TharVid).

Commits

33b9790 Release 8.5.10 version
536c79e Escape </style> in CSS output (#2074)
afa96b2 Update dependencies (#2073)
effe88b Typo (#2072)
3ee79a2 Thread model (#2071)
2e0683d Create incident response docs (#2070)
See full diff in compare view

Updates follow-redirects from 1.15.11 to 1.16.0

Commits

0c23a22 Release version 1.16.0 of the npm package.
844c4d3 Add sensitiveHeaders option.
5e8b8d0 ci: add Node.js 24.x to the CI matrix
7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
86dc1f8 Sanitizing input.
See full diff in compare view

dependabot · 2026-05-08T05:21:04Z

Labels

The following labels could not be found: frontend. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Cataldir · 2026-05-09T14:40:17Z

@dependabot rebase

github-actions · 2026-05-09T14:43:10Z

UI route-segment bundle budgets

UI route-segment bundle-budget report (gzipped JS, kilobytes):

route           size      limit     source                      status
--------------------------------------------------------------------------------
/               167.6     150       floor (root+polyfill)       OVER
/retailers      478.3     200       retailers.html              OVER
/builders       478.3     200       builders.html               OVER
/deploy         478       250       deploy.html                 OVER

Advisory at v1 (does not block PRs). Strict mode activates after the F1 cleanup follow-up trims dead-weight deps from the global path.

Budgets live in apps/ui/budgets.json. Gate spec: docs/ui/a11y-perf.md.

…th 3 updates Bumps the ui-security-updates group with 3 updates in the /apps/ui directory: [axios](https://github.com/axios/axios), [postcss](https://github.com/postcss/postcss) and [follow-redirects](https://github.com/follow-redirects/follow-redirects). Updates `axios` from 1.15.0 to 1.15.2 - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.15.0...v1.15.2) Updates `postcss` from 8.5.9 to 8.5.10 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@8.5.9...8.5.10) Updates `follow-redirects` from 1.15.11 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0) --- updated-dependencies: - dependency-name: axios dependency-version: 1.15.2 dependency-type: direct:production dependency-group: ui-security-updates - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: ui-security-updates - dependency-name: postcss dependency-version: 8.5.10 dependency-type: direct:development dependency-group: ui-security-updates ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies Pull requests that update a dependency file label May 8, 2026

dependabot Bot force-pushed the dependabot/npm_and_yarn/apps/ui/ui-security-updates-9633e6d90c branch 2 times, most recently from b0c0e30 to 204ef17 Compare May 8, 2026 22:44

dependabot Bot force-pushed the dependabot/npm_and_yarn/apps/ui/ui-security-updates-9633e6d90c branch from 204ef17 to a209594 Compare May 9, 2026 14:41

dependabot Bot force-pushed the dependabot/npm_and_yarn/apps/ui/ui-security-updates-9633e6d90c branch from a209594 to cf66949 Compare May 11, 2026 06:30

dependabot Bot force-pushed the dependabot/npm_and_yarn/apps/ui/ui-security-updates-9633e6d90c branch from cf66949 to 75a091c Compare May 18, 2026 07:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the ui-security-updates group across 1 directory with 3 updates#977

chore(deps): bump the ui-security-updates group across 1 directory with 3 updates#977
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/apps/ui/ui-security-updates-9633e6d90c

dependabot Bot commented on behalf of github May 8, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 8, 2026

Uh oh!

Cataldir commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github May 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v1.15.2

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

v1.15.1

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

v1.15.2 - April 21, 2026

🔒 Security Fixes

🚀 New Features

🐛 Bug Fixes

🔧 Maintenance & Chores

v1.15.1 - April 19, 2026

🔒 Security Fixes

🚀 New Features

8.5.10

8.5.10

Uh oh!

dependabot Bot commented on behalf of github May 8, 2026

Labels

Uh oh!

Cataldir commented May 9, 2026

Uh oh!

github-actions Bot commented May 9, 2026

UI route-segment bundle budgets

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github May 8, 2026 •

edited

Loading