chore(deps): update dependency axios to v1.16.1

[red-hat-konflux]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	1.14.0 → 1.16.1

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

axios/axios (axios)

v1.16.1

Compare Source

v1.16.1 — May 13, 2026

This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.

🔒 Security Fixes

• Prototype Pollution Defence-in-Depth: Hardened formDataToJSON against already-polluted Object.prototype by walking own properties only, so attacker-controlled keys inherited from a poisoned prototype cannot propagate through deserialization. (#​7413)
• Proxy Cleartext Leak: Fixed an issue where HTTPS request data could be transmitted in cleartext to an HTTP proxy under certain configurations. (#​10858)
• CI Cache Removal: Removed all GitHub Actions caches as a defence-in-depth measure against cache poisoning vectors in the build pipeline. (#​10882)

🐛 Bug Fixes

• Data URI Parsing: Updated the fromDataURI regex to match RFC 2397 more strictly, fixing edge cases in data: URL handling. (#​10829)
• Unicode Headers: Preserved Unicode header values when running through request interceptors, so non-ASCII header content is no longer corrupted before dispatch. (#​10850)
• XHR Upload Progress: Guarded against malformed ProgressEvent payloads emitted by some environments during XHR upload, preventing crashes when loaded / total are missing or invalid. (#​10868)
• Webpack 4 Fetch Adapter: Fixed an "unexpected token" error caused by syntax in the fetch adapter that Webpack 4 could not parse, restoring compatibility for legacy bundler users. (#​10864)
• Type Definitions: Made parseReviver context.source optional in the type definitions to align with the ES2023 specification. (#​10837)
• URL Object Support Reverted: Reverted the change that allowed passing a URL object as config.url (originally #​10866) due to regressions; this support will be reintroduced in a later release once the underlying issues are addressed. (#​10874)

🔧 Maintenance & Chores

• Cycle Detection Refactor: Replaced the array-based cycle tracker in toJSONObject with a WeakSet, improving performance and memory behaviour on large nested structures. (#​10832)
• composeSignals Cleanup: Refactored composeSignals to use a clearer early-return structure, simplifying the cancellation/abort composition path. (#​10844)
• AI Readiness & Repo Docs: Added AGENTS.md and related contributor-guide updates for both human and AI agents, plus post-release documentation improvements. (#​10835, #​10841)
• Docs Improvements: Clarified the GET request example, fixed the interceptor eject example to reference the correct instance, and corrected the Buzzoid sponsor description in the README. (#​10836, #​10853, #​10856)
• Sponsorship Tooling: Fixed empty sponsor arrays in the sponsor processing script, added the ability to inject additional sponsors, updated the sponsorship link, and added a Twicsy advertisement entry. (#​10843, #​10859, #​10869)
• Dependencies: Bumped @commitlint/cli from 20.5.0 to 20.5.2. (#​10846)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

• @​hpinmetaverse (#​10836)
• @​tommyhgunz14 (#​7413)
• @​abhu85 (#​10829)
• @​divyanshuraj1095 (#​10853)
• @​sagodi97 (#​10856)
• @​rkdfx (#​10868)
• @​Liuwei1125 (#​10866)

Full Changelog

v1.16.0

Compare Source

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

v1.15.2

Compare Source

This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.

v1.15.1

Compare Source

This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.

v1.15.0

Compare Source

Bug Fixes

• headers: fixed & optimized clear method; (#​5507) (9915635)
• http: add zlib headers if missing (#​5497) (65e8d1e)

Features

• fomdata: added support for spec-compliant FormData & Blob types; (#​5316) (6ac574e)

Contributors to this release

• Dmitriy Mozgovoy
• ItsNotGoodName

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.6 (2023-01-28)

Bug Fixes

• headers: added missed Authorization accessor; (#​5502) (342c0ba)
• types: fixed CommonRequestHeadersList & CommonResponseHeadersList types to be private in commonJS; (#​5503) (5a3d0a3)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.5 (2023-01-26)

Bug Fixes

• types: fixed AxiosHeaders to handle spread syntax by making all methods non-enumerable; (#​5499) (580f1e8)

Contributors to this release

• Dmitriy Mozgovoy
• Elliot Ford

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.4 (2023-01-22)

Bug Fixes

• types: renamed RawAxiosRequestConfig back to AxiosRequestConfig; (#​5486) (2a71f49)
• types: fix AxiosRequestConfig generic; (#​5478) (9bce81b)

Contributors to this release

• Dmitriy Mozgovoy
• Daniel Hillmann

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

1.2.3 (2023-01-10)

Bug Fixes

• types: fixed AxiosRequestConfig header interface by refactoring it to RawAxiosRequestConfig; (#​5420) (0811963)

Contributors to this release

• Dmitriy Mozgovoy

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.2] - 2022-12-29

Fixed

• fix(ci): fix release script inputs #​5392
• fix(ci): prerelease scipts #​5377
• fix(ci): release scripts #​5376
• fix(ci): typescript tests #​5375
• fix: Brotli decompression #​5353
• fix: add missing HttpStatusCode #​5345

Chores

• chore(ci): set conventional-changelog header config #​5406
• chore(ci): fix automatic contributors resolving #​5403
• chore(ci): improved logging for the contributors list generator #​5398
• chore(ci): fix release action #​5397
• chore(ci): fix version bump script by adding bump argument for target version #​5393
• chore(deps): bump decode-uri-component from 0.2.0 to 0.2.2 #​5342
• chore(ci): GitHub Actions Release script #​5384
• chore(ci): release scripts #​5364

Contributors to this release

• Dmitriy Mozgovoy
• Winnie

[1.2.1] - 2022-12-05

Changed

• feat(exports): export mergeConfig #​5151

Fixed

• fix(CancelledError): include config #​4922
• fix(general): removing multiple/trailing/leading whitespace #​5022
• fix(headers): decompression for responses without Content-Length header #​5306
• fix(webWorker): exception to sending form data in web worker #​5139

Refactors

• refactor(types): AxiosProgressEvent.event type to any #​5308
• refactor(types): add missing types for static AxiosError.from method #​4956

Chores

• chore(docs): remove README link to non-existent upgrade guide #​5307
• chore(docs): typo in issue template name #​5159

Contributors to this release

• Dmitriy Mozgovoy
• Zachary Lysobey
• Kevin Ennis
• Philipp Loose
• secondl1ght
• wenzheng
• Ivan Barsukov
• Arthur Fiorette

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.2.0] - 2022-11-10

Changed

• changed: refactored module exports #​5162
• change: re-added support for loading Axios with require('axios').default #​5225

Fixed

• fix: improve AxiosHeaders class #​5224
• fix: TypeScript type definitions for commonjs #​5196
• fix: type definition of use method on AxiosInterceptorManager to match the the README #​5071
• fix: __dirname is not defined in the sandbox #​5269
• fix: AxiosError.toJSON method to avoid circular references #​5247
• fix: Z_BUF_ERROR when content-encoding is set but the response body is empty #​5250

Refactors

• refactor: allowing adapters to be loaded by name #​5277

Chores

• chore: force CI restart #​5243
• chore: update ECOSYSTEM.md #​5077
• chore: update get/index.html #​5116
• chore: update Sandbox UI/UX #​5205
• chore:(actions): remove git credentials after checkout #​5235
• chore(actions): bump actions/dependency-review-action from 2 to 3 #​5266
• chore(packages): bump loader-utils from 1.4.1 to 1.4.2 #​5295
• chore(packages): bump engine.io from 6.2.0 to 6.2.1 #​5294
• chore(packages): bump socket.io-parser from 4.0.4 to 4.0.5 #​5241
• chore(packages): bump loader-utils from 1.4.0 to 1.4.1 #​5245
• chore(docs): update Resources links in README #​5119
• chore(docs): update the link for JSON url #​5265
• chore(docs): fix broken links #​5218
• chore(docs): update and rename UPGRADE_GUIDE.md to MIGRATION_GUIDE.md #​5170
• chore(docs): typo fix line #​856 and #​920 #​5194
• chore(docs): typo fix #​800 #​5193
• chore(docs): fix typos #​5184
• chore(docs): fix punctuation in README.md #​5197
• chore(docs): update readme in the Handling Errors section - issue reference #​5260 #​5261
• chore: remove \b from filename #​5207
• chore(docs): update CHANGELOG.md #​5137
• chore: add sideEffects false to package.json #​5025

Contributors to this release

• Maddy Miller
• Amit Saini
• ecyrbe
• Ikko Ashimine
• Geeth Gunnampalli
• Shreem Asati
• Frieder Bluemle
• 윤세영
• Claudio Busatto
• Remco Haszing
• Dmitriy Mozgovoy
• Csaba Maulis
• MoPaMo
• Daniel Fjeldstad
• Adrien Brunet
• Frazer Smith
• HaiTao
• AZM
• relbns

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.3] - 2022-10-15

Added

• Added custom params serializer support #​5113

Fixed

• Fixed top-level export to keep them in-line with static properties #​5109
• Stopped including null values to query string. #​5108
• Restored proxy config backwards compatibility with 0.x #​5097
• Added back AxiosHeaders in AxiosHeaderValue #​5103
• Pin CDN install instructions to a specific version #​5060
• Handling of array values fixed for AxiosHeaders #​5085

Chores

• docs: match badge style, add link to them #​5046
• chore: fixing comments typo #​5054
• chore: update issue template #​5061
• chore: added progress capturing section to the docs; #​5084

Contributors to this release

• Jason Saayman
• scarf
• Lenz Weber-Tronic
• Arvindh
• Félix Legrelle
• Patrick Petrovic
• Dmitriy Mozgovoy
• littledian
• ChronosMasterOfAllTime

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.2] - 2022-10-07

Fixed

• Fixed broken exports for UMD builds.

Contributors to this release

• Jason Saayman

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.1] - 2022-10-07

Fixed

• Fixed broken exports for common js. This fix breaks a prior fix, I will fix both issues ASAP but the commonJS use is more impactful.

Contributors to this release

• Jason Saayman

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.1.0] - 2022-10-06

Fixed

• Fixed missing exports in type definition index.d.ts #​5003
• Fixed query params composing #​5018
• Fixed GenericAbortSignal interface by making it more generic #​5021
• Fixed adding "clear" to AxiosInterceptorManager #​5010
• Fixed commonjs & umd exports #​5030
• Fixed inability to access response headers when using axios 1.x with Jest #​5036

Contributors to this release

• Trim21
• Dmitriy Mozgovoy
• shingo.sasaki
• Ivan Pepelko
• Richard Kořínek

PRs

• CVE 2023 45857 ( #​6028 )

⚠️ Critical vulnerability fix. See https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459

[1.0.0] - 2022-10-04

Added

• Added stack trace to AxiosError #​4624
• Add AxiosError to AxiosStatic #​4654
• Replaced Rollup as our build runner #​4596
• Added generic TS types for the exposed toFormData helper #​4668
• Added listen callback function #​4096
• Added instructions for installing using PNPM #​4207
• Added generic AxiosAbortSignal TS interface to avoid importing AbortController polyfill #​4229
• Added axios-url-template in ECOSYSTEM.md #​4238
• Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an axios instance #​4248
• Added react hook plugin #​4319
• Adding HTTP status code for transformResponse #​4580
• Added blob to the list of protocols supported by the browser #​4678
• Resolving proxy from env on redirect #​4436
• Added enhanced toFormData implementation with additional options 4704
• Adding Canceler parameters config and request #​4711
• Added automatic payload serialization to application/x-www-form-urlencoded #​4714
• Added the ability for webpack users to overwrite built-ins #​4715
• Added string[] to AxiosRequestHeaders type #​4322
• Added the ability for the url-encoded-form serializer to respect the formSerializer config #​4721
• Added isCancel type assert #​4293
• Added data URL support for node.js #​4725
• Adding types for progress event callbacks #​4675
• URL params serializer #​4734
• Added axios.formToJSON method #​4735
• Bower platform add data protocol #​4804
• Use WHATWG URL API instead of url.parse() #​4852
• Add ENUM containing Http Status Codes to typings #​4903
• Improve typing of timeout in index.d.ts #​4934

Changed

• Updated AxiosError.config to be optional in the type definition #​4665
• Updated README emphasizing the URLSearchParam built-in interface over other solutions #​4590
• Include request and config when creating a CanceledError instance #​4659
• Changed func-names eslint rule to as-needed #​4492
• Replacing deprecated substr() with slice() as substr() is deprecated #​4468
• Updating HTTP links in README.md to use HTTPS #​4387
• Updated to a better trim() polyfill #​4072
• Updated types to allow specifying partial default headers on instance create #​4185
• Expanded isAxiosError types #​4344
• Updated type definition for axios instance methods #​4224
• Updated eslint config #​4722
• Updated Docs #​4742
• Refactored Axios to use ES2017 #​4787

Deprecated

• There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case.

Removed

• Removed incorrect argument for NetworkError constructor #​4656
• Removed Webpack #​4596
• Removed function that transform arguments to array #​4544

Fixed

• Fixed grammar in README #​4649
• Fixed code error in README #​4599
• Optimized the code that checks cancellation #​4587
• Fix url pointing to defaults.js in README #​4532
• Use type alias instead of interface for AxiosPromise #​4505
• Fix some word spelling and lint style in code comments #​4500
• Edited readme with 3 updated browser icons of Chrome, FireFox and Safari #​4414
• Bump follow-redirects from 1.14.9 to 1.15.0 #​4673
• Fixing http tests to avoid hanging when assertions fail #​4435
• Fix TS definition for AxiosRequestTransformer #​4201
• Fix grammatical issues in README #​4232
• Fixing instance.defaults.headers type #​4557
• Fixed race condition on immediate requests cancellation #​4261
• Fixing Z_BUF_ERROR when no content #​4701
• Fixing proxy beforeRedirect regression #​4708
• Fixed AxiosError status code type #​4717
• Fixed AxiosError stack capturing #​4718
• Fixing AxiosRequestHeaders typings #​4334
• Fixed max body length defaults #​4731
• Fixed toFormData Blob issue on node>v17 #​4728
• Bump grunt from 1.5.2 to 1.5.3 #​4743
• Fixing content-type header repeated #​4745
• Fixed timeout error message for http 4738
• Request ignores false, 0 and empty string as body values #​4785
• Added back missing minified builds #​4805
• Fixed a type error #​4815
• Fixed a regression bug with unsubscribing from cancel token; #​4819
• Remove repeated compression algorithm #​4820
• The error of calling extend to pass parameters #​4857
• SerializerOptions.indexes allows boolean | null | undefined #​4862
• Require interceptors to return values #​4874
• Removed unused imports #​4949
• Allow null indexes on formSerializer and paramsSerializer #​4960

Chores

• Set permissions for GitHub actions #​4765
• Included githubactions in the dependabot config #​4770
• Included dependency review #​4771
• Update security.md #​4784
• Remove unnecessary spaces #​4854
• Simplify the import path of AxiosError #​4875
• Fix Gitpod dead link #​4941
• Enable syntax highlighting for a code block #​4970
• Using Logo Axios in Readme.md #​4993
• Fix markup for note in README #​4825
• Fix typo and formatting, add colons #​4853
• Fix typo in readme #​4942

Security

• Update SECURITY.md #​4687

Contributors to this release

• Bertrand Marron

• Dmitriy Mozgovoy

• Dan Mooney

• Michael Li

• aong

• Des Preston

• Ted Robertson

• zhoulixiang

• Arthur Fiorette

• Kumar Shanu

• JALAL

• Jingyi Lin

• Philipp Loose

• Alexander Shchukin

• Dave Cardwell

• Cat Scarlet

• Luca Pizzini

• Kai

• Maxime Bargiel

• Brian Helba

• reslear

• Jamie Slome

• Landro3

• rafw87

• Afzal Sayed

• Koki Oyatsu

• Dave

• 暴走老七

• Spencer

• Adrian Wieprzkowicz

• Jamie Telin

• 毛呆

• Kirill Shakirov

• Rraji Abdelbari

• Jelle Schutter

• Tom Ceuppens

• Johann Cooper

• Dimitris Halatsis

• chenjigeng

• João Gabriel Quaresma

• Victor Augusto

• neilnaveen

• Pavlos

• Kiryl Valkovich

• Naveen

• wenzheng

• hcwhan

• Bassel Rachid

• Grégoire Pineau

• felipedamin

• Karl Horky

• Yue JIN

• Usman Ali Siddiqui

• WD

• Günther Foidl

• Stephen Jennings

• C.T.Lin

• mia-z

• Parth Banathia

• parth0105pluang

• Marco Weber

• Luca Pizzini

• Willian Agostini

• Huyen Nguyen

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

To execute skipped test pipelines write comment /ok-to-test.

---

Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• mcp/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 25fe5977-a2e6-4659-af20-f209074e937f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch konflux/mintmaker/master/axios-1.x-lockfile

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}