chore(deps): bump axios from 0.27.2 to 0.32.0

[dependabot]

Bumps axios from 0.27.2 to 0.32.0.

Release notes

Sourced from axios's releases.

v0.32.0 — May 4, 2026

This release backports a comprehensive set of security and hardening fixes from the v1.x branch into v0.x, covering prototype-pollution protections, default error redaction, stricter proxy/cookie/socket handling, and one breaking change to merged config and header object prototypes.

⚠️ Breaking Changes & Deprecations

• Null-prototype merged objects: mergeConfig and header merging now return objects with a null prototype to block prototype-pollution gadgets. Consumers must use Object.prototype.hasOwnProperty.call(obj, key) and avoid implicit string coercion against merged config or header objects. (#10838)

🔒 Security Fixes

• Default error redaction: AxiosError.toJSON() now redacts sensitive keys by default to prevent credential leaks in logs. The behavior is configurable via config.redact, with defaults exposed on defaults.redact. (#10838)
• Cookie & XSRF handling: Cookie names are read literally rather than via regex, and only own properties are respected when evaluating withXSRFToken. (#10838)
• Proxy bypass IPv6 parity: NO_PROXY matching now handles canonical IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 and ::ffff:7f00:1. (#10838)
• Node http adapter hardening: Strips Proxy-Authorization when no proxy is in use and gates socketPath behind a new allowedSocketPaths allowlist (string or array, normalized) to reduce accidental Unix socket exposure. (#10838)
• Browser xhr adapter: Stricter own-property checks when reading config and headers. (#10838)
• URL parameters: AxiosURLSearchParams keeps %00 encoded and applies consistent encoding throughout. (#10838)
• Public type surface: Adds formDataHeaderPolicy, redact, and allowedSocketPaths to the TypeScript declarations alongside their runtime defaults. (#10838)

🔧 Maintenance & Chores

• Repo hygiene: Updates README.md and CHANGELOG.md, adds AGENTS.md, and refreshes the issue and PR templates. (#10838)

Full Changelog

v0.31.1

This release backports a broad set of security hardenings from the v1 line — covering prototype-pollution defences, stream size enforcement, XSRF handling, URL null-byte encoding, and bounded FormData recursion — and drops committed dist/ artefacts along with Bower support.

⚠️ Breaking Changes & Deprecations

• Bower & Committed dist/ Removed: dist/ bundles are no longer committed to the repo, and bower.json plus the Grunt package2bower task have been removed. CI still builds bundles before publish, so npm/yarn/pnpm consumers are unaffected; installs via Bower or directly from the git tree must migrate to npm or a CDN. (#10747)

🔒 Security Fixes

• Prototype Pollution in Header Merge (GHSA-6chq-wfr3-2hj9): Tightened isFormData to reject plain/null-prototype objects and require append, and guarded the Node HTTP adapter so data.getHeaders() is only merged when it is not inherited from Object.prototype. Blocks injected headers via polluted getHeaders. (#10750)
• Prototype Pollution in Config Merging (GHSA-pf86-5x62-jrwf): mergeConfig, defaults resolution, and the HTTP adapter now uses own-property checks for transport, env, Blob, formSerializer, and transforms arrays, and merged configs are returned as null-prototype objects. Prevents hijacking of the request flow through polluted prototypes. (#10752)
• FormData / Params Recursion DoS: Added a configurable maxDepth (default 100, Infinity disables) to toFormData and params serialisation, throwing AxiosError with code ERR_FORM_DATA_DEPTH_EXCEEDED when exceeded. Circular-reference detection is preserved. (#10728)
• Null-Byte Injection in Query Strings: Removed the unsafe %00 → null-byte substitution from AxiosURLSearchParams.encode so %00 is preserved as-is. Other encoding behaviour (including %20 → +) unchanged. (#10737)
• Consolidated v1 Security Backport: Rolls up remaining v1 hardenings into v0.x: maxContentLength enforcement for responseType: 'stream' via a guarded transform with deferred piping, maxBodyLength enforcement for streamed uploads on native http/https with maxRedirects: 0, and stricter withXSRFToken handling so only own boolean true enables cross-origin XSRF headers. (#10764)

🔧 Maintenance & Chores

• CODEOWNERS: Added .github/CODEOWNERS with * @jasonsaayman to set a default reviewer for all paths. (#10740)

Full Changelog

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

... (truncated)

Commits

• 8db2d44 chore: bump version to v0.32.0 (#10840)
• 2af6116 chore: backport fixes from the v1x branch (#10838)
• a589dc5 chore: bump version to v0.31.1 (#10766)
• b0c632f fix: backport security issues (#10764)
• b52187f fix: harden config merging (#10752)
• e3ddeb4 fix: header security issues (#10750)
• f4f2d76 chore: stop committing dist/ and remove bower (#10747)
• 1f2f644 chore: add CODEOWNERS (#10740)
• 44bca90 fix: improve regex in AxiosURLSearchParams (#10737)
• 4c4f07f fix: form data recursion (#10728)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

---

Note

Medium Risk
axios drives outbound HTTP across integrations, token refresh, and workers; 0.32’s security-related breaking changes and the shift from 1.x to 0.x on several packages warrant regression testing on external API calls and error logging.

Overview
Standardizes axios on ^0.32.0 (or ~0.32.0) across the monorepo: backend moves from 0.27.2, and multiple services apps and libs (common_services, database, integrations, nango, opensearch, enrichment/security/script workers, etc.) that previously pinned axios 1.x are aligned to the same 0.32 line. pnpm-lock.yaml is refreshed so workspace installs resolve axios@0.32.0 for those packages, with related transitive bumps (e.g. follow-redirects, form-data, proxy-from-env) and lockfile-only churn for some AWS SDK peer wiring and third-party packages still on axios 1.17.0.

0.32 brings backported security fixes (header/config prototype pollution, stricter XSRF/proxy/socket handling, default error redaction) plus a breaking behavior: merged config/header objects use a null prototype, which can affect code that assumes normal object inheritance on axios config merges.

^{Reviewed by Cursor Bugbot for commit 53cc1df. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

• feat: add user authentication (CM-123)
• feat: add user authentication (IN-123)

Projects:

• CM: Community Data Platform
• IN: Insights

Please add a Jira issue key to your PR title.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 53cc1df. Configure here.}

[cursor]

Clearbit needle SSH resolution

Medium Severity

Regenerating the lockfile switched clearbit’s needle dependency from an anonymous HTTPS tarball to a git resolution whose metadata points at git@github.com:clearbit/needle.git. That can make pnpm install fail in CI or other environments that previously worked without GitHub SSH keys.

Additional Locations (1)

• pnpm-lock.yaml#L14879-L14880

 

^{Reviewed by Cursor Bugbot for commit 53cc1df. Configure here.}