🚨 [security] Update axios 1.13.2 → 1.13.5 (patch)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ axios (1.13.2 → 1.13.5) · Repo · Changelog

Security Advisories 🚨

🚨 Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Denial of Service via proto Key in mergeConfig

Summary

The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.

Details

The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:

utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
  const merge = mergeMap[prop] || mergeDeepProperties;
  const configValue = merge(config1[prop], config2[prop], prop);
  (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});

When prop is '__proto__':

1. JSON.parse('{"__proto__": {...}}') creates an object with __proto__ as an own enumerable property
2. Object.keys() includes '__proto__' in the iteration
3. mergeMap['__proto__'] performs prototype chain lookup, returning Object.prototype (truthy object)
4. The expression mergeMap[prop] || mergeDeepProperties evaluates to Object.prototype
5. Object.prototype(...) throws TypeError: merge is not a function

The mergeConfig function is called by:

• Axios._request() at lib/core/Axios.js:75
• Axios.getUri() at lib/core/Axios.js:201
• All HTTP method shortcuts (get, post, etc.) at lib/core/Axios.js:211,224

PoC

import axios from "axios";
const maliciousConfig = JSON.parse('{"proto": {"x": 1}}');

await axios.get("https://httpbin.org/get", maliciousConfig);

Reproduction steps:

1. Clone axios repository or npm install axios
2. Create file poc.mjs with the code above
3. Run: node poc.mjs
4. Observe the TypeError crash

Verified output (axios 1.13.4):

TypeError: merge is not a function
    at computeConfigValue (lib/core/mergeConfig.js:100:25)
    at Object.forEach (lib/utils.js:280:10)
    at mergeConfig (lib/core/mergeConfig.js:98:9)

Control tests performed:

Test	Config	Result
Normal config	{"timeout": 5000}	SUCCESS
Malicious config	JSON.parse('{"__proto__": {"x": 1}}')	CRASH
Nested object	{"headers": {"X-Test": "value"}}	SUCCESS

Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.

Impact

Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.

Affected environments:

• Node.js servers using axios for HTTP requests
• Any backend that passes parsed JSON to axios configuration

This is NOT prototype pollution - the application crashes before any assignment occurs.

Release Notes

1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @sachin11063 (first contribution — PR #7323)
• @asmitha-16 (first contribution — PR #7326)

Full Changelog: v1.13.4...v1.13.5

1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release
  • Cleaned up interceptor test files
  • Improved workflow configurations

Infrastructure & CI/CD

• refactor: ci and build (#7340) (8ff6c19)

  • Major refactoring of CI/CD workflows
  • Consolidated workflow files for better maintainability
  • Added mise configuration for the development environment
  • Improved sponsor block update automation
  • Enhanced issue and PR templates
  • Added automatic release notes generation
  • Implemented workflow cancellation for concurrent runs

• chore: codegen and some updates to workflows (76cf77b)

  • Code generation improvements
  • Workflow optimisations

Migration Notes

Breaking Changes

None in this release.

Deprecations

None in this release.

Contributors

Thank you to all contributors who made this release possible! Special thanks to:

• jasonsaayman - Release management and CI/CD improvements

1.13.3

Release notes:

Bug Fixes

• http2: Use port 443 for HTTPS connections by default. (#7256) (d7e6065)
• interceptor: handle the error in the same interceptor (#6269) (5945e40)
• main field in package.json should correspond to cjs artifacts (#5756) (7373fbf)
• package.json: add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754) (b89217e)
• silentJSONParsing=false should throw on invalid JSON (#7253) (#7257) (7d19335)
• turn AxiosError into a native error (#5394) (#5558) (1c6a86d)
• types: add handlers to AxiosInterceptorManager interface (#5551) (8d1271b)
• types: restore AxiosError.cause type from unknown to Error (#7327) (d8233d9)
• unclear error message is thrown when specifying an empty proxy authorization (#6314) (6ef867e)

Features

• add undefined as a value in AxiosRequestConfig (#5560) (095033c)
• add automatic minor and patch upgrades to dependabot (#6053) (65a7584)
• add Node.js coverage script using c8 (closes #7289) (#7294) (ec9d94e)
• added copilot instructions (3f83143)
• compatibility with frozen prototypes (#6265) (860e033)
• enhance pipeFileToResponse with error handling (#7169) (88d7884)
• types: Intellisense for string literals in a widened union (#6134) (f73474d), closes /github.com/microsoft/TypeScript/issues/33471#issuecomment-1376364329

Reverts

• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298) (a4230f5), closes #7253 #7 #7298
• deps: bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334) (2d6ad5e)

Contributors to this release

• Ashvin Tiwari
• Nikunj Mochi
• Anchal Singh
• jasonsaayman
• Julian Dax
• Akash Dhar Dubey
• Madhumita
• Tackoil
• Justin Dhillon
• Rudransh
• WuMingDao
• codenomnom
• Nandan Acharya
• Eric Dubé
• Tibor Pilz
• Gabriel Quaresma
• Turadg Aleahmad
• JohnTitor
• rohit miryala
• Wilson Mun
• techcodie
• Ved Vadnere
• svihpinc
• SANDESH LENDVE
• Lubos
• Jarred Sumner
• Adam Hines
• Subhan Kumar Rai
• Joseph Frazier
• KT0803
• Albie
• Jake Hayes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 67 commits:

• chore(release): prepare release 1.13.5 (#7379)
• ci: fix run condition (#7373)
• ci: update ymls (#7372)
• docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• feat: add input validation to isAbsoluteURL (#7326)
• fix: Denial of Service via __proto__ Key in mergeConfig (#7369)
• docs: clarify object check comment (#7323)
• fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• fix: added a option to choose between legacy and the new request/response interceptor ordering
• chore(deps-dev): bump karma-sourcemap-loader (#7360)
• refactor: bump minors package versions (#7356)
• chore: fix issues with yml (#7355)
• chore(release): prepare release 1.13.4 (#7353)
• fix: issues with version 1.13.3 (#7352)
• fix: release branch yml
• fix: all merge configs
• refactor: ci and build (#7340)
• chore(release): v1.13.3 (#7335)
• revert(deps): bump peter-evans/create-pull-request from 7 to 8 in the github-actions group (#7334)
• chore(sponsor): update sponsor block (#7330)
• fix(types): restore AxiosError.cause type from unknown to Error (#7327)
• fix(interceptor): handle the error in the same interceptor (#6269)
• fix: main field in package.json should correspond to cjs artifacts (#5756)
• fix(types): add handlers to AxiosInterceptorManager interface (#5551)
• docs: refresh CDN URLs and example JSON headers (#7236)
• doc: update deprecated var usage in documentation examples (#7246)
• docs: add async/await timeout handling example (#7250)
• chore: remove unnecessary eslint-disable directive (#7283)
• docs: add abort controller example (#7287)
• docs: fix typo in multipart/form-data README section (#7311)
• chore(deps): bump the production_dependencies group across 1 directory with 2 updates (#7231)
• chore(deps): bump peter-evans/create-pull-request (#7303)
• Add "API clients" section to Ecosystem (#7312)
• chore(sponsor): update sponsor block (#7308)
• fix(http2): Use port 443 for HTTPS connections by default. (#7256)
• docs: add typescript example for custom instance (#7288)
• Revert "fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7…" (#7298)
• test: add Node unit tests for toFormData and refactor buildURL to avoid param reassignment (#7272)
• chore(deps-dev): bump tar-fs from 2.1.1 to 2.1.4 (#7244)
• fix: silentJSONParsing=false should throw on invalid JSON (#7253) (#7257)
• feat: add Node.js coverage script using c8 (closes #7289) (#7294)
• chore(deps): bump the github-actions group across 1 directory with 2 updates (#7282)
• chore(deps-dev): bump js-yaml from 3.14.1 to 3.14.2 (#7296)
• chore(deps-dev): bump node-forge from 1.3.1 to 1.3.3 (#7293)
• feat: enhance pipeFileToResponse with error handling (#7169)
• chore(sponsor): update sponsor block (#7285)
• chore: remove TODO comment and dead code from http adapter error handler (#7229)
• feat: compatibility with frozen prototypes (#6265)
• style: turn '()=>' into '() =>' (#6324)
• feat(types): Intellisense for string literals in a widened union (#6134)
• style: get rid of redundency in imports (#6315)
• fix: unclear error message is thrown when specifying an empty proxy authorization (#6314)
• test: correct relationship between filename and test codes (#6155)
• feat: add automatic minor and patch upgrades to dependabot (#6053)
• chore: add options object to docstring so IDE's indicate it's available (#5999)
• fix(package.json): add 'bun' package.json 'exports' condition. Load the Node.js build in Bun instead of the browser build (#5754)
• fix: turn AxiosError into a native error (#5394) (#5558)
• docs: add comprehensive migration guide for 0.x to 1.x upgrade (#7218)
• docs: grammar issue in *.md (#7215)
• chore(deps): bump the github-actions group across 1 directory with 6 updates (#7148)
• feat: add `undefined` as a value in AxiosRequestConfig (#5560)
• docs: readme changes (#7042)
• feat: added copilot instructions
• chore: exclude vscode file
• docs: improved formatting and readability in Code of Conduct (#7198)
• chore: enhance form styling and input placeholders in examples (#7185)
• docs: clarify interceptors execution order (#7201)

⁉️ dotenv (downgrade, 17.2.3 → 16.6.1) · Repo · Changelog

Release Notes

17.2.3 (from changelog)

Changed

• Fixed typescript error definition (#912)

17.2.2 (from changelog)

Added

• 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (from changelog)

Changed

• Fix clickable tip links by removing parentheses (#897)

17.2.0 (from changelog)

Added

• Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
• Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})

# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"

// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)

17.1.0 (from changelog)

Added

• Add additional security and configuration tips to the runtime log (#884)
• Dim the tips text from the main injection information text

const TIPS = [
  '🔐 encrypt with dotenvx: https://dotenvx.com',
  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
  '⚙️  enable debug logging with { debug: true }',
  '⚙️  override existing env vars with { override: true }',
  '⚙️  suppress all logs with { quiet: true }',
  '⚙️  write to custom object with { processEnv: myObject }',
  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
]

17.0.1 (from changelog)

Changed

• Patched injected log to count only populated/set keys to process.env (#879)

17.0.0 (from changelog)

Changed

• Default quiet to false - informational (file and keys count) runtime log message shows by default (#875)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​types/graceful-fs (added, 4.1.9)

🆕 create-jest (added, 29.7.0)

🆕 diff-sequences (added, 29.6.3)

🆕 exit (added, 0.1.2)

🆕 is-core-module (added, 2.16.1)

🆕 jest-get-type (added, 29.6.3)

🆕 kleur (added, 3.0.3)

🆕 path-parse (added, 1.0.7)

🆕 prompts (added, 2.4.2)

🆕 resolve (added, 1.22.11)

🆕 resolve.exports (added, 2.0.3)

🆕 sisteransi (added, 1.0.5)

🆕 supports-preserve-symlinks-flag (added, 1.0.0)

🆕 @​jest/console (added, 29.7.0)

🆕 @​jest/core (added, 29.7.0)

🆕 @​jest/environment (added, 29.7.0)

🆕 @​jest/expect (added, 29.7.0)

🆕 @​jest/expect-utils (added, 29.7.0)

🆕 @​jest/fake-timers (added, 29.7.0)

🆕 @​jest/globals (added, 29.7.0)

🆕 @​jest/reporters (added, 29.7.0)

🆕 @​jest/schemas (added, 29.6.3)

🆕 @​jest/source-map (added, 29.6.3)

🆕 @​jest/test-result (added, 29.7.0)

🆕 @​jest/test-sequencer (added, 29.7.0)

🆕 @​jest/transform (added, 29.7.0)

🆕 @​jest/types (added, 29.6.3)

🆕 @​sinclair/typebox (added, 0.27.10)

🆕 @​sinonjs/fake-timers (added, 10.3.0)

🆕 babel-jest (added, 29.7.0)

🆕 babel-plugin-istanbul (added, 6.1.1)

🆕 babel-plugin-jest-hoist (added, 29.6.3)

🆕 babel-preset-jest (added, 29.6.3)

🆕 ci-info (added, 3.9.0)

🆕 cjs-module-lexer (added, 1.4.3)

🆕 wrap-ansi (added, 8.1.0)

🆕 expect (added, 29.7.0)

🆕 istanbul-lib-instrument (added, 5.2.1)

🆕 semver (added, 7.7.4)

🆕 istanbul-lib-source-maps (added, 4.0.1)

🆕 jest-changed-files (added, 29.7.0)

🆕 jest-circus (added, 29.7.0)

🆕 jest-config (added, 29.7.0)

🆕 jest-diff (added, 29.7.0)

🆕 jest-docblock (added, 29.7.0)

🆕 jest-each (added, 29.7.0)

🆕 jest-environment-node (added, 29.7.0)

🆕 jest-haste-map (added, 29.7.0)

🆕 jest-leak-detector (added, 29.7.0)

🆕 jest-matcher-utils (added, 29.7.0)

🆕 jest-message-util (added, 29.7.0)

🆕 jest-mock (added, 29.7.0)

🆕 jest-regex-util (added, 29.6.3)

🆕 jest-resolve (added, 29.7.0)

🆕 jest-resolve-dependencies (added, 29.7.0)

🆕 jest-runner (added, 29.7.0)

🆕 jest-runtime (added, 29.7.0)

🆕 jest-snapshot (added, 29.7.0)

🆕 jest-util (added, 29.7.0)

🆕 jest-validate (added, 29.7.0)

🆕 jest-watcher (added, 29.7.0)

🆕 jest-worker (added, 29.7.0)

🆕 pretty-format (added, 29.7.0)

🆕 pure-rand (added, 6.1.0)

🆕 write-file-atomic (added, 5.0.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
pharmaintel-api	Ready	Preview, Comment	Feb 9, 2026 0:26am

[depfu]

Closed in favor of #60.

[depfu]

Closed in favor of #60.

[depfu]

Closed in favor of #60.