dependabot[bot] opened a new pull request, #78:
URL: https://github.com/apache/fineract-backoffice-ui/pull/78

   Bumps [axios](https://github.com/axios/axios) from 1.15.2 to 1.18.0.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/axios/axios/releases">axios's releases</a>.</em></p>
   <blockquote>
   <h2>v1.18.0 — June 13, 2026</h2>
   <p>This release hardens redirect and URL handling, improves the 
validateStatus configuration semantics, and includes updates to documentation, 
dependencies, and release metadata.</p>
   <h2>🔒 Security Fixes</h2>
   <ul>
   <li>
   <p><strong>Redirect Header Safety:</strong> Added Node HTTP adapter support 
for stripping caller-specified sensitive headers on cross-origin redirects, 
helping prevent custom auth headers such as API keys from leaking to another 
origin. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/10892">#10892</a></strong>)</p>
   </li>
   <li>
   <p><strong>URL And Request Hardening:</strong> Rejects malformed 
<code>http:</code> and <code>https:</code> URLs that omit <code>//</code> with 
<code>ERR_INVALID_URL</code>, while tightening prototype-pollution-safe config 
reads, stream size limits, FormData depth handling, data URL sizing, and local 
<code>NO_PROXY</code> matching. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/11000">#11000</a></strong>)</p>
   </li>
   </ul>
   <h2>🐛 Bug Fixes</h2>
   <ul>
   <li><strong>Status Validation:</strong> Added 
<code>transitional.validateStatusUndefinedResolves</code> so applications can 
opt in to treating <code>validateStatus: undefined</code> like the option was 
omitted, while <code>validateStatus: null</code> remains the explicit way to 
accept every status. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/10899">#10899</a></strong>)</li>
   </ul>
   <h2>🔧 Maintenance &amp; Chores</h2>
   <ul>
   <li>
   <p><strong>Documentation:</strong> Published the v1.17.0 release notes, 
fixed a changelog typo, clarified the package update PR policy, and marked the 
<code>proxy</code> request config as Node.js-only in the advanced docs. 
(<strong><a 
href="https://redirect.github.com/axios/axios/issues/10984">#10984</a></strong>,
 <strong><a 
href="https://redirect.github.com/axios/axios/issues/10988">#10988</a></strong>,
 <strong><a 
href="https://redirect.github.com/axios/axios/issues/10992">#10992</a></strong>,
 <strong><a 
href="https://redirect.github.com/axios/axios/issues/10995">#10995</a></strong>)</p>
   </li>
   <li>
   <p><strong>Dependencies:</strong> Bumped <code>@babel/core</code>, 
<code>@babel/preset-env</code>, <code>@commitlint/cli</code>, 
<code>@commitlint/config-conventional</code>, 
<code>@rollup/plugin-babel</code>, <code>@rollup/plugin-commonjs</code>, 
<code>@vitest/browser</code>, <code>@vitest/browser-playwright</code>, 
<code>eslint</code>, <code>lint-staged</code>, <code>rollup</code>, 
<code>vitest</code>, and <code>actions/checkout</code>. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/10989">#10989</a></strong>,
 <strong><a 
href="https://redirect.github.com/axios/axios/issues/10996">#10996</a></strong>,
 <strong><a 
href="https://redirect.github.com/axios/axios/issues/10997">#10997</a></strong>)</p>
   </li>
   <li>
   <p><strong>Release Metadata:</strong> Prepared the 1.18.0 release by 
updating package metadata and the runtime <code>VERSION</code> value. 
(<strong><a 
href="https://redirect.github.com/axios/axios/issues/11003">#11003</a></strong>)</p>
   </li>
   </ul>
   <h2>🌟 New Contributors</h2>
   <p>We are thrilled to welcome our new contributors. Thank you for helping 
improve axios:</p>
   <ul>
   <li><strong><a 
href="https://github.com/drori12"><code>@drori12</code></a></strong> 
(<strong><a 
href="https://redirect.github.com/axios/axios/issues/10984">#10984</a></strong>)</li>
   <li><strong><a 
href="https://github.com/eyupcanakman"><code>@eyupcanakman</code></a></strong> 
(<strong><a 
href="https://redirect.github.com/axios/axios/issues/10899">#10899</a></strong>)</li>
   <li><strong><a 
href="https://github.com/Adi-Beker"><code>@Adi-Beker</code></a></strong> 
(<strong><a 
href="https://redirect.github.com/axios/axios/issues/10995">#10995</a></strong>)</li>
   </ul>
   <p><a href="https://github.com/axios/axios/compare/v1.17.0...v1.18.0">Full 
Changelog</a></p>
   <h2>v1.17.0 — June 1, 2026</h2>
   <p>This release adds Node HTTP zstd decompression, hardens config and 
release workflows, and fixes authentication, header, proxy, and type-handling 
regressions.</p>
   <h2>🔒 Security Fixes</h2>
   <ul>
   <li><strong>Config Hardening:</strong> Guarded <code>socketPath</code>, 
<code>params</code>, and <code>paramsSerializer</code> reads with own-property 
checks to prevent inherited prototype values from affecting request behavior, 
including SSRF-sensitive paths. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/10901">#10901</a></strong>,
 <strong><a 
href="https://redirect.github.com/axios/axios/issues/10922">#10922</a></strong>)</li>
   <li><strong>Release Publishing:</strong> Switched the publish workflow to 
npm staged publishing for safer, auditable package releases with provenance. 
(<strong><a 
href="https://redirect.github.com/axios/axios/issues/10926">#10926</a></strong>)</li>
   </ul>
   <h2>🚀 New Features</h2>
   <ul>
   <li><strong>HTTP Compression:</strong> Added Node HTTP adapter support for 
zstd response decompression, with 
<code>transitional.advertiseZstdAcceptEncoding</code> controlling whether 
<code>zstd</code> is advertised in <code>Accept-Encoding</code>. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/6792">#6792</a></strong>, 
<strong><a 
href="https://redirect.github.com/axios/axios/issues/10920">#10920</a></strong>)</li>
   </ul>
   <h2>🐛 Bug Fixes</h2>
   <ul>
   <li><strong>Authentication Handling:</strong> Restored Basic auth on 
same-origin Node redirects while continuing to strip credentials cross-origin, 
and aligned the fetch adapter with HTTP adapter behavior for URL-embedded Basic 
auth. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/10929">#10929</a></strong>,
 <strong><a 
href="https://redirect.github.com/axios/axios/issues/10896">#10896</a></strong>)</li>
   <li><strong>Proxy TLS:</strong> Preserved user <code>httpsAgent</code> TLS 
options when tunneling HTTPS requests through HTTP CONNECT proxies. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/10957">#10957</a></strong>)</li>
   <li><strong>React Native FormData:</strong> Cleared default 
<code>Content-Type</code> for React Native <code>FormData</code> so multipart 
boundaries can be generated correctly. (<strong><a 
href="https://redirect.github.com/axios/axios/issues/10898">#10898</a></strong>)</li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/axios/axios/commit/2d06f96e8602c2db13b65a26340ee4a1bbc0b61f"><code>2d06f96</code></a>
 chore(release): prepare release 1.18.0 (<a 
href="https://redirect.github.com/axios/axios/issues/11003">#11003</a>)</li>
   <li><a 
href="https://github.com/axios/axios/commit/32fc489632377d214db55bfa4e2c48486a7d7ce2"><code>32fc489</code></a>
 fix: malformed http urls (<a 
href="https://redirect.github.com/axios/axios/issues/11000">#11000</a>)</li>
   <li><a 
href="https://github.com/axios/axios/commit/b40ce498abfa10d90b873b4fd08f520afa5d2545"><code>b40ce49</code></a>
 chore(deps-dev): bump the development_dependencies group with 10 updates (<a 
href="https://redirect.github.com/axios/axios/issues/10">#10</a>...</li>
   <li><a 
href="https://github.com/axios/axios/commit/fe964f960ecb52c3e1155b0daf7be77541956b01"><code>fe964f9</code></a>
 docs: mark proxy config as Node.js only (<a 
href="https://redirect.github.com/axios/axios/issues/10995">#10995</a>)</li>
   <li><a 
href="https://github.com/axios/axios/commit/5f229d2d1f018d1db3dab6bbe034dbf3f9041b99"><code>5f229d2</code></a>
 chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 in the github-actions 
...</li>
   <li><a 
href="https://github.com/axios/axios/commit/fae9d4e7db6a858c407c75e607a071c533c5c4f6"><code>fae9d4e</code></a>
 docs: clarify package update PR policy (<a 
href="https://redirect.github.com/axios/axios/issues/10992">#10992</a>)</li>
   <li><a 
href="https://github.com/axios/axios/commit/28ab2ced820e55192806c53472ab3eb0cbb68dc2"><code>28ab2ce</code></a>
 chore(deps-dev): bump the development_dependencies group with 2 updates (<a 
href="https://redirect.github.com/axios/axios/issues/10989">#10989</a>)</li>
   <li><a 
href="https://github.com/axios/axios/commit/a8e4f13aeecc45a3b8fab3ecfd9ddb5d70fb772b"><code>a8e4f13</code></a>
 fix(core): keep default validateStatus when request passes undefined (<a 
href="https://redirect.github.com/axios/axios/issues/10899">#10899</a>)</li>
   <li><a 
href="https://github.com/axios/axios/commit/614f4552a17de757d4171ad7c3bd38c9c1025fd8"><code>614f455</code></a>
 docs: publish v1.17.0 release notes (<a 
href="https://redirect.github.com/axios/axios/issues/10988">#10988</a>)</li>
   <li><a 
href="https://github.com/axios/axios/commit/6bb12c191f5380fad321322fb90216ae0dc36985"><code>6bb12c1</code></a>
 fix: custom auth headers not stripped on cross-origin redirects (<a 
href="https://redirect.github.com/axios/axios/issues/10892">#10892</a>)</li>
   <li>Additional commits viewable in <a 
href="https://github.com/axios/axios/compare/v1.15.2...v1.18.0">compare 
view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=axios&package-manager=npm_and_yarn&previous-version=1.15.2&new-version=1.18.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/fineract-backoffice-ui/network/alerts).
   
   </details>
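
The cross-origin redirect rule described in the v1.18.0 and v1.17.0 notes above, as an added example that is not axios's code or part of this pull request: credential headers are kept on a same-origin redirect and dropped when the origin changes. The function name, the `extraSensitive` parameter, the URLs and the header values are all constructed for illustration.

```javascript
// Added example, not axios source. All names and sample values are constructed.

// Headers that carry credentials by convention; always dropped cross-origin.
const ALWAYS_SENSITIVE = ['authorization', 'proxy-authorization', 'cookie'];

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

/**
 * Return the URL and headers to use for the redirected request.
 * `location` may be relative, so it is resolved against the current URL.
 * `extraSensitive` is the caller's list of custom credential headers
 * (hypothetical parameter, e.g. an API-key header).
 */
function headersForRedirect(currentUrl, location, headers, extraSensitive = []) {
  const target = new URL(location, currentUrl);
  const crossOrigin = !sameOrigin(currentUrl, target.href);
  const blocked = new Set(
    [...ALWAYS_SENSITIVE, ...extraSensitive].map((h) => h.toLowerCase())
  );
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive, so compare in lower case.
    if (crossOrigin && blocked.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return { url: target.href, crossOrigin, headers: out };
}

// Constructed sample request headers.
const sampleHeaders = {
  Accept: 'application/json',
  Authorization: 'Basic dXNlcjpwYXNz',
  'X-API-Key': 'constructed-key-123',
};
const start = 'https://api.example.test/v1/a';

// Relative Location on the same host: same origin, everything is kept.
const same = headersForRedirect(start, '/v1/b', sampleHeaders, ['X-Api-Key']);
// Different host: Authorization and the caller-listed X-API-Key are dropped.
const cross = headersForRedirect(start, 'https://cdn.example.net/b', sampleHeaders, ['X-Api-Key']);
// Same host but https -> http: the scheme is part of the origin, so this
// also counts as cross-origin and the credentials are dropped.
const downgrade = headersForRedirect(start, 'http://api.example.test/v1/a', sampleHeaders, ['X-Api-Key']);

console.log(Object.keys(same.headers), Object.keys(cross.headers), downgrade.crossOrigin);
```
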

