mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
5320702a8a
Bumps [axios](https://github.com/axios/axios) from 1.16.0 to 1.16.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/axios/axios/releases">axios's releases</a>.</em></p> <blockquote> <h2>v1.16.1 — May 13, 2026</h2> <p>This release ships a defence-in-depth fix for prototype pollution in <code>formDataToJSON</code>, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.</p> <h2>🔒 Security Fixes</h2> <ul> <li><strong>Prototype Pollution Defence-in-Depth:</strong> Hardened <code>formDataToJSON</code> against already-polluted <code>Object.prototype</code> by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (<strong><a href="https://redirect.github.com/axios/axios/issues/7413">#7413</a></strong>)</li> <li><strong>Proxy Cleartext Leak:</strong> Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (<strong><a href="https://redirect.github.com/axios/axios/issues/10858">#10858</a></strong>)</li> <li><strong>CI Cache Removal:</strong> Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (<strong><a href="https://redirect.github.com/axios/axios/issues/10882">#10882</a></strong>)</li> </ul> <h2>🐛 Bug Fixes</h2> <ul> <li><strong>Data URI Parsing:</strong> Updated the <code>fromDataURI</code> regex to match RFC 2397 more strictly, fixing edge cases in <code>data:</code> URL handling. (<strong><a href="https://redirect.github.com/axios/axios/issues/10829">#10829</a></strong>)</li> <li><strong>Unicode Headers:</strong> Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. 
(<strong><a href="https://redirect.github.com/axios/axios/issues/10850">#10850</a></strong>)</li> <li><strong>XHR Upload Progress:</strong> Guarded against malformed <code>ProgressEvent</code> payloads emitted by some environments during XHR upload, preventing crashes when <code>loaded</code> / <code>total</code> are missing or invalid. (<strong><a href="https://redirect.github.com/axios/axios/issues/10868">#10868</a></strong>)</li> <li><strong>Webpack 4 Fetch Adapter:</strong> Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (<strong><a href="https://redirect.github.com/axios/axios/issues/10864">#10864</a></strong>)</li> <li><strong>Type Definitions:</strong> Made <code>parseReviver</code> <code>context.source</code> optional in the type definitions to align with the ES2023 specification. (<strong><a href="https://redirect.github.com/axios/axios/issues/10837">#10837</a></strong>)</li> <li><strong>URL Object Support Reverted:</strong> Reverted the change that allowed passing a <code>URL</code> object as <code>config.url</code> (originally <strong><a href="https://redirect.github.com/axios/axios/issues/10866">#10866</a></strong>) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (<strong><a href="https://redirect.github.com/axios/axios/issues/10874">#10874</a></strong>)</li> </ul> <h2>🔧 Maintenance & Chores</h2> <ul> <li><strong>Cycle Detection Refactor:</strong> Replaced the array-based cycle tracker in <code>toJSONObject</code> with a <code>WeakSet</code>, improving performance and memory behaviour on large nested structures. (<strong><a href="https://redirect.github.com/axios/axios/issues/10832">#10832</a></strong>)</li> <li><strong>composeSignals Cleanup:</strong> Refactored <code>composeSignals</code> to use a clearer early-return structure, simplifying the cancellation/abort composition path. 
(<strong><a href="https://redirect.github.com/axios/axios/issues/10844">#10844</a></strong>)</li> <li><strong>AI Readiness & Repo Docs:</strong> Added <code>AGENTS.md</code> and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (<strong><a href="https://redirect.github.com/axios/axios/issues/10835">#10835</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10841">#10841</a></strong>)</li> <li><strong>Docs Improvements:</strong> Clarified the GET request example, fixed the interceptor <code>eject</code> example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (<strong><a href="https://redirect.github.com/axios/axios/issues/10836">#10836</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10853">#10853</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10856">#10856</a></strong>)</li> <li><strong>Sponsorship Tooling:</strong> Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (<strong><a href="https://redirect.github.com/axios/axios/issues/10843">#10843</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10859">#10859</a></strong>, <strong><a href="https://redirect.github.com/axios/axios/issues/10869">#10869</a></strong>)</li> <li><strong>Dependencies:</strong> Bumped <code>@commitlint/cli</code> from 20.5.0 to 20.5.2. (<strong><a href="https://redirect.github.com/axios/axios/issues/10846">#10846</a></strong>)</li> </ul> <h2>🌟 New Contributors</h2> <p>We are thrilled to welcome our new contributors. 
Thank you for helping improve axios:</p> <ul> <li><strong><a href="https://github.com/hpinmetaverse"><code>@hpinmetaverse</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10836">#10836</a></strong>)</li> <li><strong><a href="https://github.com/tommyhgunz14"><code>@tommyhgunz14</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/7413">#7413</a></strong>)</li> <li><strong><a href="https://github.com/abhu85"><code>@abhu85</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10829">#10829</a></strong>)</li> <li><strong><a href="https://github.com/divyanshuraj1095"><code>@divyanshuraj1095</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10853">#10853</a></strong>)</li> <li><strong><a href="https://github.com/sagodi97"><code>@sagodi97</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10856">#10856</a></strong>)</li> <li><strong><a href="https://github.com/rkdfx"><code>@rkdfx</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10868">#10868</a></strong>)</li> <li><strong><a href="https://github.com/Liuwei1125"><code>@Liuwei1125</code></a></strong> (<strong><a href="https://redirect.github.com/axios/axios/issues/10866">#10866</a></strong>)</li> </ul> <p><a href="https://github.com/axios/axios/compare/v1.16.0...v1.16.1">Full Changelog</a></p> </blockquote> </details>
<details> <summary>Commits</summary> <ul> <li><a href="https://github.com/axios/axios/commit/1337d6b537afb2d3f501074c8ac4ef4308221197"><code>1337d6b</code></a> chore(release): prepare release 1.16.1 (<a href="https://redirect.github.com/axios/axios/issues/10877">#10877</a>)</li> <li><a href="https://github.com/axios/axios/commit/858a790cec06054547d0d3f941916d6fb2a4d18e"><code>858a790</code></a> fix: remove all caches (<a href="https://redirect.github.com/axios/axios/issues/10882">#10882</a>)</li> <li><a
href="https://github.com/axios/axios/commit/34adfd90efc9c145488399e1cf7fa96de67080fa"><code>34adfd9</code></a> revert: "fix: support URL object as config.url input (<a href="https://redirect.github.com/axios/axios/issues/10866">#10866</a>)" (<a href="https://redirect.github.com/axios/axios/issues/10874">#10874</a>)</li> <li><a href="https://github.com/axios/axios/commit/847d89b43654405d9a231e0b669832c2092b621f"><code>847d89b</code></a> fix: support URL object as config.url input (<a href="https://redirect.github.com/axios/axios/issues/10866">#10866</a>)</li> <li><a href="https://github.com/axios/axios/commit/40948863677bb793bfff0293cce7e7b4f8a1b212"><code>4094886</code></a> fix(progress): guard malformed XHR upload events (<a href="https://redirect.github.com/axios/axios/issues/10868">#10868</a>)</li> <li><a href="https://github.com/axios/axios/commit/44f0c5bf73c45df6009365141faa394d73596bd7"><code>44f0c5b</code></a> chore: change sponsorship link and add Twicsy advertisement (<a href="https://redirect.github.com/axios/axios/issues/10869">#10869</a>)</li> <li><a href="https://github.com/axios/axios/commit/64e1095efedc64c9fecf5176bd9cf2e5e93140d6"><code>64e1095</code></a> chore: update PR and issue template to use h2 (<a href="https://redirect.github.com/axios/axios/issues/10865">#10865</a>)</li> <li><a href="https://github.com/axios/axios/commit/3e6b4e1f311b43aa1dc77d78150a601d9fe4b280"><code>3e6b4e1</code></a> fix: error unexpected token in fetch JS compatibility issue with Webpack 4 (#...</li> <li><a href="https://github.com/axios/axios/commit/c4453bab70f53575175903aee60810c821f72129"><code>c4453ba</code></a> fix: add the ability to add additional sponsors to the process sponsors scrip...</li> <li><a href="https://github.com/axios/axios/commit/caa00a90b524bb67ed033474abcf4d8645ced793"><code>caa00a9</code></a> fix: https data in cleartext to proxy (<a href="https://redirect.github.com/axios/axios/issues/10858">#10858</a>)</li> <li>Additional commits viewable in <a 
href="https://github.com/axios/axios/compare/v1.16.0...v1.16.1">compare view</a></li> </ul> </details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
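
The own-properties hardening described in the release notes above, as an added example that is not axios's code and not part of the commit message: it contrasts a `for...in` walk with an own-keys walk while `Object.prototype` is already polluted. All function names and the sample input are hypothetical, and the null-prototype target goes beyond what the notes state.

```javascript
// Added illustration, not axios source; all names here are hypothetical.
const isObject = (v) => v !== null && typeof v === 'object';

// Build a recursive copier from a key-listing strategy and a target factory.
function copyWith(listKeys, makeTarget) {
  return function copy(src) {
    if (Array.isArray(src)) return src.map((v) => (isObject(v) ? copy(v) : v));
    const out = makeTarget();
    for (const key of listKeys(src)) {
      out[key] = isObject(src[key]) ? copy(src[key]) : src[key];
    }
    return out;
  };
}

// for...in also yields enumerable keys inherited from Object.prototype.
const inheritedKeys = (obj) => {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
};

// Weak walk: inherited keys are copied into the result as own properties.
const copyInherited = copyWith(inheritedKeys, () => ({}));

// Hardened walk: own keys only, written into a prototype-less target
// (the null-prototype target is an extra assumption of this example).
const copyOwn = copyWith(Object.keys, () => Object.create(null));

// Simulate a prototype that was already polluted elsewhere, then restore it.
function withPollutedPrototype(fn) {
  Object.prototype.isAdmin = true; // constructed pollution
  try {
    return fn();
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function demo() {
  const parsed = { user: { name: 'alice', roles: ['dev'] } }; // constructed input
  return withPollutedPrototype(() => {
    const weak = copyInherited(parsed);
    const hardened = copyOwn(parsed);
    return {
      weakJson: JSON.stringify(weak),
      hardenedJson: JSON.stringify(hardened),
      weakHasFlag: 'isAdmin' in weak.user,
      hardenedHasFlag: 'isAdmin' in hardened.user,
    };
  });
}

console.log(demo());
```

The weak walk turns the inherited key into an own property, so it survives serialization and outlives any later cleanup of the prototype; the own-keys walk never sees it.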