chore(deps): bump axios from 1.15.1 to 1.15.2
Open
Number: #613
Type: Pull Request
State: Open
Type: Pull Request
State: Open
Author:
![dependabot[bot]](https://github.com/dependabot.png)
dependabot[bot]
Association: Unknown
Comments: 3
dependabot[bot]Association: Unknown
Comments: 3
Created:
May 07, 2026 at 11:42 PM UTC
(about 1 month ago)
(about 1 month ago)
Updated:
May 07, 2026 at 11:47 PM UTC
(about 1 month ago)
(about 1 month ago)
Labels:
dependencies javascript
dependencies javascript
Description:
Bumps axios from 1.15.1 to 1.15.2.
Release notes
Sourced from axios's releases.
v1.15.2
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in
allowedSocketPathsallowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.🔒 Security Fixes
- Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and
resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing pollutedauth,baseURL,socketPath,beforeRedirect, andinsecureHTTPParserfrom influencing requests. (#10779)- SSRF via
socketPath: Rejects non-stringsocketPathvalues and adds an opt-inallowedSocketPathsconfig option to restrict permitted Unix domain socket paths, returningAxiosErrorERR_BAD_OPTION_VALUEon mismatch. (#10777)- Supply-chain Hardening: Added
.npmrcwithignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expandedSECURITY.md/THREATMODEL.mdwith provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)🚀 New Features
allowedSocketPathsConfig Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)🐛 Bug Fixes
- Keep-alive Socket Memory Leak: Installs a single per-socket
errorlistener tracking the active request viakAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation,MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)🔧 Maintenance & Chores
- Changelog: Updated
CHANGELOG.mdwith v1.15.1 release notes. (#10781)
Changelog
Sourced from axios's changelog.
v1.15.2 - April 21, 2026
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in
allowedSocketPathsallowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.🔒 Security Fixes
- Prototype Pollution Hardening (HTTP Adapter): Hardened the Node HTTP adapter and
resolveConfig/mergeConfig/validator paths to read only own properties and use null-prototype config objects, preventing pollutedauth,baseURL,socketPath,beforeRedirect, andinsecureHTTPParserfrom influencing requests. (#10779)- SSRF via
socketPath: Rejects non-stringsocketPathvalues and adds an opt-inallowedSocketPathsconfig option to restrict permitted Unix domain socket paths, returningAxiosErrorERR_BAD_OPTION_VALUEon mismatch. (#10777)- Supply-chain Hardening: Added
.npmrcwithignore-scripts=true, lockfile lint CI, non-blocking reproducible build diff, scoped CODEOWNERS, expandedSECURITY.md/THREATMODEL.mdwith provenance verification (npm audit signatures), 60-day resolution policy, and maintainer incident-response runbook. (#10776)🚀 New Features
allowedSocketPathsConfig Option: New request config option (and TypeScript types) to allowlist Unix domain socket paths used by the Node http adapter; backwards compatible when unset. (#10777)🐛 Bug Fixes
- Keep-alive Socket Memory Leak: Installs a single per-socket
errorlistener tracking the active request viakAxiosSocketListener/kAxiosCurrentReq, eliminating per-request listener accumulation,MaxListenersExceededWarning, and linear heap growth under concurrent or long-running keep-alive workloads (fixes #10780). (#10788)🔧 Maintenance & Chores
- Changelog: Updated
CHANGELOG.mdwith v1.15.1 release notes. (#10781)
Commits
5829343chore(release): prepare release 1.15.2 (#10789)4709a48fix: added fix for memory leak in sockets (#10788)be33360chore: update changelog (#10781)4791514fix: more header pollutions (#10779)6feafcffix: socket issue (#10777)302e273docs: update docs, add a couple actions etc (#10776)- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
Package Dependencies
Technical Details
| ID: | 15688659 |
| UUID: | 4402662048 |
| Node ID: | PR_kwDOHMCX5c7ZVzVv |
| Host: | GitHub |
| Repository: | cameri/nostream |