chore(deps): bump axios from 1.13.1 to 1.15.0#4012
chore(deps): bump axios from 1.13.1 to 1.15.0#4012dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
dependabot
Bot
added
dependencies
|
|
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
3 similar comments
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/axios-1.15.0
branch
from
765d53b to
eb2c2f0
Compare
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
1 similar comment
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| "@octokit/request": "^5.6.3", | ||
| "@octokit/rest": "^22.0.0", | ||
| "axios": "^1.13.1", | ||
| "axios": "^0.31.0", |
There was a problem hiding this comment.
Axios downgraded from 1.x to 0.x across all services
High Severity
The PR title says "bump axios from 1.13.1 to 1.15.0" but every service package is being changed from axios@^1.x to axios@^0.31.0, which is a major version downgrade, not an upgrade. The backend/package.json changing from ^0.27.2 to ^0.31.0 is fine (staying in 0.x), but all ~12 service packages that were on ^1.6.x/^1.8.x/^1.13.x are now also set to ^0.31.0. Axios 0.x has different error handling semantics, JSON parsing behavior, and request/response transforms compared to 1.x. Code relying on 1.x behavior — such as axios.isAxiosError(), AxiosError types, and consistent error-throwing patterns — may break or behave differently at runtime.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit eb2c2f0. Configure here.
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/axios-1.15.0
branch
from
eb2c2f0 to
f376e14
Compare
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
2 similar comments
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit f376e14. Configure here.
| "@crowd/redis": "workspace:*", | ||
| "@crowd/types": "workspace:*", | ||
| "axios": "^1.6.8", | ||
| "axios": "^0.31.0", |
There was a problem hiding this comment.
Services downgraded from axios 1.x to 0.x
High Severity
The PR claims to bump axios from 1.13.1 to 1.15.0, but it actually downgrades all 12+ service packages from axios 1.x to ^0.31.0. Only backend/package.json (previously on ^0.27.2) is correctly updated within the 0.x line. Every service under services/apps/ and services/libs/ was on various axios 1.x versions and is now incorrectly pinned to ^0.31.0. Axios 0.x and 1.x have significant API differences in error handling, headers structure, TypeScript types (e.g., InternalAxiosRequestConfig), and parameter serialization. This will likely cause runtime failures across all affected services.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit f376e14. Configure here.
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
Bumps [axios](https://github.com/axios/axios) from 1.13.1 to 1.15.0. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v1.13.1...v1.15.0) --- updated-dependencies: - dependency-name: axios dependency-version: 1.15.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/axios-1.15.0
branch
from
f376e14 to
0a3b202
Compare
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
1 similar comment
|
Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability. Example:
Projects:
Please add a Jira issue key to your PR title. |
1 participant
Bumps axios from 1.13.1 to 1.15.0.
Release notes
Sourced from axios's releases.
... (truncated)
Changelog
Sourced from axios's changelog.
... (truncated)
Commits
772a4e5chore(release): prepare release 1.15.0 (#10671)4b07137chore(deps-dev): bump vite from 8.0.0 to 8.0.5 in /tests/smoke/esm (#10663)51e57b3chore(deps-dev): bump vite from 8.0.2 to 8.0.5 (#10664)fba1a77chore(deps-dev): bump vite from 8.0.2 to 8.0.5 in /tests/module/esm (#10665)0bf6e28chore(deps): bump denoland/setup-deno in the github-actions group (#10669)8107157chore(deps-dev): bump the development_dependencies group with 4 updates (#10670)e66530eci: require npm-publish environment for releases (#10666)49f23cbchore(sponsor): update sponsor block (#10668)3631854fix: unrestricted cloud metadata exfiltration via header injection chain (#10...fb3befbfix: no_proxy hostname normalization bypass leads to ssrf (#10661)Maintainer changes
This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for axios since your current version.
Install script changes
This version modifies
preparescript that runs during installation. Review the package contents before updating.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
High Risk
This changes the HTTP client version across many backend services from Axios v1.x to v0.31.0, which is a major downgrade and may break request/interceptor behavior or TypeScript types at runtime. Lockfile updates also alter transitive networking/proxy packages, increasing the chance of subtle outbound HTTP behavior changes.
Overview
Updates dependency versions across the backend/worker workspace, primarily around HTTP tooling.
Replaces Axios
1.xusages inbackendand multipleservices/apps/*andservices/libs/*packages withaxios@0.31.0, and regeneratespnpm-lock.yamlaccordingly (including updatedfollow-redirects,form-data, andproxy-from-enventries).Lockfile changes also adjust a few other resolved artifacts (e.g.,
needlesource forclearbit) as part of the dependency re-resolution.Reviewed by Cursor Bugbot for commit 0a3b202. Bugbot is set up for automated code reviews on this repo. Configure here.