Bumps [axios](https://github.com/axios/axios) from 1.13.2 to 1.15.0. <details> <summary>Release notes</summary> Sourced from <a href="https://github.com/axios/axios/releases">axios's releases</a>. <blockquote> <h2>v1.15.0</h2> This release delivers two critical security patches, adds runtime support for Deno and Bun, and includes significant CI hardening, documentation improvements, and routine dependency updates. <h2>⚠️ Important Changes</h2> <ul> <li>Deprecation: <code>url.parse()</code> usage has been replaced to address Node.js deprecation warnings. If you are on a recent version of Node.js, this resolves console warnings you may have been seeing. (<a href="https://redirect.github.com/axios/axios/issues/10625">#10625</a>)</li> </ul> <h2>🔒 Security Fixes</h2> <ul> <li>Proxy Handling: Fixed a <code>no_proxy</code> hostname normalisation bypass that could lead to Server-Side Request Forgery (SSRF). (<a href="https://redirect.github.com/axios/axios/issues/10661">#10661</a>)</li> <li>Header Injection: Fixed an unrestricted cloud metadata exfiltration vulnerability via a header injection chain. (<a href="https://redirect.github.com/axios/axios/issues/10660">#10660</a>)</li> </ul> <h2>🚀 New Features</h2> <ul> <li>Runtime Support: Added compatibility checks and documentation for Deno and Bun environments. (<a href="https://redirect.github.com/axios/axios/issues/10652">#10652</a>, <a href="https://redirect.github.com/axios/axios/issues/10653">#10653</a>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li>CI Security: Hardened workflow permissions to least privilege, added the <code>zizmor</code> security scanner, pinned action versions, and gated npm publishing with OIDC and environment protection. (<a href="https://redirect.github.com/axios/axios/issues/10618">#10618</a>, <a href="https://redirect.github.com/axios/axios/issues/10619">#10619</a>, <a href="https://redirect.github.com/axios/axios/issues/10627">#10627</a>, <a href="https://redirect.github.com/axios/axios/issues/10637">#10637</a>, <a href="https://redirect.github.com/axios/axios/issues/10666">#10666</a>)</li> <li>Dependencies: Bumped <code>serialize-javascript</code>, <code>handlebars</code>, <code>picomatch</code>, <code>vite</code>, and <code>denoland/setup-deno</code> to latest versions. Added a 7-day Dependabot cooldown period. (<a href="https://redirect.github.com/axios/axios/issues/10574">#10574</a>, <a href="https://redirect.github.com/axios/axios/issues/10572">#10572</a>, <a href="https://redirect.github.com/axios/axios/issues/10568">#10568</a>, <a href="https://redirect.github.com/axios/axios/issues/10663">#10663</a>, <a href="https://redirect.github.com/axios/axios/issues/10664">#10664</a>, <a href="https://redirect.github.com/axios/axios/issues/10665">#10665</a>, <a href="https://redirect.github.com/axios/axios/issues/10669">#10669</a>, <a href="https://redirect.github.com/axios/axios/issues/10670">#10670</a>, <a href="https://redirect.github.com/axios/axios/issues/10616">#10616</a>)</li> <li>Documentation: Unified docs, improved <code>beforeRedirect</code> credential leakage example, clarified <code>withCredentials</code>/<code>withXSRFToken</code> behaviour, HTTP/2 support notes, async/await timeout error handling, header case preservation, and various typo fixes. (<a href="https://redirect.github.com/axios/axios/issues/10649">#10649</a>, <a href="https://redirect.github.com/axios/axios/issues/10624">#10624</a>, <a href="https://redirect.github.com/axios/axios/issues/7452">#7452</a>, <a href="https://redirect.github.com/axios/axios/issues/7471">#7471</a>, <a href="https://redirect.github.com/axios/axios/issues/10654">#10654</a>, <a href="https://redirect.github.com/axios/axios/issues/10644">#10644</a>, <a href="https://redirect.github.com/axios/axios/issues/10589">#10589</a>)</li> <li>Housekeeping: Removed stale files, regenerated lockfile, and updated sponsor scripts and blocks. (<a href="https://redirect.github.com/axios/axios/issues/10584">#10584</a>, <a href="https://redirect.github.com/axios/axios/issues/10650">#10650</a>, <a href="https://redirect.github.com/axios/axios/issues/10582">#10582</a>, <a href="https://redirect.github.com/axios/axios/issues/10640">#10640</a>, <a href="https://redirect.github.com/axios/axios/issues/10659">#10659</a>, <a href="https://redirect.github.com/axios/axios/issues/10668">#10668</a>)</li> <li>Tests: Added regression coverage for urlencoded <code>Content-Type</code> casing. (<a href="https://redirect.github.com/axios/axios/issues/10573">#10573</a>)</li> </ul> <h2>🌟 New Contributors</h2> We are thrilled to welcome our new contributors. Thank you for helping improve Axios: <ul> <li><a href="https://github.com/raashish1601"><code>@raashish1601</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10573">#10573</a>)</li> <li><a href="https://github.com/Kilros0817"><code>@Kilros0817</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10625">#10625</a>)</li> <li><a href="https://github.com/ashstrc"><code>@ashstrc</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10624">#10624</a>)</li> <li><a href="https://github.com/Abhi3975"><code>@Abhi3975</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10589">#10589</a>)</li> <li><a href="https://github.com/theamodhshetty"><code>@theamodhshetty</code></a> (<a href="https://redirect.github.com/axios/axios/issues/7452">#7452</a>)</li> </ul> <h2>v1.14.0</h2> This release focuses on compatibility fixes, adapter stability improvements, and test/tooling modernisation. <h2>⚠️ Important Changes</h2> <ul> <li>Breaking Changes: None identified in this release.</li> <li>Action Required: If you rely on env-based proxy behaviour or CJS resolution edge-cases, validate your integration after upgrade (notably <code>proxy-from-env</code> v2 alignment and <code>main</code> entry compatibility fix).</li> </ul> <h2>🚀 New Features</h2> <ul> <li>Runtime Features: No new end-user features were introduced in this release.</li> <li>Test Coverage Expansion: Added broader smoke/module test coverage for CJS and ESM package usage. (<a href="https://redirect.github.com/axios/axios/pull/7510">#7510</a>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li>Headers: Trim trailing CRLF in normalised header values. (<a href="https://redirect.github.com/axios/axios/pull/7456">#7456</a>)</li> <li>HTTP/2: Close detached HTTP/2 sessions on timeout to avoid lingering sessions. (<a href="https://redirect.github.com/axios/axios/pull/7457">#7457</a>)</li> <li>Fetch Adapter: Cancel <code>ReadableStream</code> created during request-stream capability probing to prevent async resource leaks. (<a href="https://redirect.github.com/axios/axios/pull/7515">#7515</a>)</li> <li>Proxy Handling: Fixed env proxy behavior with <code>proxy-from-env</code> v2 usage. (<a href="https://redirect.github.com/axios/axios/pull/7499">#7499</a>)</li> </ul>  </blockquote> ... (truncated) </details> <details> <summary>Changelog</summary> Sourced from <a href="https://github.com/axios/axios/blob/v1.x/CHANGELOG.md">axios's changelog</a>. <blockquote> <h2>v1.15.0 — April 7, 2026</h2> This release delivers two critical security patches targeting header injection and SSRF via proxy bypass, adds official runtime support for Deno and Bun, and includes significant CI security hardening. <h2>🔒 Security Fixes</h2> <ul> <li> Header Injection (CRLF): Rejects any header value containing <code>\r</code> or <code>\n</code> characters to block CRLF injection chains that could be used to exfiltrate cloud metadata (IMDS). Behavior change: headers with CR/LF now throw <code>"Invalid character in header content"</code>. (<a href="https://redirect.github.com/axios/axios/issues/10660">#10660</a>) </li> <li> SSRF via <code>no_proxy</code> Bypass: Introduces a <code>shouldBypassProxy</code> helper that normalises hostnames (strips trailing dots, handles bracketed IPv6) before evaluating <code>no_proxy</code>/<code>NO_PROXY</code> rules, closing a gap that could cause loopback or internal hosts to be inadvertently proxied. (<a href="https://redirect.github.com/axios/axios/issues/10661">#10661</a>) </li> </ul> <h2>🚀 New Features</h2> <ul> <li>Deno & Bun Runtime Support: Added full smoke test suites for Deno and Bun, with CI workflows that run both runtimes before any release is cut. (<a href="https://redirect.github.com/axios/axios/issues/10652">#10652</a>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li>Node.js v22 Compatibility: Replaced deprecated <code>url.parse()</code> calls with the WHATWG <code>URL</code>/<code>URLSearchParams</code> API across examples, sandbox, and tests, eliminating <code>DEP0169</code> deprecation warnings on Node.js v22+. (<a href="https://redirect.github.com/axios/axios/issues/10625">#10625</a>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li> CI Security Hardening: Added <a href="https://github.com/zizmorcore/zizmor">zizmor</a> GitHub Actions security scanner; switched npm publish to OIDC Trusted Publishing (removing the long-lived <code>NODE_AUTH_TOKEN</code>); pinned all action references to full commit SHAs; narrowed workflow permissions to least privilege; gated the publish step behind a dedicated <code>npm-publish</code> environment; and blocked the sponsor-block workflow from running on forks. (<a href="https://redirect.github.com/axios/axios/issues/10618">#10618</a>, <a href="https://redirect.github.com/axios/axios/issues/10619">#10619</a>, <a href="https://redirect.github.com/axios/axios/issues/10627">#10627</a>, <a href="https://redirect.github.com/axios/axios/issues/10637">#10637</a>, <a href="https://redirect.github.com/axios/axios/issues/10641">#10641</a>, <a href="https://redirect.github.com/axios/axios/issues/10666">#10666</a>) </li> <li> Docs: Clarified HTTP/2 support and the unsupported <code>httpVersion</code> option; added documentation for header case preservation; improved the <code>beforeRedirect</code> example to prevent accidental credential leakage. (<a href="https://redirect.github.com/axios/axios/issues/10644">#10644</a>, <a href="https://redirect.github.com/axios/axios/issues/10654">#10654</a>, <a href="https://redirect.github.com/axios/axios/issues/10624">#10624</a>) </li> <li> Dependencies: Bumped <code>picomatch</code>, <code>handlebars</code>, <code>serialize-javascript</code>, <code>vite</code> (×3), <code>denoland/setup-deno</code>, and 4 additional dev dependencies to latest versions. (<a href="https://redirect.github.com/axios/axios/issues/10564">#10564</a>, <a href="https://redirect.github.com/axios/axios/issues/10565">#10565</a>, <a href="https://redirect.github.com/axios/axios/issues/10567">#10567</a>, <a href="https://redirect.github.com/axios/axios/issues/10568">#10568</a>, <a href="https://redirect.github.com/axios/axios/issues/10572">#10572</a>, <a href="https://redirect.github.com/axios/axios/issues/10574">#10574</a>, <a href="https://redirect.github.com/axios/axios/issues/10663">#10663</a>, <a href="https://redirect.github.com/axios/axios/issues/10664">#10664</a>, <a href="https://redirect.github.com/axios/axios/issues/10665">#10665</a>, <a href="https://redirect.github.com/axios/axios/issues/10669">#10669</a>, <a href="https://redirect.github.com/axios/axios/issues/10670">#10670</a>) </li> </ul> <h2>🌟 New Contributors</h2> We are thrilled to welcome our new contributors. Thank you for helping improve axios: <ul> <li><a href="https://github.com/Kilros0817"><code>@Kilros0817</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10625">#10625</a>)</li> <li><a href="https://github.com/shaanmajid"><code>@shaanmajid</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10616">#10616</a>, <a href="https://redirect.github.com/axios/axios/issues/10617">#10617</a>, <a href="https://redirect.github.com/axios/axios/issues/10618">#10618</a>, <a href="https://redirect.github.com/axios/axios/issues/10619">#10619</a>, <a href="https://redirect.github.com/axios/axios/issues/10637">#10637</a>, <a href="https://redirect.github.com/axios/axios/issues/10641">#10641</a>, <a href="https://redirect.github.com/axios/axios/issues/10666">#10666</a>)</li> <li><a href="https://github.com/ashstrc"><code>@ashstrc</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10624">#10624</a>, <a href="https://redirect.github.com/axios/axios/issues/10644">#10644</a>)</li> <li><a href="https://github.com/Abhi3975"><code>@Abhi3975</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10589">#10589</a>)</li> <li><a href="https://github.com/raashish1601"><code>@raashish1601</code></a> (<a href="https://redirect.github.com/axios/axios/issues/10573">#10573</a>)</li> </ul> <a href="https://github.com/axios/axios/compare/v1.14.0...v1.15.0">Full Changelog</a> <hr /> <h2>v1.14.0 — March 27, 2026</h2> This release fixes a security vulnerability in the <code>formidable</code> dependency, resolves a CommonJS compatibility regression, hardens proxy and HTTP/2 handling, and modernises the build and test toolchain. <h2>🔒 Security Fixes</h2> <ul> <li>Formidable Vulnerability: Upgraded <code>formidable</code> from v2 to v3 to address a reported arbitrary-file vulnerability. Updated test server and assertions to align with the v3 API. (<a href="https://redirect.github.com/axios/axios/issues/7533">#7533</a>)</li> </ul> <h2>🐛 Bug Fixes</h2>  </blockquote> ... (truncated) </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/axios/axios/commit/772a4e54ecc4cc2421e2b746daff0aca10f359d7"><code>772a4e5</code></a> chore(release): prepare release 1.15.0 (<a href="https://redirect.github.com/axios/axios/issues/10671">#10671</a>)</li> <li><a href="https://github.com/axios/axios/commit/4b071371be2f810b4bc7797a13838e0f806ebb22"><code>4b07137</code></a> chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (<a href="https://redirect.github.com/axios/axios/issues/10663">#10663</a>)</li> <li><a href="https://github.com/axios/axios/commit/51e57b39db251bfe3d34af5c943dfea18e06c8b6"><code>51e57b3</code></a> chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (<a href="https://redirect.github.com/axios/axios/issues/10664">#10664</a>)</li> <li><a href="https://github.com/axios/axios/commit/fba1a77930f0c459677b729161627234b88c90aa"><code>fba1a77</code></a> chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (<a href="https://redirect.github.com/axios/axios/issues/10665">#10665</a>)</li> <li><a href="https://github.com/axios/axios/commit/0bf6e28eac86e87da2b60bbf5ea4237910e1a08e"><code>0bf6e28</code></a> chore(deps): bump denoland/setup-deno in the github-actions group (<a href="https://redirect.github.com/axios/axios/issues/10669">#10669</a>)</li> <li><a href="https://github.com/axios/axios/commit/8107157c572ee4a54cb28c01ab7f7f3d895ba661"><code>8107157</code></a> chore(deps-dev): bump the development_dependencies group with 4 updates (<a href="https://redirect.github.com/axios/axios/issues/10670">#10670</a>)</li> <li><a href="https://github.com/axios/axios/commit/e66530e3302d56176befd0778155dafea2487542"><code>e66530e</code></a> ci: require npm-publish environment for releases (<a href="https://redirect.github.com/axios/axios/issues/10666">#10666</a>)</li> <li><a href="https://github.com/axios/axios/commit/49f23cbfe4d308a075281c5f798d4c68f648cbe2"><code>49f23cb</code></a> chore(sponsor): update sponsor block (<a href="https://redirect.github.com/axios/axios/issues/10668">#10668</a>)</li> <li><a href="https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"><code>3631854</code></a> fix: unrestricted cloud metadata exfiltration via header injection chain (<a href="https://redirect.github.com/axios/axios/issues/10">#10</a>...</li> <li><a href="https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"><code>fb3befb</code></a> fix: no_proxy hostname normalization bypass leads to ssrf (<a href="https://redirect.github.com/axios/axios/issues/10661">#10661</a>)</li> <li>Additional commits viewable in <a href="https://github.com/axios/axios/compare/v1.13.2...v1.15.0">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> This version was pushed to npm by [GitHub Actions](<a href="https://www.npmjs.com/~GitHub">https://www.npmjs.com/~GitHub</a> Actions), a new releaser for axios since your current version. </details> <details> <summary>Install script changes</summary> This version modifies <code>prepare</code> script that runs during installation. Review the package contents before updating. </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>