Bump axios from 0.27.2 to 0.31.0 by dependabot[bot] · Pull Request #8792 · ProcessMaker/processmaker

dependabot · 2026-04-23T19:08:57Z

Bumps axios from 0.27.2 to 0.31.0.

Release notes

v0.31.0

This release backports security fixes from v1.x, hardens the CI/CD supply chain with OIDC publishing and zizmor scanning, resolves TypeScript typing issues in AxiosInstance, and fixes a performance regression in isEmptyObject().

🔒 Security Fixes

Header Injection & Proxy Bypass: Backports v1 security hardening — sanitizes outgoing header values to strip invalid bytes, CRLF sequences, and boundary whitespace (including array values); adds proper NO_PROXY/no_proxy enforcement covering wildcards, explicit ports, loopback aliases (localhost, 127.0.0.1, ::1), bracketed IPv6, and trailing-dot hostnames. Proxy bypass is now checked before the proxy URL is parsed, and parsed.host is used for correct port and IPv6 handling. (#10688)

CI Security: SHA-pins all actions and disables credential persistence in v0.x CI, introduces zizmor security scanning with SARIF upload to code scanning, adds an OIDC Trusted Publishing workflow with npm provenance attestations, and gates all publishes behind a required npm-publish GitHub Environment with configurable reviewer protections. (#10638, #10639, #10667)

🐛 Bug Fixes

TypeScript — AxiosInstance Return Types: Fixes return types in AxiosInstance methods to correctly resolve to Promise<R> (matching AxiosPromise<T> semantics), and corrects the generic call signature so TypeScript properly enforces the response data type. TypeScript-only changes; no runtime impact. (#6253, #7328)

Performance: Fixes a performance regression in isEmptyObject() that caused excessive computation when the argument was a large string. (#6484)

🔧 Maintenance & Chores

Versioning & CI Workflow: Adds an automated versioning flow for v0.x, renames the CI workflow for consistency with the v1.x naming convention, and corrects the branch name reference in CI config. (#10690, #10691, #10692)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

@nakataki17 (#6253)

@gmasclet (#6484)

@shaanmajid (#10638, #10639, #10667)

@ivan-churakov (#7328)

Full Changelog

Release notes - v0.30.3

This is a critical security maintenance release for the v0.x branch. It addresses a high-priority vulnerability involving prototype pollution that could lead to a Denial of Service (DoS).

Recommendation: All users currently on the 0.x release line should upgrade to this version immediately to ensure environment stability.

🛡️ Security Fixes

Backport: Fix DoS via proto key in merge config

Patched a vulnerability where specifically crafted configuration objects using the proto key could cause a Denial of Service during the merge process. - by @FeBe95 in [PR #7388](axios/axios#7388)

⚙️ Maintenance & CI

CI Infrastructure Update

Updated Continuous Integration workflows for the v0.x branch to maintain long-term support and build reliability. - by @jasonsaayman in [PR #7407](axios/axios#7407)

⚠️ Breaking Changes

Configuration Merging Behavior:

As part of the security fix, Axios now restricts the merging of the proto key within configuration objects. If your codebase relies on unconventional deep-merging patterns that target the object prototype via Axios config, those operations will now be blocked. This is a necessary change to prevent prototype pollution.

... (truncated)

Commits

5073eca chore: release v0.31.0 (#10697)
b57eb1a ci: update branch name (#10692)
00ab2af refactor: change name to have a unified workflow (#10691)
9a66c09 chore: added a versioning flow (#10690)
03cdfc9 fix: backport the fixes from the v1 branch (#10688)
71be4e5 fix: return types in AxiosInstance methods should be Promise<R> (#6253)
62610f6 fix: fixed performance issue in isEmptyObject() (#6484)
68f97f7 ci: require npm-publish environment for releases (#10667)
58a6043 ci: add zizmor and harden v0.x CI (#10638)
b560d41 ci: add OIDC publish workflow for v0.x (#10639)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Bumps [axios](https://github.com/axios/axios) from 0.27.2 to 0.31.0. - [Release notes](https://github.com/axios/axios/releases) - [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md) - [Commits](axios/axios@v0.27.2...v0.31.0) --- updated-dependencies: - dependency-name: axios dependency-version: 0.31.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript labels Apr 23, 2026

dependabot Bot mentioned this pull request Apr 23, 2026

Bump axios from 0.27.2 to 1.13.5 #8725

Closed

dependabot Bot force-pushed the dependabot/npm_and_yarn/axios-0.31.0 branch from 77e8eed to 2830f92 Compare April 23, 2026 20:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump axios from 0.27.2 to 0.31.0#8792

Bump axios from 0.27.2 to 0.31.0#8792
dependabot[bot] wants to merge 1 commit intodevelopfrom
dependabot/npm_and_yarn/axios-0.31.0

dependabot Bot commented on behalf of github Apr 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v0.31.0

🔒 Security Fixes

🐛 Bug Fixes

🔧 Maintenance & Chores

🌟 New Contributors

Release notes - v0.30.3

🛡️ Security Fixes

⚙️ Maintenance & CI

⚠️ Breaking Changes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Apr 23, 2026 •

edited

Loading