[Snyk] Upgrade axios from 0.25.0 to 1.6.7

[aravindvnair99]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade axios from 0.25.0 to 1.6.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 38 versions ahead of your current version.
• The recommended version was released a month ago, on 2024-01-25.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Internal Property Tampering SNYK-JS-TAFFYDB-2992450	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Prototype Pollution SNYK-JS-AXIOS-6144788	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Improper Input Validation SNYK-JS-FOLLOWREDIRECTS-6141137	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Improper Authentication SNYK-JS-JSONWEBTOKEN-3180022	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Improper Restriction of Security Token Assignment SNYK-JS-JSONWEBTOKEN-3180024	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Use of a Broken or Risky Cryptographic Algorithm SNYK-JS-JSONWEBTOKEN-3180026	482/1000 Why? Proof of Concept exploit, CVSS 7.5	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-WORDWRAP-3149973	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept
	Prototype Pollution SNYK-JS-MINIMIST-2429795	482/1000 Why? Proof of Concept exploit, CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: axios

• 1.6.7 - 2024-01-25
  

  Release notes:

  Bug Fixes

  • capture async stack only for rejections with native error objects; (#6203) (1a08f90)

  Contributors to this release

  • Dmitriy Mozgovoy
  • zhoulixiang
• 1.6.6 - 2024-01-24
  

  Release notes:

  Bug Fixes

  • fixed missed dispatchBeforeRedirect argument (#5778) (a1938ff)
  • wrap errors to improve async stack trace (#5987) (123f354)

  Contributors to this release

  • Ilya Priven
  • Zao Soula
• 1.6.5 - 2024-01-05
  

  Release notes:

  Bug Fixes

  • ci: refactor notify action as a job of publish action; (#6176) (0736f95)
  • dns: fixed lookup error handling; (#6175) (f4f2b03)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Jay
• 1.6.4 - 2024-01-03
  

  Release notes:

  Bug Fixes

  • security: fixed formToJSON prototype pollution vulnerability; (#6167) (3c0c11c)
  • security: fixed security vulnerability in follow-redirects (#6163) (75af1cd)

  Contributors to this release

  • Jay
  • Dmitriy Mozgovoy
  • Guy Nesher
• 1.6.3 - 2023-12-26
  

  Release notes:

  Bug Fixes

  • Regular Expression Denial of Service (ReDoS) (#6132) (5e7ad38)

  Contributors to this release

  • Jay
  • Willian Agostini
  • Dmitriy Mozgovoy
• 1.6.2 - 2023-11-14
  

  Release notes:

  Features

  • withXSRFToken: added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046) (cff9967)

  PRs

  • feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old `withCredentials` behavior; ( #6046 )

  
  📢 This PR added 'withXSRFToken' option as a replacement for old withCredentials behaviour. 
  You should now use withXSRFToken along with withCredential to get the old behavior.
  This functionality is considered as a fix.
  

  Contributors to this release

  • Dmitriy Mozgovoy
  • Ng Choon Khon (CK)
  • Muhammad Noman
• 1.6.1 - 2023-11-08
  

  Release notes:

  Bug Fixes

  • formdata: fixed content-type header normalization for non-standard browser environments; (#6056) (dd465ab)
  • platform: fixed emulated browser detection in node.js environment; (#6055) (3dc8369)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Fabian Meyer
• 1.6.0 - 2023-10-26
  

  Release notes:

  Bug Fixes

  • CSRF: fixed CSRF vulnerability CVE-2023-45857 (#6028) (96ee232)
  • dns: fixed lookup function decorator to work properly in node v20; (#6011) (5aaff53)
  • types: fix AxiosHeaders types; (#5931) (a1c8ad0)

  PRs

  • CVE 2023 45857 ( #6028 )

  
  ⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459
  

  Contributors to this release

  • Dmitriy Mozgovoy
  • Valentin Panov
  • Rinku Chaudhari
• 1.5.1 - 2023-09-26
  

  Release notes:

  Bug Fixes

  • adapters: improved adapters loading logic to have clear error messages; (#5919) (e410779)
  • formdata: fixed automatic addition of the Content-Type header for FormData in non-browser environments; (#5917) (bc9af51)
  • headers: allow content-encoding header to handle case-insensitive values (#5890) (#5892) (4c89f25)
  • types: removed duplicated code (9e62056)

  Contributors to this release

  • Dmitriy Mozgovoy
  • David Dallas
  • Sean Sattler
  • Mustafa Ateş Uzun
  • Przemyslaw Motacki
  • Michael Di Prisco
• 1.5.0 - 2023-08-26
  

  Release notes:

  Bug Fixes

  • adapter: make adapter loading error more clear by using platform-specific adapters explicitly (#5837) (9a414bb)
  • dns: fixed cacheable-lookup integration; (#5836) (b3e327d)
  • headers: added support for setting header names that overlap with class methods; (#5831) (d8b4ca0)
  • headers: fixed common Content-Type header merging; (#5832) (8fda276)

  Features

  • export getAdapter function (#5324) (ca73eb8)
  • export: export adapters without unsafe prefix (#5839) (1601f4a)

  Contributors to this release

  • Dmitriy Mozgovoy
  • 夜葬
  • Jonathan Budiman
  • Michael Di Prisco
• 1.4.0 - 2023-04-27
• 1.3.6 - 2023-04-19
• 1.3.5 - 2023-04-05
• 1.3.4 - 2023-02-22
• 1.3.3 - 2023-02-13
• 1.3.2 - 2023-02-03
• 1.3.1 - 2023-02-01
• 1.3.0 - 2023-01-31
• 1.2.6 - 2023-01-28
• 1.2.5 - 2023-01-26
• 1.2.4 - 2023-01-24
• 1.2.3 - 2023-01-17
• 1.2.2 - 2022-12-29
• 1.2.1 - 2022-12-05
• 1.2.0 - 2022-11-22
• 1.2.0-alpha.1 - 2022-11-10
• 1.1.3 - 2022-10-15
• 1.1.2 - 2022-10-07
• 1.1.1 - 2022-10-07
• 1.1.0 - 2022-10-06
• 1.0.0 - 2022-10-04
• 1.0.0-alpha.1 - 2022-05-31
• 0.28.0 - 2024-02-12
• 0.27.2 - 2022-04-27
• 0.27.1 - 2022-04-26
• 0.27.0 - 2022-04-25
• 0.26.1 - 2022-03-09
• 0.26.0 - 2022-02-13
• 0.25.0 - 2022-01-18

from axios GitHub release notes

Commit messages

Package name: axios

• a52e4d9 chore(release): v1.6.7 (#6204)
• 2b69888 chore: remove unnecessary check (#6186)
• 1a08f90 fix: capture async stack only for rejections with native error objects; (#6203)
• 104aa3f chore(release): v1.6.6 (#6199)
• a1938ff fix: fixed missed dispatchBeforeRedirect argument (#5778)
• 123f354 fix: wrap errors to improve async stack trace (#5987)
• 6d4c421 chore(release): v1.6.5 (#6177)
• 0736f95 fix(ci): refactor notify action as a job of publish action; (#6176)
• f4f2b03 fix(dns): fixed lookup error handling; (#6175)
• 1f73dcb docs: update sponsor links
• 8790b8e chore(release): v1.6.4 (#6173)
• 0ad520d chore(ci): fix notify action; (#6172)
• 3c0c11c fix(security): fixed formToJSON prototype pollution vulnerability; (#6167)
• 75af1cd fix(security): fixed security vulnerability in follow-redirects (#6163)
• 90864b3 docs: update logos
• 1542719 docs: updated headline sponsors
• b15b918 chore(release): v1.6.3 (#6151)
• b76cce0 chore(ci): added branches filter for notify action; (#6084)
• 5e7ad38 fix: Regular Expression Denial of Service (ReDoS) (#6132)
• 8befb86 docs: update alloy link (#6145)
• d18f40d docs: add headline sponsors
• b3be365 chore(release): v1.6.2 (#6082)
• 8739acb chore(ci): removed redundant release action; (#6081)
• bfa9c30 chore(docs): fix outdated grunt to npm scripts (#6073)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[guardrails]

⚠️ We detected 2 security issues in this pull request:

Insecure File Management (1)

Severity	Details	Docs
High	Title: Path Traversal from user input Spot-the-Hole/functions/index.js Line 562 in 06bd757 path.join(os.tmpdir(), path.basename(req.files.file[0].fieldname)),	📚

More info on how to fix Insecure File Management in JavaScript.

---

Insecure Use of Crypto (1)

Severity	Details	Docs
Medium	Title: Insecure use of random generator Spot-the-Hole/functions/index.js Line 204 in 06bd757 result += characters.charAt(Math.floor(Math.random() * charactersLength));	📚

More info on how to fix Insecure Use of Crypto in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

[stale]

Automatically marked as stale due to lack of recent activity. Will be closed if no further activity occurs. Thank you for your contributions.

[stale]

Automatically closed due to lack of recent activity. Tag @aravindvnair99 to reopen. Thank you for your contributions.