
Bump axios from 1.13.6 to 1.15.2 by dependabot[bot] · Pull Request #74 · learningequality/.github

Dependency Update Review

Package: axios 1.13.6 → 1.15.2
Semver risk: Minor (two releases)
Dependency type: Production
CI status: Passing ✓

Changelog Analysis

Sources consulted:

  • Dependabot-sourced release notes for v1.15.1 and v1.15.2 (PR body)

Breaking changes: None within the 1.x range.

Security fixes (v1.15.1):

  • Header injection hardening (#10749)
  • CRLF stripping in multipart headers (#10758)
  • Prototype pollution / auth bypass: in → hasOwnProperty for config objects (#10761, #10760)
  • withXSRFToken truthy bypass — prevented cross-origin XSRF token leaking (#10762)
  • maxBodyLength enforcement when maxRedirects: 0 (#10753)
  • Streamed response maxContentLength bypass fix (#10754)
  • Follow-up CVE completion (#10755)

Security fixes (v1.15.2):

  • Prototype pollution hardening in HTTP adapter, resolveConfig, mergeConfig — null-prototype config objects (#10779)
  • SSRF via socketPath: rejects non-string values, adds allowedSocketPaths allowlist (#10777)
  • Supply-chain hardening: .npmrc ignore-scripts=true, lockfile lint CI, scoped CODEOWNERS (#10776)

Bug fixes: Keep-alive socket memory leak (#10788), FormData handling, progress event clamping.

On the "Install script changes" flag: Dependabot notes that this version modifies axios's own prepare script. This is the supply-chain hardening in #10776 — axios updated their own CI scripts and added ignore-scripts=true to their .npmrc. Positive signal, not a concern.

Transitive dependency: proxy-from-env bumped ^1.1.0 → ^2.1.0 (major bump of a transitive dep; CI validates no breakage).

Compatibility Assessment

  • Project uses affected APIs: No direct usage found — axios is not require()'d anywhere in scripts/*.js. All HTTP calls go through github.rest.* from the GitHub Actions toolkit. Security fixes are unlikely to affect runtime behavior either way.
  • Code changes required: No — no breaking API changes in 1.x.
  • Prior failed attempts: None found in PR comments or history.

Recommendation

Safe to merge. Two releases of significant security fixes (prototype pollution, SSRF, header injection, XSRF token leak) with no breaking API changes and passing CI. See inline suggestion.


@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly

How was this generated?

Reviewed the pull request diff checking for:

  • Correctness: bugs, edge cases, undocumented behavior, resource leaks, hardcoded values
  • Design: unnecessary complexity, naming, readability, comment accuracy, redundant state
  • Architecture: duplicated concerns, minimal interfaces, composition over inheritance
  • Testing: behavior-based assertions, mocks only at hard boundaries, accurate coverage
  • Completeness: missing dependencies, unupdated usages, i18n, accessibility, security
  • Principles: DRY (same reason to change), SRP, Rule of Three (no premature abstraction)
  • Checked CI status and linked issue acceptance criteria
  • For UI changes: inspected screenshots for layout, visual completeness, and consistency
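The review above lists two config-handling hardenings (`in` → `hasOwnProperty`, and null-prototype config objects). The following is an added illustration of that bug class, not axios's code or anything from this PR: `mergeConfigLoose` and `mergeConfigStrict` are hypothetical helpers, and the pollution of `Object.prototype` is constructed inline to stand in for an earlier unsafe merge of untrusted input.

```javascript
// Constructed setup: some earlier unsafe deep-merge of untrusted JSON has
// left an `auth` key on Object.prototype. Cleaned up again in demo().
function pollute() {
  Object.prototype.auth = { username: "injected", password: "x" };
}
function unpollute() {
  delete Object.prototype.auth;
}

// Hypothetical set of config keys a request builder copies across.
const KNOWN_KEYS = ["url", "method", "auth", "socketPath"];

// Loose merge: `in` walks the prototype chain, so the polluted `auth`
// "appears" on a plain config object that never set it, and the request
// would be sent with credentials the caller never supplied.
function mergeConfigLoose(defaults, config) {
  const out = {};
  for (const key of KNOWN_KEYS) {
    if (key in config) out[key] = config[key];
    else if (key in defaults) out[key] = defaults[key];
  }
  return out;
}

// Hardened merge: only own properties are copied, and the result has a
// null prototype so nothing can be inherited from Object.prototype later.
function mergeConfigStrict(defaults, config) {
  const own = Object.prototype.hasOwnProperty;
  const out = Object.create(null);
  for (const key of KNOWN_KEYS) {
    if (own.call(config, key)) out[key] = config[key];
    else if (own.call(defaults, key)) out[key] = defaults[key];
  }
  return out;
}

// Returns the `auth` each merge would actually hand to the HTTP layer.
function demo() {
  const defaults = { method: "get" };
  const config = { url: "https://example.invalid/api" }; // constructed, no auth set
  pollute();
  try {
    return {
      loose: mergeConfigLoose(defaults, config).auth,   // inherited polluted value
      strict: mergeConfigStrict(defaults, config).auth, // undefined
    };
  } finally {
    unpollute();
  }
}
```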