SWI-3723 [Snyk] Security upgrade axios from 1.6.1 to 1.15.0

[bwappsec]

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• samples/client/petstore/typescript-axios/builds/with-npm-version/package.json
• samples/client/petstore/typescript-axios/builds/with-npm-version/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Unintended Proxy or Intermediary ('Confused Deputy') SNYK-JS-AXIOS-15965856	329
	HTTP Response Splitting SNYK-JS-AXIOS-15969258	245

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[bwappsec]

This upgrade from axios v1.6.1 to v1.15.0 introduces significant changes, including one documented breaking change and a critical security hardening measure that may affect specific use cases.

Breaking Change (from v1.8.0):

• URL Handling: The logic for handling absolute URLs in requests has changed. Previously, an absolute url in a request would ignore the configured baseURL. Now, the default behavior is to combine the baseURL and the request url. To retain the old behavior, you must explicitly set the allowAbsoluteUrls: true configuration option.

Important Security Change (from v1.15.0):

• Configuration Merging: To address a security vulnerability, Axios now blocks the merging of the __proto__ key within configuration objects. If your application relies on unconventional deep-merging patterns that modify the object prototype through Axios config, this will no longer work.

Other Changes:

• The update includes numerous bug fixes, security patches (including fixes for SSRF and header injection), and adds runtime support for Deno and Bun.

Recommendation:

• Review all instances where a baseURL is configured to ensure that request URLs are constructed as expected. Use the allowAbsoluteUrls: true flag where necessary.
• Verify that your application does not rely on prototype merging in Axios configurations.

Source: GitHub Releases

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[bwappsec]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.