
chore(deps): bump axios from 0.30.2 to 1.13.5#137

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/axios-1.13.5

Conversation

@dependabot dependabot bot commented on behalf of github Feb 10, 2026

Bumps axios from 0.30.2 to 1.13.5.

Release notes

Sourced from axios's releases.

v1.13.5

Release 1.13.5

Highlights

  • Security: Fixed a potential Denial of Service issue involving the __proto__ key in mergeConfig. (PR #7369)
  • Bug fix: Resolved an issue where AxiosError could be missing the status field on and after v1.13.3. (PR #7368)

Changes

Security

  • Fix Denial of Service via __proto__ key in mergeConfig. (PR #7369)

Fixes

  • Fix/5657. (PR #7313)
  • Ensure status is present in AxiosError on and after v1.13.3. (PR #7368)

Features / Improvements

  • Add input validation to isAbsoluteURL. (PR #7326)
  • Refactor: bump minor package versions. (PR #7356)

Documentation

  • Clarify object-check comment. (PR #7323)
  • Fix deprecated Buffer constructor usage and README formatting. (PR #7371)

CI / Maintenance

  • Chore: fix issues with YAML. (PR #7355)
  • CI: update workflow YAMLs. (PR #7372)
  • CI: fix run condition. (PR #7373)
  • Dev deps: bump karma-sourcemap-loader from 0.3.8 to 0.4.0. (PR #7360)
  • Chore(release): prepare release 1.13.5. (PR #7379)

New Contributors

Full Changelog: axios/axios@v1.13.4...v1.13.5

v1.13.4

Overview

The release addresses issues discovered in v1.13.3 and includes significant CI/CD improvements.

Full Changelog: v1.13.3...v1.13.4

What's New in v1.13.4

Bug Fixes

  • fix: issues with version 1.13.3 (#7352) (ee90dfc)
    • Fixed issues discovered in v1.13.3 release

... (truncated)

Commits
  • 29f7542 chore(release): prepare release 1.13.5 (#7379)
  • 431c3a3 ci: fix run condition (#7373)
  • 9ff3a78 ci: update ymls (#7372)
  • 265b712 docs: fix deprecated Buffer constructor and formatting issues in README (#7371)
  • 475e75a feat: add input validation to isAbsoluteURL (#7326)
  • 28c7215 fix: Denial of Service via proto Key in mergeConfig (#7369)
  • 04cf019 docs: clarify object check comment (#7323)
  • 696fa75 fix: status is missing in AxiosError on and after v1.13.3 (#7368)
  • 569f028 fix: added a option to choose between legacy and the new request/response int...
  • 44b7c9f chore(deps-dev): bump karma-sourcemap-loader (#7360)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade axios to 1.13.5 in API and Extensions to pick up security fixes and v1.x improvements. This mitigates a DoS risk in mergeConfig and keeps our HTTP stack current.

  • Dependencies

    • Bump axios to ^1.13.5 in apps/api and apps/extensions.
    • Update lockfile; axios-retry and nestjs-http-promise now resolve against axios 1.13.5.
  • Migration

    • No code changes expected; verify interceptors, adapter usage, and error handling (AxiosError.status now consistently present, stricter isAbsoluteURL validation).
    • Run regression tests for HTTP requests and retry behavior.

Written for commit bbd7a78. Summary will update on new commits.

Bumps [axios](https://github.com/axios/axios) from 0.30.2 to 1.13.5.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.30.2...v1.13.5)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.13.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
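The release notes above fix a denial of service triggered by a `__proto__` key reaching `mergeConfig`. The following is an added illustration, not axios code and not a reproduction of the specific axios failure: it shows the general hazard of a recursive merge that walks untrusted keys, using a constructed attacker config (`UNTRUSTED_CONFIG`), a naive merge (`naiveMerge`) and a hardened one (`safeMerge`) that refuses prototype-related keys. The names `FORBIDDEN_KEYS`, `isPlainObject` and `demonstrate` are this example's own.

```javascript
// Added example: generic deep-merge hardening against a "__proto__" key.
// Not axios's mergeConfig; a standalone model of the class of bug.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Naive deep merge: recurses into every own key of `source`, "__proto__" included.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      // For key "__proto__", target[key] resolves to Object.prototype, so the
      // recursion writes into the prototype shared by every object in the process.
      target[key] = naiveMerge(isPlainObject(target[key]) ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: reject reserved keys outright and only recurse into
// own properties of the target, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to merge reserved key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input. JSON.parse creates an *own* property
// literally named "__proto__"; an object literal would set the prototype instead.
const UNTRUSTED_CONFIG = JSON.parse(
  '{"timeout": 1000, "__proto__": {"polluted": true}}'
);

// Runs a merge against the untrusted config and reports whether an unrelated
// fresh object observes the pollution, and whether the merge refused the input.
function demonstrate(mergeFn) {
  const probe = {};
  let error = null;
  try {
    mergeFn({ baseURL: 'https://api.example.invalid' }, UNTRUSTED_CONFIG);
  } catch (e) {
    error = e;
  }
  const polluted = probe.polluted === true;
  delete Object.prototype.polluted; // undo any pollution so later code is unaffected
  return { polluted, rejected: error instanceof TypeError };
}
```

`demonstrate(naiveMerge)` reports `polluted: true`, while `demonstrate(safeMerge)` reports `rejected: true` and no pollution. Throwing is a choice; silently skipping the reserved keys is the other common option, but a thrown error makes the hostile input visible in logs.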
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 10, 2026
cla-assistant bot commented Feb 10, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files

greptile-apps bot commented Feb 10, 2026

Greptile Overview

Greptile Summary

This PR upgrades axios from ^0.30.2 to ^1.13.5 in the API and Extensions workspaces and updates pnpm-lock.yaml accordingly.

Because this is a major-version bump, consumers of axios in other workspaces (not modified by this PR) should be re-validated; there are existing interceptor implementations that currently swallow request errors (missing return Promise.reject(...)) and will cause runtime behavior changes when axios is upgraded and those clients execute.

Confidence Score: 3/5

  • This PR is likely safe to merge after fixing existing interceptor error-propagation bugs and confirming install/test coverage outside this environment.
  • The change itself is a straightforward dependency bump, but axios is a major version upgrade and the repo contains axios clients with a definite bug (request interceptor error handler does not return the rejection). Additionally, tests/builds could not be executed here due to missing node/pnpm tooling, so runtime compatibility wasn’t verified.
  • apps/portal/app/services/api/api.ts; apps/extensions/src/app/services/api/api.ts; pnpm-lock.yaml

Important Files Changed

Filename Overview
apps/api/package.json Bumps axios dependency from ^0.30.2 to ^1.13.5.
apps/extensions/package.json Bumps axios dependency from ^0.30.2 to ^1.13.5.
pnpm-lock.yaml Updated axios to 1.13.5 in lockfile plus transitive bumps (e.g., semver/lodash/esquery) due to dependency resolution changes; needs full test/build verification.

Sequence Diagram

sequenceDiagram
  participant Dev as Developer
  participant PNPM as pnpm
  participant API as apps/api
  participant Ext as apps/extensions
  participant Lock as pnpm-lock.yaml
  participant Ax as axios@1.13.5

  Dev->>PNPM: pnpm install
  PNPM->>API: Resolve apps/api dependencies
  API->>Ax: Require axios ^1.13.5
  PNPM->>Ext: Resolve apps/extensions dependencies
  Ext->>Ax: Require axios ^1.13.5
  PNPM->>Lock: Write resolved versions
  Lock-->>Dev: axios pinned to 1.13.5

  Dev->>API: Run API code/tests
  API->>Ax: axios.create() + interceptors
  Ax-->>API: Requests/responses/errors flow

  Dev->>Ext: Run Extension code/build
  Ext->>Ax: axios.create() + interceptors
  Ax-->>Ext: Requests/responses/errors flow

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 3 comments

greptile-apps bot commented Feb 10, 2026

Additional Comments (3)

apps/portal/app/services/api/api.ts
Interceptor swallows errors

The request interceptor error handler doesn’t return the rejection (Promise.reject(error);), so the interceptor chain resolves with undefined and request failures can be silently swallowed. This will break error propagation regardless of axios version; with the axios major bump it’s important this gets fixed.

  (error: any) => {
    return Promise.reject(error);
  },

apps/extensions/src/app/services/api/api.ts
Interceptor swallows errors

Same issue as the portal API client: the request interceptor error handler calls Promise.reject(error) but doesn’t return it, so request errors won’t propagate correctly.

  (error: any) => {
    return Promise.reject(error);
  },

apps/portal/app/services/rebrandly/index.ts
Wrong axios response shape

api here is a fresh axios instance without the response => response.data interceptor used in services/api/api.ts, so await api.post(...) returns an AxiosResponse. Accessing res.data?.shortUrl is fine, but the current code double-serializes the body (JSON.stringify(linkRequest)) while also setting 'Content-Type': 'application/json'. Axios will not JSON-serialize a pre-stringified payload, and this can break server-side parsing if it expects an object (common for JSON APIs).

Prefer sending the plain object so axios applies JSON transform consistently.

    const res = await api.post('/v1/links', linkRequest);
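The two interceptor comments above describe an error handler that calls `Promise.reject(error)` without returning it. The following added example (not project code, and not using axios itself) models the interceptor pipeline as a plain promise chain so the difference can be observed offline: `runChain`, `swallowingInterceptor`, `propagatingInterceptor`, `observe` and the constructed `REQUEST_FAILURE` error are this example's own names. It also records where the un-returned rejection ends up, which is Node's `unhandledRejection` event rather than the caller.

```javascript
// Added example: why a request-interceptor error handler must *return* the
// rejection. Standalone model of the chain; not axios's implementation.

// Collect rejections nobody handled. Without a listener, Node (v15+) terminates
// the process on the first dangling Promise.reject created below.
const leakedRejections = [];
process.on('unhandledRejection', (reason) => { leakedRejections.push(reason); });

// Each interceptor is a {fulfilled, rejected} pair chained with .then(), which
// is how an axios-style interceptor pipeline is applied to a request promise.
function runChain(initial, interceptors) {
  let promise = initial;
  for (const { fulfilled, rejected } of interceptors) {
    promise = promise.then(fulfilled, rejected);
  }
  return promise;
}

// Constructed failure: the request stage rejects before any interceptor runs.
const REQUEST_FAILURE = new Error('constructed: request setup failed');

const swallowingInterceptor = {
  fulfilled: (config) => config,
  rejected: (error) => {
    Promise.reject(error); // BUG: a new rejected promise is created, then dropped
  },                       // the handler itself returns undefined
};

const propagatingInterceptor = {
  fulfilled: (config) => config,
  rejected: (error) => {
    return Promise.reject(error); // FIX: returning it keeps the chain rejected
  },
};

// Runs the chain with one interceptor and reports what the caller sees, plus
// how many rejections leaked to the process-level handler instead.
async function observe(interceptor) {
  let outcome;
  try {
    const value = await runChain(Promise.reject(REQUEST_FAILURE), [interceptor]);
    outcome = { state: 'fulfilled', value };
  } catch (e) {
    outcome = { state: 'rejected', error: e };
  }
  // Give Node one turn of the event loop to emit 'unhandledRejection'.
  await new Promise((resolve) => setTimeout(resolve, 0));
  outcome.leaked = leakedRejections.splice(0).length;
  return outcome;
}
```

With the swallowing handler, `observe` reports the chain as `fulfilled` with `value: undefined` and one leaked rejection: the caller's `await api.get(...)` would proceed with `undefined` as its response. With the returning handler the caller gets the original error and nothing leaks. Run the two `observe` calls sequentially, since they share the leak counter.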

