[Snyk] Upgrade axios from 1.4.0 to 1.13.1

[codingdud]

Snyk has created this PR to upgrade axios from 1.4.0 to 1.13.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 37 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-site Request Forgery (CSRF) SNYK-JS-AXIOS-6032459	666	Proof of Concept
	Prototype Pollution SNYK-JS-AXIOS-6144788	666	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-7361793	666	Proof of Concept
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	666	Proof of Concept
	Allocation of Resources Without Limits or Throttling SNYK-JS-AXIOS-12613773	666	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-AXIOS-6124857	666	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-9292519	666	Proof of Concept
	Server-side Request Forgery (SSRF) SNYK-JS-AXIOS-9403194	666	No Known Exploit
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	666	Proof of Concept

Release notes

Package name: axios

• 1.13.1 - 2025-10-28
  

  Release notes:

  Bug Fixes

  • http: fixed a regression that caused the data stream to be interrupted for responses with non-OK HTTP statuses; (#7193) (bcd5581)

  Contributors to this release

  • Anchal Singh
  • Dmitriy Mozgovoy
• 1.13.0 - 2025-10-27
  

  Release notes:

  Bug Fixes

  • fetch: prevent TypeError when config.env is undefined (#7155) (015faec)
  • resolve issue #7131 (added spacing in mergeConfig.js) (#7133) (9b9ec98)

  Features

  • http: add HTTP2 support; (#7150) (d676df7)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Noritaka Kobayashi
  • Aviraj2929
  • prasoon patel
  • Samyak Dandge
  • Anchal Singh
  • Rahul Kumar
  • Amit Verma
  • Abhishek3880
  • Dhvani Maktuporia
  • Usama Ayoub
  • ikuy1203
  • Nikhil Simon Toppo
  • Jane Wangari
  • Supakorn Ieamgomol
  • Kian-Meng Ang
  • UTSUMI Keiji
• 1.12.2 - 2025-09-14
  

  Release notes:

  Bug Fixes

  • fetch: use current global fetch instead of cached one when env fetch is not specified to keep MSW support; (#7030) (cf78825)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Noritaka Kobayashi
• 1.12.1 - 2025-09-12
  

  Release notes:

  Bug Fixes

  • types: fixed env config types; (#7020) (b5f26b7)

  Contributors to this release

  • Dmitriy Mozgovoy
• 1.12.0 - 2025-09-11
  

  Release notes:

  Bug Fixes

  • adding build artifacts (9ec86de)
  • dont add dist on release (a2edc36)
  • fetch-adapter: set correct Content-Type for Node FormData (#6998) (a9f47af)
  • node: enforce maxContentLength for data: URLs (#7011) (945435f)
  • package exports (#5627) (aa78ac2)
  • params: removing '[' and ']' from URL encode exclude characters (#3316) (#5715) (6d84189)
  • release pr run (fd7f404)
  • types: change the type guard on isCancel (#5595) (0dbb7fd)

  Features

  • adapter: surface low‑level network error details; attach original error via cause (#6982) (78b290c)
  • fetch: add fetch, Request, Response env config variables for the adapter; (#7003) (c959ff2)
  • support reviver on JSON.parse (#5926) (2a97634), closes #5924
  • types: extend AxiosResponse interface to include custom headers type (#6782) (7960d34)

  Contributors to this release

  • Willian Agostini
  • Dmitriy Mozgovoy
  • khani
  • Ameer Assadi
  • Emiedonmokumo Dick-Boro
  • Zeroday BYTE
  • Jason Saayman
  • 최예찬
  • Gligor Kotushevski
  • Aleksandar Dimitrov
• 1.11.0 - 2025-07-23
  

  Release notes:

  Bug Fixes

  • form-data npm pakcage (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

  Contributors to this release

  • izzy goldman
  • Manish Sahani
  • Noritaka Kobayashi
  • James Nail
  • Tejaswi1305
• 1.10.0 - 2025-06-14
  

  Release notes:

  Bug Fixes

  • adapter: pass fetchOptions to fetch function (#6883) (0f50af8)
  • form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)
  • package: add module entry point for React Native; (#6933) (3d343b8)

  Features

  • types: improved fetchOptions interface (#6867) (63f1fce)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Noritaka Kobayashi
  • Dimitrios Lazanas
  • Adrian Knapp
  • Howie Zhao
  • Uhyeon Park
  • Sampo Silvennoinen
• 1.9.0 - 2025-04-24
  

  Release notes:

  Bug Fixes

  • core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
  • fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
  • headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
  • headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)
  • headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)
  • http: send minimal end multipart boundary (#6661) (987d2e2)
  • types: fix autocomplete for adapter config (#6855) (e61a893)

  Features

  • AxiosHeaders: add getSetCookie method to retrieve set-cookie headers values (#5707) (80ea756)

  Contributors to this release

  • Dmitriy Mozgovoy
  • Jay
  • Willian Agostini
  • George Cheng
  • FatahChan
  • Ionuț G. Stan
• 1.8.4 - 2025-03-19
• 1.8.3 - 2025-03-12
• 1.8.2 - 2025-03-07
• 1.8.1 - 2025-02-26
• 1.8.0 - 2025-02-26
• 1.7.9 - 2024-12-04
• 1.7.8 - 2024-11-25
• 1.7.7 - 2024-08-31
• 1.7.6 - 2024-08-30
• 1.7.5 - 2024-08-23
• 1.7.4 - 2024-08-13
• 1.7.3 - 2024-08-01
• 1.7.2 - 2024-05-21
• 1.7.1 - 2024-05-20
• 1.7.0 - 2024-05-19
• 1.7.0-beta.2 - 2024-05-19
• 1.7.0-beta.1 - 2024-05-07
• 1.7.0-beta.0 - 2024-04-28
• 1.6.8 - 2024-03-15
• 1.6.7 - 2024-01-25
• 1.6.6 - 2024-01-24
• 1.6.5 - 2024-01-05
• 1.6.4 - 2024-01-03
• 1.6.3 - 2023-12-26
• 1.6.2 - 2023-11-14
• 1.6.1 - 2023-11-08
• 1.6.0 - 2023-10-26
• 1.5.1 - 2023-09-26
• 1.5.0 - 2023-08-26
• 1.4.0 - 2023-04-27

from axios GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
simpform	Error			Nov 23, 2025 7:31am

[gemini-code-assist]

Summary of Changes

Hello @codingdud, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, aims to enhance the security and stability of the project by upgrading the 'axios' HTTP client library from version '1.4.0' to '1.13.1'. This significant update resolves a range of critical and moderate security vulnerabilities and introduces various bug fixes and new features accumulated over 37 versions, ensuring the application benefits from the latest improvements and protections.

Highlights

• Dependency Upgrade: Upgrades the 'axios' package from version '1.4.0' to '1.13.1', incorporating 37 new versions.
• Security Fixes: Addresses multiple high and medium severity vulnerabilities, including Cross-site Request Forgery (CSRF), Prototype Pollution, Server-side Request Forgery (SSRF), Improper Handling of Extra Parameters, Allocation of Resources Without Limits or Throttling, Regular Expression Denial of Service (ReDoS), and Information Exposure.
• Transitive Dependency Updates: Updates several transitive dependencies such as 'follow-redirects', 'form-data', 'function-bind', 'get-intrinsic', 'gopd', 'has-symbols', 'has-tostringtag', and 'es-set-tostringtag', and introduces new ones like 'call-bind-apply-helpers', 'dunder-proto', 'es-define-property', 'es-errors', 'es-object-atoms', 'get-proto', 'hasown', and 'math-intrinsics'.
• New Features and Bug Fixes: Incorporates numerous bug fixes and new features from the updated 'axios' versions, including HTTP2 support, improved fetch adapter options, and various type definition enhancements.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request upgrades axios from version 1.4.0 to 1.13.1. This is an important security update that resolves multiple vulnerabilities, including Cross-site Request Forgery (CSRF), Prototype Pollution, and Server-side Request Forgery (SSRF). While this is a minor version upgrade, it spans 37 individual releases. I have added a comment regarding a specific change in URL parameter encoding in axios@1.12.0 which could be a potential breaking change. Given the large version jump, thorough end-to-end testing of features that rely on axios is highly recommended to ensure no regressions are introduced.

[gemini-code-assist]

The upgrade to axios@1.13.1 is a large version jump. It's worth noting that axios@1.12.0 introduced a change to how URL parameters are encoded. Specifically, [ and ] characters are now URL-encoded in query parameters to better align with RFC3986. This may affect how array parameters are sent and interpreted by your backend, especially if it has specific expectations for the format of array parameters (e.g., param[]=value1&param[]=value2). This change could potentially introduce subtle bugs if your backend parsing is strict.