From c6dc67e50f2ad5464045685f5f18b97d2d62c58e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 6 Nov 2025 19:13:12 +0000
Subject: [PATCH 1/2] chore(deps): bump axios from 1.8.4 to 1.12.0

Bumps [axios](https://github.com/axios/axios) from 1.8.4 to 1.12.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.8.4...v1.12.0)
---
updated-dependencies:
- dependency-name: axios
dependency-version: 1.12.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot]
---
package.json | 2 +-
yarn.lock | 13 +------------
2 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/package.json b/package.json
index 9e33772568f..8177197cf88 100644
--- a/package.json
+++ b/package.json
@@ -93,7 +93,7 @@
 "@type-cacheable/ioredis-adapter": "^10.0.4",
 "agentkeepalive": "^4.6.0",
 "app-store-server-api": "^0.16.0",
- "axios": "1.8.4",
+ "axios": "1.12.0",
 "base64url": "^3.0.1",
 "bn.js": "^5.2.1",
 "class-transformer": "^0.5.1",
diff --git a/yarn.lock b/yarn.lock
index bf8f2261a58..6f271c46fbb 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -25190,17 +25190,6 @@ __metadata: languageName: node linkType: hard -"axios@npm:1.8.4": - version: 1.8.4 - resolution: "axios@npm:1.8.4" - dependencies: - follow-redirects: "npm:^1.15.6" - form-data: "npm:^4.0.0" - proxy-from-env: "npm:^1.1.0" - checksum: 10c0/450993c2ba975ffccaf0d480b68839a3b2435a5469a71fa2fb0b8a55cdb2c2ae47e609360b9c1e2b2534b73dfd69e2733a1cf9f8215bee0bcd729b72f801b0ce - languageName: node - linkType: hard - "axios@npm:^1.5.1, axios@npm:^1.6.0, axios@npm:^1.6.7, axios@npm:^1.7.4, axios@npm:^1.8.2, axios@npm:^1.8.3": version: 1.10.0 resolution: "axios@npm:1.10.0"
@@ -35184,7 +35173,7 @@ __metadata: agentkeepalive: "npm:^4.6.0" app-store-server-api: "npm:^0.16.0" autoprefixer: "npm:^10.4.14" - axios: "npm:1.8.4" + axios: "npm:1.12.0" babel-eslint: "npm:^10.1.0" babel-jest: "npm:29.7.0" base64url: "npm:^3.0.1"
From 0e6c85c5fc8a8853a5dc401b0dfc5463c5e3aa65 Mon Sep 17 00:00:00 2001
From: Valerie Pomerleau
Date: Fri, 28 Nov 2025 12:21:41 -0800
Subject: [PATCH 2/2] feat(axios): harden error/header handling for axios 1.12 upgrade

Because:
* Axios 1.12 changes around AxiosHeaders and error typing can break unsafe assumptions.
* Spreading defaults.headers and unguarded response/status access risk runtime issues.
This commit:
* profile.client.ts: narrow with axios.isAxiosError; guard response/status; avoid spreading defaults.headers in getUserinfo; set only Authorization
* pubsub-proxy.controller.ts: use axios.isAxiosError and guard err.response before accessing/returning it
* client-capability.service.ts: guard response.status with axios.isAxiosError
* No functional changes intended beyond safer error/header handling.
Closes #
---
libs/profile/client/src/lib/profile.client.ts | 12 +++++++-----
.../client-capability/client-capability.service.ts | 9 +++++----
.../src/pubsub-proxy/pubsub-proxy.controller.ts | 11 +++++------
3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/libs/profile/client/src/lib/profile.client.ts b/libs/profile/client/src/lib/profile.client.ts
index 26221963de9..f98263789f0 100644
--- a/libs/profile/client/src/lib/profile.client.ts
+++ b/libs/profile/client/src/lib/profile.client.ts
@@ -69,10 +69,11 @@ export class ProfileClient {
 try {
 return (await this.axiosInstance[method](endpoint, requestData)).data;
 } catch (err) {
- const response = err.response || {};
- if (err.errno > -1 || (response.status && response.status < 500)) {
- throw new ProfileClientError(err);
- } else {
+ if (axios.isAxiosError(err)) {
+ const status = err.response?.status;
+ if ((err as any).errno > -1 || (status !== undefined && status < 500)) {
+ throw new ProfileClientError(err);
+ }
 throw new ProfileClientServiceFailureError(
 this.config.serviceName,
 method,
@@ -80,6 +81,7 @@ export class ProfileClient {
 err
 );
 }
+ throw err;
 }
 }
@@ -124,8 +126,8 @@ export class ProfileClient {
 const userinfo = await this.makeRequest(
 userinfoUrl,
 {
+ // This is an override for specific keys, other default headers will be merged automatically by axios
 headers: {
- ...this.axiosInstance.defaults.headers,
 Authorization: `Bearer ${accessToken}`,
 },
 },
diff --git a/packages/fxa-event-broker/src/client-capability/client-capability.service.ts b/packages/fxa-event-broker/src/client-capability/client-capability.service.ts
index a4799f692e2..0ab6eb62dc8 100644
--- a/packages/fxa-event-broker/src/client-capability/client-capability.service.ts
+++ b/packages/fxa-event-broker/src/client-capability/client-capability.service.ts
@@ -51,13 +51,14 @@ export class ClientCapabilityService
 if (throwOnError) {
 throw ExtendedError.withCause(
 'Unexpected error fetching client capabilities from auth-server',
- err
+ err as Error
 );
 }
 this.log.error('updateCapabilities', {
- status: err.response
- ? (err.response as AxiosResponse).status
- : undefined,
+ status:
+ axios.isAxiosError(err) && err.response
+ ? err.response.status
+ : undefined,
 message: 'Error fetching client capabilities.',
 });
 Sentry.captureException(err);
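Review bot: Errors that are not Axios errors now leave `makeRequest` unwrapped: the classification sits inside `if (axios.isAxiosError(err))`, and the `throw err;` added in the next hunk (`@@ -80,6 +81,7 @@`) rethrows everything else, whereas the removed `else` branch turned every remaining failure into `ProfileClientServiceFailureError`. Callers that match on the two client error classes would no longer see those failures, which is more than the description's "No functional changes intended". To keep the old contract, narrow only the response access, `const status = axios.isAxiosError(err) ? err.response?.status : undefined;`, and leave both throws outside the guard. `(err as any).errno` could be `(err as { errno?: number }).errno` so the comparison stays typed. The method body starts before this hunk and ends in the next one.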
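Review bot: The comment added above `headers` in the `@@ -124,8 +126,8 @@` hunk says what axios does but not why the spread had to go, and nothing in the change checks that the instance defaults still reach the userinfo request. In axios, `defaults.headers` is keyed by `common` and per-method buckets rather than being a flat header map, so a wording such as `// Set only Authorization; axios merges the instance defaults itself. Do not spread defaults.headers here (it is not a flat header map).` would record the reason. A unit test asserting that the outgoing request carries both a default header and the bearer value would pin the behaviour down. The `makeRequest` call continues past the end of the hunk.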
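Review bot: `err as Error` in the `ExtendedError.withCause(...)` call of client-capability.service.ts is an unchecked assertion on the catch variable, so a thrown value that is not an `Error` would be passed on as the cause without the type system noticing. The same cast is added in pubsub-proxy.controller.ts at `throw ExtendedError.withCause('Proxy delivery error', err as Error);`. A runtime narrowing keeps the type honest in both places: `err instanceof Error ? err : new Error(String(err))`. The enclosing method starts and ends outside this hunk.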
diff --git a/packages/fxa-event-broker/src/pubsub-proxy/pubsub-proxy.controller.ts b/packages/fxa-event-broker/src/pubsub-proxy/pubsub-proxy.controller.ts
index e62151a8655..80dfbc27ff6 100644
--- a/packages/fxa-event-broker/src/pubsub-proxy/pubsub-proxy.controller.ts
+++ b/packages/fxa-event-broker/src/pubsub-proxy/pubsub-proxy.controller.ts
@@ -126,11 +126,11 @@ export class PubsubProxyController {
 }
 return response;
 } catch (err) {
- if (err.response) {
+ if (axios.isAxiosError(err) && err.response) {
 // Proxy normal HTTP responses that aren't 200.
 this.metrics.increment(`proxy.fail`, {
 clientId,
- statusCode: (err.response as AxiosResponse).status.toString(),
+ statusCode: String(err.response.status),
 type: message.event,
 });
 this.log.debug('proxyDeliverFail', {
@@ -138,11 +138,10 @@ export class PubsubProxyController {
 message: 'failed to proxy message',
 });
 return err.response;
- } else {
- this.log.error('proxyDeliverError', { err });
- Sentry.captureException(err);
- throw ExtendedError.withCause('Proxy delivery error', err);
 }
+ this.log.error('proxyDeliverError', { err });
+ Sentry.captureException(err);
+ throw ExtendedError.withCause('Proxy delivery error', err as Error);
 }
 }
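Review bot: `this.log.error('proxyDeliverError', { err });` in the `@@ -138,11 +138,10 @@` hunk writes the whole error object to the log, and after this change it is the path for Axios errors without a `response` as well as for everything else. An AxiosError carries `config` and `request`, so the log entry and the `Sentry.captureException(err)` event can contain the delivery URL, the outgoing request headers and the proxied message body; whether either sink scrubs those fields is not visible in this diff. Logging selected fields avoids depending on that: `this.log.error('proxyDeliverError', { message: err instanceof Error ? err.message : String(err), code: axios.isAxiosError(err) ? err.code : undefined });`. The catch block belongs to a method that starts before the first hunk of this file.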