chore(deps): bump axios from 1.8.4 to 1.15.2 #19
Closed
dependabot[bot] wants to merge 1 commit into develop from
Bumps [axios](https://github.com/axios/axios) from 1.8.4 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.8.4...v1.15.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
y1o1 added a commit that referenced this pull request on Apr 24, 2026
* refactor: migrate axios → Node built-in fetch
Drop the axios runtime dependency in favor of the standard library.
Node 24 supplies fetch, Response, Headers, and AbortSignal.timeout — no
behavior change, smaller surface.
- session-grant-client: throw-on-non-2xx replaced with explicit resp.ok
check. Network errors (TypeError, AbortError) map to provider_unavailable
in a single catch. Retry-After lookup now uses Headers.get() which is
case-insensitive, so the Title-case test still passes without extra code.
- validation/introspect: added IntrospectHttpError so the router can branch
on HTTP status without peeking at a framework-specific error shape.
- validation/router: replaced axios.isAxiosError with instanceof
IntrospectHttpError.
- Tests: replaced vi.mock("axios") with vi.stubGlobal("fetch", vi.fn())
across the three affected suites. Two new tests added for the new error
paths (non-JSON 200 body, AbortError timeout).
tests: 86 → 88 passing. typecheck / lint / build clean.
Obsoletes dependabot PR #19 (axios 1.8 → 1.13 bump).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(validation): codify malformed 200 introspect response as 502
Addresses Codex review finding on the axios→fetch migration.
Before migration, axios 1.x with default silentJSONParsing=true swallowed
JSON.parse SyntaxError on a 200 response with a malformed body, returning
the raw string. The router's `if (!result.active)` then evaluated
`!"...".active` → truthy, mapping the case to 401 Invalid Token — an
accidental side effect, not an intentional contract.
After migration, `resp.json()` throws on malformed bodies, which the
router caught but mapped to 500 (fall-through path).
Explicitly codify the new contract: a 200 with a non-JSON body is a
provider bug, not an auth decision. Wrap the json() call and rethrow as
IntrospectHttpError(502). This mirrors session-grant-client's
provider_invalid_response (502) handling and makes provider bugs
observable rather than silently degrading to an auth-layer response.
Also add validation tests that were missing for the new fetch error paths:
- non-JSON 200 → IntrospectHttpError(502)
- non-2xx → IntrospectHttpError with matching status
- fetch rejection (AbortError/network) propagates to caller
tests: 88 → 91 passing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(validation): reject introspection responses that violate RFC 7662
Closes an auth bypass reported by Copilot on PR #26.
resp.json() successfully parses non-object JSON (strings, numbers, arrays,
null) and objects where `active` is not a boolean. The router only
checked `if (!result.active)`, so a provider returning `{"active":"false"}`
would be truthy → bypass the 401 branch → forward an invalid token to
upstream.
RFC 7662 §2.2 defines `active` as a boolean. Reject any deviation at
introspect boundary by throwing IntrospectHttpError(502), which the router
already maps to 500. This closes the bypass regardless of the parsed shape:
- JSON primitives (string / number / null) → 502
- JSON arrays → 502
- Objects missing `active` → 502
- Objects where `active` is not a boolean (e.g. "false", 1, null) → 502
Only `{"active": <boolean>, ...}` is accepted as a valid introspection
response. The `[key: string]: unknown` extra fields remain permissive.
The bug existed under axios too (same falsy-check pattern), but this PR
touches the introspection path, so per CLAUDE.md it is in scope.
tests: 91 → 99 passing. 8 new parameterized cases covering the Critical
shapes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix: address Copilot round 2 review on PR #26
Three fixes surfaced by the second Copilot review after the RFC 7662
validation commit:
1. session-grant-client: error message for malformed 200 said "non-JSON
body", but parseJsonBody() also returns null for valid JSON that is
not a plain object (string / number / array). Update to
"non-JSON or non-object JSON body" so provider debugging is accurate.
2. AbortSignal.timeout coverage (session-grant-client + introspect):
the timeout tests only asserted that init.signal was an AbortSignal
instance, which would hold even if the code silently ignored the
configured timeoutMs. Wrap both tests with vi.spyOn(AbortSignal,
"timeout") and assert the call received 1234. vi.restoreAllMocks()
added to each afterEach to clean up the spy.
This point converged with Codex Minor 3 from the original review
round (CLAUDE.md multi-reviewer convergence rule), auto-promoting
from Minor to Important.
tests: 99 passing (no new tests; two existing tests strengthened).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
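The bypass and the fix described in the commit message above, as an added TypeScript example that is not the project's code: the pre-fix falsy check beside a strict RFC 7662 boundary check. `IntrospectHttpError`, `parseIntrospection` and `decide` are assumed names that mirror the commit's description, and the sample bodies are constructed.

```typescript
// Added example, not the project's code: the names below mirror the commit
// message above and are assumed, as are the constructed sample bodies.
class IntrospectHttpError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    Object.setPrototypeOf(this, IntrospectHttpError.prototype); // keep instanceof reliable
    this.name = "IntrospectHttpError";
    this.status = status;
  }
}

// RFC 7662 §2.2: `active` is a REQUIRED boolean; other members stay permissive.
type Introspection = { active: boolean; [key: string]: unknown };

// Pre-fix check from the commit: any truthy `active` passes (the bypass).
function legacyIsActive(result: unknown): boolean {
  const r = result as { active?: unknown };
  return !!r.active; // `{"active":"false"}` -> true
}

// Hardened boundary: reject every shape other than an object whose `active`
// is a real boolean, and surface that as a provider error (502), not an auth decision.
function parseIntrospection(body: string): Introspection {
  let parsed: unknown;
  try {
    parsed = JSON.parse(body);
  } catch {
    throw new IntrospectHttpError(502, "introspection 200 with non-JSON body");
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new IntrospectHttpError(502, "introspection body is not a JSON object");
  }
  if (typeof (parsed as Record<string, unknown>).active !== "boolean") {
    throw new IntrospectHttpError(502, "`active` must be a boolean (RFC 7662)");
  }
  return parsed as Introspection;
}

// Router-side outcome: 200 forward, 401 only for a strict `false`, and, as the
// commit describes, IntrospectHttpError mapped to 500 rather than to 401.
function decide(body: string): number {
  try {
    return parseIntrospection(body).active ? 200 : 401;
  } catch (e) {
    if (e instanceof IntrospectHttpError) return 500;
    throw e;
  }
}
```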
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Commits
- 5829343 chore(release): prepare release 1.15.2 (#10789)
- 4709a48 fix: added fix for memory leak in sockets (#10788)
- be33360 chore: update changelog (#10781)
- 4791514 fix: more header pollutions (#10779)
- 6feafcf fix: socket issue (#10777)
- 302e273 docs: update docs, add a couple actions etc (#10776)
- ac42446 chore(release): prepare release 1.15.1 (#10767)
- 908f220 docs: update threatmodel (#10765)
- f93f815 docs: added docs around potential decompressions bomb (#10763)
- 1728aa1 fix: short-circuits on any truthy non-boolean in withXSRFToken (#10762)

Maintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for axios since your current version.

Install script changes
This version modifies the `prepare` script that runs during installation. Review the package contents before updating.