chore(deps): update dependency axios to ^1.16.1 #303

Closed: chrisns wants to merge 1 commit into main from renovate/axios-1.x

chrisns (Member) commented May 19, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| axios (source) | devDependencies | minor | ^1.15.1 -> ^1.16.1 |

Release Notes

axios/axios (axios)

v1.16.1

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

  • Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#​7413)
  • Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#​10858)
  • CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#​10882)

🐛 Bug Fixes

  • Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#​10829)
  • Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#​10850)
  • XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#​10868)
  • Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#​10864)
  • Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#​10837)
  • URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #​10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#​10874)

🔧 Maintenance & Chores

  • Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#​10832)
  • composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#​10844)
  • AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#​10835, #​10841)
  • Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#​10836, #​10853, #​10856)
  • Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#​10843, #​10859, #​10869)
  • Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#​10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

v1.16.0

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

v1.15.2

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.


Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
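
The own-properties-only hardening described in the v1.16.1 security notes, as an added example that is not part of this PR or of axios's code: a simplified field-to-object converter run against a constructed, already-polluted `Object.prototype`. The names `fieldsToObject`, `parsePath` and `demo` are hypothetical, and the polluted `profile` key is a constructed stand-in for pollution caused elsewhere.

```javascript
// Added illustration: a simplified form-field-to-object converter, NOT axios source.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const BLOCKED = ['__proto__', 'constructor', 'prototype'];

// "profile[address][city]" -> ["profile", "address", "city"]
function parsePath(name) {
  return Array.from(name.matchAll(/\w+/g), (m) => m[0]);
}

// ownOnly=false reuses anything reachable through the prototype chain;
// ownOnly=true only reuses nodes that the result object itself owns.
function fieldsToObject(entries, ownOnly) {
  const out = {};
  for (const [name, value] of entries) {
    const path = parsePath(name);
    // Never build a path through prototype-bearing keys.
    if (path.length === 0 || path.some((k) => BLOCKED.includes(k))) continue;
    let node = out;
    for (const key of path.slice(0, -1)) {
      const reusable = ownOnly ? hasOwn(node, key) : key in node;
      if (!reusable || typeof node[key] !== 'object' || node[key] === null) {
        node[key] = {}; // creates an own property, shadowing anything inherited
      }
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Constructed scenario: an unrelated bug has already polluted Object.prototype.
function demo() {
  const entries = [['profile[name]', 'alice']]; // constructed sample input
  Object.prototype.profile = { role: 'admin' }; // simulated pre-existing pollution
  try {
    const loose = fieldsToObject(entries, false);
    const strict = fieldsToObject(entries, true);
    return {
      looseRole: loose.profile.role,                // 'admin', inherited value leaks in
      looseOwnsProfile: hasOwn(loose, 'profile'),   // false, the write hit the shared object
      sharedMutated: Object.prototype.profile.name, // 'alice', shared state was modified
      strictRole: strict.profile.role,              // undefined
      strictJSON: JSON.stringify(strict),           // '{"profile":{"name":"alice"}}'
    };
  } finally {
    delete Object.prototype.profile; // undo the simulated pollution
  }
}
```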

chrisns (Member, Author) commented May 22, 2026

Superseded by new renovate grouping (per-scenario + npm-web + github-actions). See #357 for the config change. This PR's dep, if still pending, will be re-opened inside the appropriate grouped PR on the next renovate cycle.

@chrisns chrisns closed this May 22, 2026
@chrisns chrisns deleted the renovate/axios-1.x branch May 22, 2026 06:30