chore(deps): bump axios from 0.30.2 to 1.13.5

[dependabot]

Bumps axios from 0.30.2 to 1.13.5.

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

• Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
• Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

• Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

• Fix/5657. (PR #7313)
• Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

• Add input validation to isAbsoluteURL. (PR #7326)
• Refactor: bump minor package versions. (PR #7356)

Documentation

• Clarify object-check comment. (PR #7323)
• Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

• Chore: fix issues with YAML. (PR #7355)
• CI: update workflow YAMLs. (PR #7372)
• CI: fix run condition. (PR #7373)
• Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
• Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

• @​sachin11063 (first contribution — PR #7323)
• @​asmitha-16 (first contribution — PR #7326)

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

• fix: issues with version 1.13.3 (#7352) (ee90dfc)
  • Fixed issues discovered in v1.13.3 release

... (truncated)

Commits

• 29f7542 chore(release): prepare release 1.13.5 (#7379)
• 431c3a3 ci: fix run condition (#7373)
• 9ff3a78 ci: update ymls (#7372)
• 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
• 475e75a feat: add input validation to isAbsoluteURL (#7326)
• 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
• 04cf019 docs: clarify object check comment (#7323)
• 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
• 569f028 fix: added a option to choose between legacy and the new request/response int...
• 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade axios to 1.13.5 in API and Extensions to pick up security fixes and v1.x improvements. This mitigates a DoS risk in mergeConfig and keeps our HTTP stack current.

• Dependencies

  • Bump axios to ^1.13.5 in apps/api and apps/extensions.
  • Update lockfile; axios-retry and nestjs-http-promise now resolve against axios 1.13.5.

• Migration

  • No code changes expected; verify interceptors, adapter usage, and error handling (AxiosError.status now consistently present, stricter isAbsoluteURL validation).
  • Run regression tests for HTTP requests and retry behavior.

^{Written for commit bbd7a78. Summary will update on new commits.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cubic-dev-ai]

No issues found across 3 files

[greptile-apps]

Greptile Overview

Greptile Summary

This PR upgrades axios from ^0.30.2 to ^1.13.5 in the API and Extensions workspaces and updates pnpm-lock.yaml accordingly.

Because this is a major-version bump, consumers of axios in other workspaces (not modified by this PR) should be re-validated; there are existing interceptor implementations that currently swallow request errors (missing return Promise.reject(...)) and will cause runtime behavior changes when axios is upgraded and those clients execute.

Confidence Score: 3/5

• This PR is likely safe to merge after fixing existing interceptor error-propagation bugs and confirming install/test coverage outside this environment.
• The change itself is a straightforward dependency bump, but axios is a major version upgrade and the repo contains axios clients with a definite bug (request interceptor error handler does not return the rejection). Additionally, tests/builds could not be executed here due to missing node/pnpm tooling, so runtime compatibility wasn’t verified.
• apps/portal/app/services/api/api.ts; apps/extensions/src/app/services/api/api.ts; pnpm-lock.yaml

Important Files Changed

Filename	Overview
apps/api/package.json	Bumps axios dependency from ^0.30.2 to ^1.13.5.
apps/extensions/package.json	Bumps axios dependency from ^0.30.2 to ^1.13.5.
pnpm-lock.yaml	Updated axios to 1.13.5 in lockfile plus transitive bumps (e.g., semver/lodash/esquery) due to dependency resolution changes; needs full test/build verification.

Sequence Diagram

sequenceDiagram
  participant Dev as Developer
  participant PNPM as pnpm
  participant API as apps/api
  participant Ext as apps/extensions
  participant Lock as pnpm-lock.yaml
  participant Ax as axios@1.13.5

  Dev->>PNPM: pnpm install
  PNPM->>API: Resolve apps/api dependencies
  API->>Ax: Require axios ^1.13.5
  PNPM->>Ext: Resolve apps/extensions dependencies
  Ext->>Ax: Require axios ^1.13.5
  PNPM->>Lock: Write resolved versions
  Lock-->>Dev: axios pinned to 1.13.5

  Dev->>API: Run API code/tests
  API->>Ax: axios.create() + interceptors
  Ax-->>API: Requests/responses/errors flow

  Dev->>Ext: Run Extension code/build
  Ext->>Ax: axios.create() + interceptors
  Ax-->>Ext: Requests/responses/errors flow

Loading

[greptile-apps]

_{3 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (3)

apps/portal/app/services/api/api.ts
Interceptor swallows errors

The request interceptor error handler doesn’t return the rejection (Promise.reject(error);), so the interceptor chain resolves with undefined and request failures can be silently swallowed. This will break error propagation regardless of axios version; with the axios major bump it’s important this gets fixed.

  (error: any) => {
    return Promise.reject(error);
  },

---

apps/extensions/src/app/services/api/api.ts
Interceptor swallows errors

Same issue as the portal API client: the request interceptor error handler calls Promise.reject(error) but doesn’t return it, so request errors won’t propagate correctly.

  (error: any) => {
    return Promise.reject(error);
  },

---

apps/portal/app/services/rebrandly/index.ts
Wrong axios response shape

api here is a fresh axios instance without the response => response.data interceptor used in services/api/api.ts, so await api.post(...) returns an AxiosResponse. Accessing res.data?.shortUrl is fine, but the current code double-serializes the body (JSON.stringify(linkRequest)) while also setting 'Content-Type': 'application/json'. Axios will not JSON-serialize a pre-stringified payload, and this can break server-side parsing if it expects an object (common for JSON APIs).

Prefer sending the plain object so axios applies JSON transform consistently.

    const res = await api.post('/v1/links', linkRequest);

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud